CDXE

– Cyber Defence Exercise Environment –

CDXE is an all-in-one internet-like environment carefully designed to meet the requirements of smaller scale Cyber Defence Exercises(CDX). Focus is on easy environment setups, live environment modifications, and low resource usage.

Preparing a CDX takes a lot of time and resources, especially if you want to make a realistic exercise environment. The goal of CDXE is to make it a lot easier for you to setup and configure the internet part of your exercise environment. This includes internet routers, routing, root name servers, and much more. CDXE is deployed as a single statically compiled binary. You can either connect your local environment(s) statically or peer with CDXE using BGP. Both IPv4 and IPv6 are supported.

Getting started

Installation

You need to have a supported version of Go installed, then run;

go install kryptogram.se/cdxe@latest

First steps

CDXE comes with a builtin example configuration generator. To output an example configuration, use;

cdxe generate example ex

where ex is an non existing directory. To start CDXE use;

cdxe run ex/backbone.cdxe ex/endpoint.cdxe

The ex directory does also contain a README that you are recommended to read as well as a configuration file for WireGuard that you can use to connect to CDXE using wg-quick. This will route ALL of your network traffic into CDXE, instead of to the real internet.

wg-quick up ex/wg-endpoint.conf

Source code and more

The source code is available through git, and there is also an issue tracker available.

Features

Easy configuration

Below is a simple example of two organizations, each with one ASN and one router. These two routers are then peered. An illustration of the routers and the peering are shown on the map.

Organizations can have more than one ASN as well as allocate more IP addresses, domain names, and routers. If more than one router is operating within the same ASN, then CDXE automatically configures intra AS routing.

name Example CDX              # Exercise name
port 2870                     # UDP Port used for accessing the network via WireGuard
wg (hidden)                   # Servers private key for WireGuard

organization kryptogram       # an organization
  name Kryptogram AB          # organization name
  domain kryptogram.se        # allocate a domain name to the organization
  end
  asn 64496                   # allocate an ASN to the organization
    ip 192.0.2.0/24           # allocate IP networks to organization and ASN
    end
    ip 2001:db8:fbf0::/48     # allocate IP networks to organization and ASN
    end
  end
  router mmx                  # a router
    asn 64496                 # operating ASN 64496
    geo 55.60641 13.00048     # virtual geo location of router
    ipv4 192.0.2.1            # router IPv4 address
    ipv6 2001:db8:fbf0::1     # router IPv6 address
    endpoint client           # a client connected to router
      ip 192.0.2.2/32         # client's IP addresses
      ip 2001:db8:fbf0::2/128 # client's IP addresses
      wg weMP0gb4JeW...       # client's public WireGuard key
    end
  end
end

organization acme             # another organization
  name Acme Inc               # organization name
  asn 64511                   # allocate an ASN to the organization
    ip 198.51.100.0/24        # allocate IP networks to organization and ASN
    end
    ip 2001:db8:fbff::/48     # allocate IP networks to organization and ASN
    end
  end
  router office               # a router
    asn 64511                 # operating ASN 64511
    geo 55.70285 13.19286     # virtual geo location of router
  end                         # router's IP addresses are automatically allocated
end

// peer the two defined ASNs between the two existing routers
peer kryptogram.mmx acme.office

Live modifications

The exercise environment can be changed live while running. Components such as routers, ASN:s and peerings can be added and removed on the fly. Enabling you to simulate network failures, partitions, and much more.

Roadmap

Below follows the immediate roadmap for CDXE, the priority is more or less top to bottom.

: Improve user documentation
: World map with routers, cables, and live traffic flows
: PCAP captures
: Network packet-loss, delays, rate-limiting, and filters
: Improved BGP support
: Backend for WASM services
: Convert DNS and NTP servers to WASM services
: Mirror of package repositories(WASM service)
: WHOIS/RDAP(WASM service)
: Assigning resources to teams Red/Blue/Green/…
: Improve configuration experience based on feedback
: Virtual devices with varying fingerprints
: Background traffic generation
: Realistically looking example configuration
: Tool to help generate configuration for realistic internet structures of different sizes and focusing on different geographic regions
: Performance optimization
: And more…

Presentations

“Making the internet your playground!”, Open Infra Forum, 2025–11–06, Stockholm, Sweden.
“Making the internet your playground!”, OpenInfra User Group India, 2025–11–12, Hybrid/India.
“Making the internet your playground!”, 2600 Malmö, 2025–12–05, Malmö, Sweden.
“I need a Cyber Range!”, CyberOnsdag i Linköping, Cybernode, 2026–02–25, Linköping, Sweden.
“Get started cyber ranging with CDXE”, Open Infra Forum, 2026–05–21, Stockholm, Sweden.

Acknowledgments

Map tiles by Stamen Design, under CC BY 3.0. Data by OpenStreetMap, under CC BY SA. "WireGuard" and the "WireGuard" logo are registered trademarks of Jason A. Donenfeld.