Publicado enCTF project

Cyber Talented Framework, a CTF platform coded with Claude Code.

No hay comentarios

Across nearly 600 commits, we have turned the initial idea into what I believe is a solid CTF platform, featuring multiple capabilities, including multi-tenancy. Let me introduce “Cyber Talented Framework”, a professional CTF platform for cybersecurity competitions, developed with the assistance of Claude Code. Multi-competition management, dynamic Docker challenges, advanced team system, and real-time scoring. Also, It is possible to have a progressively advancing challenge tree design, or simply challenges that depend on one another in order to complete a level or a skill path, in a customizable way.

A dependency tree challenges.
Image showing the management of challenge dependencies.

Application developed with Claude Code assistance.

A clarification for vibe coding enthusiasts and critics alike.

The use of AI in software development continues to generate debate, but the paradigm shift is unavoidable. Just as modern software engineering no longer questions the use of CI/CD pipelines for vulnerability detection or automated scanners to analyze millions of lines of code, agent-assisted programming represents the next natural evolution in the toolchain. The real differentiator is not the tool itself, but how it is used: when combined with a well-defined architecture and deep mastery of the programming language—built through years of experience—these systems significantly amplify a developer’s effectiveness. Without that foundation, they tend to produce little more than noise.

This project has been developed with the assistance of Claude Code. Below are some reflections on this methodology:

  1. Productivity and facilitation — Agent-assisted programming significantly increases productivity and acts as a facilitator. Even with a senior technical profile, much of the time is spent on coordination and human relations tasks: team conversations, idea generation, meetings, and planning.

  2. Knowledge remains fundamental — Deep knowledge of the codebase and architecture—the result of years of experience—remains essential. These tools do not replace software engineering in the short term, but they significantly amplify developers’ capabilities. Not using them means missing out on clear value.

  3. Best practices become even more relevant — Adequate test coverage, clear documentation, vulnerability detection, and solid deployment and integration processes are elements that guide agents and improve the quality of results.

  4. Economics and human oversight — The economics of these systems is also a key factor. As with any paradigm shift, adaptation is necessary. Part of the investment goes toward token usage to allow people to focus their effort on verification and supervision. The “human in the loop” approach and tracking mechanisms allow for correcting deviations and validating model outputs.

Application Architecture

The architecture describes a multi-tenant CTF platform designed to be scalable, secure, and easily extensible. User access is handled through Cloudflare, which acts as the first perimeter security layer by providing WAF, CDN, DNS, and subdomain-based routing for each tenant. Traffic is then forwarded to an Nginx gateway running on a DigitalOcean droplet, responsible for TLS termination and reverse proxying into the internal Docker network. Within this network, an internal Nginx manages routing between the frontend (React/Next.js- Not vulnerable to react2shell!) and the backend API (Python/FastAPI), both decoupled and communicating with a PostgreSQL database configured with a multi-tenant schema.

The application lifecycle is supported by a CI/CD pipeline based on GitHub Actions, which automates build, testing, and deployment across different environments. Throughout this process, continuous vulnerability identification and management activities are carried out, integrated both into the CI/CD pipeline and the architectural design itself, with the goal of reducing the attack surface and maintaining a security posture appropriate for an offensive security-oriented platform.

 

Application Architecture.
Application Architecture

 

Key Features

Discover everything our platform can offer
Discover everything our platform can offer

Competition System

  • Simultaneous multi-competition – Manage multiple CTFs in parallel
  • Real-time scoreboard – Instantly updated rankings
  • Dynamic scoring – Points that adapt based on solves
  • Score freeze – Visibility control at critical moments
  • Competition templates – Create competitions from reusable templates
  • Participation certificates – Automatic digital diplomas for participants
  • Live monitoring – Activity tracking during competition
Competitions Management - Create and manage multiple competitions
Competitions Management, Create and manage multiple competitions

Challenge Management

  • Dynamic Docker challenges – Isolated instances per team/user
  • Dependency Tree – Interactive visual system for challenge prerequisites
  • Customizable categories – Flexible challenge organization
  • Challenge packs – Efficient grouping and distribution
  • Hint system – Unlockable hints with point cost
  • CTFd Import/Export – Compatibility with standard CTFd format
Manage Challenges
Manage Challenges

Team System

  • Complete team management – Creation, invitations, roles
  • Shared solves – Unified team progress
  • Team auto-unlock – Automatic unlocking of dependent challenges
  • Respect system – Recognition between players

Players

  • 2FA Authentication – Second factor with TOTP and backup codes
  • API Tokens – Programmatic access with configurable scopes
  • Badges and achievements – Recognition and medal system
  • Writeups – Post-competition solution publishing
Scoring System and Rankings
Scoring System and Rankings

Artificial Intelligence

  • Per-challenge AI assistant – Integrated chat with Claude for contextual hints
  • Conversation history – Persistence of interactions per challenge
  • Smart rate limiting – Usage control per user and challenge
IA Challenge, player view
IA Challenge, player view

 

IA Challenge, admin design view
IA Challenge, admin design view

Multi-Tenancy

  • Complete isolation – Total data separation between organizations
  • Per-tenant Docker management – Each admin manages their own Docker hosts
  • Plans and subscriptions – License and limits management system
  • Configurable limits – Users, competitions, challenges per tenant
Manage multi-tenant clients of the platform
Manage multi-tenant clients of the platform

Messaging System

  • Threaded conversations – Messages organized in collapsible threads
  • Read receipts – Real-time read confirmation
  • Instant notifications – Toast alerts for new messages
Communications - Send and receive messages
Communications – Send and receive messages. For team, admin and players.

Administration Panel

  • Dashboard with analytics – Activity, solves and participation metrics
  • User management – Granular roles and permissions (RBAC)
  • Remote Docker integration – Secure TLS connection for dynamic challenges
  • Audit logs – Action records and security alerts
  • Bulk Import/Export – Batch challenge management
  • Writeup moderation – Solution approval

REST API

  • Swagger documentation – Fully documented API
  • Scoped tokens – Granular API permission control
  • Rate limiting – Abuse protection
API Tokens - Developer Tools & Integrations
API Tokens – Developer Tools & Integrations

 

We are working on a stable version to ensure the best possible experience. Beyond the platform itself, the most important aspect is that challenges across different categories are being created for the initial packs. We will keep you informed 🙂.

 

No hay contenido relacionado



Comentarios

Aún no hay comentarios. ¿Por qué no comienzas el debate?

Deja una respuesta

Tu dirección de correo electrónico no será publicada. Los campos obligatorios están marcados con *

Este sitio usa Akismet para reducir el spam. Aprende cómo se procesan los datos de tus comentarios.