Hack The Box Review (2026): Labs, Academy, and Whether It's Worth It

Hack The Box is two products in one platform, and conflating them is how most people end up with the wrong impression of it. HTB Labs is the original — machines, Pro Labs, fortresses, the competitive offensive playground that built the brand. HTB Academy is the structured learning side, launched later, and the part that actually competes with TryHackMe.

You probably want one of them, possibly both, depending on where you are in your career. This is the honest review from someone who's spent real time on both halves of the platform.

What HTB actually is

HTB Labs is the gym. Hundreds of vulnerable machines you connect to via VPN (or in-browser via Pwnbox), root them, submit flags, climb the global leaderboard. Pro Labs are multi-machine red team scenarios that simulate enterprise networks — Active Directory environments with lateral movement, privilege escalation, and the kind of complexity you only otherwise see on a real engagement.

HTB Academy is structured education. Modules grouped into tiers (0 through advanced), grouped further into Job Role Paths (Penetration Tester, SOC Analyst, Bug Bounty Hunter, DFIR, AI Red Teamer, etc.). Each module has theory, hands-on labs, and a graded skills assessment at the end. The Job Role Paths terminate in HTB's professional certifications.

The two products complement each other. Academy teaches you something; Labs is where you prove you actually learned it.

HTB Labs review

Labs is what HTB is famous for and what the brand was built on.

The active machine catalog rotates: new boxes released regularly, old ones retired and made available to paid subscribers with official writeups and walkthroughs. As of mid-2026 there are well over 400 retired machines across difficulty levels from easy to insane.

Starting Point is the entry on-ramp — guided machines with explicit hints, designed to take you from "can use Linux" to "can root an easy box without a walkthrough." Free tier covers most of Starting Point.

Pro Labs are the standout product. Multi-machine scenarios that simulate full enterprise environments: AD domains, internal segmentation, DMZ-to-internal pivoting, the works. Pro Labs are what separate HTB from THM in offensive depth. They're closer to what an actual red team engagement looks like than any other paid training short of OffSec's PG Practice or PEN-300 lab.

Fortresses are themed multi-machine challenges. Sponsored by various vendors. Quality varies but the better ones (Jet, Akerva, Rasta Labs) are excellent.

The community. HTB has the most active offensive security community of any commercial platform. Discord is huge, the forum is busy, and the writeup ecosystem (on Medium, GitHub, personal blogs) means there's always supplementary material when you're stuck.

HTB Academy review

Academy is HTB's newer half and the part most beginners overlook.

The structure uses modules (single-topic units) grouped into Job Role Paths. The Penetration Tester path is the flagship — multi-month curriculum that mirrors a real pentest engagement. The SOC Analyst path is HTB's answer to THM's SOC Level 1 (newer, less battle-tested but improving).

The teaching quality is high. Modules are written by working professionals, lean technical, and don't waste time. Each module has theory sections, hands-on labs, and a skills assessment that gates your progress. The skills assessments are harder than THM equivalents — they make you actually demonstrate mastery, not just complete tasks.

The certifications:

CPTS (Certified Penetration Testing Specialist) — multi-day practical exam. As of 2026, recognized as an OSCP-class credential. Some hiring managers prefer it.
CBBH (Certified Bug Bounty Hunter) — for AppSec and bug bounty paths.
CDSA (Certified Defensive Security Analyst) — blue team cert. Still building hiring recognition but improving.
CAPE (Certified Active Directory Penetration Expert) — advanced AD attack cert. For working pentesters, not entry level.
CWES (Web Exploitation Specialist), CJCA (Junior Cybersecurity Analyst), and others rounding out the cert portfolio.

All HTB certs are 100% hands-on. No multiple choice. You exploit a real environment and write a real report.

Pricing

This is where HTB gets confusing because there are multiple pricing models.

HTB Labs:

Free tier — Starting Point and a rotating selection of active machines
VIP — increased active machine access, retired machine access, official writeups
VIP+ — around $223/year (~$18/mo equivalent). Recommended tier for serious learners

HTB Academy:

Free tier — 30 Cubes on signup, enough for several Tier 0 modules
Cube-based — buy Cubes monthly at a discount, unlock modules permanently. Best for picking specific modules
Silver Annual — access-based, all Tier 1 and Tier 2 modules for the subscription duration
Student plan — $8/mo with .edu email. The single best deal in security training. If you have any university affiliation (community college, non-degree program, official course enrollment), use it
Higher tiers (Gold, Platinum) — for serious cert pursuit

HTB Enterprise — starts around $250/month for one seat. For corporate training programs, not individuals.

