Cybersecurity Labs-as-a-Service (CLaaS)
- Cybersecurity Labs-as-a-Service (CLaaS) are on-demand remote cybersecurity environments offering reusable, isolated lab scenarios for education, testing, and compliance.
- They employ modular scenario packaging, declarative provisioning, and automated lifecycle management to ensure reproducibility, scalability, and robust monitoring.
- Emerging trends focus on multi-cloud orchestration, AI-driven instruction, and automated evidence management to advance the CLaaS service model.
Searching arXiv for the cited CLaaS-related papers and adjacent terminology. arxiv_search query="Cybersecurity Labs-as-a-Service OR Cyber Range-as-a-Service virtual laboratories cybersecurity education CTF as a Service digital twin cybersecurity compliance" max_results=10
Cybersecurity Labs-as-a-Service (CLaaS) denotes the on-demand provision of cybersecurity laboratory environments as managed services: isolated scenarios are instantiated remotely, exposed through browsers or APIs, and coupled to orchestration, monitoring, assessment, or analytics functions rather than being assembled manually on each learner or operator workstation. Across recent work, the term appears explicitly in an AWS-based legacy CLaaS platform extended with generative-AI assistance, and implicitly through adjacent forms such as Virtual Laboratories, Cyber Range-as-a-Service, CTF-as-a-Service, cloud-native private laboratories, and Security Digital Twin-as-a-Service. Taken together, these systems describe a common service abstraction built around reusable scenarios, remote accessibility, automated lifecycle management, and instrumentation for education, experimentation, testing, or compliance (Patel et al., 3 Sep 2025, Orbinato, 2021, Azcarate, 23 Mar 2026, Koufos et al., 9 Sep 2025).
1. Conceptual scope and neighboring models
CLaaS is best situated within a broader family of service-delivered cyber environments. In distance education, “Virtual Laboratories” are presented as remotely accessible, VM-based practical environments that support multiple tasks, shared data, and real-time collaborative execution of hands-on assignments (Kebande, 2024). In enterprise cyber-range research, Cyber Range-as-a-Service is framed as a cloud-based platform that instantiates large-scale virtual scenarios, supports virtual clones of corporate infrastructures, automatically monitors participant activities, and emulates behavior through AI agents (Orbinato, 2021). In competition infrastructure, CTF-as-a-Service treats each challenge as a self-contained lab defined by source code, build resources, and configuration, then deploys it as containerized services with reproducible infrastructure and CI/CD automation (Azcarate, 23 Mar 2026). In compliance engineering, Security Digital Twin-as-a-Service exposes on-demand digital twins of ICT infrastructures, populated with machine-readable evidence such as SBOMs, CBOMs, VEX, and BOM-Links, to support automated, non-intrusive assessment (Koufos et al., 9 Sep 2025).
A recurrent misconception is that CLaaS is synonymous with a single implementation substrate, typically browser notebooks or student labs. The literature is broader. It includes notebook-centric DevOps security modules delivered through GitHub and Google Colab (Akter et al., 2023), AWS EC2 topologies surfaced through noVNC (Patel et al., 3 Sep 2025), OpenStack-based cyber ranges with virtual cloning and hypervisor-level introspection (Orbinato, 2021), Proxmox- and Docker-Swarm-based challenge hosting (Azcarate, 23 Mar 2026), cloud-native Kubernetes and serverless laboratories managed through GitOps (Saqib et al., 4 Feb 2025), shared RF-centric laboratories for SAAMD technologies that are open for use and collaboration (Costin et al., 2023), and digital-twin simulators for systemic cyber risk that operate at a much more abstract level than packet or host emulation (Awiszus et al., 2022). This suggests that CLaaS is more usefully understood as a service model than as a fixed software stack.
