Carnegie Mellon University
January 06, 2021

INI students advance to global finals in offensive-based competition

CMU among the teams from the world’s top 15 cybersecurity universities to face off in the virtual Collegiate Penetration Testing Competition (CPTC) global finals, January 7-10.

By Jessica Shirley

& Deana Lorenzo

Jessica Shirley

A student team from Carnegie Mellon University (CMU), including five Information Networking Institute (INI) students, will advance to the global finals of the Collegiate Penetration Testing Competition, an offense-based computing security event designed to train the next generation of cybersecurity professionals.

Last fall, more than 500 cybersecurity students from 64 schools competed in eight regional events around the world, with CMU placing first in the Northeastern Regional to advance to the global finals.

On January 7, INI security students Sears Schulz, Wil Luca, John Johnson, Bendie Minu and Hugrun Hannesdottir, along with Heinz College student Chase Pasciuto, will represent CMU in the world’s largest offensive-based collegiate cybersecurity competition.

A Hacking Competition with a Real-World Twist

Unlike other cybersecurity competitions, which focus on defending a network, searching for flags or claiming ownership of systems, CPTC is designed to mimic real-world penetration testing. Students attempt to break into computer networks created for the competition, then write and present a report sharing their findings along with suggestions for future risk mitigation. In this year’s scenario, students will test the energy grid infrastructure of a small city, including a hydroelectric dam, a nuclear power plant and a wind farm system that could be connected to a regional power utility company. 

“CPTC tests students' ability to not just hack into enterprise systems, but to exploit these systems in such a controlled manner that they avoid damaging the target network, assess the general strength of defensive countermeasures, and articulate each discovered vulnerability so that maintainers can keep the not-so-helpful hackers out,” explained Luke Jones, software engineer at Carnegie Mellon CyLab and the team’s coach.

He applauds Schulz, an INI first-year student, for finding and motivating such a talented and diverse group of fellow CMU students, attributing the team’s success to the unique balance of complimentary skill sets.

“Our team is excited to compete in the international finals this weekend, applying lessons learned from the regional competition. It will involve a assessing a more secure network and greater communication with company executives,” said Schulz.  

The scenario-based competition tests both technical and business acumen. Teams take on the role of consultant for the fictional company, testing and evaluating the organization’s computer systems and networks without impacting the operations of simulated business activities.

“The company would call us with problems and questions about our penetration test and cybersecurity in general. If we used a destructive exploit, they would contact us, and we would have to respond in character,” said Pasciuto. “This made the competition feel very real, allowing our team to gain a more realistic experience of what it is like to perform a real-life penetration test.”

Competitions like CPTC are designed to train the next generation of cybersecurity professionals at a time when the industry faces a severe talent shortage. Through the simulated exercise, students gain valuable practice applying concepts learned in the classroom to real-world problems.

“Students learn by doing,” said Dr. Hanan Hibshi, INI research and teaching scientist. “In CPTC, they get hands-on experience tackling vulnerabilities and protecting systems against them. These skills are highly sought-after in the U.S. job market and worldwide due to the increased demand to hire skilled cybersecurity personnel.”

"In CPTC, they get hands-on experience tackling vulnerabilities and protecting systems against them."

Dr. Hibshi also advises students involved in picoCTF,  Carnegie Mellon's educational platform that teaches players of all ages cybersecurity from scratch by playing an online game. picoCTF also hosts the world's largest hacking competition with prizes for top middle and high school student teams. Several of the INI team members competing in CPTC this year also participate in picoCTF as problem developers.

Where to Watch

Portions of the competition will be livestreamed on the CPTC YouTube channel on January 9 and 10. On January 9, representatives from each school will highlight the cybersecurity research and efforts taking place on their campuses.

Tune in to watch the closing ceremony, hear a keynote speech from experts at IBM Security and find out who will be the winner of CPTC.

Best of luck to the CMU CPTC team! 


"Competing in CPTC is an amazing opportunity to learn. The competition is very realistic, which makes it all the more fun since you gain a lot of knowledge." - Hugrun Hannesdottir, MSIS



"I compete in a lot of Capture the Flag events, but CPTC is unique because it is closer to a real world security assessment. It was a fun opportunity to practice a skill that may be a career some day." - John Johnson, MSIS


"CPTC has a report writing component as well as technical challenges. I think putting graduate students in a situation where they must use both makes them see the value in each." - Wil Luca, MSIS


"I am interested in both offense and defense, and find both important to understand since they are so closely related." - Bendie Minu, MSIS


"The competition tests both our technical and business acumen, helping us to develop into well-rounded cybersecurity professionals." - Chase Pasciuto, MSISPM, Heinz College


"This competition has given me the perspective that penetration testing is a lot more than just time on the keyboard, but it is still a career I'm definitely interested in." - Sears Schulz, MSIS