Bishop Fox named “Leader” in 2024 GigaOm Radar for Attack Surface Management. Read the Report ›

Return to NetWars: Tournament of Champions

Netwars championship 4 men with trophy


There’s an inherent thrill to hacking. When I find loopholes in the logic and end up somewhere I wasn’t meant to be, I feel the rush of a personal victory. But how can operators like me really know how we stack up against each other?

SANS NetWars competitions are one of the great arenas to see where your name stands on the leaderboard and to witness feats of problem solving from your peers. They are two-day Capture the Flag (CTF) tournaments that test quick thinking, problem solving, and a wide knowledge base of systems and vulnerabilities. As Ed Skoudis, the director of SANS Cyber Ranges put it, “For the cybersecurity community, the NetWars Tournament of Champions is like our Super Bowl.”

Last month, I took part in a SANS NetWars Tournament of Champions (ToC): an invite-only version of the CTF competition where winners of past SANS NetWars events power up their skills in a fun, multi-disciplinary, and collaborative environment. Let me walk you through how it felt to return as a champion. Spoiler alert: my team won.

Barrett Darnell wins SANS NetWars CTF, photo showing the winning team.

Team Altus_BishopFox_and_Friends (I’m the one on the right).
Photo credit: SANS NetWars

How it works

The most recent Tournament of Champions kicked off December 15 in Washington DC as part of the SANS Cyber Defense Initiative training conference. Over the course of six hours spread across two evenings, 288 players (including 118 returning champions) engaged in a hands-on, interactive learning scenario that stressed both offensive and defensive skills.

The event started with four levels of creative problem solving wrapped up in an entertaining scenario (e.g., blowing up the Death Star or capturing Willy Wonka’s Golden Ticket). NetWars offers players a chance to play solo or in teams, but since the scenarios can take an individual 30 hours to complete, grouping up is the way to go for serious competitors. Even when teamed up, only a small percentage of players make it through all four levels the first time they play a scenario.

If players do complete the scenario, they are dumped into a wild network known as Level 5 or Castle versus Castle. Here you must protect your team’s Linux and Windows server while attacking your opponents’ servers. Each team must maintain a total of eight services during this phase, and each of your services has at least one vulnerability that must be diagnosed and patched. Once a vulnerability is discovered, it’s a race to weaponize the exploit and launch it against opposing teams. Your team gets points for maintaining uptime on your critical services while simultaneously hacking into other teams’ servers and planting your scoring flag to steal points. When the scoreboard suddenly turns red to indicate that another team’s flag is on your service, it’s a mad scramble to kick out the attackers and restore your flag to preserve points.

Altus BishopFox and Friends at CTF Competition working on CTF

Team_Altus_BishopFox_and_Friends at work. Photo credit: SANS NetWars


This was the third NetWars ToC that my team (Altus_BishopFox_and_Friends) has won. The first time was in December 2018 with version 5 of NetWars, which was Star Wars themed. For the July 2019 ToC in Europe, SANS released version 6 with a Willy Wonka theme. (I love digging into the new SANS NetWars scenarios that come out every year.) After nearly completing that scenario at the European tournament, we prepped for three months to master its new puzzles for this most recent event. We wrote and tested a custom exploit framework that had integrated command and control. This system allowed for rapid exploitation, hardening, and management of opponent servers. The system also integrated with Slack to provide real-time notifications to address issues or claim opponent flags.

So when the chaos of Castle versus Castle hit in Level 5, we were ready for everything that came our way. Our team organized tasks by platforms and skill sets to maximize our time and avoid internal conflicts. We divided up the tasks of defending our castles, initial exploitation, and maintaining access to opponent servers. Having played together before, we knew each other's strengths and weaknesses and could communicate effectively throughout the event. Your heart rate really spikes when you start blocking out the rightful owners while they fight to kick you out of their system. Thanks to our system though, we could enjoy the cyber knife fights and friendly banter that come along with trading fire with competitors. We were thrilled with the results after the second evening and celebrated with the other teams. The networking and camaraderie that come after the dust settles is a truly valuable aspect of NetWars that doesn’t get enough of a mention.

Final leaderboard at NetWars CTF showing winning CTF teams

The final leaderboard. Photo credit: SANS NetWars

Our golden ticket

It felt great to motor through the first four levels of problem solving and then burst out into the wild network and fight our way to the top at NetWars. But even more than that, it felt great to return to this community that introduced me to my teammates in the first place. There will always be new challengers elevating their skills to test us, and that’s good. It makes it worth returning to CTF competitions again and again.

My tips for the tournament

If you find yourself at a CTF, I recommend you keep these broader tips in mind during the flurry of the two-day event:

  • Take notes! Always take and keep meticulous notes. Whether you are working on an engagement or playing a CTF for fun, notes will always come in handy. For NetWars, no matter how many challenges you play through and solve in each scenario, your system will start from zero the next time you play. The same scenario will be used for about a year, so warp back to where you left off by keeping good notes.

  • Grow from the challenges. Solving a challenge isn't the end. If a challenge made you research a particular technology or tool, go back and research it some more after the event. The more you look under the hood of a particular technology, the better prepared you'll be when you see it again.

  • Make friends at each event. I have a personal goal of making at least one new contact at each conference, training event, or tournament. Strike up a conversation, find a shared interest, and exchange contact information. You never know when that person’s experience or expertise might help you in the future. That is exactly how I met everyone on this winning team. These contacts are great resources when you're pushed up against a hard problem, and a great source of community as you learn and grow together.

The Altus_BishopFox_and_Friends team is a group of five hackers who met online at Capture the Flags and conferences: Nick Ippolito (@ippsec), Kyle Fiducia (@kfiducia), Eirik Nordbø (@enordbo), David Forsythe (@0xdf_), and me, Barrett Darnell (@pwneip).

Subscribe to Bishop Fox's Security Blog

Be first to learn about latest tools, advisories, and findings.

Barrett darnell

About the author, Barrett Darnell

Bishop Fox Alumnus

Barrett Darnell was a Senior Operator at Bishop Fox and a technical lead for the Continuous Attack Surface Testing (COSMOS) Managed Security Service. Prior to coming to Bishop Fox, he served as an exploitation operator in the US Department of Defense's most elite computer network exploitation (CNE) unit. As a top-rated military officer, Barrett led an offensive operations team in the US Air Force's premier selectively-manned cyber attack squadron. Barrett also teaches SANS SEC660: Advanced Penetration Testing, Exploit Writing, and Ethical Hacking to a worldwide audience. Barrett holds a Bachelor of Science in Computer Science from Washington State University and a Master of Science in Software Engineering from the University of West Florida.

More by Barrett

This site uses cookies to provide you with a great user experience. By continuing to use our website, you consent to the use of cookies. To find out more about the cookies we use, please see our Privacy Policy.