HF 2022 - Call for Papers

You can CTF but can you Pentest
10-29, 11:00–11:50 (Canada/Eastern), Track 2
Language: English

Are you new or looking to get into the security field, specifically penetration testing? You have been told that doing CTFs are a good way to gain some skills.

Doing a lot of CTFs and Boot to Root challenges give some required analytical and technical skills needed but it does skew a person's perspective about what is needed when they go into a penetration test for a client. So let us go over
some of the things that are different and might be jarring to a new penetration tester.


We will go over some of the good skills that doing CTFs can grow and help people who have only done CTFs prepare for some of the frustrations they may encounter if they decide to do penetration testing for clients. These points are meant to help reduce frustration, reduce feeling discouraged and improve success with
real world tests.

Slide Layout
- Types of CTF style challenges and explanation of skills they teach
- Windows AD
- Web Application
- Boot to root

  • Some skills CTF styles challenges don't teach
    - Chaining thing together ( some CTFs dont have zero to full exploit
    path/ windows environment)
    - Coming out of the rabbit hole

  • Some downfalls of just doing CTF style challenges
    - People skills still need work
    - Rabbit hole mentality

  • Some realities of doing real engagements
    - Scope is a thing
    - Client expectations
    - Good documentation
    - Sometimes not everything is exploitable
    - Cleaning up after yourself

What audience skill level are you targeting your talk for?

This talk is geared towards students, people looking to get into the security industry as well as people who are new to the industry and looking to expand their skills.

What will the audience take away from your presentation and/or do you have a call to action for the audience?

The audience will gain an understanding that CTF’s are good for building certain technical skills but there are some drawbacks when trying to apply the same methodology in a professional environment.

Some of the differences people may come across if they have only done CTFs and how to help them be aware of the differences so that it isn’t too shocking.

Some improvements that I would expect people to take away are helping them think about the other side of security engagements that they do not get exposed to during CTF style challenges so that when they come across them they aren't discouraged or put down by it.


Are you releasing a tool? – no Was this talk already given? – no

Stephen has been in the industry for over 10 years being a consultant, ISO, breaker of things, builder for programs, finder of bugs, and builder of CTF challenges. He can often be found looking into the sky complaining about the clouds and why they make the decisions they do. He is often found wearing a Santa hat throughout the year.