The first “Capture the Flag” or CTF competition occurred back in 1996 in DEFCON, one of the most important cybersecurity conferences in the USA, and the name comes from the outdoor game, where participants try to seek and find and retrieve a physical "flag". Also, CTFs still have many similarities to early "wargaming" and "king-of-the-hill" cyber security competitions. Nowadays, the CTF term encompasses a range of competition types that target a broad audience and are used for both competitive and educational purposes.
There are two main types of CTFs:
Jeopardy
The most common is a set of developed challenges explicitly created for the event. In this type of format, the players tackle each challenge individually or as a team, aiming to solve them as fast as they can. The solution is achieved upon encountering the flag. Each of the developed challenges for the CTF in jeopardy style is specialised in several areas of knowledge, such as:
- Web: for challenges centred around web security;
- Cryptography: if the focus is to break or solve by using complex mathematical algorithms related to secure data or communications;
- Reverse: if the objective is to apply methodologies and techniques to reverse applications and discover faults or malfunctions in the code;
- Forensics: when it involves a player investigating an unknown piece of data, usually determining the format of the data, and then finding or building a tool capable of reading the information and solving the challenge of getting the flag;
- Pwn: which consists of replicating attacks on vulnerable services.
These challenges might involve exploiting a piece of software with known vulnerabilities, but more commonly, they are custom-built programs designed to highlight a specific exploit. These challenges are typically solved by interacting with a remote server, often through a command line interface.
Some CTF competitions also have Physical exercises involving players who interact with real-world hardware or equipment. Examples of physical security-focused challenges include performing wiretaps of Ethernet cables, intercepting wifi traffic, and the perennial favourite of picking locks.
The second better-known type of CTF, with great adherence when competing in teams, is the
Attack-Defence (AD)
Attack-Defence, the more recent type of competition, has grown from 'wargame' activities in military and hacker communities. The competitions are very demanding because of the complexity of setting up and running events of this format and the risks of high security. Attack-Defence CTFs are more common for invitational or private events and infrequent in public events.
In an AD, CTF teams are granted access to a set of target hosts. The objective of each participant team is to seize and uphold control over as many of the target hosts as possible. In AD competitions, the challenge organisers will deploy or create a range of vulnerable services, ensuring that each target contains one or more vulnerabilities.
Teams must balance the need to attack other hosts to accumulate more points with the need to patch vulnerable services on hosts they already control - preventing other teams from compromising those hosts instead. 
ECSC2023 – 2nd Day - Attack-Defence CTF - credits: Portuguese Safer Internet Centre
To promote education, training, skills enhancement, and the identification of young talents through these competitions, the National Cybersecurity Centre (CNCS), the Instituto Superior Técnico (IST), the University of Porto (UP) and the Portuguese Association for the Promotion of Information Security (AP2SI) organise an annual national competition that encourages more students to join the world of cybersecurity.
The Cybersecurity Challenge Portugal (CSCPT) aims to bring together the ten best national talents to take part in the European Cybersecurity Challenge (ECSC), organised by the European Network and Information Security Agency (ENISA). Portugal has shown itself to be a promising country participating since 2019 in the ESCS. 
Team Portugal ECSC 2023 – Hamar Norway - credits: Portuguese Safer Internet Centre
Portugal also has a significant representation on Team Europe. This ENISA initiative focuses on training and selecting the best European talent to participate in the International Cybersecurity Challenge (ICC).
It's important to emphasise that although Portugal has some of the best talent in Europe and the world, efforts must continue to be made, and training opportunities in cybersecurity must continue to be supported.
Initiatives like these not only help to attract new talent but also help to develop skills such as resilience, problem-solving, and the ability to work under pressure and as part of a team while also putting participants' technical knowledge to the test.
In summary, the community of CTF players is increasingly emerging as a solution to the labour market challenge of a shortage of qualified cybersecurity professionals.
Find out more about the work of the Portuguese Safer Internet Centre, including its awareness raising, helpline, hotline, and youth participation services – or find similar information for Safer Internet Centres throughout Europe.
