Everything You Need to Know About the NCL Season

Welcome to the National Cyber League (NCL)!

NCL is a Jeopardy-style capture-the-flag (CTF) game for college and high school students. A variety of topics are covered: Open Source Intelligence (OSINT), Cryptography, Scanning, Password Cracking, Log Analysis, Network Traffic Analysis, Web Application Exploitation, Enumeration and Exploitation (reverse engineering), and Forensics. Each category will have multiple questions rated easy, medium, and hard. Some questions will be straight-up questions; others will have artifacts for you to explore and solve to extract a flag.

A very important point, important enough to scream it—THERE IS NO EXPERIENCE REQUIRED. Going into my first season, I knew virtually nothing. I knew how to make sure the anti-virus was running, I knew how to port forward for a Minecraft server, but when it came down to actually knowing security… I talked myself out of even signing up the first season my school was involved. Our second season, I almost talked myself out of even signing up again. I knew I wanted to get into security, and I thankfully had this moment of clarity: if I sign up, I get to actually see first-hand what’s involved with security, I’ll be working with a bunch of other students who may very well be as noob as I am, and if I screw up, it’s just a game—I can’t get fired. So with a lot of fear and trepidation and praying to the YOLO gods, I clicked that register button. In retrospect, I wish I would have joined that first season. Yes, you will bang your head on the screen trying to solve problems, but it is addictive as [REDACTED] and a helluva lot of fun.

You’ll have the entire length of the Game, which will be several days, to take part. Points are scored by correct answers. Accuracy is used as a tie-breaker. If points and accuracy are the same, then time is used as a further tie-breaker. Take a deep breath, join when you can, and enjoy the madness.

If you are a complete noob to this, I recommend starting with the Open Source Intelligence (OSINT) domain, aka How-Well-Do-You-Google? It’s a common question: are you allowed to use search engines? YES! The OSINT category is designed entirely to hone your search engine skills that you will likely use in every category! Start in OSINT, get a few correct answers under your belt to build the confidence, and tally ho!

Registration and Season Play

Registration for NCL runs from February 1st through March 5th, with a $35 registration fee covering the Gymnasium, Preseason Game, Individual Game, and Team Game.

The Gymnasium opens February 15th and lasts until May 28th and is a practice ground. It is the exact same environment as the rest of the event, so you can familiarize yourself with the Game environment, take part in practice challenges that will include walk-throughs, and start familiarizing yourself with different tools and techniques. This is open long before the start of season play and stays open long after the end.

The Preseason lasts from March 15th to March 22nd and is a mandatory game that determines your bracket. There are four brackets you could end up in: Pewter, Bronze, Silver, and Gold.

Pewter is reserved for those who do not take part in Preseason. Otherwise, the main purpose of the brackets is to create different leaderboards so you are able to judge how you are doing compared to others who are at a similar skill level. There will be players with far more experience who reach the top of the Gold bracket, so comparing yourself against them may not be helpful. Instead, it’s an opportunity to see who your peers are and compete against them. Everyone gets the same challenges regardless of their bracket.

The Individual Game lasts from March 26th to March 28th. This is like the Preseason and Gym but with all new challenges. Odds are very few, if any, players will solve every challenge. Solving everything is shooting for the moon. There are going to be thousands of people participating; the goal is to do your best and learn along the way.

The Team Game lasts from April 9th to April 11th. This is almost exactly the same as all previous Games, with brand new challenges, except now you can collaborate with your teammates to try to solve stuff together. This can be intimidating your first time around, thinking you know nothing and not wanting to let the team down. One of the stories I like relating is this:

I was my school’s resident pcap person. We’re in Team Game, and I’m pretty much working on my own but pasting all my notes in a Slack channel—for the most part for myself because I really wasn’t expecting anyone else to want to look at pcaps. There’s two challenges I’m stuck on, been working on for days, but I have all my notes in Slack. In comes a new teammate who enters the channel: “I don’t know anything about Wireshark, but maybe I can help.” It really can’t be more than maybe 90 seconds or so, and he’s found one of the answers. When he starts going through the second question that was giving me trouble, it is probably close to five minutes before he finds the answer.

Notes help, and fresh eyes and noob eyes can question things more experienced eyes ‘know’ are meaningless details and overlook. Absolutely epic.


I mentioned Slack in the Team Game. Slack, Discord, or some other real-time communication tool (like the ones listed here or here) is essential if your team is not physically together.

Speaking of Slack, once you register for the NCL, there is a link to the Cyber Skyline Slack channel at the top of your dashboard. Please do join—this is a great way to communicate with the game makers as well as your fellow students from across the country.

Screenshot from the Cyber Skyline website. Update reads "For any questions or comments, please join us on our community slack or file a support ticket"
This is the update you will see at the top of your Cyber Skyline dashboard with the link to access the Slack channel.


Yeah, I know, ethics and rules is the boring stuff everyone just clicks next/next/next/agree to and forgets to ever read. The NCL rules can be found at https://nationalcyberleague.org/ncl-rules, and CryptoKait talks about how not to cheat in this blog post. Probably the big one to pay attention to is during Preseason and Individual Games: there is no collaboration allowed. Yes, you can Google to your heart’s content, but you cannot ask for help—not on Slack, not on Reddit, not on CourseHero, not on any other website you can think of to ask for help. During Team Game, the only people you are allowed to ask for help are your teammates. This may sound annoying, but consider this: security is a field where you will often have access to tools and information that are private and/or sensitive. There is a lot of power in learning security, so it becomes necessary to demonstrate ethics and responsibility in power. The entire field is built on trust, so it behooves us to act in a manner that generates trust.

In the end, NCL is a competition and a learning environment all at once. For many of your peers, this event is their very first foray into practicing real-world skills, perhaps for you as well. Do not stress trying to solve everything—not gonna happen :D. The real magic is comparing your growth from season to season, meeting peers that will someday be professional peers, and actually digging in and sinking your teeth into actual challenges meant to simulate the real-world skills we will use. You only live once, so dive in! ❤
