Everything You Need to Know About the NCL From Someone Who Has Been Around as Long as Kait

The National Cyber League (NCL) is a cyber security capture-the-flag (CTF) competition for high school and undergraduate students in the United States. Whether you’re just getting started in cyber security or have prior experience, competitions are a great way to hone your skills.

NCL attempts to combine the polish of other academic competitions with the low barrier-to-entry of a casual online competition. It’s formal enough to be worthy of including on a resume, but it’s inexpensive and doesn’t require showing up in person.

CTF competitions typically involve solving a variety of challenges which, when completed, yield “flags”—special tokens that participants redeem for points. In NCL, challenges typically fall into categories depending on the skills required—as it turns out, there are quite a few distinct cybersecurity skill sets.

It’s not unusual for new players to find NCL intriguing but overwhelming. NCL isn’t a test: you aren’t expected to complete all of the challenges. Don’t be discouraged if you only complete a small fraction of the challenges on your first attempt. Take notes during the competition so you can research any questions that gave you trouble. Aim to improve each time you compete, but don’t feel pressured to finish every challenge. Even the best players rarely achieve 100% completion.

Season Timeline

As of writing, there are two NCL seasons each year in spring and fall to align with school semesters. Each season is divided in several parts:

  1. The Gym is a practice area that opens before the actual competition. It usually stays mostly the same between seasons. It only contains a few questions in each category, but it gives new players a chance to familiarize themselves with the game platform. While use of the Gym is encouraged, it doesn’t contribute to your score, so you’re free to experiment with the platform. Solutions are provided for most challenges.
  2. The Preseason is a week-long condensed game used to divide players into brackets. The Preseason is individual: you can’t request assistance from anyone else; all your efforts must be your own. Consulting pre-existing resources on your own, such as search engines or notes from previous seasons, is encouraged. While the Preseason is technically competitive, you’re only aiming to get placed in a bracket, so your exact score isn’t important unless you’re on the border of two brackets.
  3. The Individual Game is the competitive individual portion of the season. Like with the Preseason, players aren’t allowed to receive assistance.
  4. The Team Game is the competitive team portion of the season and is the only time you’re allowed to collaborate with others. You can work with other players in your team to solve challenges, though your team can’t receive assistance from anyone else.

Rankings, Brackets, and Scoring

Most players shouldn’t pay too much attention to their rank: you should aim to improve and hone your skills. However, if you’re interested in friendly competition, it’s important to know how scoring works.

The Preseason divides eligible players into three brackets, with a fourth bracket being reserved for participants who are ineligible to compete:

  1. Gold: Top 15%
  2. Silver: Next 35%
  3. Bronze: Remaining 50%
  4. Pewter: Participants who aren’t eligible to compete, such as coaches and those who do not participate in Preseason.

All brackets receive the same challenges, and all players can see their rank relative to all other players, but there are also per-bracket leaderboards. There will be winners from each of the three major brackets, and you’ll be able to see how you compare to other players within your bracket.

Rankings are determined based on points, accuracy, and completion time, in that order. For example, if players A and B both scored the same number of points, the tie will be broken by accuracy. If they have the same accuracy, the first player to the finish line comes out ahead. This has a few important consequences if you’re playing competitively, but that’s a topic that deserves its own blog post.

NCL vs. Cyber Skyline

NCL is a non-profit organization that arranges cyber security competitions, but they don’t usually make the challenges themselves. That responsibility is delegated to Cyber Skyline; they maintain the platform and the challenges.

If you have questions about a challenge during a competition, your questions must be directed to Cyber Skyline; you cannot ask anyone else for help or clarification. You’ll be able to access Cyber Skyline’s support system through the competition platform once you’re logged in. They won’t be able to provide hints, but they can make corrections and resolve technical issues.

Cyber Skyline hosts an NCL-centric channel on their Slack server. Once you have a Cyber Skyline account, register for an account on Slack. Be sure to stay in Slack during the competition and throughout the whole season. You’ll be able to network with other players, and Slack is the best way to receive important announcements in a timely manner.

Receiving Assistance

During the competition, you can’t ask anyone for help. The only exception to this is the team game, during which you can collaborate exclusively with other members of your team.

NCL isn’t a test: there’s no advantage to cheating. It’s meant to be both an educational tool and a friendly game. Please don’t ruin the game for others: don’t ask for help from your professors, coaches, fellow students, or by posting the questions on internet forums. Even basic clarifications are off-limits. If you’re not sure, file a support ticket with Cyber Skyline; while they can’t provide hints, they can post clarifications to all players and correct any technical issues.

Bringing Home the Trophy

There’s nothing quite like the thrill of working on a difficult challenge for days and finally making a breakthrough. Undoubtedly, many other players will want to know how to managed to solve the challenge as soon as the competition is over.

There’s just one caveat: NCL pays Cyber Skyline to run the competition, but Cyber Skyline continues to own the challenges. This is how we keep costs low. Unfortunately, that means neither we nor the players are licensed to distribute challenge content or solutions. Please be respectful of this: we can’t keep NCL priced accessibly if challenges are distributed publicly.

To compensate for this, at the end of each season, Cyber Skyline opens a special channel on Slack where challenges can be discussed, with some restrictions. Players are encouraged to share hints and general techniques there as long as they avoid major spoilers or outright solutions. This is quite an event; it’s amazing to hear all the creative ways players approached challenges. Even if you solved a challenge, you might learn something from another person’s solution.

It’s not all hush-hush, though. At the end of each season, you’ll receive a Scouting Report. This is NCL jargon for “resume enhancement.” The Scouting Report will break down your achievements during the competition; even if you have no plans of sending it to future employers, it’s a great way to track your progress as you learn and identify areas of potential improvement.

And sometimes there are actual prizes and trophies.

Credit: @joshbrunty on Twitter


One thought on “Everything You Need to Know About the NCL From Someone Who Has Been Around as Long as Kait

Leave a Reply

Please log in using one of these methods to post your comment:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.