The first “Capture the Flag” or CTF competition occurred back in 1996 in DEFCON, one of the most important cybersecurity conferences in the USA, and the name comes from the outdoor game, where participants try to seek and find and retrieve a physical "flag". Also, CTFs still have many similarities to early "wargaming" and "king-of-the-hill" cyber security competitions. Nowadays, the CTF term encompasses a range of competition types that target a broad audience and are used for both competitive and educational purposes.
There are two main types of CTFs:
Jeopardy
The most common is a set of developed challenges explicitly created for the event. In this type of format, the players tackle each challenge individually or as a team, aiming to solve them as fast as they can. The solution is achieved upon encountering the flag. Each of the developed challenges for the CTF in jeopardy style is specialised in several areas of knowledge, such as:
- Web: for challenges centred around web security;
- Cryptography: if the focus is to break or solve by using complex mathematical algorithms related to secure data or communications;
- Reverse: if the objective is to apply methodologies and techniques to reverse applications and discover faults or malfunctions in the code;
- Forensics: when it involves a player investigating an unknown piece of data, usually determining the format of the data, and then finding or building a tool capable of reading the information and solving the challenge of getting the flag;
- Pwn: which consists of replicating attacks on vulnerable services.
These challenges might involve exploiting a piece of software with known vulnerabilities, but more commonly, they are custom-built programs designed to highlight a specific exploit. These challenges are typically solved by interacting with a remote server, often through a command line interface.
Some CTF competitions also have Physical exercises involving players who interact with real-world hardware or equipment. Examples of physical security-focused challenges include performing wiretaps of Ethernet cables, intercepting wifi traffic, and the perennial favourite of picking locks.
The second better-known type of CTF, with great adherence when competing in teams, is the
Attack-Defence (AD)
Attack-Defence, the more recent type of competition, has grown from 'wargame' activities in military and hacker communities. The competitions are very demanding because of the complexity of setting up and running events of this format and the risks of high security. Attack-Defence CTFs are more common for invitational or private events and infrequent in public events.
In an AD, CTF teams are granted access to a set of target hosts. The objective of each participant team is to seize and uphold control over as many of the target hosts as possible. In AD competitions, the challenge organisers will deploy or create a range of vulnerable services, ensuring that each target contains one or more vulnerabilities.
Teams must balance the need to attack other hosts to accumulate more points with the need to patch vulnerable services on hosts they already control - preventing other teams from compromising those hosts instead. ECSC2023 – 2nd Day - Attack-Defence CTF - credits: Portuguese Safer Internet Centre
To promote education, training, skills enhancement, and the identification of young talents through these competitions, the National Cybersecurity Centre (CNCS), the Instituto Superior Técnico (IST), the University of Porto (UP) and the Portuguese Association for the Promotion of Information Security (AP2SI) organise an annual national competition that encourages more students to join the world of cybersecurity.
The Cybersecurity Challenge Portugal (CSCPT) aims to bring together the ten best national talents to take part in the European Cybersecurity Challenge (ECSC), organised by the European Network and Information Security Agency (ENISA). Portugal has shown itself to be a promising country participating since 2019 in the ESCS. Team Portugal ECSC 2023 – Hamar Norway - credits: Portuguese Safer Internet Centre
Portugal also has a significant representation on Team Europe. This ENISA initiative focuses on training and selecting the best European talent to participate in the International Cybersecurity Challenge (ICC).
It's important to emphasise that although Portugal has some of the best talent in Europe and the world, efforts must continue to be made, and training opportunities in cybersecurity must continue to be supported.
Initiatives like these not only help to attract new talent but also help to develop skills such as resilience, problem-solving, and the ability to work under pressure and as part of a team while also putting participants' technical knowledge to the test.
In summary, the community of CTF players is increasingly emerging as a solution to the labour market challenge of a shortage of qualified cybersecurity professionals.
Find out more about the work of the Portuguese Safer Internet Centre, including its awareness raising, helpline, hotline, and youth participation services – or find similar information for Safer Internet Centres throughout Europe.
- youth empowerment privacy settings digital skills
Related content
- < Previous article
- Next article >
- < Previous
- Next >
Related articles
