The Technical Magic Behind Hacktivity

Ever wondered what makes truly effective cyber security training? It's not just about having cool hacking challenges - the technical foundation needs to be rock solid. Let's peek behind the curtain at how Hacktivity is transforming cyber security education through some serious technical innovation.

The cyber security training landscape has a problem. Most platforms rely on static challenges, where everyone gets the exact same task with the exact same solution. While this works for learning basic concepts, it falls apart when you want to do any real assessment or simulate real-world scenarios. Solutions get shared around, students can often cheat by just analysing VM disk files, and creating new challenges is a massive time sink for educators.

Traditional Capture The Flag (CTF) competitions try to address this. They're a great way to learn and practice cyber security skills - you solve challenges to capture flags that prove you've completed the task. CTFs have become a cornerstone of cyber security training since they first appeared at DEF CON. But when used in education, they hit the same wall: static challenges that can be solved once and shared forever.

We built Hacktivity to tackle these limitations head-on. At its core is SecGen, our open-source Automatic Problem Generation (APG) framework. This isn't your typical training platform - it's a complete technical framework that generates endless variations of security challenges.

The Power of Randomisation and Automation

The secret sauce of Hacktivity is how it handles virtualisation and challenge generation. When you start a challenge, you're not getting a simple clone of a virtual machine that hundreds of others have used. Instead, SecGen is used to dynamically generate a set of VMs configured uniquely for you. This includes randomised usernames, passwords, IP addresses, and even the specific vulnerabilities and configurations you'll be working with.

Our modular architecture, inspired by the Metasploit Framework, makes this possible. We use an XML-based configuration language that lets us specify exactly how challenges should be generated. Here's a glimpse at how it works:

<system>
  <system_name>linux_server</system_name>
  <base distro="Debian 12"/>
  <vulnerability 
    module_path=".*/unrealirc_3281_backdoor">
    <input into="strings_to_leak">
      <generator type="flag_generator" />
    </input>
  </vulnerability>
  <!-- Additional configurations -->
</system>

This code-based approach means we can create infinitely variable scenarios while maintaining consistent learning objectives. A scenario might specify that it needs a remotely exploitable vulnerability leading to user-level compromise, and SecGen will randomly select and configure one from its library of options.

The Technical Stack

Under the hood, Hacktivity is built on a robust technical foundation. The core is a Ruby on Rails application that integrates closely with SecGen. We use Redis for caching and handling background jobs, PostgreSQL for database management, and web sockets to push real-time updates to users. All of this runs via Passenger and Nginx, ensuring smooth performance even with hundreds of concurrent users.

VM management is where things get really interesting. Hacktivity doesn't just create VMs - it maintains pools of pre-generated VM sets ready to go. When you start a challenge, you get instant access because we've already done the heavy lifting. These VMs run on either oVirt or Proxmox virtualisation platforms, with Hacktivity handling all the orchestration.

Network isolation is a crucial part of our architecture. Each VM set runs in its own isolated network segment, ensuring that security tasks and attacks can't affect other users or systems. This is especially important for offensive security training - you can perform real attacks and security tasks within your own safe, isolated environment. Whether you're practicing exploitation techniques or learning about network security, your activities are completely isolated from other users.

The desktop experience is seamless thanks to SPICE (Simple Protocol for Independent Computing Environments). Unlike the laggy browser-based solutions you might have used elsewhere, SPICE gives you a full HD remote desktop with proper copy-paste support and file transfer capabilities. No VPNs required, no local VM management - everything just works.

Security at Every Layer

We take security seriously - it would be pretty ironic if we didn't! Multi-Factor Authentication (MFA) is required for all logins, with additional MFA prompts for sensitive actions. We implement role-based access control, and scope staff access to managing users of their specific organisations.

But it goes deeper than that. We've implemented request rate-limiting to prevent denial-of-service attempts, Content Security Policy (CSP) to defend against cross-site scripting, and reCAPTCHA to stop automated attacks. Strong password policies and automated brute-force prevention round out our security stack.

The Power of Modular Design

Our modular architecture isn't just about randomisation - it's about creating a flexible, maintainable system. Each module in SecGen can specify vulnerabilities, services, utilities, encoders, or generators. They can include Puppet code for VM configuration or Ruby code for data randomisation. Everything is parameterised and reusable.

The real magic happens in how these modules work together. Each module's metadata (stored in secgen_metadata.xml) includes details like CVE information, privilege access levels, and descriptions. This lets us automatically select appropriate modules based on scenario requirements, ensuring that challenges remain pedagogically valid even when randomised.
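The selection step described here, and the "remotely exploitable vulnerability leading to user-level compromise" requirement mentioned earlier, can be sketched as follows. This is an added example, not SecGen's own code: the attribute names access and privilege, their values, the example/ path prefixes and the helper names are assumptions made for illustration.

```ruby
# Simplified sketch of attribute-based module selection (not SecGen's code).
# Each hash stands in for fields read from one module's secgen_metadata.xml.
# All paths and field values are constructed; only the module name
# unrealirc_3281_backdoor comes from the scenario snippet on this page.
MODULES = [
  { module_path: 'example/irc/unrealirc_3281_backdoor',
    access: 'remote', privilege: 'user' },
  { module_path: 'example/net/remote_root_service',
    access: 'remote', privilege: 'root' },
  { module_path: 'example/local/suid_binary',
    access: 'local', privilege: 'root' },
  { module_path: 'example/web/remote_user_webapp',
    access: 'remote', privilege: 'user' }
].freeze

# A filter maps attribute names to regex sources, in the style of
# module_path=".*/unrealirc_3281_backdoor". Every attribute must match in
# full; an attribute the metadata lacks (e.g. a typo) matches nothing, so a
# misspelled constraint cannot silently widen the selection.
def candidates(filter, library = MODULES)
  library.select do |mod|
    filter.all? do |attr, pattern|
      mod.key?(attr) && /\A(?:#{pattern})\z/.match?(mod[attr].to_s)
    end
  end
end

# Pick one candidate with a seeded RNG so a given learner's build is
# reproducible, and fail closed when nothing satisfies the scenario.
def select_module(filter, seed:, library: MODULES)
  matches = candidates(filter, library)
  raise ArgumentError, "no module satisfies #{filter.inspect}" if matches.empty?

  matches.sample(random: Random.new(seed))
end

if __FILE__ == $PROGRAM_NAME
  requirement = { access: 'remote', privilege: 'user' }
  (1..3).each do |seed|
    puts "seed #{seed}: #{select_module(requirement, seed: seed)[:module_path]}"
  end
end
```

Because the scenario constrains outcome attributes rather than naming a module, every learner gets a challenge of the same class while the concrete vulnerability differs between builds.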

Infrastructure that Scales

Managing hundreds of VMs across multiple datacenter cluster nodes isn't trivial. Hacktivity handles this by dynamically moving VMs between server nodes to maintain load balance. We use virtualisation APIs to track resource usage and VM states in real-time, automatically adjusting to demand.

Users can control their VMs directly through Hacktivity - starting, stopping, taking snapshots, and mounting disks. When they're done, VMs can be reset to their original state and returned to the pool for others to use. It's efficient resource usage that enables us to support large-scale deployments.

Real-World Impact

This isn't just cool tech for tech's sake. At Leeds Beckett University, Hacktivity is already supporting 300+ students weekly as part of their NCSC-accredited cyber security degrees. The platform handles everything from lab exercises to formal assessments, with automated marking and detailed progress tracking.

Read More

We've published papers about Hacktivity. If you want to dive in deeper, here are some highlights:

Paper: Z.C. Schreuders, T. Shaw, Hacktivity Cyber Security Labs: Randomised Challenges and Virtualisation Infrastructure Management, with CyBOK Integration, Advances in Cyber Security Education, Bristol, UK. CSE-Connect, 2024.

Paper: Z.C. Schreuders, T. Shaw, M. Shan-A-Khuda, G. Ravichandran, J. Keighley, and M. Ordean, “Security Scenario Generator (SecGen): A Framework for Generating Randomly Vulnerable Rich-scenario VMs for Learning Computer Security and Hosting CTF Events,” USENIX Workshop on Advances in Security Education (ASE'17), Vancouver, BC, Canada. USENIX Association, 2017. (This paper provides a good overview of SecGen.)

Experience It Yourself

Now you can access this same powerful platform. Our Pro subscription gives you access to labs and multi-step CTFs, all running on this robust technical infrastructure. Whether you're just starting out or looking to advance your cyber security career, you'll benefit from training on a platform that takes technical excellence seriously.

Pro

For great value access to training and hacking challenges

£7.00

per month (incl. VAT)

£84 billed annually
50% off, ongoing discount!

Features:

Hosted full desktop experience

Randomised personal instances

Hands-on courses and labs designed to take you from beginner to expert

Video explainers and demos

Capture the Flag (CTF) challenges

Hack Boxes

Interactive Hackerbot

Streaks and personal statistics

CyBOK mapping and skills charts

Multi-platform support

Premium

For a premium experience

£15.00

per month (incl. VAT)

£180 billed annually
25% off, ongoing discount!

Features:

Hosted full desktop experience

Randomised personal instances

Hands-on courses and labs designed to take you from beginner to expert

Video explainers and demos

Capture the Flag (CTF) challenges

Hack Boxes

Interactive Hackerbot

Streaks and personal statistics

CyBOK mapping and skills charts

Multi-platform support

Plus Premium features:

No cooldown between challenges

More concurrent challenges

Longer VM run times

Priority access to additional servers

Business & Education

For businesses and educational institutions to run courses for your learners

£40.00

per user/month (excl. tax)

£480.00 billed annually

Features:

Hosted full desktop experience

Randomised personal instances

Hands-on courses and labs designed to take you from beginner to expert

Video explainers and demos

Capture the Flag (CTF) challenges

Hack Boxes

Interactive Hackerbot

Streaks and personal statistics

CyBOK mapping and skills charts

Multi-platform support

No cooldown between challenges

More concurrent challenges

Longer VM run times

Priority access to additional servers

Plus Business & Education features:

An entire curriculum design mapped to CyBOK

Create customised courses

Manage training staff and learner enrollments

Training staff can access learners' VMs

Additional assessments and tests

Set challenge weightings, and download scores

Transferable seats

Invoicing

Personalised support


Want to see how it works in practice? Start with our beginner-friendly Ethical Hacking course and experience the difference proper technical architecture makes.

Subscribe from just $7/month
