CCDC: The great, the good, and the ok.
- Who am I?
- Competition Experience
- What are cybersecurity competitions?
- What is CCDC?
- CCDC: The great
- CCDC: The good
- CCDC: The ok
- AI and Cybersecurity Competitions
- Tool Development at CCDC
- Other cyber-competitions:
- Last thoughts
Who am I?
Hello everyone, my name is Noah Magill. My Discord username is planksconstant. I wanted to share a bit about my time doing cybersecurity competitions. I was the UCF captain for most of the 2025/2026 school year.
For starters, I went to UCF for my undergrad. I am currently pursuing my graduate degree there in cybersecurity and digital privacy. I participated in four years of cybersecurity-related competitions during my time at UCF as an undergraduate student.
Competition Experience
I competed in and had several podium finishes in:
- CCDC qualifiers (4 years) + regionals (4 years) + wildcard (1 year - alt) + nationals (3 years)
- 2024 National Champion
- DOE CyberForce (4 years)
- CPTC regionals (2 years) + CPTC globals (2 years)
- ISTS (4 years)
- 1st place team for 3 years
- NCL (1 year)
- Various other CTFs/etc
Needless to say, I have been doing cybersecurity competitions for quite a long time. I have very much enjoyed my time in these competitions, and now that I am no longer actively competing, I wanted to share some thoughts on the competition scene in general.
What are cybersecurity competitions?
If you are in college and want to work in cybersecurity, competing in collegiate cybersecurity competitions is a must. Most US colleges are actively competing in cybersecurity competitions in one way or another. Some are CTF-heavy, while others are more team-heavy. Find a cybersecurity club in your college or start one! UCF’s cybersecurity club is: https://hackucf.org/
What is CCDC?
CCDC stands for the Collegiate Cybersecurity Defensive Competition. It is the oldest, the largest, and most respected cybersecurity competition. It starts in a bracket-style elimination with 9 US-based regions sending one team to nationals, and the 10th nationals spot is decided through the wildcard.
CCDC-style competitions usually involve multiple OS flavors of servers, including Unix, Windows, and BSD-like servers, workstations, and firewall appliances. These often-virtual computers host a wide range of “business critical” IT services, from websites (WordPress, Drupal, etc.) to services such as file sharing (FTP/SMB/NFS). There are hundreds upon thousands of combinations of services you can see at play in a CCDC environment. Regions such as Southeast or Western do an excellent job of providing an ever-changing and wide range of service combinations that range from legacy PHP web applications to newer k8s deployments.
When you enter a CCDC-style environment, you often have either a small list of possible services or IP addresses. It is your job as the newly assumed network/IT/security administrators to find, secure, and monitor your services. All regions use a scoreboard to emulate “ghost” users performing actions on a cron-style cadence against your network. If these checks fail, you will lose points.
The premise is simple: unknown network, insecure services, and an ever-hungry APT group ready to wreak havoc.
CCDC and UCF
The University of Central Florida (UCF) has been doing cybersecurity competitions since 2013, long before I arrived. UCF holds an unmatched performance record in cybersecurity competitions with 198 “Top 3” finishes including 123 1st Place, 42 2nd Place, and 33 3rd Place finishes as of April 2026 (from CCDC-style or CTF competitions). UCF has an established program for exposing students to these competitions, largely thanks to the efforts of students within Hack@UCF and the academic sponsor, Dr. Thomas (Tom) Nedorost. If you are interested in learning and competing with some amazing people, please reach out via the Hack@UCF website: https://hackucf.org/
Why is UCF good at this…?
UCF has won SECCDC 9 times and NCCDC 6 times.
In my years of doing this, I have heard some wild claims as to why UCF is consistent with their wins. Despite rumors (lol), we do not have a crazy large budget, advanced courses, an expensive training platform, or a large AI spending budget. Hack@UCF, our cyber club, is organized as a registered student organization and reports to the UCF Office of Student Involvement. The club is open to all current UCF students and charges $10 annual dues per member. While synergistically related, Hack@UCF is organizationally independent from the UCF Collegiate Cybersecurity Competition (C3) Team. The C3 Team is organized as an academic team within the College of Engineering & Computer Science. The college’s development office solicits donations from companies and alumni to defray the C3 Team’s competition registration fees and travel expenses.
