Case Study 3.2: HackTheBox, TryHackMe, and SANS Cyber Ranges — The Online Training Platform Revolution

Overview

The Training Gap

For decades, learning to hack required one of three paths: formal education (university programs or expensive SANS courses), self-study with locally built labs (time-intensive and limited), or learning "in the wild" (illegal and dangerous). Each path had significant barriers. University cybersecurity programs were rare and often theoretical. SANS courses cost $5,000–$9,000 per course. Building a comprehensive local lab required significant hardware and expertise. And learning on live systems could end your career before it started.

The emergence of online training platforms in the 2010s fundamentally changed this equation. Today, anyone with an Internet connection and a basic computer can access world-class hacking practice environments, guided learning paths, and a global community of practitioners. These platforms have done for cybersecurity training what YouTube did for music lessons — they have democratized access to knowledge and practice that was previously available only to a privileged few.

Platform Deep Dives

HackTheBox (HTB)

Founded: 2017 by Haris Pylarinos in the UK Model: Gamified practice platform with virtual machines Users: Over 2 million registered users as of 2024

History and Philosophy: HackTheBox began as a side project. Haris Pylarinos created a platform where security enthusiasts could practice attacking vulnerable virtual machines in a legal, controlled environment. The platform's philosophy is learning through doing — machines are presented as challenges with no instructions or walkthroughs (though a thriving community provides hints and, for retired machines, complete writeups).

To even create an account on the original HackTheBox platform, users had to "hack" the registration page by finding a hidden invite code — a deliberate barrier that filtered for genuine interest and basic technical skill.

How It Works: HTB provides virtual machines ("boxes") that are connected to a VPN. Users connect their attack machine (typically Kali Linux) to the HTB VPN and attack the target machines. Each box has a specific set of vulnerabilities that must be chained together to achieve two objectives: obtaining a "user flag" (proving initial access and sometimes privilege to a standard user) and a "root flag" (proving full system compromise).

Boxes are rated by difficulty: Easy, Medium, Hard, and Insane. New boxes ("active" machines) are released weekly, and old boxes are "retired" and made available to VIP subscribers.

Key Offerings:

Free Tier: - Access to two active machines at a time - Starting Point guided track (beginner-friendly) - Community forums and discussions

VIP Subscription ($14/month): - Access to all retired machines (hundreds of machines spanning years) - Priority VPN connection (faster, more reliable) - Official writeups for retired machines

Pro Labs ($49–$89 for 30 days): - Multi-machine environments simulating realistic enterprise networks - Dante: Beginner-friendly network with multiple subnets - Offshore: Simulates a corporate network with Active Directory - RastaLabs: Advanced Active Directory lab with real-world complexity - Zephyr: Advanced network simulating a complete corporate environment - Cybernetics: Expert-level environment

HTB Academy: - Structured learning modules (similar to TryHackMe's approach) - Covers specific topics with theory and hands-on exercises - Some modules free, others require subscription

Strengths: - The most realistic practice environment available outside of professional engagements - Pro Labs are exceptional for building real-world skills - Strong competitive community drives continuous improvement - Excellent OSCP preparation - Machines designed by community members bring diverse perspectives

Weaknesses: - Steep learning curve for beginners (limited guidance on active machines) - VPN can be unstable on free tier during peak hours - Shared environments mean other users may interfere with your testing (e.g., resetting a machine while you are working on it) - Competitive ranking system can encourage speedrunning over deep learning

Ideal For: Intermediate to advanced practitioners; OSCP preparation; building a portfolio; competitive learners.

TryHackMe (THM)

Founded: 2018 by Ashu Savani in the UK Model: Guided learning platform with structured rooms and paths Users: Over 3 million registered users as of 2024

History and Philosophy: TryHackMe was founded with an explicit mission to make cybersecurity education accessible to everyone. While HackTheBox was designed for people who already had a foundation, TryHackMe was built from the ground up for complete beginners. The philosophy is structured learning — take users from zero knowledge to job-ready through progressive, guided experiences.