| Archetype | Representative papers | Core traits |
|---|---|---|
| Browser and notebook labs | (Akter et al., 2023, Patel et al., 3 Sep 2025) | Browser access, no local setup, reusable scenarios |
| Cyber range and CTF hosting | (Orbinato, 2021, Azcarate, 23 Mar 2026, Nichols et al., 2022) | Orchestration, isolation, monitoring, repeatability |
| Cloud-native security labs | (Saqib et al., 4 Feb 2025, Koufos et al., 9 Sep 2025) | Kubernetes, GitOps, machine-readable evidence |
| Shared physical or simulation twins | (Costin et al., 2023, Awiszus et al., 2022) | Centralized specialized resources, digital-twin modeling |
2. Architectural patterns and service composition
Despite heterogeneity, CLaaS implementations converge on a small set of architectural motifs. One is modular scenario packaging. In the DevOps security labware, each module is structured as pre-lab, hands-on lab, and post-lab; content is distributed through GitHub and executed through Google Colab, with an explicit goal of avoiding installation and maintenance hassles (Akter et al., 2023). In the AWS-based legacy CLaaS platform later extended with generative AI, each training scenario is a topology of EC2 instances plus a subnet, instructors customize a primary image and snapshot scenario images, the front end embeds noVNC for browser delivery, and the backend manages authentication, role-based access, VPC subnets, instance lifecycle, and CloudWatch alarms (Patel et al., 3 Sep 2025).
A second motif is declarative infrastructure and separated provisioning layers. The CTF-as-a-Service platform uses Proxmox VE, Terraform for provisioning, Ansible for post-provisioning configuration, Docker Swarm for challenge services, HAProxy for reverse proxying and session persistence, and a Git repository plus post-receive hook, artifacts branch, and pipeline.sh for automated deployment updates (Azcarate, 23 Mar 2026). The cloud-native Cloudlab environment similarly separates repositories, pipelines, clusters, and security controls: GKE clusters host Tekton CI and ML workloads, GitHub repositories serve as the single source of truth, GCR stores images, and GitHub Actions, Renovate, Bridgecrew, Kyverno, and Panorama-managed CN-Series firewalls are integrated into the workflow (Saqib et al., 4 Feb 2025).
A third motif is explicit modeling of the environment itself as a managed service object. Security Digital Twin-as-a-Service introduces an Audit Management Service with Profile Management, Evidence Collector Controller, and BOM Creator; an SDT Manager with an HTTP/JSON API, LifeCycle Manager, and Data Adapter; and SDT instances backed by Eclipse Ditto and WoT descriptions, instantiated as Kubernetes pods in roughly six seconds in the reported use cases (Koufos et al., 9 Sep 2025). The next-generation Cyber Range-as-a-Service proposal generalizes the same pattern through OpenStack-backed virtual infrastructures, a domain-specific language for scenario description, dashboards and APIs for management, and virtual clones of corporate infrastructures derived from statistical models of topology, services, users, and traffic (Orbinato, 2021).
These architectures consistently separate high-level scenario definition from low-level resource orchestration. A plausible implication is that CLaaS maturity depends less on any single hypervisor, notebook, or orchestrator than on how effectively a platform encodes scenarios, provisions them reproducibly, and exposes them through stable user and service interfaces.
3. Automation, instrumentation, and security control loops
Automation in CLaaS typically appears as a closed loop of instantiate, analyze, modify, and re-evaluate. In DevOps security education, this loop is explicit: students run Bandit and related automated tooling over real vulnerable Python code, inspect findings, apply fixes, and re-run the tools; taint tracking is used conceptually to trace untrusted inputs to sensitive sinks such as system command execution, database queries, file operations, and network calls (Akter et al., 2023). In Cloudlab, the same pattern is generalized to GitOps: GitHub webhooks trigger Tekton tasks, Bridgecrew scans IaC and Dockerfiles on every PR, Kyverno enforces policy in-cluster, and images are built and pushed to GCR under a declarative, repository-centered workflow (Saqib et al., 4 Feb 2025).
Instrumentation layers differ by use case but are central to the service model. The AI/quantum collaborative penetration-testing suite combines DAST and SAST through OWASP ZAP, Burp Suite, SonarQube, and Fortify; IAST through Contrast Assess; Hyperledger Fabric for tamper-evident logging; RLWE-based quantum-resistant cryptography; and AI red-team simulations. It reports 300+ vulnerabilities identified across test environments, a 70% reduction in high-severity issues within 2 weeks, 90% resolution efficiency for blockchain-logged vulnerabilities, and 100% integrity for quantum-resistant cryptography in tests (Radanliev, 22 Oct 2025). In compliance-oriented twins, evidence is normalized into CycloneDX SBOMs, CBOMs, VEX, and BOM-Links, then loaded into a twin representation where external services can query the mirrored state instead of touching production systems (Koufos et al., 9 Sep 2025).
