21 hours ago
Image showing the management of challenge dependencies.
Across nearly 600 commits, we have turned the initial idea into what I believe is a solid CTF platform, featuring multiple capabilities, including multi-tenancy. Let me introduce “Cyber Talented Framework”, a professional CTF platform for cybersecurity competitions, developed with the assistance of Claude Code. It offers multi-competition management, dynamic Docker challenges, an advanced team system, and real-time scoring. It is also possible to design a progressively advancing challenge tree, or simply challenges that depend on one another in order to complete a level or a skill path, in a customizable way.
Application developed with Claude Code assistance.
A clarification for vibe coding enthusiasts and critics alike.
The use of AI in software development sparks debate, but the paradigm shift is inevitable. Just as no one today questions using CI/CD pipelines to detect vulnerabilities or code scanners to review millions of lines, agent-assisted programming is simply the next tool in the chain. The difference lies in who uses it: with a clear architecture and deep knowledge of the language—the result of years of experience—these tools amplify the developer’s capability. Without that foundation, they only generate noise.
This project has been developed with the assistance of Claude Code. Below are some reflections on this methodology:
1. Productivity and facilitation — Agent-assisted programming significantly increases productivity and acts as a facilitator. Even with a senior technical profile, much of the time is spent on coordination and human relations tasks: team conversations, idea generation, meetings, and planning.
2. Knowledge remains fundamental — Deep knowledge of the codebase and architecture—the result of years of experience—remains essential. These tools do not replace software engineering in the short term, but they significantly amplify developers’ capabilities. Not using them means missing out on clear value.
3. Best practices become even more relevant — Adequate test coverage, clear documentation, vulnerability detection, and solid deployment and integration processes are elements that guide agents and improve the quality of results.
4. Economics and human oversight — The economics of these systems is also a key factor. As with any paradigm shift, adaptation is necessary. Part of the investment goes toward token usage to allow people to focus their effort on verification and supervision. The “human in the loop” approach and tracking mechanisms allow for correcting deviations and validating model outputs.
Application Architecture
The architecture describes a multi-tenant CTF platform designed to be scalable, secure, and easily extensible. User access is handled through Cloudflare, which acts as the first perimeter security layer by providing WAF, CDN, DNS, and subdomain-based routing for each tenant. Traffic is then forwarded to an Nginx gateway running on a DigitalOcean droplet, responsible for TLS termination and reverse proxying into the internal Docker network. Within this network, an internal Nginx manages routing between the frontend (React/Next.js, not vulnerable to react2shell!) and the backend API (Python/FastAPI), both decoupled and communicating with a PostgreSQL database configured with a multi-tenant schema.
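With subdomain-based tenant routing in front of a multi-tenant database, the backend has to turn an untrusted `Host` header into exactly one known tenant before it touches any data. The sketch below is an added example, not the platform's own code: it assumes a schema-per-tenant layout, and the domain `ctf.example`, the `TENANTS` registry and the function names are all hypothetical.

```python
import re

BASE_DOMAIN = "ctf.example"  # assumed platform domain (placeholder)
# Constructed tenant registry: subdomain label -> PostgreSQL schema name.
TENANTS = {"acme": "tenant_acme", "uni-lab": "tenant_uni_lab"}

_LABEL = re.compile(r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?")
_SCHEMA = re.compile(r"[a-z_][a-z0-9_]{0,62}")


class TenantError(ValueError):
    """Raised when a request cannot be mapped to exactly one known tenant."""


def tenant_from_host(host_header: str) -> str:
    """Return the tenant label for a Host header, or raise TenantError."""
    host = host_header.strip().lower().rstrip(".")
    # Split off an optional :port; a non-numeric or empty port is rejected.
    name, sep, port = host.partition(":")
    if sep and not port.isdigit():
        raise TenantError("malformed port")
    suffix = "." + BASE_DOMAIN
    if not name.endswith(suffix):
        raise TenantError("host outside platform domain")
    label = name[: -len(suffix)]
    # Exactly one DNS label: rejects nested names such as "a.acme".
    if not _LABEL.fullmatch(label):
        raise TenantError("invalid tenant label")
    if label not in TENANTS:
        raise TenantError("unknown tenant")
    return label


def search_path_sql(host_header: str) -> str:
    """Build the per-transaction SET statement from the registry, never from input."""
    schema = TENANTS[tenant_from_host(host_header)]
    if not _SCHEMA.fullmatch(schema):  # defence in depth on registry data
        raise TenantError("unsafe schema name")
    # SET LOCAL only lasts for the current transaction, so a pooled
    # connection does not carry one tenant's schema into the next request.
    return f'SET LOCAL search_path TO "{schema}"'
```

The schema name always comes from the server-side registry, so nothing taken from the request is ever interpolated into SQL.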
The application lifecycle is supported by a CI/CD pipeline based on GitHub Actions, which automates build, testing, and deployment across different environments. Throughout this process, continuous vulnerability identification and management activities are carried out, integrated both into the CI/CD pipeline and the architectural design itself, with the goal of reducing the attack surface and maintaining a security posture appropriate for an offensive security-oriented platform.
Manage multi-tenant clients of the platform
Key Features
Discover everything our platform can offer
Competition System
- Simultaneous multi-competition – Manage multiple CTFs in parallel
- Real-time scoreboard – Instantly updated rankings
- Dynamic scoring – Points that adapt based on solves
- Score freeze – Visibility control at critical moments
- Competition templates – Create competitions from reusable templates
- Participation certificates – Automatic digital diplomas for participants
- Live monitoring – Activity tracking during competition
Competitions Management, Create and manage multiple competitions
Challenge Management
- Dynamic Docker challenges – Isolated instances per team/user
- Dependency Tree – Interactive visual system for challenge prerequisites
- Customizable categories – Flexible challenge organization
- Challenge packs – Efficient grouping and distribution
- Hint system – Unlockable hints with point cost
- CTFd Import/Export – Compatibility with standard CTFd format
Manage Challenges
Team System
- Complete team management – Creation, invitations, roles
- Shared solves – Unified team progress
- Team auto-unlock – Automatic unlocking of dependent challenges
- Respect system – Recognition between players
Players
- 2FA Authentication – Second factor with TOTP and backup codes
- API Tokens – Programmatic access with configurable scopes
- Badges and achievements – Recognition and medal system
- Writeups – Post-competition solution publishing
Scoring System and Rankings
Artificial Intelligence
- Per-challenge AI assistant – Integrated chat with Claude for contextual hints
- Conversation history – Persistence of interactions per challenge
- Smart rate limiting – Usage control per user and challenge
AI Challenge, player view
AI Challenge, admin design view
Multi-Tenancy
- Complete isolation – Total data separation between organizations
- Per-tenant Docker management – Each admin manages their own Docker hosts
- Plans and subscriptions – License and limits management system
- Configurable limits – Users, competitions, challenges per tenant
Messaging System
- Threaded conversations – Messages organized in collapsible threads
- Read receipts – Real-time read confirmation
- Instant notifications – Toast alerts for new messages
Communications – Send and receive messages. For team, admin and players.
Administration Panel
- Dashboard with analytics – Activity, solves and participation metrics
- User management – Granular roles and permissions (RBAC)
- Remote Docker integration – Secure TLS connection for dynamic challenges
- Audit logs – Action records and security alerts
- Bulk Import/Export – Batch challenge management
- Writeup moderation – Solution approval
REST API
- Swagger documentation – Fully documented API
- Scoped tokens – Granular API permission control
- Rate limiting – Abuse protection
API Tokens – Developer Tools & Integrations
We are working on a stable version to ensure the best possible experience. Beyond the platform itself, the most important aspect is that challenges across different categories are being created for the initial packs. We will keep you informed 🙂.