Cyber Competitions Overview

ix
Peris.ai Feb. 18, 2025 https://peris.ai/post/what-capture-the-flag-competitions-teach-us-about-cybersecurity

Summary

The most important cybersecurity competitions fall into different categories, from prestigious Capture the Flag (CTF) events for skilled hackers to defensive competitions for students and challenges focused on specific, high-stakes exploits. The significance of a competition can vary depending on one’s career level and goals, whether it’s for learning, recruiting, or showcasing elite skills. There are also other competitions such as those on the Kaggle website and by Leet code (see weblinks for urls).

  • For top professionals and ethical hackers
  • For university students
  • For high school and younger students
  • General and online competitions

Source: Gemini AI Overview – 10/23/2025

OnAir Post: Cyber Competitions Overview

About

For elite and experienced professionals

  • DEF CON CTF: Hosted at the famous DEF CON hacker conference, this is widely regarded as one of the most prestigious and challenging CTF competitions in the world. Winning teams are awarded the coveted “Black Badge,” and the event attracts top-tier hacking talent globally.
  • Pwn2Own: Focused on the exploitation of software vulnerabilities, Pwn2Own is a high-stakes competition where researchers earn significant cash prizes for discovering and demonstrating zero-day exploits in widely used software and hardware.
  • Google CTF: A global competition organized by Google, featuring high-quality, difficult challenges that cover a broad range of cybersecurity domains. It is respected for its well-designed challenges and its ability to attract both seasoned professionals and beginners.
  • SANS NetWars Tournament of Champions: A highly respected tournament that brings together the winners of various SANS NetWars competitions. It emphasizes practical skills and is a significant showcase of talent for industry professionals. 

For students and academic development

  • National Collegiate Cyber Defense Competition (NCCDC): This competition pits teams of college students against each other to defend a commercial-style network from a live “red team” of attackers. It is a foundational competition recognized by Congress for its focus on the defensive, operational aspects of cybersecurity.
  • CyberPatriot: Co-founded with the Air Force Association, this is the largest cyber defense competition for high school and middle school students. Its purpose is to inspire students to pursue careers in cybersecurity and other STEM fields.
  • National Cyber League (NCL): A biannual competition for high school and college students, the NCL provides a cloud-based “stadium” for students to test and build their practical cybersecurity skills. It also provides “scouting reports” that students can use with potential employers.
  • picoCTF: Hosted by Carnegie Mellon University, this is a free, beginner-friendly online CTF competition for middle and high school students. It has an interactive storyline and is a great learning tool

For team-based and specialized skills

  • Global Cyberlympics: This competition goes beyond a standard CTF by challenging teams in a broad scope of IT security areas, such as penetration testing, forensics, and malware analysis. It is open to professionals globally.
  • Capture the Flag (CTF) Series: Many universities and organizations host CTF competitions throughout the year. Websites like CTFtime track and rank these events, which can range from jeopardy-style puzzles to full-scale attack-and-defense scenarios. Teams from elite hacking groups and top universities often compete in these to prove their skills.
  • US Cyber Challenge (USCC): This series of online competitions and summer camps offers participants the chance to test their skills in a variety of information security realms, with challenges ranging from beginner to advanced. 

Web Links

Wikipedia

For other uses, see Capture the flag (disambiguation).
A team competing in the CTF competition at DEF CON 17

In computer security, Capture the Flag (CTF) is an exercise in which participants attempt to find text strings, called "flags", which are secretly hidden in purposefully vulnerable programs or websites. They can be used for both competitive or educational purposes. In two main variations of CTFs, participants either steal flags from other participants (attack/defense-style CTFs) or from organizers (jeopardy-style challenges). A mixed competition combines these two styles.[1] Competitions can include hiding flags in hardware devices, they can be both online or in-person, and can be advanced or entry-level. The game is inspired by the traditional outdoor sport with the same name. CTFs are used as a tool for developing and refining cybersecurity skills, making them popular in both professional and academic settings.[2]

Overview

Capture the Flag (CTF) is a cybersecurity competition that is used to test and develop computer security skills. It was first developed in 1996 at DEF CON, the largest cybersecurity conference in the United States which is hosted annually in Las Vegas, Nevada.[3] The conference hosts a weekend of cybersecurity competitions, including their flagship CTF.

