TryHackMe follows a two-phase testing process to review rooms: Room Testing and User Acceptance Testing (UAT). The goal of this process is to ensure that all room content is accessible, consistent, appropriate, high-quality, and engaging for users.

Rooms are first tested by the TryHackMe QA Staff, who validate the content against a carefully defined Quality Standard to ensure accuracy and clarity.

After passing Room Testing, a room may be selected for User Acceptance Testing (UAT). In this phase, community UAT volunteers review the room from a user’s perspective, providing feedback on usability and engagement.

The TryHackMe QA Staff member responsible for your room will leave their THM username with feedback. However, if not, please ask a Lead Room Reviewer in the THM Discord or email qa@tryhackme.com with your query so they can forward it. During the UAT phase, you may ask questions in the Discord Thread for your room.

Once a room is marked as Public, it is added to the room submission queue. You will receive an email notification whenever the status of your room changes. To track the progress of your room, visit the General view in the room management section on the THM site at /room/manage/your_room_name.

The status of your room reflects at what stage of Room Testing your room currently resides. The following table provides an overview of the status:

- Public Accessibility of Write-ups: If you plan to submit your room for public review, we ask that there are no publicly accessible write-ups. This includes video livestreams, video write-ups, and written write-ups. Public write-ups can delay the testing and release process. This ensures the competitive element is maintained for our Friday releases. If a write-up was publicly available before submission, we prefer that significant changes have been made to the intended path to avoid delays.

- Credentials for Write-up Submission: When submitting the official write-up, provide SSH credentials for root or a high-level user on Linux machines. If using key-based authentication, include the private key. For Windows machines, provide RDP credentials for an administrator or high-level user. If you are unable to include these in the write-up, we will request them during review. Please ensure these services are enabled, even if they are not part of the intended path

- Room Topics: Verify that your room is not on the "No-Go" topics list (see the section below)

- Brute-forcing and Enumeration: Any brute-forcing, such as password hashes or enumeration, should not exceed 5 minutes in duration. While hardware affects cracking times, please benchmark using high entries from wordlists, and consider using the THM AttackBox for reference

- Room Question Limit: Rooms should contain a maximum of 15 questions unless you have a detailed walkthrough and explicit approval from the QA team. Contact qa@tryhackme.com for approval if necessary

- Content Appropriateness: Ensure that all room content, including downloadable media and VMs, is PG-13 and suitable for educational environments, as TryHackMe is used in classrooms, workshops, and corporate settings

- Interactive Elements: Rooms should include interactive elements, not just text

- Question Formatting: Task questions should be clearly written with proper grammar in English. If any content includes a different language, please indicate this within the room for discussion with the testing team

- Room Icons and Banners: The THM Creative Design team will design all room icons, drawing inspiration from the original icon. You are welcome to provide input. The room banner will be the default THM banner

- Task Question Format: Questions requiring answers should be posed as questions (e.g., "What is the user.txt flag?" rather than "user.txt"). Non-answer tasks should include instructional text, such as "Read the above"

- Tags: Use appropriate tags to reflect the room’s content, with at least four tags required. For challenge/CTF rooms, we allow more leniency with tags based on difficulty to avoid spoilers (e.g., an "easy" room might have more revealing tags than a "medium" or "hard" room)

- Rights to Content: The creator must own the rights to the content or have properly credited external sources. Room testers will check for plagiarism rigorously

- Licensing for Source Code: If your room includes source code that is not your own, ensure you reference the licensing agreement or terms and conditions. The code must allow for commercial use on TryHackMe. Code without a clear licensing agreement is considered All rights reserved and cannot be used.

- No VulnHub Uploads: Do not upload boxes from sites like VulnHub unless you are the creator or have explicit permission from the original author. Room testers may request proof of permission. Boxes created with SecGen are strictly prohibited

- Re-submissions: If you need to resubmit your room, please make the necessary changes suggested by the room tester before doing so

- Tester Access: Please do not ban room testers from your room during the submission or testing process.

Exceptions may apply on a per-room and topic basis to avoid content repetition across the site:

- Steganography Rooms: The only acceptable exception is for anthology rooms that are part of a larger collection or series, where steganography is not the central focus.

- Unrealistic or CTF Rooms on Cryptography/Ciphering: This includes basic ciphers such as substitution ciphers (e.g., ROT13) and similar examples. Exceptions are made for realistic cases such as those involving AES/RSA encryption, or specialized content like the CICCADA 3301 room.

- Illegal or "Black Hat" Activity: Rooms encouraging or involving illegal activities or unethical "Black Hat" practices will be rejected. "Grey Hat" rooms will be reviewed with the administrators for further discussion

- Pirated Content or Certification-based Content: Rooms containing pirated material or content directly taken from certification labs (e.g., PWK labs) will be rejected. Challenge rooms inspired by certifications are acceptable, but there’s a clear distinction between being “inspired by” and copying content

- Questionnaire/Quiz-Style Rooms: These are generally not acceptable unless they cover heavily theoretical topics, which will be reviewed and considered on a case-by-case basis

- Undisclosed 0-days: Rooms focusing on undisclosed 0-day vulnerabilities will not be accepted