August 11, 2025 • 30 mins
Can you spot the difference between real cybersecurity talent and someone using ChatGPT to fake their way through interviews? In this episode of The Audit, Thomas Rogers from Meta CTF reveals how Capture the Flag competitions are becoming the ultimate litmus test for authentic cyber skills—and why traditional hiring methods are failing in the AI era.
Whether you're a CISO looking to revolutionize your hiring process, a security professional wanting to level up your skills, or just curious about what happens when cybersecurity meets escape room logic, this episode delivers actionable insights you can implement immediately.
Key Topics Covered:
- How Meta CTF's Jeopardy-style competitions work and why they're addictive
- Real examples of CTF challenges that test critical thinking over pure technical knowledge
- The shocking rise of AI-assisted interview cheating (and how to spot it)
- Why "CTF culture" is becoming the new hiring differentiator for top security teams
- Practical tips for using competitions to build team camaraderie and retention
- How smaller companies can compete with Big Tech for cybersecurity talent
Don't let your next hire fool you with AI-generated answers. Learn how CTF competitions reveal the real problem-solvers from the pretenders. Like, share, and subscribe for more cybersecurity hiring secrets that actually work!
#MetaCTF #CybersecurityHiring #CTF #InfoSec #CyberSecurity #AIInterviews #TechRecruiting
Mark as Played
Transcript
Episode Transcript
Available transcripts are automatically generated. Complete accuracy is not guaranteed.
Speaker 2 (00:04):
You're listening to the Audit presented by IT Audit
Labs.
I'm Joshua Schmidt, yourco-host and producer Today.
We're joined by Nick Mellum andEric Brown, and today our guest
is Thomas Rogers from MetaCTF.
Thomas, how are you doing?
Doing good?
Thanks for having me.
Absolutely Well.
We're going to jump right in.
I'd love to get a littlebackground on you, metactf, what
(00:25):
it is, what you're working on,and then we'd love to talk more
about hiring, and then employeetraining, cybersecurity, all
those good things.
So, without further ado, I'lllet you take the mic.
Speaker 3 (00:32):
Sweet Thanks.
Yeah, so I'm Thomas.
I'm the co-founder of MetaCTF,so we're a cyber skills platform
.
We got started basicallybuilding, managing, hosting,
running CTF competitions.
Our background is all aboutlearning by doing and making
cyber more accessible.
I think that's why we ran thefirst CTF competition about 10
(00:55):
years ago and it was really justmeant to be kind of this fun
thing.
And then we did it for a coupleof conferences, went well, and
then a couple of large companiesreached out and asked us to do
it for them and we sort of havegrown and evolved since then.
But yeah, really our wholemantra is just around helping
(01:15):
companies run better cyberskills programs, manage it,
measure it and all of the above.
Speaker 2 (01:22):
Absolutely Well.
We ran into your partner, Roman, the co-founder, at the recent
Secure360 conference and Ibelieve Nick and Eric have
something to work out here orsomething to share about how
that all went.
Speaker 1 (01:36):
Well, yeah, I'm really excited because Eric said
if I won he was going to doublemy salary for the next couple
of years.
And we tripled it.
There we go.
Speaker 2 (01:45):
You heard it here first.
I was trying to psych the guysup.
I'm like we're here to win boys.
Speaker 3 (01:48):
Let's go, make me proud.
Speaker 2 (01:50):
This is my first cybersecurity conference, so
just to give our listeners alittle background.
Thomas, for those who don'tknow what a CTF capture the flag
event is, can you give us anoverview and maybe how MetaCTF
likes to run theirs or createtheirs?
Speaker 3 (02:04):
Yeah, so there's a bunch of different types of
Capture the Flyer competitions.
The one that we typically do isa Jeopardy style competition,
so we provide a host on ourplatform website.
We provide a list of what wecall challenges.
They're really just questions,they're isolated, they're
generally bite-sized andcontained to a specific topic or
(02:25):
subject or technology orsomething like that and, yeah,
users basically just have tosolve a problem in exchange for
points.
It's time boxed, so I think thesecure 361 was like a few hours.
That's pretty.
You know that's a pretty goodamount of time.
We do a lot of them for bigcompanies, where they'll do it
as a part of you.
You know, security awarenessmonth or you know whatever sort
(02:46):
of security week or month theyhave, and we have some companies
that will run it for like aweek at a time.
That's pretty long.
But the good thing aboutJeopardy style is you can jump
in and out, like if you'reworking on it and you got to
like get lunch or run to thebathroom or something you're not
worried about.
You know, maybe lose a littletime, but you can really kind of
(03:07):
choose your own adventure withthese.
You can also like accomplish alot in a short period of time so
you can start with the easychallenges and get through a few
and then be like, hey, I just,you know, got you know a few
hundred points for my team.
But yeah, the idea is that youas your team are collaborating,
trying to score as many pointsas you can and beat the other
(03:32):
teams, but yeah, in doing so,hopefully also learning some new
things and getting exposed tonew concepts.
It's all very hands-on.
Speaker 2 (03:41):
It was fun to see the whole IT Audit Labs crew there.
Eric graciously put in the billfor breakfast.
We had the whole crew there andI could tell Eric was jazzed up
.
It was like a kid in the candyshop Christmas morning.
It was really cool to see Ericout of the office.
Eric, can you tell us why youlike doing these things and
bringing the whole team?
It felt like a really cool vibehaving the whole crew there.
It was a camaraderie and a lotof fun, absolutely.
Speaker 4 (04:04):
Yeah it's.
You know these sort of thingsthat are the kind of tease the
brain.
It's almost like an escape roomtype of thing, but you're
virtual and you can bringtogether a team of diverse
engineering skill sets andpeople don't even have to be
programmers or you know reallydeep security engineers to solve
(04:25):
some of the problems.
A lot of it is really justcritical thinking.
And there was one particularproblem that I recall in the CTF
.
That was the questionessentially prompted you to go
to a X feed and it was a pictureof Zuckerberg in front of a
(04:49):
building.
And the CTF question, the metaCTF question, was essentially
where was this taken?
And you had to give the GPScoordinates of the exact
location that Zuckerberg was inwhen he took the photo.
So you know it's like well, wow, how do we, how do we break
(05:10):
this problem down to get theanswer.
