I ran a small internal CTF for our team last month. Twelve challenges, expected solve time around six hours for a strong player. The first three fell in under ten minutes — not because the players were geniuses, but because they pasted the prompt into an LLM and waited.
This is not a rant about cheating. The same thing is happening in public CTFs, and it's exposing a real engineering problem: most CTF challenges were designed assuming the solver is a human reading a static artifact. Frontier models are extremely good at reading static artifacts. If you want challenges that still teach something in 2026, you have to design them differently.
Here's the debugging walkthrough I went through after watching my own event get eaten.
The root cause: challenges that are pure pattern recognition
Most "easy" and "medium" CTF problems share a shape. You get a file or an endpoint. You inspect it. You recognize a known scheme — XOR with a short key, a misuse of ECB mode, a path traversal, a weak JWT secret, a pickle deserialization. You apply the known counter and pull the flag.
That shape is exactly what large language models trained on writeups handle effortlessly. There are tens of thousands of solved CTF writeups indexed on the public web. The model has seen the pattern, and it has seen the canonical exploit. Showing it your toy variant doesn't trip it up — it just fills in the blanks.
Here's a stripped-down example of a challenge I used to think was clever:
# Server side — a 'custom' XOR cipher
import os
KEY = os.urandom(8) # 8-byte repeating key
def encrypt(plaintext: bytes) -> bytes:
return bytes(b ^ KEY[i % len(KEY)] for i, b in enumerate(plaintext))
# Hand the player a ciphertext of a known-format header + flag
ciphertext = encrypt(b"FLAG_FORMAT{" + flag_body + b"}")
The intended solution is known-plaintext recovery against the header, then decrypt the rest. A first-year security student should get it after some effort. A frontier model writes the solver in one shot because the pattern is famous. The challenge isn't testing what I thought it was testing.
Why hardening the artifact doesn't help
My first instinct was to obfuscate. Pack the binary. Strip symbols. Add anti-debugging. None of it works for very long, and worse, it makes the challenge less educational for humans while barely slowing the model down. The model isn't running your binary — it's reading it, and if the underlying algorithm is something it's seen before, it'll recognize it through layers of fluff.
The issue isn't surface complexity. It's that the solution space is in the training distribution.
Step-by-step fix: design around what models are bad at
After rebuilding my challenge set, the patterns that survived had three things in common.
1. Real-time stateful interaction
If the challenge requires holding a TCP connection open, reacting to server timing, or responding within a window, you've moved out of "read the artifact" territory. The model has to plan and execute, not just generate. Agent harnesses are catching up here, but the failure rate is dramatically higher than for static problems.
A basic shape that worked well:
import asyncio, secrets, time
async def handle(reader, writer):
# Challenge sends a nonce, expects a response within 200ms
# The response must include a hash of (nonce + previous_response)
# for the last N rounds — so the player must maintain state
history = []
for _ in range(64):
nonce = secrets.token_bytes(16)
writer.write(nonce + b"\n")
await writer.drain()
start = time.monotonic()
line = await asyncio.wait_for(reader.readline(), timeout=0.2)
# Validate against history chain — details omitted
history.append(line.strip())
writer.write(FLAG)
The model can write a client for this, but if it gets one round wrong it has to redo the entire session. Latency budget plus state chain catches a lot of one-shot attempts.
2. Custom protocols with no public writeups
This is the boring answer but it's the most effective one. Invent the format. Don't reuse a well-known one and tweak it. The model's strength is recognizing what it's seen — if it has not seen your binary protocol because you made it up last Tuesday, it has to actually reason about the bytes.
A pattern I like: define a small VM with three or four opcodes, give the player a program in that bytecode, and embed the bug in the VM semantics rather than in the program. The model can disassemble the program quickly. Figuring out that opcode 0x07 has an off-by-one in the bounds check is much harder when there's no Stack Overflow answer about it.
3. Multi-stage chains where each stage gates the next
Single-shot problems are the model's home turf. Chains that require pivoting — get RCE here, find creds, use them to query an internal service, leak a key, sign a token — multiply the chance of a mid-chain failure. Each step needs to feed the next, and the model has to keep its context coherent across all of them.
The practical trick is making the intermediate outputs noisy. If stage 1 produces a clean string that says next_password: hunter2, the model marches on. If stage 1 produces a memory dump where the password is one of forty plausible candidates, the model often picks the wrong one and the chain breaks silently.
Prevention: a checklist before you ship a challenge
When I review a new challenge now, I run it past a frontier model myself with a deliberately weak prompt — something like "solve this CTF challenge, here are the files." If it gets the flag on the first or second attempt, the challenge isn't ready. Concretely:
- Does the writeup for the intended solution exist on the public web for a near-identical problem? If yes, redesign.
- Can the entire solution be derived from a single static snapshot? If yes, add interaction or state.
- Does the challenge require any novel reasoning, or is it pattern-matching a known vuln class? If pattern-matching, you're really testing recall, not skill.
- Is there a tight latency or rate constraint? Even a 500ms response window changes the game.
- Are intermediate stages noisy enough that the wrong answer is plausibly correct?
None of this is bulletproof. Models keep getting better, and harnesses for agentic exploitation are improving fast. But the framing shift matters more than any specific technique: stop designing for the solo human reader, and start designing for an adversary that has memorized every public writeup but struggles to plan across long interactive sessions.
If you run CTFs, the format isn't dead — but the lazy version of it is. The good news is that the challenges that survive this filter are also the ones that teach the most. Forcing yourself to write something a model hasn't seen tends to push you toward more interesting problems anyway.
I haven't run a fully model-resistant event yet — six months from now this advice may already be stale. But the direction of travel is clear, and the cost of redesigning a challenge set is much lower than the cost of running an event where half the leaderboard is just whoever pasted fastest.
Top comments (0)