Building a Cyber Range That Feels Real
Notes from designing attack labs, defensive tooling, and live telemetry for SOC training.
The best training environments are not the ones with the most features. They are the ones that make a trainee believe the system is alive. For me, that means isolating the network properly, wiring live attack telemetry into the UI, and keeping the workflows close to what a real SOC or red team would experience.
The core idea is to keep the architecture understandable: a segmented VMware base, a control plane for the training workflows, and separate services for detection, orchestration, and visualization. That keeps the environment maintainable while still giving it enough realism to matter.
- Keep the control plane isolated from the attack surface.
- Prefer live dashboards over static logs for training scenarios.
- Standardize how alerts, playbooks, and attack steps are labeled.
- Design the environment so it can evolve without a full rebuild.
My current work on the cyber range keeps reinforcing the same lesson: realism is a product of system design, not visual polish. The more disciplined the infrastructure, the better the training outcome.