CTF Scene Declared Dead as GPT-5.5 Solves Insane Pwn Challenges

The Death of Open CTFs: AI Has Broken the Scoreboard

A top-tier CTF player with wins at DownUnderCTF and membership in TheHackersCrew has declared the open online CTF scene dead. The reason: frontier LLMs like Claude Opus 4.5 and GPT-5.5 can now one-shot medium and even hard challenges, turning competitions into automation races.

What Changed: From GPT-4 to GPT-5.5

When GPT-4 first launched, medium-difficulty CTF challenges became solvable with a single prompt. The author notes that pasting a cryptography challenge into ChatGPT and returning 10 minutes later with a solution became routine. But the impact was limited—hard challenges remained untouched.

Claude Opus 4.5 changed the game. According to the source, "Almost every medium difficulty challenge, and some hard challenges, became agent-solvable." Claude Code packaged everything into a CLI, making it trivial to build an orchestrator that used the CTFd API to spin up a Claude instance for every challenge. Teams could let the system run for the first hour, then only work on what was left.

GPT-5.5 seals the deal. The author states, "These models can one-shot Insane difficulty active leakless heap pwn challenges on HackTheBox." They can solve a large portion of what a smaller CTF organiser can realistically produce. If you orchestrate Pro against Insane challenges in a 48-hour CTF, there is a good chance you get the flag before the event ends.

The Scoreboard No Longer Measures Human Skill

The CTFTime leaderboard, the global ranking system, now feels wrong. Legendary teams appear less often. Player activity feels lower. The author notes, "The 2026 scoreboard is unrecognisable compared to every year before it." TheHackersCrew and other top teams either don't play, play with fewer people, or struggle to break the top 10.

The competition has shifted from security skill to orchestration ability and token budget. The author calls it "pay-to-win": "The more tokens you can throw at a competition, the faster you can burn down the board."

The 'Beginners Are Fine' Myth

Some argue beginners can still learn from CTFs. The author counters that CTFs were a ladder—you could see yourself improve, solve more challenges, place higher. That feedback loop is breaking. If the visible scoreboard is dominated by AI-using teams, beginners are pushed toward AI before building instincts. "Active struggle is the bit that actually teaches you." The author recommends picoGym and HackTheBox as better learning environments where the expectation is education, not competition.

Why Organizers Can't Fight Back

CTF organizers have tried techniques to break LLM solutions—refusal strings, prompt injections, challenges based on post-cutoff tech. None stick. "Claude Code does not meaningfully care about old refusal-string tricks anymore." Frontier models get better at noticing prompt injections. Web search capabilities weaken challenges based on recent technologies. Rules against LLMs are ignored and unenforceable.

Making challenges deliberately hostile to agents often makes them "guessy, overengineered, or unpleasant for humans too."

The 'Just Adapt' Argument Fails

The author finds this take infuriating. Adapting to what? If it means building better tooling, CTF players already did that. If it means harder challenges, organizers already tried. If it means accepting the scoreboard as an AI orchestration benchmark, then be honest about it. The trajectory of LLM security capability outpaces challenge design.

The Aftermath: Community Fracturing

Some of the best CTFs, like Plaid CTF, are not running anymore. The author's local team, Emu Exploit, shares these sentiments. Members include people who attend the International Cybersecurity Championship, compete in Pwn2Own, and present at Black Hat. "The people losing interest are not casual observers. They are exactly the kind of people the scene used to produce and retain."

The author concludes: "The format is dead. Something else may replace it, but pretending nothing fundamental has changed only makes the loss harder to talk about honestly."

What Now?

The community should stay together through security-adjacent social events like SecTalks, student conferences, local meetups, and Discord communities. The learning and connection that CTFs fostered shouldn't be lost, even if the competitive format is broken.