Last updated at Tue, 25 Jul 2017 19:46:56 GMT

It can sometimes be challenging to find vulnerable machines for your penetration testing or vulnerability management lab. Here's a list of vulnerable machines you should check out:

  1. Metasploitable
  2. UltimateLAMP
  3. Web Security Dojo
  4. OWASP Hackademics
  5. DVWA Damn Vulnerable Web Application
  6. Mutillidae
  7. De-ICE
  8. OWASP Web Goat
  9. Google Gruyere
  10. Old ISOs - if you know what to look for (for example, old Ubuntu versions)

The Microsoft Developer Network (MSDN) subscription is also worth checking out. You can get collections online for about $200. If you are working in academia, also check out the Microsoft Developer Network Academic Alliance (

Also check your basement - you never know what old discs you still have lying around!

Note: This blog post was inspired by a question in Matt Barrett's webinar “How to set up a penetration testing test lab” as well as several audience submissions (thank you!). Watch the webinar now!