Benchmark any scanner
against ground truth.

iQs Cyber Range stands up a realistic network of up to 1,000 assets, hides real weaknesses behind a sealed answer key the scanner never sees, and scores the result against ground truth — recall, precision, false-positive rate, and the evasion tier it stalls at.

Start free — build a range See how it works
Any scanner — AEGIS, Nessus, OpenVAS…Sealed & tenant-isolatedNo agents
acr.iqs.ai — Range Builder+ Add asset▶ Run scan
ASSETS · 98 types
NETWORK
Firewall
Router
Switch
Load bal.
WAF
IDS / IPS
VPN
COMPUTE
Server
VM
Container
K8s pod
DATA
Database
Cache
Object store
CLOUD
AWS EC2
S3 bucket
Lambda
Azure VM
GCP GKE
OT / ICS
PLC
SCADA HMI
RTU
IDENTITY
AD domain
IdP / SSO
Workstation
internetedge ngfwfirewall web-01dmz app-01app card-dbdata s3public ws-01user dc-01domain XSS SQLi
⚡ INJECT WEAKNESS
XSS
SQL injection
RCE
SSRF
Priv-esc
Inject · 2 selected
range builder
0.0/ 10
AEGIS · frontier T4
Recall0%
Precision0%
False-positive0%
Flood scanner1.5 / 10

HOW IT WORKS

Build it. Break it. Scan it. Score it.

Four steps from a blank canvas to a defensible, vendor-neutral grade of exactly how good your scanner really is.

1

Build or generate

Drag assets from a 98-type catalog — AWS, Azure, GCP, OT/ICS, identity — or describe the network in plain English and the AI composer assembles it.

2

Inject sealed weaknesses

Place known vulnerability families behind a hashed answer key the scanner can never read. The engine proves each one is genuinely reachable.

3

Point any scanner

Run AEGIS, Nessus, OpenVAS, or your own tool against the range. Findings normalize automatically into one report format.

4

Get the honest scorecard

Recall, precision, FP-rate, F1, MTTD and the frontier tier — per surface and per evasion tier. Noise and bluffing get an F.

WHAT YOU MEASURE

Six numbers that tell the truth.

Every scan returns the same vendor-neutral metrics, so you can compare tools, releases and teams on identical ground.

Recall — did it find them?

The share of the real, sealed weaknesses your scanner actually detected. Misses are listed by name.

Precision — was it right?

The share of the scanner's findings that map to a real weakness. Garbage findings drag this down fast.

False-positive rate

How much of the report is noise. Flooding to inflate recall is punished here — directly.

F1 — the headline grade

The balance of recall and precision. This is what turns into the A–F grade you actually compare on.

MTTD — how fast?

Mean time to detect, from scan start to first valid finding per weakness.

Frontier tier — how good?

The hardest evasion tier (T0→T5) the scanner still clears as weaknesses are mutated to hide.

WHY iQs CYBER RANGE

The one benchmark a scanner can't game.

Static labs go stale the day you build them. Diagrams don't fight back. This range runs like real infrastructure and refuses to flatter a tool that missed.

It cannot be gamed.

The sealed, hashed answer key is invisible to the scanner and locked to your tenant — no teaching to the test. Flood the report to fake coverage and precision collapses. Trip a decoy and you pay. Honest, every time.

It runs the network, not a picture of it.

Real routing, NAT, standard & extended ACLs, cloud security groups, NACLs, public bucket/subnet exposure. An over-broad port-forward genuinely exposes the box behind it — reachability is computed, never claimed.

Describe it. It appears.

"PCI retail with a SQL-injectable cardholder DB behind a segmented DMZ" becomes a fully-scorable range from a 98-type catalog — no racks, no cabling, no weekend.

Reproducible to the byte.

Seed it once and it regenerates identically, forever. Race scanner v1 vs v2 on the exact same estate and see what improved — and what quietly regressed.

Scales to the whole estate.

From a single subnet to 1,000 live assets, with a T0→T5 evasion ladder that mutates weakness families to hunt your scanner's blind spot.

Sealed & isolated by design.

The answer key never reaches a target surface and never crosses a tenant boundary. Multi-tenant from the ground up — your ranges and scores are yours alone.

WHO IT'S FOR

If you depend on a scanner, you need this.

🛡️

Security teams

Validate the scanner you bet your coverage on — before an attacker tells you what it missed.

🧪

Scanner & tool vendors

Benchmark every release on an identical, reproducible estate. Prove v2 is better than v1 with numbers.

🥷

Pentest & red teams

Train, rehearse and prove detection coverage on realistic, on-demand networks instead of stale labs.

📋

Auditors & the board

Turn "we ran a scan" into a defensible, vendor-neutral grade of how much your tooling actually catches.

Works with any scanner. Findings normalize into one report format.

AEGIS SentinelNessusOpenVASQualysBurp SuiteYour custom tool

PRICING

Priced by assets. Capped at 1,000.

One number sets your tier — how many assets you need to test. Pay monthly, cancel anytime. Click a card to choose.

Recon
$40/mo
Up to 100 assets
  • 100 assets per range
  • 1 concurrent range
  • 250 scans / month
  • Core scenario templates
  • 30-day retention
Choose Recon
MOST POPULAR
Operator
$180/mo
Up to 500 assets
  • 500 assets per range
  • 3 concurrent ranges
  • 1,500 scans / month
  • All scenario templates
  • 90-day retention
Choose Operator
Command
$600/mo
Up to 1,000 assets
  • 1,000 assets per range (max)
  • 10 concurrent ranges
  • 3,000 scans / month
  • AI generator + all templates
  • SSO + audit export
  • 365-day retention
Choose Command

Need more than 1,000 assets, on-prem isolation, or a private model? Talk to us. Prices in USD, exclusive of tax.

FAQ

Questions, answered.

Is the range real or simulated?

It runs on a config-aware engine that evaluates real routing, NAT, ACLs and cloud-security behaviour against a sealed, hashed answer key. Live-infrastructure scanning is on the roadmap — it is not available yet.

Which scanners can I score?

Any of them. Findings from AEGIS, Nessus, OpenVAS, Qualys, Burp or your own tool normalize into one vendor-neutral report format and are graded identically.

How do you keep the score honest?

The answer key is sealed and never reaches the scanner, so there's no teaching to the test. Every weakness is proven reachable before it counts, and flooding the report to fake coverage collapses precision.

Is my data isolated?

Yes. iQs Cyber Range is multi-tenant by design — the answer key and your results never cross a tenant boundary.

How big can a range get?

Up to 1,000 assets per range, with concurrent ranges by plan. Need more or on-prem isolation? Talk to us.