Gameplay and Delivery


  • Users log into the platform to get access to the vulnerable sites, cheat sheets, hints store, scoreboard and their personal progress page.
  • Each player has their own instance of each site so their play does not affect others.
  • Players can reset the database or do a full system restore on their own.
  • Each challenge/vulnerability has a name, type and point value (10 to 2500).
  • Points are scored upon successful exploitation of vulnerabilities, and the scoreboard is automatically updated.
  • Other than built-in browser tools, players don't need additional tooling. Password-crackers, proxies, and other utilities can be useful with a skilled operator but aren't required. Scanners can be used, but most vulnerabilities will elude them.
  • Web site challenges are language- and framework-agnostic, designed to teach security concepts like input validation and strong access controls. The one exception is Runstoppable, which primarily covers Android-specific mobile application vulnerabilities.

Delivery Options

Security Innovation-Staffed Hackerthon

These events are a combination of on-site instructor-led training and a real-time capture the flag (CTF) contest.  Our experts handle setup and provide continuous on-the-spot guidance throughout.  

  • Offered as 1- or 2-day events at a location of your choice
  • Kickoff session provides an overview of the game, how to think like an attacker, and getting-started tips
  • Customizable learning labs throughout arm players with specialized skills
  • Gameplay allows newly acquired knowledge to be tested and skills practiced
  • Reveal session summarizes the attacks, vulnerabilities, and mitigation tactics
  • Coverage reports for each player: by defect category, difficulty, etc.
  • Company branding on all digital and printable assets

Client-Staffed Hackerthon

Can be run online and/or at a specific geographic location. We help with registration and setup; you manage users and gameplay during the event.

 Security Innovation will provide:

  • Player documentation including FAQs and cheat sheets. 
  • Answer keys, operational guide and training for administrator(s)
  • Administrator panel for user data, event/player management, bonus points administration and event dashboard.
  • Remote support
  • Reveal guide includes walkthroughs for all of the vulnerabilities so that participants can learn more about vulnerabilities they missed  

Stand-Alone Practice Range

For organizations that need a safe sandbox to regularly practice new skills and techniques, our SaaS version is ideal. 

  • Individual or competitive gameplay mode
  • Administrator panel for user data, system documentation, troubleshooting, and tips on managing events and users
  • Dashboard and reporting to measure progress over time