Skip to main content
A screenshot from the picoCTF "PicoLock" start page.

CMU’s picoCTF Seeks To Make Cybersecurity Education More Accessible

Media Inquiries
Name
Peter Kerwin
Title
University Communications & Marketing

picoCTF, a cybersecurity Capture The Flag (CTF) competition created and run by Carnegie Mellon University's CyLab Security and Privacy Institute in 2013, is now the largest high school hacking competition in the world.

In its first year, the program saw participation from approximately 6,600 students and teachers and saw increased enrollment in the years which followed. Today, 11 years after its inception, picoCTF has expanded beyond the range of a simple competition and now serves as an educational digital platform for various concepts in cybersecurity.

At the national level, picoCTF seeks to help bring principles of cybersecurity to educators and students.

"There is no standardized cybersecurity education in the United States, so there is a need for this contact. Our national security is kind of dependent on the fact that people get interested in cybersecurity," said Megan Kearns, a special projects administrator for CyLab. Kearns has served as the project manager for picoCTF since 2017.

Megan Kearns, project manager for picoCTF.

The program started at CMU as one of the first of its kind, and has been open to the public since 2013 and has seen engagement around the world, including through partnerships in JapanCanada and across the continent of Africa(opens in new window).

This global accessibility — availability to anyone, anywhere, at any academic level — has become a key focus of picoCTF and one of its distinguishing features in the career development landscape. For instance, picoCTF-Africa increased female participation across its entire program by 102% between 2022 and 2023.

For Kearns, one of the most important goals of picoCTF has been to help establish such a benchmark for cybersecurity placement across the country. “I'd like to see picoCTF be integrated into a U.S. Department of Education high school curriculum, similar to AP computer science, so that students have the opportunity to test their interest and their aptitude for cybersecurity,” she said.

The program as it stands has created an entry point for future cybersecurity professionals regardless of their familiarity level. Many who participate in picoCTF also compete in competitions like the MITRE Embedded Capture the Flag (eCTF) competition, and even return to picoCTF as problem writers for the yearly competition. Others go on to work in the technology industry or in government, and those who don’t still walk away with greater literacy in cybersecurity concepts.

While the competition’s decade-long course saw increased participation, picoCTF's growth was also due to the increased demand for accessible cybersecurity education. Many engaged with picoGym, the noncompetitive learning platform that accompanied its competitive environment, simply to learn. CyLab found that individuals wanted to practice using picoCTF's platform even if they weren't interested in ranking against others.

"People were emailing us saying, 'Can you just keep the content open, or even reopen it after the competition closes? Because I'm not here to compete, I just need to learn this stuff.' We decided that's where we would focus our energy — on creating an open platform where people can learn and practice," Kearns said.

To this end, picoCTF has taken an open-to-public approach to sharing cybersecurity resources, even publishing free introductory lectures on the picoCTF YouTube channel. After opening up the program to anyone who can access the web, the site has seen its undergraduate user base grow to 100,000 and its total user base to over 600,000.

Carnegie Mellon has a proud history of advancing the field of computer science, dating back to the work of computer science pioneers Allen Newell and Herbert Simon. Today, the university offers a wide variety of academic programs focused on cybersecurity, including an undergraduate concentration in privacy and security for computer science majors and several degrees from the College of Engineering related to information security. 

picoCTF, like CyLab's work as a whole, relies on the interdisciplinary contributions of faculty and staff across CMU, including the College of Engineering, School of Computer Science(opens in new window), Heinz College of Information Systems and Public Policy, and the Tepper School of Business. It offers a full list of programs related to security and privacy on its website.

On June 24, the top three ranking teams of the 2024 picoCTF competitions were announced in the Simmons Auditorium at Carnegie Mellon’s Tepper School of Business. Students from across the U.S. were recognized for their achievements, and had the chance to speak to a panel of experts, including several CMU faculty members and a professional cybersecurity expert from the National Security Agency.

Panelists talk to students at the picoCTF awards ceremony.

Panelists speak to students at the picoCTF awards ceremony.

For the high school students who earned a victory in this year’s picoCTF, the passion and excitement to deepen their skill set and take part in world-renowned research is palpable — so much so that the winning team’s moniker was “cmu let me off the waitlist.”

However, because of the caliber of their success — having bested around 4,400 other U.S. students in 47 different challenges — the panel emphasized that CMU is only one of many places that their skills could potentially take them.

Some panelists, including picoCTF founder David Brumley, spoke about their own paths. Many did not always begin with a school-to-college trajectory. Some go directly into the cybersecurity industry and find success, and the speakers encouraged the winners not to limit themselves to one path or place.

“You are now the experts,” Brumley told the 2024 picoCTF winners. “This isn't a high school hacking competition. The problems that you guys completed put you in that top bracket.”

The faculty members explained how their performance in picoCTF made them competitive in both the academic and professional spaces — so much so that many participants go on to leave college or high school early to pursue careers in cybersecurity. 

Those who do become Tartans also find success in the field, joining groups like the MITRE eCTF hacking team or even going on to write problems for picoCTF itself. Some past picoCTF contributors, it was noted, ended up working on world-renowned teams like Google’s Project Zero. But picoCTF continues to help those passionate about cybersecurity transcend traditional paths and boundaries.

"You don't have to have a computer science background,” Kearns explained. “You just need a Chromebook or a PC and internet access to get started. We have a virtual server that allows people to do the programming required for challenges without downloading anything. This is especially helpful if they're using a school computer and can't download software."

Those interested in signing up for picoCTF and learning more about the program can watch the tutorial below.

— Related Content —