What Is a CTF? Capture the Flag Hacking Competitions Explained

CTF stands for Capture the Flag. In a security context, it's a competition where participants solve hacking challenges to find hidden strings called flags — typically formatted like FLAG{some_text} — and submit them for points. The team or individual with the most points at the end wins.

CTFs are where most working security professionals got their start. They compress years of learning into weeks of focused, competitive problem-solving. They're also free, legal, and completely safe — every challenge runs in an isolated environment built for the purpose.

How CTF challenges work

Each challenge is a self-contained puzzle. You're given a target — a web app URL, a binary file, a packet capture, a cryptographic ciphertext — and your job is to find and exploit the vulnerability to retrieve the flag.

A simple web challenge might look like this: you get a URL to a login page. The username field is vulnerable to SQL injection. You inject admin'--, bypass authentication, and the dashboard shows you the flag. Submit it. Points.

Harder challenges require chaining multiple techniques — an XSS vulnerability that lets you steal an admin's cookie, which you then use to access an API endpoint that leaks a file path, which contains a binary you have to reverse engineer to extract the flag. Each step builds on the last.

The main categories of CTF challenges

• —Web — web application vulnerabilities. XSS, SQLi, IDOR, SSRF, authentication bypass, SSTI. The most accessible category for beginners and directly applicable to bug bounty.
• —Forensics — analysing files, disk images, memory dumps, network captures. Finding hidden data, recovering deleted files, examining packet traffic for credentials.
• —Cryptography — breaking weak encryption, exploiting implementation flaws, recovering keys from mathematical properties. Ranges from Caesar ciphers to real cryptographic attacks.
• —Reverse Engineering — analysing compiled binaries to understand what they do without having the source code. Using tools like Ghidra or IDA Pro.
• —Binary Exploitation (Pwn) — exploiting low-level memory vulnerabilities in compiled programs. Buffer overflows, format string bugs, heap exploitation. The steepest learning curve.
• —OSINT — open source intelligence. Finding information from public sources. Geolocation from photos, finding people from usernames, tracing digital footprints.
• —Misc — everything else. Steganography, code golf, puzzle challenges that don't fit elsewhere.

CTF formats: Jeopardy vs Attack-Defence

Jeopardy-styleis the most common format. Teams solve individual challenges across multiple categories. Each challenge has a fixed point value (often scaled to how many teams have solved it — first blood is worth more). You pick your challenges based on your team's strengths. This is the beginner-friendly format.

Attack-Defenceis more advanced. Each team gets an identical server running vulnerable services. You attack other teams' servers to steal their flags while defending your own. It runs in real time. Your score depends on both offence and defence. This format appears at high-level competitions like DEF CON CTF.

Where to find CTFs

CTFtime.orgis the central calendar for upcoming competitions. It lists events by difficulty rating, upcoming dates, and past writeups. Sort by beginner-friendly if you're starting out.

For practice that's always available (not tied to a competition date):

• —PicoCTF — specifically designed for beginners and high school/university students. Excellent web and cryptography challenges. Free, permanent, well-maintained.
• —HackTheBox — a platform with a constantly refreshed set of machines to compromise. More infrastructure-focused than pure web, but excellent for developing a complete skillset.
• —TryHackMe — guided rooms that teach while you hack. More hand-holding than HackTheBox, which makes it better for absolute beginners.
• —CTFlearn — community-submitted challenges across all categories. Good for filling gaps in specific areas.

CTF writeups: the secret weapon

After every CTF, participants publish writeups — step-by-step explanations of how they solved each challenge. These are invaluable learning resources. Reading how someone else approached a problem you couldn't solve teaches you techniques and thought processes you couldn't get elsewhere.

The CTFtime page for any past competition links to writeups. GitHub is full of them. Search for the competition name + "writeup". Reading one good writeup per day compounds dramatically over a year.

How CTFs translate to real-world skills

The skills are direct. Web CTF challenges use the exact same techniques as bug bounty hunting: the same browser developer tools, the same Burp Suite workflow, the same thought process for finding injection points. The difference is that CTF challenges are designed to be solvable in hours, while real targets require more patience and methodology.

Forensics and reverse engineering skills translate directly to incident response, malware analysis, and threat intelligence roles. Binary exploitation maps to vulnerability research. Cryptography challenges build the intuition to spot weak crypto in real applications.

Many hiring managers at security companies specifically ask about CTF participation and ask candidates to walk through their approach to a challenge. It's a better signal of practical ability than most certifications.

Getting started this week

Register on CTFtime.org. Create a HackerOne account. Go to PicoCTF and attempt the first five web challenges. When you get stuck, spend twenty minutes thinking, then read a writeup from a previous year's version of the challenge. Understand the technique, not just the answer.

That loop — attempt, struggle, understand, repeat — is the entire method. There's no secret beyond volume of practice.