CTF as a Service: A reproducible and scalable infrastructure for cybersecurity training

TL;DR

This paper introduces a scalable, reproducible CTF platform built on virtualization, IaC, and container orchestration, aimed at simplifying cybersecurity training in academic settings.

Contribution

It presents a comprehensive design and implementation of a CTF as a Service platform using modern infrastructure tools, enabling easier deployment and management.

Findings

Supports automated challenge deployment via CI/CD pipeline.

Handles session persistence and external routing effectively.

Facilitates ad-hoc infrastructure provisioning for CTF events.

Abstract

Capture The Flag (CTF) competitions have established themselves as a highly effective pedagogical tool in cybersecurity education, offering students hands-on experience in realistic attack and defense scenarios. However, organizing and hosting these events requires considerable infrastructure effort, which frequently limits their adoption in academic settings. This paper presents the design, iterative development, and evaluation of a CTF as a Service (CaaS) platform built on Proxmox virtualization, leveraging Infrastructure as Code (IaC) tools such as Terraform and Ansible, container orchestration via Docker Swarm, and load balancing with HAProxy. The system supports both a development-centered workflow, in which challenges are automatically deployed from a Git repository through a CI/CD pipeline, and a deployment-oriented workflow for ad-hoc infrastructure provisioning. The paper describes the design decisions made, the challenges encountered during development, and the solutions implemented to achieve session persistence, external routing, and challenge replicability. The platform is designed to evolve into a CTF hosting service with commercial potential, and future lines of work are outlined regarding automatic scaling, monitoring integration, and frontend standardization.