The use of a CTF in formal education: challenges and perspectives
Abstract
Games are effective for engaging and promoting learning. In Cybersecurity courses, one of the most commonly used games is capture the flag (CTF). The competitive factor can be motivating, but it is essential that the primary goal be learning. Therefore, games should be designed to align challenge and pedagogical content, ensuring that the experience contributes to educational objectives. This paper describes challenges and prospects regarding the maintenance of the TreasureHunt, a CTFs generator that has been used in Cybersecurity classes for the last eight years.References
Burket, J., Chapman, P., Becker, T., Ganas, C., & Brumley, D. (2015). Automatic problem generation for Capture-the-Flag competitions. 3GSE’15.
Cheung, R. S., Cohen, J. P., Lo, H. Z., & Elia, F. (2011). Challenge based learning in cybersecurity education. SAM’11, 1.
De La Cruz, J. & Das, S. (2022). SoK: a proposal for incorporating accessible gamified cybersecurity awareness training informed by a systematic literature review. USEC’22.
Feng, W. C. (2015). A Scaffolded, Metamorphic CTF for Reverse Engineering. 3GSE’15.
Furnell, S., Helkala, K., & Woods, N. (2021). Disadvantaged by disability: examining the accessibility of cyber security. HCI International, 197-212.
Irvine, C. E., Thompson, M. F., & Allen, K. (2005). CyberCIEGE: gaming for information assurance. IEEE Security & Privacy, 3(3), 61-64.
Kuo, C. C., Chain, K., & Yang, C. S. (2018). Cyber attack and defense training: Using emulab as a platform. IJICIC, 14(6), 2245-2258.
Ladeira, R. R. (2018). TreasureHunt: Geração automática de desafios aplicados no ensino de segurança computacional (Dissertação de mestrado). UDESC, Joinville.
Otto, V. A. U., & Ladeira, R. R. (2021). Uma Análise de Critérios de Acessibilidade em Interfaces web de Jogos de Segurança Computacional. COTB’21, 12, 563-566.
Renaud, K. (2021). Accessible cyber security: the next frontier?. International Conference on Information Systems Security and Privacy, 9-18.
Schreuders, Z. C., Shaw, T., Shan-A-Khuda, M., Ravichandran, G., Keighley, J., & Ordean, M. (2017). Security Scenario Generator (SecGen): A Framework for Generating Randomly Vulnerable Rich-scenario VMs for Learning Computer Security and Hosting CTF Events. ASE’ 17.
Stelea, G. A., Sangeorzan, L., & Enache-David, N. (2025). When Cybersecurity Meets Accessibility: A Holistic Development Architecture for Inclusive Cyber-Secure Web Applications and Websites. Future Internet, 17(2), 67.
Tseng, S. S., Yang, T. Y., Shih, W. C., & Shan, B. Y. (2024). Building a self-evolving iMonsters board game for cyber-security education. Interactive Learning Environments, 32(4), 1300-1318.
Vigna, G. (2003). Teaching network security through live exercises: Red team/blue team, capture the flag, and treasure hunt. WISE 2003, 3-18.
W3C. (2023). Web Content Accessibility Guidelines (WCAG) 2.2. World Wide Web Consortium (W3C). [link].
Zouahi, H. (2023). Gamifying Cybersecurity Education: A CTF-based Approach to Engaging Students in Software Security Laboratories. CEEA.
Cheung, R. S., Cohen, J. P., Lo, H. Z., & Elia, F. (2011). Challenge based learning in cybersecurity education. SAM’11, 1.
De La Cruz, J. & Das, S. (2022). SoK: a proposal for incorporating accessible gamified cybersecurity awareness training informed by a systematic literature review. USEC’22.
Feng, W. C. (2015). A Scaffolded, Metamorphic CTF for Reverse Engineering. 3GSE’15.
Furnell, S., Helkala, K., & Woods, N. (2021). Disadvantaged by disability: examining the accessibility of cyber security. HCI International, 197-212.
Irvine, C. E., Thompson, M. F., & Allen, K. (2005). CyberCIEGE: gaming for information assurance. IEEE Security & Privacy, 3(3), 61-64.
Kuo, C. C., Chain, K., & Yang, C. S. (2018). Cyber attack and defense training: Using emulab as a platform. IJICIC, 14(6), 2245-2258.
Ladeira, R. R. (2018). TreasureHunt: Geração automática de desafios aplicados no ensino de segurança computacional (Dissertação de mestrado). UDESC, Joinville.
Otto, V. A. U., & Ladeira, R. R. (2021). Uma Análise de Critérios de Acessibilidade em Interfaces web de Jogos de Segurança Computacional. COTB’21, 12, 563-566.
Renaud, K. (2021). Accessible cyber security: the next frontier?. International Conference on Information Systems Security and Privacy, 9-18.
Schreuders, Z. C., Shaw, T., Shan-A-Khuda, M., Ravichandran, G., Keighley, J., & Ordean, M. (2017). Security Scenario Generator (SecGen): A Framework for Generating Randomly Vulnerable Rich-scenario VMs for Learning Computer Security and Hosting CTF Events. ASE’ 17.
Stelea, G. A., Sangeorzan, L., & Enache-David, N. (2025). When Cybersecurity Meets Accessibility: A Holistic Development Architecture for Inclusive Cyber-Secure Web Applications and Websites. Future Internet, 17(2), 67.
Tseng, S. S., Yang, T. Y., Shih, W. C., & Shan, B. Y. (2024). Building a self-evolving iMonsters board game for cyber-security education. Interactive Learning Environments, 32(4), 1300-1318.
Vigna, G. (2003). Teaching network security through live exercises: Red team/blue team, capture the flag, and treasure hunt. WISE 2003, 3-18.
W3C. (2023). Web Content Accessibility Guidelines (WCAG) 2.2. World Wide Web Consortium (W3C). [link].
Zouahi, H. (2023). Gamifying Cybersecurity Education: A CTF-based Approach to Engaging Students in Software Security Laboratories. CEEA.
Published
2025-10-16
How to Cite
LADEIRA, Ricardo de la Rocha; TILLMANN, Luana; ESPIG, João Vitor.
The use of a CTF in formal education: challenges and perspectives. In: REGIONAL SCHOOL OF INFORMATICS OF ESPÍRITO SANTO (ERI-ES), 10. , 2025, Espírito Santo/ES.
Anais [...].
Porto Alegre: Sociedade Brasileira de Computação,
2025
.
p. 154-157.
DOI: https://doi.org/10.5753/eries.2025.15989.
