Detection Latency in Container-based Cyber Ranges

Abstract:

Container-based cyber ranges are increasingly used as lightweight alternatives to virtual machine–based environments for cybersecurity experimentation and training. However, empirical evaluation of detection-related runtime properties in such environments remains limited. This paper presents an experimental study of detection latency and scenario-level observability in a minimal container-based cyber range based exclusively on application-level telemetry. A multi-step application-layer attack scenario was executed, including reconnaissance, SQL injection-like and XSS-like events, and administrative access attempts. Detection latency and Telemetry Coverage Index (TCI) were used as complementary metrics. The experiments covered a baseline condition, partial observability conditions with selectively disabled telemetry, and load conditions with benign background traffic from 0 to 75 requests per second. The results showed full observability in the baseline and all load conditions (TCI = 1.00), while partial observability reduced TCI to 0.80 and 0.60. Detection latency remained within a narrow range across the evaluated conditions, and increasing benign workload did not substantially affect the upper tail of the latency distribution. The study provides a practical empirical baseline for future comparisons involving more complex monitoring pipelines and alternative cyber range architectures.