And you could be in a, anEnglish major or you know a
musician and still have thecritical thinking to be able to
break the problem down intobite-sized chunks to get to the
answer.
All the technology is freelyavailable.
You don't have to programanything, you just have to
(05:33):
figure out well, how do wefigure out where he is.
You could research to see thatday where he made the post.
Well, where was he?
Oh, he's at the headquarters.
Okay, let's go into Google Maps,zoom in on the headquarters.
What's the background of thebuilding?
Look like that.
He's in All right.
He's outside.
There's plants, there's aboardwalk, and you just keep
(05:55):
getting it narrower and narrowerand then you've got a few tries
to put the correct coordinatesinto the question and then
that's how we narrow it down andgot it.
But there are really technicalquestions too of cross-site
scripting that you do have toknow some coding or some
(06:18):
scripting capabilities and howwebsites work in order to solve
the problem.
But the great thing aboutbringing a diverse team is you
can have some people working onsome of those really technical
things and then other peopleworking on some more of the
general things.
And as long as you'recommunicating and able to break
down problems, you know you'regoing to do well and you know I
(06:39):
think part of the reason Nick'steam did so well is because they
were sitting near us and weprobably weren't real quiet as
we're discussing it.
Speaker 1 (06:46):
That's definitely the problem, definitely the problem
.
We have our secrets, but Ican't give them out here.
Speaker 2 (06:53):
That's great.
So, thomas, tell us more aboutMetaCTF.
What got you into this?
Speaker 3 (06:57):
space focused on providing that high quality
experience and, you know, givingpeople the confidence and the
exposure to these concepts.
I think it's a.
I think it is a good way tostep out of your comfort zone as
you're, as you're learning newthings in technology, not just
(07:20):
cyber, but technology, so you'relearning how you, you know
different ways that specifictechnologies, programming,
languages, computers, like howdo they work, how are they
connected, so that sort of beinglike the baseline problem that
we want to solve, and just likeproviding good experiences for
people who want to learn newthings.
I think our mission is sort ofevolved into actually helping
(07:44):
these security teams.
Generally, skills development iskind of a nebulous.
It feels like not super clear,like how do we do this, how do
we maintain it?
I think setting it up, you know, setting up training or setting
up skills development at first,at first maybe you can do that,
(08:05):
but how do you maintain it?
And then, how do you measurethe effectiveness of it?
And so those are some of thebusiness problems that we're
interested in helping managers,especially security teams, deal
with.
And then obviously, theindividuals, especially as you
move to big companies, for sure,but even smaller companies,
(08:26):
especially as you move to bigcompanies, for sure, but even
smaller companies.
People are hired in a lot ofways as they're going to get to
do a specific set of things intheir job, and so how do you
learn new things if you're doingthe same 10 to 15 tasks over
and over again?
I mean you can reach for toolslike ours, ideally, where you
can get exposure to new things,to kind of upskill.
(08:49):
So, yeah, helping managers torun and maintain and measure
these programs and then helpingthe individual to get exposure
and try new things.
Speaker 1 (08:59):
We've noticed too, thomas, all the reasons you said
before.
But for us it's also become areally big like camaraderie
event and we do them at one ofour accounts regularly.
We have a block on a day of theweek and everybody usually
jumps in and does that challengeeither together or separately,
and comes in, you know, later tothe meeting or we discuss it
(09:19):
later.
But it's been really fun.
We've been doing this for awhile now and it's really fun
just to come together and figureout if either somebody couldn't
solve it and then they learnfrom somebody that did, or we'll
do it together and or they'lldo it together and you figure it
out.
And it's been really fun to seethem learn that way.
But then it's also done.
The two things brought themtogether.
(09:40):
You get that collaborative itemand then you get that
camaraderie piece, but thenthey're learning new ways to
solve problems and in criticalthinking.
Speaker 3 (09:49):
I was in New York earlier this week it's funny you
say that because I was I hadcoffee with a woman who runs
detection response for a bigfintech company and she said the
way she put it.
I was like we need to talkabout that more often.
She was like my current companydoes not have a CTF culture and
(10:10):
like companies I've been at inthe past have a CTF culture and
it just builds like yeah, it'snot even like, it definitely is
partially.
Like you know, they encourageprofessional development and
growth and that kind of thingand the company like actually
prioritizes it.
But it's yeah, yeah, it's likethe collaboration like do we
work together as a team?
Do we do we do things welltogether?
But yeah, uh, funny youmentioned that because I was
(10:31):
thinking a lot about that thisweek yeah, it's like the.
Speaker 1 (10:34):
it's like, instead of just being a collection of team
members like everybody, can youknow, we want to be one team
that people can solve the sameproblem, work together and be
collaborative, and I think a lot, a lot of these you know
questions or the CTFs that yougo to you know, solve that
problem.
And one thing that I havenoticed going to other
cybersecurity conferences is,you know, you get a lot of great
(10:54):
talks and tracks and classes,but a lot of people, I think,
from my point of view at least,are going to the CTFs at the
conferences because they want toplay the games or they want to
do the badge challenges orwhatever is the side, the
parallel pieces to a conference.
But most notably to me, it'swhat are the CTFs?
Or that's what I'm interestedin.
What do they have for the CTF,what's going on, what's the game
(11:17):
, et cetera.
So it's cool to see everythinggrowing in this space.
Speaker 2 (11:21):
How do you see that really benefiting a company as a
whole?
I'm sure you get to work with alot of different people and see
a lot of different companycultures, right?
Yeah, I think.
Speaker 3 (11:31):
I mean there are kind of obvious ways.
I think maybe I would assume,eric, you've got a pretty strong
retention rate, employerretention rate, happiness, I
think in general People enjoyworking there.
I think in general, you knowpeople enjoy working there and I
think one of the challengesprobably with recruiting you
(11:53):
know for you all is like youneed talented people and
talented technical people andyou know if you're competing
against it, probably in somecases, like the, you know Google
and you know large techcompanies, you know what.
How do you differentiate?
And I think that's that's howyou differentiate.
(12:14):
So so yeah, I mean, I think Ithink the ability to recruit
well and just like get talentedpeople, that maybe are, you know
, going to be, maybe they'd beless happy there, but they can,
who knows, maybe pay better.
I would assume maybe Googlepays a little bit more, but yeah
(12:39):
, you get people in the door andthen you keep them, and there's
just so much to be said forcontinuity, I think, on Teams.
