Carnegie Mellon University Scholars’ Team Wins 7th DEF CON Capture the Flag Title

The winningest team in DEF CON(opens in new window)’s Capture the Flag (CTF) competition history, Carnegie Mellon University’s Plaid Parliament of Pwning(opens in new window) (PPP), was at it again, defending its title and earning its seventh victory in the past 11 years.

PPP joined forces with CMU alumnus and University of British Columbia Professor Robert Xiao’s team, Maple Bacon, as well as hackers from CMU alumni and PPP founders Brian Pak and Andrew Weise’s startup Theori.io(opens in new window) (The Duck). Together, the group competed under the name Maple Mallard Magistrates (MMM).

DEF CON’s three-day flagship competition was held this year from Aug. 10-13 in Las Vegas. Widely considered the ‘Olympics’ of hacking, DEF CON brought together cybersecurity professionals, researchers and students, as 12 of the world’s top teams (who qualified from a field of 1,828 teams) attempted to break each other’s systems, stealing virtual flags and accumulating points while simultaneously protecting their own.

As the number of cybersecurity attacks continues to increase worldwide, competitions like DEF CON’s CTF provide the opportunity for leading cybersecurity engineers to measure up against one another, learning and developing new techniques as they work through various challenges.

Carnegie Mellon students, faculty and alumni once again demonstrated the university’s prowess in cybersecurity, finishing in the top spot on the leaderboard at the end of days one and two, and holding on in the competition’s final 24 hours to secure the victory. For the win, the team earned eight black badges, the most elite recognition in hacking.

“It feels great to win once again, and the team is incredibly pleased that we built and maintained a lead throughout the entire contest,” said Jay Bosamiya(opens in new window), PPP’s team captain for DEF CON CTF, a Ph.D. student in Carnegie Mellon’s Computer Science Department(opens in new window), and member of CMU’s CyLab Security and Privacy Institute(opens in new window). “Our victory as MMM shows how well our three teams work together.”

“It’s hard to understate the impact our students have in cybersecurity,” said David Brumley(opens in new window), professor in CMU’s Electrical and Computer Engineering Department(opens in new window). “Aside from DEF CON, CMU students were the first to hack a Tesla and the iPhone, have founded multiple successful companies like Theori, ForAllSecure(opens in new window) and Comma(opens in new window), and have become professors at top universities. Graduates of CMU’s cybersecurity programs are simply among the best in the field, and DEF CON is just one very specific way that proves it.”

PPP was first formed in 2009 and began competing at DEF CON in 2010. The team’s previous wins came in 2013, 2014, 2016, 2017, 2019 and 2022, with second place finishes in 2015, 2018, 2020 and 2021. The team runs and competes in several cybersecurity competitions each year, and recently defended its title(opens in new window) at the MITRE embedded Capture the Flag(opens in new window) event.

Members of PPP contribute to Carnegie Mellon University’s annual student-focused hacking competition, picoCTF,(opens in new window) developing challenges of varying levels of complexity. picoCTF has long been the go-to CTF for middle and high school students looking to build and hone their cybersecurity skills, and in recent years has expanded to include an undergraduate leaderboard, as well as several country and continent-specific leaderboards.

Home to the CyLab Security and Privacy Institute, U.S. News and World Report’s top-ranked undergraduate cybersecurity program(opens in new window), and several world-class graduate programs and courses, Carnegie Mellon University continues to lead the way in cybersecurity education and research.