CMD+CTRL Security Blog

From Gaps to Gains: Benchmarking AppSec Skills with Cyber Ranges

Written by CMD+CTRL Security | Sep 30, 2025 12:31:52 AM

Applications and APIs continue to be the most frequently targeted attack surfaces. In fact, web application attacks are the leading cause of breaches (Verizon DBIR 2024), and most vulnerabilities originate directly in the codebase. The stakes are high—with the average breach now exceeding $9M (IBM 2024).

So how do you close the AppSec skills gap and build resilient, fast-learning teams?

That’s the question behind our new study: Application Security at Scale: Insights from 1,000+ Cyber Range Events. Drawing from more than 1,100 events, tens of thousands of participants and 600,000+ application-security challenges solved, the study offers a rare, data-driven look at how developers and software security professionals across industries actually learn—and what strategies deliver measurable performance gains.

Key Findings

  • Practice pays off: Repeat participants achieved 126% performance growth, showing the compounding effect of hands-on training.
  • Developers dominate—but defenders excel: 70% of participants came from development roles, but red teamers and defenders were top performers.
  • Early-career talent outpaces seasoned pros: Participants with the least experience (0–3 years) demonstrated faster learning velocity, proving the ROI of investing early.
  • The Training “Sweet Spot”: Moderate-difficulty challenges kept teams motivated while reinforcing fundamentals.
  • Blended training wins: Programs that combine courses with hands-on simulated environments showed stronger, more durable outcomes.

What We Learned

These findings, based on nearly seven years of data, show that real progress comes from doing, not just studying. Developers and defenders alike gain the most when they practice in realistic environments, repeat exercises to build muscle memory, and tackle flaws that match their aptitude level and challenge them. The data reinforces what many practitioners already know: blended, hands-on training is what turns knowledge into lasting skills.

Insights for Leaders

Cyber ranges are fun and engaging for participants, but they also provide valuable performance metrics that reveal where teams excel, where they struggle, and how quickly they improve. For CISOs, AppSec leaders, and training architects, that translates into actionable insights: how to design scalable programs, track ROI, and ensure teams are prepared for real-world threats.

About CMD+CTRL Cyber Ranges

CMD+CTRL is the only cyber range platform purpose-built for application security. By mirroring the flaws, misconfigurations, and errors that attackers exploit in real-world software, CMD+CTRL cyber ranges offer engaging, realistic scenarios that help development and engineering teams build secure applications from the start. Visit www.cmdnctrlsecurity.com/training/cyber-range/ to learn more about our suite of gamified cyber ranges, designed to motivate learners at all levels.

Download the full report to explore all the findings, benchmarks, and recommendations and learn how to turn AppSec training into lasting security resilience.