No Outside Help: Participants are allowed to use outside help during the event, but for educational purposes and only to help guide the team not give the answers (no unregistered players are allowed). Google/internet research is allowed.

No Collateral Damage: Only attack systems for which they have explicit permission and are running in the competition infrastructure (these will be clearly indicated). No attacks on any systems or equipment outside of this environment are allowed.

Brute Forcing: Avoid generating large amounts of traffic and/or brute forcing; none of the challenges can be solved by running automated scanners, so please do not do so. This includes scanning with Nikto, Skipfish, Vega, Nessus etc. (Nmap and Sqlmap are fine!).

No Fratricide: Sabotaging or in any way hindering the progress of other competing teams is strictly not allowed. This includes attempting to alter or disrupt a challenge or service after you have completed it.

One Team/Multiple Challenges: Each individual team can work on multiple challenges at one time, with some restrictions, based on the portal backend software.

Challenge Progression: Challenges may be attempted in any order. If your team is stuck on a challenge, move on to a different challenge.

Bring Your Own Attack Platform: All teams need to bring their own attack platform(s). We recommend Kali Linux, but this is not a requirement.

Restrictions: Students or professionals, ages 18 and over, enrolled at a participating college or university during the 2023 academic year are eligible to participate. Partners, Principals, and employees of Deloitte LLP and its subsidiaries are not eligible to participate in the competition. Government employees may enter, but may not win a prize.

In the Event of a Tie: The fastest participant wins.