eCTF
Embedded Capture the Flag Competition
The Embedded Capture the Flag (eCTF) Competition is a design-build-attack-style exercise for designing secure embedded systems
The Embedded Capture the Flag (eCTF) is an embedded security competition run by MITRE that puts participants through the experience of trying to create a secure system and then learning from their mistakes. The main target is a real physical embedded device, which opens the scope of the challenge to include physical/proximal access attacks. The eCTF is a two-phase competition with attack and defense components. In the first phase, competitors design and implement a secure system based on a set of challenge requirements. The second phase involves analyzing and attacking the other teams’ designs.
2026 eCTF
In the 2026 eCTF, teams designed and implemented a secure storage solution for a chip foundry. The system must allow users with various roles to access the proper data without leaking sensitive chip designs to unauthorized parties.
Key dates:
- January 14: eCTF kickoff!
- January 31: Last day for late team registration
- February 25: Handoff
- April 15: Scoreboard closes
- April 21: Poster session
- April 24: eCTF Award Ceremony
For more information, reach us at ectf@mitre.org.
Countdown to 2026 Registration!
Day(s)
:
Hour(s)
:
Minute(s)
:
Second(s)
Thank you to our sponsors!
See our NICE K-12 Conference Talk
We presented at the 2022 NICE K-12 Conference about the eCTF and how the first and most successful high school team Delaware Area Career Center used the eCTF in their program.
How is the eCTF different from other competitions?
The eCTF is unique in three major ways. First, the focus is on securing embedded systems, which presents a new set of challenges and security issues that are not currently covered by traditional “online” CTFs. Second, unlike the standard attack-only CTF, the eCTF balances offense and defense by including design, build, and attack components. Finally, the eCTF runs over the majority of the spring semester through three phases, allowing time for development and for advanced attacks during the Attack Phase.
01
Focus on Embedded
02
Attack / Defend
03
Extended Time
Competitor Testimonials
eCTF-Related Works
-
Kornegay, M. A., & Arafin, M. T., & Kornegay, K. (2021, July), Engaging Underrepresented Students in Cybersecurity using Capture-the-Flag(CTF) Competitions (Experience) Paper presented at 2021 ASEE Virtual Annual Conference Content Access, Virtual Conference. 10.18260/1-2–37048 https://peer.asee.org/engaging-underrepresented-students-in-cybersecurity-using-capture-the-flag-ctf-competitions-experience
- Md Armanuzzaman, Ahmad-Reza Sadeghi, and Ziming Zhao. 2024. Building Your Own Trusted Execution Environments Using FPGA. In Proceedings of the 19th ACM Asia Conference on Computer and Communications Security (ASIA CCS ’24). Association for Computing Machinery, New York, NY, USA, 1584–1599. https://doi.org/10.1145/3634737.3637644
- Ma, Zheyuan & Liu, Gaoxiang & Eastman, Alex & Kaufman, Kai & Armanuzzaman, Md & Tan, Xi & Jesse, Katherine & Walls, Robert & Zhao, Ziming. (2025). “We just did not have that on the embedded system”: Insights and Challenges for Securing Microcontroller Systems from the Embedded CTF Competitions. 10.48550/arXiv.2503.08053. https://arxiv.org/abs/2503.08053
- Applegate, Justin. (2025). “MITRE eCTF memcmp() Side Channel Analysis” https://justinapplegate.me/2025/ectf-memcmp/
Do you have a paper, article, write-up, or anything else to add to this list? Let us know at ectf@mitre.org
Past eCTF Competitions
2025 - Satellite TV
Teams designed and implemented a Satellite TV System solution. The system had to securely encode and decode satellite TV data streams while protecting against unauthorized access to protected channels.
2024 - Medical Device Security
Teams designed and implemented a supply chain security solution for microcontrollers on a medical device. The system had to securely verify the device integrity while keeping sensitive data confidential.
2023 - Car Key Fob
Teams designed and implemented a secure key fob system for a car door lock. The system had to protect the car from unauthorized entry and prevent attacks like replays and key fob cloning.
2022 - Avionics Bootloader
2021 - UAV Communications
Teams designed a secure communications system for an unmanned aerial vehicle (UAV) package delivery system. The system had to be secure to prevent attackers from gaining access to the network to spy on and disrupt the UAV system.
2020 - Audio DRM
Teams designed a secure audio digital rights management (DRM) module for a next-generation multimedia player on the Digilent Cora Z7. The system had to be secure to prevent users from playing pirated music, support region locking, and prevent the creation of cloned bootleg players.
