Rules & Acceptable Use

The short version

RatLabs is a deliberately vulnerable training platform. Every machine listed on the Challenges page exists to be attacked — that's the point. Everything else does not.
In scope

  • All challenge machines listed on /challenges — attack them however you like.
  • Active Directory lab networks (VaultNet, MegaCorp, Corp) — the full kill-chain is fair game.
  • Retired machines you spin up via your Premium account.

Out of scope — do not attack

  • The portal itself (this website, its login, its API endpoints, its database).
  • The Kubernetes cluster nodes and control plane.
  • Linode / cloud infrastructure hosting this platform.
  • Any service not explicitly listed as a challenge machine.
  • Other users' accounts, sessions, or data.
  • Automated scanning or DoS against portal endpoints.

Violating these rules may result in immediate account termination and, where appropriate, legal action.
Found a real vulnerability in the portal?

If you discover a genuine security issue in the portal application or its infrastructure, please disclose it responsibly:

We appreciate responsible disclosure and will credit researchers who report valid issues.
Fair play

  • Don't intentionally break machines for other users (e.g. deleting challenge files, changing root passwords to lock others out).
  • Sharing flags or full solutions publicly spoils the challenge for others — keep writeups private until a machine retires.
  • One account per person. Shared accounts are not permitted.
  • Don't use RatLabs to practice illegal techniques against systems you don't own or have permission to test.

Last updated: May 2026. Questions? info@thexssrat.com