How It Works: THM organizes content into "rooms" — individual learning units that cover specific topics. Rooms combine short written lessons, quiz questions, and hands-on tasks performed on THM's virtual machines. Users either connect via VPN (like HTB) or use an in-browser "Attack Box" — a fully configured Kali-like environment that runs directly in the web browser, eliminating the need for local setup.

Rooms are organized into "learning paths" — curated sequences that build skills progressively:

Key Learning Paths: - Complete Beginner: Linux basics, networking, web security fundamentals - Jr Penetration Tester: Entry-level pentesting methodology - Offensive Pentesting: Comprehensive offensive security training - Red Teaming: Advanced adversary simulation - Cyber Defense: Blue team and SOC analyst skills - Web Fundamentals: Web application security

Key Offerings:

Free Tier: - Access to many rooms (though limited compared to premium) - One hour per day on the Attack Box - No VPN usage limits

Premium Subscription ($14/month): - Access to all rooms - Unlimited Attack Box usage - Premium learning paths - Completion certificates

Strengths: - Exceptional for beginners — the guided approach prevents frustration - In-browser Attack Box eliminates setup barriers - Well-structured learning paths provide clear progression - Content covers both offensive and defensive skills - King of the Hill (competitive mode) adds engagement - Certificates of completion for learning paths

Weaknesses: - Advanced users may find the guided format too restrictive - Machines are less realistic than HTB's (designed for teaching, not simulation) - Attack Box, while convenient, has limitations compared to a properly configured local Kali VM - Some rooms have become outdated as tools and techniques evolve

Ideal For: Complete beginners; structured learners; students looking for a curriculum; blue team skills.

SANS Cyber Ranges and NetWars

Founded: SANS Institute has offered training since 1989; cyber ranges developed through the 2010s Model: Professional-grade simulated environments, often paired with courses Users: Tens of thousands of professionals annually

History and Philosophy: SANS Institute is the most respected name in cybersecurity training, known for intensive courses taught by industry practitioners. Their cyber ranges and NetWars competitions extend the classroom experience with immersive, realistic practice environments.

Key Offerings:

NetWars: NetWars is SANS's gamified competition platform. It is offered in multiple formats: - NetWars Tournament: Competitive events held at SANS conferences - NetWars Continuous: An ongoing online competition platform - Holiday Hack Challenge (SANS Holiday Hack): An annual free event (December–January) featuring a storyline-driven cybersecurity challenge. It is widely considered one of the best free training events in cybersecurity.

Cyber Ranges: - SANS Cyber Range: Virtual lab environments aligned with specific SANS courses - CyberCity: A physical-cyber hybrid range that includes model cities with real SCADA systems - Cyber42: A tabletop simulation for security leadership training

Strengths: - Most professionally designed environments available - Aligned with the gold-standard SANS curriculum - Holiday Hack Challenge is free, creative, and educational - Environments simulate real enterprise complexity - Recognized by employers as premium training

Weaknesses: - Most offerings are expensive (courses $5,000–$9,000; some ranges have separate fees) - Access often limited to course attendees - Less community-driven than HTB or THM - Scheduling constraints for live events

Ideal For: Professional development; enterprise-funded training; advanced practitioners; certification preparation.

PortSwigger Web Security Academy

Founded: 2019 by PortSwigger (makers of Burp Suite) Model: Free, comprehensive web application security training Users: Widely used by the security community

History and Philosophy: PortSwigger created the Web Security Academy as both a community service and a natural complement to their Burp Suite product. The content is written by their research team — the same people who discover novel vulnerability classes and build the tools used to find them.

Key Offerings: - 200+ interactive labs covering all major web vulnerability classes - Detailed written explanations of each vulnerability type - Labs hosted in the cloud — no setup required - All content completely free - Mystery labs (harder challenges with less guidance) - Certification: Web Security Professional (BSCP), which is a practical exam

Topic Coverage: - SQL injection (all variations) - Cross-site scripting (reflected, stored, DOM-based) - Cross-site request forgery (CSRF) - Server-side request forgery (SSRF) - Authentication vulnerabilities - Access control vulnerabilities - Directory traversal - OS command injection - Business logic vulnerabilities - Information disclosure - HTTP request smuggling - WebSocket vulnerabilities - Insecure deserialization - XML external entities (XXE) - Server-side template injection (SSTI) - Prototype pollution - GraphQL vulnerabilities - Race conditions - And more...