Without a doubt, most of the credit goes to our faculty sponsor and coach, Dr. Tom Nedorost. He is an excellent coach and organizer and does an amazing job at finding and recruiting students to come and compete at UCF. We regularly get students from across the United States who want to compete in cybersecurity competitions and come to UCF just to be part of our club/team. On the flip side, the majority of team members are from Florida and largely discovered the club when we arrived as freshmen (myself included). Again, our budget is limited (comparatively); the only incentive offered to students Dr. Nedorost recruits to compete on the C3 Team is a waiver of the out-of-state tuition surcharge for non-Florida residents.
Another reason we are consistent in our success is through alumni. We have had a few students who graduated and stayed involved, hiring from and providing direction to the team. Other UCF alumni help in CCDC regions, building the competition, or competing in the red team. Our alumni help us train, build practice environments, and mentor students. During the summer or part-time over the semester, most of us hold internships and jobs.
The secret sauce is quite simple, really: UCF has an established pipeline of students, involved alumni, and lastly, we do a lot of laughing. My time at UCF has yielded some great friendships, good memories, and some fantastic coworkers. We really try to put our all into winning what is at hand, but we have some great synergy going while we do it.
We do have a competitive roster, but our coaches value most the ability to be agile and learn. If you can, by all means come to UCF, and there will be a spot for you!
CCDC: The great
Spending the multitude of hours together, crammed together, pounding energy drinks produces some inside jokes, great quotes, and some high-quality memes.
By being on a CCDC team where more than likely you are not the smartest person, you quickly learn how to respect, grow, and learn in possibly one of the most stressful events you will encounter. Crap will hit the fan during a competition, no matter how many hours you prepare; these environments are meant to simulate the real world, and even the most well-prepared ones are designed to be impossibly intricate to understand in 24-48 hours, much less defend.
I struggle to articulate how much growth I have had personally, and also watching others experience this. I’ve heard alumni even outside of UCF long to be on a team as competent or as well-performing as their old CCDC team. CCDC produces some insane talent that is hard to compare to anything else.
Regardless of the “realism” that CCDC presents and how close it gets to “stepping into your first job”, the brand that it promotes offers the capacity for learning potential that I have not seen a classroom come close to. Regardless of my feelings for where the program is going, I hold much respect for the history of the program and the CCDC alumni it has produced.
Organizing a CCDC competition is very difficult. Working with budgets, sponsors, and coordinating upwards of close to 100 volunteers spanning a wide range of technical competencies is challenging. And it is largely unpaid. The organizers in the regions do this out of love for the program and a genuine desire to steer the cybersecurity industry in the right direction. I wish the rest of the cybersecurity learning industry would look at how these organizers selflessly devote time, produce results, and follow suit. Putting together even 10 servers that talk to each other in a meaningful way for 40+ teams for an event like SECCDC Qualifiers is a very difficult task.
Scoring is intricate, and the organizers more often than not treat the scores with utmost judicial precision, ensuring that teams are comfortable with the outcome being honest. This has especially been a trend in the regions as of late, which, as a competitor at the time, was very uplifting.
This is the great part about CCDC. The team that you are on, the work that goes into the regions, and the friends you make on the way.
CCDC: The good
CCDC Red Team
The red team at CCDC is also largely a volunteer/organizational effort. The time, dedication, and perseverance these volunteers bring to the table are very unique. Not to hype up my own region, but I am convinced that our region has the most capable red team in CCDC history and continues to bring insane obstacles to blue teams. This is one of the fun things in CCDC, sitting down on a machine trying to defend it while a red team is fighting tooth and nail to retain access.
Most regions do it slightly differently from each other. SECCDC allows the red team to “pre-plant” the boxes before the competitors sit down. This encourages an “assume breach” style competition where you have to secure, remove, and thwart their access while ensuring the house of cards does not come down.
Sometimes, the difference in red team capability per region introduces some misunderstandings about how competitions operate, especially between the different bracket-style wins.
My message to blue teams:
I like to think that I have seen almost everything possible at a CCDC event. I cannot begin to describe the number of times I have glanced up at the scoreboard (a banned activity on our team lol), and had waves of despair thinking about the months of preparation for us to be close to last. Keep fighting. Keep continuing. UCF has crawled from last place to first place in a matter of hours. It is possible, and the score gap is often closer than you think. Performing basic arithmetic under pressure is not advised for your team members as it relates to the scoreboard, and often, you will be wrong, lol.
One of my closest friends, and our previous team captain, had a saying, “trust the process”. It’s a cheap analogy, but if you walk into a test knowing you prepared, take confidence in that. Teams will walk away from first place or even podium finishes because they are not willing to continue, as they have lost hope. This is a huge mistake, and one I have been guilty of.
