Full-stack cybersecurity training platform — infrastructure, automation, AI, and real-world simulation
The CRC Cyber Lab combines enterprise infrastructure, automation, AI, and real-world simulation into a single training platform. Every component is designed to deliver one outcome: students who can operate, not just pass tests.

| Host | Role | IP (LAN) | Hardware |
|---|---|---|---|
| PVE1 | Primary Proxmox hypervisor | 192.168.1.90 | Production server, 256GB+ RAM |
| PVE2 | Secondary Proxmox hypervisor | 192.168.1.55 | Production server, 256GB+ RAM |
| Dreamwall | Edge firewall / router | 192.168.1.1 | Ubiquiti Dreamwall |

- Proxmox VE cluster across two physical nodes
- 50+ virtual machines across the cluster
- High-density VM hosting for concurrent student pods
- Snapshot and rollback capability per VM

| Network | Subnet | Purpose |
|---|---|---|
| vmbr0 (Management LAN) | 192.168.1.0/24 | Infrastructure management |
| pod01net – pod20net | 10.50.1.0/24 (shared) | Student lab networks |

| IP | Host | Role |
|---|---|---|
| 192.168.1.90 | PVE1 | Primary hypervisor |
| 192.168.1.55 | PVE2 | Secondary hypervisor |
| 192.168.1.1 | Dreamwall | Edge firewall |
| 192.168.1.42 | crc-wiki-01 | Wiki.js (this wiki) |
| 192.168.1.61 | crc-ai-ide-01 | OpenHands + CyberLab Portal |
| 10.50.1.10 | DC01-P01 | Primary Domain Controller (VM 200) |
| 10.50.1.11 | DC02-P01 | Replica Domain Controller (VM 221) |

Each student operates in their own pod — an isolated workspace within a shared Active Directory domain. The shared domain model reduces infrastructure overhead while maintaining realistic enterprise scale.

```
              Dreamwall Firewall
                  192.168.1.1
                       |
            vmbr0 (192.168.1.0/24)
      ___________|___________|___________
     |           |           |           |
   PVE1        PVE2       Wiki.js    OpenHands
   .1.90       .1.55       .1.42       .1.61
     |
pod01net - pod20net (10.50.1.0/24)
     |
_____|_____
|         |
DC01      DC02
.1.10 <-> .1.11
     |
[ AWX Automation Engine ]
```

- Shared Domain: All pods use `acs-p01.local` — one AD domain, multiple isolated OUs
- OU-Level Isolation: Each pod gets its own OU tree (`OU=PodXX,OU=CyberLab`)
- Per-Pod Delegation: Students can only manage objects within their own OU
- Shared DCs: DC01-P01 (primary) and DC02-P01 (replica) serve all 20 pods
- DC-Only Labs: Labs execute on the DC itself — no per-pod workstation VMs needed
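
Because every pod shares one domain, the isolation rests entirely on OU ACLs, so it is worth auditing that no pod's delegated group holds rights on another pod's OU. The following is an added example, not the lab's own tooling; the `PodNN-Students` group naming, the `ACS-P01` NetBIOS name and the sample ACEs are assumptions constructed for illustration.

```powershell
# Added example: flag Allow ACEs where one pod's group has rights on another pod's OU.
# On a DC, build the input after Import-Module ActiveDirectory with:
#   $acls[$dn] = (Get-Acl -Path "AD:\$dn").Access
function Find-CrossPodDelegation {
    param([Parameter(Mandatory)] [hashtable] $AclByOu)   # OU DN -> array of ACE objects
    foreach ($ouDn in $AclByOu.Keys) {
        # Only pod OUs under OU=CyberLab are in scope (OU tree from the page).
        if ($ouDn -notmatch '^OU=(Pod\d{2}),OU=CyberLab,') { continue }
        $ownerPod = $Matches[1]
        foreach ($ace in $AclByOu[$ouDn]) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            $trustee = "$($ace.IdentityReference)"
            # Assumed naming: DOMAIN\PodNN-<role>. Another pod's group here is a leak.
            if ($trustee -match '\\(Pod\d{2})-' -and $Matches[1] -ne $ownerPod) {
                [pscustomobject]@{
                    OU        = $ouDn
                    Trustee   = $trustee
                    Rights    = "$($ace.ActiveDirectoryRights)"
                    Inherited = $ace.IsInherited
                }
            }
        }
    }
}

# Constructed sample ACLs: Pod01's group was wrongly granted write access on Pod02's OU.
function New-SampleAce($Trustee, $Rights) {
    [pscustomobject]@{
        IdentityReference     = $Trustee
        ActiveDirectoryRights = $Rights
        AccessControlType     = 'Allow'
        IsInherited           = $false
    }
}
$acls = @{
    'OU=Pod01,OU=CyberLab,DC=acs-p01,DC=local' = @(
        (New-SampleAce 'ACS-P01\Pod01-Students' 'GenericAll')
    )
    'OU=Pod02,OU=CyberLab,DC=acs-p01,DC=local' = @(
        (New-SampleAce 'ACS-P01\Pod02-Students' 'GenericAll'),
        (New-SampleAce 'ACS-P01\Pod01-Students' 'WriteProperty')
    )
}

# Reports one finding: Pod01-Students holding WriteProperty on the Pod02 OU.
Find-CrossPodDelegation -AclByOu $acls | Format-Table -AutoSize
```
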

| Decision | Rationale |
|---|---|
| Shared domain, OU isolation | Reduces VM count from 40+ to 2 shared DCs |
| DC-only labs | Eliminates need for per-pod workstation VMs |
| Web-based access (Guacamole) | Zero client software — students need only a browser |
| Full automation (AWX) | Seed 20 pods in < 2 minutes, verify instantly |


| Family | Code | Labs | Status |
|---|---|---|---|
| Access Control | AC | 12 | Live |
| Identification & Authentication | IA | 12 | Live |
| Audit & Accountability | AU | 12 | Coming Soon |
| System & Comms Protection | SC | 12 | Coming Soon |
| System & Info Integrity | SI | 12 | Coming Soon |
| Configuration Management | CM | 12 | Coming Soon |

All labs simulate the fictional company ACS Consulting, giving students a consistent narrative:
- Real users, groups, and organizational structure
- Intentional misconfigurations seeded by automation
- Step-by-step remediation using enterprise tools
- Automated verification for every objective
- Active Directory Users and Computers (ADUC) — user/group/OU management
- PowerShell — reporting, policy configuration, service inspection
- Task Scheduler — scheduled task review and remediation
- Group Policy Management — GPO analysis and configuration
- File Explorer & Notepad — evidence file creation
The Juicebox is the automation and orchestration layer that turns static labs into a living system.
- AWX (open-source Ansible Tower) — enterprise automation platform
- Ansible Playbooks — one playbook per lab, per action (seed/verify/reset)
- WinRM — remote execution against Windows domain controllers

| Function | Description |
|---|---|
| Seed | Deploy misconfigurations to all 20 pods in < 2 minutes |
| Verify | Check every remediation step — PASS/FAIL per objective |
| Reset | Restore pods to seed state for retries or next class |
| Progress Track | Per-student, per-lab completion tracking |


```
INSTRUCTOR                   AWX / ANSIBLE                  STUDENT POD
───────────                  ─────────────                  ───────────
Launch seed job ──────────>  Run seed playbook ─────────>   Misconfigured
                                                            (FAIL state)
                                                            Student works on lab...
Launch verify job ─────────> Run verify playbook ────────>  Check each item
                                                            PASS / FAIL
Launch reset job ─────────>  Run reset playbook ────────>   Back to seed state
```

The Open Range is an unstructured learning environment for advanced students and exercises beyond the structured CMMC curriculum.

| Component | Purpose |
|---|---|
| Sandbox ACS Domain | Separate Active Directory domain for open-ended experimentation — students can break things without affecting the main lab environment |
| OWASP Juice Shop | Interactive web application hacking — practice OWASP Top 10 vulnerabilities in a safe environment |
| Pen Test Range | Network scanning, vulnerability assessment, exploit testing against intentionally vulnerable systems |

- Red Team / Blue Team exercises in controlled environments
- Tool experimentation — Nmap, Burp Suite, Wireshark, Metasploit
- Offensive security practice without rigid instructions
- Capture the Flag (CTF) events and competitions
- Incident response drills with live attack scenarios

| Component | Status | Description |
|---|---|---|
| OpenHands AI IDE | Deployed | Browser-based AI coding and operations environment on VM 105 |
| MCP Server | Deployed | Model Context Protocol server — AI-to-AWX bridge for lab operations |
| CyberLab Portal | Deployed | Next.js web portal for instructors and admins (Vercel) |


```
CyberLab Portal (Vercel)
    |
    ├── OpenHands IDE (VM 105, iframe)
    |       |
    |       └── Sandbox Containers
    |               ├── VSCode Server
    |               ├── Chromium Browser
    |               └── Tool Preloading
    |
    └── MCP Server (VM 105)
            |
            └── AWX API Bridge
                    ├── Pod Management
                    ├── Lab Seeding
                    └── Status Queries
```

- AI-driven adaptive difficulty based on student performance
- Natural language lab operations ("seed pod 3 for AC lab 1")
- AI-assisted troubleshooting and hint system
- Personalized learning path recommendations
Students access the lab through Apache Guacamole, a browser-based remote desktop gateway:
- Open any web browser (Chrome, Firefox, Edge)
- Navigate to the Guacamole URL
- Log in with pod credentials
- Click the pod connection — full Windows Server desktop appears
No VPN, no RDP client, no software installation required.
- Real Windows Server 2022 desktop
- Active Directory Users and Computers pre-configured with scoped MMC shortcuts
- PowerShell with access to AD cmdlets
- Task Scheduler with lab-relevant scheduled tasks
- Desktop shortcuts for their specific pod tools

| Time | Step |
|---|---|
| 0:00 | Open browser, log in to Guacamole |
| 0:01 | Click pod connection, get Windows desktop |
| 0:02 | Read lab scenario in student guide |
| 0:05 | Begin identifying the misconfiguration |
| 0:10 | Apply remediation using enterprise tools |
| 0:20 | Complete lab, create evidence files |
| 0:25 | Instructor runs verify — instant PASS/FAIL |

Every lab objective is verified by Ansible playbooks that check the actual state of Active Directory, file system, services, and configurations.

| Check Type | Example |
|---|---|
| AD Object State | Is the account disabled? Is it in the correct OU? |
| Group Membership | Were unauthorized groups removed? |
| Password Policy | Does the fine-grained policy meet requirements? |
| File Evidence | Does the evidence file exist with correct content? |
| Service Config | Is the service account configured correctly? |
| GPO Settings | Are the correct policies applied? |


```
Pod03 — AC M1-L1 Results
========================
[PASS] Account disabled
[PASS] Groups removed
[PASS] Moved to Terminated OU
[PASS] Evidence file found
========================
Result: 4/4 PASSED
```

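
The four objectives in the sample result can be expressed as state checks like the ones below. This is an added example, not the lab's verify playbook; the function name, the group `Pod03-FileAdmins`, the evidence file and the sample user are constructed, and the logic is a pure function so it runs without a domain.

```powershell
# Added example: evaluate the four objectives against an account's current state.
# On a DC the input would come from: Get-ADUser -Identity <sam> -Properties MemberOf
function Test-OffboardingObjectives {
    param(
        [Parameter(Mandatory)] $User,          # needs Enabled, MemberOf, DistinguishedName
        [Parameter(Mandatory)] [string]   $PodOu,
        [Parameter(Mandatory)] [string[]] $UnauthorizedGroups,
        [Parameter(Mandatory)] [string]   $EvidencePath,
        [Parameter(Mandatory)] [string]   $EvidencePattern
    )
    $rdnSplit  = '(?<!\\),'   # split only on commas that are not escaped inside an RDN
    $memberCns = @($User.MemberOf | ForEach-Object { ($_ -split $rdnSplit, 2)[0] -replace '^CN=', '' })
    $leftover  = @($memberCns | Where-Object { $_ -in $UnauthorizedGroups })
    # "Moved" means the object's parent container is this pod's Terminated OU,
    # not a Terminated OU that belongs to some other pod.
    $parentDn  = ($User.DistinguishedName -split $rdnSplit, 2)[1]
    $evidence  = (Test-Path -LiteralPath $EvidencePath) -and
                 [bool](Select-String -LiteralPath $EvidencePath -Pattern $EvidencePattern -Quiet)
    [ordered]@{
        'Account disabled'       = ($User.Enabled -eq $false)
        'Groups removed'         = ($leftover.Count -eq 0)
        'Moved to Terminated OU' = ($parentDn -ieq "OU=Terminated,$PodOu")
        'Evidence file found'    = $evidence
    }
}

# Constructed sample: the student disabled and moved the account but left one group.
$podOu    = 'OU=Pod03,OU=CyberLab,DC=acs-p01,DC=local'
$evidence = Join-Path ([IO.Path]::GetTempPath()) 'offboarding-evidence.txt'
Set-Content -LiteralPath $evidence -Value 'jdoe disabled and moved to Terminated OU'
$user = [pscustomobject]@{
    Enabled           = $false
    DistinguishedName = "CN=Doe\, John,OU=Terminated,$podOu"
    MemberOf          = @("CN=Pod03-Staff,OU=Groups,$podOu", "CN=Pod03-FileAdmins,OU=Groups,$podOu")
}

$r = Test-OffboardingObjectives -User $user -PodOu $podOu -UnauthorizedGroups 'Pod03-FileAdmins' `
        -EvidencePath $evidence -EvidencePattern 'jdoe'
$r.GetEnumerator() | ForEach-Object { '[{0}] {1}' -f $(if ($_.Value) { 'PASS' } else { 'FAIL' }), $_.Key }
'Result: {0}/{1} PASSED' -f @($r.Values | Where-Object { $_ }).Count, $r.Count
Remove-Item -LiteralPath $evidence
```
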

| Metric | Current | Near-Term | Future |
|---|---|---|---|
| Concurrent Pods | 20 | 50+ | 100+ |
| Students per Year | 200 | 500+ | 1,000+ |
| Hypervisor Nodes | 2 | 4 | Cluster |
| CMMC Families | 2 (AC, IA) | 4 | 6 |
| Total Labs | 24 | 48 | 72 |
| Remote Access | VPN-ready | Full remote | Multi-site |

- Add pods = scale students — linear, predictable growth
- Add nodes = scale capacity — Proxmox cluster expansion
- Shared domain architecture — minimal VM overhead per pod
- Automation handles provisioning — no manual setup bottleneck
- Remote access ready — students train from anywhere

| Phase | Target | Description |
|---|---|---|
| AU Labs | Q3 2026 | Audit & Accountability — 12 labs |
| SC Labs | Q4 2026 | System & Communications Protection — 12 labs |
| SIEM Integration | Q4 2026 | Wazuh SIEM for log aggregation and alerting |
| SI Labs | Q1 2027 | System & Information Integrity — 12 labs |
| CM Labs | Q1 2027 | Configuration Management — 12 labs |
| Vulnerability Scanning | Q1 2027 | OpenVAS integration for automated vulnerability assessment |
| Certification Pathways | Q2 2027 | Map lab completion to CompTIA Security+, CySA+, CMMC-AB |
| Multi-Site | Q3 2027 | Federated lab delivery across partner institutions |


| Component | Details |
|---|---|
| PVE1 (Primary) | Proxmox VE, 256GB+ RAM, hosts DCs + Guacamole + AWX |
| PVE2 (Secondary) | Proxmox VE, 256GB+ RAM, hosts Wiki.js + additional VMs |
| DC01-P01 | Primary Domain Controller, VM 200, Windows Server 2022 |
| DC02-P01 | Replica Domain Controller, VM 221, Windows Server 2022 |
| Guacamole | Apache Guacamole RDP gateway (VM 100) |
| AWX | Ansible automation platform (VM 100) |
| Wiki.js | Documentation wiki (VM 106) |
| OpenHands | AI IDE + MCP server (VM 105) |
| CyberLab Portal | Instructor/admin portal (Vercel + Next.js) |
| Dreamwall | Ubiquiti edge firewall and network backbone |
| Domain | acs-p01.local |
| Pod Networks | pod01net through pod20net (10.50.1.0/24) |

TCecure CRC CyberLab — A full-stack cyber training platform combining infrastructure, automation, AI, and real-world simulation