We're glad to see that you're interested in competing with us as part of the Collegiate Penetration Testing Competition (CPTC)! At its heart, CPTC is a bit different from several other collegiate cybersecurity competitions. Instead of defending your network, searching for flags, or claiming ownership of systems, CPTC focuses on mimicking the activities performed during a real-world penetration testing engagement conducted by companies, professional services firms, and internal security departments around the world.
Each year our volunteers and sponsors develop a mock organization which is seeking penetration testing services. During the competition, you, the student teams, play the role of a consulting firm that is providing this test to our organization. We will develop background information, employees, organizational policies, Internet services, and a network that will be used as part of the testing. Each team will be provided with a completely identical but separate and segmented environment to perform their testing. Just as with a real-world pen-test, you will be asked to provide deliverables, presentations to company management, and recommendations on vulnerabilities discovered during your test. Teams will be scored not just on the technical vulnerabilities discovered, but also on their professionalism and communication skills. We will have members of the company IT team and management on-hand during the competition to answer any questions that you may have or issues that may arise during your testing of our network.
CPTC begins with a set of regional competitions that will occur in the fall of each year. During these regional competitions, teams will compete using identical environments with other teams from around the nation. The test environment will be coordinated nationally to ensure that all teams across all regions will have the same environment. The top two teams from each region will advance to the national competition. Furthermore, the highest ranked teams at-large from across all regional competitors will also advance, creating a national competition of ten teams total.
We have included a general timeline of activities below. If you have further interest, please don't hesitate to contact members of our advisory board or any of our regional coordinators. If you're interested in competing in one of our regional competitions, please sign up and we'll be in touch!
The schedule for 2019 has not been finalized yet. Please check back later.
Can some, or all, of our team participate remotely?
Our team (or some members) need to leave early or arrive late, is this allowed?
If one of the members that we register gets sick or cannot make the event, can we substitute another student?
Are graduate students allowed on the team?
One of our members is uncomfortable signing the CPTC participation agreement, does that disqualify our whole team?
Do we have to have a coach?
If our team or member gets disqualified, is there an appeals process?
What sort of activities might disqualify our team or members?
What does "ROE" stand for and what does it mean?
What does "scope" mean?
How will we be scored and winners selected?
What does our penetration testing system contain?
Will we have Internet access during the competition?
Can we use our own systems to perform the testing?
What kind of tools can we download or use?
Teams will be allowed to customize their testing systems by using any publicly available tools. This means that anything which can be freely downloaded without requiring a signup or account may be used. Although real-world penetration testing firms may have proprietary tools they use, the spirit of this rule is to keep the testing environment level for all teams. For example, the following tools would be allowed:
- Scripts or programs downloaded from publicly available, well-known GitHub repositories
- Executables available for direct download from a company website
- Binaries included within the repositories of major operating systems and distributions
- Tools or scripts found within the "client" networks
The following forms of tools would not be allowed:
- Items stored on private repositories or those made public but unknown or obfuscated, bypassing the "public" requirement
- Tools requiring signing up for an account on a vendor's website, even if anyone is allowed to create an account
- Scripts pre-generated by teams and placed on Internet storage locations, even if public
If you are unsure if you are allowed to use a specific tool, please contact the White Team.