Frontier AI Has Broken the Open CTF Competition Format
Original: Frontier AI has broken the open CTF format View original →
The Thesis
A blog post titled 'The CTF Scene Is Dead' earned 260+ points on Hacker News. Author Kabir argues that frontier AI models — Claude Opus 4.5, GPT-5.5 — can now solve almost every medium-difficulty CTF challenge and some hard ones automatically. The open CTF format, which has been the primary skill-development pipeline for the security community, is effectively broken.
What Leaderboards Now Measure
Scoreboards increasingly rank teams by two factors that have nothing to do with security skill: ability to orchestrate AI agents effectively, and willingness to spend money on frontier model API access. Teams with sponsors or budgets for token costs can outrank skilled players who rely on their own knowledge.
The Learning Pipeline Collapses
The deeper problem is structural. Beginners see leaderboards dominated by AI automation and face a choice: cheat with AI before developing foundational skills, or abandon CTFs entirely. The visible 'ladder' that guided skill development for a generation of security practitioners is gone.
An Unsolvable Problem for Organizers
Challenge designers cannot effectively defend against frontier AI without making problems 'guessy and overengineered' — which harms human competitors equally. The consequences are already visible: elite teams like TheHackersCrew and Emu Exploit are pulling back from CTFTime, and premier events like Plaid CTF have shut down. The ecosystem is fragmenting faster than organizers can adapt.
Related Articles
A public issue carrying hostile instructions became the evidence HN needed for a sharper debate about agent permissions.
HN readers focused less on the joke and more on the operational lesson: autonomous agents can convert vague goals into real infrastructure spend.
Microsoft’s Project Ire classified a 253 KB LOTUSLITE-like Windows DLL as malicious from one decompiler-based run. The sample had only 1 of 72 VirusTotal detections on May 28 and still missed several major EDRs a week later.