This competition is designed to test your skills at conducting and authorized penetration test.
Ten (10) teams will compete at the Regional level. Each team is made of up six team members who will work with each other to conduct a pen test against a realistic organization. Users will gain access, pivot, escalate privileges, and steal “confidential data” from our target systems.That could be confidential or personally identifiable information of any kind. The entire time, your team will document your findings and provide the system owners with a report of recommendations to make the system more secure.
Teams are required to have a faculty coach who is present with the team at the regional and national competitions.
All regional competitions will be held on October 11-13, 2019. A regional map can be found at http://nationalcptc.org/.
- Central Region – Tennessee Tech University Regional Site
- North Region - University of New Haven Regional Site
- NorthEast Region – Penn State University Regional Site
- Southeast Region - Augusta University Regional Site
- Western Region – Stanford University Regional Site
Winning teams from the regionals will advance to the National CPTC Finals in Rochester, NY on November 22-24, 2019.
"Our goal for this event is to model a real life penetration test as closely as possible in a competition environment."
A penetration testing event (PT) is cooperative, whether it’s a black box test (when very little information is shared) or a crystal box test (when a lot of insider information is shared).
Cyber security events, such as a CTF, vulnerability assessment, auditing, or Pen testing, share many characteristics. All of them exercise a competitor’s understanding of how things work, knowledge of why systems function the way they do, and their skill in manipulating a systems function. They test and assess a contestant’s proficiency in the field of computing and cyber security.
Two characteristics discriminate a PT from other tests:
- A PT picks up where a vulnerability assessment of an exploit ends. The goal is to see how far and to what extent the vulnerability threatens the company and what resources are exposed. A vulnerability assessment might discover that a cheap, easily pick-able lockset is used on your home, pick the lock to verify, and stop there. A PT would continue on a demonstrate that your TV, stereo, and jewelry box could be taken. Alternatively, the lockset could be less of a concern because the door only leads to the back porch and the next door to the house has a very good lock, minimizing the threat of the weak exterior door lock.
- Unlike the CTF, the goal of a PT is to protect and improve the security of the company. The PT should do no harm. The system should not be damaged. The company’s operation or reputation should not be negatively impacted. Any and all vulnerabilities found need to be clearly documented with a mitigation plan provided to the customer for their benefit. While a CTF needs only to find a single successful exploit to gain the flag, a PT strives to find ALL (or at least as many as possible) weaknesses, vulnerabilities, and leaks in a system. This makes a PT a much more demanding exercise. A PT should not stop at the first successful breach, but continue searching for any known vulnerabilities possible in the target system.