Competitor Information

We're glad to see that you're interested in competing with us as part of the Collegiate Penetration Testing Competition (CPTC)! At its heart, CPTC is a bit different from several other collegiate Cybersecurity competitions. Instead of defending your network, searching for flags, or claiming ownership of systems, CPTC focuses on mimicking the activities performed during a real-world penetration testing engagement conducted by companies, professional services firms, and internal security departments around the world.

Each year our volunteers and sponsors develop a mock organization which is seeking penetration testing services. During the competition, you, the student teams, play the role of a consulting firm that is providing this test to our organization. We will develop background information, employees, organizational policies, Internet services, and a network that will be used as part of the testing. Each team will be provided with a completely identical but separate and segmented environment to perform their testing. Just as with a real-world pen-test, you will be asked to provide deliverables, presentations to company management, and recommendations on vulnerabilities discovered during your test. Teams will be scored not just on the technical vulnerabilities discovered, but also on their professionalism and communication skills. We will have members of the company IT team and management on-hand during the competition to answer any questions that you may have or issues that may arise during your testing of our network.

CPTC begins with a set of regional competitions that will occur in the fall of each year. During these regional competitions, teams will compete using identical environments with other teams from around the nation. The test environment will be coordinated nationally to ensure that all teams across all regions will have the same environment. The top team from each region will advance to the national competition. Furthermore, the highest ranked teams at-large from across all regional competitors will also advance, creating a national competition of ten teams total.

We have included a general timeline of activities below. If you have further interest, please don't hesitate to contact members of our advisory board or any of our regional coordinators. If you're interested in competing in one of our regional competitions, please sign up here and we'll be in touch!

Competition Timeline

Regional Competitions

  • Penetration Testing

    Day 1

    During the fall, competitions will be held in several regions simultaneously. All regional teams will be provided access to a corporate environment (separate for each team across the country) to identify vulnerabilities. The winners from each region, as well as the top ranked teams from all nationwide competitors, will advance to the National Competition.

  • Reporting and Results

    Day 2

    Teams will be expected to develop a report as a "professional services firm" that has provided a penetration test to a fictitious organization developed for CPTC. Reports will be scored and winners from each region will be announced simultaneously at the nationally-coordinated regional awards ceremony.

National Competition

  • Request for Proposals

    Four Weeks Before Nationals

    Similar to the scope of a real-life professional penetration assessment, teams will be asked to develop a proposal for the fictitious company. Four weeks before the competition, an RFP will be sent to each team to provide pre-competition information.

  • Bidder's Conference

    Three Weeks Before Nationals

    An audio conference call will be held with members of the fictitious company, in character, allowing teams to ask questions in support of their proposal to the organization.

  • Proposal Submission

    One Week Before Nationals

    Proposals for teams will be due one week before the beginning of the competition.

  • Entrance Meetings

    Day 1

    After spending some time getting to know each other, each team will individually have an opportunity to lead, in character, an entrance meeting with the leadership of the fictitious company.

  • Penetration Testing

    Day 2

    Teams will be provided access to the "corporate network" and allowed to begin their penetration tests. Throughout the day the teams will have the ability to work with the fictitious company IT team, test the systems for vulnerabilities, and work to document their issues.

  • Report and Exit Meetings

    Day 3

    During the morning of day three, teams will deliver both a drafted report and a live presentation to leadership of the fictitious company. After judging is completed by company leaders, winners will be announced.

  • Sponsor Summit and Industry Presentations

    Day 3

    During the morning, while other teams are presenting to company leadership, students will have the opportunity to network with sponsors (bring your resumes!) and listen to presentations from various industry leaders and volunteers.

