Tim Harmon is a Cisco Champion, an elite group of technical experts who are passionate about IT and enjoy sharing their knowledge, expertise, and thoughts across the social web and with Cisco. The program has been running for over four years and has earned two industry awards as an industry best practice. Learn more about the program at http://cs.co/ciscochampion.


Welcome to the Cyber Security Capture the Flag (CTF) Series. This series is about how to develop and host a cyber security CTF and how to do it well. As from my previous blog (Cyber Security Capture the Flag (CTF): What Is It?”), cyber security CTFs are used to keep security professionals and students up-to-date with their skills in the cyber security industry. They are also used to determine what areas of security that professionals need to work on. There is a process in developing and hosting a CTF and this should help anyone who is interested in developing and hosting their own cyber security CTF. It is recommended that you have some experience in at least participating in CTFs before you develop and host your own CTF.

The first and most important phase of developing and hosting a CTF is the planning phase. Planning, or lack thereof, can make or break the event as there may be some delays on implementing the CTF due to situations arising from not enough planning. I know this from experience as my team did not plan enough and we had to figure out a backup plan to get the CTF to be ready. We ended up pushing the CTF back one week but it became a success anyway.

This phase consists of several decisions based on the answers to the who, what, where, when, why and how questions. There can be a few to a lot of questions for each section and all questions for the even should be at least attempted to be answered. Any question left unanswered can cause problems later on in the process. In this section, I will pose some of the questions that can be used.


  • Who is the target audience for the CTF?
  • Who, if any, are the sponsors of the CTF?
  • Who will promote the CTF in order to gain participants?
  • Who will secure the venue and equipment?


  • What type of CTF will this be? Jeopardy-style, attack-defend or hybrid?
  • What equipment do we need for the CTF?
  • What will the participants need to bring?
  • What categories are going to be in the CTF?
  • What types of challenges will there be?
  • What will the scoreboard be?


  • Where are we going to host the CTF?
  • Where are the participants going to plug their laptop in? (if they need them)


  • When are we going to have the CTF event?
  • When are we doing a run-through of the CTF before the actual event?


  • Why are we hosting this CTF event?
  • Why are we using this software over that other software?


  • How are we going to secure a venue?
  • How are we going to get participants?
  • How is the scoreboard going to be set up?
  • How is the CTF going to be implemented?
  • How are the participants going to access the scoreboard?

After all of these questions are answered, the group will need to start developing the several documents that need to be filled out before anything else can happen. These documents include a Project Proposal, Design Document, Work Breakdown Structure (WBS), Rules of the CTF, Participant Sign-up, Pre-CTF participant survey, Post-CTF participant survey and CTF marketing flyers. Some of these documents can be worked on during the Developing stage. These include the Participant Sign-up, Pre and Post-CTF surveys and the flyers.


Cyber Security Capture the Flag (CTF) Series 01

Figure 1 – Screenshots of Design Document, Project Management Plan, Rules of Play and Sign Up

The Design Document, Project Management Plan and the WBS are very important documents that need to be completed as soon as possible because these documents help the process of getting the CTF to be successful. The Design Document includes what the layout of the CTF will be with the equipment at the venue. It will also include what the rules of play are and it will detail how the scoring system will be used. As you can see in the Figure below, my team’s network diagram changed throughout the process as we ran into some problems and could not get the attack-defend CTF to work so we decided it was going to be a Jeopardy-style CTF. We originally had it be two teams for the attack-defend but changed to four teams in the Jeopardy-style. Our CTF was held at Coleman University in San Diego, CA and we were using their equipment. This was possible by Mr. William Reid at Coleman University.

Cyber Security Capture the Flag (CTF) Series 02

Figure 2 – Network Diagram (Original on the left, revised on the right)

The Project Management Plan consists of a summary of the project that include assumptions and constraints and the management of the scope that will include the WBS and the project schedule. It will also include risk assessment/risk management, quality management, Human Resources management and the budget. A budget is highly recommended, even if the equipment and venue is being donated, as it can show how much you could spend and how much you could save. The WBS is a schedule of deliverables and milestones that will help the group to stay on track with being ready for the CTF event. Milestones can be the completion of each phase, the execution of the event and the final write-ups. Figure 3 below is an example of my team’s WBS for our CTF event.

Cyber Security Capture the Flag (CTF) Series 03

Figure 3 – Work Breakdown Structure for CTF

The pre and post CTF surveys for the participants to fill out can be done while the group is in the development phase as these are not the first priority and will be discussed in Part 2 (Developing) of this series. One person can create sign-up sheets for people to sign up as participants and this person can also create the flyers for the CTF event. After a date, time and location for the CTF event has been set in place, the group can start seeking participants. This can be the hardest aspect as some participants may end up not being able to make it. The sign-ups can be on paper or even online through social media or website.

You may be a little discouraged right now as there is a lot of work that needs to be done just in the planning/design phase of the CTF event. I encourage your group to not get discouraged as the hard work and dedication will pay off. You should be able to get help with the planning and design of the event through the Internet and local chapters of the professional cyber security associations. One association that was helpful with my team’s CTF was the Open Web Application Security Project (OWASP) San Diego Chapter. They held a CTF just a couple weeks before my team’s CTF and it gave us some insight. In Part 2 of this blog series, I will discuss the steps to take in the Developing phase of the CTF event.


Tim Harmon

Cyber Security & Network Professional

Cisco Champion