Build Those Cyber Skills: Here’s How to Host a Successful Capture the Flag Event

Jul 18, 2018
5 minutes

Experience matters when it comes to stopping contemporary cybercriminals. This advice might sound straightforward, but the real question is, “How?” How exactly do cybersecurity professionals and those new to the field get this kind of experience?

Learning to think like a hacker includes having hands-on experience – learning to do what hackers do, and using the tools and tactics they use. That provides valuable on-the-ground intelligence on how to best prevent cybersecurity breaches.

This type of hands-on experience is not part of most traditional computer science programs. However, one activity many organizations find successful is to hold capture the flag events on a regular basis for students, employees and others who may be interested. If done right, CTF events can be highly interactive sessions for participants to build a rapid understanding of how security works, and how they can stop hackers from exploiting vulnerabilities in their own environments.

Ask any member of a Red Team – the “white hat” hackers who take on the challenge of using their hacker mindset on a daily basis to stay several steps ahead of the bad guys – and that person will recommend participating in capture the flag events.


Palo Alto Networks hosted “Academy Day” in our Amsterdam office. Over 40 students from universities in six different countries participated in a CTF event. Watch highlights from the event.

What’s Behind Hosting a Successful Capture the Flag Event?

While hosting a capture the flag event requires resources and planning, the benefits of having a more security-minded workforce – and being able to introduce students and others to the fast-growing field of cybersecurity—are well-worth it. What follows are some important factors to consider when hosting a successful CTF event.


Determine the Challenge

  • It’s rare that organizations have the internal resources to dedicate to creating a capture the flag activity, such as a web app where participants can learn offensive and defensive tactics. As an alternative, there are some free challenges out there, but it’s best to seek out experienced vendors with a range of tested solutions that will work for different audiences.
  • The level of difficulty of the challenge should range from common vulnerabilities, such as SQL injection and cross-site scripting, or XSS, to more advanced cryptanalysis and cipher-cracking challenges. Don’t forget to embed vulnerabilities that reflect common business process pitfalls, such as weak password policies.
  • It is important that the target chosen for the CTF reflects real-world scenarios as closely as possible.
  • There is often confusion about the differences between capture the flag challenges and “hackathons.” Hackathons require more foundational coding and developer skills, usually to build something from scratch, while CTF challenges focus on detecting and exploiting vulnerabilities. Making this distinction clear to participants will help to set expectations about the skill level required.


Build in Learning Resources

  • Effectively managing the balancing act of competition vs. education is important to the effectiveness of a CTF event.
  • Provide participants with cheat sheets or online resources prior to the event for those who want to get warmed up.
  • Offer participants a chance to team up with others, especially if there are different backgrounds and skill levels. If there’s an opportunity to host an event for students or a mix of employees and students, you’ll see the level of learning is high!
  • At the event, schedule learning labs that are 15- or 30-minutes long to provide a deeper dive into topics of interest.
  • Employ a scoring strategy that’ll tie the team score to the number of team members who have solved each challenge, thus ensuring collaboration within the team.
  • Recruit experts, such as your information security team, to participate as mentors at the event. Their own real-life stories and insights can prove to be valuable to the participants.


Make the Event Fun and Memorable

  • Having at least one core team member with strong events planning expertise or hiring an events planner to ensure logistics run smoothly is highly recommended. Because capture the flag events are usually one or two days long, think through the details of how to handle signing in, meals and breaks, and other logistics.
  • Find a venue that will comfortably accommodate the number of expected participants. Be sure screens – particularly the scoreboard – and audio systems are set up and tested from several vantage points.
  • Use the capture the flag event as an opportunity to build brand awareness by centering giveaways, prizes and décor on a company or common theme.
  • Go one step further to uplevel the event by inviting executives and other guests to speak or just check out what CTF events are all about and how much value they can add. This additional context can reinforce the significance of a culture of learning and security for the participants.



At a Palo Alto Networks-hosted CTF event held in Santa Clara, California, participants were a good mix of employees, interns and students. One participant said, “This was an amazing experience. I have learned more than [in] any classroom. Such a great way to build community too!” Another added, “To be honest, half of the challenges were really surprising to me because I never would have thought of so many potential vulnerabilities in a site.” Watch highlights from the 2017 event.



final CTF

Palo Alto Networks interns learn and have fun at the capture the flag event hosted by the Information Security team. Watch highlights from the 2018 event. Comments from participants include:

  • “A great way to learn about offensive security."
  • “It was really fun, and I learned a lot. It's like an escape room, but you don't need to move from your chair."
  • “I like being on a team with a variety of skills.”

Subscribe to the Newsletter!

Sign up to receive must-read articles, Playbooks of the Week, new feature announcements, and more.