CTF is dead*

Capture-the-flag (CTF) competitions has been the biggest part of my journey in cyber security, and probably is the case for most people beginning their journey in cyber security. But I'm struggling to see a bright future for CTF's in its current state.

March 19, 2026

This is just me ranting about this topic, so I am apologising in advance for the lack of coherence and structure. This post is only my own opinion derived from my experiences and personal moral compass.

The good 'ol days

There were times I would bang my head against the wall trying to understand how client-side attacks works and gluing my eyes to the Webhook.site page every time I sent a payload hoping there will be a flag there. The rush of seeing the flag finally appearing after thousands of Google searches and blog-surfing is why I still keep doing this. The whole reason for me to even put time for CTF's in the middle of all the chaos of university and life is to learn concepts that would never be mentioned in a lecture.

The community is also one aspect of CTF's that is quite unique. The CTF community is basically just a bunch of nerds (in a good way), so it's perfectly normal to just geek out on a certain subject and talk about it for hours on the Discord channel after the competition. And these kinds of interactions are where the learning happens. You don't really know who is behind the screen, so it's often the case that you are learning about how Sysmon logs work from someone who has been analysing logs and defending endpoints their entire career. I personally learned most of my forensics knowledge through people who has done these kinds of work in real life, and those kinds of real-life and practical knowledge is priceless. On the other side, when you are explaining about how you solved the "easy" web challenge, you could be explaining it to a high-school student that's now awed by how easily you solved the challenge. It's an organic and beautiful way to exchange knowledge that feels very human.

The shift

But that sense of community and struggle has since been endangered. AI has removed all the hassles of solving a challenge, from basic things such as writing scripts to the extreme end of autonomously solving the whole challenge. Now you would never have to see another documentation page published in 2012 to solve that one challenge that used a niche protocol. You won't need to tell someone you've tried X, then Y, then Z. You won't even need to read what the challenge is about because you're not required to do that anymore.

The idea of paying for the best AI model to win is also problematic. CTF's has always been one of the most accessible ways for someone getting into cyber security, where the only requirements needed to play is time and curiosity. The only things separating you and the other players were experience and determination. But when the top "players" are paying hundreds of dollars for a top-tier model, the playing field shifts from showcasing skills to showcasing how deep your pocket is.

Other side of the coin

These shifts in the way people do CTF's has also affected authors. As an author myself, I have spent months researching about what kinds of topics would be interesting for people to learn about, that can either be novel tactics and techniques that APT's have used in the real world or protocols that most people would not know how it works at a deep level. And I felt a sense of content when people would talk about the concepts that I have integrated to my challenges and willing to extend their curiosity by doing their own research. There were also cases where individual people would privately message me to ask how I found these concepts and wanted to know how I built the challenges. This passion of wanting to know more is what fuels me to be able to create more interesting challenges.

But what's my incentive now if the only eyes that would see my challenges is an AI model? Why would I spend months of my time researching about concepts that I found interesting, building out the challenge and testing it out to make the solving path reasonable just so an AI would auto-solve it in minutes? If people were to just hand the challenge files to an AI, what's stopping me to ask an AI model to make a "slop" challenge? And this demotivation would affect quality of CTF's of today and players who are keen to learn would not find the competition fun anymore. We are looking at a lose-lose situation for authors and players who are there to experience the hardships of learning.

AI bad?

With all the ranting about how AI has changed CTF's for the worse, I have to say: I don't have a problem with AI itself. I think it is a powerful tool if you use it wisely. But we do not live in a perfect world, and some people cannot or are not willing to use AI wisely. AI makes a great assistant to gather information about a certain topic and also tailor that information to the challenge you are doing. I use it extensively to research about topics that I will use for my own challenges and also aid in work such as writing scripts or README's. But what a lot of players failed to understand is that by having these informations handed out on a silver platter, they are still in charge of actually understanding what's going on. It's dangerously easy to let AI do the heavy lifting and say "okay now solve this challenge for me". But when that happens, you are no longer learning. You might get the flag and ultimately the points needed to win, but you are not gaining anything after the competition ends.

Verdict

So, is CTF dead? If you are looking at the number of competitions and players, the answer is probably "no". CTF's are here to stay.

So why did I name this blog post "CTF is dead*"?

Because currently, it feels dead. The leaderboard is filled with many full-solves but with little to no conversations after the competition ended. The conversations that used to be a mix of curiosity, cool unintended solutions and experience-sharing are now just collections of AI-style solve scripts. As I said at the start of this post, CTF is all about the passion for learning. But you can't be passionate about something that you didn't participate in. When the AI just "slops" through all the challenges, there's no more engagement from humans. Now, the competition just becomes an exercise of prompt engineering.

What now?

How can we prevent the "death" of CTF as we know it? If you are currently a beginner player reading this, my suggestion is to be passionate and curious. If you are lost, you can still ask AI to help you out. But after that, close the tab and do it yourself and let your skills be honed by trial and error. It's going to be rough at first, but the dopamine rush when you solved a challenge on your own is unmatched. As the old saying goes: "It's not about the destination, it's about the journey"

For authors, the best way to keep this community alive is to keep innovating. Keep finding those 0-day exploits or researching about tactics that's used recently by APT's, because this is an era where creative and novel challenges are required to hinder AI "slopping". There might be fewer people willing to put in the effort to solve it, but you'll never know who's looking at your challenge and find the spark that will start their entire journey in cyber security.

As for the competition itself, it might need a change in format. Some people have given out their thoughts about how should CTF's change, but I honestly have no definitive answer for this. Proctored competitions may work but it can only go so far, and proctoring is basically impossible for online competitions. And proctoring CTF's may be perceived as being negative towards using AI for CTF's. Ultimately, it depends on the goals of the competition itself. If the goal is to educate as many people such as university competitions, then restricting AI usage might be a good idea.

In summary, I think we are currently in some rough times for CTF's, but I truly believe that it will never die as long as there are still people burning with passion in the field.