Pryaxis Jump

Over the last few years, I’ve been back and forth with ideas on how to improve training cyber defense best practices. No real world simulation platform is accurate1 or robust enough23 for more than basic use. As the popularity of competitions like CyberPatriot4 and National CCDC5 increases, tooling for simulating these environments has stagnated. I needed a way6 to build and train using advanced cyber defense scenarios, so I got a friend or two7, and together, we built Pryaxis Jump.

Jump allows someone with knowledge8 about information security, like a CyberPatriot coach or mentor, to marry training with real-time evaluation and results. For the longest time, competitors were trained prior to competitions with tutorials and given dense copies of benchmarks to memorize. Many times, they were “thrown off the deep end,” having been told to somehow secure systems with no guidance on what constituted secure. This has a negative impact on competitor learning, performance, and morale9.

This is where Pryaxis, and its flagship product, Jump, comes into play. Jump is, at its most basic level, an evaluation engine that evaluates checks10 based on conditions.

Jump provides competitor tracking11, which allows a coach to build a variety of images and track competitor performance from the convenience of a single dashboard. At a quick glance, competitor performance data shows missed checks across all images, giving an immediate way to spot trends and help remedy weak points.

Performance goes beyond simply tracking competitors on an individual basis. Jump provides data on exactly which checks are missed the most from all competitors on a given image, which quickly reveals how well the group performs as a whole. Weak points are easily identifiable and correctable. By using multiple successive images, combined with these reports, competitor performance can be rapidly improved.

A Jump most missed report

For competitors who have familiarity with other score engines, Jump improves upon the concept of local score feedback considerably. Leaderboards and scenario requirements are displayed right on the score feedback page, along with an easy to understand rank that helps competitors identify how they’re performing. Because the requirements are displayed on a website, rather than in a file on the desktop12, requirements can be dynamically changed, even after an image has been deployed. If a detail was accidentally left out, it becomes trivial to add it back in.

Similarly, Jump provides the same flexibility for tweaking checks, even after an image has been distributed. If a check isn’t reporting correctly, it can be changed or excluded from scoring entirely. This happens on the fly, and score updates can be recalculated from the control panel. The image doesn’t even need to be online for this to happen.

Pryaxis Jump is the first step towards building the ideal cyber defense training platform. There’s so much more to Jump than what I was able to detail here, and I’m excited to see how it gets used.

Jump receives regular updates, from bug fixes to new features, at no additional cost to those who already use Jump. Jump is pay what you want for most groups13 and free for students14 who compete in CyberPatriot and National CCDC.

Try Jump today.

  1. CyberCIEGE is a good example of where good concepts are marred by an overly simplistic training system. While it acts as a good introduction to cyber security, it does a poor job of marrying concepts to the real world. 

  2. TAMCC is offered by CyberPatriot for free, but it doesn’t support Linux, and doesn’t receive regular updates. It’s also client side only, meaning that a competitor could reverse engineer the vulnerability list if they so desired. 

  3. Darklight Nova has similar pitfalls. Vulnerabilities can be reverse engineered, which is no good, and requires advanced programming knowledge to develop images with. 

  4. CyberPatriot is the National Youth Cyber Defense program, presented by Northrop Grumman. It isn’t a hacking competition, and it focuses on defense, rather than offense. CyberPatriot won’t teach penetration testing, and actively discourages it. 

  5. National CCDC is the National Collegiate Cyber Defense Competition, and is presented by Raytheon. The environment is similar to CyberPatriot, but it more demanding due to heavy use of offensive red teams. Raphael Mudge’s Cobalt Strike is commonly used by red team attackers to simulate real threats. 

  6. I use Jump regularly. The best part is that even if nobody else wants to use it, I do. 

  7. Pryaxis roughly consists of Isaac Grant, Lucas Nicodemus (me), and Savannah Clemente. The full credits list is available in Jump’s humans.txt file

  8. Jump tries to avoid ruining the competitive spirit of CyberPatriot and CCDC by refusing to give up lists of vulnerabilities. While we maintain parity with other score engines, we do so by offering modules that capture data and leave the interpretation and evaluation up to coaches. 

  9. I have no data to back up this claim, but I’ve seen CyberPatriot groups thin out because of poor performance over the span of a year. As a former competitor, I’ve felt the impact of this too. 

  10. A check is a Jump representation of any scorable event, such as a vulnerability or a critical service. 

  11. Competitor tracking is completely optional, but highly suggested. Anonymous feedback limits Jump’s ability to link a specific competitor to multiple images. 

  12. A readme file is typically present on CyberPatriot images on the desktop. It contains valid users, policy requirements, and critical services for a given image. 

  13. Jump is “pay what you want” for under 50 competitors, with a minimum price of $20. A Jump subscription lasts a year and offers unlimited support. For greater than 50 competitors, paid competitions, and other use cases, we prefer to discuss individual use cases with people prior to asking for payment. 

  14. Jump is free for students, not their coaches, teachers, or mentors. I was a student, and I dreamed of using something like this for my team. However, servers cost money, and we want to at least cover that. 


Now read this

IPv6 and DOCSIS 2.0 Performance Degredation

Note: This post is exceedingly technical in nature. For those experiencing similar problems, skip directly to the fix. The Problem After coming home during break from university, one of my first objectives was to replace a dying wireless... Continue →