Core Concepts
This page defines the fundamental building blocks of CTFFactory. Understanding these concepts will help you navigate the platform and make informed decisions when generating challenges, configuring events, and managing your team.
Workspace
A workspace is the top-level tenant in CTFFactory. All resources β challenges, CTF events, API keys, webhooks, and billing β belong to a workspace. Every user account can belong to one or more workspaces, and each workspace has its own isolated environment.
Workspace Roles
| Role | Description |
|---|---|
| Owner | Full control, including billing and workspace deletion |
| Admin | Can manage members, generate challenges, and deploy events |
| Member | Can generate challenges and participate in workspace CTFs |
| Viewer | Read-only access to challenges and event results |
[!NOTE] Enterprise workspaces can enable SSO/OIDC so that users log in through your identity provider. Custom domain and white-label branding are also available at the enterprise tier.
Challenges
A challenge is the core unit of content in CTFFactory. Each challenge contains:
- A title and description presented to the player
- A flag β the secret string a player submits to prove they solved the challenge
- An optional set of hints β progressive clues that can be revealed at a cost
- An optional writeup β a step-by-step solution guide for organizers or post-event publication
Challenges belong to one of seven categories (Web, Crypto, Forensics, OSINT, OFFSEC, Binary Exploitation, Reverse Engineering) and one of four difficulty levels (easy, medium, hard, insane).
Quality Profiles
Quality profiles let you tune the style and pedagogical intent of generated challenges before the AI runs. Three dimensions are available:
CTF Orientation
| Option | Effect |
|---|---|
| Competitive | Challenges are terse, flag-focused, and assume prior knowledge |
| Educational | Challenges include context, learning objectives, and scaffolding |
Scenarization
| Option | Effect |
|---|---|
| Neutral | No narrative framing; pure technical challenge |
| Light Narrative | Brief fictional framing (company breach, etc.) |
| Immersive | Deep lore integration aligned to the selected Universe |
Assistance Level
| Option | Effect |
|---|---|
| No Hints | Challenges are generated without hint content |
Solution
| Option | Effect |
|---|---|
| Writeup | A full solution guide is included in the organizer bundle |
| No Writeup | No solution guide is generated |
Challenge Specs
Challenge Specs are predefined templates that constrain AI generation to a specific technical area. Each spec has a family, a subtype, and a category. For example, a spec might target SQL injection (family: Injection, subtype: SQL, category: Web). Using specs ensures reproducible, focused output rather than open-ended generation.
Themes and Universes
- A Theme controls the visual aesthetic of a challenge β color palette, iconography, and UI presentation within the platform.
- A Universe provides a narrative lore layer β a fictional world or scenario that wraps challenge descriptions when Immersive scenarization is selected.
Themes and Universes are independent settings that can be combined freely.
CTF Events
A CTF event is a collection of challenges organized into a timed competition or training session. Events are configured with start/end times, participant access rules, and scoring settings. CTFFactory provisions the underlying CTFd instance automatically when you choose a managed deployment.
Deployment Bundles
When you export a CTF or a single challenge, CTFFactory produces a dual ZIP bundle:
organizer/β contains the CTFd import file, challenge metadata, flags, writeups, and admin credentialsplayer/β contains only the player-facing content, safe to distribute publicly
Learning Paths and Open Badges
Learning Paths are structured curricula aligned to the CCSSF and NICE frameworks. Each step in a path is a learning card containing theory, a lesson outline, evidence requirements, and a challenge lab (always insane difficulty, no hints, no writeup). Completing a learning path earns an Open Badges v3 credential β a machine-readable, cryptographically signed badge that can be verified by third parties.
API and Automation
Every CTFFactory workspace exposes a REST API authenticated by API keys. You can automate challenge generation, event creation, and result retrieval programmatically. Webhooks deliver real-time event notifications (challenge solved, event started, badge issued) to your own systems.