As sophisticated, targeted attacks become increasingly prevalent, today’s organizations are being challenged now more than ever. In an effort to shed light on the nature of these types of attacks, Social-Engineer hosts an annual Social Engineering Capture the Flag (SECTF) competition at the DEF CON hacking conference in Las Vegas. At this conference the security elite demonstrate vulnerabilities in everything from cars to ATM machines and medical devices. Our purpose at this event is to demonstrate the ease with which a human can be compromised and shed light on the repercussions of human-based attacks.


2014 marked the fifth anniversary of the SECTF contest, and we decided to spice things up a bit by changing the parameters of the competition from years past.  This year, we opted to group contestants into teams of two, requiring contestants to interchangeably engage with targets during the live call portion without raising suspicion. This year’s target companies encompassed large retail stores, those that handle sensitive customer data and credit card information for millions of US customers.

While the live call portion of the SECTF event typically draws thousands of spectators, we like to remind observers, students and fans that this is only one portion of the competition. Much preparation takes place in advance. For three weeks leading up to DEF CON, teams are tasked with gathering as much open source intelligence (OSINT) from assigned companies as possible. From there, contestants must generate an informational report and capture as many preliminary flags as possible without contacting the company. This information-gathering phase illustrates the planning and preparation necessary to execute a targeted attack, while simultaneously demonstrating the threat social media and open source intelligence pose to organizations.


Each year following the event, the free educational arm of Social-Engineer releases a thorough report covering the entire competition in an effort to promote security awareness. The SECTF report outlines, in detail, the entire process contestants must go through for the competition. From team performance to flags obtained and specific attack vectors leveraged by contestants, the report is full of valuable information. The report even provides a score for each targeted organization, focusing on ways the organizations can better protect themselves from human-based attacks. We’re proud to announce that the 2014 SECTF report is now available for download.


Following the widely anticipated release of the SECTF report, social engineering experts and SECTF judges Chris Hadnagy and Michele Fincher will host a live webinar this Friday, October 31st, to provide an in-depth analysis of the report. This deep exploration will focus on specific attack vectors leveraged by social engineers and best practices for defending against them. The event will also feature a live question and answer session on all things SE. Register for the event, which will take place on Oct 31 at 1pm ET.