A capture the flag (CTF) contest is a special kind of cybersecurity competition designed to challenge its participants to solve computer security problems and/or capture and defend computer systems. Typically, these competitions are team-based and attract a diverse range of participants, including students, enthusiasts and professionals. A CTF competition may take a few short hours, an entire day or even multiple days.
CTF competitions have elevated from their humble roots to reach sport-level status, with thousands of individual games and leagues now taking place every year across the globe — including the annual DEF CON competition, one of the most prestigious CTF events in the world.
There are several variations on the capture the flag format. The most popular styles are jeopardy, attack-defense and a mix of the two.
In a jeopardy CTF format, teams must complete as many cybersecurity challenges as they can from a given selection, testing their skills and knowledge on a diverse range of computer security categories in novel and creative ways. Typical tasks are related to networking, programming, applications, mobile, forensics, reverse engineering and cryptography. For each challenge a team completes, a specific number of points is rewarded.
In an attack-defense CTF competition, teams must capture and defend vulnerable computer systems, typically hosted on virtual machines in an isolated network. To gain points, a team can maintain ownership of as many systems as possible while denying access to the other competing teams.
Finally, a mixed CTF is arguably the most challenging for participants. Combining jeopardy and attack-defense styles, successful teams must strategically divide their efforts and play to each of their member’s strengths by completing security challenges while simultaneously hacking into target vulnerable systems, maintaining access to these machines and defending them against their competitors.
The winner is usually the team or individual with the most points at the end of the game. Like many sporting events, prizes are commonly awarded for first, second and third place. In the interest of contest integrity and respect for the game platform, CTF ground rules are shared with participants prior to the event. Violation of these rules may result in restrictions or even elimination from the competition.