Operation Cyber Flag '26 - What does an Attack & Defense CTF exercise look like from the inside

Introduction

In February 2026, I had the opportunity to participate in Operation Cyber Flag '26 (OCF'26) - an Attack & Defense CTF exercise organized by the Cyberspace Defence Forces Component Command (DKWOC) as part of the Cyber Legion program. We competed as team ByteBattlers - and managed to finish the qualifiers in 3rd place 🥉. This is one of the most demanding forms of competition in cybersecurity - and definitely one of the most realistic.

In this post, I want to share my impressions and a general overview of the exercise - without going into technical details of the exploits, but capturing the atmosphere and the nature of what actually happens there.


What is Cyber Legion and OCF'26?

Cyber Legion is a DKWOC program aimed at consolidating the Polish cybersecurity community around the Armed Forces of the Republic of Poland. It connects civilian IT experts with defense structures, creating one of the strongest cybersecurity ecosystems in the country.

Operation Cyber Flag '26 is the flagship exercise within this program. The format? CTF Attack & Defense - which means it's not enough to know how to attack. You must simultaneously defend your own infrastructure, keeping services fully operational, while other teams actively try to take them over.

The entire exercise consists of four qualification phases (January–February 2026), after which the top 12 teams out of approximately 40 advance to the grand finale in May 2026.


The Attack & Defense Format - What Does It Actually Mean?

For those who haven't encountered this CTF format before - imagine a scenario where:

🔴 You attack - you look for vulnerabilities in opponents' services, write exploits, and steal their flags (dynamically generated tokens that confirm a successful breach).

🔵 You defend - you patch your own services, monitor logs, respond to incidents, and make sure your applications are still functioning correctly (because you lose points for downtime).

⚖️ SLA (Service Level Agreement) - the organizers regularly check whether your services are working properly. If you patch something too aggressively and break functionality - you lose points just as fast as if someone had hacked you.

This requires simultaneous work on multiple fronts: reverse engineering, exploit development, patching, monitoring, and constant priority management under time pressure.


Our Services - What Did We Defend and Attack?

During the exercise, we dealt with eight main services (4 on the first day and 4 more on the second), which every team hosted on their own infrastructure. The services were diverse in both functionality and technology:

  • Multi-layered web applications - from classic monoliths to microservice architectures, built with various technology stacks (Java, Go, Python, C). Each required a different approach to analysis - decompilation, reverse engineering, Docker container configuration auditing.
  • Multi-component systems - services combining frontend frameworks, backends in different languages, databases (SQL and NoSQL), queues, caches, reverse proxies, and SSH access. The more moving parts, the larger the attack surface.
  • Custom protocols and APIs - besides traditional web applications, some services used internal binary APIs, custom serialization mechanisms, or non-standard communication protocols, requiring deeper low-level analysis.

The diversity of services demanded flexibility - you couldn't specialize in just one technology. The team had to quickly adapt to new stacks and identify vulnerabilities in completely different environments.


What Did Our Day Look Like?

Phase 1: Reconnaissance and Analysis

The first hours were pure analysis. Code decompilation, endpoint mapping, vulnerability identification. Each service had multiple layers to analyze - from network configuration, through business logic, to authentication mechanisms.

Right from the start, we managed to map the attack surface and set priorities - which vulnerabilities provide the fastest access to flags, and which require chaining multiple steps.

Phase 2: Exploit Development

Writing exploits is the heart of the offensive phase. We worked on scripts automating attacks against individual vulnerabilities - from simple one-liner requests to complex multi-stage chains. The key was automating the process so we could attack all teams simultaneously and collect flags every round.

For exploit orchestration, we used the Ataka framework - a tool that allows automatic execution of exploits against all targets, flag parsing, and automatic submission to the scoreboard.

Phase 3: Hardening and Defense

In parallel with attacking, we had to secure our own services. This meant:

  • Source code patching - modifications directly in decompiled sources, recompilation, and replacement in the running Docker container
  • Secret rotation - rotating passwords, API keys, and authentication tokens that were hardcoded in configuration
  • Authentication mechanism overhaul - for example, replacing insecure Java object serialization with secure, signed tokens
  • Log monitoring - real-time log analysis to detect attacks and respond to incidents

The most important challenge of defense was balance - every patch had to fix a vulnerability without breaking the functionality checked by the SLA checker. More than once, an overly aggressive fix caused a point drop due to service unavailability.
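The "signed tokens instead of Java object serialization" item above is the one defensive change that lends itself to a small illustration. The class below is an added example written for this post, not code from the exercise or from any ByteBattlers service: it issues and verifies HMAC-SHA256-signed tokens whose payload is a plain string, so no `ObjectInputStream` is ever invoked on attacker-controlled bytes, and the signing key is expected to come from configuration so it can be rotated along with the other secrets (the hard-coded key in `main` is a placeholder for that).

```java
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Base64;

/** HMAC-signed session token of the form base64url(payload).base64url(tag). */
public final class SignedToken {
    private static final String ALG = "HmacSHA256";
    private static final Base64.Encoder ENC = Base64.getUrlEncoder().withoutPadding();
    private static final Base64.Decoder DEC = Base64.getUrlDecoder();
    private final byte[] key;

    /** Key should be loaded from configuration so it can be rotated per round. */
    public SignedToken(byte[] key) { this.key = key.clone(); }

    private byte[] tag(byte[] data) throws Exception {
        Mac mac = Mac.getInstance(ALG);
        mac.init(new SecretKeySpec(key, ALG));
        return mac.doFinal(data);
    }

    /** Issue a token carrying an opaque string payload, e.g. "user=alice;exp=...". */
    public String issue(String payload) throws Exception {
        byte[] p = payload.getBytes(StandardCharsets.UTF_8);
        return ENC.encodeToString(p) + "." + ENC.encodeToString(tag(p));
    }

    /** Return the payload if the tag verifies; null for tampered or malformed tokens. */
    public String verify(String token) throws Exception {
        int dot = token.indexOf('.');
        if (dot <= 0 || dot == token.length() - 1) return null;
        byte[] p, sig;
        try {
            p = DEC.decode(token.substring(0, dot));
            sig = DEC.decode(token.substring(dot + 1));
        } catch (IllegalArgumentException e) { return null; }
        // Constant-time comparison so verification does not leak where the tag differs.
        if (!MessageDigest.isEqual(tag(p), sig)) return null;
        return new String(p, StandardCharsets.UTF_8);
    }

    public static void main(String[] args) throws Exception {
        // Placeholder key; a real service reads it from its (rotatable) configuration.
        SignedToken t = new SignedToken("placeholder-key".getBytes(StandardCharsets.UTF_8));
        String tok = t.issue("user=alice");
        System.out.println("valid:    " + t.verify(tok));
        // Swap the payload but keep the original tag: verification must fail.
        String forged = ENC.encodeToString("user=admin".getBytes(StandardCharsets.UTF_8))
                + tok.substring(tok.indexOf('.'));
        System.out.println("tampered: " + t.verify(forged));
    }
}
```

Because the payload is a string rather than a serialized object, the SLA checker's functional tests keep passing as long as the service still reads the same fields out of it, which is the balance the paragraph above describes.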

Phase 4: Analyzing Opponent Attacks

A very interesting aspect was analyzing attack logs coming from other teams. We could see in real time what payloads our opponents were trying, what techniques they were using, and whether our patches were effective. This provided not only the satisfaction of a successful defense, but also inspiration for our own exploits.


What Did I Learn?

1. Attack & Defense Is the Most Realistic Form of CTF

Unlike classic Jeopardy CTFs, the A&D format forces both offensive and defensive thinking. It's the closest experience to a real security incident that you can get under controlled conditions.

2. Priority Management Is Key

With limited time and many vulnerabilities, you have to make tough decisions: what to patch first, what to write an exploit for, and what to leave for later. You can't do everything - you have to choose what yields the most points.

3. Automation Is Mandatory

Manually exploiting a single target is one thing. Automatically attacking 30+ teams every round - that's a whole different ball game. Without solid scripts and an orchestration framework, there's no chance of keeping up the pace.

4. Defense Is More Than Just Patching

Monitoring, log analysis, rapid response to new attack vectors - defense in A&D is a continuous process, not a one-time task. You need to stay vigilant throughout the entire exercise.

5. Teamwork Determines the Outcome

You can't do this alone. Role division, communication, rapid sharing of information about new vulnerabilities and exploits - these are skills that in A&D are just as important as technical ones.


Summary

OCF'26 is one of the best cybersecurity exercises I've ever had the chance to participate in. Realistic scenarios, a high level of competition, time pressure, and the need to operate on multiple fronts simultaneously - all of this makes it an experience that truly develops your skills.

As ByteBattlers, we finished the qualifiers in 3rd place, which gives us a ticket to the grand finale in May. We're proud of this result - especially considering over 30 teams competing across the entire cycle.

Huge respect to DKWOC for the organization and the Cyber Legion program, which gives Polish cybersecurity experts a platform for growth and collaboration with the Armed Forces of the Republic of Poland.

We look forward to May and the finale 🏆


This post describes general impressions from the OCF'26 exercise as part of the Cyber Legion program. Technical details of exploits and service configurations have been intentionally omitted due to the nature of the exercise.