The International Capture The Flag ("iCTF") is a distributed, wide-area security exercise, which aims to test the security skills of the participants. It is the world's largest and longest-running educational hacking competition that integrates both attack and defense aspects in a live setting.

iCTF is held once a year. Recent iCTF contests are organized by Prof. Giovanni Vigna of the Department of Computer Science at UC Santa Barbara together with Shellphish, as well as Prof. Adam Doupé together with pwndevils.

iCTF 2020

The iCTF 2020 will be happening on March 6, 2020! For more information, please see the iCTF 2020 website.


The UC Santa Barbara Capture The Flag contest is multi-site, multi-team hacking contest in which a number of teams compete independently against each other.

In traditional editions of the iCTF competition, the goal of each team is to maintain a set of services such that they remain available and uncompromised throughout the contest phase. Each team also has to attempt to compromise the other teams' services. Since all the teams received an identical copy of the virtual host containing the vulnerable services, each team has to find vulnerabilities in their copy of the hosts and possibly fix the vulnerabilities without disrupting the services. At the same time, the teams have to leverage their knowledge about the vulnerabilities they found to compromise the servers run by other teams. Compromising a service allows a team to bypass the service's security mechanisms and to "capture the flag" associated with the service.

The iCTF Framework

The Security Lab at UC Santa Barbara has made available to the public the iCTF framework, which is the software infrastructure used to run the competition.

The framework is available for download on GitHub:


The iCTF framework is free for both commercial and non-commercial use (donations are welcome!). The UC Santa Barbara iCTF competition is based on the iCTF framework and similar competitions can leverage the same framework to create other educational security competitions.

History and Background

The UC Santa Barbara iCTF evolved from a number of previous security "live exercises" that were carried out locally at UC Santa Barbara, in 2001 and 2002. The first wide-area edition of the UC Santa Barbara CTF was carried out in December 2003. In that CTF, fourteen teams from around the United States competed in a contest to compromise other teams' network services while trying to protect their own services from attacks. The contest included teams from UC Santa Barbara, North Carolina State University, the Naval Postgraduate School in Monterey, the West Point Academy, Georgia Tech, University of Texas at Austin, and University of Illinois, Urbana-Champaign.

In 2004, the UC Santa Barbara CTF evolved into an international exercise (hence, the name "iCTF"), which included teams from the United States, Austria, Germany, Italy, and Norway.

Throughout the years, new competition designs have been introduced that innovated the more "traditional" designs followed in the 2003-2007 competitions.

More precisely, in 2008 the iCTF featured a separate virtual network for each team. The goal was to attack a terrorist network and defuse a bomb after compromising a number of hosts. This competition allowed for the recording of several parallel multi-stage attacks against the same network. The resulting dataset has been used as the basis for correlation and attack prediction research.

In 2009, the participants had to compromise the browsers of a large group of simulated users, steal their money, and create a botnet. This design focused particularly on the concept of drive-by attacks, in which users are lured into visiting web sites that deliver attacks silently.

In 2010, the participants were part of a coalition that had to attack the rogue nation of Litya, ruled by the evil Lisvoy Bironulesk. A new design forced the team to attack the services supporting Litya's infrastructure only at specific times, when certain activities were in progress. In addition, an intrusion detection system would temporarily firewall out the teams whose attacks were detected.

In 2011, the participants had to "launder" their money through the execution of exploits, which had some risks associated with them. This created an interesting exercise in evaluating the risk/reward trade-offs in network security.

In both 2012 and 2013, teams had to "weaponize" their exploit and give them to the organizer, who would then schedule their execution. This last design was a first step towards the creation of a "cyber-range" where interesting network datasets can be created to support security research.

In 2014, the competition was used as a way to publicize the iCTF Framework. To this end, the vulnerable virtual machine contained 42 services from previous iCTF editions, which forced the participants to effectively triage their efforts.

In 2015, the iCTF followed a novel design: in order to participate, the teams had to provide a vulnerable service that would become part of the competition. As a result, the 2015 iCTF featured 35 new services (and 35 teams) and tested a new set of skills, in addition to attack and defense: the ability to create a well-balanced vulnerable service.

In 2016, the we decided to permanently move the competition to March (and since the decision was made in October, there was no iCTF event in that year).

In March 2017, the iCTF was run using Amazon Web Services (Amazon's cloud). All components were run in an enclave, and the competition was open to the world, resulting in more than 280 teams participating.

In March 2019, the iCTF competition continued to be hosted on Amazon AWS infrastructure and introduced a new way of creating and desploying services using containers. The competition was held on March 15th, 2019 with almost 400 teams participating.

Point Of Contact

The UC Santa Barbara International Capture The Flag (iCTF) is organized by Giovanni Vigna, at UC Santa Barbara.

This is the contact information: