Inside CodeLab: Building Browser Cyber Labs with Node.js
Why We Built CodeLab
Traditional labs are either too abstract or too risky to deploy at scale. Learners need hands-on environments that mirror real cyber defense tasks—without the overhead of VMs, local setup, or security exposure. CodeLab was designed to bring those workflows directly into the browser, safely and interactively.
Architecture Overview
CodeLab runs containerized Node.js environments behind a secure API layer. Each session spins up a lightweight, ephemeral container with no persistent storage or external network access. Learners can execute CLI commands, send HTTP requests, or write JavaScript scripts—all within a controlled sandbox.
Interfaces & Authoring Model
Interface Modes
- Editor + Output — Split view with Monaco editor on the left and live output on the right. Ideal for Script and HTTP labs.
- Terminal-Only — Immersive terminal simulation for pure CLI tasks.
Languages
- JavaScript → Node.js runner.
- Bash (Terminal) → Shell runner.
Selecting the language automatically chooses the backend runner and validation harness.
Execution Modes
- CLI — Simulates real terminal commands and log output.
- HTTP (Node HTTP) — Launches a self-contained Node web server (internally on :3000) and interacts via HTTP requests. Traffic is proxied through our API—no external egress or exposure.
- Script — Runs small JS snippets for detection logic, parsers, or automation demos.
Content Fields for Each CodeCard
- Starter Code — Scaffolding to help learners begin (function signature, skeleton, or sample routes).
- Solution Code (admin-only) — Canonical implementation used for grading and support.
- Expected Output — Describes what learners should see when the starter code is implemented correctly (stdout, JSON, HTTP response, etc.).
- Grading Logic (JSON schema) — Defines inputs, assertions, and comparison rules (exact match, regex, contains, status code, timing, etc.).
Execution Modes
We currently support three modes: CLI, HTTP, and Script. CLI mode simulates terminal commands and log output. HTTP mode allows learners to craft requests and inspect responses. Script mode runs small JavaScript snippets that mimic detection logic, parsers, or API calls—perfect for building intuition on how real defenders automate workflows.
Security by Design
Every container runs with no-new-privileges, memory and CPU caps, and read-only filesystems. Network egress is blocked by default, and every command passes through sanitization layers to prevent injection or breakout attempts. Logs are continuously streamed for monitoring and audit purposes.
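The container controls listed above can be checked mechanically before a session is started. The following is an added example, not CodeLab's own code: it audits a Docker Engine API HostConfig object against those controls. The field names are Docker's; the allowedNetworks parameter, the policy choices and the sample values are assumptions.

```javascript
// Added example: audits a Docker Engine API "HostConfig" object against the
// controls named in the text. Field names are Docker's; the policy values and
// the allowedNetworks parameter are assumptions for illustration.
function auditHostConfig(hostConfig, allowedNetworks = ["none"]) {
  const hc = hostConfig || {};
  const findings = [];

  // no-new-privileges blocks privilege gain through setuid/setgid binaries.
  const secOpts = hc.SecurityOpt || [];
  if (!secOpts.some((o) => /^no-new-privileges(?:[:=]true)?$/.test(o))) {
    findings.push("no-new-privileges not set");
  }
  // Memory (bytes) and NanoCpus (1e9 = one CPU) default to 0, meaning unlimited.
  if (!(hc.Memory > 0)) findings.push("no memory cap");
  if (!(hc.NanoCpus > 0) && !(hc.CpuQuota > 0)) findings.push("no CPU cap");
  // Read-only root filesystem.
  if (hc.ReadonlyRootfs !== true) findings.push("root filesystem is writable");
  // Ephemeral sessions: no host binds or volume mounts (tmpfs is in-memory).
  const persistent = [
    ...(hc.Binds || []),
    ...(hc.Mounts || []).filter((m) => m.Type !== "tmpfs"),
  ];
  if (persistent.length > 0) findings.push("persistent storage attached");
  // Egress: accept only networks the operator has marked as isolated.
  if (!allowedNetworks.includes(hc.NetworkMode)) {
    findings.push(`network mode "${hc.NetworkMode}" is not on the isolated list`);
  }
  if (hc.Privileged === true) findings.push("container is privileged");
  return findings;
}

// Constructed sample inputs, not taken from CodeLab.
const hardened = {
  SecurityOpt: ["no-new-privileges"],
  Memory: 256 * 1024 * 1024,
  NanoCpus: 500000000,
  ReadonlyRootfs: true,
  NetworkMode: "none",
  Tmpfs: { "/tmp": "rw,noexec,nosuid,size=16m" },
};
const weak = { Memory: 0, NetworkMode: "bridge", Binds: ["/srv/data:/data"] };

console.log(auditHostConfig(hardened)); // []
console.log(auditHostConfig(weak));
```

An HTTP-mode container that needs an internal network for the proxy would pass only if that network's name is supplied in allowedNetworks; the audit cannot tell from HostConfig alone whether a named network actually blocks egress.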
Data Flow and Isolation
Requests are routed through Nginx → API Gateway → Docker Runner. The runner executes commands inside a confined namespace and returns stdout and stderr streams over WebSocket. This approach provides real-time feedback without exposing any backend surfaces.
Developer Experience
We built CodeLab with extensibility in mind. Instructors can create custom challenges using JSON schema definitions that specify inputs, expected outputs, and grading logic. Admins can monitor session health, completion rates, and error frequency directly from the dashboard.
Future Roadmap
Next up, we’re adding network simulation and endpoint triage scenarios—where learners analyze logs, detect anomalies, and respond with real commands. These features will integrate directly with PulseLab, bridging training and live threat visualization.
What This Enables for Learners
CodeLab brings real-world experience into the browser. Learners can safely experiment, make mistakes, and instantly see the results—building intuition faster and more confidently than static lessons ever could.
Try It in a Pilot
Educators, workforce programs, and training coordinators can explore HuntCode’s CodeLab through a 90-day beta. Pilots include access to secure, browser-based cyber labs built with Node.js sandboxes for hands-on training. For institutional access or per-student licensing, please contact hello@huntcode.com to set up your organization’s account.