A common complaint among those who teach computer science, programming, and cybersecurity is that the moment they establish a curriculum, it is already out of date. New technologies are invented, new programming languages are conceived, and new security vulnerabilities are discovered constantly. This is the situation cyber officers face as they prepare training plans for their units, and it is the same one faced by the Army Training and Doctrine Command (TRADOC) as they develop classes for their cyber courses. It is impossible for the Army to keep up with the pace of technology and cybersecurity, and the specific skills that students learn in training are often already obsolete. Luckily, the private sector developed a solution to this challenge years ago: the Capture the Flag (CTF) competition. CTFs are the perfect tool for teaching cyber Soldiers how to learn, not what to learn. The Army should develop and host CTFs to recruit, train, and recognize cyber talent; cyber units should make CTFs part of their battle rhythms.
A CTF is a gamified learning tool that rewards students with points for successfully completing challenges. Students complete challenges by finding “flags,” which are typically a random string of characters that cannot be guessed, similar to a password. Some flags are hidden inside large files that must be forensically analyzed, decrypted, or exploited. Alternatively, a flag might be located on a remote server, and the student is left to figure out a way onto that system themselves. Another flag might be an answer to a question.(Think: “Based on this packet capture, what was the username of the person who exploited the website?”). Typically, challenges are displayed on a Jeopardy-style game board and assigned points based on difficulty. Alternatively, some CTFs are more linear, requiring the student to solve challenges in order to progress and unlock new challenges. There are many CTFs that are available for anyone in the world to register for and participate in, and many of them are free. The target audience for CTFs can range from middle school students to cybersecurity professionals, and the rewards can range from public recognition to significant cash prizes.
Capture the Flags are powerful learning tools because each new question requires a student to think independently and devise a novel solution. This can be daunting, especially if students are used to learning in a typical classroom environment where a teacher presents material and the students attempt to remember it until they are tested. In a CTF, there is no lesson plan, no PowerPoint, no lecture. The student is given a goal and little else. This is the most difficult and most important step. I remember when I participated in my first CTF while trying out for the West Point Cadet Competitive Cyber Team (C3T). I would look at problems and have no idea what they were saying, let alone how to solve them. Even for the easiest challenges, I had to do hours of research just to understand the question. It is true that it would have been so much easier and faster if someone had simply provided me with the necessary information to solve the problem and then left it up to me to apply it independently. But that is the point. Eventually, I gained a foundation in the basics, and more importantly, I learned how to build that foundation on my own. When I looked at new problems about unfamiliar topics, rather than being discouraged, I knew that there was nothing stopping me from diving in and teaching myself.
CTFs teach a mindset of tenacity and independent thinking, which industry leaders identify as the key to success in cybersecurity. Offensive Security (OffSec) is a company that is well-known in the cybersecurity community for the Kali Linux operating system, the Offensive Security Certified Professional (OSCP) certification, and many other products. OffSec’s motto, “Try Harder,” is one that exemplifies the mindset needed to succeed in CTFs and in cyber. OffSec (2025) recently published a blog about their motto that I think explains the benefits of CTFs:
The world of information security doesn’t hand out neat instructions or guaranteed solutions. It demands persistence, adaptability, and sharp critical thinking under pressure. That process of not giving up, of getting creative, of growing through setbacks, is where the real transformation happens.
OffSec lays out three core components of the “Try Harder” mindset: Self-Directed Learning, Resourcefulness and Resilience, and Failing Forward. Looking closer at these components, it’s clear that the traditional classroom training model teaches none of them. Training is developed and approved far outside of the student’s control. Students are given answers rather than discovering them on their own. Proficiency is assessed once, at the end of training, where failure is discouraged. Traditional classroom training cannot instill a “Try Harder” mindset on its own.