Speaker 2 (12:46):
We have a cat room.
Google has a nap room, but wehave a cat room, yeah.
Speaker 3 (12:51):
How do you beat that?
Google has a nap room, but wehave a cat room.
Speaker 4 (12:54):
Yeah, how do you beat that?
I was talking to a friend ofmine and he'll get mad if I name
the exact company, so I'll sayit's either Amazon, microsoft or
Google.
He works at one of those threeand he was kind of giving the
analogy that working for thatcompany is almost like bringing
(13:15):
the really attractive personwith you to say you know a prom
or a party or you know an eventwhere you know people are like
wow, you know high five orwhatever for bringing that
really attractive person.
And you know not everybody'sgoing to do that.
But you know you might get thatcliche of like wow, right,
(13:38):
that's cool.
But he said what they don'tknow is the craziness behind the
scenes.
Like that really attractiveperson might be crazy, kind of
outward appearances areattractive, but all the behind
the scenes nonsense is reallynot attractive.
But nobody knows that.
(13:58):
And he equated that to workingat one of those three companies.
Like yeah, it's really cool,pays good, but it is a mess
behind the scenes.
Speaker 2 (14:08):
Really bad credit score.
I've seen this affect hiring.
A lot of people are using chatGPT now, so we've been talking
about Cluely around the IT AuditLab's office.
How are you differentiatingbetween people that can actually
move that mattress out of thehighway and people that are just
using tools or maybe answeringthings using some of these AI
(14:32):
tools that are coming online?
Speaker 3 (14:36):
I saw I think it was a tweet last week that was like
the cheating during hiring hasgotten so bad that I'm almost
ready to ask candidates to closetheir eyes when they answer
questions uh uh, we've heardthat too, I mean.
So I I think I think it goesback to what eric was saying
(14:58):
about the escape room.
It's like it's all aboutprocess, thought process, like
can this person problem solve?
And then how do they talk aboutsolving the problem?
You can't cheat your waythrough that like you're gonna,
and and I mean I guess the bestway would be like let's go back
to like the old school, likeinterview in person deal.
I don't remember ever having avirtual interview before 2019 or
(15:22):
2020.
But but yeah, I mean I think Ithink it's people use CTF
challenges and our platform.
We have kind of a candidateassessment portal that we
provide to help interview andit's basically like case you
know case interviews.
It's like here's a situationlike talk to me about how you
would solve it, and using thaton a live interview I think is
(15:47):
is a way to.
It's not just like here's a youknow assessment portal.
It's open for two hours.
Like you know assessment portal.
It's open for two hours.
Like you know, do it when youcan.
And I still think, with CTFchallenges, like you can use
LLMs and you know cheating tools, but it's only going to get you
so far for most challenges.
But yeah, I mean, I think it'sall about thought process and
(16:09):
like understand, like how doesthis person communicate?
How do they talk through?
You know solving a problem andyou know stuff like Clueless
will help you.
You can't you can't fake yourway through like true knowledge.
You can, I think you can fakeyour way through like knowing
bits and pieces, but it's justnot going to get you all the way
there.
Speaker 1 (16:29):
I'm the way there I'm .
I think I'm most curious aboutthis whole thing is, you know, I
guess, one good on thecandidate for being so tech
savvy, I'll give them that.
But two, let's say you getthrough the right, you, you get
through.
You know, you don't.
They don't find out that you'recheating.
What happens on day one?
Exactly what happens when youget there and start doing the
(16:49):
work, right?
I mean, most places have a 90day, or you, whatever it is,
grace period or whatever thatthey can let you go right.
Probation period is what I waslooking for A lot of times.
If this is the lengths you'regoing to, you're probably going
to get found out within the90-day period or whatever it is.
So I guess I'd like tointerview one of these people
(17:11):
that have come through there andasked like, what was your plan
when you actually got there,right?
Were you going to rely?
Speaker 2 (17:15):
on.
Speaker 1 (17:16):
AI so much and hope you were remote the whole time
that you could.
Just, I'm very interested inwhat the thought process is, but
to me it also is really coolthat this technology is here,
right, that we're able to seethis stuff and how people are
using it.
Obviously, not always in thebest light, right, we don't want
people to do this.
But I think, going all the wayback to the beginning of this
(17:38):
question, I think one thing thatwe've done or noticed when
we're talking to people isasking more cultural questions.
Not, you know, obviously wewant a strong technical basis,
but what do the soft skills looklike?
And I think then we can branchinto the technical.
But first off, especially at ITOutlives, for me, we look for
those soft skills first, right,how are you, like we talked
(18:00):
before, like a service desk,right?
What are those soft touchpoints?
How would you handle thissituation?
Not just you know what do you?
do in this case, or what are youdoing in an outage, or whatever
it is.
So I think the searching forthe soft and tech first before
you go to technical a lot oftimes can help just to see what
they're thinking, how they'rethinking about things and what
(18:21):
their cultural thought processis.
Speaker 2 (18:24):
So, eric, I know you have some juicy stories about AI
and hiring and some things thathave happened recently, maybe
around Cluely or ChatGPT.
Speaker 4 (18:36):
How have you seen that manifest when you're in the
hiring process?
So we were just going through aprocess where we're recruiting
for three technical roles andworking with several different
recruiting firms.
I think for one of the roles inparticular it was a technical
security role there were maybe11 vendors that were responding,
(18:59):
each with a maximum of threecandidates.
So it was a ton of resumes thatwere coming in and the thing
that struck me off the bat washow thorough and similar all of
the resumes were.
Each resume four or five pages.
(19:22):
That was just bullet leveldetail of everything that the
person did and it was very wellmatched to the job description
of the role that we had.
So it was like, okay, there'ssome AI going on here and there
was one recruiting firm or tworecruiting firms that each
(19:44):
submitted the same candidate andthe resumes were different but
just as thorough.
So it was like, okay, veryclearly, here they're taking AI
and creating these resumes,probably different AI platforms
that are doing it.
But then when we went and wewere interviewing the candidates
(20:05):
, we narrowed down all of thosecandidates to I think we maybe
interviewed through videointerviewed, maybe it was, I
don't know eight people,something like that, and some of
them were not native Englishspeakers, like English was not
(20:26):
their first language, and thequestions were all standardized.
