Creating a Good CTF Event
The Cyber Escape Room Co.
Security training that won't send you to sleep.
Capture The Flag (CTF) events are our bread and butter. And we know they can be awesome assessment tools for both current and potential employees. Not only can they be used to assess someone's technical abilities... oh no no! They're a really good tool for looking at complementary skills like communication, ability to cope with uncertainty and time pressure AND thinking outside of the box.
Not all CTFs are created equal, however. If they don’t present the right level of challenge, participants will quickly lose interest. In the process of designing a CTF, it can be easy to lose sight of what you set out to achieve. This is why we’ve outlined steps for creating a CTF with your audience and objectives in mind!
The important first step is understanding what you’d like to achieve from the event. Are you running it just for fun or as part of a skills assessment process? Is the challenge part of a recruitment process for a particular role, or is it intended for a wider audience? Are you trying to assess individual skillsets or teamwork?
It’s crucial to be clear about your objectives as these will have a huge impact on how you run the event!
It's also a good idea at this stage to consider what you want to do with the scoreboard. If your aim is to assess skills like teamwork, then showing the leaderboard might stop people talking and helping each other. When we run CTFs for recruitment events, like we'll be doing again soon with Quorum Cyber, we tend to hide the board as this reduces pressure on the players and encourages conversation amongst them.
However, in more competitive CTFs, like those we run for team building events, the gloves are off! Showing the scoreboard brings out the competitive edge in the players and encourages people to keep solving those challenges. We do tend to switch it off during the last hour so if someone has a sneaky win, we get to announce it at the end. Definitely something for you to think about!
Once you understand your objectives, it’s time to decide the type of challenges you want to create. Web app hacking? OSINT? Steganography? Blockchain? These categories suit very different skillsets and the ones you choose to include in your event will depend on what you’re looking to achieve.
We usually include a wide range of challenge types to make events accessible to everyone. Hosting an event where everyone can find something they love is always a bonus.
Just remember, if you’re targeting a non-technical audience, make sure to incorporate challenges such as Trivia, OSINT or code cracking. The last thing anybody wants is a challenge that nobody can solve or, even worse, a challenge that nobody is motivated to keep trying to solve!
Now it’s time to start planning a challenge. List the steps that the challenge will involve, as well as the skills each step will enable participants to demonstrate. This will help to ensure participants are given an opportunity to demonstrate all the skills you want to see. It’s also important to consider which tools the players will require during the challenge, and whether or not they’re publicly available.
Sharing a list of the tools required to complete your challenges is always a great way to ensure people turn up prepared and ready to go! On the other hand, if you want to limit the tools people can use, ensure you've outlined this early on.
Let’s get creating!
This is often the most difficult part of the process. We recommend creating the challenge in small steps. That way, if you make a mistake, you won’t lose as much time. Or as much of your mind.
At this stage, the question to consider throughout is whether the challenge makes sense. It’s easy for the challenge to become confusing, so make sure you stick to your plan!
Now it's important to ensure that the challenge works as intended. The best way to test this is to set up the challenge as the participants would receive it and give it to someone who has not seen the challenge before.
Upload your assets (if required) and get them to play along!
Does the challenge make sense to the participant? Do the descriptions and hints make sense? Issues with flag submissions are the most common ones we find during a live event so ensuring you've tested them all, removed any trailing spaces, etc. will help your event run more smoothly. Take all the feedback here, and make changes if required.
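One way to run the flag check described above before the event, as an added example (not code from The Cyber Escape Room Co.): it assumes a `CTF{...}` flag format and a constructed challenge-to-flag mapping, and applies the same normalisation to stored flags and to player submissions.

```python
import hmac
import re
import unicodedata

# Assumed flag format for this example; use whatever your event announces.
FLAG_RE = re.compile(r"CTF\{[A-Za-z0-9_\-]+\}")


def normalise(flag: str) -> str:
    """Canonical form applied to stored flags and to player submissions."""
    # NFKC folds look-alike characters pasted from rich text (e.g. full-width
    # braces); strip() drops leading/trailing spaces and newlines.
    return unicodedata.normalize("NFKC", flag).strip()


def lint_flags(flags: dict) -> list:
    """Return a list of problems in the organiser's challenge -> flag mapping."""
    problems, seen = [], {}
    for name, raw in flags.items():
        clean = normalise(raw)
        if raw != clean:
            problems.append(f"{name}: stray whitespace or non-canonical characters")
        if not FLAG_RE.fullmatch(clean):
            problems.append(f"{name}: does not match the announced format")
        if clean in seen:
            problems.append(f"{name}: same flag as {seen[clean]}")
        seen.setdefault(clean, name)
    return problems


def check_submission(submitted: str, stored: str) -> bool:
    """Case-sensitive comparison after normalising both sides."""
    return hmac.compare_digest(normalise(submitted).encode(),
                               normalise(stored).encode())


# Constructed sample data, not flags from any real event.
FLAGS = {
    "web-100": "CTF{sql_is_fun}",
    "osint-50": "CTF{found_the_office} ",  # trailing space
    "stego-150": "ctf{hidden_pixels}",     # wrong-case prefix
    "trivia-10": "CTF{sql_is_fun}",        # accidental duplicate of web-100
}

if __name__ == "__main__":
    for problem in lint_flags(FLAGS):
        print(problem)
```
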
Repeat several times until you have a ton of tantalisingly testing challenges for your players and then you're ready to go!
If you’ve followed the steps so far, we’re pretty sure you’ll have a great CTF event. If you’d like to learn more about how we can help your organisation with brilliant CTF events, training and development, and more... get in touch with us on [email protected] or drop a line to Amy Stokes-Waters or Shaun!
SOC Engineer | OSCP Student
2 years ago
This is really helpful for making a wee challenge for the December CTF :D thanks for writing this :)