Comparative analysis of CTF platforms for cybersecurity training

Olga R. Laponina, Vasily A. Matoshenko


The article discusses the procedure for introducing game mechanisms into the educational process. It describes the main elements of gamification and the concept of the "Capture the Flag" (CTF) game element, and considers the basic principles of CTF platform architecture and the general scheme for organizing CTF competitions. The following types of CTF competitions are considered: "Quiz", "Attack-Defense", "Jeopardy" (or "Task-Based"), "King of the Hill", and "Mixed". The article defines the main requirements for CTF platforms and the criteria for their comparison. The requirements highlighted for CTF platforms are: ease of installation, cross-platform support, ease of configuration, status monitoring, extensibility, and interactivity.

This article discusses five CTF platforms: WebGoat and Security Shepherd from OWASP, and CTFd, FBCTF, and RootTheBox from third-party developers. The last three CTF platforms use Juice Shop from OWASP as a deliberately vulnerable application, which is considered separately. All platforms implement the main vulnerabilities from the OWASP Top 10. All platforms are open source and available on GitHub.






ISSN: 2307-8162