Penetration Testing

The Collegiate Penetration Testing Competition is a red team competition which simulates a professional penetration test. Students act as security engineers tasked with identifying, exploiting, and reporting vulnerabilities in a fictional company infrastructure. The competition not only emphasizes technical prowess and familiarity with a variety of industry tools, but also the ability to communicate risk and promote plans of action to both corporate leadership and fellow engineers.

The competition runs over 24 hours long; teams infiltrate targets throughout the first day, then build their technical reports and presentations overnight to present the next morning. Each team of six is given access to the same configuration, which involves a mix of Windows and Linux hosts, cloud and physical machines. Professional conduct is paramount, and judges dock points for unprofessional actions, such as going out of scope or interrupting normal business traffic, accordingly.

Applied Cyber competes in the Western Region for CPTC, with the regional event held in November hosted here at Stanford. The top team, as well as selected wild card teams, advances to the Global Finals, held in Rochester, NY in late April.

Who can participate?

Up to 6 team members from the school roster may compete. The team roster can have up to 8 members.

Team Rosters and Accomplishments

2023-2024

Roster: Paul Crews, Cody Ho, Glen Husman, Donovan Jasper, Yasmine Mitchell (captain), Aditya Saligrama, Ben Tripp, Brian Ni (alternate).

Placements:

  • 2nd place, CPTC Global Finals, January 12-14, 2024.
  • 1st place, Western Regional CPTC, November 11-12, 2023.

2022-2023

Roster: Glen Husman, Mav Levin, Yasmine Mitchell (captain), Cooper de Nicola, Ben Tripp, Eli Wald, Donovan Jasper (alternate), Aditya Saligrama (alternate).

Placements:

  • 2nd place, CPTC Global Finals, January 13-15, 2023.
  • 2nd place, Western Regional CPTC, November 19-20, 2022.

Team responsibly disclosed CVE-2023-34854 discovered during the course of the competition.

2021-2022

Roster: Jack Cable, Glen Husman, Pierce Lowary, Yasmine Mitchell (captain), Cooper de Nicola, Eli Wald.

Placements:

  • 2nd place, CPTC Global Finals, January 7-9, 2022.
  • 2nd place, Western Regional CPTC, November 13-14, 2021.

Team responsibly disclosed CVE-2022-35420 discovered during the course of the competition.

2020-2021

Roster: Jack Cable, William DeRocco, Kyla Guru (captain), Glen Husman, Pierce Lowary, Katie Watson.

Placements:

  • 2nd place, CPTC Global Finals, January 7-10, 2021.
  • 3rd place, Western Regional CPTC, October 24-25, 2020.

2019

Roster: Jack Cable, Colleen Dai, William DeRocco, Pierce Lowary, Micah Murray, Anna Zeng (captain), Raymond Hernandez (alternate), Antoni Rytel (alternate).

Placements:

  • 1st place, CPTC National Finals, November 22-24, 2019.
  • 1st place, Western Regional CPTC, October 12-13, 2019.

Team responsibly disclosed CVE-2019-19249 (QueryTree authorization bypass) and CVE-2019-19250 (OpenTrade SQL injection) discovered during the course of the competition.

2018

Roster: Paul Crews, Colleen Dai, Wilson Nguyen, Kate Stowell, Matthew Tan, Anna Zeng, Dillon Franke (alternate), Ali Malik (alternate).

Placements:

  • 1st place, CPTC National Finals, November 2-4, 2018.
  • 1st place, Western Regional CPTC, October 6-7, 2018.

Team responsibly disclosed CVE-2018-16293 (OpenAudIT authenticated remote code execution) discovered during the course of the competition.

2017

Roster: Paul Crews (captain), Colleen Dai, Travis Lanham, Albert Liang, Wilson Nguyen, Kate Stowell, Ali Malik (alternate), Arthur Tsang (alternate).

Placements:

  • 1st place, CPTC National Finals, November 3-5, 2017.
  • 1st place, Western Regional CPTC, October 7-8, 2017.

Alex Keller has coached the team since its inception in 2017.