As with any other professional activity, in the world of ethical hacking practice makes perfect. Today there are thousands of ethical hackers analyzing databases, websites, mobile applications and other deployments for security vulnerabilities that could be exploited, all in order to notify administrators and, at best, get a bug bounty.

Finding vulnerabilities in the wild is a job that requires a lot of practice, so for security researchers the platforms and tools that allow them to develop their skills have become a very useful resource, although it is worth thinking about the best tools available.

This time, pentesting experts from the International Institute of Cyber Security (IICS) present a list of the best platforms for the practice and improvement of Capture the Flag (CTF) hacking and practice skills.

Hack the Box

This is one of the most important pentesting platforms in the world, with 127 vulnerable systems, 65 CTF tasks and multiple virtual implementations of hardcore AD.

Over the past few years Hack the Box has become a popular tool among pentesting experts, as it features a convenient web interface for active VM instance management, extensive technical support and a constantly updated list of vulnerable hosts.

Web-Security Academy

This is a platform developed by the creators of Burp Suite very popular among vulnerability bounty hunters.

OWASP Juice Shop

This is a web application written in JavaScript for pentesting training purposes. This platform is full of security flaws designed for users to exploit, as a fantastic cybersecurity training method.


This is a platform that provides online labs dedicated to the deployment of penetration tests. This website offers a variety of free activities for all those interested in honing their pentesting skills.


This website allows you to improve your hacking skills, with over 200 exercises and 50 virtual environments.


This is a large library of virtual machines that presents an environment with pentesting exercises for all tastes and knowledge levels.


This is a recently created platform that allows cybersecurity enthusiasts to get acquainted with very interesting topics. Unlike other self-taught platforms, TryHackMe employs all kinds of techniques to facilitate learning, accompanied by users throughout the process.

Hacker 101

This is a free didactic site for any hacking enthusiast backed by the renowned HackerOne Vulnerability Rewards platform.

PentestIt Laboratories

This is a platform operated from Russia as a large pentesting lab, allowing ethical hackers to develop their skills consistently.

Pentester Academy

In exchange for $249 USD per month, users of this platform can have multiple hands-on activities to develop their skills as ethical hackers and pentesting experts.

Attack & Defense

With over 2100 hacking activities, Attack & Defense users will be able to 100% develop their pentesting capabilities.

CTF Antichat

This is a platform to complete tasks focused on exploiting vulnerabilities and identify indicators of engagement in the systems analyzed.


Avatao has around 600 tasks and tutorials, more than 10 languages and a very complete vulnerability database.

Capture The Flag At UCF

This is another platform with multiple tasks in various areas of pentesting and ethical hacking.

Exploit Education

Exploit Education provides many resources that anyone can use to learn about vulnerability analysis, exploit development, pentesting, binary analysis and many other cybersecurity issues.

CSAW 365

This is a community of cybersecurity experts that allows you to share a lot of useful information for hacking.

Practical Pentest Labs

This is a large pentesting and exploiting lab on Windows systems available to those users willing to pay $43 USD per month.


Hack.me is a great collection of vulnerable web applications to put your hacking skills into practice. All applications are provided by platform members and can each be launched in a sandbox.

XSS Game

This is a Google program designed to practice searching for XSS vulnerabilities.


This platform was developed by the creators of RuCtf and contains a lot of useful material for pentesting experts.


This Russian website contains thousands of free hacking tasks and is highly recommended for ethical hacking enthusiasts and pentesting specialists.


This is another great teaching option for researchers to develop their skills.


This is another online platform to learn about network security and ethical hacking. Hackers will be able to develop their forensic, cryptography and reverse engineering skills.

Enigma Group

Enigma Group contains over 300 hacking tasks with a focus on OWASP’s top 10 exploits. The site has nearly 48,000 active members and hosts Capture The Flag contests on a weekly basis.


CTFlearn is a platform that allows hacking enthusiasts to put their skills into practice and compete with other researchers. This platform stores a wide set of free activities in all kinds of areas.

CTF Komodo

Komodo Consulting developed a platform completely focused on application hacking, allowing researchers to gain experience in vulnerability analysis.


RingZer0 Team Online CTF offers over 200 challenges that will test your hacking skills in multiple areas, from cryptography, malware analysis to SQL injection and pentesting.


This website contains about 61 active sites with Capture the Flag tasks divided into multiple skill difficulty levels.

Hack This Site

This is a free war games site for any user to test and improve their hacking skills, from basic tasks to complex analysis. This website also includes a forum for users to share their experiences with the ethical hacking and pentesting community.


W3Challs is a multitasking learning platform organized into a variety of categories, including hacking, war games, forensic analysis, cryptography, steganography and programming in multiple languages.

Game of Hacks

Game of Hacks displays a set of code snippets in a questionnaire with multiple options, among which users will need to identify the corresponding vulnerability.

WebGoat Project

This site is especially focused on training ethical hackers and pentesting experts. WebGoat is a cross-platform tool that can be run on any operating system with Apache Tomcat and Java SDK.


This platform allows users to test skills to work with SQL injections and has 65 tasks sorted according to their difficulty level.


This is a very interesting resource with a lot of tasks and instructions for pentesting enthusiasts.

Defend the Web

This is an interactive security platform where researchers can improve their hacking skills. Defend the Web has over 60 levels of difficulty developing the most sophisticated skills.


This is the ideal platform for all those interested in the theoretical study of information security regardless of their level of experience.

Even beginner hackers can find great guidance for solving practical issues in OverTheWire.


This is a war games website for hackers and pentesters to test their skills.

Command Challenge

This is a great option to develop your hacking skills.


This is a war game from the creators of netgarage.org, a community where like-minded people share knowledge about security, artificial intelligence, virtual reality and more.

Google Gruyere

That python-written platform offers black hat and white hat pentesting and hacking capabilities for experts to learn to think like researchers and cybercriminals.


While CTFtime is not a hacking site like the others on this list, it is a great resource to keep up with CTF competitions taking place around the world.


This is a free open source platform for pentesting web applications. The application is provided as a PHP/MySQL instance for self-deployment.

Damn Vulnerable Web Application

This platform will be of great help to security professionals who wish to test their skills in a legal environment. Like the previous example, this application is provided as a PHP/MySQL instance for self-implementation.


This is a specialized open source web application that contains about 100 vulnerabilities classified according to the OWASP methodology.

Metasploitable 2

Metasploitable 2 is like a boxing bag for pentesters and programs like Metasploit and Nmap. All ports are open and all known vulnerabilities are present on this platform.

Metasploitable 3

This is a free virtual machine that allows users to simulate attacks using Metasploit. This is one of the favorite tools of cybersecurity specialists.

ThreatGEN: Red vs. Blue

This is an excellent platform to get into the world of war games and ethical hacking.


Hacknet is a hacking simulator with a computer terminal interface presented in the form of a fun role playing game.

To learn more about information security risks, malware variants, vulnerabilities and information technologies, feel free to access the International Institute of Cyber Security (IICS) website.