openECSC is a cybersecurity competition open to everyone that invites enthusiasts to participate without any kind of limitations. Launched in 2022 as an extension of the European Cybersecurity Challenge, it aims to broaden participation beyond traditional age and nationality restrictions, featuring a series of jeopardy-style CTF competition rounds. openECSC 2025 will run September 29th through October 5th
Overview
The European Cybersecurity Challenge (ECSC) stands as a collaborative effort between the European Union Agency for Cybersecurity (ENISA) and multiple European nations. Its primary goal is to foster cybersecurity talent across the continent while forging connections between promising individuals and industry leaders.
Each year, thousands of aspiring talents from diverse European regions participate in national selection competitions. Their ultimate aim is to represent their respective nations at the prestigious ECSC Grand Finals. However, this event accommodates only a limited number of participants due to stringent age and nationality criteria. Consequently, many contestants miss out on the opportunity to showcase their skills at the international level.
To address this disparity and broaden participation, the openECSC has been introduced since 2022. Unlike ECSC, which is restricted to individuals aged 25 and under, the "open" designation of this program signals inclusivity. It welcomes participation from individuals of all ages, backgrounds, and nationalities, effectively inviting cybersecurity enthusiasts worldwide to engage, demonstrate their skills, and join the ECSC community.
The 2025 edition of openECSC will consist of only one round, instead of multiple rounds as in previous years. See the schedule section for more details.
The goal behind openECSC is to accommodate both not very experienced players and top level ones. Expect challenges with a wide range of difficulty levels.
Top performers in each openECSC rounds will be rewarded with unique openECSC merchandise.
Schedule
| Event | Timeframe |
|---|---|
| Challenge draft submission deadline | September 8th, 2025 |
| Challenge final submission deadline | September 21st, 2025 |
| openECSC 2025 | September 29th 18:00:00 CEST - October 5th, 2025 23:59:59 CEST |
Discord server
The main point for all the communication between players and organizers is the official Discord server, available here. Every announcement regarding the competition will be published on the dedicated announcement channel. The server includes a ticketing system, which can be used by players to request any kind of support during the competitions.
Competition format
The competition is a Capture The Flag (CTF) event, played in a jeopardy-style fashion.
The CTF platform (Berg) used for the openECSC competition will be available under this domain soon.
Challenge details
The CTF will feature up to 91 challenges in total, distributed as follows.
7 categories with 13 challenges each:- Web
- Reverse Engineering
- Cryptography
- Forensics
- Steganography
- Binary Exploitation
- Miscellaneous
Each category will have challenges with different difficulty levels:
- Easy: up to 3 challenges
- Medium: up to 5 challenges
- Hard: up to 3 challenges
- Leet: up to 2 challenges
Scoring
The scoring for each challenge is identical and every challenge weighs the same number of points at the time of its release. Scoring is dynamic: the more a challenge is solved, the less points it weighs. Every challenge starts at 500 points and decreases to a minimum of 100 points after 50 solves. The scoring formula is the following:
def challenge_score(num_solves, max_score=500, min_score=100, decay=50):
score = ((min_score - max_score) / (decay * decay)) * (num_solves ** 2) + max_score
return max(min_score, math.ceil(score))
The table below describes an example set of scores for a challenge, depending on the numer of solves:
| Number of solves | Score |
|---|---|
| 0 solves | 500 points |
| 1 solve | 500 points |
| 5 solves | 496 points |
| 10 solves | 484 points |
| 45 solves | 176 points |
| 50 solves | 100 points |
| 61 solves | 100 points |
The final score for a single player is computed as the sum of the points given by the challenges the player has solved. Players will be sorted in the final scoreboard using descending order of points. Ties are broken using the last correct submission timestamp: earlier submissions win over later ones.
No additional points are given for early submission (i.e. first blood) or for particularly good solutions to the challenges.
Rules
Eligibility
Everyone is eligible to participate in openECSC; no age,country or any other kind of restriction applies. Challenge authors can play, but won't appear on the public scoreboard.
Competition
- Each player can have only one account and must play under only one name/nickname
- Email confirmation (or social login with Discord) is required to play. Email addresses used during registration will also be used to contact the winners. They won’t be publicly visible to the other players.
- Announcements regarding the competition will be posted on the official Discord server. In case of challenge-specific announcements, they will be mirrored in the challenge description.
- Collaboration with other players is prohibited. This includes (but is not limited to) sharing hints, exploits or flags.
- If not specified otherwise in the challenge description, only targets inside
*.challs.openec.scare in-scope for the challenges. Attacking anything outside is forbidden. - Flags are in the format
openECSC{l33t_string}if not specified otherwise. - The use of automatic scanning tools, or in general tools generating large amounts of traffic is prohibited.
- Support is given using the official Discord server only. In particular, the correct way to ask for support is by using the ticketing system.
- If you are not sure if something is allowed or not, use the ticketing system to ask before doing it.
Fair play
- Attacking other participants or the contest infrastructure is prohibited. Targets are clearly stated in the challenge descriptions. This also includes social engineering and all the actions aimed to gain access to other player's accounts.
- Any action aimed at altering the behavior of a challenge for other players is prohibited. This includes modifying/deleting flags, patching them via RCE, backdooring, etc.
- Any action aimed at generating excessive load to the contest infrastructure is not allowed. Any kind of action resulting in DoS is not allowed (e.g. network, logical, …)
- Asking privately for hints (to authors or players) is prohibited. This is valid for both asking and giving hints.
- Sharing exploits, solutions or writeups publicly on the internet during the competition is not allowed.
- If any bug or flaw is found in the infrastructure platform, players are kindly asked to report it by opening a ticket. Reports will be awarded with a special mention published on the platform itself.