Difficulty Levels and Challenge Categories
CTFFactory organizes every challenge along two axes: the category that defines the technical domain, and the difficulty level that calibrates the expected skill and time investment. Understanding both axes helps you build a balanced event and set appropriate expectations for participants.
Challenge Categories
CTFFactory supports seven cybersecurity disciplines. Each category maps to a distinct area of offensive and defensive security practice.
Web
Challenges in the Web category target vulnerabilities in web applications, APIs, and browser-side code. Common techniques include SQL injection, cross-site scripting (XSS), server-side request forgery (SSRF), insecure deserialization, broken authentication, and template injection. Players interact with a live or simulated web application and must exploit a flaw to retrieve the hidden flag.
Crypto
Cryptography challenges require players to break or circumvent cryptographic implementations. Topics include classical ciphers (Caesar, Vigenère), asymmetric weaknesses (RSA with small exponents, padding oracle attacks), hash collisions, stream cipher keystream reuse, and flawed protocol design. No network infrastructure is typically required; players receive files or ciphertext.
Forensics
Forensics challenges provide players with an artifact (a disk image, memory dump, network capture, log file, or media file) and ask them to recover hidden or deleted information. Techniques include file carving, metadata analysis, steganography detection, PCAP investigation, and timeline reconstruction.
OSINT
Open-Source Intelligence challenges test a player's ability to gather, correlate, and interpret publicly available information. Players may be given a name, a photograph, a username, or a partial URL and asked to trace it to a specific fact. OSINT challenges require no specialized tooling beyond a browser and careful investigative reasoning.
OFFSEC
[!NOTE] OFFSEC challenges are available on paid plans only. They are not accessible on the free tier.
Offensive security challenges simulate realistic attack scenarios: privilege escalation, lateral movement, Active Directory enumeration, and exploitation of known CVEs in realistic environments. These challenges typically involve network-accessible infrastructure and multi-stage attack chains.
Binary Exploitation
Binary exploitation challenges provide compiled binaries and require players to manipulate program execution by exploiting memory safety vulnerabilities. Techniques include stack buffer overflows, format string attacks, return-oriented programming (ROP), heap exploitation (use-after-free, double-free), and bypassing mitigations such as ASLR and stack canaries.
Reverse Engineering
Reverse engineering challenges supply a compiled binary, firmware image, or obfuscated script that players must analyze to understand its behavior and extract the flag. Techniques include static disassembly (Ghidra, IDA), dynamic analysis (GDB, Frida), bytecode decompilation, and anti-analysis bypass.
Difficulty Levels
CTFFactory uses four difficulty levels. Each level implies a target solver profile and influences how the AI calibrates challenge complexity, infrastructure depth, and the length of the solution path.
| Level | Target Solver | Expected Solve Time | Typical Challenge Depth |
|---|---|---|---|
| Easy | Beginners, students | 5–30 minutes | Single vulnerability, no chaining required |
| Medium | Practitioners with domain knowledge | 30–90 minutes | One or two steps, moderate tooling required |
| Hard | Experienced CTF players | 1–4 hours | Multi-step, requires domain expertise and custom tooling |
| Insane | Elite practitioners | 4+ hours | Novel techniques, deep exploitation chains, no scaffolding |
Easy
Easy challenges introduce a single, well-documented vulnerability class. Instructions or context within the challenge description provide substantial guidance. These challenges are appropriate for awareness training, onboarding, and beginner-track competitions.
Medium
Medium challenges require familiarity with standard tooling and domain knowledge. Players must apply a known technique correctly but may need to adapt it to the specific environment. Some trial and error is expected.
Hard
Hard challenges involve multi-step exploitation paths, less common vulnerability classes, or significant environmental complexity. Players are expected to have prior CTF experience and proficiency with professional security tooling.
Insane
Insane is the highest difficulty level and carries special meaning in CTFFactory.
- No hints are ever generated for insane challenges, regardless of the Assistance Level setting.
- No writeup is generated for insane challenges used in Learning Path challenge labs: the player must demonstrate independent mastery.
- Insane challenges may require chaining multiple vulnerabilities, developing custom exploits, or working with underdocumented protocols.
- They are used exclusively as the challenge lab component in Learning Path learning cards, ensuring that credentials are awarded only for demonstrated elite-level competency.
[!WARNING] Insane challenges are not appropriate for beginner or general-audience events. They are designed for skilled practitioners seeking to push the boundaries of their expertise.
Balancing Difficulty in an Event
A well-rounded CTF event typically follows a rough distribution:
| Difficulty | Recommended Share |
|---|---|
| Easy | 30–40% |
| Medium | 30–40% |
| Hard | 20–30% |
| Insane | 0–10% |
This distribution ensures that beginner players can score points and stay engaged while giving experienced players meaningful challenges to distinguish themselves on the scoreboard. Adjust the weighting based on the known skill level of your audience.