Capture-The-Flag Competitions: all you ever wanted to know!

Back to News

The report reviews the current formats of Capture-The-Flag (CTF) competitions at a global scale. Find out how they operate and what experts recommend for designing such events.

The European Union Agency for Cybersecurity releases a report addressing the contemporary use of Capture-The-Flag (CTF) competitions around the world. It explores how these competitions work and provides a high-level analysis of the dataset of the most recent major public events. Based on the results of the findings, the report suggests recommendations for consideration in the design phase of these types of competitions.

The study comes as a complement to the Capture-the-flag events co-organised for the past five years by ENISA and the European Commission such as the European Cybersecurity Challenge (ECSC).

Download the Report

CTF competitions: what are they?

Capture-the-Flag events are computer security competitions. Participants compete in security-themed challenges for the purpose of obtaining the highest score. Competitors are expected to “capture flags” to increase their score, hence the name of the event. Flags are usually random strings embedded in the challenges.

CTFs have increased in popularity as they attract a higher number of young talents each year. They help develop the essential skills required to follow a career path in cybersecurity.

These competitions can take many forms but the most common are Jeopardy and Attack-Defence. The report specifically focuses on these two types of CTF. An explanation and analysis is developed for each of them on the format, scoring, discussion and variants.

Findings: what kind of analysis and methodology was used?

The themes used to qualitatively analyse CTF events were chosen with the objective to provide readers with sufficient information about all aspects of organising a CTF event. This analysis, therefore, explores the following elements of the competition in details:

  • entry requirements: consolidates data on age, status, qualifications, location, etc.;
  • diversity and inclusion: gender balance, socio-economic background of or ethnic proportionate representation, etc.;
  • challenge format: explores challenge categories, scoring, platform used, prizes, length of the competition, etc.;
  • competition format: analyses information on team sizes, mentors and coaches, qualifiers or parallel contests;
  • event organisation: looks at other activities organised such as catering and transport or accommodation facilities provided;
  • post-event actions: explores actions performed after the event such as challenge and solution distribution, the release of result data or subsequent publications.

What are the main recommendations

Recommendations are provided in relation to the themes and areas explored. Formats for instance should be chosen according to the audience the competition is designed for. The accessibility and lower deployment costs of the Jeopardy format make it more suitable for non-professional participants. The Attack-Defence however, being more similar to wargame formats, is better suited to professional training exercises.

The report includes recommendations covering the following areas:

  • Team requirements;
  • Team sizes;
  • Scoring and rules;
  • Parallel competitions;
  • Challenge formats;
  • Communication and media;
  • Post-event.

Who is the report intended for?

The report on CTF Events will be of particular interest to all individuals and organisations who are involved in the design of CTF competitions. It will also help participants and organisations who intend to promote such events to find valuable information on how such events are structured and made functional.

Upcoming event

ENISA will be organising the first International Cybersecurity Challenge. Security Union Vice-President Margaritis Schinas announced the preselection of players for Team EU on the occasion of his visit to ENISA on 6th May.

Background

The European Cybersecurity Challenge (ECSC) is an annual exercise, coordinated by the European Union Agency for cybersecurity. The event offers a platform for young cyber talents across Europe to gather and engage in networking over a unique opportunity to experience cooperation in trying to resolve a cybersecurity problem.

The ECSC is intended to encourage young people to pursue a career in cybersecurity, by challenging and developing the participants’ skills needed in such extreme situations and connecting them with industry.

Supported by the European Commission and EU Member States, the ECSC falls within the skills chapter of the EU Cyber Security Strategy for the Digital Decade and the NIS Directive.

Further information

ENISA press release – Vice-President Schinas announces Team EU for the first Cyber World Cup

ENISA topic – European Cybersecurity Challenge (ECSC)

ECSC website - European Cybersecurity Challenge

ENISA report - Cybersecurity Skills Development in the EU

Contacts:

For questions related to the press and interviews, please contact