A safe place to watch things break.
Bastion is a teaching range. Every lab reproduces the mechanism of a real vulnerability in a contained model, so you can learn how it works by doing — without touching anything you shouldn't.
Why hands-on
You can read the definition of a buffer overflow a dozen times and still not feel it. The moment it clicks is when you type one extra character and watch a byte land somewhere it shouldn't. Bastion is built around that moment: see the cause, see the effect, in the same view.
Each challenge pairs a short briefing with a live model. The briefing keeps the theory plain. The model makes it tangible — inputs are instrumented and visualized so the failure isn't described to you, it happens in front of you.
How the labs are built
The labs are deliberately simple. They simulate the shape of a flaw — a length check standing in for a memory write, for instance — rather than shipping exploitable code. That keeps them safe to run anywhere, easy to reason about, and honest about what they are: conceptual models, not attack tools.
Where a lab references something low-level, like a buffer declared as char[10], the goal is to build the right mental picture. When you later meet the real thing in real code, the instinct is already there.
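As an added example (not Bastion's own lab code), here is one way a length check can stand in for a memory write: an unchecked copy into char[10] is replayed inside a bounded model, next to the checked form a developer would ship. The 4-byte neighbouring field, its "SAFE" value and all function names are assumptions made for this illustration.

```c
#include <stdio.h>
#include <string.h>
#define BUF_LEN   10                 /* the char[10] from the briefing */
#define GUARD_LEN 4                  /* modeled neighbouring field (assumption) */
#define MODEL_LEN (BUF_LEN + GUARD_LEN)
static const char GUARD[] = "SAFE";  /* constructed sentinel value */

struct model_result {
    size_t needed;        /* bytes the input needs, NUL included */
    size_t spilled;       /* modeled bytes landing past the buffer */
    int    guard_changed; /* neighbouring field no longer reads "SAFE" */
    int    clamped;       /* input was longer than the whole model */
};

/* Replay an unchecked copy inside a bounded model: every write stays in
 * model[], so nothing outside it is touched however long the input is. */
struct model_result model_copy(const char *input, unsigned char model[MODEL_LEN])
{
    struct model_result r = {0};
    size_t n = r.needed = strlen(input) + 1;
    memset(model, 0, BUF_LEN);
    memcpy(model + BUF_LEN, GUARD, GUARD_LEN);
    if (n > MODEL_LEN) { n = MODEL_LEN; r.clamped = 1; }
    memcpy(model, input, n);
    r.spilled = n > BUF_LEN ? n - BUF_LEN : 0;
    r.guard_changed = memcmp(model + BUF_LEN, GUARD, GUARD_LEN) != 0;
    return r;
}

/* The corrected form: refuse anything that does not fit, NUL included. */
int checked_copy(const char *input, char buf[BUF_LEN])
{
    size_t need = strlen(input) + 1;
    if (need > BUF_LEN) return -1;
    memcpy(buf, input, need);
    return 0;
}

int main(void)
{
    const char *samples[] = { "AAAAAAAAA", "AAAAAAAAAA" };  /* 9 and 10 chars */
    unsigned char model[MODEL_LEN];
    for (int i = 0; i < 2; i++) {
        struct model_result r = model_copy(samples[i], model);
        printf("%zu needed, %zu spilled, guard %s\n", r.needed, r.spilled,
               r.guard_changed ? "changed" : "intact");
    }
    return 0;
}
```

Nine characters fit exactly; the tenth pushes the terminating NUL onto the first byte of the neighbouring field, which is the one-extra-character moment described above.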
Who it's for
Students getting their first look at application security. Developers who want to recognize these patterns in their own code. Anyone preparing for a CTF or a security course who learns better by touching the controls than by reading slides. No prior exploitation experience is assumed.
These labs exist to teach defense through understanding. Use what you learn on systems you own or are explicitly authorized to test — never on anything else. Curiosity is the point; permission is the boundary.
Ready to try it?
The Buffer Overflow lab is live and takes about ten minutes.