Both TRADOC and individual Cyber units already utilize CTFs in their training, but not in a standardized way. For instance, the Cyber Common Technical Core (CCTC) course uses a “cyber range” environment, where students gather flags from virtual computers that they have exploited. I have also heard from fellow officers that their units will occasionally organize teams to participate in public CTFs. For a while, the Army appeared poised to offer this kind of training to cyber units across the force. From 2016 to 2020, the Army Cyber Institute (ACI) hosted an annual Army-wide CTF called All-Army CyberStakes. As Col. Jeffrey Erickson, ACI’s chief of staff, said in 2020, “The whole purpose of CyberStakes is to challenge and recognize the best in our force, and to provide high quality, deeply technical individual training for all skill levels” (Beum, 2020). The winner of the 2020 CyberStakes was 1st Lt. Brian Welch, a mission commander and cyberspace capability developer from the 780th Military Intelligence Brigade, who benefited from the training and the rigors of competition. As he put it:
CyberStakes is the single greatest technical training event available to the DOD cyber community. Capture-the-Flags, in general, are also a great culminating event for any kind of long pipeline training and give participants an opportunity to compete and showcase their technical skillset.
I am not familiar with the exact reasons why All-Army CyberStakes lost support, but I believe it is the model that the Army should use to develop future CTF-based training.
The Army should be sponsoring CTFs at the highest level because of their potential for recruiting, training, and recognizing cyber talent. For recruiting, the Army could establish a competitive CTF team and compete in CTFs all over the world, an idea first suggested by CSM Sam Crislip (Crislip, 2020). This would establish the Army as a premier organization to learn cyber skills and prove to potential recruits that their talents will not be wasted. For training and talent recognition, the Army should dedicate resources to recreating something like All-Army CyberStakes and rewarding units and individuals who excel at it. Alternatively, the Army should encourage and provide resources for units to participate in CTFs hosted by external organizations, such as President’s Cup, and reward units accordingly.
Even absent additional resources or support, leaders at all levels of Army Cyber should take it upon themselves to promote the use of CTFs within their units. There are many ways they can start today. What follows are just a few of my favorite free resources for CTFs:
- President’s Cup Cybersecurity Competition: The Cybersecurity and Infrastructure Security Agency (CISA) established the President’s Cup Cybersecurity Competition in response to Executive Order 13870 and has run six competitions so far. I believe it exemplifies everything that the Army should be doing to train and recognize talent. The actual competition is hosted annually and includes three rounds, with the final round being held in person. There are also three tracks: Team (5 person max), Individual Track A (Offense), and Individual Track B (Defense). In addition to the annual competition, CISA’s website hosts practice challenges year-round, and many have also been published to GitHub.
https://www.cisa.gov/presidents-cup-cybersecurity-competition
https://presidentscup.cisa.gov/gb/practice
https://github.com/cisagov/prescup-challenges/tree/main
- PicoCTF: Hosted by Carnegie Mellon University, PicoCTF has been one of my favorite annual CTFs for nearly a decade. This is the quintessential CTF experience. Its challenges range from beginner to expert, so no matter how many years I have played it, I always enjoy refreshing some old skills and learning something new. Pico, too, hosts practice challenges year-round.
- Hack the Box: Hack the Box started as simply a kind of “cyber range” that hosted vulnerable virtual computers (“boxes”), which users had to exploit to earn flags. It has since expanded to include more diverse CTF challenges outside of exploitation, but its more advanced features require a paid subscription.
- CTFtime: This website serves as a hub for CTFs. You can use it to track upcoming competitions and learn how to register for them. You can also use your placement in certain competitions to gain points and increase your rank on the CTFtime site itself, in a kind of meta-competition.
The Greek philosopher Plutarch once said that “the mind does not require filling like a bottle, but rather, like wood, it only requires kindling to create in it an impulse to think independently.” If the Army wants to fight and win in cyberspace, it needs a workforce that is trained to solve hard problems. As the Army works to develop its cyber forces, it must prioritize instilling a “Try Harder” mindset in its Soldiers, teaching them to teach themselves. The proven model for identifying and developing this mindset is the CTF.
References
Beum, L. (2020, May 6). All-Army CyberStakes is more than just Army. U.S. Army.
https://www.army.mil/article/235327/all_army_cyberstakes_is_more_than_just_
Crislip, S. (2020, August 28). Capturing flags and recruiting future cyber soldiers. War
on the Rocks. https://warontherocks.com/2020/08/capturing-flags-and-recruiting-
OffSec Team. (2025, June 23). What it really means to “Try Harder.” OffSec.
Social Sharing