When I started as a freshman, I had no idea what in the world “iptables” or “AWS” was. The best team members are those willing to put aside ego and learn. Especially being the captain of our CCDC team last year, every team member who I had working on a task, I had the utmost confidence in them to get the job done, and if they could not do it, it could not be done. Be that person for your team.
The other message I want to share is that nobody is perfect. The organizers certainly understand this and are willing to help. Everyone understands the pressure, preparation, and sweat gone into getting into a CCDC event. I have found that organizers have been extremely nice to me when I have approached them about a problem.
Most red team members also want you to learn, and are doing this rather selflessly. Please understand this and do not take out your frustration on them.
My message to red teams:
As someone who has done this for four years, I have seen almost every trick in the book. The talent that the red teams bring to the table is unmatched. In the name of trying to prepare to bring an APT-level threat to a learning environment, some red teams have blown past this and are, frankly, scary. I have multitudes of respect for red teams.
On the flip side of this, some red teams get carried away and forget that it is hard to be a blue teamer, if not, in my opinion, harder. Quite a few successful UCF CCDC team members did red teaming before even knowing how to “blue team”. I was one of those.
Good red teaming is a rare craft and requires patience and tact. Especially at regions such as WRCCDC and SECCDC, the teams that make it to regionals are world-class. They could equally be scary red team members. As the expectation for blue teams at CCDC shifts more into “what could you do in the real world,” I think it is important that red teams adapt similarly and focus on being stealthy and careful, rather than obnoxious and breaking things they may not have intended to. I do think there is a balance that can be obtained in this. I want to discuss this later in this blog, but it is disheartening as a blue team member with only free/no AI to watch 50 paid Claude/Codex sessions throw themselves at your environment.
For pre-plant environments, I do think there should be a distinction in the goals for the red teams. Blue teams do not want to change passwords because of the multitude of times that, after the competition, their passwords get leaked on a PowerPoint while on a box that is compromised. Reward teams that carefully weed out persistence, not check boxes.
CCDC: The ok
National CCDC is the goal for every CCDC team. It promises an environment where the top teams are represented and a chance to declare yourself the best US collegiate team in cyber-defense. Historically, it has come with a trip via the sponsor to DC to tour some cybersecurity career options for the government. I’ve had the pleasure of going to nationals three times and winning once.
That being said, the nationals competitions have recently changed the scoring, visibility, and processes in the name of preventing “gamification”. This, on paper, is a great idea, but it has largely modified the game. In my 4 years of doing cybersecurity competitions, I have seen competitions try to accomplish this by introducing “vague scoring”. This is most certainly not the answer, and I have refrained from participating in certain competitions for knowing they would be scored in this manner. I fear nationals is moving in this direction and by doing so, it loses the propensity of being a cybersecurity competition and more towards IT/business. The solution to this should be more intricate scoring mechanisms, which inherently create transparency due to live updates, prevent gamification because of the number of moving parts, and emulate the real world better. Looking over Discord channels that are public, this opinion is widely shared, especially among the regions.
I greatly appreciate the volunteering effort that the national red team does, but I wonder if there is a disconnect between them and the organizers. When asking for feedback any year post 2024, the feedback was helpful and relevant, but we felt that we were considering what they proposed prior to the competition, and determined that it would’ve “gone against the spirit of the competition”, and refrained from action out of worry from being penalized. Although penalties were promised to be systematic, the orange team category alone felt like a black void of scoring, and penalties through negation in this category could be applied for “non compliance”.
Throughout this stanza of the blog I do express some frustration with nationals. I really want to convey that I love competing in CCDC, and I want my frustration to be taken productively. Talking to some of the people close to the issue, I believe there is some division of interpretation and application, but that there is a genuine effort for receptive feedback and I hope to see change for the better. I believe this is possible without a doubt.
2024 Nationals
In San Antonio, in 2024, we won our region a month prior and were headed to nationals. This trip was insanely generous. The hotel, sponsors, and experience provided were one of a kind. The level of competition was unprecedented as there were a few very notable teams there with many returning students (us included). During the first day, we did not do well. We messed up quite a bit on some of the technical injects, which harmed our uptime relative to the other teams. On the morning of the second day before the event starts, the relative rankings are provided to all the teams, just a team # with little context. If I remember correctly, our team # did not get produced in any of the categories displayed.
