Announcement: CPTC11 Registration is now Open!

Announcement: CPTC11 Registration is now Open!

Welcome!

We're glad to see that you're interested in competing with us as part of the Collegiate Penetration Testing Competition (CPTC)! At its heart, CPTC is a bit different from several other collegiate Cybersecurity competitions. Instead of defending your network, searching for flags, or claiming ownership of systems, CPTC focuses on mimicking the activities performed during a real-world penetration testing engagement conducted by companies, professional services firms, and internal security departments around the world.

Each year our volunteers and sponsors develop an immersive mock organization which is seeking penetration testing services. Competitors play the role of a consulting firm that is providing this service to our organization. Each team will be provided with a completely identical but separate and segmented environment to perform their testing. Just as with a real-world pen-test, you will be asked to provide deliverables, presentations to company management, and recommendations on vulnerabilities discovered during your test.

Teams will be scored not just on the technical vulnerabilities discovered, but also on their professionalism and communication skills. We will have members of the company IT team and management on-hand during the competition to answer any questions that you may have or issues that may arise during your testing of the company’s network.

CPTC11 Timeline

Vendor Security Assessment

Sept 17th, 2025, rolling thereafter

Regional Events

Oct 18th - 19th*

  • Central

  • Great Lakes

Oct 25th-26th*

  • International

Nov 8th-9th*

  • Southeast

  • West

Nov 1st-2nd*

  • New England

  • SoCal

* Some regions have events on Friday. Check with your Regional Host to confirm arrival time. Competition will take place Saturday for all regions.

Global Finals

January 2026

Global Cybersecurity Institute

Rochester Institute of Technology
Rochester, New York
United States

Competition Structure

Online Registration (Qualifier)
The competition generally kicks off with the release of an online registration deliverable that mimics how a vendor would start to engage with a client in the real world. This has come in many forms over the year from a simple sign-up to an RFP response to a vendor security audit.

Regionals
The top 10 responses per region are selected to advance (preference for early submissions) to the in-person engagement at the Regional Host Institution they are assigned. Here, competitors will spend the day penetration testing a piece of the clients’ environments, being mindful of the scope and client requests. They will also prepare a professional report and submit for evaluation. Evaluation is based on both their technical abilities in the environment and their ability to communicate effectively via the report.

Finals
The top team in each region is guaranteed a spot at the Global Finals. All other teams will be ranked against each other and the remaining Finals spots will go to the top finishers across the globe. The Global Finals is held at the ESL Global Cybersecurity Institute on the Rochester Institute of Technology’s campus in Rochester, New York, United States. Here, the competitors will spend 2 full days in the clients environment. They will also prepare a report AND a presentation, which will be delivered lived to a panel of industry executive judges. Evaluation will be based on their technical skills, their ability to communicate across all levels both orally and in writing, and their overall professionalism throughout the weekend. The Top 3 winners are announced at the conclusion of the event.

Team Composition

  • Teams are composed of up to 6 competitors (minimum 3)

  • Teams can additionally register 2 alternates

    • Alternates can be between swapped between Regionals and Finals, but cannot be “hot swapped” during an event.

    • Alternates are not permitted to assist with after-hours competition activities, such as report writing and proofreading.

  • 2 coaches (minimum 1)

    • At least 1 coach is REQUIRED to travel with the team

Pro Tip: There is more to penetration testing than just technical findings.

The most successful team have been cross-major (cross-functional), with at least 1 writing or communications intensive member.

Rules

While these don’t change much year to year, we do make revisions between each competition season to keep the rules current based on our experiences! Still have questions? Please contact us!