Welcome!
We're glad to see that you're interested in competing with us as part of the Collegiate Penetration Testing Competition (CPTC)! At its heart, CPTC is a bit different from several other collegiate Cybersecurity competitions. Instead of defending your network, searching for flags, or claiming ownership of systems, CPTC focuses on mimicking the activities performed during a real-world penetration testing engagement conducted by companies, professional services firms, and internal security departments around the world.
Each year our volunteers and sponsors develop an immersive mock organization which is seeking penetration testing services. Competitors play the role of a consulting firm that is providing this service to our organization. Each team will be provided with a completely identical but separate and segmented environment to perform their testing. Just as with a real-world pen-test, you will be asked to provide deliverables, presentations to company management, and recommendations on vulnerabilities discovered during your test.
Teams will be scored not just on the technical vulnerabilities discovered, but also on their professionalism and communication skills. We will have members of the company IT team and management on-hand during the competition to answer any questions that you may have or issues that may arise during your testing of the company’s network.
CPTC10 Timeline
Vendor Security Audit
Sept 1st, 2024, rolling thereafter
Regional Events
Oct 19th - 20th*
Great Lakes
International
Nov 2nd - 3rd*
New England
Central
Nov 16th - 17th*
Western
SoCal
Southeastern
(Date Changed)
* Some regions have events on Friday. Check with your Regional Host to confirm arrival time. Competition will take place Saturday for all regions.
Global Finals
January 18th - 20th
Global Cybersecurity Institute
Rochester Institute of Technology
Rochester, New York
United States
CPTC 10 Registration is Open!
We are doing something different this year and replacing the RFP process with a Vendor Security Assessment (VSA).
YOU: To submit your registration for this season of CPTC, please complete the form below.
YOU: Next, follow the instructions below to submit your Vendor Security Assessment (VSA) via the CPTC Ticketing system. Once both portions are completed and as long as the VSA contains all required portions, your application will be complete.
US: The CPTC Registration team will notify teams within 3 business days that it has received their application and VSA and confirm that the application is complete.
We will be accepting applications for the first round of regional placements until September 1st at 11:59pm US Eastern.
Teams who submit after Sept. 8th will be placed on a space-available basis.
US: Teams will be informed of their status and regional placement on or before September 8th, 2024 and additional information will be requested.
YOU: Teams should respond to the Regional Placement email within 3 business days with the additional information.
Your placement is NOT GUARANTEED if you do not respond to this email within 3 business days with the additional information.
How to Submit a Ticket to CPTC Ticketing System
Visit https://support.cp.tc/
Click New Support Ticket
Fill out the details below
Requester (This is your name).
Subject: “University name, Vendor Security Assessment”
Region: Your top preferred region.
Description: Any in-character welcome note you wish to have attached to your VSA as well as any questions you may have.
Click attach a file and upload your completed VSA document. There should only be one file here. Please submit the attachment in the same format (Excel document).
Verify you are not a robot (if you are, find the nearest human to beat the CAPTCHA).
Click “Submit”.
Wait patiently for up to 3 business days while the CPTC Registration Team reviews your application.
We are looking forward to seeing everyone for another exciting season of CPTC! Feel free to forward this email to anyone else that you think might be interested in participating this year or another school you wish to compete against!
Competition Structure
Online Registration (Qualifier)
The competition generally kicks off with the release of an online registration deliverable that mimics how a vendor would start to engage with a client in the real world. This has come in many forms over the years, from a simple sign-up to an RFP response to a vendor security audit.
Regionals
The top 10 responses per region are selected to advance (preference for early submissions) to the in-person engagement at the Regional Host Institution they are assigned. Here, competitors will spend the day penetration testing a piece of the client's environment, being mindful of the scope and client requests. They will also prepare a professional report and submit it for evaluation. Evaluation is based on both their technical abilities in the environment and their ability to communicate effectively via the report.
Finals
The top team in each region is guaranteed a spot at the Global Finals. All other teams will be ranked against each other and the remaining Finals spots will go to the top finishers across the globe. The Global Finals is held at the ESL Global Cybersecurity Institute on the Rochester Institute of Technology’s campus in Rochester, New York, United States. Here, the competitors will spend 2 full days in the client's environment. They will also prepare a report AND a presentation, which will be delivered live to a panel of industry executive judges. Evaluation will be based on their technical skills, their ability to communicate across all levels both orally and in writing, and their overall professionalism throughout the weekend. The Top 3 winners are announced at the conclusion of the event.
Team Composition
Teams are composed of up to 6 competitors (minimum 3)
Teams can additionally register 2 alternates
Alternates can be swapped between Regionals and Finals, but cannot be “hot swapped” during an event.
Alternates are not permitted to assist with after-hours competition activities, such as report writing and proofreading.
2 coaches (minimum 1)
At least 1 coach is REQUIRED to travel with the team
Pro Tip: There is more to penetration testing than just technical findings.
The most successful teams have been cross-major (cross-functional), with at least 1 writing or communications intensive member.
Rules
While these don’t change much year to year, we do make revisions between each competition season to keep the rules current based on our experiences! Still have questions? Please contact us!