Here's a curated list of 20+ free online defensive/offensive security labs and platforms you can use to practice ethical hacking, penetration testing, VAPT, CTFs and real-world exploitation safely and legally learning paths 👇

🎯 General Pentest & CTF Practice Platforms (Free)

  1. TryHackMe — Guided beginner-to-advanced cybersecurity labs (some free content). https://tryhackme.com
  2. Hack The Box — Real lab machines and challenges (free "Starting Point" + periodic free labs). https://hackthebox.com
  3. OverTheWire — Classic wargames for Linux, networking, exploitation fundamentals. http://overthewire.org
  4. Root-Me — Huge multilingual CTF platform with web, crypto, reversing, forensics. https://www.root-me.org
  5. PicoCTF — Beginner-friendly CTF with Linux shell access & varied challenges. https://picoctf.com
  6. CTFlearn — Community CTF challenges across many difficulty levels. https://ctflearn.com (community resource)
  7. Attack-Defense — Free CTF/CTF-like practice and team competitions. https://attackdefense.com
  8. Academy Hackaflag BR — Free gamified security CTF platform. https://hackaflag.com.br
  9. CMD Challenge — Command-line puzzle challenges for skill mastery. https://cmdchallenge.com
  10. Google CTF — Google's own curated CTF challenges and puzzle platform. https://lnkd.in/eTSiwDN8 (redirect from post)
  11. CTF Komodo Security — Free CTF challenges covering many security categories. https://ctf.komodosec.com

🕵️ Web Security & Vulnerability Labs

  1. PortSwigger Web Security Academy — Hands-on web vulnerability labs (SQL Injection, XSS, SSRF etc.). https://portswigger.net/web-security
  2. Vulnmachines — Browser-based real-scenario penetration labs (Cloud, web, OSINT). https://www.vulnmachines.com
  3. Hacking-Lab — Free hands-on hacking labs for web/network exploitation. https://hacking-lab.com
  4. Hacker101 CTF — Free web security CTF by HackerOne with video guides. https://ctf.hacker101.com
  5. Hacksplaining — Interactive vulnerability teaching & labs (XSS, SQLi, CSRF). https://hacksplaining.com

🧪 Vulnerable Apps & Boot2Root VM Labs

  1. Vulnhub — Downloadable vulnerable VMs to hack offline. https://www.vulnhub.com
  2. PentestIt Lab — Free boot2root machines to practice. https://lab.pentestit.ru
  3. PentesterLab (Free Exercises) — Web app labs with real vulnerabilities. https://pentesterlab.com/exercises
  4. Exploitation Education — Browser-based exploitation labs. https://exploit.education (from lists)
  5. Root in Jail — Simple boot2root practice VMs. http://rootinjail.com
  6. SmashTheStack — Classic stack/format exploitation challenges. https://lnkd.in/ek9UAe8m

🧠 Specialized & Fun CTF Challenges

  1. Cryptopals Crypto Challenges — Crypto puzzle hacking drills. https://cryptopals.com
  2. NewbieContest — Easy CTF challenges for beginners. https://www.newbiecontest.org
  3. W3Challs — Variety of hacking challenges including reverse, web, shell. https://w3challs.com
  4. WeChall — Aggregator of many CTF challenge sites. http://wechall.net
  5. Zenk-Security Labs — Free labs focusing on multiple techniques. https://zenk-security.com

🧠 Bonus Free Tools & Resources

  1. LabEx Kali Free Labs — Interactive Kali Linux & hacking playground. https://labex.io/free-labs/kali

💡 Tip: Combine these platforms with tools like Kali Linux, Burp Suite, and Nmap to simulate real pentest workflows.

📌 How to Use These

✔ Start with guided platforms (TryHackMe, PortSwigger, Hacker101) to learn fundamentals. ✔ Move to boot2root & VM labs (Vulnhub, PentestIt) to practice real exploitation. ✔ Join CTF platforms (PicoCTF, Attack-Defense, Root-Me) for varied challenge types. ✔ Use web labs to master OWASP Top 10 and web vulnerabilities.