CMD+CTRL Cyber Range
CMD+CTRL Cyber Range, by Security Innovation, is a browser-based cybersecurity training and capture-the-flag (CTF) platform. It hosts intentionally vulnerable web applications, APIs, and cloud environments where players earn points by finding and exploiting real vulnerabilities. It is used by security teams for hands-on skills development, hiring assessments, and security awareness programs. A free trial launched in 2026 lets individuals and small teams get started without a purchase.
Installation
CMD+CTRL is a fully hosted SaaS platform — no local installation is required. Access is through your browser.
Access Options
# Free trial signup (2026)
# Visit: https://cmdandctrl.net/trial
# - No credit card required
# - Access to beginner challenge modules
# - Up to 5 team members
# Browser requirements
# Chrome 110+ or Firefox 110+ recommended
# Disable aggressive ad-blockers (may block challenge assets)
# JavaScript must be enabledCLI Companion Tool (optional)
# Install cmdctrl CLI for score tracking and session management
pip install cmdctrl-cli
# Or with npm
npm install -g @securityinnovation/cmdctrl-cli
# Authenticate
cmdctrl login --token $CMDCTRL_API_TOKEN
# Verify
cmdctrl whoamiCTF Event Hosting Setup
# For organizations hosting private CTF events
# Download the event management CLI
curl -sSL https://cmdandctrl.net/cli/install.sh | bash
# Initialize new event
cmdctrl event init \
--name "Acme Corp Pentest Challenge 2026" \
--type ctf \
--duration 8h \
--max-teams 20
# Generate team invite links
cmdctrl event invite --event acme-2026 --teams 20Configuration
Profile Setup
# Set up your player profile via CLI
cmdctrl profile set \
--display-name "h4x0r42" \
--timezone "America/New_York" \
--skill-level intermediate # beginner | intermediate | advanced
# View your current profile
cmdctrl profile show
# Set notification preferences (hint unlocks, new challenges)
cmdctrl profile notifications \
--email-on-new-challenge \
--email-on-hint-unlockTeam Configuration
# Create a team
cmdctrl team create --name "DevSecOps Tigers" --size 5
# Invite members (generates join link)
cmdctrl team invite --team-id TEAM-1234
# Set team captain
cmdctrl team set-captain --user alice@company.com
# View team dashboard
cmdctrl team dashboard --team-id TEAM-1234Event Manager Configuration (for admins)
# Configure challenge set for a training event
cmdctrl event configure \
--event acme-2026 \
--modules "web-app-basics,api-security,auth-bypass" \
--difficulty intermediate \
--hints-allowed true \
--hint-penalty 50 # points deducted per hint used
# Set scoring weights
cmdctrl event scoring \
--first-blood-bonus 200 \
--time-decay-enabled \
--time-decay-interval 30m \
--time-decay-percent 10Core Commands
| Command | Description |
|---|---|
cmdctrl login --token <token> | Authenticate with API token |
cmdctrl whoami | Show current user and team |
cmdctrl challenges list | List available challenges |
cmdctrl challenges list --module <name> | Filter challenges by module |
cmdctrl challenges start <id> | Launch a challenge environment |
cmdctrl challenges submit --id <id> --flag <flag> | Submit a captured flag |
cmdctrl challenges hints --id <id> | List available hints for a challenge |
cmdctrl challenges hints unlock --id <id> --hint 1 | Unlock a specific hint |
cmdctrl challenges reset --id <id> | Reset a challenge environment |
cmdctrl score show | Show your current score and rank |
cmdctrl score leaderboard | Show team/event leaderboard |
cmdctrl score history | Show your flag submission history |
cmdctrl team dashboard | Open team performance dashboard |
cmdctrl event list | List events you are enrolled in |
cmdctrl event join --code <code> | Join an event with invite code |
Advanced Usage
Challenge Navigation
# List all modules and their challenges
cmdctrl challenges list --verbose
# Filter by category and difficulty
cmdctrl challenges list \
--category "injection" \
--difficulty "intermediate" \
--status unsolved
# Get full details on a challenge
cmdctrl challenges info --id CHAL-0042
# Start challenge and open in browser
cmdctrl challenges start --id CHAL-0042 --openScoring and Progress Tracking
| Command | Description |
|---|---|
cmdctrl score show --user <name> | Show score for another player |
cmdctrl score leaderboard --top 10 | Show top 10 players |
cmdctrl score leaderboard --team | Show team leaderboard |
cmdctrl score export --format csv | Export score history |
cmdctrl progress --module web-app-basics | Show module completion % |
cmdctrl progress --all | Show overall completion across all modules |
Session Management
# List active challenge sessions
cmdctrl sessions list
# Extend a session before it expires
cmdctrl sessions extend --id sess-abc123 --minutes 60
# Save session notes locally
cmdctrl sessions notes --id sess-abc123 \
--add "Found IDOR at /api/v1/users/{id} - auth check missing"
# End a session cleanly
cmdctrl sessions end --id sess-abc123Admin: Event Management
# Monitor live event progress
cmdctrl event monitor --event acme-2026
# Export participant scores mid-event
cmdctrl event scores --event acme-2026 --format csv
# Add time to a running event
cmdctrl event extend --event acme-2026 --minutes 30
# Broadcast message to all participants
cmdctrl event announce \
--event acme-2026 \
--message "30 minutes remaining! API Security module is now worth 2x points."
