April 15, 2021 | 9 minute read
Cybersecurity competitions are an opportunity for cybersecurity trainees, students, professionals, and even enthusiasts to get their feet wet in an environment that mimics real-world vulnerabilities, threats, and attacks. Within the realm of cybersecurity competitions, there are in-person and online security Capture the Flag (CTF) contests, security-oriented hackathons, and sponsored national cyber events that serve as pathways for youth in STEM, collegiate-level learners, and those seeking employment. Likewise, the physical or virtual grounds of these events have been reliable solutions for recruiters and companies sifting out the best and brightest talent. “Competitions and contests give organizations an opportunity to circumvent the usual rat race of hiring processes.” (Swinhoe, CSO Online)
Many of the federally funded and sponsored competitions include high-stakes prizes and offer great exposure when looking to land an internship, apprenticeship, or job. There are also competitions and CTF contests organized specifically for young girls, or women in security, to continue to foster female talent and encourage more women to enter and be promoted, with pay equity, in male-dominated STEM arenas like cybersecurity.
Among the many benefits to the industry, what organized competitions do for society in general is create the perfect setting for practicing teamwork. Real-world attack scenarios that thousands of organizations face daily require a team that can quickly pool its best resources and work together to respond to an attack successfully. You may be an excellent hacker, but if you don’t have the soft skills to be able to work with other people to solve a problem, there’s a gap in your overall skills. “The companies that hire cybersecurity specialists often require them to be team players and comfortable working with people from different departments or those with alternative perspectives.” (Matthews, Security Boulevard) Cybersecurity competitions are the closest thing, outside of the job, to getting hands-on experience with a security team, and are great practice for building certifiable skills outside of the classroom.
Capture the Flag (CTF) Contests
“A capture the flag (CTF) contest is a special kind of cybersecurity competition designed to challenge its participants to solve computer security problems and/or capture and defend computer systems. Typically, these competitions are team-based and attract a diverse range of participants, including students, enthusiasts, and professionals. A CTF competition may take a few short hours, an entire day, or even multiple days.” (Crump, dev.to)
“Capture-the-flags present the ideal environment to learn about security-centric techniques and the ways to turn a hypothetical exploit into practice.” (Pavursec)
CTF events can be virtual or physical, and can last anywhere from an hour to 3 days. There are three different styles of CTF contests: Jeopardy, Attack vs. Defend (aka Red vs. Blue), and a hybrid of the former two. Topics covered in CTF contests include Binary Exploitation, Cryptography, Forensics, Linux Security, Malware Analysis, Reverse Engineering, Steganography, Web Exploitation, and much more.
“Hackathons are an incredible way to bring your community together to learn new skills, build amazing projects, and share ideas. A hackathon is best described as an “invention marathon”.” (mlh)
“Hackathons are a collaborative event that gives ethical hackers, also known as white hat hackers, the opportunity to test and expose a company’s network vulnerabilities. These competitions look beyond immediate threats to vulnerabilities unknown to companies all together.” (CareersinCyber)
A hackathon is typically a 1-3 day (sometimes longer) marathon in which a broad spectrum of professionals, such as developers, programmers, engineers, designers, project managers, innovators, and creatives, collaborate to solve a problem or invent something new. This type of team-oriented competition is applied across many different fields of interest. For the purpose of cybersecurity, which requires speed, agility, and innovation, there’s a lot that can be accomplished and learned by attending hackathons.
Below, we’ve pulled together a list of information on annual/biannual cybersecurity competitions, CTFs, and other resources you should know about.
The President’s Cup Cybersecurity Competition was first established in 2019, and is a national cyber event that aims to identify, challenge, and reward the best cybersecurity talent in the federal workforce. The individual and team challenges presented to competitors focus on areas of the NICE Framework, with three rounds, each increasingly difficult. The competition functions in an entirely live environment, with interactive updates in the form of news highlights and social media notifications. In this environment, scenarios are constantly changing, mimicking real-world cybersecurity work.
Who can participate?
Employees of the United States Federal Government executive departments and agencies, uniformed service members, and drilling members of the United States military. *Government contractors are not permitted to participate.
The NCL Cybersecurity Competition is a biannual competition, held in the Spring and Fall. The National Cyber League was founded in 2011 by a group of like-minded cybersecurity academics who sought to create a safe, inclusive, and innovative environment for students to apply what they’ve learned about cybersecurity to real-world scenarios. The NCL biannual games are powered by a partnership with Cyber Skyline, a cloud-based cybersecurity skills evaluation platform where students can practice their cybersecurity skills. To continue their work promoting cybersecurity careers, NCL partnered with CompTIA, who now offer prep sessions to NCL players preparing for the games.
Who can participate?
At least 13 years old and enrolled in a US high school, collegiate institution, apprenticeship, or academic boot camp. *NCL is currently only available to residents in the United States and its territories.
The CyberPatriot National Youth Cyber Defense Competition is the world’s largest youth cybersecurity competition. The competition challenges teams of high school and middle school students to find and fix cybersecurity vulnerabilities in virtual operating systems. CyberPatriot is designed to accommodate all students, even without prior cybersecurity knowledge. While the majority of the competition is hosted online, the top winning teams eventually advance to an in-person National Finals Competition.
Who can participate?
Open to all international schools (middle and high school) and approved youth organizations.
