WHAT A CTF ACTUALLY IS
Capture-the-flag contests hide a string — the 'flag' — behind a vulnerability. Solving means exploiting a buggy binary, cracking a weak cipher, or reversing obfuscated code to retrieve it. The format was invented at DEF CON in 1996 and became the dominant on-ramp into offensive security.
WHY THE FORMAT WORKED
CTFs compressed a multi-year apprenticeship into a weekend. A student who could not afford a pentest internship could still build a public scoreboard ranking, which hiring managers at NSA, Google Project Zero, and Trail of Bits learned to read as a credential. The format democratized entry into a field that otherwise gatekept through clearances and referrals.
THE AGENT PROBLEM
A medium CTF challenge typically requires recognizing a vulnerability class, writing exploit code, and iterating against a remote service — exactly the loop a coding agent runs natively. When the model can read the binary, propose an exploit, run it, parse the error, and retry, the human's edge collapses to whoever scripts the orchestration fastest.
THE PRECEDENT: CHESS ENGINES
Correspondence chess — once a serious competitive format — effectively ended when engines surpassed grandmasters in the 2000s. The remaining human tournaments moved to fast time controls and in-person, screen-free settings. CTFs are repeating the migration two decades later for the same reason: a format that allowed remote, time-unlimited play cannot survive a tool that plays it perfectly.
WHY IN-PERSON IS THE FIX
Closed, in-person events with no internet access and supervised hardware shift the bottleneck back to what a human knows under time pressure. DEF CON Finals has always run this way; what changes is that qualifier rounds — historically remote — now have to follow suit, which raises the cost of competing and narrows the talent funnel CTFs were designed to widen.
THE DEFENSIVE FLIP
The same agents that solve CTFs can also scan real codebases. A vulnerability class that takes a competitor 40 minutes to exploit in a contest takes an attacker roughly the same 40 minutes against production software that contains it. The crisis in the training pipeline and the crisis in the defender pipeline are the same event, viewed from two angles.