So the way in which we askedthe questions was all very
structured and some of thecandidates that were clearly
using a tool to assist with theinterview process.
There were these really longpauses, like you'd ask a
(20:50):
question and then there's like along pause and then the
candidate would ask if you couldrepeat the question and the
question was not one that youknow really needed to be
repeated.
It was a pretty straightforwardquestion, but every time it was
(21:10):
I'm sorry.
Can you repeat the question?
And but every time it was, I'msorry.
Can you repeat the question?
And then the the answer.
They're just staring at thescreen and normally in
conversation when you're talkingwith somebody, you know they
may look up or to the side, oryou know they could be could be
a little more animated.
(21:33):
But some of the candidates, whenthey were responding, were just
fixated, looking straight ahead, and it was.
It was pretty clear that theywere.
They were the old presidentialteleprompter was going on.
Uh, so you know it was we.
We, after the first couple, the, the, the interview team has
like a side chat going on andit's like okay, clearly ai is
involved here.
Let's try to change thequestions a bit so that they're
(21:56):
harder to answer with AI.
Speaker 2 (21:58):
How are you talking to recruiters and things about
how to navigate this situation,or do you have any kind of tips
for them to maybe deal with thissort of a thing?
Speaker 3 (22:07):
Yeah, I mean, I think you just have to build in
processes and checks andbalances around, you know,
getting multiple people to sortof verify and then and then also
you got to.
I think you probably kind ofgot to put people on the spot,
especially if you are suspiciousof of you know them, using some
of those tools to help themanswer questions help them
(22:33):
answer questions, Other thanbeing inexperienced in the
hiring process.
Speaker 2 (22:35):
what are some other pitfalls you're seeing that
recruiters are bringing to thetable when looking for talented?
Speaker 3 (22:41):
people.
I think recruiters are prettygood at getting a large.
They're good at sort ofmatching, like, hey, this is
what the company's looking forand this is what the you know
the people have, and there'sthere's some really great
recruiters out there, I think.
I think the main thing is, likewhat we've talked about a lot.
(23:02):
It's like the soft skills likehow do you, how do you measure,
for you know, problem solving,adaptability, cyber is intense.
You know it can be a veryintense and stressful field.
So how do you measure for thatand how people are going to
respond to these crazy andintense situations.
(23:26):
And then also, how are theygoing to work together as a team
?
The candidate assessments arenot, you know.
They make it out as if, like,they hire like the top five
scores from, like the candidateassessment.
Like that's not howinterviewing works.
It's like they either use it atthe beginning of the process
because they have way too manyapplicants and they're trying to
(23:46):
narrow that down, or, you know,they use it as like kind of a
benchmark, like, hey, we want tomake sure that we can.
You know, this person has somelevel of technical skill.
Like no, I don't know of anycompanies that are just like
sending these out as like testsand like hiring the tops.
You know it's not.
You're not just hiring like theA plus students, otherwise you
just hire people with thehighest GPA.
(24:07):
So that whole that whole thingis kind of silly to me.
Speaker 2 (24:11):
How have you seen that type of investment show up
in the day-to-day securitypractices and fortifying
organizations?
And where the rubber hits theroad, how have you really seen
that pay off?
Speaker 1 (24:21):
Yeah, it's huge and we touched on it already a bunch
and I think Thomas brought itup right.
You could go work for Microsoftor Google or whoever it is,
crowdstrike Palo, these biggreat jobs.
But if you can go work for asmaller organization, sure, like
Tom said, you might not makethat huge paycheck, but you
might be way happier way, wayhappier.
(24:43):
That company is going to investin you more, so they're probably
going to send you to training.
You're going to get hands-onwith a lot of different things.
You probably never had anopportunity at these other
organizations.
You might get to work with alot of different things.
You probably never had anopportunity at these other
organizations.
Speaker 2 (24:56):
You might get to work with a lot of different
organizations on a lot ofdifferent tasks Great.
Let's wrap up with a couple oftips maybe Eric and Thomas,
about people breaking into thespace and how they can use tools
to break into cybersecurity.
Any quick tips Get?
Speaker 1 (25:08):
a help desk job.
Speaker 4 (25:11):
Get a help desk job.
I was at Secret con yesterdayhere in town in Minneapolis,
which is a really coolconference my first time going
there and it's a reallyapproachable conference.
But I think, in general, josh,to answer your question, if
you're trying to break into theindustry or even just you know
you're in the industry and youwant to look at other
(25:32):
opportunities or you're happy inyour current role awesome.
But you got to get out frombehind your desk, from out of
your basement or wherever yourhome office is.
You got to get to theseconferences, you got to get to
the meetups and you got tosocialize in person.
I mean, the online stuff isgreat, it's cool, but there's
(25:52):
just so much that you miss inthe hallway conversations
interacting with people.
I mean, we're social animals,it's just you know, still you
know, but that's just the way itis.
And you got to get to theseconferences.
Us, there's likely within 100miles, some sort of a conference
(26:20):
that's happening in your areaat some point in time throughout
the year.
There's meetups of alldifferent security types that
are approachable and I would saythat's the best way to get out
and start this as a career.
Speaker 3 (26:32):
And there's.
Speaker 4 (26:33):
CTFs of those conferences there was.
Speaker 2 (26:37):
Thomas, maybe you could tell us if people are
interested in MetaCTF, where canthey get started and where can
they find you?
Speaker 3 (26:43):
Yeah, so we're pretty active on LinkedIn Just trying
to get as much information outthere as we can.
We have a lot of free resourcesso we run a free to enter
monthly.
We call it a flash CTF, thethird Thursday of every month.
So it's next Thursday Actually,the winner of that.
We have some pretty good prizes.
(27:03):
Usually with those, this monthis especially good we have a DEF
CON ticket available to thewinner, and then we have some
other like cash prizes and stufflike that, but we do that every
month and then we have, withthat flash CTF, we put all those
challenges in a practiceenvironment.
That's free, it's available.
All of the write ups are on ourblog, so that's a really good
(27:26):
place to learn because you cango try them and then read about
how to do it.
And then on-demand labs is outand that's uh.
You know we're giving away freetrials right now, so if anyone
wants that, um, I'm on linkedinand you can reach out anytime,
thomas, that that monthly ctf isno joke.
