Ten Years of iCTF: The Good, The Bad, and The Ugly


Giovanni Vigna, Kevin Borgolte, Jacopo Corbetta, Adam Doupé, Yanick Fratantonio, Luca Invernizzi, Dhilung Kirat, Yan Shoshitaishvili


, August 2014


Security competitions have become a popular way to foster security education by creating a competitive environment in which participants go beyond the effort usually required in traditional security courses. Live security competitions (also called “Capture The Flag,” or CTF competitions) are particularly well-suited to support hands-on experience, as they usually have both an attack and a defense component. Unfortunately, because these competitions put several (possibly many) teams against one another, they are difficult to design, implement, and run. This paper presents a framework that is based on the lessons learned in running, for more than 10 years, the largest educational CTF in the world, called iCTF. The framework’s goal is to provide educational institutions and other organizations with the ability to run customizable CTF competitions. The framework is open and leverages the security community for the creation of a corpus of educational security challenges.

  title     = {{Ten Years of iCTF: The Good, The Bad, and The Ugly}},
  author    = {Vigna, Giovanni and Borgolte, Kevin and Corbetta, Jacopo and Doupé, Adam and Fratantonio, Yanick and Invernizzi, Luca and Kirat, Dhilung and Shoshitaishvili, Yan},
  booktitle = {Proceedings of the 1st USENIX Summit on Gaming, Games and Gamification in Security Education (3GSE)},
  date      = {2014-08},
  edition   = {1},
  editor    = {Peterson, Zachary N. J.},
  location  = {San Diego, CA},
  publisher = {USENIX Association},
  url       = {https://www.usenix.org/conference/3gse14/summit-program/presentation/vigna}