🌐 Security Platforms I Use

The full grid with logos and direct links lives at /platforms. This post is the narrative version: what each platform is for, when to use it, and what I’ve personally got out of them.

Labs (interactive environments)

These are the boot-to-root and hands-on-curriculum platforms. Real machines or guided environments to exploit.

  • TryHackMe is where I started. Best on-ramp for someone new to offensive security. Guided rooms, learning paths, beginner-friendly. Once you finish the SOC Analyst or PenTester path you’re ready for the harder stuff.
  • HackTheBox is the next step. No hand-holding, real machines, active community. Use the main platform for boxes, HTB Academy for structured paths (paid, so I lean on the free tier).
  • HackMyVM is like Vulnhub but with online flag submission and a leaderboard. Good if you want to root machines but don’t want to download VMs.
  • Hackviser is a newer entry, focused on practical pentesting upskilling with certifications (CAPT, CWSE, CSOA). Free tier is generous.
  • PortSwigger Web Security Academy is the gold standard for web. 100% free, deep, well-maintained. If you’re doing any web work, you have to do these labs.
  • Hacker101 by HackerOne. Free CTF labs covering common web bug classes. No bounty involvement needed to use it.

CTF Practice (challenge-based)

Standing challenges across categories. Solve at your own pace.

  • CyLab Security Academy (formerly picoCTF / PicoGym) is the easiest on-ramp. Carnegie Mellon CyLab’s beginner-friendly platform. Annual competition + an always-on challenge gym.
  • CryptoHack is the best crypto-specific platform out there. I’ve done 33 challenges and counting. Math-heavy in the upper tiers, which is the fun part.
  • Root-Me is huge. 300+ challenges across web, crypto, network, forensics, RE. Older but still active.
  • CTFlearn has simpler challenges, good for filling skill gaps.
  • pwn.college is binary exploitation taught dojo-style. The belt progression makes it feel like a real curriculum.
  • RingZer0 CTF has a huge catalog (300+) across multiple categories. Long-running and underrated.
  • Pwnable.tw is for serious binary exploitation. Authored by top DEFCON CTF players. Don’t start here.
  • Webhacking.kr is a veteran Korean platform for web exploitation, with a classic SQLi / XSS / auth bypass focus.
  • FlagYard is a relatively new platform with realistic-feeling challenges.
  • 247CTF is always-on with a modern UI and a balanced category mix.
  • ImaginaryCTF runs monthly events plus a permanent catalog.
  • MetaCTF is team-style practice with an emphasis on realistic scenarios.
  • CTFGuide is more of a learning platform but with challenge progression.
  • Crackmes.one is the spot for reverse engineering challenges specifically.
  • PyDefis offers French, Python-focused challenges with a crypto and security flavor.
  • Hack.arrrg.de is a smaller German CTF platform.

Blue Team / SOC

Defensive-focused training. SIEM, IR, threat hunting, malware analysis.

  • LetsDefend is where I’ve earned the most badges. SOC Analyst learning path, hands-on alert triage, real-feeling tickets. Highly recommend for anyone going into SOC work.
  • CyberDefenders runs blue team CTFs and labs on real incident data (memory dumps, packet captures, log archives).
  • Blue Team Labs Online is similar to CyberDefenders, with more focus on threat hunting scenarios.

CTF Tracker

  • CTFtime isn’t a challenge platform. It’s where every live CTF event gets listed, and where individual and team rankings live across the whole CTF universe. If you compete, you should have a profile here.

Where to start

If you’re new and reading this, my unfair-but-useful advice:

  1. Do all of TryHackMe’s SOC Analyst (or PenTester) path
  2. Pick a specialty and dig in: HackTheBox for offensive, LetsDefend for blue team
  3. Compete in one CTFtime-listed event with a team
  4. Pick a vertical you actually enjoy (web / pwn / crypto / RE) and go deep on the platform that specializes in it

Don’t try to do everything on every platform. Breadth here is a trap.