Updated: April 11, 2025
The Cyber Range Exercises scenarios from Immersive offer a unique and immersive way for organizations to simulate and practice their response to cyber incidents. These scenarios are designed to replicate real-world cyber threats and challenges, allowing teams to collaborate, communicate, and make critical decisions in a controlled environment. By engaging in Cyber Range Exercises scenarios, participants can enhance their incident response capabilities, test their cybersecurity procedures, and improve their overall cyber resilience. With a focus on teamwork, problem-solving, and decision-making under pressure, these scenarios provide a valuable training experience that prepares organizations to effectively respond to cyber incidents and protect their assets.
The following scenarios are currently provided for Cyber Range Exercise:
Scenario Name | Category | Difficulty | Description |
--- | --- | --- | --- |
Scion | Offensive | Advanced | Scion is an offensive exercise focused on code analysis and exploitation, requiring participants to demonstrate intermediate or higher proficiency in identifying vulnerabilities and developing functional exploits. The scenario replicates a modern software engineering company's development network, complete with local workstations and a GitLab instance for source code hosting. Participants progress through this network, compromising one or both public-facing machines before targeting the final machine. |
Operation Vulpes | Defensive | Intermediate | In Operation Vulpes, Orchid Corporation has suffered a ransomware attack, with users unable to access or decipher their files and a ransom note appearing on desktops. As a security team member, players must leverage Orchid's security stack to investigate the incident, determine the extent of the compromise, and understand the attack timeline, focusing on SIEM events from November 29, 2024. |
Operation Bastion | Defensive | Beginner | Operation Bastion tasks players, as members of Orchid Corporation's security team, with investigating a suspicious email incident. On August 5, 2024, a colleague unknowingly opened a malicious document containing macros, mistakenly believing it was from internal support. Players must analyze this incident, starting with the provided screenshot and details, to determine the extent of the compromise and understand the attack vector. |
Nebula Bank | Offensive | Beginner | Nebula Bank is a digital bank that's deployed a range of generative AI technology into its customer-facing portal. It's looking to ensure that the GenAI doesn't contain anything that could compromise customer security or the business overall. Nebula Bank hopes you won't be able to access its network using anything you can learn from AI! |
Operation Sunder | Defensive | Beginner | In Operation Sunder, players are part of ForwardEdge Corp's security team and must investigate a potential compromise stemming from a malicious email attachment. On July 26, 2024, an employee reports a colleague on workstation HR01 opening an email attachment, enabling macros, and potentially triggering a security incident. Players must analyze this information to determine the extent of the compromise. |
Artica - Offensive | Offensive | Beginner | Artica - Offensive is an offensive Cyber Range Exercise scenario consisting of a Windows AD environment. Users need to enumerate and attack machines in succession in order to move laterally through the environment with the final goal of compromising the Domain Controller. Each user is afforded a Kali machine to attack from, or can choose to VPN into the environment and attack from their own testing system. |
Operation Nimrod - Defensive | Defensive | Intermediate | In this simulation scenario at ForwardEdge Corporation, a cybersecurity provider for financial institutions, a suspicious alert related to Microsoft Word spawning unusual child processes on a senior manager's workstation has been triggered on the evening of August 6, 2024. The activity, including PowerShell prompt instances and attempts to contact an external IP address, indicates a potential macro-based malware attack, raising concerns for data compromise. Participants are tasked with swiftly investigating the incident, identifying the root cause, and assessing if sensitive data has been compromised. Utilizing tools such as the Analyst Workstation, Elastic Stack for log analysis, and Velociraptor for incident response, participants must respond effectively to prevent further damage and protect the organization's infrastructure. |
Boot2Root Beginner | Offensive | Beginner | Boot2Root is an offensive scenario in which users attack 5 machines simultaneously to gain access, escalate privileges, and obtain flags per task, with each machine having two flags. |
Mythical - Offensive | Offensive | Beginner | Mythical is an Offensive scenario, aimed at Junior Security Professionals, in which users are tasked to perform ‘Pentest-like’ activities against a Linux network. Users are also given a small diagram that helps them with the path they have to take in the network. The goal of the scenario is to move through the network and completely compromise every single machine by getting access to and then escalating privileges on it. |
