November 8, 2017 By Space Rogue 3 min read

Watching 10 different groups present on the same topic — one right after the other — might seem boring, but for me it was extremely exciting. Each presentation covered the results of a penetration test against a fictional company and lasted only 15 minutes. Each was conducted by groups of six students from 10 different universities and city colleges. That’s 10 presentations in two and a half hours. It was actually way more fun than it sounds.

The presentations were part of the national Collegiate Penetration Testing Competition (CPTC) held at Rochester Institute of Technology this past weekend. The CPTC is similar to the Collegiate Cyber Defense Competition (CCDC), but instead of defending a network from external threats, these students actually got to attack it.

With a defined scope and defined areas of engagement, the scenario puts the student teams in the position of conducting a penetration test in as close to a real-world situation as possible. The teams test a fictional company with real infrastructure that has been developed for this test. They are then ranked on not only how well they were able to penetrate the corporate infrastructure, but also on the quality of their report and presentation.

Pen Testing Takes the Spotlight

As someone who has been doing the real-life version of this contest for over 20 years, I can tell you that the skills these students are developing as part of this contest are critical to the future security of our nation’s companies and data.

According to the Center for Cyber Safety, there will be a workforce shortage of nearly 2 million cybersecurity professionals in the next few years, and pen testing is consistently ranked as one of the biggest skills in demand. Much of what is needed to be successful in this role is learned outside of the classroom: a unique mix of creativity, resourcefulness and hands-on practice with different techniques. Contests like these are a great way to refine those skills while learning from peers and mentors.

The teams competing at nationals were the leaders of the pack and advanced first through regional competitions. The top team from each region and the highest ranked teams at large from across all regions were invited, for a total of 10 teams competing at the national championships.

The scenario changes every year. Last year it was a medical device manufacturer. This year, the scenario involved Gotham Elections, a fictional global online election services company.

Not only were students challenged with testing the corporate network, but they were also tasked with determining if the voting system created for the test was secure. The students even evaluated a physical voting machine created specifically for this challenge to determine if it could be tampered with to alter the votes cast during elections.

On top of that, they had to test all of it, write their report and give their presentation within about 24 hours. That’s a lot of work and a lot of pressure, but all the teams did a fantastic job.

Grooming Future Security Professionals

As one of the judges for the presentation portion of the competition, I was amazed at just how polished and well-prepared these students were. I’ve sat on the receiving end of many penetration testing presentations from firms that actually got paid for work that was not half as polished as the presentations from these students. Contestants were also judged on how well the content matched the audience, how well they managed their time during the presentation, whether the risk to the organization was well-communicated and how well they recommended solutions for the problems they found.

In the end only one team could win, and this year that honor goes to Stanford University, followed by the University of Central Florida in second place and the University at Buffalo in third. I’m already looking forward to next year; the competition will be intense.

IBM is the premier sponsor of this event because we know that there is a very strong demand for good penetration testers in the industry, and the demand for testers with solid technical skills is even higher. When you add in the ability to write reports and the skills needed to present findings at the executive level, the demand is astronomical.

Contests like these are a great way to develop the next generation of cyberdefenders. It is comforting to know that we have such talented cybersecurity professionals ready to step up, because we all know we need them.