Speaker 4 (27:45):
We were doing it two months ago to prep for the, the,
the one that nick and I were in, and we were the, the, the team
that I was working with.
Some of us about half the teamjumped into to kind of practice.
We must've been 30 minutes inno answers to any of the
questions.
(28:06):
Looked on the leaderboard andit was all like zeros, like
nobody had answered anything.
It's like, wow, this is goingto be tough.
And then at the time,unfortunately there was an
incident that had started sosome of us kind of got
distracted.
But I think maybe we ended withI don't know, like 200 points
or something like that.
But it was a tough, muchtougher than the regional CTF
(28:29):
that we were in at Secure360.
Speaker 3 (28:35):
Good reminder for us.
Yeah, we always joke with ourhead of content because she's
always like oh, these are prettyeasy challenges and we're like
no, Samantha, easier please.
Speaker 2 (28:47):
Well, great.
Unless you guys have anyfollow-up questions, we can wrap
it up here today Cool.
Thanks so much, thomas.
You've been listening to ThomasRogers from MetaCTF, our guest
today.
Check out MetaCTF on LinkedInand online.
You've been listening to theAudit presented by IT Audit Labs
.
I'm your host, co-host andproducer, joshua Schmidt.
We've been joined by Eric Brown, managing director, and Nick
(29:09):
Mellum, security engineer.
Thanks so much for listening.
Thanks so much for listening.
Please like, share andsubscribe.
You can find us video onSpotify now and please leave us
a review or comment on YouTubeand see you in the next one.
Speaker 4 (29:20):
You have been listening to the Audit presented
by IT Audit Labs.
We are experts at assessingrisk and compliance, while
providing administrative andtechnical controls to improve
our clients' data security.
Our threat assessments find thesoft spots before the bad guys
do, identifying likelihood andimpact or all.
Our security controlassessments rank the level of
(29:42):
maturity relative to the size ofyour organization.
Thanks to our devoted listenersand followers, as well as our
producer, Joshua J Schmidt, andour audio video editor, Cameron
Hill, you can stay up to date onthe latest cybersecurity topics
by giving us a like and afollow on our socials and
subscribing to this podcast onApple, Spotify or wherever you
(30:05):
source your security content.
You're listening to the Audit presented by IT Audit
Labs.
I'm Joshua Schmidt, yourco-host and producer Today.
We're joined by Nick Mellum andEric Brown, and today our guest
is Thomas Rogers from MetaCTF.
Thomas, how are you doing?
Doing good?
Thanks for having me.
Absolutely Well.
We're going to jump right in.
I'd love to get a littlebackground on you, metactf, what
(00:25):
it is, what you're working on,and then we'd love to talk more
about hiring, and then employeetraining, cybersecurity, all
those good things.
So, without further ado, I'lllet you take the mic.
Speaker 3 (00:32):
Sweet Thanks.
Yeah, so I'm Thomas.
I'm the co-founder of MetaCTF,so we're a cyber skills platform
.
We got started basicallybuilding, managing, hosting,
running CTF competitions.
Our background is all aboutlearning by doing and making
cyber more accessible.
I think that's why we ran thefirst CTF competition about 10
(00:55):
years ago and it was really justmeant to be kind of this fun
thing.
And then we did it for a coupleof conferences, went well, and
then a couple of large companiesreached out and asked us to do
it for them and we sort of havegrown and evolved since then.
But yeah, really our wholemantra is just around helping
(01:15):
companies run better cyberskills programs, manage it,
measure it and all of the above.
Speaker 2 (01:22):
Absolutely Well.
We ran into your partner, Roman, the co-founder, at the recent
Secure360 conference and Ibelieve Nick and Eric have
something to work out here orsomething to share about how
that all went.
Speaker 1 (01:36):
Well, yeah, I'm really excited because Eric said
if I won he was going to doublemy salary for the next couple
of years.
And we tripled it.
There we go.
Speaker 2 (01:45):
You heard it here first.
I was trying to psych the guysup.
I'm like we're here to win boys.
Speaker 3 (01:48):
Let's go, make me proud.
Speaker 2 (01:50):
This is my first cybersecurity conference, so
just to give our listeners alittle background.
Thomas, for those who don'tknow what a CTF capture the flag
event is, can you give us anoverview and maybe how MetaCTF
likes to run theirs or createtheirs?
Speaker 3 (02:04):
Yeah, so there's a bunch of different types of
Capture the Flyer competitions.
The one that we typically do isa Jeopardy style competition,
so we provide a host on ourplatform website.
We provide a list of what wecall challenges.
They're really just questions,they're isolated, they're
generally bite-sized andcontained to a specific topic or
(02:25):
subject or technology orsomething like that and, yeah,
users basically just have tosolve a problem in exchange for
points.
It's time boxed, so I think thesecure 361 was like a few hours.
That's pretty.
You know that's a pretty goodamount of time.
We do a lot of them for bigcompanies, where they'll do it
as a part of you.
You know, security awarenessmonth or you know whatever sort
(02:46):
of security week or month theyhave, and we have some companies
that will run it for like aweek at a time.
That's pretty long.
But the good thing aboutJeopardy style is you can jump
in and out, like if you'reworking on it and you got to
like get lunch or run to thebathroom or something you're not
worried about.
You know, maybe lose a littletime, but you can really kind of
(03:07):
choose your own adventure withthese.
You can also like accomplish alot in a short period of time so
you can start with the easychallenges and get through a few
and then be like, hey, I just,you know, got you know a few
hundred points for my team.
But yeah, the idea is that youas your team are collaborating,
trying to score as many pointsas you can and beat the other
(03:32):
teams, but yeah, in doing so,hopefully also learning some new
things and getting exposed tonew concepts.
It's all very hands-on.
Speaker 2 (03:41):
It was fun to see the whole IT Audit Labs crew there.
Eric graciously put in the billfor breakfast.
We had the whole crew there andI could tell Eric was jazzed up
.
It was like a kid in the candyshop Christmas morning.
It was really cool to see Ericout of the office.
Eric, can you tell us why youlike doing these things and
bringing the whole team?
It felt like a really cool vibehaving the whole crew there.
It was a camaraderie and a lotof fun, absolutely.
Speaker 4 (04:04):
Yeah it's.
You know these sort of thingsthat are the kind of tease the
brain.
