The original SagaLabs was established by:
David and Andrew were creating a course about Incident Response and Threat Hunting to be taught at the Business Academy in Aarhus, as part of the PBa IT Security education. Andrew was a senior teacher at the academy and David was brought in as an expert to bring his experience in performing incident response within critical infrastructure and large-scale enterprises.
When the course was drafted, it was very apparent that the students would need far more than just some PowerPoint slides to work through the course. Hands-on exercises have always been an exciting enhancement when it comes to cyber security courses. David had some ideas around giving the students an environment that would be as close as possible to the type of cyber defence architecture that they would come into contact with in their professional careers.
“From experience, I knew that the best learning that I had during my career was from real situations and we needed to figure out how we could provide something like this for the students” - David Thejl Clayton
Andrew had a vision that the exam for the course would be based on an emulation of a known threat actor with a high degree of similarity to the Tactics, Techniques and Procedures of that actor. The students would then apply their technical skills as well as Structured Analytical Techniques leveraging the use of external bodies of knowledge such as the MITRE ATT&CK framework and corresponding threat intelligence.
There was just one problem… An environment like this was going to need hardware and not just any kind of hardware, but something that could support a large number of students each having their own instance of the lab environment.
David was able to secure a donation from his employer ‘JN Data’ of two powerful – but end of life – servers, which made their way to the basement of the Business Academy. This would then provide the foundation of the build along with a well-considered suite of tooling mostly composed of open source projects.
Long evenings in and around the outskirts of Aarhus finally led to a finished product – SagaLabs was born and ready to support the first of three exam projects in the newly launched Incident Response and Threat Hunting course at the Academy.
David’s previous role as manager of the Cyber Defense Center at one of the major service providers for the financial industry had exposed him to multiple Threat Intelligence Based Ethical Red Team tests, or TIBER for short. These tests are overseen by the regulator and conducted with high sophistication and rigor with a realistic narrative (see TIBER-EU).
A key component of this type of test is the learning that comes from the entire experience. From David’s perspective this approach would be ideal to transfer to a kind of experiential form of learning where assets, tools, behavior and artifacts of the adversary would form a coherent and highly realistic storyline/narrative – thus the name “SagaLabs” was chosen. The idea being that Saga means story, and these labs were meant to tell a story.
During 2021 another key initiative in the industry emerged. The first two intakes of recruits that served on the Danish Defence Cyber Enlistment were successfully discharged. Having found their way into the private sector, further education or pursuing a position in the defence, they had a social gathering in summer 2021. Following this gathering they chose to establish an association – The Association of Danish Cyber Alumni (FDCA) – with the purpose of promoting professional skills and ability in the cyber domain. David was asked to join the Advisory Board of the Association. With his experience in running multiple SagaLabs events for the Business Academy, the excitement grew around the possibility of hosting a similar event for FDCA.
Soon after FDCA was established, David, in close cooperation with Nichlas Falk, hosted a first weekend training in Purple Teaming in the original SagaLabs in November 2021.
The immense success of the first training weekend of SagaLabs spawned the idea of semi-annual training in SagaLabs for the members of the association.
Following the second SagaLabs weekend in May 2022, a huge appetite for more events was building among the Cyber Recruits that were not yet discharged. The rumor about SagaLabs and its amazing learning opportunities was too exciting not to spread like wildfire.
As was expected to happen one day, the affiliation with the Business Academy in Aarhus was discontinued when Andrew left teaching and the education sector for the private sector. This subsequently meant that the servers in their basement would not be available for the upcoming autumn event or future events beyond this. A huge thanks should be given to the Business Academy in Aarhus for their early support of the SagaLabs program.
Some bold decisions on the future of SagaLabs were then taken by David, Andrew and the Association of Danish Cyber Alumni board in May 2022. Firstly, the SagaLabs concept was handed over to FDCA. Secondly, a decision was taken to migrate (rebuild would be a more realistic description) SagaLabs to the cloud, as no one from the association was in immediate possession of a datacenter or two hugely power-consuming servers. The SagaLabs autumn event was scheduled to take place in the middle weekend of October 2022.
“We needed a space where we could educate our alumni and train them to combat and comprehend the current cyber threats. That’s why we made the decision to establish SagaLabs 2.0 within FDCA. We have been incredibly fortunate that numerous volunteers have expressed their eagerness to join us on our journey.” - Christian Henriksen
A few challenges were identified, the major ones being that cloud capacity is not free and that a greenfield build like this requires some pretty skilled developers with lots of time available.
By mid-2022, FDCA, being less than a year old, had yet to fully establish itself with sustainable funding to run externally hosted services – at least not for more than housekeeping. However, all available funds were thrown into Azure credits to enable the developers to get going (well, to get going as soon as they were identified).
Just before the summer break 2022, alumni member Daniel Mogens James McMillan signed up to be lead architect for SagaLabs 2.0 to bring it to the cloud.
“I saw an opportunity to learn about system development, cloud technologies and cyber ranges. I know that I have a big drive for projects, so when I heard their plans for the future of SagaLabs 2.0, I wanted to give it a shot. With a clear goal and date for the next event, I was ready to take on the challenge” - Daniel Mogens James McMillan
Profiting from long and bright summer evenings, the developer team managed to get a good build in place by the end of September 2022. In addition to the basic migration of the original functionality of SagaLabs 1.0 to the cloud, some further enhancements were on the way. An orchestration set-up was introduced, enabling full repeatability of the build process for individual environments, and automation was significantly enhanced. Further, Elastic was kind enough to give FDCA the use of Elastic Cloud, and a range of the Enterprise Elastic Suite tools was enabled.
Another sponsor heard the rumours about the SagaLabs concept and the learnings that could be taken from it. This sponsorship came from the critical infrastructure provider Norlys, providing the financial ability to cover the cost of conducting the anticipated autumn 2022 SagaLabs 2.0 event. Norlys’s sponsorship also provided stability for the operational cost over the course of the FDCA SagaLabs 2.0 events in 2023.
SagaLabs has now turned into what would be defined as a Cyber Range. There are quite a few Cyber Ranges out there, and some are highly sophisticated; however, not very many are accessible unless you have large funds and fairly large teams to make an investment effective. It seems that there are not yet that many communities discussing aspects of developing cyber ranges out there – with this blog we hope to initiate this kind of discussion with the intent to share our experiences.
Stay tuned for upcoming posts…
References
- Pictures generated by MidJourney