Why Playing Capture the Flag Will Make You a Cyber Elite

The goals of capture the flag (CTF) are simple—outthink, outwit, outhack. If you run in cyber circles you already know how to play: Apply real-world hacking tools to infiltrate a computer system, find intentionally placed vulnerabilities, and exploit them to capture a “flag," a string of code that proves you discovered the flaw.

 “There’s a whole underground culture around it,” says Tim Nary, resident cyber expert at Booz Allen’s Dark Labs, the firm’s elite group of security engineers.  

“Yeah, we’re all nerds,” laughs Fred Frey, Dark Labs’ technical director.

But what you may not know is that Booz Allen’s leadership, recognizing the development potential of CTF, supports these players and their passion, in ways big and small.

It’s all part of the firm’s mission to empower people to change the world, tap our collective ingenuity, and invest in our talent over the long term to create opportunities for the future. CTFs help us—and you—achieve that in several ways.

“CTF teaches you to learn on the fly and work with technologies and systems you might not have used before,” Tim says. “You need that hacker spirit, that creativity, that way of figuring out how to get around constraints. You have to outthink someone who’s trying to stop you from doing what you’re doing.”

It’s a battle that develops teamwork, improvisation, offensive and defensive strategy, and, above all, persistence.

“It’s a cyber war game,” says Tim. “Secrets are hidden in technical puzzles and we have to crack them.”

Fred describes CTF players as “people who like mysteries and challenges. You need a thorough knowledge of computer science: Not just how to program, but how not to program. You have to know reverse engineering, higher-level programming languages, low-level assembly code instructions, security vulnerabilities. Whoever’s writing the binary is your opponent and you’re trying to find a weakness in their game.”

Booz Allen’s CTF team, BAH Humbug, is gaining prestige in CTF circles. The team has been playing—and growing—together for five years. These days, they compete in several CTF events a year and have won multiple titles. The events are good times—and really good practice—for the World Series of CTF: DEF CON.

The DEF CON Qualifiers separate the top 15 teams from almost 400 hopefuls and send them to Las Vegas to cyber-duke it out for the world championship. Two years ago, BAH Humbug placed 89^th. This year they were 49^th. Next year they intend to go all the way to Vegas.

The team is uniquely qualified to excel in the competition—our cybersecurity pros spend their days safeguarding critical medical devices, traffic control systems, oil and gas infrastructure, clean water supplies, and just about every other network that keeps our world turning.

BAH Humbug’s members can charge competition time and enjoy plenty of company-provided pizza and energy drinks. For this year’s DEF CON Qualifiers, Booz Allen rented a house for the team. For 48 hours, the team members competed until 4 a.m., crashed, and got back to it “college style” the next morning, Tim says.

The process is “100 percent collaborative,” he adds. Camaraderie aside, though, there’s still the question of why—why play a mentally exhausting game for days on end? Because to the cyber professionals engrossed in the challenges, CTF is a high-stakes puzzle waiting to be solved, with real-world parallels that affect their work and all of our lives.

“Some people play baseball. Some people play basketball. We hack,” says Fred. “Why do mountain climbers climb? Because the mountain is there. Because it’s a calling.”