What is a CTF?

While trying to popularize CTF * BG as an initiative, we often struggle with the same issue: a lot of people, even InfoSec professionals, are not aware of what exactly a “CTF” is. We hope the following article provides a short answer to this question.

CTF, or Capture the Flag, within the field of Information Security, is a type of competition in which contestants attempt to infiltrate a specifically created environment and find “flags” inside. Each “flag” carries a certain number of points depending on the difficulty of the challenge that yielded this flag.


Usually the flags are easily recognizable strings, like “FLAG{&4jaubH3}” so that contestants don’t miss them.

In such competitions there usually are different categories of challenges and within each category, challenges are sorted by their difficulty. Traditional categories include:

Web: Challenges of this type focus on finding and leveraging vulnerabilities in websites/webapps.

Forensics: The main goal in this category is to “investigate” some sort of data, like a network capture (e.g. a .pcap file), and find the “needle” in the “haystack”.

Crypto: Challenges of this type focus on finding and using vulnerabilities in a cryptographic protocol, primitive or a particular implementation. Challenges of this kind are usually the most demanding in terms of theoretical knowledge. Here at CTF * BG we have a fondness for Crypto challenges and we have a slight focus on this type.

Reversing (or Reverse Engineering): The purpose here is to explore a given binary file and to find the key by decompilation, static or dynamic analysis or other reverse engineering tools.

Exploitation: Within this type, the goal is to build an exploit, very often for a binary, though sometimes for a Web application. Almost always contestants have (explicit) access to the source code of the application, unlike the Reversing category, where a big part of the challenge is that you have to essentially play “in the dark”. Problems within this category are usually the most difficult with regard to technical knowledge.

Miscellaneous: Everything not listed elsewhere that is still relevant to Information Security is in this category.

It’s worth noting that this list is by no means comprehensive and there are other categories of challenges, but at CTF * BG we give challenges in the above categories. Also, there are other types of competitions, e.g. the Attack-Defense competition, where the goal is for teams to simultaneously attack other teams’ infrastructure while defending their own servers/services. Although very enjoyable and rewarding, this type of CTF is quite rare.

In case we have got you interested, you can learn more about CTF competitions at https://ctftime.org/ctf-wtf/ or join the next edition of CTF * BG as a competitor/team.

Follow our site for more information on CTF * BG and other CTF initiatives of CyResLab.

Home of the first Bulgarian CTF competition