To a gamer, the phrase “Capture The Flag” might bring to mind several first-person and third-person shooter games where the objective is to capture the opponent’s flag to establish dominance and win points to attain victory. I would be lying if I said that was not my first encounter with the phrase “Capture The Flag”, and even though I no longer frequently game, I have very fond (if not violent) memories of the genre. However, given that this article is in the cybersecurity section, one might be led to think that “Capture The Flag” likely has to do with something else (unless it’s about hacking into shooter games, but that’s a topic for another day). In fact, one would be right!
Imagine a hacking competition where you have to break into systems and exploit vulnerabilities. To stress, I do not mean “hackathons”, which, despite the pretentious name, are coding competitions or other generic tech competitions far removed from real hacking. These actual hacking competitions are called CTFs. What is the rationale behind such a name? After you have successfully compromised the target system in a challenge, you find a string of text called a “flag”, which you then submit to the competition server as “proof of hack” to get credited for completing the challenge. Capturing “flags” across challenges is what gives CTFs their name.
Kinds of CTFs
CTFs come in a variety of flavours. They could be conducted as an on-site event or as a large-scale online event. They could be an individual CTF, a team-based CTF with a cap on team size, or a team-based CTF with no upper limit on team size.
They typically run for 24 or 48 hours and feature challenges from a variety of cybersecurity categories, the common ones being Cryptography, Digital Forensics, Reverse Engineering, Binary Exploitation, and Web Exploitation.
There are many other categories which one finds in CTFs nowadays which cover several new and important technologies in cyberspace, including but not limited to Cloud Security, Blockchain Security, Zero-Knowledge Proofs, Post-Quantum Cryptography, Game Hacking (and I shall now resist my temptation to connect cybersecurity CTFs with shooter CTFs), and many more.
A CTF is characterised by more than the categories of challenges it provides; CTFs also come in different formats. The most popular format is called “Jeopardy CTF”, named after the famous American game show. You are explicitly presented with various categories and several challenges in each category, and you can pick and choose which one you want to solve and when you want to solve it. There is no restriction on parallelism: you can work on several challenges simultaneously. The other common format is Attack-Defense, where every team runs the same set of vulnerable services and must keep its own services patched and running while exploiting the other teams’ copies to steal their flags.
Why CTFs?
CTFs often feature real vulnerability classes, and exploring them provides very practical hands-on experience with recognising, exploiting, and patching insecure systems.
They teach a budding cybersecurity enthusiast where to look for security bugs and how those bugs can be exploited to inflict maximal damage. The same recognition also helps them patch insecure software before malicious threat actors can attack it.