We're glad to see that you're interested in competing with us as part of the Collegiate Penetration Testing Competition (CPTC)! At its heart, CPTC is a bit different from several other collegiate Cybersecurity competitions. Instead of defending your network, searching for flags, or claiming ownership of systems, CPTC focuses on mimicing the activities performed during a real-world penetration testing engagement conducted by companies, professional services firms, and internal security departments around the world.
Each year our volunteers and sponsors develop a mock organization which is seeking penetration testing services. During the competition, you - the student teams, play the role of a consulting firm that is providing this test to our organization. We will develop background information, employees, organizational policies, Internet services, and a network that will be used as part of the testing. Each team will be provided with a completely identical but separate and segmented environment to perform their testing. Just as with a real-world pen-test, you will be asked to provide deliverables, presentations to company management, and recommendations on vulnerabilities discovered during your test. Teams will be scored not just on the technical vulnerabilities discovered, but also on their professionalism and communication skills. We will have members of the company IT team and management on-hand during the competition to answer any questions that you may have or issues that may arise during your testing of our network.
CPTC begins with a set of regional competitions that will occur in the fall of each year. During these regional competitions, teams will compete using identical environments with other teams from around the nation. The test environment will be coordinated nationally to ensure that all teams across all regions will have the same environment. The top team from each region will advance to the national competition. Furthermore, the highest ranked teams at-large from across all regional competitors will also advance, creating a national competition of ten teams total.
We have included a general timeline of activities below. If you have further interest please don't hestiate to contact members of our advisory board or any of our regional coordinators. If you're interested in competing in one of our regional competitions, please sign up here and we'll be in touch!
During the fall, competitions will be held in several regions simultaneously. All regional teams will be provided access to a corporate environment (separate for each team across the country) to identify vulnerabilities. The winners from each region, as well as the top ranked teams from all nationwide competitors, will advance to the National Competition.
Reporting and Results
Teams will be expected to develop a report as a "professional services firm" that has provided a penetration test to a ficticious organization developed for CPTC. Reports will be scored and winners from each region will be announced simultaneously at the nationally-coordinated regional awards ceremony.
Request for Proposals
Four Weeks Before Nationals
Similar to the scope of a real-life professional penetration assessment, teams will be asked to develop a proposal for the ficticious company. Four weeks before the competition, an RFP will be sent to each team to provide pre-competition information.
Three Weeks Before Nationals
A audio conference call will be held with members of the ficticious company, in character, allowing teams to ask questions in support of their proposal to the organization.
One Week Before Nationals
Proposals for teams will be due one week before the beginning of the competition
After spending some time getting to know each other, each team will individually have an opportunity to lead, in character, an entrance meeting with the leadership of the ficticious company.
Teams will be provided access to the "corporate network" and allowed to begin their penetration tests. Throughout the day the teams will have the ability to work with the fictious company IT team, test the systems for vulnerabilities, and work to document their issues.
Report and Exit Meetings
During the morning of day three, teams will both deliver a drafted report as well as a live presentation to leadership of the ficticious company. After judging is completed by company leaders, winners will be announced.
Sponsor Summit and Industry Presentations
During the morning, while other teams are presenting to company leadership, students will have the opportunity to network with sponsors (bring your resumes!) and listen to presentations from various industry leaders and volunteers.
Can our some, or all, of our team participate remotely?
Our team (or some members) need to leave early or arrive late, is this allowed?
If one of the members that we register gets sick or cannot make the event, can we substitute another student?
Are graduate students allowed on the team?
One of our members is uncomfortable signing the CPTC participation agreement, does that disqualify our whole team?
Do we have to have a coach?
If our team or member gets disqualified, is there an appeals process?
What sort of activities might disquality our team or members?
What does "ROE" stand for and what does it mean?
What does "scope" mean?
How will we be scored and winners selected?
What does our penetration testing system contain?
Will we have Internet access during the competition?
Can we use our own systems to perform the testing?
What kind of tools can we download or use?
Teams will be allowed to customize their testing systems by using any publically available tools. This means that anything which can be freely downloaded without requiring a signup or account may be used. Although real-world penetration testing firms may have proprietary tools they use, the spirit of this rule is to keep the testing environment level for all teams. For example, the following tools would be allowed:
- Scripts or programs downloaded from publically available, well known github repositories
- Executables available for direct download from a company website
- Binaries included within the repositories of major operating systems and distributions
- Tools or scripts found within the "client" networks
The following forms of tools would not be allowed:
- Items stored on private repositories or those made public but unknown or obfuscated, bypassing the "public" requirement
- Tools requiring signing up for an account on a vendor's website, even if anyone is allowed to create an account
- Scripts pre-generated by teams and placed on Internet storage locations, even if public
If you are unsure if you are allowed to use a specific tool, please contact the White Team.