It's almost like an escape roomtype of thing, but you're
virtual and you can bringtogether a team of diverse
engineering skill sets andpeople don't even have to be
programmers or you know reallydeep security engineers to solve
(04:25):
some of the problems.
A lot of it is really justcritical thinking.
And there was one particularproblem that I recall in the CTF
.
That was the questionessentially prompted you to go
to a X feed and it was a pictureof Zuckerberg in front of a
(04:49):
building.
And the CTF question, the metaCTF question, was essentially
where was this taken?
And you had to give the GPScoordinates of the exact
location that Zuckerberg was inwhen he took the photo.
So you know it's like well, wow, how do we, how do we break
(05:10):
this problem down to get theanswer.
And you could be in a, anEnglish major or you know a
musician and still have thecritical thinking to be able to
break the problem down intobite-sized chunks to get to the
answer.
All the technology is freelyavailable.
You don't have to programanything, you just have to
(05:33):
figure out well, how do wefigure out where he is.
You could research to see thatday where he made the post.
Well, where was he?
Oh, he's at the headquarters.
Okay, let's go into Google Maps,zoom in on the headquarters.
What's the background of thebuilding?
Look like that.
He's in All right.
He's outside.
There's plants, there's aboardwalk, and you just keep
(05:55):
getting it narrower and narrowerand then you've got a few tries
to put the correct coordinatesinto the question and then
that's how we narrow it down andgot it.
But there are really technicalquestions too of cross-site
scripting that you do have toknow some coding or some
(06:18):
scripting capabilities and howwebsites work in order to solve
the problem.
But the great thing aboutbringing a diverse team is you
can have some people working onsome of those really technical
things and then other peopleworking on some more of the
general things.
And as long as you'recommunicating and able to break
down problems, you know you'regoing to do well and you know I
(06:39):
think part of the reason Nick'steam did so well is because they
were sitting near us and weprobably weren't real quiet as
we're discussing it.
Speaker 1 (06:46):
That's definitely the problem, definitely the problem
.
We have our secrets, but Ican't give them out here.
Speaker 2 (06:53):
That's great.
So, thomas, tell us more aboutMetaCTF.
What got you into this?
Speaker 3 (06:57):
space focused on providing that high quality
experience and, you know, givingpeople the confidence and the
exposure to these concepts.
I think it's a.
I think it is a good way tostep out of your comfort zone as
you're, as you're learning newthings in technology, not just
(07:20):
cyber, but technology, so you'relearning how you, you know
different ways that specifictechnologies, programming,
languages, computers, like howdo they work, how are they
connected, so that sort of beinglike the baseline problem that
we want to solve, and just likeproviding good experiences for
people who want to learn newthings.
I think our mission is sort ofevolved into actually helping
(07:44):
these security teams.
Generally, skills development iskind of a nebulous.
It feels like not super clear,like how do we do this, how do
we maintain it?
I think setting it up, you know, setting up training or setting
up skills development at first,at first maybe you can do that,
(08:05):
but how do you maintain it?
And then, how do you measurethe effectiveness of it?
And so those are some of thebusiness problems that we're
interested in helping managers,especially security teams, deal
with.
And then obviously, theindividuals, especially as you
move to big companies, for sure,but even smaller companies,
(08:26):
especially as you move to bigcompanies, for sure, but even
smaller companies.
People are hired in a lot ofways as they're going to get to
do a specific set of things intheir job, and so how do you
learn new things if you're doingthe same 10 to 15 tasks over
and over again?
I mean you can reach for toolslike ours, ideally, where you
can get exposure to new things,to kind of upskill.
(08:49):
So, yeah, helping managers torun and maintain and measure
these programs and then helpingthe individual to get exposure
and try new things.
Speaker 1 (08:59):
We've noticed too, thomas, all the reasons you said
before.
But for us it's also become areally big like camaraderie
event and we do them at one ofour accounts regularly.
We have a block on a day of theweek and everybody usually
jumps in and does that challengeeither together or separately,
and comes in, you know, later tothe meeting or we discuss it
(09:19):
later.
But it's been really fun.
We've been doing this for awhile now and it's really fun
just to come together and figureout if either somebody couldn't
solve it and then they learnfrom somebody that did, or we'll
do it together and or they'lldo it together and you figure it
out.
And it's been really fun to seethem learn that way.
But then it's also done.
The two things brought themtogether.
(09:40):
You get that collaborative itemand then you get that
camaraderie piece, but thenthey're learning new ways to
solve problems and in criticalthinking.
Speaker 3 (09:49):
I was in New York earlier this week it's funny you
say that because I was I hadcoffee with a woman who runs
detection response for a bigfintech company and she said the
way she put it.
I was like we need to talkabout that more often.
She was like my current companydoes not have a CTF culture and
(10:10):
like companies I've been at inthe past have a CTF culture and
it just builds like yeah, it'snot even like, it definitely is
partially.
Like you know, they encourageprofessional development and
growth and that kind of thingand the company like actually
prioritizes it.
But it's yeah, yeah, it's likethe collaboration like do we
work together as a team?
Do we do we do things welltogether?
But yeah, uh, funny youmentioned that because I was
(10:31):
thinking a lot about that thisweek yeah, it's like the.
Speaker 1 (10:34):
it's like, instead of just being a collection of team
members like everybody, can youknow, we want to be one team
that people can solve the sameproblem, work together and be
collaborative, and I think a lot, a lot of these you know
questions or the CTFs that yougo to you know, solve that
problem.
And one thing that I havenoticed going to other
cybersecurity conferences is,you know, you get a lot of great
(10:54):
talks and tracks and classes,but a lot of people, I think,
from my point of view at least,are going to the CTFs at the
conferences because they want toplay the games or they want to
do the badge challenges orwhatever is the side, the
parallel pieces to a conference.
But most notably to me, it'swhat are the CTFs?
Or that's what I'm interestedin.
What do they have for the CTF,what's going on, what's the game
(11:17):
, et cetera.
So it's cool to see everythinggrowing in this space.
Speaker 2 (11:21):
How do you see that really benefiting a company as a
whole?
I'm sure you get to work with alot of different people and see
a lot of different companycultures, right?
Yeah, I think.
Speaker 3 (11:31):
I mean there are kind of obvious ways.
I think maybe I would assume,eric, you've got a pretty strong
retention rate, employerretention rate, happiness, I
think in general People enjoyworking there.