Two popular CTF formats are jeopardy and attack-defense.[2][4] Both formats test participant’s knowledge in cybersecurity, but differ in objective. In the Jeopardy format, participating teams must complete as many challenges of varying point values from a various categories such as cryptography, web exploitation, and reverse engineering.[5] In the attack-defense format, competing teams must defend their vulnerable computer systems while attacking their opponent's systems.[4]

The exercise involves a diverse array of tasks, including exploitation and cracking passwords, but there is little evidence showing how these tasks translate into cybersecurity knowledge held by security experts. Recent research has shown that the Capture the Flag tasks mainly covered technical knowledge but lacked social topics like social engineering and awareness on cybersecurity. [6]

Educational applications

Presenter walks through the solution of a CTF challenge

CTFs have been shown to be an effective way to improve cybersecurity education through gamification.[7] There are many examples of CTFs designed to teach cybersecurity skills to a wide variety of audiences, including PicoCTF, organized by the Carnegie Mellon CyLab, which is oriented towards high school students, and Arizona State University supported pwn.college.[8][9][10] Beyond educational CTF events and resources, CTFs has been shown to be a highly effective way to instill cybersecurity concepts in the classroom.[11][12] CTFs have been included in undergraduate computer science classes such as Introduction to Information Security at the National University of Singapore.[13] CTFs are also popular in military academies. They are often included as part of the curriculum for cybersecurity courses, with the NSA organized Cyber Exercise culminating in a CTF competition between the US service academies and military colleges.[14]

Competitions

Many CTF organizers register their competition with the CTFtime platform. This allows the tracking of the position of teams over time and across competitions.[15] These include "Plaid Parliament of Pwning", "More Smoked Leet Chicken", "Dragon Sector", "dcua", "Eat, Sleep, Pwn, Repeat", "perfect blue", "organizers" and "Blue Water". Overall the "Plaid Parliament of Pwning" and "Dragon Sector" have both placed first worldwide the most with three times each.[16]

Community competitions

Every year there are dozens of CTFs organized in a variety of formats. Many CTFs are associated with cybersecurity conferences such as DEF CON, HITCON, and BSides. The DEF CON CTF, an attack-defence CTF, is notable for being one of the oldest CTF competitions to exist, and has been variously referred to as the "World Series",[17] "Superbowl",[10][18] and "Olympics",[19] of hacking by media outlets. The NYU Tandon hosted Cybersecurity Awareness Worldwide (CSAW) CTF is one of the largest open-entry competitions for students learning cybersecurity from around the world.[5] In 2021, it hosted over 1200 teams during the qualification round.[20]

In addition to conference organized CTFs, many CTF clubs and teams organize CTF competitions.[21] Many CTF clubs and teams are associated with universities, such as the CMU associated Plaid Parliament of Pwning, which hosts PlaidCTF,[5] and the ASU associated Shellphish.[22]

Government-supported competitions

Governmentally supported CTF competitions include the DARPA Cyber Grand Challenge and ENISA European Cybersecurity Challenge.[23] In 2023, the US Space Force-sponsored Hack-a-Sat CTF competition included, for the first time, a live orbital satellite for participants to exploit.[24]

Corporate-supported competitions

Corporations and other organizations sometimes use CTFs as a training or evaluation exercise.[citation needed] The benefits of CTFs are similar to those of using CTFs in an educational environment.[citation needed] In addition to internal CTF exercises, some corporations such as Google[25] and Tencent host publicly accessible CTF competitions.

  • In Mr. Robot, a qualification round for the DEF CON CTF competition is depicted in the season 3 opener "eps3.0_power-saver-mode.h". The logo for DEF CON can be seen in the background.
  • In The Undeclared War, a CTF is depicted in the opening scene of the series as a recruitment exercise used by GCHQ.[26]
  • Go Go Squid!, a Chinese television series, is based around training for and competing in highly stylized CTF competitions .[27]

