Software powers almost every part of business, which means attackers have more chances than ever to exploit insecure code. A new report from CMD+CTRL Security looks at how teams are building their defenses through cyber range training. Based on more than 1,000 cyber range events and 600,000 completed challenges, the study shows where teams are improving and where important security skills are still missing.
Hands-on training drives real results
Traditional training often fails to prepare teams for real-world threats. Cyber ranges create simulated environments where participants face realistic vulnerabilities like broken access controls, injection attacks, and misconfigurations. According to the report, repeat participants improved their performance by more than 120 percent over time and solved nearly twice as many challenges as first-time learners. This shows that ongoing, cyber range training can help teams retain knowledge and steadily improve their skills.
The report also found that 70 percent of participants came from software development roles, reinforcing the need for secure coding education. However, security defenders and red team members tended to be the top performers, highlighting the value of cross-functional training.
Beginners outshine seasoned pros (Source: CMD+CTRL Security)
Early-career professionals are key to growth
One of the most striking findings is that junior professionals with zero to three years of experience showed the fastest growth in skills. They scored higher on average per event than more experienced peers, demonstrating that immersive, gamified training is especially effective for new talent.
For security leaders, this suggests that investing in early-career training programs and providing structured learning paths can quickly build a strong talent pipeline. Experienced team members still need advanced challenges to stay engaged, but the biggest return comes from helping newcomers ramp up quickly.
Where teams excel and where they struggle
The most completed challenges were focused on the OWASP Top 10 risks, particularly broken access control, cross-site scripting, and injection flaws. These align closely with the threats organizations see every day, showing that realistic scenarios are essential for training relevance.
At the same time, many basic and core challenges in key areas like sensitive data exposure and broken authentication were frequently missed. This signals that some foundational concepts are not being reinforced. The report recommends adding guided hints and structured walkthroughs to help learners overcome these sticking points.
Building a balanced training strategy
The data shows that intermediate-level challenges drive the most learning progress, with 45 percent of all completed challenges falling into this category. Basic ranges are valuable for onboarding, while advanced ranges are necessary to challenge senior staff. A well-rounded program needs all three levels to maintain engagement across the workforce.
The report also emphasizes the importance of blending different types of learning. Cyber ranges work best when combined with courses, assessments, and capstone events as part of a structured journey. This integrated approach leads to higher participation and stronger outcomes compared to standalone courses.
Measuring success and proving ROI
For CISOs, one of the most valuable aspects of cyber ranges is the data they provide. Challenge completion rates, speed, and progression over time show leaders how their teams are improving. This insight helps identify emerging top performers, guide promotions, and justify training budgets.
By investing in realistic, hands-on environments and tracking performance, security leaders can close skill gaps, accelerate onboarding, and build resilient teams. As cyber ranges become more common, they are set to play a central role in how organizations measure and improve their overall security readiness.
Source link