Qing - Offensive | Offensive | Intermediate | Qing - Offensive is an Offensive scenario in which a number of users are tasked to perform ‘Pentest-like’ activities against a fictional corporate network (qing.corp). Users will have to move through three different networks until they get to the target OT network. The scope of this penetration test is to gain access to the OT network. |
Kween - Offensive | Offensive | Intermediate | Kween - Offensive is an Offensive scenario in which a number of users are tasked to perform ‘Pentest-like’ activities against a small network (kween.local). The network simulates a real-life situation where access from the outside world to the network was easily attainable and the internal network had a series of vulnerabilities that led to its compromise. |
Operations - Offensive | Offensive | Intermediate | Operations is an Offensive scenario in which a number of users are tasked to perform ‘Pentest-like’ activities against a small Active Directory (AD) environment (operations.local) and are given credentials to access two different starting machines. The flow of the scenario is to move through the environment, achieving in most cases access to and then escalating privileges on a number of separate machines with logical misconfiguration flaws to be exploited, much in the style of a real world AD assessment. |
The Heist | Offensive | Advanced | The Heist is an Offensive CTF scenario where users take on the role of bank robbers who need to complete several technical challenges in three distinct networks – to open a ‘vault’ and obtain the final token to complete the scenario. The challenges are very much ‘pentest’ skill-focused and cover a variety of disciplines ranging from infrastructure to web application to reverse engineering. Attacking teams can choose to start against one of two networks, both of which can be attacked concurrently and have a distinct attack path to follow. The questions inside the sim environment guide users. Both networks must be completed to obtain credentials and information to attack the final network. |
Heist II: Aftermath | Offensive | Advanced | This exercise continues the story from The Heist, where the mastermind, RJH, betrayed the team and escaped with the loot. Now, players use their offensive skills to seek revenge by targeting RJH's vault. The objective is to compromise both the Attacker and Active Directory Networks to reach the Vault Network, disable its defenses, and unlock the vault for a final loot grab. |
Artica - Defensive | Defensive | Beginner | Artica - Defensive is a small scenario which gives users access to both Velociraptor and Splunk and asks them a series of questions in order to detect and understand an attack which runs in the background of the range using Metasploit and rudimentary automation to repeat the attack every 10-15 mins or so, with some jitter-time to add an element of randomisation. |
Oilrig: A nation state compromise | Defensive | Beginner | Oilrig: A nation state compromise is a Defensive range scenario where users take on the role of a junior SOC analyst, employing various skills and techniques from defensive disciplines such as incident response and threat hunting. The user is presented with a set of tasks where they must uncover IOCs (indicators of compromise) relating to an attack against an organization called Lycia Pensions. The tasks test the user's ability to threat hunt through logs, and other digital forensic artifacts available within the range. |
Earth Lusca (TAG-22) - Defensive | Defensive | Beginner | Earth Lusca (TAG-22) is a Defensive scenario, aimed at SOC/IR Professionals, in which users are tasked with finding IoCs in a compromised network. The attack that had occurred mimics the techniques and tools employed by the APT group Earth Lusca. The tasks test the user's ability to threat hunt through logs. This will require users to look into running processes, commands that were issued, persistence techniques, lateral movement and more! |
Operation Kobold - Defensive | Defensive | Beginner | Operation Kobold is a Defensive range scenario where users take on the role of a SOC analyst, employing various skills and techniques from defensive disciplines such as incident response and threat hunting. The user is presented with a set of tasks where they must uncover IOCs (indicators of compromise) relating to an attack against an organization called Somnium Technology. The tasks test the user's ability to threat hunt through logs and other digital forensic artifacts available within the range. There are also a few basic reverse engineering-based tasks to test the user's skills in this area. |
Kween - Defensive | Defensive | Intermediate | The Kween Defensive scenario is aimed at SOC Analysts / IR Professionals. The user is presented with a set of tasks where they must uncover IOCs (indicators of compromise) relating to an attack against an organization called Kween Industries. Kween Industries suspects that its network has been compromised by an unknown attacker, and you've been called in to investigate! The client has given you access to their Splunk and Velociraptor setups and has provided the following information about its network. |
Qing - Defensive | Defensive | Intermediate | The Qing Defensive scenario is aimed at SOC Analysts / IR Professionals. The user is presented with a set of tasks where they must uncover IOCs (indicators of compromise) relating to an attack against an organization called the Qing Corporation. Users are provided with a set of defensive-based security tools which can be used to aid them in detecting the attack that has taken place. |