# Generate post-event report
cmdctrl event report \
--event acme-2026 \
--format pdf \
--include "scores,challenge-stats,time-to-solve"Integrations
# Export results to Slack
cmdctrl event scores --event acme-2026 --format slack-webhook \
--webhook $SLACK_WEBHOOK_URL
# Push scores to a Google Sheet
cmdctrl event scores --event acme-2026 --format gsheet \
--sheet-id $GOOGLE_SHEET_ID
# Generate certificates for top performers
cmdctrl event certificates \
--event acme-2026 \
--top 3 \
--format pdf \
--output ./certificates/Common Workflows
Individual Skills Development Path
# 1. Check which modules are available
cmdctrl challenges list --verbose
# 2. Start with a beginner web module
cmdctrl challenges list --module web-app-basics --difficulty beginner
cmdctrl challenges start --id CHAL-0001 --open
# 3. Work through challenges in order; use hints sparingly
cmdctrl challenges hints --id CHAL-0001 # see what hints exist
cmdctrl challenges hints unlock --id CHAL-0001 --hint 1 # unlock first hint
# 4. Submit captured flag
cmdctrl challenges submit --id CHAL-0001 --flag "FLAG{sql1_is_cl4ss1c}"
# 5. Track progress
cmdctrl progress --module web-app-basics
cmdctrl score showTeam Training Event Setup
# 1. Create event with appropriate modules for skill level
cmdctrl event init \
--name "Q2 Security Training" \
--type training \
--modules "web-app-basics,api-security,auth-bypass" \
--difficulty beginner \
--duration 4h
# 2. Generate and distribute invite links
cmdctrl event invite --event q2-training --teams 10 | tee invite-links.txt
# 3. Monitor participation on the day
cmdctrl event monitor --event q2-training --refresh 30s
# 4. Capture results after the event
cmdctrl event report \
--event q2-training \
--format pdf \
--output q2-training-results.pdf
# 5. Identify skill gaps from results
cmdctrl event scores --event q2-training --sort unsolved-challengesHiring Assessment Workflow
# 1. Create a timed assessment event
cmdctrl event init \
--name "Security Engineer Assessment - May 2026" \
--type assessment \
--modules "web-app-basics,api-security,network-recon" \
--difficulty intermediate \
--duration 2h \
--max-teams 1 # solo assessment
# 2. Generate unique invite link per candidate
cmdctrl event invite --event hiring-may2026 --count 5 --unique
# 3. Review results after each candidate completes
cmdctrl event scores \
--event hiring-may2026 \
--include "time-to-solve,hints-used,first-blood"Tips and Best Practices
- Work through challenges in order within each module — later challenges often build on techniques from earlier ones
- Try each challenge for 30 minutes before using a hint — the struggle is where learning happens; hints cost points
- Take notes in
cmdctrl sessions notesas you work so you can reference your approach in post-event debriefs - Use Burp Suite Community Edition alongside CMD+CTRL challenges for web app hacking — it pairs naturally with the platform’s HTTP-based challenges
- Read HTTP responses fully in every challenge — flags and clues are often hidden in headers, cookies, or response bodies
- For API security challenges, check for BOLA/IDOR vulnerabilities by incrementing numeric IDs in endpoints
- Reset the environment with
cmdctrl challenges resetif you break the application state — a clean environment is often faster than debugging a broken one - As a team admin, schedule training events during low-workload weeks and keep them to 2-4 hours to maintain engagement
- Export scores after events and store them — the platform only retains event data for 90 days after an event ends
- Use the hiring assessment mode for standardized candidate evaluation — it disables collaboration features and enforces individual completion