Not just a game: Why Capture the Flag matters

Kids play Capture the Flag on the playing field – you have two teams that have their own coloured flag, a designated territory for each team, and then you have to try and sneak into the other team’s territory and retrieve their flag. 

In cybersecurity, Capture the Flag (CTF) competitions work in pretty much the same way. A piece of information is hidden somewhere in the target environment, and participants have to try and find it. In 2020 there were over 879 cybersecurity CTF events globally, according to the European Union Agency for Cybersecurity; and they’ve become an important driver of cybersecurity talent development and community building. 

Two key types of CTF challenge

The first is jeopardy CTFs. In these events, participants compete to solve a series of IT security challenges that cover a range of different skill sets – including digital forensics, web application security, steganography, cryptography, reverse engineering, and more. 

Each challenge is assigned a point value, and the team with the most points at the end of the CTF is the winner. 

The second type of CTF is attack-defence. In this format, each team or participant is assigned a virtual machine or network to defend – but their system also has vulnerabilities that other teams can locate and exploit. So you attack other systems at the same time as defending yours, by finding and patching your own vulnerabilities. 

It’s a game – why is it so important? 

We recently interviewed Heba Farahat (Senior Cybersecurity Consultant at Liquid C2), and she told us that she co-led the organisation of CTF competitions in the MENA region, at the WiCSME conference, for two years. 

“I believe that CTFs offer one of the most effective ways to learn about cybersecurity in a gamified manner,” she said. 

“For that purpose, I actively participated in CTFs at the start of my career, and my team ranked among the top 5 in several regional competitions. Eventually, I transitioned from the player seat to the driver seat, aiming to help more people enhance their cybersecurity skills. Over the years, the number of participants doubled, attracting players from 15 different countries, with women comprising over 60% of the participants.” 

Within the CTF experience, participants gain access to a whole spectrum of benefits, including: 

• Learning in a risk-free environment. You get to learn and test real-world cybersecurity skills, but not actually in the real world. There are no terrible consequences if you get it wrong, or you don’t work fast enough, or you’re nearly there but not quite accurate enough.
  
• Developing technical skills. Many cybersecurity professionals say CTF is one of the best ways to learn and develop technical skills – because it’s a chance to put academic and theoretical knowledge to the test in real problem-solving challenges.
  
• A powerful experience of teamwork. Most CTF challenges use teams, so participants have to work together to solve complex problems and move through different layers of the challenge. This experience can be hugely important in helping talented cybersecurity professionals learn how to work collaboratively – and that’s a critical skill in this sector.
  
• A chance to meet mentors and potential employers. CTF has become a networking opportunity for cybersecurity professionals, and it also allows less experienced talent to showcase their skills; attracting potential employers who are there to headhunt. 

Capture the Flag cultivates the values that cybersecurity needs 

Here’s the thing: it’s not just about skill and talent and getting jobs. At its core, CTF does something pretty special for the cybersecurity industry: it cultivates the values that cyber really needs.

Farahat said it perfectly: “It's a voluntary commitment; unlike typical work, where the aim is promotion or rewards from superiors. Rather, it is fueled by a sense of responsibility towards the community and an intrinsic motivation to assist and uplift others.” 

Capture the Flag helps to build a cybersecurity culture that can carry us into the future with motivated, collaborative professionals who care about their work. It instils responsibility, and a genuine desire to protect – and those values will enable a robust security ecosystem as we move through time and encounter new challenges. 

So we think CTFs are pretty great. Tell us in the comments: has Capture the Flag been a part of your career development?