2026 Rules

The following are the official rules for the eCitadel Open.

  1. Competitor Eligibility
    1. All competitors must be at least 13 years old.
    2. Competitors may only compete on a single team during any given event.
    3. All competitors must register and compete using their primary Discord account. Alternate accounts are not permitted without prior approval from competition officials.

  2. Team Composition
    1. Teams may consist of up to four competitors including the team captain.
    2. Once a competition has begun, team members may not be substituted or replaced.
    3. Each team will designate a Team Captain to act as the team liaison between the competition staff and the team before, during, and after the competition. Individuals may only serve as the Team Captain of one team at a time.
    4. International competitors are welcome to play, but will not be eligible to receive any awards.
    5. Individuals may only register and compete as part of one eCitadel team.

  3. Competition Conduct
    1. Throughout the competition, competition officials will occasionally need access to a team's system(s) for scoring, troubleshooting, etc. Teams must immediately allow competition officials access when requested.
    2. Teams have a limited time window which begins when the team logs into the competition portal. Once the time window has started it cannot be paused or stopped - teams must complete their work on all provided VMs within that time window. Points earned after the time window has expired will not be accepted.
    3. Teams may only have one instance or occurrence of any specific VM running at a time.
    4. Rolling back, resetting, or reverting VMs may result in point losses as the VM is returning to an earlier, less secure state.
    5. Teams are prohibited from conducting offensive operations against any system including but not limited to scoring systems, display systems, other teams, and so on.
    6. Teams must compete without "outside assistance" from non-team members. All private communications (calls, emails, chat, forum posts, conversations, requests for assistance, etc.) with non-team members that would help the team gain an unfair advantage are not allowed and are grounds for disqualification and/or a penalty assigned to the appropriate team.
    7. Teams are free to examine their own systems but no offensive activity against any system outside the team's assigned network(s), including those of other eCitadel teams, will be tolerated. Any team performing offensive activity against any system outside the team's assigned network(s) will be immediately disqualified from the competition. If there are any questions or concerns during the competition about whether or not specific actions can be considered offensive in nature contact the competition officials before performing those actions.
    8. Teams are allowed to use active response mechanisms such as TCP resets when responding to suspicious/malicious activity. Any active mechanisms that interfere with the functionality of the scoring engine or manual scoring checks are exclusively the responsibility of the teams. Any firewall rule, IDS, IPS, or defensive action that interferes with the functionality of the scoring engine or manual scoring checks are exclusively the responsibility of the teams.

  4. Professional Conduct
    1. All participants, including competitors, coaches, and competition officials, are expected to behave professionally at all times during all eCitadel events, including meetings, ceremonies, online forums, competitions, and so on.
    2. Activities such as swearing, consumption of alcohol or illegal drugs, disrespectful or unruly behavior, sexual harassment, improper physical contact, becoming argumentative, willful violence, or willful physical damage have no place at the competition and will not be tolerated.
    3. Violations of the rules can be deemed unprofessional conduct if determined to be intentional or malicious by competition officials.
    4. Competitors behaving in an unprofessional manner may receive a warning from competition officials for their first offense. For egregious actions or for subsequent violations following a warning, competitors may have a penalty assessed against their team, be disqualified, and/or permanently banned from the competition.
    5. Individual(s), other than competitors, behaving in an unprofessional manner may be warned against such behavior by competition officials or banned from the competition entirely by competition officials.

  5. Questions, Disputes, and Disclosures
    1. Prior to the Competition: Team captains are encouraged to work with the competition officials to resolve any questions regarding the rules of the competition or scoring methods before the competition begins.
    2. During the Competition: Protests by any team must be presented in writing by the Team Captain to the competition officials as soon as possible. The competition officials will be the final arbitrators for any protests or questions arising before, during, or after the competition. Rulings by the competition officials are final. All competition results are official and final as of the Closing Ceremony.
    3. In the event of an individual disqualification, that team member must cease participation immediately upon notification of disqualification and may not resume participation at any time. Disqualified individuals are ineligible for individual or team awards, or a refund of any registration fees.
    4. In the event of a team disqualification, the entire team must cease participation immediately upon notice of disqualification and is ineligible for any individual or team awards, or a refund of any registration fees.

  6. Scoring
    1. Scoring will be based on finding and fixing vulnerabilities, keeping required services up, removing unauthorized access, and completing business tasks that will be provided throughout the competition. Teams accumulate points by addressing security issues, successfully completing injects, and maintaining services. Teams lose points by violating service level agreements, usage of recovery services, and successful persistence by the Red Team.
    2. Official scores will be maintained by competition officials and may be shared after the competition. During the competiton, unofficial scores may be found on the scoreboard.
    3. Any action taken by a team or competitor that disrupts scoring agents or interferes with the functionality of the scoring engine or manual scoring checks are exclusively the responsibility of the teams.
    4. Any team member that modifies a competition system or system component, with or without intent, in order to mislead the scoring engine into assessing a system or service as operational, when in fact it is not, may be disqualified and/or the team assessed penalties.