Operational cyber ranges stress observability and deterministic control rather than only static analysis. At Oak Ridge National Laboratory, CORR splits an experiment enclave from an outer analytics and management layer, uses VMWare ESXi and vCenter with pyVmomi, Kafka, Splunk or Elastic, packet taps and packet splitting, VM templates, in-memory snapshots, and replayable bulk storage to support scalable, repeatable AI/ML tool evaluations (Nichols et al., 2022). The CRaaS proposal extends observability further downward through Virtual Machine Introspection using DTrace, SystemTap, Kprobes, Detours, and hypervisor-level inspection, isolation, and interposition (Orbinato, 2021).
A persistent engineering issue is statefulness. The CTF-as-a-Service platform identifies session persistence as a key requirement for stateful labs and solves it through HAProxy stick tables that map source IP to a selected replica, thereby avoiding modifications to challenge code (Azcarate, 23 Mar 2026). This directly contradicts the assumption that ephemeral scaling alone is sufficient for laboratory correctness.
4. Pedagogical structure, assessment, and learner support
Educational CLaaS research repeatedly couples infrastructure with scaffolding. The DevOps security modules are organized into pre-lab, hands-on lab, and post-lab sections; they were deployed across Kennesaw State University, Auburn University, and Tuskegee University, and the paper reports that over 80% agreed or strongly agreed that the labs and tutorials were beneficial and improved understanding of DevOps security, while over 70% agreed or strongly agreed that real-world applications engaged cybersecurity learning (Akter et al., 2023). The SeCodEd framework extends this logic into a closed loop of pre-assessment, learner profiling, modular lab selection, post-assessment, and analytics-driven progression across static analysis, log analysis, and AI-enabled secure coding. Its reported learning gains include quiz improvement from about 22% correct pre-lab to about 82% post-lab, statistically significant shifts on multiple topics, and more than 85% agreement that the labs taught real-world applications (Taeb, 2023).
The distance-education literature reinforces the same point. At Blekinge Institute of Technology, a survey-based study of Virtual Laboratories in a Network and System Security course and among educators reported Cronbach’s alpha values of 0.791 and 0.847, learner means of 3.30 for active engagement and 3.05 for active engagement and problem solving, and a strong positive learner correlation between those two dimensions, (Kebande, 2024). At the same time, perceptions of problem-solving benefit were mixed for non-trivial minorities of both learners and educators. The significance is methodological as much as pedagogical: CLaaS benefits are observable, but they are not automatic consequences of remote execution alone.
Recent work also adds instructional assistance directly into the service. A later extension of the legacy 2015 CLaaS platform by Tunc et al. integrates an OCR–LLM pipeline into slide-driven lab instruction: Tesseract extracts text from slide images, a general-purpose LLM simplifies the instructions, and students rate the result inside the CLaaS UI. In a live course, 42 ratings averaged 7.83/10. The same paper compares the OCR–LLM pipeline with multimodal LLMs and shows a sample token contrast of 392 tokens for OCR-derived text versus 1105 tokens for direct image input, while reporting that multimodal models perform better on visually dense slides but the OCR–LLM pipeline offers comparable pedagogical value on text-centric slides at much lower computational overhead and cost (Patel et al., 3 Sep 2025).
5. Domain specializations and research variants
CLaaS is not restricted to a single curricular or operational domain. In software and DevSecOps education it covers automated detection of known weaknesses in Python, taint tracking, CI-based security, IaC security, Git hooks, chaos engineering with white-box fuzzing, and automated secret management (Akter et al., 2023). In competition settings it becomes a reproducible and scalable challenge-hosting substrate, where each challenge is a Dockerized service behind NAT, reverse proxying, and CI/CD rollout workflows (Azcarate, 23 Mar 2026). In cloud-native security training and research it encompasses RBAC, Policy as Code, Security as Code, container security, CN-Series firewalls, serverless functions, and CI/CML pipelines in Google Cloud (Saqib et al., 4 Feb 2025).
