UMassCTF 2026: “Old Fashioned” Division

In recent months, advances in LLM models’ cybersecurity capabilities have allowed CTF teams to develop autonomous challenge-solving agentic systems. These are genuinely impressive, and we are very, very excited about the future of cybersecurity with LLMs. That said, when the core purpose of a CTF is learning, autonomous agents risk undermining the experience (especially for beginners). When agents clear out the easy and medium challenges without any human engagement, some teams find it destroys the fun and spirit of the competition. However, in an effort to not fall behind, these same teams are forced to use agents begrudgingly. This sentiment seems to be widely echoed in the broader CTF community.

At UMassCTF, we want to keep up with the evolving technological landscape, while creating a space for players who miss and value the traditional, human-centric CTF experience. This is an admittedly hard problem to solve well. Some ideas at a solution have been thrown around - such as embedding adversarial prompts into challenges to trip up agents, or requiring players to install monitoring software. However, these feel more invasive and counterproductive than anything, and also fail to reflect the reality that LLMs are here to stay.

So this year, we are trying something different. UMass CTF 2026 will have two divisions: a Regular division and an “Old Fashioned" division.

Rules

Here are the guidelines:

• Same challenges, two environments. The challenges, and the infrastructure hosting the challenges, is completely identical in both the Regular and Old Fashioned divisions. The only difference is that each division has its own separate CTFd instance for creating a team, submitting flags, tracking progress, etc.
• Choose one. A team may only compete in either the Regular or Old Fashioned division, not both. We will only be updating CTFtime points with accounts from the Regular division. However, if your team is competing in the Old Fashioned division but still wants CTFtime points, you may also have an account on the Regular division to submit your flags there as well. Your flag submissions in both the Old Fashioned division + the Regular division should be identical, and make sure to not use autonomous LLMs while solving any of your challenges.
• Prizes are exclusive to the Regular division. Official placements (1st, 2nd, 3rd) and all advertised prizes are awarded only through the Regular division. The Old Fashioned division will have an unofficial leaderboard, but no prizes. Unfortunately, any tangible incentive in the Old Fashioned division would risk incentivising cheating with agentic systems. The only “incentive” we can offer is good old clout.
• The Old Fashioned division allows - and even encourages - the use of LLMs as learning tools (i.e. chatbots for asking questions, writing scripts, debugging, etc.). What is not allowed is the use of autonomous LLM agents that “one-shot” a challenge - where you hand the agent a challenge and it returns the flag with no meaningful human involvement.
• Enforcement is based on the honor system. We are not installing monitoring software or building in any technical guardrails. We hope the absence of prizes, the existence of the Regular division where LLM agents are completely allowed, and a basic respect for fellow players - especially beginners and “traditional” teams who still want to compete without feeling pressured to adopt autonomous tooling - will be sufficient to preserve the spirit of this division.

An Experiment for the Community

We see this as an experiment - not just for UMass CTF, but also for the broader CTF community - as we all navigate how to balance learning cybersecurity in an era of increasingly capable AI. We acknowledge it is entirely possible that the Old Fashioned division fails - but even if it does, we hope it will be a valuable learning exercise. After the CTF concludes, we intend to publish our findings in a blog post on umasscybersec.org.