An honest breakdown of the best online hacking labs — hackr.gg, HackTheBox, TryHackMe, PortSwigger, PentesterLab — who each one is for and where they fall short.
To get good at hacking, you need to actually hack things. Not read about hacking. Not watch videos about hacking. Actually run the attacks against real systems and see what happens. The challenge is doing that legally, which means using lab environments built for the purpose.
Here's an honest breakdown of the best online hacking labs available right now — who each one is for, what they're good at, and where they fall short.
hackr.gg spins up isolated vulnerable machines directly in your browser. No VPN, no VM, no local installation. You get an attack terminal and a target web application, both accessible from a single tab.
The labs cover the full web security stack — SQL injection, XSS, IDOR, SSRF, command injection, CSRF, authentication attacks, JWT exploitation, business logic flaws, and more. Each lab is paired with a course module that explains the vulnerability before you exploit it.
Best for: people who want to go from zero to exploiting real vulnerabilities quickly, without spending the first weekend configuring a lab environment. The zero-setup model means you can start a lab in under ten seconds.
HackTheBox (HTB) hosts a constantly rotating set of virtual machines across Windows and Linux, each with realistic vulnerabilities to find and exploit. The goal is to compromise the machine and retrieve two flags — one for user-level access, one for root/administrator.
HTB requires a VPN connection to access the lab machines, which adds a setup step but also makes the environment more realistic — you're attacking a machine on a network, not just a web form. The Starting Point machines and the Academy platform are well-suited to beginners. The main machine queue is genuinely challenging.
Best for: people who want to develop a complete skillset including network exploitation, privilege escalation, and Active Directory attacks alongside web hacking. Strong community with extensive writeups for retired machines.
TryHackMe structures its content as "rooms" — guided challenges that walk you through each step with hints and explanations. It's more hand-holding than HTB, which makes it significantly more accessible for complete beginners.
The free tier has a substantial amount of content. The paid subscription unlocks the full library. Like HTB, it requires a VPN or uses an in-browser attack box.
Best for: absolute beginners who want guidance through each concept, or people who prefer a more structured curriculum rather than open-ended machine challenges.
Built by the creators of Burp Suite, the Web Security Academy is arguably the most comprehensive free resource on web application security. It covers every major vulnerability class with in-depth explanations and hands-on labs, all in the browser.
The labs are well-designed, the content is authoritative, and it's entirely free. The weakness is that it can feel dry — it's more of a reference than a guided course. And because the labs are browser-based and tied directly to the theory, there's less of the "figure it out yourself" aspect that builds real skill.
Best for: deepening understanding of specific vulnerability classes, especially web — particularly useful for topics like advanced SQL injection, authentication attacks, and access control.
PentesterLab is unique in that it includes source code review exercises alongside exploitation. You get to see the vulnerable code, understand why it's vulnerable, and exploit it — which builds much stronger intuition than exploitation alone.
The free tier is limited. The Pro subscription (~$20/month) opens the full library including badges that serve as a curriculum. The exercises are good quality and the code review angle is underrepresented elsewhere.
Best for: developers getting into security, or security testers who want to understand vulnerabilities at the code level rather than just the exploitation surface.
DVWA is a PHP web application you run locally (or in Docker) that's deliberately vulnerable to a range of attacks. It's been around for years, it's free, and it covers the basics well. The adjustable security levels (low/medium/high) show you progressively harder implementations of the same vulnerability.
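```bash
# Run DVWA in Docker in under a minute.
# Publish the port on loopback only, so the deliberately vulnerable app
# is not reachable from other hosts on your network.
docker run -p 127.0.0.1:80:80 vulnerables/web-dvwa
```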
The downside: it's old and the vulnerable apps are obviously artificial. Great for initial practice on each vulnerability class, less useful for developing realistic methodology.
Best for: learning each vulnerability class in total isolation with maximum control. Good for the first week of understanding each attack type before moving to more realistic targets.
The mistake people make is jumping between platforms every week. Each one has a different approach and the temptation is to try them all rather than go deep on any of them.
A reasonable path: start with hackr.gg or TryHackMe to build basic web exploitation skills in a low-friction environment. Add PortSwigger Web Security Academy for depth on specific topics. Move to HackTheBox when you're ready to work without guidance. Use CTFtime.org to participate in competitions when you want to test yourself under time pressure.
None of these platforms are magic. They're environments. The skill development comes from the hours you put in, not the platform you're on.