I watched a friend paste a reverse engineering challenge into Claude last month. Three minutes later, he had the flag. No debugging, no manual analysis, no late-night epiphanies fueled by energy drinks. Just prompt engineering.
This is the new reality hitting the cybersecurity competition scene, and it's brutal.
The Numbers Don't Lie
The evidence is mounting everywhere you look:
- CTFTime leaderboards no longer measure human ability
- Strong teams are dropping out entirely
- Challenge authors are losing motivation to create new puzzles
- Open online CTFs are becoming pay-to-win based on compute budgets
A recent analysis found that frontier models like Claude Opus 4.5 and GPT-5.5 can now solve a substantial share of medium-difficulty CTF tasks in a single attempt. The shift started around the GPT-4 era, but it has accelerated dramatically.
<> "Open online CTFs have changed from a test of human security skill into something closer to an AI orchestration benchmark—the competition is increasingly about how well a participant can direct models and tools rather than reason through the challenge themselves."/>
This isn't just about getting hints or automating boring parts. The models are performing the core reasoning loop that defined competitive hacking.
The Old Defenses Are Crumbling
Every counterargument CTF organizers used to deploy has become obsolete:
- "AI is just a tool, like a chess engine" → But chess separated human and computer competitions decades ago
- "Beginners still benefit" → Not when the leaderboard becomes meaningless
- "Organizers can adapt" → How do you verify someone isn't using Claude in their browser?
The technical reality is harsh. Models can now handle the core challenge categories (see the sketch after this list):
1. Cryptography pattern recognition
2. Binary exploitation workflow scripting
3. Web security vulnerability discovery
4. Reverse engineering code analysis
5. Forensics log parsing and correlation
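To make concrete what that orchestration looks like, here is a minimal sketch of the kind of solve loop people are describing. It is not any team's actual pipeline: it assumes the OpenAI Python SDK and an API key in the environment, the "sandbox" is a naive subprocess stand-in, and the `flag{` check is an assumed flag format. Real setups layer on tool calling, retries, and far larger compute budgets.

```python
# Minimal sketch of an LLM-in-the-loop CTF solver.
# Assumes the OpenAI Python SDK (pip install openai) and OPENAI_API_KEY set.
import subprocess
import tempfile

from openai import OpenAI

client = OpenAI()


def run_in_sandbox(script: str, timeout: int = 30) -> str:
    """Write the model's script to disk and run it in a subprocess (NOT a real sandbox)."""
    with tempfile.NamedTemporaryFile("w", suffix=".py", delete=False) as f:
        f.write(script)
        path = f.name
    try:
        proc = subprocess.run(
            ["python3", path], capture_output=True, text=True, timeout=timeout
        )
        return proc.stdout + proc.stderr
    except subprocess.TimeoutExpired:
        return "[timed out]"


def attempt_solve(challenge_text: str, max_rounds: int = 5) -> str | None:
    """Ask the model for a solve script, run it, and feed the output back until a flag appears."""
    messages = [
        {
            "role": "system",
            "content": "You are solving a CTF challenge. Reply with only a Python script.",
        },
        {"role": "user", "content": challenge_text},
    ]
    for _ in range(max_rounds):
        reply = (
            client.chat.completions.create(model="gpt-4o", messages=messages)
            .choices[0]
            .message.content
        )
        output = run_in_sandbox(reply)
        if "flag{" in output:  # assumed flag format; adjust per event
            return output
        # Feed the execution result back so the model can refine its attempt.
        messages.append({"role": "assistant", "content": reply})
        messages.append(
            {"role": "user", "content": f"Script output:\n{output}\nRefine and try again."}
        )
    return None
```

The point isn't the code quality; it's that the entire loop fits on one screen, which is exactly why bigger API budgets translate so directly into more solves.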
Classic anti-LLM measures are laughably weak. Refusal-string tricks? Prompt-injection gimmicks? These feel like bringing a knife to a gunfight.
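To see why, consider a toy counter to the embedded-decoy approach. Everything here is invented for illustration (the pattern list, the helper name); the point is that a one-screen preprocessing pass removes the decoys before the model ever sees them.

```python
# Toy illustration: stripping embedded anti-LLM decoy strings from challenge files.
# The patterns are invented for this example; real decoys vary, but the idea is the same.
import re

DECOY_PATTERNS = [
    r"(?i)ai assistant[^\n]*(refuse|do not help)",
    r"(?i)ignore the rest of this file",
]


def strip_decoys(challenge_text: str) -> str:
    """Remove known decoy phrases so they never reach the model's context."""
    for pattern in DECOY_PATTERNS:
        challenge_text = re.sub(pattern, "", challenge_text)
    return challenge_text
```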
The Economics of Artificial Competition
Here's what really stings: CTFs are becoming token-intensive competitions. Teams with bigger OpenAI bills can run more agents for longer periods. It's like Formula 1, but instead of engine budgets, you're limited by API credits.
A 329-point, 308-comment discussion on Hacker News shows this is hitting a nerve across the entire security community. The reactions split into predictable camps:
- "The scene is truly dead" (the realists)
- "In-person events can survive" (the optimists)
- "We need AI-aware competition formats" (the adapters)
But the fundamental issue remains structural, not temporary.
What Dies With CTFs
For developers and security practitioners, this represents a seismic shift. Recruiting signals are breaking. Companies that used CTF performance to identify talent now need entirely new evaluation methods.
The ripple effects extend everywhere:
- Training program design becomes questionable
- Sponsorship value evaporates
- Educational assessment loses credibility
- Community building fragments
Worse, the economic inequality angle is genuinely disturbing. Competition results correlating with spending power rather than skill? That's not competitive hacking—that's venture capital with extra steps.
My Bet
The open online CTF format is functionally dead within 18 months. The community will split into two paths: highly controlled in-person events for serious competition, and AI-assisted learning platforms that embrace the technology rather than fighting it. The middle ground—traditional online CTFs pretending AI doesn't exist—will become increasingly irrelevant as models get better and cheaper.
