Hack The Box runs 316 labs where users legally break into servers, refreshed weekly, with game mechanics that drive completion rates far above typical online course benchmarks – and a subject matter.
ENTRY ANGLES
Game-based skill development with automated feedback loops in adjacent security verticals · Adversarial model evaluation and AI red-teaming scenarios as game mechanics · Subscription model tied to continuous learning disciplines with persistent knowledge gaps
CAPABILITIES
Game mechanic design translatable to domain-specific attack-and-defend scenarios · Community and lab library infrastructure development · Subject matter expertise in rapidly evolving technical disciplines
Cybersecurity training has a compounding advantage most edtech companies never find: the subject matter never goes stale. Hack The Box built its business on that insight, and investors have noticed – the platform has now raised $69.5M across four rounds, including a recent $55M raise that dwarfs its earlier $10.5M seed.
The core product is a controlled environment where users legally break into servers. Hack The Box runs 316 training labs across difficulty tiers, refreshed weekly with new challenges. Every engagement is structured as a game – single-player or multiplayer, with progression mechanics, point systems, and leaderboards. The goal isn't to produce script kiddies; it's to train cybersecurity professionals who defend systems by first learning how attackers breach them.
The approach has assembled what may be the largest community of offensive-security enthusiasts anywhere: 1.7 million users on the platform. Entry is free, but limited to a handful of labs. Full access runs $14–20/month.
That's only the first monetization layer. A Pro tier offers advanced attack scenarios where successful completion earns certificates – roughly equivalent to course completion credentials, but earned through live combat rather than passive video consumption. Those certificates matter to the employers posting jobs in Hack The Box's dedicated jobs board, a third revenue stream.
Under all of this sits the Academy – a catalog of foundational IT courses covering operating systems, programming languages, and security frameworks. The Academy uses a currency system: registration yields a starter supply of "cubes" (in-platform learning credits) that unlock basic modules. Completing modules earns more cubes to spend on harder content. In practice, grinding all the way to the top on earned credits alone requires exceptional dedication – most learners will either buy additional cubes or take out a subscription.
The subscription architecture on the site is layered and somewhat opaque, likely by design: draw users in gradually, then reveal the depth of content as engagement deepens. Pro and Academy appear to be separate subscription tiers from the base platform. B2B sales round it out – companies buy Pro training and Academy access for their security teams at enterprise rates, with admin controls like custom certification rules and team-level cube allocations.
Most edtech businesses run into the same three walls. First, completion rates: typical online courses see roughly 5% of enrolled learners finish. Second, scalability: meaningful feedback requires human instructors, and human instructors don't scale. Third, lifetime value (LTV): a good course teaches its students and loses them; a bad one loses them anyway.
Hack The Box sidesteps all three.
The training medium is a game – and not a virtuous, educational-sounding game. The goal is to attack. The same psychology that drives engagement in first-person shooters works here: mission-based progress, visible advancement, the satisfaction of breaking through a defense. This is not incidental; it's the architecture.
Feedback is built into the environment itself. Either you breached the next layer of defense – in which case you've demonstrated the skill – or you didn't, and you need to go back and study. No instructor required, and this logic scales to any number of simultaneous learners.
Most importantly, the subject matter never resolves. Software vendors ship new OS versions; attackers find new vulnerabilities in every one; vendors patch those and introduce new attack surfaces. Staying current as a security professional is not a one-time learning event. It's a subscription to a living discipline – which is precisely why a subscription model works here when it doesn't work for most education products.
Think of it as media, not education. The two durable media models are news and entertainment – people pay for news because staying informed never ends, and for entertainment because it never gets old. Hack The Box is both at once. That's what gives it the long LTV that conventional courses almost never achieve.
Cybersecurity is already a large market – and the talent gap is widening faster than the field can close it. The shortage of qualified professionals is structural, not cyclical, which means demand for credentialed, practically skilled security talent will keep growing.
The most direct opportunity is to build within this space using the same model: game-based skill development, automated feedback loops, and subscription economics tied to a discipline that requires continuous learning. The moat Hack The Box has built is its community and lab library – both are hard to replicate quickly – but the underlying model is transferable to adjacent security verticals (cloud security, application security, AI security) where the same talent shortage applies.
The broader question is which other domains share the same structural properties: a growing market, a persistent knowledge gap, and subject matter that never stands still. AI is the obvious candidate. The tooling, models, and best practices in AI engineering are evolving faster than any individual can absorb on a fixed curriculum. The challenge is translating Hack The Box's attack-and-defend game mechanic into an AI-native equivalent – perhaps adversarial model evaluation, prompt injection challenges, or AI red-teaming scenarios. That translation problem is the specific constraint worth solving first.