Capture all the things!

Capture the Flag (CTF) games seem to be all the rage now! I mean, I’m not complaining, I’ve been using these for years now and I’ve been building games for about a year so I’m super excited they are more popular, but popular != great.

I want to host a CTF!

Now you are probably reading this because you think, great I’ll run a CTF, it’s simple right. I just building some complex computer booper challenges and load a few flags and jobs a good’un! Now if only life was so simple, I’ve been planning, designing, building and configuring (even operating) technology systems for over 20 years now (is it really that long?! Crap!) and its funny how many parallels run with business system deployment and CTF games. I started when I was a kid, wanting to be a games maker! I cut my teach with PC’s in the early 90’s playing doom, making mods and messing with code in games like Jedi Knight, Half Life etc.

I learnt quite quickly that building a component did not mean I was equipped to build a whole game, hell I struggled to even get a level built and released for Half Life multiplayer, and the result was well… given I was a kid… ok but I didn’t understand a lot of things required to make a level good, let alone a whole game.

So, why am I rambling about this? Well I thought I’d share some of my experience with people to try and help people who are considering building CTF games. I’ve come up with a few key points I think people should consider.

Capture the Flag Project Architecture

Call if a game, call it an education platform, call if whatever you want but fundamentally you are running a project to meet a business objective and it’s going to require time, money and require equipment! It’s just like deploying a new business service. So treat it as such!

Now I’m not saying it needs a huge level of formality but building these isn’t a two-minute job and it requires effort, persistence and dedication, at the end of the day your payers are your customers!

Key Considerations

With this reality in mind here’s my list of key considerations to start thinking about ASAP (and guess what they aren’t about 0’s and 1’s), it’s not everything but it’s probably a good few points that you should really put some thought into!

  • What are your goals of the CTF?
    • Why are you making this?
  • What are the lessons or experiences you are trying to share?
    • Demonstrate real world attack/defence?
    • Teach new techniques
    • Demonstrate how off the wall you can make a challenge? (I might be being tongue in cheek, but I see some builds give off this impression that the focus is on the box maker more than the players)
  • Who is your audience?
    • What skill level have they got?
    • What experience level do they have?
    • What are the constraints they might have whilst playing?
  • What do you want people to feel when they are playing the game?
    • Is there a theme to your CTF?
  • What do you want people to remember about their experience?
  • What type of CTF game/platform/arena are you trying to make?

Now these are quite holistic questions, once you have a good understanding of these you will also need to deal with more practical elements such as:

  • Game Platform
  • Story and Immersion
    • You may not want to create an immersive experience however I strongly recommend you consider this both at the initial strategy and planning and in this detailed technical space
  • Scoring
  • Registration
  • Teams
  • Rules
  • Flag Structures
  • Flag Locations
  • Game Times
  • Access Requirements
  • Marketing and Communications
  • Prizes
  • Game Arenas
  • Challenges
    • Remember you need to build vulnerable and solvable puzzles. The build and test time for a single machine can take weeks.
  • Vulnerabilities and techniques
    • Building a vulnerable box with a specific route isn’t as easy as it sounds so be mindful of the types of vulnerability or technique you want to showcase etc.
  • Walkthroughs
  • Testing (god don’t forget to test! I know this from experience)
  • Timescales
  • Project Management
  • Document Management and Collaboration
  • Player support
  • Password resets
  • Hints
  • Event logistics
  • Event Management
  • On the day technical troubleshooting
  • Software licensing
  • Finances

And all of this is required to be understood before you have even built a puzzle, virtual machine of coded anything! See its fun right! Now don’t get me wrong, it is super fun but it also bloody hard work. Make sure you work out your plan, understand what you are trying to achieve and ensure you have the appropriate resources allocated to make these.

Common Pitfalls I see

Here’s some of the things I see with CTFs and some of the pitfalls I’ve observed from both a builder and player (I’m sure there are more!)

  • Underestimating the level of resources and effort required
  • Reliance on community challenge donations
  • Not marketing well
  • Creating challenges that are simply too hard for the audience either through complexity or through obscurity
  • Not focusing on the player experience
  • Bugs (hell I get hit by these a lot)
  • Trying to do too much in one game

I’m sure there are more but these are the items that spring to mind, it’s really easy to focus on crazy challenges and massively increasing scopes, but in the end if you bite off more than you can chew, the player experience will probably suffer, the build process will be stressful and overall your probably going to have a more negative experience. Remember, this is about fun, learning, teamwork and enabling the players!


I could write forever on this subject and this was just meant to be a glimpse into the process of planning and running a capture the flag game. Some are simpler than others, this isn’t a definitive list nor is this prescriptive, its simply based on my experience over the last year running CTFs both online and in person both alongside and with events such as Bsides. Hopefully this helps you think about the type of game you want to build and makes you walk in with your eyes open!

Remember, CTF’s are for the players!

Leave a Reply