Operation Chimera: Lycia Pensions | Defensive | Intermediate | Operation Chimera is a Defensive range scenario where users take on the role of a SOC analyst, employing various skills and techniques from defensive disciplines such as incident response and threat hunting. The user is presented with a set of tasks where they must uncover IOCs (indicators of compromise) relating to an attack against the Lycia Pensions domain on the range. The tasks test the user's ability to threat hunt through logs, and other digital forensic artifacts available within the range. |
APT43 - Defensive | Defensive | Intermediate | APT43 – Defensive Scenario is an exercise where users take on the role of a SOC analyst. In it, you’ll employ various skills and techniques from defensive disciplines such as incident response, threat hunting, and reverse engineering. The APT43 scenario provides users with access to both Velociraptor and ElasticSearch, as well as Flare VM, the reverse engineering operating system. |
Operation Lycan - Defensive | Defensive | Intermediate | Operation Lycan – Defensive Scenario is an exercise where users take on the role of a SOC analyst. In it, you’ll employ various skills and techniques from defensive disciplines such as incident response, threat hunting, and reverse engineering. Op Lycan provides users with access to both Velociraptor and ElasticSearch, as well as Flare VM, the reverse engineering operating system. In this scenario, users are asked a series of questions in which they must identify indicators of compromise (IoCs) relating to an attack against the Lycan domain on the range to detect and understand the attack. There are also a few reverse engineering-based tasks that test the user's skills further. |
Operation Palisade | Defensive | Beginner | Operation Palisade is a beginner defensive scenario where the user must identify multiple indicators of compromise (IoCs) in logs and other digital forensic artifacts following an incident at Orchid Corporation. |
Operation Akela - Defensive | Defensive | Intermediate | Operation Akela is a Defensive range scenario where users take on the role of a SOC analyst, employing various skills and techniques from defensive disciplines such as incident response and threat hunting. The user is presented with a set of tasks where they must uncover IOCs (indicators of compromise) relating to an attack against the Lycia Pensions domain on the range. The tasks test the user's ability to threat hunt through logs and other digital forensic artifacts available within the range. There are also a few reverse engineering-based tasks to test the user's skills in this area. |
Operation Typhon - Defensive | Defensive | Intermediate | Operation Typhon is a Defensive range scenario where users take on the role of a SOC analyst, employing various skills and techniques from defensive disciplines such as incident response and threat hunting. The user is presented with a set of tasks where they must uncover IOCs (indicators of compromise) relating to an attack against an organization called Somnium Technology. The tasks test the user's ability to threat hunt through logs, and other digital forensic artifacts available within the range. |
Detecting Sliver | Defensive | Advanced | Originating from the Bishop Fox team, Sliver is an open-source, cross-platform, and extensible C2 framework. It's written primarily in Go, making it fast, portable, and easy to customize. This versatility makes it a popular choice among red teams for adversary emulation and as a learning tool for security enthusiasts. The Sliver C2 framework has features catering to both beginner and advanced users. One of its main attractions is the ability to generate dynamic payloads for multiple platforms, such as Windows, Linux, and macOS. These payloads, or "slivers," provide capabilities like establishing persistence, spawning a shell, and exfiltrating data. When it comes to communication, Sliver supports a wide range of communication protocols, including HTTP, HTTPS, DNS, TCP, and WireGuard. This ensures that C2 traffic is flexible, stealthy, and can blend in with normal network traffic. |
Operation Kaiju - Defensive | Defensive | Intermediate | ForwardEdge Corp is a leader in stock market analytics and trading technologies. You’re members of the internal security team. Your role is to detect threats to the ForwardEdge organization. On the morning of June 3, 2024, you begin your daily routine of reviewing your organization's security alerts. At 1130 UTC, you received a message from one of your colleagues, John. He’s forwarded you a suspicious email. When he received the email, John opened the attachment and enabled macros, but now the document just hangs. He also doesn’t know who the sender, L Green, is. |
Operation Palisade - Defensive | Defensive | Beginner | Orchid Corporation has a global IT infrastructure supporting a myriad of services from e-commerce to data analytics. It uses Elastic Stack to proactively hunt for and mitigate security threats. You work on the internal security team. On the morning of April 3, 2024, you begin your daily routine of reviewing your Elastic dashboard – known as "Logwatch". At approximately 10:25 AM, you notice an irregular pattern in the number of alerts and a sudden increase in events. Although no users have reported anything unusual, these spikes have caught your attention. It's unlikely to be a false positive. |