Where to hack legally and for free.

Free tier substantial · $14/mo Premium recommended after month one · Absolute beginner → mid

The single best starting platform for someone with zero background. Browser-based, no setup. Guided learning paths ('Pre-Security', 'Cyber Security 101', 'Junior Penetration Tester'). Each room walks you through a concept and then has you exploit a deliberately vulnerable machine. The 'rooms' format is gamified and that works · stage-01-to-stage-02 graduation almost always happens here.

Free + paid ($14/mo VIP, $20/mo VIP+, Academy modules ~$50-$150 each) · Beginner → senior

Less hand-holding than TryHackMe. The box you spin up is the entire challenge — figure out what it's running, find the path in, escalate to root, capture the flags. This is the platform that reveals whether you're going to be good at this. The 'Pro Hacker' rank or higher is a real credential on resumes. HackTheBox Academy is their paid course track; the CPTS / CBBH paths there are well-regarded.

100% FREE · forever · Beginner → senior · web focus

Made by the people who make Burp Suite. The single best free web-application security training in existence. Every lab is a real deliberately-vulnerable web app you exploit using the free Burp Community Edition. Apprentice / Practitioner / Expert tiers. If you want to do web pentest or bug bounty, finish this. All of it.

100% FREE · Linux beginner → CTF veteran

The Bandit wargame (Level 0 → Level 34) is the canonical Linux + command-line + Unix-tooling primer for security. Each level gives you SSH access to a box; you find the password for the next level somewhere on the filesystem or in a running process. By Level 20 you've absorbed years of Linux fluency without realizing.

100% FREE · High school → undergrad → beginner pro

Carnegie Mellon's CTF (capture-the-flag) platform. Originally for high-school students, now a year-round on-ramp for anyone. Challenges in cryptography, reverse engineering, web exploitation, binary exploitation, forensics. The puzzles are real, the difficulty curve is reasonable, and 'I did well on picoCTF' is a credential at the early-career stage.

Free tier + paid labs · Blue-team focused · beginner → senior

If you're more interested in defending than attacking (often higher-paying and more in-demand than the marketing makes it seem), this is your TryHackMe. Forensics challenges, incident response scenarios, log analysis, threat hunting. The free tier is large enough to learn the core competencies.

Free + paid tiers · Beginner → expert

French-origin platform that's been running for years and is one of the largest repositories of CTF-style challenges (cryptanalysis, network, web, programming, forensics, app-system, app-script, realist, steganography). Multilingual UI. Cheap subscription if you want VPN access to their lab network for the realist challenges.

100% FREE · Pre-OSCP practice

Downloadable virtual machines, free. You run them in your own VM software (VirtualBox is free). The 'OSCP-like' boxes (search for 'OSCP-like' in the description filter) are vetted to prepare you for the OSCP exam. No leaderboard, no scoring · pure practice on isolated machines you control.

Free with HTB account · Bridge from TryHackMe to HTB

Three tiers of guided machines that bridge the gap from TryHackMe's hand-holding to HackTheBox's silence. If you finish TryHackMe's Junior Penetration Tester path and feel under-prepared for HTB's main free machines, do Starting Point first.

100% FREE · self-hosted · Beginner web

OWASP-maintained vulnerable applications you run locally. Juice Shop in particular is excellent — modern JavaScript SPA with every OWASP Top 10 vuln intentionally present, plus a scoreboard. Run with Docker in one command. Self-paced, self-hosted, well-documented.