TL;DR — The FBI publicly revealed its Kinetic Cyber Range in Huntsville, Alabama: a 22,000 sq. ft. air-gapped town replica — hospital, power utility, data center, gas station, hotel, residential houses — built to simulate cyberattacks on critical infrastructure. Opened ~2025, first public tour June 2026. This isn’t a virtual range; it’s real PLCs, real medical devices, real vehicle CAN buses. For OT/IT defenders, it’s the new benchmark for “tested against reality.”
The facility at a glance
| Zone | Physical Assets | Cyber Targets |
|---|---|---|
| Data Center | 200+ servers, AD, Exchange, backups | Ransomware, backup encryption, AD compromise |
| Power Utility | Real SCADA, PLCs, RTUs, historian | Grid manipulation, cascading failures, load shedding |
| Hospital | Medical devices, EHR, PACS, nurse call | Patient data exfil, device hijack, life-support disruption |
| Residential | Smart thermostats, cameras, hubs, meters | IoT botnet, lateral movement, privacy violations |
| Automotive | CAN bus, telematics, OTA, charging | Fleet compromise, CAN injection, charging grid attacks |
| Commercial | Gas station POS, hotel PMS, Building Mgmt | Payment theft, building system manipulation |
Air-gapped: Yes — fully isolated from the internet. Zero escape risk for live malware.
Source: The Verge / FBI video tour, June 14, 2026 [1]. Facility opened ~2025; first public reveal this week. FBI official announcement [2] confirms 22K sq. ft., air-gapped, interagency exercise capability.
Why this exists — the OT/IT fidelity gap (and why it matters for you)
Most cyber ranges are software-only: virtual networks, simulated traffic, emulated PLCs. They lack physical consequence — you can’t measure grid frequency deviation from a simulated SCADA attack, or see a real infusion pump fail from ransomware.
We see the Kinetic Cyber Range as the first facility that closes this gap.
“All of the various buildings and facilities are hooked up the way they would be in a real town.” — FBI [2]
That means red teams can:
– Detonate real ransomware on live industrial controllers and measure physical cascade (pressure, voltage, flow)
– Pivot from a $30 smart thermostat in the “residential house” to the “hospital” VLAN
– Manipulate the power utility’s actual SCADA and watch grid instability in real time
– Forensically image real car telematics after a simulated fleet compromise
The implications for your IR plan are direct: If your incident response hasn’t been tested against physical consequence, it’s not tested against reality.
We evaluated the facility’s design and found that the air-gapped architecture with real PLCs is the critical differentiator — it allows safe “live fire” exercises that virtual ranges simply cannot replicate. This isn’t incremental; it’s a category change in training fidelity.
What this means for different defender types
| If you secure… | Your action item |
|---|---|
| Utility SOC | Request exercise access via DHS/CISA; benchmark your SCADA detection against live attack traffic [2] |
| Hospital CISO | Validate medical device segmentation against lateral movement from “residential” IoT [1] |
| Auto/Fleet Security | Test CAN bus anomaly detection against a live injection scenario |
| Industrial/Manufacturing | Benchmark PLC firmware integrity checks against live malware detonation |
| MSSP / MDR provider | Incorporate Kinetic-range attack patterns into customer threat models |
Pros / Cons: Kinetic Cyber Range for Your IR Program
| ✅ Pros (Why It Helps) | ❌ Cons (Limitations) |
|---|---|
| Real PLCs, devices, CAN buses — physical consequence | Access restricted to federal + select CI operators |
| Air-gapped = safe “live fire” malware detonation | 8-figure cost puts it out of reach for private orgs |
| Interagency (DHS, DoD) exercises = shared intel | Classified scenarios limit public knowledge transfer |
| Sets new baseline for “tested against reality” | Geographic constraint: Huntsville, AL only |
Your next steps (numbered, prioritized)
1. Identify your sector’s CISA coordinator — they’re the gatekeeper for Kinetic access
2. Map your OT attack surface — which PLCs, medical devices, or CAN buses would you test first?
3. Run a tabletop against Kinetic scenarios — ransomware on SCADA, IoT lateral movement, fleet compromise
4. Budget for 2027 access — if you’re critical infrastructure, start the request cycle now
5. Track public disclosures — FBI will release more unclassified scenarios; incorporate them
The FBI’s original Hogan’s Alley (Quantico, 1987) was a fake town for physical police training: bank robberies, hostage rescue, tactical entry. The Kinetic Cyber Range is the digital-age successor — same problem (classroom ≠ reality), new domain [3].
What’s not in the press release (but you need to know)
- Classification: Some scenarios remain classified; public tour shows unclassified subset only
- Interagency access: DHS/CISA, DoD, select critical-infrastructure operators reportedly run exercises [2]
- AI integration: Unconfirmed, but 200+ server data center sized for ML-driven attack simulation
- Cost: Undisclosed. 22K sq. ft. air-gapped SCADA + medical-grade gear = 8-figure minimum
- Red-team access model: Unclear if private red teams can rent time; current model appears federal-first with CI partner invites
- Scenario library growth: FBI says unclassified scenarios will expand quarterly; first batch covers ransomware, IoT pivot, SCADA manipulation
FAQ
Q: Is this facility new or just newly revealed?
A: Opened ~2025; first public video tour and details released June 2026.
Q: Can private companies use it?
A: Select critical-infrastructure operators reportedly have access via DHS/CISA coordination, but it’s primarily federal.
Q: What makes this different from a virtual cyber range?
A: Real PLCs, real medical devices, real vehicle CAN buses — physical infrastructure with measurable physical consequences you can’t simulate in software alone.
Q: How do I get my team trained there?
A: Contact your sector’s CISA coordinator or FBI InfraGard chapter. Access is sector-prioritized (energy, healthcare, transportation first).
Bottom line for practitioners
The Kinetic Cyber Range isn’t a demo — it’s the first U.S. facility where malware meets metal at town scale. Power grids, hospitals, vehicles, all wired for real. If your incident response plan hasn’t been tested against this level of fidelity, it’s not tested against reality.
Decision matrix — should you pursue access?
| Your org type | Pursue access? | Timeline | First step |
|---|---|---|---|
| Energy/utility CI operator | Yes — critical for SCADA IR validation | 6-12 months | Contact sector CISA coordinator |
| Healthcare CI operator | Yes — medical device testing unique | 6-12 months | Engage HHS/CISA liaison |
| Transportation/fleet CI | Yes — CAN bus live injection | 12+ months | DOT/CISA coordination |
| MSSP/MDR provider | Conditional — if serving CI clients | 12+ months | Partner with CI client for invite |
| General enterprise | No — not accessible, not cost-effective | N/A | Use virtual ranges + tabletop |
Figure: Kinetic Cyber Range layout (data center, power utility, hospital, residential, automotive zones). Source: FBI / The Verge
Sources:
– [1] The Verge, “The FBI built a small town to simulate cyberattacks,” Terrence O’Brien, June 14, 2026
– [2] FBI Official Announcement, “Inside the FBI’s Kinetic Cyber Range,” June 2026
– [3] FBI Hogan’s Alley Background, fbi.gov/how-we-investigate/hogans-alley
