Educational Events
This section seems to primarily be scored in the final round and essentially involves scoring a team's ability to be responsible when pentesting.
- Note that it is still possible to have points deducted for incidents in regional events.
When pentesting for CPTC, you can't treat the network like any random HackTheBox. This means no changing a user's password, no brute-forcing, no exfiltrating sensitive data, etc.
Here are some things that have been scored (as negative points) in the past:
- Running dangerous exploits without knowing what they do
- Brute-forcing accounts and causing account lockout
- Sending an inappropriate phishing email
- Overloading ICS or other systems to cause a denial of service
- Pasting sensitive info into websites like ChatGPT (even static ones like CyberChef)
Some things to keep in mind:
- If you make a mistake, own up to it ASAP.
- When you are told about a mistake, make sure to react appropriately and professionally.
It seems that if you respond appropriately to a mistake, you can earn back up to 95% of the points you would have lost.