Challenge Generation
Challenge generation is the core capability of CTFFactory. The AI engine takes your inputs β a category, a difficulty level, optional quality profile settings, and an optional natural-language prompt β and produces a complete, playable challenge including scenario text, infrastructure configuration, a hidden flag, optional hints, and an optional writeup.
The Generation Form
Every generation starts with the same form, whether you are generating a single challenge in the Playground or populating a CTF event. The fields are:
| Field | Required | Description |
|---|---|---|
| Category | Yes | The technical discipline (Web, Crypto, Forensics, etc.) |
| Difficulty | Yes | easy, medium, hard, or insane |
| CTF Orientation | Yes | Competitive or Educational |
| Scenarization | Yes | Neutral, Light Narrative, or Immersive |
| Assistance Level | Yes | No Hints (currently the only option) |
| Solution | Yes | Writeup or No Writeup |
| Theme | No | Visual aesthetic override |
| Universe | No | Narrative lore override |
| Challenge Spec | No | Constrain generation to a specific technical subtype |
| Prompt | No | Free-text directive to the AI |
Writing an Effective Prompt
The prompt is your natural-language instruction to the AI. It is optional but powerful.
Prompt Tips
- Be specific about the vulnerability class.
"An insecure deserialization challenge using Python's pickle module"yields a more focused result than"a hard web challenge". - Describe the environment. Mentioning a framework (Django, Flask, Express) helps the AI produce realistic scenario text and infrastructure.
- State what to avoid.
"Do not use SQL injection; I already have one"prevents duplicate techniques in a multi-challenge event. - Reference the audience.
"Suitable for university students who know basic Python"calibrates the expected knowledge level.
[!TIP] Prompts do not need to be long. One or two specific sentences outperform a vague paragraph.
Example prompt:
"Generate a medium-difficulty web challenge where the player exploits a Server-Side Template Injection
vulnerability in a Jinja2 Flask application. Include a realistic company backstory."
Quality Profiles in Detail
CTF Orientation
Competitive challenges assume the player already knows the domain. Descriptions are minimal, flags are opaque, and there is no pedagogical scaffolding. Use this for ranked competitions.
Educational challenges include a learning objective, contextual background, and step-by-step framing. Use this for training programs or onboarding events.
Scenarization
Neutral output contains no fictional framing. The challenge description explains the task directly.
Light Narrative adds a brief scenario β a fictitious company, a plausible breach premise β without deep lore.
Immersive challenges are fully embedded in the selected Universe's fictional world. Character names, organizations, and plot threads from the Universe appear in the challenge text.
Assistance Level
Currently, No Hints is the standard setting. Challenges generated without hints are leaner and better suited for competitive scoring environments.
Solution
Selecting Writeup instructs the AI to produce a detailed, step-by-step solution alongside the challenge. Writeups appear only in the organizer/ folder of the deployment bundle and are never exposed to players unless explicitly published post-event.
Challenge Spec Directives
Challenge Specs pre-constrain the AI to a specific technical area defined by three axes:
- Family β broad vulnerability class (e.g., Injection, Cryptanalysis, Memory Corruption)
- Subtype β specific technique within the family (e.g., SQL, RSA Low Exponent, Stack Overflow)
- Category β the CTF discipline the challenge belongs to
When a spec is selected, the free-text prompt supplements rather than replaces the spec directive. The AI honors the spec's technical constraints first.
[!NOTE] Challenge Specs are curated by the CTFFactory team. New specs are added with each platform release. You can request additions via the community forum.
Generation Modes
Single Challenge (Playground)
Generates one challenge in isolation. Ideal for prototyping, personal practice, or testing a new spec before committing it to an event.
Batch Generation (CTF Event)
Generates multiple challenges simultaneously within an event. You specify count, category distribution, and difficulty mix. The AI engine runs parallel jobs and returns all results when the batch completes.
Spec-Driven Generation
Selects one spec per challenge and generates exactly what the spec defines. Useful for building a syllabus-aligned event where each challenge maps to a learning objective.
Reviewing Results
After generation, the review panel shows:
- Description β the player-facing challenge text
- Flag β the solution string (hidden by default; click the eye icon)
- Hints β if generated, shown in reveal order
- Writeup β the solution guide (organizer only)
- Metadata β estimated solve time, category, difficulty
If the output is unsatisfactory, click Regenerate to produce a new variation using the same parameters. Inline editing is available for the title, description, and hints. Flag values can be regenerated independently without re-running the full generation.
[!WARNING] Each generation attempt consumes AI credits from your workspace quota. Review the output carefully before regenerating to conserve credits.