We have been hard at work developing our industry-focused CTF, and we're ready to start teasing what we've been making.

CTF Categories and Rules

BSides 2026 CTF Categories

RF

Hunt, decode, analyse and abuse signals, spectrum and wireless systems in challenges built for people who like their packets over the air.

Crypto

Crack codes, reverse ciphers and unravel cryptographic mistakes hiding secrets where they definitely should not be.

AI (!)

Break, test, prompt, manipulate and defend AI systems in challenges that explore where machine learning gets weird, risky or unexpectedly useful.

OSINT

Follow the breadcrumbs across the universe and turn scattered public clues into answers, attribution and flags.

GRC (?!)

Yes, really! Governance, risk and compliance turned into challenges that reward sharp thinking, good judgement and security-minded decision-making.

Forensics

Pick through logs, files, memory and captures to work out what happened, how it happened and what was left behind.

Web

Find the bugs, break the logic and dig through web apps full of vulnerable code, shaky auth and questionable developer choices.

Others…

The wildcard category for strange, experimental or last-minute challenges that do not fit neatly anywhere else, because sometimes the best ideas appear right before game day.

BSides 2026 CTF Rules

CTF Rules — Jeopardy Format with Dynamic Scoring

1. Competition format

This is a jeopardy-style CTF.

Challenges are organised by category, with points varied based on difficulty.

Teams may attempt challenges in any order, unless otherwise specified.

1.1. Dynamic scoring

Each challenge has:

  • a base score when unsolved

  • a minimum score floor

The score awarded decreases as more teams solve that challenge.

Scores never drop below the minimum.

This means early solves are worth more points. So no flag-hoarding in this one!

1.2. Flagship Challenges

  • The CTF includes three flagship challenges.

  • These are the highest-value challenges in the competition by far.

Unlocking

  • Flagship challenges are locked initially.

  • They are unlocked by completing a few designated story challenges.

Characteristics

  • Represent the most complex and comprehensive challenges.

  • May combine multiple disciplines, such as RF, Web, Crypto, Forensics, OSINT, or Reverse Engineering.

  • May rely on - or be assisted by - information obtained elsewhere in the CTF or conference.

1.3. Flagship Challenge Verification

Due to their high value, flagship challenge solves require manual verification.

Teams must privately submit a proof-of-solve write-up to the CTF Organisers including:

  • Solve path

  • Key observations and decisions

  • Tools or techniques used

  • Evidence of independent solution

Failure to provide sufficient evidence of human engagement with core aspects of the flagship challenge may result in:

  • withheld points

  • ineligibility for prizes

This may provoke a further set of questions from the CTF management. This is not designed to be a punitive measure, but to encourage human learning and technical growth in participants.

2. Use of AI tools is permitted

  • This includes flagship challenges. However, AI use does not exempt teams from the requirement to demonstrate meaningful human understanding and engagement with the solve.

3. Educational Write-Up or Video Explainer Prize

A separate prize will be awarded for the best educational write-up or short explainer video.

Judging criteria:

  • Clarity

  • Technical accuracy

  • Educational value

  • Reproducibility

Submissions may cover:

  • a single challenge

  • a category

  • a technique or concept

More details to be announced regarding this prize.

4. Flag submission

  • Flags must be submitted via the official platform.

  • Flags must be obtained by solving challenges in alignment with the spirit of the competition. Brute-forcing flags or exploiting the platform itself to reveal them is prohibited.

  • Do not publicly disclose solutions, flags, write-ups, walkthroughs, or challenge-specific hints until after the event is over.

  • Unintended solve paths may be patched without notice during the event.

5. Scope of activity

Only interact with systems explicitly provided.

Do not attack:

  • the scoring platform

  • infrastructure outside scope

  • other teams

Specific external help from non-participants or non-team-members is against the rules.

General learning and reference use is allowed.

Scope clarifications included in challenge descriptions are

For example, you may:

  • ask someone to remind you how a specific feature of a technology works or consult public documentation.

You may not:

  • send the problem statement, challenge files, service endpoint, or solve context to a friend, colleague, or external expert and ask them to solve it for you.

6. Teams

  • Teams must register with an appropriate name.

  • Teams compete independently; flag sharing is prohibited.

  • Each participant may have only one account.

  • Teams may have a maximum of five participants.

  • Organisers and challenge authors may participate informally if approved by the CTF organisers but are ineligible for prizes.

7. Availability and fairness

Organisers may:

  • fix or update challenges

  • patch unintended solve paths

  • restart services without notice

No guaranteed uptime is provided during the event.

No compensation, score adjustment, or prize adjustment is guaranteed for downtime.

Best effort will be made to inform all participants of technical issues and resolve them quickly.

Tie-breaks will be resolved in favour of the team with the earlier final solve timestamp.

CTF Organisers may release hints for unsolved challenges (optionally with a score adjustment to the challenge), provided these hints are shared with all participants.

8. Conduct

  • Respect other participants and organisers.

  • Disruptive or unsportsmanlike behaviour may result in disqualification or ineligibility for prizes.

RF Safety & Spectrum Use

9. Authorised RF activity only

  • RF challenges are designed for receive-only participation by competitors.

  • Participants must not transmit RF unless explicitly authorised by organisers.

  • Only designated operators, such as AREG or approved organisers, may operate transmitters.

10. Regulatory compliance

  • All event RF activity must comply with Australian Communications and Media Authority (ACMA) requirements.

  • Event transmissions, where used, will occur within appropriate allocations and operating conditions.

  • Participants must follow organiser instructions regarding RF equipment, antennas, SDRs, receivers, and foxhunt activity.

11. Receive-only participation

  • Participants may use receive-only equipment to observe, capture, decode, or analyse signals that are part of the event.

  • Participants must not:

    • transmit

    • jam

    • spoof

    • replay

    • interfere with public communications, emergency services, event infrastructure, or other participants

12. Equipment safety

  • Do not tamper with, reconfigure, damage, relocate, or interfere with provided RF equipment, antennas, SDRs, receivers, transmitters, or supporting infrastructure.

  • Follow organiser instructions at all times.

13. Foxhunt

  • Only organisers may deploy foxhunt transmitters.

  • Participants must not:

    • move foxhunt transmitters

    • tamper with foxhunt transmitters

    • shield, obscure, or damage foxhunt transmitters

14. Enforcement

  • Violations of any of the above rules may result in:

    • withheld points

    • prize ineligibility

    • disqualification

    • removal from the event

    • escalation if serious safety, legal, or regulatory breaches occur

Enforcement is at the discretion of the CTF leads.

Organiser decisions are open to appeal through the broader BSides committee.