Medium Difficulty, Maximum Impact: How Challenge Design Drives Application Security Outcomes

In application security training, difficulty level matters. If the content is too simple, learners will breeze through without gaining real skills. If it’s too difficult, they feel stuck and become frustrated. When challenges strike, the right balance of training can deliver measurable improvement across the board.

That’s one of the central findings from our 2025 CMD+CTRL report. Analyzing data from over 1,100 cyber range events and over 600,000 completed challenges, the study uncovered a clear pattern: intermediate-level training consistently delivers measurable outcomes across all experience levels.

The best approach to optimizing your training program is to focus on exercises that are realistic, relevant, and offer a “just right” level of challenge to push learners without overwhelming them. That’s the point where skills improve, developers build confidence, and teams become more resilient.

Design Challenges That Actually Work

While many organizations focus on delivering training at scale to maximize reach and minimize cost, not all programs account for differences in experience or role. This is where thoughtful challenge design can ensure that learners at every level are engaged and driven to test their skills in real-world scenarios.

Many security awareness programs introduce theoretical concepts without developing practical knowledge. Purpose-built exercises with varying levels of difficulty deliver the hands-on challenges that technical teams require to reinforce learning and build skills:

• Developers need exercises simulating real coding flaws—broken access control, injection vulnerabilities, and misconfigurations to practice detection, response, and remediation.

• Red and blue teamers benefit from scenarios that mirror complex attack chains or multi-system exploits.

• Cross-functional learners, such as DevOps or QA engineers, thrive on challenges that integrate security into workflows they already use.

Challenge design isn’t just a training tactic; it’s a strategic lever. Start by tailoring exercises to individual roles to build actionable skills and drive adoption across functional teams.

Blend Challenge Levels for Maximum Engagement

Once you’ve aligned your training program by role, the next step is to calibrate the difficulty level. The study shows that learners are most engaged and demonstrate rapid improvement when challenges hit the moderate difficulty “sweet spot.”

A layered approach works best:

• Beginner-level challenges provide a low-friction entry point, helping new hires and less-experienced developers learn foundational concepts and build confidence.
• Intermediate challenges push learners to apply knowledge in realistic scenarios, bridging theory and practice to produce the greatest skill improvement.
• Advanced and elite-level challenges allow seasoned professionals to stretch, explore complex exploits, and refine their expertise.

Progressive accessibility is key. To optimize training impact, start learners at their level and introduce more complex exercises as they advance. Track performance data to monitor progress and adjust difficulty levels accordingly. Some learners may need to repeat exercises so the lessons “stick.” Acknowledge learners as they complete each level to encourage participation and accelerate skill development.

Data-Driven Insights

The report tracked participant performance in web application and cloud-based cyber range environments that varied in difficulty from basic to advanced. Participants included technical and software development teams from mid-sized enterprises to Global 100 companies across industries.

The findings reinforce the importance of challenge design in deploying effective hands-on training:

• Moderate difficulty provides maximum impact: Nearly 45% of completed challenges were intermediate level, emphasizing the importance of balancing accessibility and technical depth for effective learning.
• Early-career learners ramp up fastest: Participants with 0–3 years of experience earned more points per event than senior peers, showing that hands-on, gamified training accelerates skill growth.
• Repeat engagement pays off: Returning cyber range participants improved their scores by 126% on average and solved nearly twice as many challenges as first-time players.
• Balanced content prevents stagnation: Basic challenges drive broad participation, while advanced content keeps high performers engaged. Finding a happy medium is key to promoting progress.

These insights underscore the importance of calibrated, role-based challenges to deliver measurable outcomes for skill-building and learner engagement.

Using Challenges to Reinforce Secure Thinking

. Intermediate challenges not only test knowledge but also strengthen mental models for secure design and adversarial thinking. By walking through realistic exploit scenarios, learners start to think like attackers, anticipating how vulnerabilities emerge, how they’re exploited, and how to prevent them through smarter design choices.

These challenges require learners to apply concepts like input validation, session management, and broken access control within dynamic, simulated systems that mirror the flaws seen in production environments.

This design principle mirrors what game designers and behavioral psychologists have long known: challenge balance determines engagement. In cyber training, it also determines readiness.

By blending difficulty levels and using repeatable, scenario-driven challenges, organizations can equip their teams to defend against actual threats more effectively.

Calibrate for Impact

Effective application security training is adaptive, progressive, and measurable. Leverage these proven challenge design principles to maximize your training impact:

• Blend difficulty levels intentionally. Start with accessible, real-world challenges, then layer in intermediate and advanced tasks that expand technical depth.
• Align challenges with roles. Developers, defenders, and assessors each require different perspectives on the same vulnerability classes.
• Reinforce concepts with hands-on exercises. Pair courses with real-world simulations to bridge theory and practice.
• Invest in early-career talent: Junior professionals respond fastest to hands-on training, turning early investment into high ROI.
• Use data to guide progression. Track learner progress to recalibrate your program and tailor future training paths. Which challenges do participants consistently complete, and which do they miss?
• Offer graduation paths: Combine courses, progressive challenges, and milestone events to maintain engagement and reward skill mastery with badges or certifications.

Effective challenge design should do more than boost engagement; it should deliver measurable growth in capability. The most successful programs use a flexible approach to challenge design, adapting to learner progress and evolving threats over time.

By blending difficulty levels, aligning exercises to functional roles, and using repeatable, scenario-driven challenges, organizations can accelerate learning and build stronger teams to reduce security risk.

Jose Lazu

Jose Lazu is an innovative and dynamic product leader with over a decade of experience driving customer-focused solutions in the cybersecurity space. Currently serving as Associate Director of Product Management at CMD+CTRL, he brings a creative, data-driven approach to shaping product vision, launching strategic roadmaps, and fostering cross-functional collaboration. With a strong foundation in stakeholder management, product strategy, and team building, Jose has consistently delivered results across roles at Security Innovation and beyond. He’s known for his original thinking, unshakable accountability, and deep commitment to trust and camaraderie in every team he leads.