THCON 2026 Socials: Half-Flag Each on LinkedIn and X

Platform: THCON 2026 (Toulouse Hacking Convention)
Difficulty: Easy
OS: OSINT
Tags: Social media OSINT, leetspeak

THCON’s Socials is the kind of warm-up OSINT challenge that’s not about tooling — it’s about reading the prompt twice and noticing the CTF authors have done something cute with their social media presence. The flag is split between two posts on two platforms, with each post hiding the other half behind an ellipsis. Visit both, stitch the halves, done. ...

May 16, 2026 · 3 min · 447 words · CyberSecurity Elite Team

BKISC 2026 Boring APK: Android NDK Reverse + Graph-Walk MitM

Platform: BKISC CTF 2026
Difficulty: Hard
OS: Android (arm64-v8a)
Points: 250
Tags: APK extraction, AES-GCM, ELF patching, qemu-aarch64, NDK basic_string, meet-in-the-middle

Boring APK was the 250-point reverse engineering challenge of BKISC CTF 2026. The hook is the title’s bait — Android is “boring” until you realise the flag check has been moved out of the Java/Kotlin layer into a native library, the assets it depends on are AES-GCM-encrypted, and the check itself is a 27-step graph walk with three running state words whose final values are all that the verifier compares. None of those stages is hard in isolation; stacking them is what makes the challenge. ...

May 16, 2026 · 8 min · 1624 words · CyberSecurity Elite Team

BKISC 2026 Cryptografie: Java AltBase64 over UTF-16 BE

Platform: BKISC CTF 2026
Difficulty: Easy
OS: Encoding
Points: 50
Tags: JDK source reading, custom Base64 alphabet, UTF-16 BE

Cryptografie is a 50-point crypto challenge from BKISC CTF 2026 that hangs off a single, very specific hint: FileSystemPreferences.dirName(). If you’ve never had to look at the OpenJDK source before, this challenge is a tour of an internal Base64-like helper that almost nobody outside the JDK uses — and the decoder only takes about ten lines once you know where to look. ...

May 16, 2026 · 4 min · 768 words · CyberSecurity Elite Team

BtSCTF 2026: Pokecollector Writeup — IDOR Through a Self-Issuing JWT

Platform: BreakTheSyntax CTF 2026
Difficulty: Easy
OS: Web
Tags: IDOR, JWT, OWASP API1:2023 Broken Object Level Authorization

Pokecollector is the kind of web challenge that sits right inside the OWASP API Top 10’s number one slot — API1:2023 Broken Object Level Authorization. The application enforces its access rules in the UI and forgets to enforce them on the API. The fix is a single server-side validation; the cost of missing it is a leaked flag. ...

May 16, 2026 · 5 min · 906 words · CyberSecurity Elite Team

BtSCTF 2026 FCP: Recover In-Memory RSA Key, Decrypt Resumed TLS

Platform: BreakTheSyntax CTF 2026
Difficulty: Hard
OS: Linux
Tags: TLS, RSA, Go memory forensics, EMS PRF, session resumption

FCP was a multi-step reverse-engineering and network-forensics challenge. You get a Go MCP (“Model Context Protocol”) server binary plus a PCAP of someone using it earlier. Buried in the capture is a get_flag call — but the live server’s get_flag endpoint has been rewritten to just return "no", so re-running it is useless. The challenge is to decrypt the historical traffic. Two specific design choices make this both possible and nontrivial. ...

May 16, 2026 · 8 min · 1498 words · CyberSecurity Elite Team

Hack The Box Academy vs TryHackMe: Which Should You Choose in 2026?

If you’re new to offensive security, the choice between HackTheBox Academy and TryHackMe is the first major one you’ll make. Both are excellent. They are not interchangeable.

TL;DR

TryHackMe: gentler learning curve, broader topic coverage, lower cost. Best for beginners and breadth.
HackTheBox Academy: deeper technical content, more rigorous assessments, structured paths to industry certs. Best for intermediate to advanced and depth.
For most learners: start with TryHackMe, transition to HTB once you’re comfortable with the fundamentals. ...

May 6, 2026 · 3 min · 617 words · CyberSecurity Elite Team

Breaking Into Cybersecurity in 2026: An Honest Roadmap

The cybersecurity job market in 2026 is bifurcated: thousands of unfilled senior positions, vicious competition for entry-level roles. This guide is for the person trying to land that first SOC analyst, GRC analyst, or junior pentest job — written from the perspective of someone who reviews resumes for those exact roles. ...

May 5, 2026 · 4 min · 796 words · CyberSecurity Elite Team

Log4Shell Three Years Later: What Actually Changed?

CVSS 10.0 · CRITICAL

In December 2021, the open-source log4j2 library’s ${jndi:...} lookup feature was disclosed as a remote code execution vulnerability — the now-famous Log4Shell, CVE-2021-44228. Three years on, the bug is fixed, but the lessons keep landing. ...

May 4, 2026 · 3 min · 566 words · CyberSecurity Elite Team

Building a SOC From Zero: A Practical Guide

Most newly-built SOCs spend twelve months becoming a dashboard wall before they detect their first real intrusion. Here’s how to skip the theatre and ship value from week two.

Define the Mission First

Before any tool selection, agree on:

Scope — what assets, what environments, what hours.
Detection vs response split — are you running 24/7 or business hours + on-call?
Mandate — does the SOC have authority to isolate hosts, or is it advisory?
Reporting line — CISO, CIO, Risk?

Without these settled, every tool decision later becomes a politics fight. ...

May 3, 2026 · 3 min · 615 words · CyberSecurity Elite Team

AWS IAM Security Best Practices for 2026

IAM is the AWS control plane. Almost every public AWS breach traces back to an IAM misconfiguration — over-permissive roles, leaked access keys, or trust policies that accidentally trust the entire internet. This is the modern playbook.

The Foundation

Lock the Root Account

The root user has powers no other principal can have (closing the account, modifying the support plan). Treat it like nuclear codes: ...

May 2, 2026 · 3 min · 572 words · CyberSecurity Elite Team