Compliance & Governance

Responsible Operation Through Rigorous Controls and Transparent Governance

Governance

Access Governance & Client Vetting

We recognise that cyber range infrastructure, if misused, could support activities contrary to legitimate defensive security purposes. Our access governance framework restricts platform access to qualifying organisations with demonstrable, legitimate training requirements.

Client Vetting Procedures

• Verification of organisational identity and legitimacy
• Assessment of training objectives and intended use cases
• Sanctions screening and denied party list verification
• Industry and sector appropriateness assessment
• Ongoing relationship monitoring and periodic review
• Right to refuse or terminate service where concerns arise

Our operational framework implements controls designed to ensure that training activities remain within appropriate boundaries and that platform capabilities are used only for their intended defensive training purposes.

Control Framework

• Pre-defined scenario libraries with documented learning objectives
• Expert facilitation ensuring appropriate scenario execution
• Real-time monitoring of training activities
• Restricted access to scenario configuration and customisation
• Separation of duties in platform administration
• Regular security assessments of platform infrastructure

Regulatory Alignment

Our platform and operations are structured to support client compliance with applicable regulations across the jurisdictions we serve. We maintain awareness of regulatory developments affecting cybersecurity training and adjust our operations accordingly.

Regulatory Considerations

• UAE National Cybersecurity Strategy alignment
• Financial services regulatory requirements (SAMA, CBUAE, DFSA)
• Healthcare data protection requirements
• Critical infrastructure protection frameworks
• International standards alignment (ISO 27001, NIST CSF)

Export Control Awareness

Cyber Range Solutions (CRS) is committed to full compliance with all applicable export control laws and regulations. As a U.S.-domiciled entity, CRS operates in accordance with the Export Administration Regulations (EAR), administered by the U.S. Department of Commerce, Bureau of Industry and Security (BIS), and maintains awareness of the International Traffic in Arms Regulations (ITAR) administered by the Directorate of Defense Trade Controls (DDTC).

CRS recognises that cyber range infrastructure carries inherent dual-use risk. We maintain rigorous client qualification procedures to ensure our platform is accessed exclusively by organisations with demonstrable, legitimate defensive security training requirements.

All prospective clients undergo the following qualification process before platform access is granted:

• Organisational identity verification and corporate due diligence (KYC/KYB)
• Assessment and documentation of training objectives and intended use cases
• Screening against all applicable sanctions, export control, and denied party lists
• Industry sector and end-use appropriateness assessment
• Verification of relevant regulatory authorisations or security clearances where applicable
• End-user certification for engagements involving controlled technology or sensitive capabilities

CRS reserves the unconditional right to decline, suspend, or terminate service to any party where concerns arise regarding the legitimacy of intended use, regulatory compliance, or alignment with our responsible operation commitments.

Client relationships are subject to periodic review, including re-screening against updated sanctions and restricted party lists.

Our cybersecurity training infrastructure, tools, and related technology may be classified under the following Export Control Classification Numbers (ECCNs) on the Commerce Control List:

• ECCN 4A005 — Systems, equipment, and components for the generation, command and control, or delivery of intrusion software
• ECCN 4D004 — Software specially designed for the generation, command and control, or delivery of intrusion software
• ECCN 4E001.c — Technology for the development of intrusion software
• ECCN 5A001.j — IP network communications surveillance systems

CRS services are designed and operated exclusively for legitimate defensive cybersecurity training and may qualify for export under License Exception ACE (Authorized Cybersecurity Exports) to most destinations. However, CRS services are not available to individuals, entities, or end-users located in, or acting on behalf of parties located in, countries subject to comprehensive U.S. sanctions or designated under EAR Country Groups D:1 or D:5.