Strengths: - Best free resource for web application security, by far - Content written by genuine experts (PortSwigger research team) - Labs are realistic and well-designed - Continuously updated with new vulnerability classes - Directly teaches the methodology used with Burp Suite

Weaknesses: - Web application security only (no network pentesting, no OS-level attacks) - Community-provided solutions vary in quality - The progression from topic to topic is less structured than THM

Ideal For: Anyone learning web application security; Burp Suite users; bug bounty hunters; web developers.

Comparative Analysis

Feature Comparison

Recommended Learning Path

For a student working through this textbook, we recommend the following platform usage:

Months 1-3 (Foundations — Parts 1-2 of this book): - Primary: TryHackMe "Complete Beginner" and "Jr Penetration Tester" paths - Secondary: PortSwigger Web Security Academy SQL Injection and XSS modules - Local lab: Kali + Metasploitable 2 (as built in this chapter)

Months 4-6 (Core Skills — Parts 3-4): - Primary: HackTheBox Easy machines, local Active Directory lab - Secondary: PortSwigger Web Security Academy (continuing through topics) - Supplementary: TryHackMe offensive pentesting rooms for specific topics

Months 7-9 (Advanced — Parts 5-6): - Primary: HackTheBox Medium machines and Dante Pro Lab - Secondary: HTB Academy modules for specific techniques - If budget allows: SANS Holiday Hack Challenge (seasonal)

Months 10-12 (Professional — certification preparation): - Primary: HackTheBox Hard machines and Offshore Pro Lab (for OSCP prep) - Secondary: Proving Grounds (Offensive Security's own platform) - Practice: Local lab with complex multi-machine scenarios

The Ecosystem Effect

These platforms do not compete — they complement each other. TryHackMe teaches you the concepts. Your local lab lets you practice in isolation. HackTheBox challenges you to apply your skills creatively. PortSwigger deepens your web application expertise. SANS provides professional-grade training. Together, they create a comprehensive learning ecosystem that did not exist even a decade ago.

The Impact on the Industry

The online training platform revolution has had measurable effects on the cybersecurity industry:

Talent pipeline: Platforms like HTB and THM have become recruiting channels. Employers actively search for candidates with strong HTB rankings or completed THM learning paths.

Skill democratization: A teenager in rural Africa or Southeast Asia can access the same training as a student at Stanford or MIT. This has diversified the cybersecurity talent pool globally.

Practical skills emphasis: The rise of practical platforms has shifted the industry's emphasis from certifications to demonstrable skills. An OSCP combined with a strong HTB profile is now more valued than an alphabet soup of knowledge-based certifications.

Community knowledge sharing: Platform communities generate enormous quantities of educational content — writeups, video walkthroughs, blog posts, and tutorials — that amplify the value of the platforms themselves.

Discussion Questions

1. Which platform would you recommend for someone with no technical background at all? What about for an experienced system administrator transitioning to security?

2. HackTheBox's competitive ranking system motivates some users but discourages others. Do you think gamification helps or hurts the learning process?

3. PortSwigger Web Security Academy is completely free. What is PortSwigger's business motivation for offering this, and is this model sustainable?

4. Should employers accept HackTheBox rankings or TryHackMe certifications as evidence of practical skills? How do these compare to traditional certifications like OSCP or CEH?

5. These platforms focus primarily on offensive skills. What platforms or approaches would you recommend for someone who wants to develop defensive (blue team) skills?

Key Takeaways

Platform Quick Reference

Further Reading

• HackTheBox. "About Us." hackthebox.com
• TryHackMe. "Our Story." tryhackme.com
• SANS Institute. "Cyber Ranges." sans.org
• PortSwigger. "Web Security Academy." portswigger.net
• Pylarinos, H. (2022). "Building HackTheBox: From Side Project to Global Platform." (Conference talk, various recordings available)