BYOT-CPS: A Hybrid Cyber-Physical Systems Testbed for IoT Security Assessment and Platform Evaluation

Internet of Things (IoT) security research continues to face a methodological gap between scalable virtual experimentation and realistic device behaviour. While pure simulation and emulation platforms provide control, repeatability, and scale, they do not fully reproduce firmware-specific behaviours, hardware characteristics, and vendor implementation weaknesses that frequently determine real-world exploitability. Conversely, physicalonly testbeds provide realism but are costly to assemble, difficult to reconfigure, and hard to replicate across institutions. This paper presents Build Your Own Cyber-Physical Systems Testbed (BYOT-CPS), a hybrid cyber-physical testbed that connects real IoT devices to virtualised network infrastructure built on GNS3. BYOT-CPS is designed to support security experimentation, education, and independent evaluation of commercial IoT security platforms within a controlled environment that preserves authentic device behaviour. Six requirements for such a testbed are defined: fidelity, heterogeneity, scalability, reproducibility, extensibility, and independence. A prototype deployment integrating smart bulbs, smart plugs, switches, and IP cameras with virtual enterprise, server, attack, and monitoring zones is used to demonstrate hybrid connectivity, penetration testing workflows, a Mirai-style denial-of-service attack, traffic monitoring, and controlled device manipulation. The evidence presented constitutes a feasibility validation of the framework rather than a largescale comparative benchmark. Within that scope, BYOT-CPS offers a practical middle ground between emulation-only research environments and costly physical laboratories while positioning vendor-neutral platform evaluation as a forward-looking design objective.