InstantCTF

Inspiration

We love CTFs and cybersecurity, but after weeks of doing CTFs through PicoCTF,
we realized our obsession and looked for other CTF websites. Dissatisfied by the lack of CTF websites like PicoCTF, we realized there was a large unmet need for CTFs to learn
about cybersecurity techniques, not just for our love of cybersecurity but also
to prepare for certification licenses and interviews. Additionally, CTFs lack a
fundamental stepping stone for mastering things — the best way to learn
something is to explain it.

Interviewers often reuse CTF interview questions, and interviewees don't have
a ton of CTFs to practice with. On top of that, making a CTF is a tedious process
that can take days for a designer to do. It is not a lack of a job market
(estimated 3.5 million unfilled cybersecurity jobs by the end of 2025¹) nor
job stability (positions for information security analysts will grow by 33% by
the next decade²). In fact, the need for cybersecurity professionals is so
dire that a study of 1850 companies by Sapio Research in January 2024 found 87%
(YES, 87%) of technology leaders report difficulties securing qualified
professionals, with 89% of respondents willing to pay for an employee to obtain
a cybersecurity certification, AND 97% of respondents say their board sees
cybersecurity as a business priority³.

As Cybersecurity and CTF lovers and enthusiasts, we decided to make a product
that addresses this dire unmet need — A Jurrasic Park themed CTF creator that
makes novel CTFs with every generation.

¹: Cybersecurity Ventures. "Cybersecurity Jobs Report: 3.5 Million Unfilled Positions In 2025." Cybersecurity Ventures, 4 Apr. 2024
²: University of Tulsa. "Is Cybersecurity in Demand? 8 Reasons Demand Keeps Rising." The University of Tulsa Online, 29 Jan. 2025.
³: Fortinet. "2024 Cybersecurity Skills Gap Global Research Report." Fortinet, 20 June 2024

What it does

In simple terms, it creates a new Jurassic-themed Capture The Flag (CTF) problem to solve based on a desired category and difficulty level, along with any other specifics the user wants to include. Then, it provides a terminal to write a report to and interface with for full-skill comprehension.

The flow of information is robust and elegant. For CTF creation, the following flowchart can be made:

User —> Prompter LLM (Large Language Model) —> Generator LLM

More specifically, the user picks a category type and difficulty level and can write additional specifics for their challenge (e.g., 'focus on image decoding'). This information goes to the 'prompter' LLM, which fills out our prompt-engineered outline to create a prompt for the 'generator' LLM.

Passing the detailed CTF prompt to the generator. The 'generator' LLM works like magic to create the Jurassic-themed CTF problem—it makes the necessary files (webpages, source code, etc.), along with an encrypted flag for the user to discover.

The Jurassic-themed title and description for the CTF are displayed on a subsequent page—providing an amazing, new CTF problem to solve.

At the bottom of this page, a terminal is provided for the user to interact with the LLM. It allows the user to summarize their steps to find the flag and 'teach' what they just did to a dummy person. The terminal also will enable users to pose questions or request hints for the challenge.

Upon successfully entering the flag, the LLM confirms that the user has completed the challenge, marking their accomplishment.

How we built it

For this hackathon project, we decided to build a full stack application which has a frontend SPA built with React using Remix as a framework. For the backend, we decide to use Python using FastAPI as a RESTful API framework. For data, we chose MongoDB as it was easy to implement using the odmantic ORM in our Python backend. For styling and data management on the frontend we chose to use TailwindCSS, shadcn, and React Query. Lastly, on the backend, we chose to use LangChain and OpenAI for our AI integration.

We hosted both of the applications on Render. We deployed the RESTful API using a Dockerfile and the frontend built as a client bundle.