2019 - Video Game Console
Teams designed a secure video game console on the Digilent Arty Z7. The system had to attempt to protect the intellectual property of game designers, prevent users from loading their own software, and allow verified users to install and play games that they have purchased.
2018 - ATM System
Teams were tasked with designing a modern chip-and-PIN ATM system. Teams had to design and implement the firmware, software, and protocols for the ATM card, the ATM, and the Bank Server to support secure cash withdrawals.
2017 - Car Bootloader
Teams were challenged to design and implement a system to support secure firmware distribution for automotive control.
2016 - IoT Door Lock
In the inaugural eCTF, teams designed a secure pin door lock system.
Past Competitors
Air Force Institute of Technology • Amherst College • Amrita Vishwa Vidyapeetham University • Arizona State University • Asia Pacific University of Technology and Innovation • Baldwin Wallace University • BASIS Chandler • Binghamton University • Boston University • Brigham Young University • California State University, Fullerton • California State University, Los Angeles • Carnegie Mellon University • Center I (Albemarle County Public Schools) • City College of San Francisco • Clemson University • Colombe Academy of Technology • Colorado State University • Columbia University • Cornell University • CyberAegis • Dakota State University • Delaware Area Career Center • Duke University • East Tennessee State University • Ecole Royale de l’Air • Embry-Riddle Aeronautical University, Prescott • Essex North Shore Agricultural and Technical School • Faculte des sciences Ain Chock • Fairport High School • Flinders University • Florida A&M University • Florida Atlantic University • Florida International University • Florida State University • George Mason University • Georgia Institute of Technology • Guru Gobind Singh Indraprastha University • Hampton University • Harmony Science Academy • Ho Chi Minh City University of Technology • HTL Pinkafeld • Indian Institute of Technology Dharwad • Indian Institute of Technology Indore • Indian Institute of Technology Madras • Indiana Institute of Technology • Institut Bisnis dan Teknologi Indonesia • Ipnet Institute of Technology • ISD 196 • Istituto di Istruzione Secondaria Superiore Marie Curie • Johns Hopkins University • Kansas State University • Kennesaw State University • Kilgore College • KL University • Lakota East High School • Lakota West High School • Lenoir Community College • Louisiana State University • Louisiana Tech University • Marriotts Ridge High School • Massachusetts Institute of Technology • Michigan State University • Michigan Technological University • Morgan State University • Mount Saint Dominic Academy • Mount Si High School • Mountain View High School • New Mexico State University • New York Institute of Technology • New York University • Norfolk State University • North Carolina State University • Northeastern University • Northern Virginia Community College • NorthWest Arkansas Community College • Nova Southeastern University • Oklahoma Christian University • Pace University • Parkway Spark! • Penn State Abington • Purdue University • Rensselaer Polytechnic Institute • Rice University • River Hill High School • Rochester Institute of Technology • Rose-Hulman Institute of Technology • Royal Melbourne Institute of Technology • Rutgers University • Saddleback College • San Francisco State University • Sathyabama University of Science and Technology • SDU University • Shawnee Mission Center for Academic Achievement • Singapore Management University • Smithtown High School West • Southeast Missouri State University • Southern University and A&M College • Springfield-Clark County Career Technology Center • SRM Institute of Science and Technology • Strayer University • Symbiosis Institute of Technology • Syracuse University • Tennessee Tech University • Texas A&M University • Thadomal Shahani Engineering College • The Citadel • The Harker School • The Ohio State University • The Pennsylvania State University • The University of Alabama • The University of Texas at El Paso • The University of Tulsa • Thomas Jefferson High School for Science and Technology • Tri-City College Prep • TrustSec • Tufts University • United States Air Force Academy • United States Coast Guard Academy • United States Cyber Games • United States Military Academy • Universidad Politécnica de Cartagena • University at Buffalo • University of Alabama in Huntsville • University of Arizona • University of Arkansas • University of California, Irvine • University of California, Los Angeles • University of California, Santa Barbara • University of California, Santa Cruz • University of Central Florida • University of Cincinnati • University of Colorado Boulder • University of Colorado, Colorado Springs • University of Connecticut • University of Dayton • University of Denver • University of Edinburgh • University of Florida • University of Illinois Urbana-Champaign • University of Maribor • University of Maryland College Park • University of Maryland, Baltimore County • University of Massachusetts Amherst • University of Massachusetts Lowell • University of Michigan • University of Nebraska Omaha • University of New Hampshire • University of New Haven • University of North Dakota • University of Pennsylvania • University of South Alabama • University of Texas at Arlington • University of Texas at Dallas • University of Trento • University of Washington • University of Wyoming • Veermata Jijabai Technological Institute • Virginia State University • Virginia Tech • Wellington High School • West Virginia University • Willis College • Worcester Polytechnic Institute • Xavier University
Interested in getting involved as a sponsor?
