Can AI Lower the Barrier to Cybersecurity? A Human-Centered Mixed-Methods Study of Novice CTF Learning

TL;DR

This study investigates how agentic AI frameworks like CAI can lower entry barriers for novices in cybersecurity Capture-the-Flag competitions by providing guidance and reducing cognitive load, while also highlighting new challenges in trust and dependency.

Contribution

It provides the first human-centered, mixed-methods case study on AI's role in novice cybersecurity learning, combining performance metrics with reflective analysis.

Findings

AI reduces initial entry barriers by offering guidance and structure.

Extensive exploration and quick strategy switching facilitate learning.

Challenges include trust, dependency, and responsible AI use.

Abstract

Capture-the-Flag (CTF) competitions serve as gateways into offensive cybersecurity, yet they often present steep barriers for novices due to complex toolchains and opaque workflows. Recently, agentic AI frameworks for cybersecurity promise to lower these barriers by automating and coordinating penetration testing tasks. However, their role in shaping novice learning remains underexplored. We present a human-centered, mixed-methods case study examining how agentic AI frameworks -- here Cybersecurity AI (CAI) -- mediates novice entry into CTF-based penetration testing. An undergraduate student without prior hacking experience attempted to approach performance benchmarks from a national cybersecurity challenge using CAI. Quantitative performance metrics were complemented by structured reflective analysis of learning progression and AI interaction patterns. Our thematic analysis suggest that agentic AI reduces initial entry barriers by providing overview, structure and guidance, thereby lowering the cognitive workload during early engagement. Quantitatively, the observed extensive exploration of strategies and low per-strategy execution time potetially facilitatates cybersecurity training on meta, i.e. strategic levels. At the same time, AI-assisted cybersecurity education introduces new challenges related to trust, dependency, and responsible use. We discuss implications for human-centered AI-supported cybersecurity education and outline open questions for future research.