Start with the docs — they cover 90% of setup questions. If you hit something new or have a specific challenge/lab issue, check the FAQ below or open a ticket through one of the channels. Breachforge is a small project, so expect a one-to-three-day turnaround on non-urgent issues.
Bug reports, feature requests, broken challenges, stuck labs. Include your OS, Docker version, and the relevant docker compose logs snippet. One issue per problem.
Best for write-ups, tips, and "how should I approach Lab 03?" threads. Keep flags and direct exploits behind spoiler tags so people who haven't solved it yet can still enjoy it.
Join the discussion ↗For security-sensitive reports — e.g. you found an unintended vuln that breaks the containment model — email directly. Please don't file security issues publicly.
security@breachforge.localYes. Breachforge is a self-hosted training platform and is free for personal, educational, and internal-team use. There's no account, no telemetry, no paid tier. You host it, you run it, you own all the data it produces.
docker compose up and nothing happens at :8080.
Three things to check, in order:
1. Is another process already bound to 8080? Run lsof -i :8080 (macOS/Linux) or netstat -ano | findstr 8080 (Windows). If something else has the port, set BREACHFORGE_PORT=9090 (or any free port) and rerun.
2. Are the containers actually up? Run docker compose ps. All entries should show running (healthy). If any are restarting, check their logs.
3. Did nginx crash on a config error? docker compose logs nginx will show it. This usually happens if you edited nginx.conf and there's a syntax error.
Flag submissions are stored in your browser's localStorage under the key breachforge.captured.labs. Open devtools on the Labs page and run localStorage.removeItem('breachforge.captured.labs'), then refresh. All four labs reset to uncaptured.
If you also want to reset lab service state (e.g. users you created in MicroHub, files you uploaded), run docker compose down -v and bring the stack back up. The -v wipes the mounted volumes.
Submission is strict exact-match. The most common causes:
• Leading or trailing whitespace from copy-paste. Retype or copy carefully.
• Missing braces — you need both the opening BF{ and the closing }.
• Wrong flag. Some labs print decoy strings in the format BF{...} inside intermediate responses. The real flag is recovered from the final step of the chain (e.g. reading the treasury invoice's memo field in Lab 04), not from an earlier leak.
Yes, but you're responsible for the isolation. Breachforge intentionally exposes vulnerable services — SQLi, SSRF, RCE, zip-slip, command injection. Anyone who can reach the host's BREACHFORGE_PORT can exploit those services against the host and potentially against the network if the host isn't segmented.
For classroom use, the cleanest pattern is: one isolated VM per student (Multipass, Vagrant, or a small cloud instance), and each student's VM is firewalled off from the others.
Not officially — the point is for you to struggle, Google, and try ten things before the eleventh works. That's the training loop.
Community write-ups live in the GitHub Discussions tab. If you're deeply stuck on a specific step, post a thread (use spoiler tags around any actual payload) and someone will usually unblock you within a day.
Yes. Each challenge is just a directory under challenges/{stack}/NN/ with a vulnerable source file, a meta.json (title, description, difficulty map, tags), and an optional seed script. The challenge registry in the frontend is generated from those meta.json files at build time. See the documentation for the full schema.
Nice catch — please report it privately via email (see the channels above). Include reproduction steps and the impact (e.g. "lab container can escape to the host", "the hub itself is SQLi-able against its own state"). Give us reasonable time to patch before disclosing publicly.
Unintended vulns that aid a lab's intended path are fair game to discuss publicly — that's just another solution. Vulns that break the containment model aren't.
Breachforge exists to teach offensive web security on systems you own. The techniques demonstrated here — SQL injection, SSRF, zip-slip, IDOR, and the rest — are illegal in most jurisdictions when used against systems you do not have written authorization to test. By using this platform you agree to apply what you learn only against targets where you have explicit permission. Misuse is on you, not on the project.