NSTOOLS 2026 · INTERNATIONAL WORKSHOP ON NETWORK SIMULATION TOOLS · PISA, ITALY · OCT 19, 2026

Home / Insights / Cyber ranges: simulated networks for security training

Security · Simulated environments

Cyber ranges: simulated networks for security training

You cannot safely test a ransomware response plan on a production network. Cyber ranges exist to give security teams and researchers a realistic network to break, without the risk.

What a cyber range actually is

The U.S. National Institute of Standards and Technology defines a cyber range as an interactive, simulated representation of an organization’s local network, systems, tools, and applications, connected to a simulated internet-level environment. In practice, that usually means target infrastructure — servers, firewalls, routers, and endpoints — built to mirror an organization’s real environment closely enough that security tools like intrusion detection systems and digital forensics software behave the same way they would in production, while attacks and defensive responses play out with no risk to anything real.

NIST’s own guidance lists the main use cases plainly: cybersecurity education in academic settings, hands-on training for security operations and forensics roles, skills evaluation for job candidates, and “situational operations” testing before a new product, release, or organizational restructuring goes live. The common thread across all of them is rehearsal — giving people and processes a realistic dry run before the stakes are real.

Where they come from

Cyber ranges did not appear out of nowhere; they are a direct descendant of the same simulation, emulation, and testbed traditions that produced tools like ns-3 and NIST Net. A cyber range built primarily on simulation techniques models the target network’s behavior in software; one built on emulation, or on physical hardware, reproduces that behavior more directly at the cost of scale and setup time. Recent academic surveys of the field find the same split researchers see in general network testbeds: some published cyber ranges rely entirely on virtualization and simulation, others on emulation, and others on real physical equipment, with many combining more than one approach depending on which part of the environment needs to be most realistic.

Industrial control systems are a case in point. Because a cyberattack on physical infrastructure — a water treatment plant, a power substation — can have real-world physical consequences, researchers have built simulation-based cyber ranges specifically for these environments, reproducing the behavior of SCADA processes without needing an actual water tank or turbine on hand, while still allowing a realistic multi-stage intrusion to be exercised safely from initial network breach through to the simulated industrial process.

What they are used for, concretely

The clearest applications fall into a few buckets. Training: security teams practice against realistic, evolving attack scenarios — distributed denial-of-service, phishing-driven compromise, database attacks — using the same monitoring and response tools they use in their day-to-day work, so the muscle memory built in training transfers directly. Education: cybersecurity courses use ranges to give students hands-on exposure to attacker and defender roles without the legal and safety complications of practicing on live systems. Testing: organizations use ranges to evaluate how a new product, patch, or network change holds up against known attack techniques before it reaches production.

The trade-off is the same one that runs through this whole field

Building a cyber range means making the same realism-versus-cost decision that applies to any simulated network: a fully simulated range is cheaper to stand up and easier to reset between exercises, but may miss subtle behavior in real hardware and software; a range built on real or emulated infrastructure captures that behavior more faithfully, at higher cost and slower iteration. Neither choice is universally correct — it depends on what the exercise is actually trying to validate, which is precisely the judgment call this workshop’s broader technical program is built to help researchers make well.

A scope note

This article describes cyber ranges as a category of research and training infrastructure. It is not a guide to conducting offensive security testing, and readers looking to build or operate a range for their own organization should follow their institution’s security policies and relevant legal guidance.