The Cubes system is genuinely complex and harder to reason about than THM's flat subscription. If you don't want to think about it, get the Silver Annual or Student plan. If you want lifetime access to specific modules, use Cubes.

Who Hack The Box is for

Anyone past the beginner phase who wants to level up technical skill.
OSCP and CPTS candidates. HTB is the standard preparation environment.
Working pentesters maintaining and growing skills between engagements.
Red teamers practicing AD attack chains, lateral movement, and Pro Lab scenarios.
Bug bounty hunters using Academy's web exploitation modules.
Students with .edu emails. $8/mo Academy access is unbeatable.

Who it's not for

Complete beginners with no IT background. HTB Academy's Tier 0 is okay, but you'll struggle. Start with TryHackMe Cyber Security 101 first.
People targeting GRC roles. HTB is too technical. NIST CSF and ISO 27001 study material is more useful.
Pure SOC analysts who don't want offensive context. TryHackMe SOC Level 1 is better for that. HTB Academy's defensive content exists but lags THM.
Anyone needing maximum hand-holding. HTB intentionally pushes you to figure things out. If that style frustrates you to the point of quitting, THM is the better fit.

Honest weaknesses

Cubes pricing is unnecessarily complex. The Silver Annual or Student plan removes the friction, but the default experience involves understanding three different currency systems.
Academy's blue team content lags THM. Improving, but not yet at SOC Level 1's quality.
The community can be intimidating. HTB's culture rewards skill display. People sometimes interpret that as elitism. It's not, but the perception can discourage newer learners.
Pro Labs require a separate purchase in some cases. Worth it if you're targeting red team work, but the additional spend adds up.
Active machine difficulty has crept up over the years. Easy boxes today are harder than easy boxes from 2020. Adjust expectations.
The Pwnbox cloud attack VM is great when it works, occasionally finicky. Most serious users run their own Kali / ParrotOS VM.

How HTB compares to alternatives

vs. TryHackMe: Different products for different stages. THM for foundations and SOC; HTB for leveling up offensive skill. Full comparison: TryHackMe vs Hack The Box.

vs. OffSec's PEN-200 / OSCP labs: OffSec is the recognized industry credential and the labs are excellent. But $1,599 for a 90-day subscription is steep. HTB at $223/year is the cost-effective alternative for the same skills.

vs. PortSwigger Web Security Academy: Free, narrower (web only), deeper on web exploitation specifically. Use both — PortSwigger for web depth, HTB for everything else.

vs. RangeForce / Cybrary: Both exist for enterprise blue team training. HTB Academy now competes with them and increasingly wins on quality.

vs. structured courses on Coursera: Different goals. The Google Cybersecurity Certificate gives credential value and structured concept introduction; HTB gives the lab time. Best play is to do both.

What to do on HTB specifically

If you've subscribed and don't know where to start, here's a 6-month playbook:

Start with Academy. Pick the Job Role Path matching your direction — Penetration Tester for red team, SOC Analyst for blue team. Work through Tier 0 and Tier 1.
Layer in Starting Point on Labs. Concurrent with Academy. The Starting Point machines reinforce what you're learning.
Easy retired boxes. Once Starting Point is done, pick 10 easy retired boxes and root them. Write each one up.
Medium retired boxes. Move up. By box 5-10 of medium, you'll start to feel competent.
A Pro Lab if you're going red team. Dante or Offshore are the classic starting Pro Labs.
Take a cert. CPTS for red team, CDSA for blue team. The cert isn't the goal — the preparation is.

The verdict

Hack The Box is the best technical skill-building platform in security at the price point. It's not the right starting point for true beginners — that's TryHackMe's lane — but for anyone past the foundation phase who wants to actually become technically capable, HTB is where the leveling-up happens.

The Student plan at $8/month is the single best deal in the industry. If you have any university email, use it. If you don't, the standard plans are still cost-effective compared to bootcamps or SANS courses.

Pair HTB with structured Coursera credentials for filter-clearing certs and TryHackMe for the foundational ramp, and you've got the strongest non-bootcamp pipeline available in 2026.