What is Capture the Flag

A primer on Capture the Flag


Capture the Flag competitions can come in several forms, but most commonly refers to challenges where players use techniques to exploit vulnerabilities to “capture” or reveal flags which are hidden from plain view. The practice of CTF’s helps to develop deep understanding of computer’s, computer networking, software, open source intelligence, and more. There are several different types of CTF events including boot2root, Jeopardy, Attack-Defense, OSINT, and mixed. Each type requires the use of slightly different skill sets, and can vary on exact format.

The many faces of CTF

When it comes to actually competing in a CTF competition, there are a wide variety of topics that can be choose. Many CTFs are focused on challenges in information technology security, others do not require technical knowledge at all. Level of interaction with others also differs depending on the type of CTF. A Jeopardy competition hosted by a University might be held in large open auditoriums with hundreds or thousands of participants. Some jeopardy competitions are entirely virtual, and teams can decide to meet in small group to compete or work on challenges in a remote setting. Length of competitions can also vary. The National Collegiate Cyber Defense Competition holds a championship CTF which takes place for 16 hours over the course of two days. In contrast, Boot 2 Root challenges have no expected time frame, and can be completed at the players leisure.

National Collegiate Cyber Defense Competition

The National Collegiate Cyber Defense Competition (CCDC) is an annual competition which offers a chance for college and post secondary students to compete against one another in an attack/defense style CTF competition. It is often regarded as the cornerstone of CTF competitions at the collegiate level, and a goal for many college teams to get a chance to compete for. It is hosted by The Center for Infrastructure Assurance and Security (CIAS) at The University of Texas at San Antonio. It's format is a two day long defense scenario in which teams of 12 must protect essential application services from being taken offline by seasoned industry experts.

Scoring will be based on keeping required services up, controlling/preventing un-authorized access, and completing business tasks that will be provided throughout the competition. Teams accumulate points by successfully completing injects and maintaining services. Teams lose points by violating service level agreements, usage of recovery services, and successful penetrations by the Red Team. ~ NCCDC

Google CTF

In addition to Universities, many companies host CTF competitions. Google's CTF consists of an online qualification event as well as an in-person event where competitors can win prizes totaling over $30,000. Challenge categories range from hardware and cryptography, to reverse engineering and web exploitation. Common to many events, Google's annual challenge features a live scoreboard for teams to track their progress, and scout the competition

Google CTF Leaderboard

Trace Labs OSINT CTF

Unlike other CTFs Trace Labs competition is non-theoretical. Each competition uses actual information for ongoing missing persons cases. Teams gain points by conducing open source intelligence to produce leads on cases for law enforcement

This OSINT CTF is non-theoretical where contestants work in teams of up to 4 members to crowdsource the collection of OSINT to assist law enforcement in generating new leads on missing persons. In the information security community, a typical CTF will be of a technical nature where “flags” are hidden within pre-configured servers/virtual machines that contestants have to obtain using hacking techniques to gain points. The Trace Labs OSINT CTF differs from this by having different flag categories based off pieces of information that law enforcement would look to gather to aid in a missing persons case. ~Trace Labs


With thousands of live or virtual CTF events happening each year, there are many opportunities to get involved. With the addition of always-on events like over