<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:dc="http://purl.org/dc/elements/1.1/">
  <channel>
    <title>DEV Community: MT</title>
    <description>The latest articles on DEV Community by MT (@stephan_yang_2fc602f15fde).</description>
    <link>https://dev.to/stephan_yang_2fc602f15fde</link>
    <image>
      <url>https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F3874423%2F208cfaf5-b88b-4b0b-8583-416758a7ffb0.jpg</url>
      <title>DEV Community: MT</title>
      <link>https://dev.to/stephan_yang_2fc602f15fde</link>
    </image>
    <atom:link rel="self" type="application/rss+xml" href="https://dev.to/feed/stephan_yang_2fc602f15fde"/>
    <language>en</language>
    <item>
      <title>CTFd Was Built for Hackers. That's Exactly Why It Doesn't Work for Corporate Security Training.</title>
      <dc:creator>MT</dc:creator>
      <pubDate>Sun, 12 Apr 2026 05:41:03 +0000</pubDate>
      <link>https://dev.to/stephan_yang_2fc602f15fde/ctfd-was-built-for-hackers-thats-exactly-why-it-doesnt-work-for-corporate-security-training-34jg</link>
      <guid>https://dev.to/stephan_yang_2fc602f15fde/ctfd-was-built-for-hackers-thats-exactly-why-it-doesnt-work-for-corporate-security-training-34jg</guid>
      <description>&lt;p&gt;Let me say upfront that CTFd is a great piece of software. It's open source, it's been battle-tested at thousands of competitions, and the community around it is genuinely solid. If you're a university CTF club or a group of hobbyists who want to run an annual competition and have a DevOps person on the team — CTFd is probably fine.&lt;/p&gt;

&lt;p&gt;But I keep seeing companies reach for it when they want to train their security teams or test their employees' skills. And almost every time, it turns into a quiet disaster. Not because CTFd is bad, but because it was never designed for what companies are actually trying to do with it.&lt;/p&gt;

&lt;p&gt;Here's what I mean.&lt;/p&gt;

&lt;h2&gt;
  
  
  You have to build everything yourself — including the challenges
&lt;/h2&gt;

&lt;p&gt;CTFd is a platform, not a product. It gives you the scaffolding: the scoreboard, the submission system, user management, basic challenge types. What it doesn't give you is actual content.&lt;/p&gt;

&lt;p&gt;For a CTF club, that's fine. Challenge authors exist. People volunteer their time. You have months to write interesting problems. But when a company's security manager wants to run a skills assessment for 40 employees next quarter, they don't have a roster of challenge authors. They have a calendar and a budget. Building even a basic set of web, crypto, and network challenges from scratch takes dozens of hours of skilled engineering time, and that's before you test them to make sure they're not broken, trivially solvable, or unsolvable.&lt;/p&gt;

&lt;p&gt;The result is usually the same: whoever "owns" the initiative spends three weeks writing mediocre challenges, the CTF runs once, nobody is confident in what it actually measured, and it doesn't happen again next year.&lt;/p&gt;

&lt;h2&gt;
  
  
  Self-hosting CTFd is a real job
&lt;/h2&gt;

&lt;p&gt;The open source version of CTFd is free, but free doesn't mean zero cost. You're running Flask under Gunicorn, MariaDB, Redis, and Nginx at minimum. You need to configure workers correctly (the CTFd Docker image starts Gunicorn with a single worker unless you set WORKERS, and one worker falls apart the moment you have more than a handful of concurrent users). You need to handle TLS, rate limiting, reverse proxy config, and DDoS mitigation. During a live event, someone needs to be watching all of it.&lt;/p&gt;

&lt;p&gt;The self-hosting guides are good. The community is helpful. But this is genuinely DevOps work. Companies that don't have spare DevOps capacity — which is most of them — end up either skipping the self-hosted route or deploying something misconfigured that breaks on event day.&lt;/p&gt;

&lt;h2&gt;
  
  
  The managed tiers solve infrastructure but not content
&lt;/h2&gt;

&lt;p&gt;CTFd's hosted plans start at $60/month for the basic tier and go up to $360/month for the professional tier. That handles the server side. But you still have no challenges. You still have no learning paths. You still have no content library. The managed plans give you a place to run your CTF; they don't give you anything to actually run.&lt;/p&gt;

&lt;p&gt;For a single annual event, paying a monthly subscription while you spend six weeks building content is a hard sell internally.&lt;/p&gt;

&lt;h2&gt;
  
  
  Dynamic challenge instances are an enterprise feature, and the pricing reflects it
&lt;/h2&gt;

&lt;p&gt;Here's a real problem that comes up fast in corporate settings: shared challenge instances. If you have 40 employees working on the same web exploitation challenge on the same server, one person can accidentally — or intentionally — break the environment for everyone. You need per-user isolated instances.&lt;/p&gt;

&lt;p&gt;In CTFd, that's an Enterprise-tier feature, and the Enterprise tier means contacting sales. There's no public pricing. For smaller companies, the conversation often ends there.&lt;/p&gt;

&lt;h2&gt;
  
  
  Analytics are shallow for training purposes
&lt;/h2&gt;

&lt;p&gt;CTFd's admin panel gives you submission counts, solve rates, and a leaderboard. That's useful for running a competition. It's not enough for a company trying to answer the question: "which employees are weak on web security and need follow-up training?" You get scores, not insights. Aggregate data, not individual skill maps. If the goal is genuine assessment — the kind HR or a CISO would act on — CTFd requires significant customization or third-party tooling to get there.&lt;/p&gt;

&lt;h2&gt;
  
  
  The platform is optimized for events, not ongoing learning
&lt;/h2&gt;

&lt;p&gt;This is the fundamental mismatch. CTFd is designed around the structure of a competition: start time, end time, frozen scoreboard. That works beautifully for a 48-hour public CTF. It works less well for a company that wants to run quarterly skill assessments, or maintain an internal practice environment where employees can work through challenges on their own schedule between events.&lt;/p&gt;

&lt;p&gt;Persistent environments, learning paths, and progress tracking across multiple sessions aren't what CTFd was built for.&lt;/p&gt;




&lt;h2&gt;
  
  
  If CTFd isn't the right fit, what is?
&lt;/h2&gt;

&lt;p&gt;The honest answer is it depends on your priorities, your team's technical capacity, and your budget. Here are the main alternatives worth looking at:&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;&lt;a href="https://www.hackthebox.com/business" rel="noopener noreferrer"&gt;Hack The Box for Business&lt;/a&gt;&lt;/strong&gt; — The most recognized name in corporate cybersecurity training. High-quality content library, enterprise analytics, individual skill graphs, and scalable infrastructure. The premium option. Budget accordingly.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;&lt;a href="https://tryhackme.com/business" rel="noopener noreferrer"&gt;TryHackMe for Business&lt;/a&gt;&lt;/strong&gt; — More beginner-friendly than HTB. Good learning paths, solid content library, and a CTF builder that lets you spin up events from existing challenges without building from scratch. Better for teams with mixed skill levels.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;&lt;a href="https://www.simulationslabs.com" rel="noopener noreferrer"&gt;Simulations Labs&lt;/a&gt;&lt;/strong&gt; — A no-code platform built specifically for hosting CTFs and cyber drills. Includes a pre-built challenge library covering web, crypto, and network security, supports both internal and public competition modes, and is straightforward to set up without DevOps involvement. A solid middle ground between CTFd's DIY flexibility and HTB's premium pricing.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;&lt;a href="https://cybertalents.com" rel="noopener noreferrer"&gt;CyberTalents&lt;/a&gt;&lt;/strong&gt; — Strong community presence, particularly in the MENA region. Has hosted 100+ competitions and offers challenge content, real-time support during events, and training resources for less experienced participants.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;&lt;a href="https://parrot-ctfs.com" rel="noopener noreferrer"&gt;Parrot CTFs&lt;/a&gt;&lt;/strong&gt; — Newer entrant in the managed CTF hosting space. Fully turnkey approach with white-glove support and custom challenge development available. Worth evaluating if you want a hands-off experience from day one.&lt;/p&gt;




&lt;p&gt;CTFd will almost certainly keep powering the majority of the world's public CTF competitions, and it should — it's excellent at that. But if you're a company trying to genuinely measure and develop your security team's skills, it's worth being honest with yourself about whether you're choosing it because it's the right tool or because it's just the one you've heard of.&lt;/p&gt;

</description>
      <category>ctf</category>
      <category>cybersecurity</category>
      <category>security</category>
    </item>
    <item>
      <title>How to Run a CTF That People Actually Learn From (Not Just Compete In)</title>
      <dc:creator>MT</dc:creator>
      <pubDate>Sun, 12 Apr 2026 05:29:40 +0000</pubDate>
      <link>https://dev.to/stephan_yang_2fc602f15fde/why-ctf-challenges-are-the-best-way-to-learn-offensive-security-and-where-to-start-5cim</link>
      <guid>https://dev.to/stephan_yang_2fc602f15fde/why-ctf-challenges-are-the-best-way-to-learn-offensive-security-and-where-to-start-5cim</guid>
      <description>&lt;p&gt;CTF competitions are having a moment. Universities are running them. Companies are using them to hire. Security conferences anchor their whole agenda around them. And yet — most CTFs, especially internal ones, get it wrong in the same way: they prioritize &lt;em&gt;competition&lt;/em&gt; over &lt;em&gt;learning&lt;/em&gt;.&lt;/p&gt;

&lt;p&gt;Players rage-quit after two hours. Teams solve nothing and leave feeling incompetent. The "winner" already had professional experience. The intended learning outcomes? Nowhere.&lt;/p&gt;

&lt;p&gt;Here's what separates a forgettable CTF from one people talk about months later.&lt;/p&gt;

&lt;h2&gt;
  
  
  The two audiences most CTF organizers ignore
&lt;/h2&gt;

&lt;p&gt;Before you build a single challenge, answer this: who is this actually for?&lt;/p&gt;

&lt;p&gt;There's a massive difference between running a CTF for &lt;strong&gt;existing security practitioners&lt;/strong&gt; and running one for &lt;strong&gt;developers, students, or newcomers&lt;/strong&gt; who are still figuring out what offensive security even feels like.&lt;/p&gt;

&lt;p&gt;The second group needs a different design philosophy:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;Challenges that &lt;em&gt;teach&lt;/em&gt; concepts, not just test prior knowledge&lt;/li&gt;
&lt;li&gt;Hint systems that nudge without spoiling&lt;/li&gt;
&lt;li&gt;A difficulty curve, not a vertical wall&lt;/li&gt;
&lt;li&gt;Categories that map to real roles (web, crypto, forensics, network)&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;Most CTF disasters happen when organizers design for practitioners but invite beginners. Nail your audience first.&lt;/p&gt;

&lt;h2&gt;
  
  
  Challenge design: where CTFs live or die
&lt;/h2&gt;

&lt;p&gt;A well-designed CTF has at least 3–4 categories and at least 3 difficulty tiers in each:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;
&lt;strong&gt;Web Security&lt;/strong&gt; — SQLi, XSS, SSRF, auth bypass, JWT attacks. Most approachable for developers.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Cryptography&lt;/strong&gt; — Weak RNG, broken RSA, padding oracle. Math-heavy, but deeply satisfying when it clicks.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Forensics&lt;/strong&gt; — PCAP analysis, steganography, memory dumps. Great for blue team exposure.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Binary / Pwn&lt;/strong&gt; — Buffer overflows, ROP chains. Steep curve, but builds real intuition.&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;The easiest challenge in each category should be solvable by someone who just Googled the concept for the first time. The hardest should challenge someone with a year of experience.&lt;/p&gt;

&lt;blockquote&gt;
&lt;p&gt;&lt;strong&gt;Design principle:&lt;/strong&gt; Write challenges backwards. Define what the player should &lt;em&gt;learn&lt;/em&gt; first, then design the vulnerability around that outcome. A challenge is bad if the only lesson is "you either knew this trick or you didn't."&lt;/p&gt;
&lt;/blockquote&gt;

&lt;h2&gt;
  
  
  The infrastructure problem nobody talks about
&lt;/h2&gt;

&lt;p&gt;Here's a pain most CTF organizers know intimately: you spend 80% of your prep time on infrastructure, and 20% on actual challenge design. Then on competition day, something breaks.&lt;/p&gt;

&lt;p&gt;Docker containers go down. Someone finds a shared flag in a misconfigured challenge. The scoreboard hits a race condition when 40 teams submit simultaneously: two copies of the same correct flag from one team arrive in the same instant, both pass the "already solved?" check, and the team is credited twice.&lt;/p&gt;
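&lt;p&gt;The scoreboard race above, as an added example (the editor's code, not CTFd's): a check-then-insert submission handler credits one team several times when identical submissions arrive together, while the same handler backed by a UNIQUE(team_id, challenge_id) constraint credits it exactly once regardless of interleaving. The schema, team and challenge names, the flag value and the sqlite3 file are constructed for the demonstration; a threading.Barrier stands in for the timing window a real server has between its "already solved?" query and the write.&lt;/p&gt;

```python
# Flag-submission race: "check then insert" versus a UNIQUE constraint.
# Added example by the editor, not CTFd's code; the schema, team and
# challenge names and the flag value are constructed for illustration.
import os
import sqlite3
import tempfile
import threading

# Constructed sample challenge: id mapped to (flag, points)
CHALLENGES = {"web-1": ("flag{constructed_example}", 100)}


def make_db(unique):
    """Create a fresh scoreboard DB; `unique` adds the per-team/per-challenge constraint."""
    path = os.path.join(tempfile.mkdtemp(), "scoreboard.db")
    con = sqlite3.connect(path)
    extra = ", UNIQUE (team_id, challenge_id)" if unique else ""
    con.execute(
        "CREATE TABLE solves (team_id TEXT, challenge_id TEXT, points INTEGER" + extra + ")"
    )
    con.commit()
    con.close()
    return path


def submit_naive(path, team, chal, flag, race_hook=lambda: None):
    """Check-then-act handler. Every concurrent request passes the SELECT
    before any INSERT lands, so the team is credited once per request."""
    expected, points = CHALLENGES[chal]
    if flag != expected:
        return False
    con = sqlite3.connect(path, timeout=10)
    cur = con.execute(
        "SELECT COUNT(*) FROM solves WHERE team_id = ? AND challenge_id = ?", (team, chal)
    )
    (already,) = cur.fetchone()
    cur.close()  # reset the read statement so no read lock lingers into the write
    if already:
        con.close()
        return False
    race_hook()  # the window a real server has between the check and the write
    con.execute("INSERT INTO solves VALUES (?, ?, ?)", (team, chal, points))
    con.commit()
    con.close()
    return True


def submit_safe(path, team, chal, flag, race_hook=lambda: None):
    """Let the database decide: the UNIQUE constraint makes every duplicate
    INSERT fail with IntegrityError no matter how the requests interleave."""
    expected, points = CHALLENGES[chal]
    if flag != expected:
        return False
    race_hook()
    con = sqlite3.connect(path, timeout=10)
    try:
        with con:  # commits on success, rolls back on error
            con.execute("INSERT INTO solves VALUES (?, ?, ?)", (team, chal, points))
        return True
    except sqlite3.IntegrityError:
        return False
    finally:
        con.close()


def team_score(path, team):
    """Points credited to a team according to the solves table."""
    con = sqlite3.connect(path)
    (total,) = con.execute(
        "SELECT COALESCE(SUM(points), 0) FROM solves WHERE team_id = ?", (team,)
    ).fetchone()
    con.close()
    return total


def concurrent_submissions(handler, path, n=3):
    """Fire n identical correct submissions at once and return the resulting score.
    The Barrier holds every thread inside the race window until all have arrived."""
    barrier = threading.Barrier(n)
    flag = CHALLENGES["web-1"][0]
    threads = [
        threading.Thread(target=handler, args=(path, "team-a", "web-1", flag, barrier.wait))
        for _ in range(n)
    ]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return team_score(path, "team-a")


if __name__ == "__main__":
    print("naive handler, 3 simultaneous submissions:", concurrent_submissions(submit_naive, make_db(unique=False), 3))
    print("safe handler,  3 simultaneous submissions:", concurrent_submissions(submit_safe, make_db(unique=True), 3))
```

&lt;p&gt;The naive handler works perfectly in a dry run with one tester, which is why this class of bug survives until event day. The lesson generalises beyond sqlite3: put the "one solve per team per challenge" rule in the database as a constraint (or an atomic insert-if-absent) and treat the constraint violation as the "already solved" signal, rather than reading first and writing second.&lt;/p&gt;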

&lt;p&gt;This is the real reason most internal CTFs don't happen annually — not lack of interest, but organizer burnout from reinventing the wheel every time.&lt;/p&gt;

&lt;p&gt;I came across &lt;a href="https://www.simulationslabs.com" rel="noopener noreferrer"&gt;Simulations Labs&lt;/a&gt; while looking for a way around this. It's a no-code CTF hosting platform — you bring the challenge ideas (or pick from their pre-built library covering web, crypto, network security and more), and the platform handles the rest: deployment, live leaderboard, submission tracking, analytics. They also have a 7-day free trial, which is enough to run a small internal competition without writing a single line of deployment code.&lt;/p&gt;

&lt;h2&gt;
  
  
  Internal vs public CTFs: different goals, different design
&lt;/h2&gt;

&lt;p&gt;&lt;strong&gt;Internal CTFs (for your team or students)&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;The goal here isn't to crown a winner — it's to surface gaps and build skills. Design challenges that cover your specific threat model. Use post-competition analytics to identify what concepts the team struggled with most, then run follow-up training on exactly those areas.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Public CTFs (open registration)&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;These serve a different purpose: talent discovery. A well-run public CTF is one of the most effective ways to find candidates who can actually do the job. Unlike résumés, a CTF leaderboard shows you exactly how someone thinks under pressure.&lt;/p&gt;

&lt;blockquote&gt;
&lt;p&gt;&lt;strong&gt;Common mistake:&lt;/strong&gt; Don't run a public CTF if you haven't tested your challenges internally first. Bugs spread instantly in CTF Discord servers — your unintended solution path becomes the only solution path within 30 minutes.&lt;/p&gt;
&lt;/blockquote&gt;

&lt;h2&gt;
  
  
  The post-CTF moment is where real learning happens
&lt;/h2&gt;

&lt;p&gt;The competition ends. Scores are frozen. Now what?&lt;/p&gt;

&lt;p&gt;Most organizers close the tab. That's a mistake. The 48 hours after a CTF are when players are most motivated to understand what they missed. This is when you should:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;Release official writeups for every challenge&lt;/li&gt;
&lt;li&gt;Host a short debrief walking through the intended solution paths&lt;/li&gt;
&lt;li&gt;Encourage participants to publish their own writeups (even wrong approaches)&lt;/li&gt;
&lt;li&gt;Share aggregate analytics: which challenges stumped the most teams, where did people get stuck&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;The writeup culture in CTF communities is one of their greatest assets. A well-written writeup teaches the same concept to ten times as many people as the original competition did.&lt;/p&gt;

&lt;h2&gt;
  
  
  A realistic timeline for first-time organizers
&lt;/h2&gt;

&lt;p&gt;&lt;strong&gt;6 weeks out:&lt;/strong&gt; Define audience, format (jeopardy vs. attack-defense), and category weights. Choose your platform.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;4 weeks out:&lt;/strong&gt; Build or source challenges. Test every challenge end-to-end. Confirm flags are unique per challenge.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;2 weeks out:&lt;/strong&gt; Open registration. Set up your competition page, rules, and hint structure.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;1 week out:&lt;/strong&gt; Dry-run with 2–3 trusted people. Fix what breaks.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Competition day:&lt;/strong&gt; Monitor in real-time. Watch for unintended solutions or infrastructure issues.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;48h after:&lt;/strong&gt; Publish writeups, collect feedback, document what to do better next time.&lt;/p&gt;
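&lt;p&gt;Two of the steps above, confirming flags are unique per challenge and watching for unintended solutions, and the shared-instance problem from the CTFd post, all come down to what a submitted flag actually proves. Added example (the editor's code, not from CTFd or any platform named in these posts): flags derived per team with HMAC-SHA256 under a server-held secret are unique by construction, and a submission that matches another team's flag is reported as shared instead of credited. The secret, team and challenge identifiers and the flag format are constructed; the static-table duplicate check covers events that still use fixed flag strings.&lt;/p&gt;

```python
# Per-team flags derived from a server secret, so a flag copied from another
# team is recognised as shared rather than credited. Added example by the
# editor; not code from CTFd or any platform named in these posts. Team and
# challenge identifiers, the secret and the flag format are constructed.
import hashlib
import hmac
import re

# Constructed flag format: "flag{" followed by 24 hex characters and "}"
FLAG_RE = re.compile(r"^flag\{[0-9a-f]{24}\}$")


class FlagService:
    def __init__(self, server_secret, challenge_ids, team_ids):
        self._secret = server_secret            # stays on the scoring server, never in a challenge container
        self.challenge_ids = set(challenge_ids)
        self.team_ids = set(team_ids)

    def issue(self, challenge_id, team_id):
        """Flag to bake into this team's own instance of the challenge.
        HMAC-SHA256 keyed with the server secret, so nothing inside one
        instance lets its team compute another team's flag."""
        if challenge_id not in self.challenge_ids or team_id not in self.team_ids:
            raise KeyError("unknown challenge or team")
        msg = challenge_id.encode() + b"\x00" + team_id.encode()  # separator prevents id concatenation collisions
        digest = hmac.new(self._secret, msg, hashlib.sha256).hexdigest()[:24]
        return "flag{" + digest + "}"

    def check(self, challenge_id, team_id, submitted):
        """Verdict tuple: ('correct', None), ('shared', owning_team) or ('wrong', None)."""
        submitted = submitted.strip()
        if not FLAG_RE.match(submitted):
            return ("wrong", None)
        if hmac.compare_digest(self.issue(challenge_id, team_id), submitted):
            return ("correct", None)
        # Scan the other teams' derived flags so that flag sharing is attributable.
        for other in sorted(self.team_ids):
            if other != team_id and hmac.compare_digest(self.issue(challenge_id, other), submitted):
                return ("shared", other)
        return ("wrong", None)


def duplicate_static_flags(flag_table):
    """Pre-event check for the 'flags are unique per challenge' step when flags
    are fixed strings: returns (first_challenge, later_challenge) pairs that
    reuse the same value, in table order."""
    first_seen = {}
    dupes = []
    for challenge_id, flag in flag_table.items():
        if flag in first_seen:
            dupes.append((first_seen[flag], challenge_id))
        else:
            first_seen[flag] = challenge_id
    return dupes


if __name__ == "__main__":
    svc = FlagService(b"constructed-server-secret", ["web-1", "crypto-1"], ["alpha", "bravo"])
    alpha_flag = svc.issue("web-1", "alpha")
    print("alpha submits own flag:   ", svc.check("web-1", "alpha", alpha_flag))
    print("bravo submits alpha's flag:", svc.check("web-1", "bravo", alpha_flag))
    print("static-table duplicates:   ",
          duplicate_static_flags({"web-1": "flag{same}", "web-2": "flag{same}", "web-3": "flag{other}"}))
```

&lt;p&gt;Per-team flags deter copying between teams and tell you who leaked; they do not stop one participant from breaking a shared environment, which still needs a separate instance per team. The check scans every team's derived flag on a miss, which is fine for a few hundred teams; at larger scale store the derived values in an indexed table at issue time and look the submission up directly.&lt;/p&gt;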




&lt;p&gt;A CTF that people actually learn from isn't more expensive or harder to organize than a bad one. It just requires thinking about learning outcomes &lt;em&gt;before&lt;/em&gt; challenge difficulty. Get that ordering right, and everything else follows.&lt;/p&gt;

</description>
      <category>ctf</category>
      <category>security</category>
    </item>
  </channel>
</rss>
