Jump to

ThreatSpace Cyber Range

When your systems are under attack, the time for planning a response has already passed. Your teams must spring into action immediately, working swiftly and in concert. Each member must know their role – and the action to take – without hesitation.

This kind of coordination doesn't just happen. It requires hours of practice working with a range of real-world scenarios in a safe space – without the fear of failing.

What is ThreatSpace?

A virtual environment that experiments with real-world attack scenarios to rehearse and refine incident response capabilities in a consequence-free environment.

ThreatSpace is a technology-enabled cyber range that assesses and develops your security team’s technical capabilities, processes, and procedures when responding to real-world cyber threats.

This is done in a consequence-free environment, through a simulated infrastructure that includes network segments, servers, and applications.

Students investigate and respond to simulated attacks with real-time coaching from our expert instructors. Your team will receive feedback on their strengths and weaknesses, along with an actionable best practices roadmap for improvement.

The ThreatSpace experience

During a typical 3-day ThreatSpace workshop, our expert instructors will provide guidance to help your security professionals learn from their mistakes as well as their successes. When the workshop ends, our instructors will  recommend areas of improvement so that, when a threat or attack does occur, your team is confidently prepared.

  • Hands-on experiential learning
  • Variety of real-world threat and attack scenarios
  • Expert coaching and evaluation
  • Simulated, consequence-free environments
  • Custom scenarios available

Learn more

What are the benefits of ThreatSpace Cyber Range?

Identify gaps and opportunities for improvement

Investigate real-world, complex incidents to identify gaps in training, processes, procedures, and communication plans.

Learn from incident response experts

Work closely with experienced Mandiant incident responders who draw on years of intelligence-led investigative expertise to assess and provide real-time feedback and coaching.

Investigate critical security incidents

Familiarize your response and intelligence teams with the latest attack scenarios and attacker TTPs relevant to your organization, as learned from Mandiant advanced persistent threat (APT) investigations.

Gain experience with different attack scenarios and threat actors

Evaluate and improve the abilities of your incident response and intelligence teams as they respond to various attack scenarios and threat actors in real time.

Research and analyze identified threats

Learn how to effectively research attacker TTPs and identify indicators of compromise from host-based and network-based artifacts.

ThreatSpace sample scenarios

Custom scenarios are offered to meet your organization's specific objectives. Listed below are examples of popular exercises performed.

Reconnaissance by an insider threat

This scenario emulates an insider threat with a valid user currently on a system. This user opens a reverse shell session on the initial access host and uses it to discover information about the entire network.

Beacon deployment

This scenario imitates an attacker gaining access to a host via a spear phishing attachment. It opens a bypass session on that host, gathers information, and deploys a beacon.


A domain user is compromised, allowing the threat to access the system and move laterally, conducting internal reconnaissance and establishing persistence. Once initial compromise is secured, the attacker deploys ransomware and runs malware on multiple mission-critical systems.

Active directory attack

A threat actor gains access to a host and begins discovery before conducting a Kerberoast attack and further reconnaissance of the domain. Then, the actor compromises the domain controller, exfiltrates passwords, and disrupts normal business operations.