The rise of capture-the-flag (CTF) competitions and offensive security training requires the deployment of systems that are, by design, flawed. This creates a unique architectural paradox: how does one host a system intended to be compromised without compromising the host itself? This paper classifies the security principles of “range engineering”—the discipline of engineering the environment. This research study synthesizes evidence across the cyber-range, honeypot, ICS/OT testbed, and cloud-isolation literature to derive a containment-focused classification of threat planes, security invariants, boundary mechanisms and properties, and operational controls for intentionally vulnerable environments used in education, training, and research. Five security invariants are derived under the assumption of expected compromise and mapped to boundary families and measurable operational objectives. The analysis further identifies under-evidenced areas, particularly control-plane isolation, corrective controls for cross-tenant failures, and systematic validation of externalization defenses.
Stanislav Abaimov (Mon,) studied this question.