By Leonid Bezvershenko, Senior Security Researcher at Kaspersky GReAT.

Cybersecurity has stepped out of the server room and into the boardroom. Once a quiet concern for CISOs, it’s now a business-critical issue that demands attention from every level of the organization.

Cyberattacks against corporations have surged dramatically in scale. Kaspersky’s Global Research and Analysis Team (GReAT) constantly monitors over 900 APT (advanced persistent threats) groups and operations worldwide. Even though Kaspersky tracks some of APT actors for decades, they are continually evolving with new techniques and toolsets. For instance, in the beginning of 2025 Kaspersky discovered a complex APT attack on Russian organizations dubbed Operation ForumTroll, which exploits zero-day vulnerabilities in Google Chrome and, more recently, new Lazarus-led cyberattacks targeting organizations across the software, IT, financial, semiconductor, and telecommunications sectors in South Korea.

In this high-risk environment, the strongest cybersecurity strategies are built not just on tools, but on people. Getting experienced, well-trained professionals who can think critically under pressure is vital to keeping a business secure. However, that human element is precisely where the industry is struggling. The cybersecurity workforce shortage has become a global bottleneck, forcing organizations to reconsider how they recruit, train, and retain skilled defenders.

This is where Capture the Flag (CTF) competitions come into play. Once confined to hacker conventions and university classrooms, CTFs have rapidly evolved into serious tools for professional development. They are now used by security consultancies, government agencies, academic organizations and increasingly, by private-sector enterprises looking to develop and benchmark internal talent.

CTFs have recently reached new heights and now serve as an arena for collaborative learning, cutting-edge research, and talent scouting. As we at Kaspersky prepare to launch our own 24-hour online CTF challenge on August 30-31, specifically designed for corporate cybersecurity teams and academic institutions, it’s an ideal moment to look at how these competitions can help organizations build stronger, more resilient cybersecurity programs.

The cybersecurity skills gap: why businesses must build from within

Despite a surge in cybersecurity education programs, certifications, and government investment, the industry remains critically understaffed. The (ISC)² 2023 Cybersecurity Workforce Study estimates that the world is short 4.8 million skilled professionals needed to secure public and private systems.

Kaspersky’s own report, The Portrait of a Modern Information Security Professional, paints a similar picture. We found that, according to company bosses, the biggest challenges to find and employ the right caliber of InfoSec professional are discrepancy between certification and practical skills (52%). Compounding the problem, the report also found that many professionals currently working in cybersecurity feel underprepared for the evolving threat landscape, citing gaps in practical knowledge, access to tools, and real-world exposure.

With hiring pipelines constrained, many companies are turning inward for their cybersecurity needs. However, as threats continuously change, it can seem impossible to keep employees in the loop with the most recent, pertinent dangers.

Many corporate training programs rely on static materials, theoretical modules, or simulation labs that fail to reflect the pace and complexity of real-world attacks. Certifications can provide foundational knowledge, but they are rarely designed to simulate how threats emerge, evolve, and exploit live environments.

That is where CTFs offer something different.

What is a CTF and why is it so effective for professional development?

A Capture the Flag (CTF) competition is an interactive, problem-solving event where participants solve cybersecurity challenges designed to mimic real-world attack scenarios. These range from decrypting obfuscated data to exploiting web application vulnerabilities or reverse engineering malware samples. As participants progress, they collect “flags”, in other words, evidence that a particular vulnerability or task has been solved correctly.

CTFs typically fall into two main formats. The Jeopardy-style format presents a board of discrete challenges across categories such as cryptography, digital forensics, OSINT, and web exploitation. The Attack-Defense format is more dynamic: teams simultaneously defend their infrastructure while probing and exploiting others'. Both formats are useful depending on whether the goal is to test specific knowledge or stress-test team coordination and strategy – skills information security professionals will definitely need in case they have to deal with an incident in real life.

CTF competitions, which are frequently sponsored or entirely organized by global tech giants, have raised the bar for technical excellence. But CTFs are no longer limited to an elite community of security research teams. Today, many enterprises are developing internal CTF programs or encouraging employees to compete in public ones as part of their professional development.

But beyond training, CTFs are fun. They create a gamified environment where learning is active and competitive, fostering curiosity and motivation in ways that traditional training can’t. For businesses, they’re an opportunity to build a culture of continuous learning, reward initiative, and make cybersecurity a shared priority across teams.

Some companies even use CTFs as a recruitment or retention tool, offering standout performers the chance to represent their organization in external competitions or contribute to red team/blue team programs internally. It becomes more than a training event, it becomes part of a talent strategy.

Introducing Kaspersky{CTF}: August 30-31, 2025

To help organizations harness the full potential of this format, Kaspersky is launching its newest flagship Capture the Flag competition: Kaspersky{CTF}.

Commencing on August 30–31, this 24-hour online tournament will bring together academic and corporate teams from across five global regions—North America, South America and the Caribbean; Europe; the Middle East, Türkiye and Africa (META); Russia and the CIS; and Asia and Oceania. Teams will face cutting-edge challenges that test their real-world cyber defense and offensive capabilities in domains like cryptography, reverse engineering, web vulnerabilities, and AI security.

What sets Kaspersky{CTF} apart is not just the quality of its challenges, but the scale and opportunity it provides. Winning teams from each region will earn an exclusive invitation to the on-site finals at Kaspersky’s Security Analyst Summit (SAS) in Thailand, taking place from October 26–29, where they will compete for an $18,000 prize pool against the finalists of Kaspersky’s parallel SAS CTF qualifiers.

This new event builds on Kaspersky’s legacy of fostering the cybersecurity community through hands-on education and innovation. And with the support of organizations like the UAE Cyber Security Council, which is backing the META regional stream, Kaspersky{CTF} also serves as a model of public-private cooperation in developing cyber resilience at scale.

Turning challenge into preparation

Cyber threats aren’t slowing down, and neither can security teams. In this environment, Capture the Flag competitions demonstrate a company's willingness to challenge itself, grow its talent, and stay ahead of adversaries by staying sharp, creative, and connected.

By engaging in events like Kaspersky{CTF}, businesses not only build stronger technical capabilities but also cultivate a sense of purpose and unity within their teams. In a landscape where attacks can strike from anywhere, at any time, that shared resilience may be the most valuable defense of all.

The competition is waiting and registration for Kaspersky{CTF} is now open.