
For most organizations that manage information technology and/or information security programs, personnel are constantly on the lookout for the best ways to train their technology superstars and provide them with the best academic and hands-on learning resources available.

Capture the Flag (CTF) events integrate both aspects of this into a single experience. In the educational and professional community, many organizations have created a variety of different events to meet this need – in the information technology, information security and development communities, many research-related volunteer organizations have created different “games” that help individuals achieve this result.

The National Collegiate Cyber Defense Competition is one such staple in the educational community for cyber CTF games and learning resources, while many other private and public organizations also put on events that push players’ performance and skill levels. Aman Hardikar has compiled a fairly comprehensive list of games in an easy-to-follow mind map that can be found here.

All this is great, you might think, but what is the point?

Many organizations don’t realize CTF games are an excellent way to train your mental muscles in situations that otherwise only come up when doomsday scenarios play out. Unfortunately, that happens more often than we would like – and we are often ill-prepared, even with a solid response plan.

For businesses, this means their IT/AppDev/InfoSec rockstars can walk into any catastrophe with calm nerves and quiet resolve – those heroes who went wargaming to earn their colors can now discover, investigate and contain their way to eradication and recovery effectively.

Undoubtedly, incident response influences both the outcome and the cost of a breach. Everyone acknowledges that. However, most methods of running “drills” or “simulations” fall short of providing a complete hands-on experience that is true to life. That’s where CTF games are especially useful.

CTFs, CTFs everywhere!

Predominantly, there are two major styles of CTF games: challenge-based and scenario-based.

Challenge-based: CTF games tend to be focused on individual tasks that may be independent or related to other objectives in a more linear setting. These can involve any number of topics or focus areas, such as cryptography, memory forensics, or specific exploits/methodologies. They are exceptional at polishing individual skill areas and can usually be played anytime, anywhere. Game types include: jeopardy, mixed.

Scenario-based: CTF games tend to be focused on critical thinking skills related to different circumstances or specific events. These can involve any number of topics or focus areas but tend to focus players or teams on specific roles or objectives, such as disaster recovery, penetration testing, or network defense. They are regularly (but not always) team-based and can be found online and at many conferences around the world. Game types include: attack-defense, mixed.

One of my personal favorite events is a competition called RuCTFE, which integrates many varying elements into an extremely unique attack-defense CTF that is held once per year in November/December. Vulnerable images are provided to players from around the world in a multi-hour event. Player teams must then analyze, patch, and defend their systems while attacking the vulnerable systems of their opponents.

You can check out more international and local events of all styles and types at

To learn about the CTF competition Tripwire’s VERT team offered earlier this year, please click here.


About the Author: Steven D. Legg (@ZenM0de) is a former IT Director and Senior Security Engineer who now works as an Information Security Strategy Consultant specializing in SMB/SME. With more than 16 years of experience with everything from tinkering in small business environments to designing nationwide media distribution networks, Steven now spends his time assessing, coaching, and threat modeling. Steven is also a developer for the PoshSec (@PoshSec) project, host of #misec (@misec) Southfield, father to an awesome 1-year-old daughter, and lover of difficult/roguelike games (moar permadeath, MOAR!). Oh, and he and Jayson Brown (@Ashioni) founded a scenario-based CTF and training simulation development group called Dynamic Learning Environments (@DLESec), which focuses on bringing real-world situations to CTF game environments and challenges to the community.

Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.

Title image courtesy of ShutterStock