Cyber ranges have become essential for hands-on security training, incident response drills, and realistic attack simulations. But traditional cyber range platforms tend to be expensive, hardware-heavy, and tightly coupled to proprietary tooling, putting them out of reach for many organizations and educational institutions.
CK set out to change that.
By building their cyber range on OpenStack, they created a flexible, scalable, and cost-effective environment for red/blue team exercises and security education. Along the way, they reduced costs by 60%, improved deployment times by 70%, and increased training effectiveness by 80%.
This case study walks through how CK designed and deployed their OpenStack-based cyber range, what it looks like under the hood, and what they learned along the way.
Why a Cyber Range, and Why Now?
Cyber threats are evolving quickly, and it’s no longer enough to rely on slides and simulations on paper. Teams need to practice:
- Incident response
- Penetration testing
- Threat hunting
- Forensics and post-incident analysis
A cyber range provides a controlled, high-fidelity environment where all of this can happen without risking production systems.
The problem: traditional cyber ranges often come with:
- High CAPEX on hardware and maintenance
- Limited scalability when running large-scale or concurrent exercises
- Manual, error-prone environment setup
- Rigid licensing and vendor lock-in
CK wanted the opposite: a cloud-like, open, and automated platform for training.
That made OpenStack a natural fit.
Why OpenStack?
OpenStack’s modular, open-source cloud platform gives CK the building blocks to recreate realistic enterprise environments, without the cost and lock-in.
Key reasons CK chose OpenStack for their cyber range:
- Scalability: Dynamic resource allocation for many simultaneous testbeds
- Flexibility: Custom virtual networks, images, and topologies per scenario
- Open source: No licensing fees, full control over the stack
- Multi-tenancy: Isolated environments for teams, customers, or classes
- Automation: Integration with Heat, Ansible, Terraform, and Kolla-Ansible
- Security features: RBAC, network isolation, and strong identity management
Instead of buying a proprietary cyber range product, CK used OpenStack like a toolkit to assemble exactly what they needed.
What CK Needed From Their Cyber Range
Before writing any code or installing any packages, CK defined the core requirements.
Pain Points with Traditional Cyber Ranges
- High upfront hardware and software costs
- Limited ability to scale up for large exercises or multiple cohorts
- Manual VM and network configuration for each scenario
- Shared environments that make strict isolation hard
- Slow scenario deployment and reset times
Requirements for the OpenStack-Based Design
- Dynamic provisioning of VMs, networks, and security policies
- Automation of scenarios, including attack/defense workflows
- Secure multi-tenancy so different teams can train in parallel
- Integration with monitoring and logging for analysis and forensics
- Hybrid cloud options for future expansion
These requirements shaped how CK used specific OpenStack services.
CK’s Methodology: From Idea to Running Range
CK approached the project as a practical case study:
- Infrastructure Setup
  - Select and configure bare-metal servers
  - Deploy OpenStack using KVM as the hypervisor
- Environment Design
  - Create isolated networks, projects, and roles
  - Define Red Team, Blue Team, and observer environments
- Scenario Implementation
  - Deploy security tools, attack frameworks, and monitoring agents
  - Build repeatable labs (e.g., phishing, lateral movement, privilege escalation)
- Testing & Evaluation
  - Benchmark performance and scalability
  - Validate isolation, logging, and forensic readiness
The OpenStack Architecture Behind CK’s Cyber Range
At a high level, CK built a full IaaS environment using OpenStack and then layered cyber range scenarios on top of that.
Keystone: Identity and Multi-Tenant Isolation
Keystone is at the center of identity and access control:
- Manages authentication and authorization for users and services
- Implements role-based access control (RBAC) to isolate training environments
- Uses projects to separate organizations, teams, and classes
- Allows fine-grained control over who can view, modify, or reset scenarios
This gives CK the ability to onboard different customers or cohorts with strong isolation between them.
Nova: Compute for Attackers and Defenders
Nova manages the virtual machines that represent:
- Attack infrastructure (e.g., Kali boxes, C2 servers)
- Defender systems (SIEMs, firewalls, IDS/IPS, jump hosts)
- Victim networks and realistic enterprise workloads
In CK’s deployment, Nova uses KVM as the hypervisor, with dynamic resource allocation so labs can scale based on the number of participants and scenario intensity.
Neutron: SDN for Realistic Network Topologies
Neutron lets CK build complex, isolated network topologies:
- VLAN, VXLAN, and GRE-based segments for Red Team, Blue Team, DMZ, and internal networks
- Integration with firewalls and IDS/IPS for realistic traffic inspection
- Floating IPs and dynamic routing to simulate internet-facing services
- Support for complex, multi-subnet, multi-tier application topologies
Neutron effectively acts as CK’s SDN canvas for creating and tearing down training environments.
Glance: Scenario Images on Demand
Glance stores the VM images used across the range:
- Pre-configured images with tools like Kali Linux, Metasploit, Snort, etc.
- Snapshot-based rollback to reset scenarios between runs
- Export functionality integrated with Kolla-Ansible workflows to share images across environments
This allows CK to treat scenarios as versioned images that can be reused, shared, and quickly redeployed.
Cinder: Persistent Storage for Artifacts and Forensics
Cinder provides block storage volumes that back:
- System and application logs
- Malware samples and captured traffic
- Forensic images for post-exercise analysis
CK optimized Cinder-backed storage pools with RAID to improve redundancy and availability. Storage is allocated based on actual data use rather than just volume size, helping keep costs predictable. Snapshot functionality allows quick rollbacks and cloning for repeatable training and “what-if” analysis.
Heat: Orchestration as Code
Heat is the orchestration engine behind scenario automation:
- Uses templates to define Red Team/Blue Team labs, including VMs, networks, and security groups
- Enables Infrastructure-as-Code for cyber exercises
- Supports rapid deployment, teardown, and reset of complex environments
Combined with Terraform and Ansible, Heat lets CK manage the entire cyber range declaratively.
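As an added illustration of what such a template can look like (this is not CK's own template), the Heat Orchestration Template below defines one small red/blue lab: two segmented networks, an internal-only router, a security group on the defender host, and one VM per side. The image names, flavor, CIDRs and ports are assumptions.

```yaml
heat_template_version: 2018-08-31
description: Added example of one red/blue lab stack; names, CIDRs and ports are assumptions.

parameters:
  attacker_image: {type: string, default: kali-lab}     # assumed Glance image name
  defender_image: {type: string, default: blue-target}  # assumed Glance image name
  flavor: {type: string, default: m1.medium}            # assumed Nova flavor

resources:
  red_net:
    type: OS::Neutron::Net
  red_subnet:
    type: OS::Neutron::Subnet
    properties: {network: {get_resource: red_net}, cidr: 10.10.1.0/24}
  blue_net:
    type: OS::Neutron::Net
  blue_subnet:
    type: OS::Neutron::Subnet
    properties: {network: {get_resource: blue_net}, cidr: 10.10.2.0/24}
  # Router with no external gateway: the two lab segments can route to each other only.
  lab_router:
    type: OS::Neutron::Router
  red_if:
    type: OS::Neutron::RouterInterface
    properties: {router: {get_resource: lab_router}, subnet: {get_resource: red_subnet}}
  blue_if:
    type: OS::Neutron::RouterInterface
    properties: {router: {get_resource: lab_router}, subnet: {get_resource: blue_subnet}}
  # Ingress to the defender host: the exercised service from red, SSH only from blue.
  blue_sg:
    type: OS::Neutron::SecurityGroup
    properties:
      rules:
        - {direction: ingress, protocol: tcp, port_range_min: 80, port_range_max: 80, remote_ip_prefix: 10.10.1.0/24}
        - {direction: ingress, protocol: tcp, port_range_min: 22, port_range_max: 22, remote_ip_prefix: 10.10.2.0/24}
  attacker:
    type: OS::Nova::Server
    properties:
      image: {get_param: attacker_image}
      flavor: {get_param: flavor}
      networks: [{subnet: {get_resource: red_subnet}}]
  defender:
    type: OS::Nova::Server
    properties:
      image: {get_param: defender_image}
      flavor: {get_param: flavor}
      security_groups: [{get_resource: blue_sg}]
      networks: [{subnet: {get_resource: blue_subnet}}]
```

Creating one stack per team or session from a template like this, inside that team's Keystone project, keeps each lab's networks and rules separate, and deleting the stack removes everything it created.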
Horizon: The Human-Friendly Window
Horizon is the web UI that gives instructors and operators:
- A visual network topology view of each scenario
- Real-time insight into which VMs are running and how they’re connected
- A way to trigger scenario resets, modify resources, or observe training sessions
For trainers who aren’t OpenStack experts, Horizon makes the environment approachable.
CK’s Deployment: Hardware and Layout
Underlying Hardware
CK’s range runs on bare metal with:
- CPU: Intel Xeon 64-core
- RAM: 512 GB
- Storage: 4 TB SSD after RAID
- Networking: 10 GbE switches for SDN configurations
- OpenStack version: 2024.2 (current as of March 2025)
- Hypervisor: KVM
This gives enough headroom to run many concurrent scenarios with realistic workloads.
Network Design
The logical network architecture includes:
- Isolated virtual networks for Red Team, Blue Team, and observers
- DMZ simulation to replicate common enterprise internet-facing services
- Firewalls and IDS integration to provide realistic detection and response workflows
- Multi-tenancy so different organizations or classes can run parallel sessions securely
Automation with Kolla-Ansible
CK uses Kolla-Ansible to deploy and manage the OpenStack control plane and supporting services:
- Scenario templates are defined via Heat for automatic deployment
- Terraform and Ansible handle infrastructure as code for repeatability
- Auto-healing and reset workflows allow scenarios to be restored to a known-good state after each session
- Glance + Kolla-Ansible workflows support exporting pre-configured images for reuse or sharing
Testing, Evaluation, and Resource Strategy
Once the cyber range was up and running, CK stress-tested it for scale and reliability.
Performance Benchmarks
- Simultaneous users: 50 concurrent participants
- CPU utilization: ~70% at peak load
- Network latency: Under 10 ms between virtualized hosts
This level of performance allows CK to confidently run multi-team exercises without noticeable degradation.
Security Testing and Forensic Readiness
CK validated:
- Isolation between tenants, teams, and scenarios via penetration testing
- Sandbox integrity, ensuring attacks stay inside the lab
- Forensic readiness, including comprehensive logging, packet capture, and artifact storage for exercises and after-action review
Resource Allocation Strategy
To keep the platform predictable and extensible, CK defined a resource allocation model:
- Scenarios supported: 150+ (from beginner to advanced)
- Average scenario size: 2–5 VMs per scenario, ~10–15 GB per VM image
- Simultaneous active users: Up to 50 with no major performance issues
- RAM per scenario: 6–16 GB depending on VM roles (attacker/defender/observer)
- Storage per session: ~30–50 GB, including logs, snapshots, and user data
- Network throughput: 1–5 Gbps on internal isolated networks
This approach gives CK a clear path to scaling horizontally as adoption grows.
Challenges and Lessons Learned
OpenStack enabled CK’s cyber range—but it wasn’t plug-and-play. Some of the key challenges included:
- High compute demand: Realistic labs require robust hardware to avoid bottlenecks
- Networking complexity: SDN-based segmentation and enterprise-like topologies demand strong Neutron expertise
- Orchestration complexity: Debugging Heat, Ansible, and Terraform interactions can be time-consuming
- Resource balancing: Some scenarios are compute-heavy (e.g., brute-force or crypto), others are storage-heavy (e.g., PCAP or disk forensics), requiring dynamic planning
Despite these hurdles, the benefits outweighed the cost and complexity of traditional proprietary solutions.
What’s Next: Future Enhancements
CK is already looking ahead to extend the OpenStack-based range with:
- Kubernetes integration: Container-based cyber ranges for microservices and cloud-native attack simulations
- AI-driven attack simulations: Automated Red Team activity using AI-generated attack paths or adaptive adversaries
- Federated cyber ranges: Linking multiple OpenStack-based ranges across organizations for joint training exercises and larger scenarios
These directions build on the OpenStack foundation, rather than replacing it.
Conclusion
CK’s experience shows that OpenStack is more than just a general-purpose cloud: it’s a powerful backbone for modern cyber ranges.
By using OpenStack’s compute, networking, storage, identity, and orchestration services, CK built a platform that is:
- Scalable enough to handle many users and scenarios
- Flexible enough to model realistic, complex environments
- Cost-effective, with a 60% reduction in overall costs
- Efficient, with 70% faster deployment times
- Impactful, with an 80% improvement in measurable training effectiveness
For organizations and institutions considering a cyber range, OpenStack offers a compelling alternative to proprietary platforms—especially if you want control, customization, and the ability to iterate quickly.



