
Hurricane Labs Reflections on CPTC10 (Collegiate Penetration Testing Competition)
It’s one thing to help support an organization with a mission that you feel strongly about. But seeing something that you feel strongly about growing from an idea into something that is making a massive impact across the Cybersecurity industry and the world is something that is difficult to put into words. But, I’m going to try.
Without further ado, this is my reflection on CPTC10 and a decade of the Collegiate Penetration Testing Competition.
The Beginnings
Like many things in life, my involvement in CPTC was much a case of knowing the right people and being in the right place at the right time. In the spring of 2014, Professor Bill Stackpole at RIT reached out to me to be part of an industry panel to listen in on final presentations from student groups in one of his classes. From this class came the idea to expand this beyond the students at RIT, and invite other schools to participate. From there, and the support of Bob Kalka, CPTC was born.
For the first several years, the event was local to RIT, and mainly attracted students from schools within a driving distance from the campus. We had a handful of dedicated core volunteers who worked tirelessly to build an infrastructure to make the event happen, and ran into a ton of challenges associated with scaling infrastructure for this type of event. We expanded beyond the walls of RIT in 2017 with three regional events, and added an international event in Dubai in 2019. With these additions, we saw a massive growth in the number of teams that were able to participate, as well as the number of volunteers to make the event possible.
One of the challenges that I’ve always faced with my involvement in CPTC is how I fit in. Unlike many of the other volunteers, I didn’t come to the event with a ton of pentesting experience. But I wanted to do what I could in order to make the event the best it could be. And that’s really what has come to make CPTC special.
As our team built out CPTC, we wanted to make it as real-world as possible. Instead of making it a CTF-style event where teams looked for certain, specific flags, we went for a more realistic approach. This involves designing a company from the ground up – figuring out what their business will look like, what types of systems will exist in their network, how those systems will work together, and what employees will make up their team. We develop custom applications to replicate systems in the environment (often with consultation from industry representatives or other experts in a given field), and create character profiles for individual employees.
In preparing and participating in the competition, students are asked to complete tasks that are based on real, current events, or on our experience in the field. Just as an example – every team that participated in CPTC10 needed to fill out a vendor security assessment (VSA) as part of their registration process. The questions in the VSA we used were based on relevant areas of interest pulled from real security assessment questionnaires that several other members of the CPTC team and I have seen in the field. We’ve also worked to add timely elements to the competition, including activities around interacting with (and escaping the security controls of) AI models and setting up vishing campaigns using AI. All of this helps make CPTC something truly special.
One of the most amazing parts of this year was to get rave reviews from other industry professionals who were seeing CPTC for the first time and impressed with its realism and educational value. Getting a chance to speak with Zach Hill from BHIS and see his enthusiasm for the event was something really special for me. That, along with seeing the students who participate in CPTC each year go into industry and share how CPTC helped them in their careers.
How Hurricane Labs fits in
One challenge I faced when first getting started in supporting CPTC was figuring out how Hurricane Labs would fit in. While we do offer pentesting services for a number of clients, it’s a relatively small part of our overall business. But fortunately, there still was a lot we could do to help support the event.
I’ve talked about this before, but CPTC has become one of my team’s favorite parts of every year. They not only get to use CPTC to practice and improve their professional skills, but use the event as an opportunity to help prepare future cybersecurity professionals to be better equipped for the real world. We do this by treating the CPTC environment like an actual Hurricane Labs managed security services customer.
Prior to each CPTC event, our team works with the application and infrastructure teams within CPTC to ensure we’re bringing the right data into Splunk, which is our tool of choice for alerting. When events are going on, there’s a team of analysts poring over logs and dashboards, and threat hunting for potential rules violations that occur. This gives the student competitors the added realism of working in an environment with an actual SOC team.
If a team’s actions during their pentest cause an impact to the customer’s business, such as locking out a number of user accounts, they’ll have the opportunity to interact with the (potentially frustrated) customer and identify a way to resolve the issue. We call these interactions “educational opportunities”, as the goal here is to not penalize the team, but instead give them a chance to handle the issue in a professional way and get immediate feedback from our team on what they did well and what they could do to improve in the future.