I think in general, you knowpeople enjoy working there and I
think one of the challengesprobably with recruiting you
(11:53):
know for you all is like youneed talented people and
talented technical people andyou know if you're competing
against it, probably in somecases, like the, you know Google
and you know large techcompanies, you know what.
How do you differentiate?
And I think that's that's howyou differentiate.
(12:14):
So so yeah, I mean, I think Ithink the ability to recruit
well and just like get talentedpeople, that maybe are, you know
, going to be, maybe they'd beless happy there, but they can,
who knows, maybe pay better.
I would assume maybe Googlepays a little bit more, but yeah
(12:39):
, you get people in the door andthen you keep them, and there's
just so much to be said forcontinuity, I think, on Teams.
Speaker 2 (12:46):
We have a cat room.
Google has a nap room, but wehave a cat room, yeah.
Speaker 3 (12:51):
How do you beat that?
Google has a nap room, but wehave a cat room.
Speaker 4 (12:54):
Yeah, how do you beat that?
I was talking to a friend ofmine and he'll get mad if I name
the exact company, so I'll sayit's either Amazon, microsoft or
Google.
He works at one of those threeand he was kind of giving the
analogy that working for thatcompany is almost like bringing
(13:15):
the really attractive personwith you to say you know a prom
or a party or you know an eventwhere you know people are like
wow, you know high five orwhatever for bringing that
really attractive person.
And you know not everybody'sgoing to do that.
But you know you might get thatcliche of like wow, right,
(13:38):
that's cool.
But he said what they don'tknow is the craziness behind the
scenes.
Like that really attractiveperson might be crazy, kind of
outward appearances areattractive, but all the behind
the scenes nonsense is reallynot attractive.
But nobody knows that.
(13:58):
And he equated that to workingat one of those three companies.
Like yeah, it's really cool,pays good, but it is a mess
behind the scenes.
Speaker 2 (14:08):
Really bad credit score.
I've seen this affect hiring.
A lot of people are using chatGPT now, so we've been talking
about Cluely around the IT AuditLab's office.
How are you differentiatingbetween people that can actually
move that mattress out of thehighway and people that are just
using tools or maybe answeringthings using some of these AI
(14:32):
tools that are coming online?
Speaker 3 (14:36):
I saw I think it was a tweet last week that was like
the cheating during hiring hasgotten so bad that I'm almost
ready to ask candidates to closetheir eyes when they answer
questions uh uh, we've heardthat too, I mean.
So I I think I think it goesback to what eric was saying
(14:58):
about the escape room.
It's like it's all aboutprocess, thought process, like
can this person problem solve?
And then how do they talk aboutsolving the problem?
You can't cheat your waythrough that like you're gonna,
and and I mean I guess the bestway would be like let's go back
to like the old school, likeinterview in person deal.
I don't remember ever having avirtual interview before 2019 or
(15:22):
2020.
But but yeah, I mean I think Ithink it's people use CTF
challenges and our platform.
We have kind of a candidateassessment portal that we
provide to help interview andit's basically like case you
know case interviews.
It's like here's a situationlike talk to me about how you
would solve it, and using thaton a live interview I think is
(15:47):
is a way to.
It's not just like here's a youknow assessment portal.
It's open for two hours.
Like you know assessment portal.
It's open for two hours.
Like you know, do it when youcan.
And I still think, with CTFchallenges, like you can use
LLMs and you know cheating tools, but it's only going to get you
so far for most challenges.
But yeah, I mean, I think it'sall about thought process and
(16:09):
like understand, like how doesthis person communicate?
How do they talk through?
You know solving a problem andyou know stuff like Clueless
will help you.
You can't you can't fake yourway through like true knowledge.
You can, I think you can fakeyour way through like knowing
bits and pieces, but it's justnot going to get you all the way
there.
Speaker 1 (16:29):
I'm the way there I'm .
I think I'm most curious aboutthis whole thing is, you know, I
guess, one good on thecandidate for being so tech
savvy, I'll give them that.
But two, let's say you getthrough the right, you, you get
through.
You know, you don't.
They don't find out that you'recheating.
What happens on day one?
Exactly what happens when youget there and start doing the
(16:49):
work, right?
I mean, most places have a 90day, or you, whatever it is,
grace period or whatever thatthey can let you go right.
Probation period is what I waslooking for A lot of times.
If this is the lengths you'regoing to, you're probably going
to get found out within the90-day period or whatever it is.
So I guess I'd like tointerview one of these people
(17:11):
that have come through there andasked like, what was your plan
when you actually got there,right?
Were you going to rely?
Speaker 2 (17:15):
on.
Speaker 1 (17:16):
AI so much and hope you were remote the whole time
that you could.
Just, I'm very interested inwhat the thought process is, but
to me it also is really coolthat this technology is here,
right, that we're able to seethis stuff and how people are
using it.
Obviously, not always in thebest light, right, we don't want
people to do this.
But I think, going all the wayback to the beginning of this
(17:38):
question, I think one thing thatwe've done or noticed when
we're talking to people isasking more cultural questions.
Not, you know, obviously wewant a strong technical basis,
but what do the soft skills looklike?
And I think then we can branchinto the technical.
But first off, especially at ITOutlives, for me, we look for
those soft skills first, right,how are you, like we talked
(18:00):
before, like a service desk,right?
What are those soft touchpoints?
How would you handle thissituation?
Not just you know what do you?
do in this case, or what are youdoing in an outage, or whatever
it is.
So I think the searching forthe soft and tech first before
you go to technical a lot oftimes can help just to see what
they're thinking, how they'rethinking about things and what
(18:21):
their cultural thought processis.
Speaker 2 (18:24):
So, eric, I know you have some juicy stories about AI
and hiring and some things thathave happened recently, maybe
around Cluely or ChatGPT.
Speaker 4 (18:36):
How have you seen that manifest when you're in the
hiring process?
So we were just going through aprocess where we're recruiting
for three technical roles andworking with several different
recruiting firms.
I think for one of the roles inparticular it was a technical
security role there were maybe11 vendors that were responding,
(18:59):
each with a maximum of threecandidates.
So it was a ton of resumes thatwere coming in and the thing
that struck me off the bat washow thorough and similar all of
the resumes were.
Each resume four or five pages.