For the first time, the eCTF is accepting commercial sponsorships. See the sponsorship page or email us at ectf@mitre.org for more information.
Frequently Asked Questions
Who can participate?
Anyone! The eCTF is open to all US citizens 13 or older and most non-US citizens 18 or older (see the participant agreement for all eligiblilty information and exceptions). Students at all academic levels are welcome to participate.
However, to be eligible for prizes, students must be US Citizens as of the start of the competition.
Please see the 2025 Participant Agreement for full terms and conditions.
Are there restrictions on team size or composition?
Team sizes are unlimited, and we have seen teams of one and teams of over thirty succeed. However, teams under 3 students may struggle with the workload and teams over 10 may require more dedicated project management to ensure everyone is engaged.
Sponsorship of a teacher or faculty member to act as a team advisor is required. We encourage advisors to help support and guide their team through the competition, but teams can also be entirely student-run and -led.
Can international students and teams compete?
We welcome international students 18 years and older to compete, with limited exceptions (see the participant agreement for details). However, prize money can only be distributed to US citizens and legal permanent residents atending US-based institutions.
What does MITRE provide to help?
MITRE provides teams with a reference implementation, embedded hardware (and/or hardware emulator), and technical guidance.
Does the eCTF cost anything?
Participation in the eCTF is entirely free! MITRE will provide the resources to complete the competition including one set of development boards per team and an additional set for the Attack Phase, however teams may choose to purchase additional resources to aid with development or attacking.
Are there awards?
Winning teams receive a cash prize, publicity from MITRE, and typically earn accolades from their university as well. The prize amount for 2025 will be announced at the kickoff, though the 2024 eCTF awarded $25,000 in prizes and an additional $30,ooo in travel grants to support attendance at the Award Ceremony. Students have used their participation in eCTF to build resumes, present at conferences, and open the door to valuable internship and career opportunities, including engineering positions at MITRE and the eCTF sponsors.
Can I earn college credits?
Most students can earn college credit. Work with your professor(s) / faculty advisor to determine how to earn credit at your institution. Remember that this is a significant time commitment, typically commensurate with the credit hours you may receive. An example syllabus is available from the eCTF organizers upon request.
What level of experience is required to compete?
We encourage teams of all levels of experience to compete in the eCTF and aim to make the eCTF accessible to students new to security and embedded systems. We do recommend an understanding of development in C and Python, as the reference design will be implmented in those languages.
However, while the competition may be approachable, the depth of embedded systems enables teams with more experience to attempt more advanced countermeasures and attacks, providing an engaging experience for students of all levels of experience.
Do I need to travel for the competition?
The competition can be done 100% remotely. MITRE will provide teams with hardware and/or servers to develop and compete on. Once teams have a completed design, they submit the code to MITRE for testing and MITRE will ensure that all challenge requirements are met. Once this verification process is completed, your implementation (source code and protected binaries) will be provided to all of the attacking teams.
After the competition concludes, MITRE hosts an Award Ceremony in April where teams are invited to share in their accomplishments, meet participants from other schools, interact with MITRE staff, and see the final standings revealed! The 2024 eCTF Award Ceremony was in-person at the JFK Presidential Library in Boston, MA. Stay tuned for details about the 2025 Award Ceremony.
How do I sign up?
When team registration opens in September, work with your faculty advisor to fill out this form.
Individual competitor regitration will open in December.
Can students who are MITRE employees compete?
Yes! Current and former MITRE employees frequently compete in the eCTF. To ensure fairness, competitors who are MITRE employees will have no additional access to the organizers or any internal eCTF resources and will be treated the same as any other competitor.
Other questions?
Please contact the eCTF team at ectf@mitre.org
Can high school teams compete?
Yes! We have had high school teams compete and succeed in the eCTF. See our talk at the 2022 NICE K12 Conference for more information (slides) (DACC Video).
However, the competition is only open to US citizens 13 or older and non-US citizens 18 or older.
QUESTIONS? EMAIL US AT ECTF@MITRE.ORG
MITRE is a not-for-profit organization that operates research and development centers sponsored by the federal government. MITRE works with industry and academia to apply science, technology, and systems engineering that enables the government and the private sector to make better decisions. Learn more at www.mitre.org