Resources to help you design security CTF and wargame challenges.
- General
- Approaches & Specific Designs
- Engineering
- Game/Puzzle Design
- Learning, Curiosity & Gamification
- Running Events
- Weird Machines & Esolangs
- Escape Rooms & Puzzle Hunts
- Mario Maker Troll Levels
- Finding Challenge Ideas
- The Many Maxims of Maximally Effective CTFs - Some important maxims to live out when making a CTF.
- What makes a programming exercise good? (Blog post) - Blog post from Julia Evans.
- CTF Design Guidelines - Design guidelines for CTF authors and organizers
- Hit ’em Where it Hurts (PDF) - A paper presenting the design of a novel kind of live security competition centered on the concept of Cyber Situational Awareness.
- A Serious Game for Eliciting Social Engineering Security Requirements (PDF) - A card game which all employees of a company can play to understand threats and document security requirements.
- Collection Deck (Website) - A training game designed by the CIA to teach employees about various collection capabilities.
- A “Divergent”-themed CTF and Urban Race for Introducing Security and Cryptography (PDF) - A set of CTF exercises and a physical activity based on an urban race, both of which are tied into a fictional story that students act out.
- Teaching Network Security Through Live Exercises (PDF) - This paper describes a series of live exercises that have been used in a graduate-level Computer Science course on network security.
- ARE CTF CREATORS EVIL?! - A Conversation around realworld CTF's with Adam Langley (Video) - Conversation session between STÖK and Adam Langley
- OOO DEF CON CTF finals infrastructure code - All the game components necessary to run an Attack-Defense CTF that OOO used from 2018-2021
- AutoCTF - Creating Diverse Pwnables via Automated Bug Injection (PDF) - Making CTFs cheap and reusable by extending a bug injection system to add exploitable vulnerabilities, enabling rapid generation of new CTF challenges.
- Security Scenario Generator (SecGen) (PDF) - A Framework for Generating Randomly Vulnerable Rich-scenario VMs for Learning Computer Security and Hosting CTF Events
- Hackerbot (PDF) - Attacker Chatbots for Randomised and Interactive Security Labs, Using SecGen and oVirt
- The Secrets of Puzzle Design (Video) - How Game Designers Explore Ideas and Themes with Puzzles and Problems.
- The Puzzle Instinct (Book)
- Designing the Puzzle (PDF) - Bob Bates's short paper on puzzle taxonomy and how to distinguish a good from a bad puzzle.
- How to make a good puzzle (Article) - An explorable explanation on how to make a puzzle that's fun, and satisfying to solve.
- Empuzzlement (Video) - Puzzle game designers talking about puzzles. Featuring: Jonathan Blow, Marc ten Bosch, and Droqen.
- Design to Reveal the Nature of the Universe (Video) - A talk from Jonathan Blow & Marc ten Bosch at IndieCade 2011.
- Open-Ended Puzzle Design at Zachtronics (Video) - Interview with Zach Barth on his studio's puzzle design process, from the initial foundation to the basic mechanics, to the way story is integrated. See also Zach-like (PDF) which is a book of behind-the-scenes design documents from Zachtronics.
- Practical Creativity (Video) - Raph Koster explains what science tells us about creativity, and offers practical straightforward steps that any game designer or developer can make use of in order to get more creative.
- Modeling and Designing for Key Elements of Curiosity: Risking Failure, Valuing Questions (PDF) - This paper presents a design model of curiosity that articulates the relationship between uncertainty and curiosity and defines the role of failure and question-asking within that relationship.
- A New Theoretical Framework for Curiosity for Learning in Social Contexts (PDF) - This framework is a step towards designing learning technologies that can recognize and evoke curiosity during learning in social contexts.
- Curious Minds Wonder Alike (PDF) - A paper that identifies fine-grained social scaffolding of curiosity in child-child interaction, and proposes how they can be used to elicit and maintain curiosity in technology-enhanced learning environments.
- Gamification for teaching and learning computer security in higher education (PDF) - A paper that presents the design and evaluation of a gamified computer security module, with a unique approach to assessed learning activities.
- Learning Obstacles in the Capture The Flag Model (PDF) - Insights and lessons learned from organizing CSAW CTF
- Organizing Large Scale Hacking Competitions (PDF) - Two new competition designs, the challenges overcome, and the lessons learned, with the goal of providing useful guidelines to other educators who want to pursue the organization of similar events
- Ten Years of iCTF - The Good, The Bad, and The Ugly (Video) - There is also a paper about this.
- Suggestions for running a CTF - Describes some of the design decisions and technical details involved in running a CTF competition.
- What are Weird Machines? (Website) - A TLDR about the concept of Weird Machines.
- Abadidea's Index of Weird Machines in Video Games (Gist) - List of intentional gameplay features which may be used as weird machines, and exploit-based machines which can be triggered by ordinary player input.
- What Hacker Research Taught Me (Video) - Sergey Bratus' keynote at the TROOPERS 2010 conference. You can find the slides here.
- The Science of Insecurity (Video) - Meredith L. Patterson's talk at 28c3. Draws a direct connection between ubiquitous insecurity and computer science concepts of Turing completeness and theory of languages
- Computer Architecture: A Minimalist Perspective (Book) - Examines computer architecture, computability theory, and the history of computers from the perspective of one instruction set computing.
- Esoteric.Codes (Website) - Languages, platforms, and systems that break from the norms of computing
- A Model to Design Learning Escape Games: SEGAM (PDF) - A methodology for designing "Serious Escape Games" for learning.
- The joyful, perplexing world of puzzle hunts - A TED talk by Alex Rosenthal about constructing puzzles and the MIT Mystery Hunt.
- The art of creating an escape room - Thijs Bosschert's talk at SHA2017 on how to create the best experience for the players, pitfalls and how to design puzzles and puzzle flows.
- Trolling for Dummies - A perpetual work in progress that will continue to be updated as the community learns more about making good troll levels, and as new techniques are discovered.
- Mario Maker 2 Multiplayer Troll Design - How to design a multiplayer troll that works and thrills the players and audiences.
- Multiplayer Contraptions in Super Mario Maker 2 - This guide is about various contraptions related to the multiplayer modes. Some of them are used to separate the mode, and others to determine the number of players.
- MulTROLLplayer Research Hub Tech Sheet - A compilation of multiplayer tech, from totally obvious to glitchy jank.
- Search RFCs by "best current practice" - IETF RFCs have a status called "Best Current Practice". This page lets you filter them using that status.
- CISA's catalog of "bad practice" - A catalog of bad practices that are exceptionally risky, especially in organizations supporting critical infrastructure or NCFs
Other Awesome Lists: