Capture the flag (cybersecurity)

From Wikipedia, the free encyclopedia
A team competing in the CTF competition at DEF CON 17

Capture the Flag (CTF) in computer security is an exercise in which "flags" are secretly hidden in purposefully-vulnerable programs or websites. It can either be for competitive or educational purposes. Competitors steal flags either from other competitors (attack/defense-style CTFs) or from the organizers (jeopardy-style challenges). Several variations exist. Competitions can include hiding flags in hardware devices, they can be both online or in-person, and can be advanced or entry-level. The game is based on the traditional outdoor sport of the same name.


Capture the Flag (CTF) is a cybersecurity competition that is used as a test of security skills. It was first developed in 1993 at DEFCON, the largest cybersecurity conference in the United States hosted annually in Las Vegas, Nevada.[1] The conference hosts a weekend of cybersecurity competitions including CTF. There are two ways CTF can be played: Jeopardy and Attack-Defense.[2] Both formats test participant’s knowledge in cybersecurity, but differ in objective. In the Jeopardy format, participating teams must complete as many challenges of varying point values from a given category. Some examples of categories are programming, networking, and reverse engineering.[3] In the attack-defense format, competing teams must defend their vulnerable computer systems while attacking the opponents.[2] This is done by attempting to replace the opponent's “flag” or data file with their own. Since CTF’s creation at DEFCON, there have been other CTF competitions hosted including CSAW CTF and Plaid CTF.[3]


CTF is mainly used for cybersecurity education, as studies show students tend to respond better to interactive methods demonstrated through CTF exercises than in a traditional classroom setting.[4] A study conducted by researchers at Adelphi University found using CTF exercises was a highly effective way to instill cybersecurity concepts in an enjoyable manner.[5] They can also be incorporated in a classroom setting, and have been included in undergraduate computer science classes such as Introduction to Security at the University of Southern California.[6]

CTF is also popular in military academies. They are often included as part of the curriculum for cybersecurity courses. For example, a report released by the Cyber Defense Review, a journal from the Army Cyber Institute (ACI) at West Point, highlights CTF exercises pursued by students in the Air Force Academy and the Naval Academy who are members of cybersecurity clubs.[7] Furthermore, many cybersecurity concepts are taught through CTF exercises in the Advanced Course in Engineering on Cyber Security, an immersive summer program offered to ROTC cadets, active duty members, and undergraduates.[8]


Another hindering factor to CTF effectiveness is cost, which includes hardware and software costs, as well as administrative salaries. Some competitions require user terminals for players, so machines need to be bought for each player.[9] In open source competitions such as PicoCTF where students play on their personal computers, such costs are saved but there are still server costs. CTF events also require hiring experts in cybersecurity, which can be more expensive than hiring non-specialist educators or less experienced engineers.[9]


Company-sponsored competitions[edit]

While CTF is mainly used for cybersecurity education, some studies show that companies use CTF as a form of recruitment and evaluation for high performers. It can be used to source and screen for potential employees.[5][10]

Recent competitions[edit]

Computer Science Annual Workshop (CSAW) CTF is one of the largest open-entry competitions for students learning cybersecurity from around the world.[3] In 2021, it hosted over 1200 teams during the qualification round.[11] Another popular competition is DEFCON CTF, one of the first CTF competitions to exist, which aims its competition for those who are already familiar with cybersecurity, introducing more advanced problems.[11]

See also[edit]


  1. ^ Cowan, C.; Arnold, S.; Beattie, S.; Wright, C.; Viega, J. (April 2003). "Defcon Capture the Flag: defending vulnerable code from intense attack". Proceedings DARPA Information Survivability Conference and Exposition. 1: 120–129 vol.1. doi:10.1109/DISCEX.2003.1194878. ISBN 0-7695-1897-4. S2CID 18161204.
  2. ^ a b Says, Etuuxzgknx (2020-06-10). "Introduction To 'Capture The Flags' in CyberSecurity - MeuSec". Retrieved 2022-11-02.
  3. ^ a b c Chung, Kevin; Cohen, Julian (2014). "Learning Obstacles in the Capture The Flag Model". {{cite journal}}: Cite journal requires |journal= (help)
  4. ^ McDaniel, Lucas; Talvi, Erik; Hay, Brian (January 2016). "Capture the Flag as Cyber Security Introduction". 2016 49th Hawaii International Conference on System Sciences (HICSS): 5479–5486. doi:10.1109/HICSS.2016.677. ISBN 978-0-7695-5670-3. S2CID 35062822.
  5. ^ a b Leune, Kees; Petrilli, Salvatore J. (2017-09-27). "Using Capture-the-Flag to Enhance the Effectiveness of Cybersecurity Education". Proceedings of the 18th Annual Conference on Information Technology Education. SIGITE '17. New York, NY, USA: Association for Computing Machinery: 47–52. doi:10.1145/3125659.3125686. ISBN 978-1-4503-5100-3. S2CID 46465063.
  6. ^ Vykopal, Jan; Švábenský, Valdemar; Chang, Ee-Chien (2020-02-26). "Benefits and Pitfalls of Using Capture the Flag Games in University Courses". Proceedings of the 51st ACM Technical Symposium on Computer Science Education: 752–758. arXiv:2004.11556. doi:10.1145/3328778.3366893. ISBN 9781450367936. S2CID 211519195.
  7. ^ Spidalieri, Francesca; McArdle, Jennifer (2016). "Transforming the Next Generation of Military Leaders into Cyber-Strategic Leaders: The role of cybersecurity education in US service academies". The Cyber Defense Review. 1 (1): 141–164. ISSN 2474-2120. JSTOR 26267304.
  8. ^ Argles, Christopher; Zaluska, Ed (2018). "A Conceptual Review of Cyber-Operations for the Royal Navy". The Cyber Defense Review. 3 (3): 43–56. ISSN 2474-2120. JSTOR 26554996.
  9. ^ a b Taylor, Clark; Arias, Pablo; Klopchic, Jim; Matarazzo, Celeste; Dube, Evi (2017). "{CTF}: {State-of-the-Art} and Building the Next Generation". {{cite journal}}: Cite journal requires |journal= (help)
  10. ^ Bashir, Masooda; Lambert, April; Wee, Jian Ming Colin; Guo, Boyi (2015). "An Examination of the Vocational and Psychological Characteristics of Cybersecurity Competition Participants". {{cite journal}}: Cite journal requires |journal= (help)
  11. ^ a b "CSAW Capture the Flag". CSAW. Retrieved 2022-11-02.