2025 Rules

The following are the official rules for the eCitadel Open.

  1. Competitor Eligibility
    1. All competitors must be at least 13 years old.
    2. Competitors may only compete on a single team during any given event.

  2. Team Composition
    1. Teams may consist of up to four competitors including the team captain.
    2. Once a competition has begun, team members may not be substituted or replaced.
    3. Each team will designate a Team Captain to act as the team liaison between the competition staff and the team before, during, and after the competition. Individuals may only serve as the Team Captain of one team at a time.
    4. International competitors are welcome to play, but will not be eligible to receive any awards.
    5. Individuals may only register and compete as part of one eCitadel team.

  3. Competition Conduct
    1. Teams have a limited time window which begins when the team logs into the competition portal. Once the time window has started it cannot be paused or stopped - teams must complete their work on all provided VMs within that time window. Points earned after the time window has expired will not be accepted.
    2. Teams may only have one instance or occurrence of any specific VM running at a time.
    3. Rolling back, resetting, or reverting VMs may result in point losses as the VM is returning to an earlier, less secure state.
    4. Teams are prohibited from conducting offensive operations against any system including but not limited to scoring systems, display systems, other teams, and so on.
    5. Teams must compete without "outside assistance" from non-team members. All private communications (calls, emails, chat, forum posts, conversations, requests for assistance, etc.) with non-team members that would help the team gain an unfair advantage are not allowed and are grounds for disqualification.
    6. Teams must not interfere with scoring agents or servers used by competition officials.
    7. Protests by any team must be presented in writing by the Team Captain to competition officials as soon as possible. The competition officials will be the final arbitrators for any protests or questions arising before, during, or after the competition.

  4. Scoring
    1. Scoring will be based on finding and fixing vulnerabilities, keeping required services up, controlling/preventing unauthorized access, and completing business tasks that will be provided throughout the competition. Teams accumulate points by addressing security issues, successfully completing injects, and maintaining services. Teams lose points by violating service level agreements, usage of recovery services, and successful penetrations by the Red Team.
    2. Official scores will be maintained by competition officials and may be shared after the competition. During the competition, unofficial scores may be found on the scoreboard.
    3. Any action taken by a team or competitor that disrupts scoring agents or interferes with the functionality of the scoring engine or manual scoring checks is exclusively the responsibility of the teams.
    4. Any team member that modifies a competition system or system component, with or without intent, in order to mislead the scoring engine into assessing a system or service as operational, when in fact it is not, may be disqualified and/or the team assessed penalties.