hackr.gg is a hands-on cybersecurity training platform. Every module pairs clear theory with a hands-on inline lab — you exploit a real vulnerability right inside the lesson, directly in your browser. No VM to configure. No VPN to fight with. No setup at all.
We built hackr.gg because the way most people learn security is backwards. Courses that are 80% slides and 20% lab don't produce people who can actually hack things. Watching a video of someone exploiting an SQL injection is not the same as doing it yourself against a live target, under time pressure, with a flag you have to retrieve.
Our model is the opposite: minimal theory, maximum hands-on time. Read enough to understand what's happening, then immediately attack something real and capture a flag. Skills stick when you earn them.
When you reach a lab, a deliberately vulnerable app runs right inside the lesson. You type real payloads — SQL injection, XSS, IDOR, command injection — and watch them land instantly, validated as you go. Nothing to install, nothing to spin up, no VPN.
Everything runs safely in your browser — you can't accidentally attack anything real, and nothing you do can affect anyone else. Reload the page and the lab resets.
Everything on hackr.gg is designed for educational use in isolated, controlled environments. The skills taught here — SQL injection, XSS, command injection, privilege escalation — are the same skills used by professional penetration testers and bug bounty hunters operating legally with explicit authorisation.
We take this seriously. Labs are sandboxed and network-isolated. Techniques are taught in the context of defensive security — you learn how attacks work so you can defend against them, find them in bug bounty programmes, and build systems that don't have them.