My Participation this Year
This year, I had the opportunity to help support four different on-site CPTC events – the Great Lakes, Central, and Western regionals, and the Global Finals event. It’s long been my goal to make it to every CPTC regional at some point, and I was able to add two new ones to my list for this year!
Leading up to the events
Prior to teams arriving on-site at a regional, there’s a ton of work to do. In addition to planning out the theme and infrastructure for the competition, there’s a lot of other parts to CPTC that need to get done. This includes coordinating any rule changes we wish to make for the upcoming season, preparing team registration and communication materials, answering team captain and coach questions, and doing our best to accommodate all the teams that want to participate at a regional event.
Since one of our main goals as organizers is to support education, we try to make every effort we can to ensure that every team that’s interested in participating has the chance to do so. With only a limited number of regional events and the challenges that come with obtaining travel funding for many schools, this often becomes a bit of a puzzle, where we’re working with different schools to identify the most cost effective regional event for them to attend.
We also try to prioritize accommodations for teams that are first time competitors as well as community colleges, so that both established and new teams have a chance to experience CPTC. Sometimes this can result in some weird placements (such as teams from Texas ending up in our New England or Western Regionals), but we’ve designed the event to offer a consistent experience across all regions and offer a wildcard scoring system to ensure that teams have a consistent chance to make it to Finals regardless of the regional where they participate.
In the end, we’ve consistently been filling all of the open spaces at all of our US-based regional events, with a small waitlist developing closer to registration. For teams that are interested in competing in CPTC in the future, our advice is to get your registration completed early once it opens to have the best chance of getting your first choice regional placement.
Great Lakes Regional, Baldwin Wallace University
The Great Lakes Regional took place in October and was our first regional weekend of the CPTC10 season. This weekend had a couple challenges as it required us to handle the international events in Dubai and Jordan during the same timeframe as this US-based event, which gave us a good test of our infrastructure team’s ability to rapidly re-deploy infrastructure with a very quick turnaround. This first weekend gives us a good stress test of all of the components of the event, and sometimes when this event is occurring we’ll identify improvements to be made to the event in real-time in order to help ensure a positive experience for the student teams.
One of the best parts of the Great Lakes Regional is its proximity to Hurricane Labs, and a lot of our teammates. We consistently have around 10 current and former members of the Hurricane Labs team (many of whom are Baldwin Wallace alumni) on-site for this regional, which is an amazing resource for ensuring that the event runs smoothly and that we always have someone who can jump in and help with whatever needs to be done.
We’ve been fortunate enough to be able to host 3 different Great Lakes regional events at Baldwin Wallace, and they’ve not only been a great partner for CPTC but also for Hurricane Labs as well. I’d especially like to thank Dr. Kenneth Atchinson for all of his support of cybersecurity education and for helping make this event (and so many others like it) possible.
Central Regional, Tennessee Tech University
Being a midwesterner, I decided that the most effective way to end up at Tennessee Tech was to drive. This is just a “short” 8 hour trip from Cleveland, but ended up having a cool CPTC connection. Along the way, we saw a sign for Buc-ee’s and decided to make a stop, since I’d never experienced one before.
While wandering around the massive expanse of beaver-themed snacks and souvenirs, someone approached me and asked if I was one of the guys who worked with CPTC. We chatted for a bit, and it turns out that I had run into an alum of CPTC from around the CPTC8 season. He mentioned that the lessons learned at CPTC really helped him when he was getting started in his career. That brief interaction alone started the trip on a high note, and really shows the impact that CPTC is having on the lives of young cybersecurity professionals.
Tennessee Tech has been a long-term regional partner for us, and Travis and Jeremy do a great job putting the event together. We also got to be one of the first events held in their brand new Ashraf Islam Engineering Building, which was a lovely space to use for the teams. I’ve been looking forward to making the trek to the Central regional since Tennessee Tech started hosting back in 2019, and I’m glad I finally had the chance to do so.
Western Regional, Stanford University
For the last CPTC10 regional weekend I did something totally different – I decided to embrace the fact that airplanes exist and visit one of the events we have on the Pacific coast. Stanford University has been a long-time regional partner and has hosted the Western regional since we’ve had a Western regional. It was great to finally get a chance to visit their campus for the regional event and help ensure that this event went smoothly. Thanks to Alex and Kerri at Stanford for their work to make this event happen.