$205 for Open Division high school teams, $165 for Middle School division teams. Fees waived upon request for all Title I schools and all-girls teams. Fees automatically waived for JROTC, Civil Air Patrol, and Naval Sea Cadet Corps teams. *20% discount to teams created and registered before July 1st, for the 2021-2022 season (registration dates April 1 - October 5, 2021).
In 2004, a group of students, educators, government and industry representatives founded the National Collegiate Cyber Defense Competition. Their goals were to provide a template for any educational institution to build a cybersecurity exercise, provide structure for competition among schools of all sizes and resources, and motivate continued opportunity for practical experience in information assurance. The NCCDC focuses on the operational aspect of managing and protecting an existing network infrastructure. Their partnership with Raytheon provides a variety of specialized technical resources and employee volunteers to help with the competition.
Who can participate?
Full-time students of the US collegiate institution they are representing
If any, depends on region of US
CyberStart America, sponsored by the National Cyber Scholarship Foundation and SANS Institute, continues the work of Girls Go CyberStart. Girls Go CyberStart is a program designed to close the gender gap in cybersecurity, through which over 30,000 high school girls discovered the exciting world of cybersecurity in just 3 years. CyberStart America aims to further that work by addressing the skills gap in the US through their CyberStart games, and has 2 million dollars in scholarship prizes for registered students who play and advance to the National Cyber Scholarship Competition.
Who can participate?
At least 13 years old and enrolled in a US public, private, or DoDEA secondary school (or homeschool equivalent)
Cybersecurity Awareness Worldwide is proudly organized by the NYU Center for Cybersecurity. It is the world’s largest student-run cybersecurity games and conference, featuring 10 hacking competitions, including their flagship CSAW CTF event. Final competitions are organized in the US-Canada, India, France, Israel, Mexico, and the United Arab Emirates. Contests are created to initiate research into areas of cybersecurity that have yet to be explored.
Who can participate?
In North America, competitors must be students enrolled in an undergraduate or graduate degree program in the United States or Canada
USCC is a national program focused on identifying and developing cybersecurity talent to meet the country’s critical cybersecurity workforce needs. They offer a series of online competitions throughout the year, called Cyber Quests, that serve as qualifiers to be invited to attend one of their prestigious Cyber Camps (with CTF event as the finale). Each quest features an artifact for analysis, along with a series of quiz questions. Quests are tailored by skill level, ranging from beginner to advanced material.
Who can participate?
At least 18 years old and a US resident
picoCTF is the largest cybersecurity hacking contest for US middle and high school students, founded by a group of students and faculty at Carnegie Mellon University. Challenges presented cover these 6 domains of cybersecurity: general skills, cryptography, web exploitation, forensics, reversing, and binary exploitation. Players must reverse-engineer, break, hack, decrypt, and think creatively and critically to solve the challenges and capture the digital flags.
Who can participate?
At least 13 years old and enrolled in a US middle or high school
Originally founded in 1993, DEF CON is one of the oldest and largest hacker conventions, held annually in Las Vegas. The highlight of the annual convention is the cut-throat competitive CTF contest, which under normal conditions is in-person. The teams who make it to DEF CON are selected through pre-qualifying CTF events, described by the Order of the Overflow, here.
Shmoocon is an annual 3-day hacker convention, held in Washington, D.C. During this convention, the RF Hackers Sanctuary (formerly known as Wireless Village) hosts its Wireless CTF contest, which focuses on radio communications, i.e. hacking WiFi, Bluetooth, and Software Defined Radio (SDR). This CTF welcomes players of all levels, from inexperienced to advanced, and is also typically held in-person.
The first annual Silicon Valley Cybersecurity Conference was held virtually in 2020, established by the Silicon Valley Cybersecurity Institute (SVCSI), a non-profit organization that aims to develop, investigate, and promote the best security practices for dependable and secure systems and applications. The conference organized two IoT cybersecurity hackathon events for currently enrolled students, one for network security, and the other for blockchain security.
Below is a quick list of additional resources for finding more live, upcoming, and past CTFs, as well as security-focused Hackathons.
Skills, Skills, Skills
This is just a start. There are so many more competitions and resources out there that we did not include in this list. In fact, a number of large tech companies and corporate entities have begun establishing their own competitions. With so much at stake, including the U.S. infrastructure and national security, we need more competitions and events for those with the willingness and determination to keep honing their skills. An interest in cybersecurity can start at a very young age, or well into adulthood. It is the responsibility of the industry, federal government, educational providers, and stakeholders to nurture this growth at every stage, continue to promote diversity, make learning cybersecurity accessible, provide inclusive and safe environments for all to practice their cybersecurity skills, and award the winning talent. The workforce development work already done by sponsors, academics, government, and organizations is inspiring, but there’s still much more we can do.
CyberKnights is a workforce development tool that provides a skills-centric portal, where individuals, educators, and employers can all learn to utilize the NICE Framework for the purpose of assessing, developing, and retaining new and existing cybersecurity talent. It is designed to seamlessly complement cybersecurity initiatives or programs, and features visual navigation of the framework. Individuals find out what Knowledge, Skills, and Abilities (KSAs) and soft skills they have by completing soft and/or hard skills assessments. They can also map out their career journey scenarios for different cybersecurity work role destinations beginning-to-end, discover certification classes and related KSAs, and view opportunities aligned to KSA-focused Skills Postings from employers. Employers assess and identify skills gaps in their organization, search and match to talent, post opportunities, view cybersecurity training courses and curriculum mapped to KSAs, and more. Academia can map their cybersecurity curriculum to KSAs, track students’ progress, and discover what skills employers are looking for.