FAQ

Can some, or all, of our team participate remotely?
No. Physical attendance by all members of your team at the event site is required to participate in the competition.
Our team (or some members) need to leave early or arrive late, is this allowed?
Yes and No. At least ONE person has to represent your team during the initial discussion with company leadership. We cannot extend the time allotted to access the infrastructure for any reason. Otherwise, we can be flexible in accommodating potential scheduling conflicts with team members provided they do not disrupt the competition.
If one of the members that we register gets sick or cannot make the event, can we substitute another student?
Yes, you can substitute another student from your team roster before the event. If the substitution occurs after regionals, this student must have been included on the team roster as an alternate.
Are graduate students allowed on the team?
Graduate students are allowed on your team as long as they are active matriculated students in a program at your university.
One of our members is uncomfortable signing the CPTC participation agreement, does that disqualify our whole team?
All team members must sign the CPTC participation agreement in order to compete. If an individual member refuses to sign the agreement, that member will not be allowed to attend and participate. The rest of the team will be allowed to attend and participate without that member.
Do we have to have a coach?
Absolutely, every team must be sponsored by an academic institution. A faculty or staff coach affiliated with the academic institution must also accompany the team to all CPTC events.
If our team or member gets disqualified, is there an appeals process?
During an actual penetration testing engagement a company can be cut from testing as a result of bad behavior, unprofessional performance, or significant business impact. This event will mirror real-life as closely as possible: appeals will not be allowed for disqualification.
What sort of activities might disqualify our team or members?
As in the real world, anything that is deemed unprofessional or a breach of the rules is potential grounds for disqualification. This includes anything deemed by the White Team to be cheating, anything illegal, attempting to circumvent the rules, as well as rude or unprofessional behaviour before or during the competitions.
Where can I find the official rules?
A copy of the official rules can be found here.
What does "ROE" stand for and what does it mean?
ROE are the rules of engagement set out by the client to limit how a penetration test is conducted. This can include limitations on the times of testing, tools that can be used, techniques that can be employed, and what happens when a test is detected.
What does "scope" mean?
The scope defines exactly what systems and services are to be tested, as well as the details on how they can be tested. Clients will often limit targets of penetration testing to ensure that business operations continue. This will often include removing sensitive systems from the testing, or limiting the targets to only specific hosts the client is concerned about. Care should be taken to ensure that all penetration testing activities remain in scope - that is, only impact the systems that are specifically designated for testing.
How will we be scored and winners selected?
At regional competitions, teams will be scored based on a combination of their conduct during the assessment and the contents of their report. This will include the technical content, issues identified, recommendations to the client, and professionalism of the deliverable. At the national competition, teams will continue to be scored on their conduct and report, but their deliverables will be extended to include a presentation and exit meeting to client leadership. It is important for teams to remember that they are to conduct themselves as a penetration testing consulting team / firm, meaning that the way they communicate, recommend changes, and respond to issues is just as important as their technical content.
What does our penetration testing system contain?
You will be provided two systems, both a Microsoft Windows workstation as well as a Kali Linux system, both with the default installation of tools that comes with each.
Will we have Internet access during the competition?
It will be dependent upon the year and the scenario; however, the penetration testing workstations will most likely have Internet access, although this is not guaranteed. Client networks and systems may or may not have varying levels of access.
Can we use our own systems to perform the testing?
Teams will be provided with penetration testing workstations and are forbidden from using their own systems or images. Furthermore, teams are prohibited from using any non-public tools on their systems. The intent of this rule is to create a fair and even playing field for all teams.
What kind of tools can we download or use?

Teams will be allowed to customize their testing systems by using any publicly available tools. This means that anything which can be freely downloaded without requiring a signup or account may be used. Although real-world penetration testing firms may have proprietary tools they use, the spirit of this rule is to keep the testing environment level for all teams. For example, the following tools would be allowed:

  • Scripts or programs downloaded from publicly available, well-known GitHub repositories
  • Executables available for direct download from a company website
  • Binaries included within the repositories of major operating systems and distributions
  • Tools or scripts found within the "client" networks

The following forms of tools would not be allowed:

  • Items stored on private repositories or those made public but unknown or obfuscated, bypassing the "public" requirement
  • Tools requiring signing up for an account on a vendor's website, even if anyone is allowed to create an account
  • Scripts pre-generated by teams and placed on Internet storage locations, even if public

If you are unsure if you are allowed to use a specific tool, please contact the White Team.

If we have licenses for commercial software can we use it during the competition?
No commercial software, unless provided by the CPTC competition to all teams, may be used during the competition.
Can we download data, logs, and results from the environment to construct our deliverables?
You will have the capability to export resources and evidence to support your analysis, presentation, and reports.
Can we work through the night to complete our deliverables?
You may work on your deliverables whenever you wish, both during and after the penetration testing time, but you must be prepared to deliver when items are due. Furthermore, access to evidence and the client network may not be available at night; be prepared before you leave or time ends.
After the RFP and bidder's conference, is there a way for us to ask further questions?
An email address for the "client" will be provided where additional questions can be submitted. All questions and answers will be anonymized with the results provided to all teams.
Will we receive feedback after the competition is completed?
Teams that would like feedback may contact the White Team to set up a feedback meeting. We are more than happy to provide feedback from judges after the fact.
How will my deliverables be judged?
For regionals, a nationwide team of judges will review reports, with scores averaged across all judges to provide a score. During nationals, two teams of judges, one for presentations and one for reports, will grade team deliverables to provide an average score for these areas.
My school is interested in hosting a regional, what should I do?
Please email the CPTC National Director at [email protected] and let us know. We'll get back in touch with you as soon as possible to talk!
What are some good resources to look at how a professional pentest is done?
Groups such as The Penetration Testing Execution Standard and OWASP maintain excellent information on common approaches. You should also consider reaching out to regional, state, or national consulting firms that provide penetration testing services. They may be willing to provide you some thoughts on their methodology and approach as well.