Challenges we ran into

We ran into a lot of challenges, being mostly a team of noobie coders: 1 software engineer, 2 electrical engineers, and 1 biomedical engineer. For us as a team, this was our first time creating a hackathon together. Learning how to work synchronously was a complete headache. When one of us would add code, and this code was pulled and run on another computer, the code would be riddled with errors. Or when pushing simultaneously on the same file, making a merge mistake. After hovering over the errors and crashing out, we learned that the problem usually comes from an extension not being installed on a device or the dependencies not running. Learning to use uv and bun to initialize dependencies was an enormous stepping stone. Being meticulous about set-up (watching YouTube videos on properly setting up our program using Command Query Responsibilty Segregation, otherwise known as CQRS), we had to learn a lot very painfully.

Using VS code and GitHub for our project, we also had to learn how to add extensions and navigate VS code, which was a large challenge. After finally climbing this seemingly insurmountable mountain, the program would run correctly on each person's device, and more progress would be made. Most errors came from a device not being up to date with the software of another device.

When we tried to run the UI for the first time, apart from spending a while figuring out how things like shadcn and tailwind worked, we found none of the buttons would perform their intended purpose even with perfect code. The button allowing the user to traverse from the first page to the second would not function, the button for the dropdown menu would darken rather than display the menu, and the button for writing wouldn't do anything. We soon realized that the backend was not being run alongside the front end, thus depleting the functionality of the UI and making every button static. Once the backend and the frontend were working alongside each other, the website functioned as intended, the buttons worked, and we finally got past the first UI page. Developing past that, the enormous amount of backend code and making it all pretty using biome highlights how much we learned and did — and our meticulousness in researching what libraries and things we should use for our code. We are all extremely proud of how far we went and how much we've learned to make a product we ourselves will use a lot.

Accomplishments that we're proud of

We completed our first Hackathon as a team and solved a problem that at one point seemed insurmountable. We are all proud of one another and ourselves for how much we learned in this one hackathon and for solving a problem that we had all been experiencing.

We are just uber proud that we created something that does something. We will all be using it and likely continue our late CTF-solving sessions that we bond over. We wanted a deeper understanding of how to code, and we're proud to say we do have a much deeper understanding. We created something amazing: an app that will help us understand how the web works, learn how to prevent attackers from exploiting vulnerabilities and determine the software we write. We can use this website to further enhance our abilities in tracking and correcting vulnerabilities — letting us gain skills to get certifications easier for cybersecurity and skills in cybersecurity that are helpful no matter where we, as electrical, biomedical, and computer science engineers, go. Completing this project also strengthened our ability as a team, letting us bond as a group and have an enjoyable experience of the Georgia Tech campus and Atlanta.

What we learned

During my learning journey, I comprehensively understood front-end web development, particularly crafting UI components using CSS, shadcn, and TypeScript. I successfully implemented a dynamic dropdown menu that allowed users to select their preferred CTF category, integrating code from various external libraries, including ShadUI. I familiarized myself with the Bun package manager, effectively installing and configuring it on my local machine, and leveraged it to spin up a local development server for real-time website monitoring and collaboration with my team. I honed my debugging skills, meticulously identifying and resolving subtle errors that surfaced throughout the program. Additionally, I deepened my proficiency in collaborative development using Git, mastering the process of pushing and pulling code to synchronize changes with teammates. I navigated the complexities of merging divergent codebases with a single pull request, ensuring smooth integration. Finally, I identified essential VS Code extensions that significantly enhance productivity and streamline development. I learned an insane amount about setting up and deploying, front end and back end, and pretty much everything there is for coding. As a Biomedical engineer, coding is not my first field, but as someone who makes biomedical devices that need heavy cybersecurity to pass HIPAA and many, many audits. I can understand just how important cybersecurity and knowing how to code is. I struggled and struggled and struggled. But through blood, sweat, and tears, I learned how to run servers via uv and bun, how to format commands-controllers-models-queriers-databases, as well as how to set up a moderator for proper coding (CQRS), and how to use tools that make everything easier like a docker file, CQRS stuff, Zod, as well as incorporating and creating a professional UI design with shadvn elements easily.

What's next for InstantCTF

The next steps for InstantCTF is to expand the categories to include cryptography, binary exploitation, etc. Hopefully, this project contributes to a safer internet for all everyone to enjoy.