Published December 8, 2023 | Version v4
Dataset Open

Dataset: Behavior of Participants in Hands-on Cybersecurity Training Suitable for Process Mining

  • 1. Masaryk University


This repository contains supplementary materials for the following journal paper:

Radek Ošlejšek, Martin Macák, Karolína Dočkalová Burská.
Hands-on cybersecurity training behavior data for process mining.
In Elsevier Data in Brief. 2023.
Available as open-access article on


Datasets store event logs of trainees participating in hands-on cybersecurity exercises organized in the KYPO Cyber Range. The data includes training scenarios (expected behavior), raw event logs in the JSON format, and aggregated behavioral data suitable for process mining analysis.

  1. Data1: A dataset of 52 trainees participating in the Locust 3302 exercise adapted an insider attack scenario. No time restrictions were posed on playtime. The data file is structured as follows:
    • training_definition.json: The exercise content – cybersecurity tasks and hints. The training is based on the Locust 3302 game adapted to an insider attack scenario.
    • training_events: Recorded progress of trainees within the exercise, i.e., the status of completing tasks.
    • command_histories: Recorded commands executed on network hosts.
    • process_mining.csv: Complete PM-ready dataset suitable for process discovery or conformance analysis.
    • process_mining_simplified.csv : Reduced PM-ready dataset with semantically identical events being removed.
  2. Data2: A dataset of 48 trainees participating in the original Locust 3302 exercise. Three supervised training sessions were restricted to two hours of playtime. The structure follows the structure of Data1.
  3. Tool: A Java application used to aggregate raw JSON data and transform them into a CSV format suitable for process mining techniques.

How to cite

If you use or build upon the materials, please use the BibTeX entry below to cite the original work.

    author    = {Radek O\v{s}lej\v{s}ek and Martin Mac\'{a}k and Karol\'{i}na {Do\v{c}kalov\'{a} Bursk\'{a}}},
    title     = {Hands-on cybersecurity training behavior data for process mining},
    journal   = {{Data in Brief}},
    publisher = {Elsevier},
    issn      = {2352-3409},
    year      = {2023},
    volume    = {52},
    doi       = {10.1016/j.dib.2023.109956},
    url       = {}


Files (925.7 kB)

Name Size Download all
426.0 kB Preview Download
430.3 kB Preview Download
69.5 kB Preview Download

Additional details