Much like I described earlier, we picked ourselves up and carried on as if we were going to win. We had a sharp comeback when the red team started to be more aggressive with the access they obtained the first day against other teams, and that carried into a win on the third day when the awards were announced. I walked away with much awe from this event. The red team assigned to our team was _very_ competent and behaved how I would expect an APT group to. They were clever, quiet, and even their testing appeared quiet. This event was among my favorite memories of CCDC.
2025 Nationals
I do not have many comments to say about this year outside of:
- We took the rule changes too seriously and were not rewarded proportionally for it.
- There was a major infrastructure outage on the second day about halfway through that resulted in an environment reset. Although the organizers did their best to placate the teams that the competition was essentially decided before then, it left quite a bit of heartburn knowing that the second day often decided the competition, especially given our experience with the year prior.
2026 Nationals
The first day went alright for us, and the second day rolled around, and we were a bit surprised when our team # did not get into any of the categories. Nonetheless, we kept on and within minutes we were in the top three teams in uptime, and were back and forth for 1st in uptime for most of the first half of the second day. I will not go into terrible detail, but the red team used access “given to them” (semantically no different than a pre-plant) on the hypervisor (this is public knowledge). We reacted quickly, did something clever, and… lost access to everything 30 minutes later from a red team action. From then on, it was pretty much over for us with hours to go.
Looking back, there were things we could’ve done better without a doubt. It wasn’t perfect. We did feel very disadvantaged as our access was, as far as we can tell, the only one with access removed permanently (red team later attributed it to our ESXi setup). My major problem with this event was that, by all accounts, historically, NCCDC has no “pre-plants”. Every team operated under that assumption. Nothing was further communicative of this change before the competition. Other teams shared similar opinions.
AI and Cybersecurity Competitions
This is a very heated subject at the moment, and for good reason. AI has influenced most of the tech world over the past few years. I remember being in CCDC practice in 2023 using ChatGPT for the first time.
For CTFs, I’m not quite sure what the solution is here. Possibly remote VMs with limited copy/paste permission and keystroke monitoring. I think CTFs have always been a learning event, and I personally do not mind AI being heavily restricted so people can still understand the basics.
For blue-team competitions, AI was heavily used in the 2026 national competition. This was for the worse. The AI we had access to was not “agentic” and just chat-based. The red team, however, had no restrictions. They quickly lost the allure of being a quiet, APT-like, methodical red team, and we were swamped in reacting to Claude’s “pen-testing” of all of our web applications at once.
Giving AI to blue teams, I think, should happen. However, as a fellow blue team member, I would caution against the adoption mid competition, especially with CLI-based AI tooling that could (let me rephrase, WILL) destroy your servers.
Red team members should also, by all accounts, use AI, as this is currently happening in the wild. However, volume is not necessarily quality here, and as a blue team member, I can confidently say there is not a learning opportunity to be had when it is just you vs a $200 Claude subscription and a red team member eager to burn through it.
Trust me, doing red team work, this would be hilarious and funny, but not educational.
Tool Development at CCDC
You may have heard the term “Red Baron” (rb2) recently if you have been involved in CCDC. This is UCF’s best attempt at using AI to expedite development to bring a somewhat decent EDR to a cyber competition. This has been very challenging for us to develop, test, and be confident in. It grew to be a massive Rust project of 30K lines of code.
We are still figuring out if this is worth it. This has been our second year doing it. First off, we become an immediate target of the red team. At both nationals and regionals, the red team developed specific rb2 breaks and was actively looking for rb2 running to figure out who was UCF. I was surprised at how forward the red team was in admitting this fact. Both times, their defense was almost verbatim: “Well, we figured a team was going to do something like this, so we were going to target this type of tooling regardless of the team”.
We saw teams straight-up copy our code last-minute into their repos, which admittedly was flattering. Other teams created weird knock-offs that did not make sense to us lol? We learned quite a bit during the process, and got familiar with some technologies that we would not otherwise have been, so I think it was a net gain for us this year.
Due to the time commitment and creating a red team target for ourselves, we are unsure if we want to continue on this thread. It also seemed to encourage the red team to change their beacons to avoid detection more than it helped us find cheap beacons. Most black team members seem to want to encourage tool development within reason, so I wonder if they will eventually communicate to red teams not to target tooling specifically. We did have fun doing it, however.
Other cyber-competitions:
CyberForce
Another competition that I very much enjoyed is DOE’s CyberForce. This unique chance gives students an in-person competition that covers most aspects of cybersecurity. It combines CTF, vulnerability management, preparation, C-suite interaction, code patching, monitoring, and observability, and some hands-on blue teaming. This is another opportunity to be fully immersed in doing cybersecurity work for 8 or so hours.
