DEV Community

MT

CTFd Was Built for Hackers. That's Exactly Why It Doesn't Work for Corporate Security Training.

Let me say upfront that CTFd is a great piece of software. It's open source, it's been battle-tested at thousands of competitions, and the community around it is genuinely solid. If you're a university CTF club or a group of hobbyists who want to run an annual competition and have a DevOps person on the team — CTFd is probably fine.

But I keep seeing companies reach for it when they want to train their security teams or test their employees' skills. And almost every time, it turns into a quiet disaster. Not because CTFd is bad, but because it was never designed for what companies are actually trying to do with it.

Here's what I mean.

You have to build everything yourself — including the challenges

CTFd is a platform, not a product. It gives you the scaffolding: the scoreboard, the submission system, user management, basic challenge types. What it doesn't give you is actual content.

For a CTF club, that's fine. Challenge authors exist. People volunteer their time. You have months to write interesting problems. But when a company's security manager wants to run a skills assessment for 40 employees next quarter, they don't have a roster of challenge authors. They have a calendar and a budget. Building even a basic set of web, crypto, and network challenges from scratch takes dozens of hours of skilled engineering time, and that's before you test them to make sure they're not broken, not trivially solvable, and not accidentally unsolvable.

The result is usually the same: whoever "owns" the initiative spends three weeks writing mediocre challenges, the CTF runs once, nobody is confident in what it actually measured, and it doesn't happen again next year.

Self-hosting CTFd is a real job

The open source version of CTFd is free, but free doesn't mean zero cost. You're running Flask, MariaDB, Redis, and Nginx at minimum. You need to configure workers correctly: Gunicorn defaults to a single worker, and CTFd's docker-compose ships with WORKERS=1, which falls apart the moment you have more than a handful of concurrent users. You need to handle TLS, rate limiting, reverse proxy config, and DDoS mitigation. During a live event, someone needs to be watching all of it.
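To make the "reverse proxy, TLS, rate limiting" list concrete, here is an Nginx front-end for a self-hosted CTFd. This is an added example, not configuration from the post or from the CTFd project. It assumes CTFd is listening on 127.0.0.1:8000 (the port its docker-compose exposes), a hostname of ctf.example.com, and Let's Encrypt certificate paths; all three are placeholders to replace.

```nginx
# Added example (not from the post or the CTFd project).
# Assumptions: CTFd on 127.0.0.1:8000, hostname ctf.example.com,
# certificates under /etc/letsencrypt. All are placeholders.

# Per-client-IP limits. Flag submissions get a tight cap: 10 per
# minute, with a burst of 5 so a fast honest solver is not blocked.
limit_req_zone $binary_remote_addr zone=ctfd_flags:10m rate=10r/m;
# Everything else (page loads, scoreboard polling, API reads) gets a
# looser cap that still blunts a single-source flood.
limit_req_zone $binary_remote_addr zone=ctfd_general:10m rate=10r/s;

# Plain HTTP only redirects to HTTPS; nothing is served over it.
server {
    listen 80;
    server_name ctf.example.com;
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl;
    server_name ctf.example.com;

    ssl_certificate     /etc/letsencrypt/live/ctf.example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/ctf.example.com/privkey.pem;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers off;

    # Challenge files are uploaded through the admin UI; cap the body
    # size so a stray multi-gigabyte upload cannot tie up a worker.
    client_max_body_size 64m;

    # Flag submission is the endpoint both players and brute-forcers
    # hammer, so it gets the strict zone. CTFd also rate-limits this
    # internally; the proxy layer stops the traffic before it reaches
    # a Gunicorn worker at all.
    location = /api/v1/challenges/attempt {
        limit_req zone=ctfd_flags burst=5 nodelay;
        limit_req_status 429;

        proxy_pass http://127.0.0.1:8000;
        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }

    # Static assets are cheap; let clients cache them so scoreboard
    # refreshes during the event do not re-fetch CSS and JS.
    location /themes/ {
        proxy_pass http://127.0.0.1:8000;
        proxy_set_header Host $host;
        expires 1h;
    }

    location / {
        limit_req zone=ctfd_general burst=20 nodelay;
        limit_req_status 429;

        proxy_pass http://127.0.0.1:8000;
        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;

        # Fail fast rather than queueing forever if a worker is stuck.
        proxy_connect_timeout 5s;
        proxy_read_timeout    30s;
    }
}
```

Two CTFd-side settings go with this: raise WORKERS in docker-compose.yml from its shipped value of 1 to something proportional to your CPU count, and set REVERSE_PROXY=true so CTFd trusts the X-Forwarded-* headers above and logs real client addresses instead of 127.0.0.1 (without that, per-IP rate limits inside CTFd would see every player as the proxy). Test the limits before event day with a few hundred scripted flag submissions from one host and confirm you get 429s, not 502s.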

The self-hosting guides are good. The community is helpful. But this is genuinely DevOps work. Companies that don't have spare DevOps capacity — which is most of them — end up either skipping the self-hosted route or deploying something misconfigured that breaks on event day.

The managed tiers solve infrastructure but not content

CTFd's hosted plans start at $60/month for the basic tier and go up to $360/month for the professional tier. That handles the server side. But you still have no challenges. You still have no learning paths. You still have no content library. The managed plans give you a place to run your CTF; they don't give you anything to actually run.

For a single annual event, paying a monthly subscription while you spend six weeks building content is a hard sell internally.

Dynamic challenge instances are an enterprise feature, and the pricing reflects it

Here's a real problem that comes up fast in corporate settings: shared challenge instances. If you have 40 employees working on the same web exploitation challenge on the same server, one person can accidentally — or intentionally — break the environment for everyone. You need per-user isolated instances.

In CTFd, that's an Enterprise-tier feature, and the Enterprise tier means contacting sales. There's no public pricing. For smaller companies, the conversation often ends there.

Analytics are shallow for training purposes

CTFd's admin panel gives you submission counts, solve rates, and a leaderboard. That's useful for running a competition. It's not enough for a company trying to answer the question: "which employees are weak on web security and need follow-up training?" You get scores, not insights. Aggregate data, not individual skill maps. If the goal is genuine assessment — the kind HR or a CISO would act on — CTFd requires significant customization or third-party tooling to get there.

The platform is optimized for events, not ongoing learning

This is the fundamental mismatch. CTFd is designed around the structure of a competition: start time, end time, frozen scoreboard. That works beautifully for a 48-hour public CTF. It works less well for a company that wants to run quarterly skill assessments, or maintain an internal practice environment where employees can work through challenges on their own schedule between events.

Persistent environments, learning paths, and progress tracking across multiple sessions aren't what CTFd was built for.


If CTFd isn't the right fit, what is?

The honest answer is it depends on your priorities, your team's technical capacity, and your budget. Here are the main alternatives worth looking at:

Hack The Box for Business — The most recognized name in corporate cybersecurity training. High-quality content library, enterprise analytics, individual skill graphs, and scalable infrastructure. The premium option. Budget accordingly.

TryHackMe for Business — More beginner-friendly than HTB. Good learning paths, solid content library, and a CTF builder that lets you spin up events from existing challenges without building from scratch. Better for teams with mixed skill levels.

Simulations Labs — A no-code platform built specifically for hosting CTFs and cyber drills. Includes a pre-built challenge library covering web, crypto, and network security, supports both internal and public competition modes, and is straightforward to set up without DevOps involvement. A solid middle ground between CTFd's DIY flexibility and HTB's premium pricing.

CyberTalents — Strong community presence, particularly in the MENA region. Has hosted 100+ competitions and offers challenge content, real-time support during events, and training resources for less experienced participants.

Parrot CTFs — Newer entrant in the managed CTF hosting space. Fully turnkey approach with white-glove support and custom challenge development available. Worth evaluating if you want a hands-off experience from day one.


CTFd will almost certainly keep powering the majority of the world's public CTF competitions, and it should — it's excellent at that. But if you're a company trying to genuinely measure and develop your security team's skills, it's worth being honest with yourself about whether you're choosing it because it's the right tool or because it's just the one you've heard of.
