CMU Cybersecurity competition

What is picoCTF?

picoCTF is a computer security game targeted at middle and high school students. The game consists of a series of challenges centered around a unique storyline where participants must reverse engineer, break, hack, decrypt, or do whatever it takes to solve the challenge. The challenges are all set up with the intent of being hacked, making it an excellent, legal way to get hands-on experience.

This year’s competition features a brand new adventure. When your friend disappears unexpectedly, you must learn and use computer security skills to uncover and decipher critical evidence behind their whereabouts. Can you find your friend before it’s too late?

Game overworld: Investigate the room for more clues.
Challenge: Grep Is Your Friend


Thanks to the support of our sponsors, we have received over $30,000 to support development of picoCTF and give prizes this year.

Rules & restrictions

Prize eligibility

Only middle or high school students in the United States are eligible for prizes.

Winners may be asked to produce written solutions for several challenges before receiving prizes. Winners will need an advisor or faculty member at their school to serve as a point of contact. For all prizes we reserve the right to verify the identity and eligibility of contestants.


Outside of the eligibility rules, picoCTF has a few guidelines. While there are no limitations on the resources or tools that you can use, only students may solve challenges. Advisors or others may help facilitate work, such as by helping set up tools or providing resources, but may not provide direct assistance on any problems.

Additionally, competitors may not interfere with the progress of other competitors, nor with the operation of the competition’s infrastructure. More specifically, attacking the scoring server, other competitors, or machines not explicitly designated as targets is cheating. This includes both breaking into such machines, and denying others access to them or the ability to solve problems (for example, by altering a key or ping-flooding). Sharing keys or providing overly-revealing hints with other competitors is cheating, as is being directly assisted by other personnel (using tools from the internet is okay; asking people on the internet to help you solve the problem is not). We encourage you to solve problems in novel and creative ways using all available resources, but we do require that you solve them yourselves.

Breaking any of these rules will result in disqualification and notification of the affiliated school.

We want to hear from you!

If you have any questions or comments about picoCTF (or just want to get in touch) please do not hesitate to contact us. A member of PPP will respond as soon as possible.

Educators can contact us at

Members of the press can contact us at

Potential sponsors can contact us at

All others please email

Who we are

picoCTF is hosted by cybersecurity experts from the Plaid Parliament of Pwning in Carnegie Mellon University’s Security and Privacy Institute, CyLab.

David Brumley

Project Lead

Marty Carlisle

Technical Lead

Sarah Bien

Story Lead

Azer Wang

Story Lead

Bill Parks

Problem Development Lead

Melanie Rich-Wittrig

Problem Developer

Beth Goldman

UI Developer

Kevin Cooper

Problem Developer

Jake Olkin

Problem Developer

Samuel Kim

Problem Developer

Zach Wade

Problem Developer

Corwin de Boor

Problem Developer

David Hashe

Problem Developer

Carolina Zarate

Problem Developer

Keane Lucas

Problem Developer

Tim Becker

Problem Developer

William Yang

Problem Developer

Ryan Montgomery

Web Developer