Multiple teams from a school can attend, which is very cool! CyberForce is also geared towards exposing students to PLCs/SCADA/ICS adjacent systems. They usually bring in an industry partner to provide enterprise-grade software, and you have to secure/monitor it. I know some students who got cybersecurity jobs working for companies with these technologies that specifically hire interns to use over-the-wire monitoring for intrusions/flows and to write firewall rules for them.
Why go to CyberForce?
One of the best parts about CyberForce is that you get to be hands-on, in person, with close to 100 other schools. Especially considering that most competitions are virtual, this is a one-of-a-kind experience, a great way to connect with other students who may offer connections that share similar career trajectories. We have had UCF alumni help with their red team there as well. It’s refreshing to interact with the CyberForce competition organizers, who are very down-to-earth and understanding.
You have to prepare for weeks prior to coming. They provide your team with an AWS environment with limited permissions, and you have the ability to use freeware/trial software. We love this as we get to use some fancy tooling that is generous with their free tier. The C-suite video that you pre-record has been a fun way for me to kick off my fall semester the past few years and catch up with teammates. We have so many takes that it usually fills up my phone storage lol.
How to win CyberForce
UCF has won 6 CyberForce championships, 5 consecutively. A good reason why UCF continues to win CyberForce is that they are very transparent regarding scoring. Their scoreboard updates live, the material submitted beforehand is scored against a very binary rubric and added to the scoreboard as the competition progresses, and their feedback is verbose. Some amount of subjective scoring in regard to the documentation is expected, but they have enough rounds of reviewing that often there is a shared consensus among the “judges” reviewing it. I love that despite the high volume of teams, competitors, and deliverables, they have been very consistent with their scoring. It is very encouraging as a competitor.
They will say this during the intro videos year over year, but follow their rubrics and do as much preparation as possible. It really is that simple.
Take the PLC/SCADA stuff seriously before the competition. Take the time to really sit down and learn the enterprise software they provide. Expect there to be CTF-adjacent tasks related to it.
They also discourage AI usage during the competition, so I would suggest not using AI to write up the report or using it as a crutch for the in-person CTFs.
CPTC
I did CPTC for two years, winning third at globals in 2023. We usually win the South-East regionals when we go. This was one of the frustrating competitions for me. That being said, I think this might just be a personal preference rather than a flaw in the competition style itself.
What is CPTC
CPTC is one of the few “role-playing” cybersecurity competitions. You are officially a firm that the fictional business at the time will hire or onboard to perform a pentest against their company’s fictitious IT systems. Usually, the regional environment is reused to an extent at the global level after you progress.
As a client, the moment you walk into the building, you are in this role. You have to respond to emails, and do your best not to accidentally lock a user out, which might be enough to cost you a podium finish. Some of the expectations that get derived from this role-playing end up being a bit unrealistic, at least in my opinion.
How to win CPTC, I think?
The teams with the best red-teamers/pentesters do not win. I think that is a very well-known fact across the board. I believe even with our region, this is true. The teams that win are the best at putting together reports, highlighting the vulnerabilities in a business in a forward way, and doing presentations. Obviously, the teams that win are very competent and do not win by a roll of the dice. Sometimes scoring is more vague one year than another, and I know that was the frustrating portion for me.
They do provide good resources from past teams that have won or advanced to CPTC globals, which I applaud. That being said, we have tried to find winning threads in past teams and emulate them, and to no avail. I think part of their scoring methodology is ever-changing in nature just to prevent teams from having one winning MO. I think I understand this?
ISTS
ISTS is a wonderful competition, put on by student organizers at RIT. Much like CyberForce, it is a “multi-color” competition where there are blue, purple, and red teams occurring. The folks up at RIT have some serious infrastructure, and the environment is a blast. You have a unique opportunity to play KoTH (king of the hill), which is a rare occurrence in the competition world these days, that combines the ability to pwn servers and secure your access in a limited environment. ISTS is also more flexible than most on the tooling they allow you to bring in, so random crazy malware or other software ends up on your box most frequently.
Last thoughts
I share these thoughts and opinions after doing these competitions for years. The main takeaway of my four years is one of great appreciation for these good folks who put on these events and provided students with a world-class opportunity. If you are a student reading this, then I cannot urge you enough to get involved. The best moments of your career are just ahead! Please feel free to connect with me on the various platforms. I largely wrote this in the name of transparency and wanting the general competition scene to improve!