Other variants push CLaaS toward high-fidelity operational testing. CORR supports endpoint and network evaluations of AI/ML cybersecurity tools at very large scale, including an endpoint challenge over 100K file samples and a network challenge in a high-volume business network with a real 1,500-user traffic base and roughly 400 additional machines under experimenter control (Nichols et al., 2022). The SAAMD unified laboratory demonstrates a different specialization: a shared RF-centric environment using SDRs, GNU Radio Companion, and a custom pentesting platform to attack or analyze ADS-B, AIS, ACARS, EFB, EPIRB, COSPAS-SARSAT, and CCSDS systems, while remaining open for use, experimentation, and collaboration (Costin et al., 2023). Although the paper does not present itself as CLaaS, a plausible implication is that specialized physical laboratories can still participate in CLaaS if centralized scarce hardware, orchestration, and safe remote access are treated as service primitives.
At the opposite end of abstraction, the artificial cyber lab for resilience is a digital twin of a complex cyber system built on an SIR contagion model. It studies security-based interventions through , topology-based interventions through changes in the adjacency matrix , and systemic loss functions such as (Awiszus et al., 2022). This is not a host-level exploit lab; it is a policy and resilience simulator. Yet it still fits the CLaaS logic of managed, repeatable experimentation over reusable cyber-environment models.
A further specialization concerns AI and post-quantum security. The collaborative penetration-testing suite combines DAST, SAST, IAST, blockchain logging, lattice-based cryptography, and AI red-team simulations to secure generative AI systems against both present cyber threats and projected quantum attacks (Radanliev, 22 Oct 2025). This expands CLaaS from training or testing conventional systems toward orchestrated experimentation over AI-centric and cryptographically evolving infrastructures.
6. Evaluation limits, engineering tensions, and future directions
The CLaaS literature is uniformly positive about reproducibility, portability, and remote accessibility, but it also identifies recurring tensions. One is automation depth. The CTF-as-a-Service platform still scales services manually and treats auto-scaling, monitoring integration, a full web-based administration interface, standardized templates, and HAProxy high availability as future work (Azcarate, 23 Mar 2026). Cloudlab is strongly GitOps-oriented, but the paper also notes that explicit spot-instance management models are not provided despite the title, and the details indicate that GitOps and Tekton are powerful yet complex for non-experts, which implies a need for a front-end that hides operational complexity (Saqib et al., 4 Feb 2025).
A second tension concerns evaluation methodology. Several educational systems rely heavily on self-reported perception, limited cohorts, or short deployments. The VLab study at Blekinge Institute of Technology uses a small sample and explicitly notes reliance on self-reported data (Kebande, 2024). The DevOps modules were evaluated in a single-semester, three-institution deployment with no large-scale longitudinal data (Akter et al., 2023). This suggests that mature CLaaS platforms should embed richer telemetry and objective performance measures rather than depend solely on surveys.
A third tension is between fidelity and operational control. CORR disables some enterprise virtual-switch features because they interfere with precise experiments, encounters time-synchronization problems in Windows guests, faces API concurrency limits, and reports that early re-deployment scripts required about 8 hours before optimization reduced this to under an hour (Nichols et al., 2022). Security Digital Twin-as-a-Service, by contrast, keeps operational impact low by focusing on BOM-type evidence rather than full runtime behavior, but this also limits behavioral fidelity and motivates future OSCAL integration and larger-scale validation (Koufos et al., 9 Sep 2025).
Cost asymmetry is another unresolved issue. In the collaborative penetration-testing suite, blockchain logging and quantum cryptography are comparatively cost-effective, while AI red-team simulations are markedly expensive, with a reported cost of $46,000 per detected or resolved vulnerability and declining efficiency under larger-scale conditions; the same work also reports that blockchain logging efficiency drops from 100% to 87% in large-scale scenarios (Radanliev, 22 Oct 2025). For educational assistance, the OCR–LLM pipeline is favored precisely because it extends a legacy platform with minimal architectural disruption and lower token overhead than multimodal alternatives (Patel et al., 3 Sep 2025).
Finally, several papers converge on future directions that broaden rather than narrow the CLaaS concept: multi-cloud orchestration and additional IaC languages in cloud-native labs (Saqib et al., 4 Feb 2025), personalized instruction and retrieval-augmented generation in browser-based lab guidance (Patel et al., 3 Sep 2025), OSCAL-backed Compliance-as-Code for digital twins (Koufos et al., 9 Sep 2025), and adaptive or time-varying network models for resilience-oriented artificial labs (Awiszus et al., 2022). The cumulative implication is that CLaaS is moving toward a layered ecosystem in which infrastructure provisioning, twin representations, analytics, automated assessment, and instructional or adversarial agents are all service components rather than add-ons.