This weekend ended up being a bit more chaotic than expected due to the fallout of Hurricane Helene, which forced us to push the Southeast regional back a month. Despite the logistical challenges, we were able to successfully complete three regional events this weekend, which set us up for Global Finals.
CPTC10 Global Finals
The culmination of the CPTC season is the Global Finals, which took place during the Martin Luther King weekend at RIT’s campus. We were fortunate to have seven different Hurricane Labs team members on site at this event, which ends up being about a quarter of the total onsite volunteers.
One of the highlights of the weekend was reflecting on a decade of CPTC, and what it means to all of us. There are four of the original founding volunteers of CPTC still involved who have poured the last 10 years of our lives into making this event something truly special, and being able to see the evolution of the competition over that timeframe is nothing short of astounding.
Three of the four 10-year CPTC volunteers: Lucas Morris, Tom Kopchak, and Bob Kalka
We also had something really unique happen this year – all three of the teams that placed at finals (Dakota State University – 1st; University of Florida – 2nd; and Penn State University – 3rd) are all schools that have never placed before at CPTC finals. To me, this really shows that being successful in CPTC isn’t based on who you are or where you come from, but instead what you put into preparing for the event and how you execute on your plan.
What an incredible team
I owe a great deal of thanks to all of my peers at Hurricane Labs for their involvement in support of CPTC this year. We are a small but mighty force who have a massive part in making the event function.
- Casey Bitting: Casey is one of the newest members of the HL leadership team as our SOC Manager, but that doesn’t mean he’s forgotten all technical skills (yet). Casey is a key member of the CPTC monitoring team, investigating alerts and threat hunting for potential rules violations during the event.
- Cameron Schmidt: Cameron uses his development skills to take the CPTC monitoring team to the next level. He’s created custom dashboards and apps in the CPTC Splunk environment, built Splunk searches faster than I can read Slack messages, and even has stepped up to handle the Splunk admin tasks I should be doing.
- Erin Call: Erin’s roles at HL and CPTC are surprisingly similar – she’s a SOC Architect for both. She builds out detections and correlation searches to help the CPTC monitoring team find anomalous activity in record time, and takes what we learn at CPTC back to HL to better support our customers and their security use cases.
- Jonathan Gavris: Jonathan is our SOARchitect at HL, and brings the same enthusiasm he has for everything to CPTC. From designing Splunk SOAR playbooks to automating responses to in-game alerts, you can clearly see his passion for CPTC and all things Splunk come through in everyone he interacts with.
- Meredith Kasper: Meredith has been at my left hand since starting as a CPTC volunteer. Without her, we simply wouldn’t have students at the events. She leads competitor communication, helps us build team materials for the event, and is a huge part of responding to the hundreds of support tickets we get over a CPTC season. For finals this year, she also took on the rollout of (and covered costs for) our AI Vishing system that students used as part of the event.
- Rocio Slobodzian: Rocio – our project management team lead at HL – also leads our outreach efforts for CPTC. She took on the massive task of coordinating discussions with CPTC sponsors and ensuring that they were welcomed at CPTC events. There were so many ways that her involvement this year helped support the event – from onboarding volunteers, to building out competition materials and slide decks, to coordinating all of the details for the CPTC10 banquet at Global Finals.
- Ryan Kazubski: Ryan is one of our SOC analysts at HL, and he enjoys working with alerts so much that he ends up doing the same thing during his free time in support of CPTC. Handling and investigating security alerts is often an exhausting, thankless job, but Ryan’s personality and enthusiasm always bring a smile to everyone’s face.
And I would be remiss to not thank Hurricane Labs for all their support of my insanity around CPTC over the past decade. From initially giving me the ability to get involved, to supporting me both financially and professionally across dozens of CPTC events over the past 10 years – I am very grateful.
We’ve done so much over the decade, and I can’t wait to see what the future holds.
*** This is a Security Bloggers Network syndicated blog from Hurricane Labs authored by Tom Kopchak. Read the original post at: https://hurricanelabs.com/blog/hlcptc10/?utm_source=rss&utm_medium=rss&utm_campaign=hlcptc10