See also

References

  1. ^ "CTFtime.org / What is Capture The Flag?". ctftime.org. Retrieved 2023-08-15.
  2. ^ a b ENISA (2021-05-10). Contemporary Practices and State-of-the-Art in Capture-the-Flag Competitions (PDF). ENISA. ISBN 978-92-9204-501-2.
  3. ^ Cowan, C.; Arnold, S.; Beattie, S.; Wright, C.; Viega, J. (April 2003). "Defcon Capture the Flag: Defending vulnerable code from intense attack". Proceedings DARPA Information Survivability Conference and Exposition. Vol. 1. pp. 120–129. doi:10.1109/DISCEX.2003.1194878. ISBN 0-7695-1897-4. S2CID 18161204.
  4. ^ a b Says, Etuuxzgknx (2020-06-10). "Introduction To 'Capture The Flags' in CyberSecurity - MeuSec". Retrieved 2022-11-02.
  5. ^ a b c Chung, Kevin; Cohen, Julian (2014). "Learning Obstacles in the Capture The Flag Model". {{cite journal}}: Cite journal requires |journal= (help)
  6. ^ Švábenský, Valdemar; Čeleda, Pavel; Vykopal, Jan; Brišáková, Silvia (March 2021). "Cybersecurity knowledge and skills taught in capture the flag challenges". Computers & Security. 102 102154. arXiv:2101.01421. doi:10.1016/j.cose.2020.102154.
  7. ^ Balon, Tyler; Baggili, Ibrahim (Abe) (2023-02-24). "Cybercompetitions: A survey of competitions, tools, and systems to support cybersecurity education". Education and Information Technologies. 28 (9): 11759–11791. doi:10.1007/s10639-022-11451-4. ISSN 1573-7608. PMC 9950699. PMID 36855694.
  8. ^ "ASU's cybersecurity dojo". ASU News. 2021-02-15. Retrieved 2023-07-18.
  9. ^ "picoCTF aims to close the cybersecurity talent gap". www.cylab.cmu.edu. Retrieved 2023-07-18.
  10. ^ a b "Wanted: hackers. Reward: the best may get a spot at CMU". Pittsburgh Post-Gazette. Retrieved 2023-07-18.
  11. ^ McDaniel, Lucas; Talvi, Erik; Hay, Brian (January 2016). "Capture the Flag as Cyber Security Introduction". 2016 49th Hawaii International Conference on System Sciences (HICSS). pp. 5479–5486. doi:10.1109/HICSS.2016.677. ISBN 978-0-7695-5670-3. S2CID 35062822.
  12. ^ Leune, Kees; Petrilli, Salvatore J. (2017-09-27). "Using Capture-the-Flag to Enhance the Effectiveness of Cybersecurity Education". Proceedings of the 18th Annual Conference on Information Technology Education. SIGITE '17. New York, NY, USA: Association for Computing Machinery. pp. 47–52. doi:10.1145/3125659.3125686. ISBN 978-1-4503-5100-3. S2CID 46465063.
  13. ^ Vykopal, Jan; Švábenský, Valdemar; Chang, Ee-Chien (2020-02-26). "Benefits and Pitfalls of Using Capture the Flag Games in University Courses". Proceedings of the 51st ACM Technical Symposium on Computer Science Education. pp. 752–758. arXiv:2004.11556. doi:10.1145/3328778.3366893. ISBN 9781450367936. S2CID 211519195.
  14. ^ "National Security Agency/Central Security Service > Cybersecurity > NSA Cyber Exercise". www.nsa.gov. Retrieved 2023-07-18.
  15. ^ "CTFtime". CTFtime. Retrieved 2023-08-18.
  16. ^ "CTFtime rankings". CTFtime Rankings. Retrieved 2023-08-18.
  17. ^ Producer, Sabrina Korber, CNBC (2013-11-08). "Cyberteams duke it out in the World Series of hacking". CNBC. Retrieved 2023-07-18.{{cite web}}: CS1 maint: multiple names: authors list (link)
  18. ^ Noone, Ryan (2022-08-15). "CMU Hacking Team Wins Super Bowl of Hacking for 6th Time - News - Carnegie Mellon University". www.cmu.edu. Retrieved 2023-07-18.
  19. ^ Siddiqui, Zeba (2022-08-18). "Hacker tournament brings together world's best in Las Vegas". Reuters. Retrieved 2023-07-18.
  20. ^ "CSAW Capture the Flag". CSAW. Retrieved 2022-11-02.
  21. ^ Balon, Tyler; Baggili, Ibrahim (Abe) (2023-02-24). "Cybercompetitions: A survey of competitions, tools, and systems to support cybersecurity education". Education and Information Technologies. 28 (9): 11759–11791. doi:10.1007/s10639-022-11451-4. ISSN 1360-2357. PMC 9950699. PMID 36855694.
  22. ^ "These grad students want to make history by crushing the world's hackers". Yahoo Finance. 2016-08-04. Retrieved 2023-09-02.
  23. ^ "European Cybersecurity Challenge". ECSC. Retrieved 13 June 2024.
  24. ^ Hardcastle, Jessica Lyons. "Moonlighter space-hacking satellite is in orbit". www.theregister.com. Retrieved 2023-07-18.
  25. ^ "Google CTF". capturetheflag.withgoogle.com.
  26. ^ Woodward, Alan (2022-07-07). "'Some staff work behind armoured glass': a cybersecurity expert on The Undeclared War". The Guardian. ISSN 0261-3077. Retrieved 2023-07-18.
  27. ^ Qin ai de, re ai de (Drama, Romance, Sport), Zi Yang, Xian Li, Mingde Li, Shanghai GCOO Entertainment, 2019-07-09, retrieved 2023-08-15{{citation}}: CS1 maint: others (link)
  • ctftime.org - an archive of historic, current, and future CTF competitions.
source: https://en.wikipedia.org/wiki/Capture_the_flag_(cybersecurity)

    Discuss

    OnAir membership is required. The lead Moderator for the discussions is Cyber Curators. We encourage civil, honest, and safe discourse. For more information on commenting and giving feedback, see our Comment Guidelines.

    This is an open discussion on the contents of this post.

    Home Forums Open Discussion

    Viewing 1 post (of 1 total)
    Viewing 1 post (of 1 total)
    • You must be logged in to reply to this topic.
    Skip to toolbar