(19:22):
That was just bullet leveldetail of everything that the
person did and it was very wellmatched to the job description
of the role that we had.
So it was like, okay, there'ssome AI going on here and there
was one recruiting firm or tworecruiting firms that each
(19:44):
submitted the same candidate andthe resumes were different but
just as thorough.
So it was like, okay, veryclearly, here they're taking AI
and creating these resumes,probably different AI platforms
that are doing it.
But then when we went and wewere interviewing the candidates
(20:05):
, we narrowed down all of thosecandidates to I think we maybe
interviewed through videointerviewed, maybe it was, I
don't know eight people,something like that, and some of
them were not native Englishspeakers, like English was not
(20:26):
their first language, and thequestions were all standardized.
So the way in which we askedthe questions was all very
structured and some of thecandidates that were clearly
using a tool to assist with theinterview process.
There were these really longpauses, like you'd ask a
(20:50):
question and then there's like along pause and then the
candidate would ask if you couldrepeat the question and the
question was not one that youknow really needed to be
repeated.
It was a pretty straightforwardquestion, but every time it was
(21:10):
I'm sorry.
Can you repeat the question?
And but every time it was, I'msorry.
Can you repeat the question?
And then the the answer.
They're just staring at thescreen and normally in
conversation when you're talkingwith somebody, you know they
may look up or to the side, oryou know they could be could be
a little more animated.
(21:33):
But some of the candidates, whenthey were responding, were just
fixated, looking straight ahead, and it was.
It was pretty clear that theywere.
They were the old presidentialteleprompter was going on.
Uh, so you know it was we.
We, after the first couple, the, the, the interview team has
like a side chat going on andit's like okay, clearly ai is
involved here.
Let's try to change thequestions a bit so that they're
(21:56):
harder to answer with AI.
Speaker 2 (21:58):
How are you talking to recruiters and things about
how to navigate this situation,or do you have any kind of tips
for them to maybe deal with thissort of a thing?
Speaker 3 (22:07):
Yeah, I mean, I think you just have to build in
processes and checks andbalances around, you know,
getting multiple people to sortof verify and then and then also
you got to.
I think you probably kind ofgot to put people on the spot,
especially if you are suspiciousof of you know them, using some
of those tools to help themanswer questions help them
(22:33):
answer questions, Other thanbeing inexperienced in the
hiring process.
Speaker 2 (22:35):
what are some other pitfalls you're seeing that
recruiters are bringing to thetable when looking for talented?
Speaker 3 (22:41):
people.
I think recruiters are prettygood at getting a large.
They're good at sort ofmatching, like, hey, this is
what the company's looking forand this is what the you know
the people have, and there'sthere's some really great
recruiters out there, I think.
I think the main thing is, likewhat we've talked about a lot.
(23:02):
It's like the soft skills likehow do you, how do you measure,
for you know, problem solving,adaptability, cyber is intense.
You know it can be a veryintense and stressful field.
So how do you measure for thatand how people are going to
respond to these crazy andintense situations.
(23:26):
And then also, how are theygoing to work together as a team
?
The candidate assessments arenot, you know.
They make it out as if, like,they hire like the top five
scores from, like the candidateassessment.
Like that's not howinterviewing works.
It's like they either use it atthe beginning of the process
because they have way too manyapplicants and they're trying to
(23:46):
narrow that down, or, you know,they use it as like kind of a
benchmark, like, hey, we want tomake sure that we can.
You know, this person has somelevel of technical skill.
Like no, I don't know of anycompanies that are just like
sending these out as like testsand like hiring the tops.
You know it's not.
You're not just hiring like theA plus students, otherwise you
just hire people with thehighest GPA.
(24:07):
So that whole that whole thingis kind of silly to me.
Speaker 2 (24:11):
How have you seen that type of investment show up
in the day-to-day securitypractices and fortifying
organizations?
And where the rubber hits theroad, how have you really seen
that pay off?
Speaker 1 (24:21):
Yeah, it's huge and we touched on it already a bunch
and I think Thomas brought itup right.
You could go work for Microsoftor Google or whoever it is,
crowdstrike Palo, these biggreat jobs.
But if you can go work for asmaller organization, sure, like
Tom said, you might not makethat huge paycheck, but you
might be way happier way, wayhappier.
(24:43):
That company is going to investin you more, so they're probably
going to send you to training.
You're going to get hands-onwith a lot of different things.
You probably never had anopportunity at these other
organizations.
You might get to work with alot of different things.
You probably never had anopportunity at these other
organizations.
Speaker 2 (24:56):
You might get to work with a lot of different
organizations on a lot ofdifferent tasks Great.
Let's wrap up with a couple oftips maybe Eric and Thomas,
about people breaking into thespace and how they can use tools
to break into cybersecurity.
Any quick tips Get?
Speaker 1 (25:08):
a help desk job.
Speaker 4 (25:11):
Get a help desk job.
I was at Secret con yesterdayhere in town in Minneapolis,
which is a really coolconference my first time going
there and it's a reallyapproachable conference.
But I think, in general, josh,to answer your question, if
you're trying to break into theindustry or even just you know
you're in the industry and youwant to look at other
(25:32):
opportunities or you're happy inyour current role awesome.
But you got to get out frombehind your desk, from out of
your basement or wherever yourhome office is.
You got to get to theseconferences, you got to get to
the meetups and you got tosocialize in person.
I mean, the online stuff isgreat, it's cool, but there's
(25:52):
just so much that you miss inthe hallway conversations
interacting with people.
I mean, we're social animals,it's just you know, still you
know, but that's just the way itis.
And you got to get to theseconferences.
Us, there's likely within 100miles, some sort of a conference
(26:20):
that's happening in your areaat some point in time throughout
the year.
There's meetups of alldifferent security types that
are approachable and I would saythat's the best way to get out
and start this as a career.
Speaker 3 (26:32):
And there's.
Speaker 4 (26:33):
CTFs of those conferences there was.
Speaker 2 (26:37):
Thomas, maybe you could tell us if people are
interested in MetaCTF, where canthey get started and where can
they find you?
Speaker 3 (26:43):
Yeah, so we're pretty active on LinkedIn Just trying
to get as much information outthere as we can.
We have a lot of free resourcesso we run a free to enter
monthly.
We call it a flash CTF, thethird Thursday of every month.
So it's next Thursday Actually,the winner of that.
We have some pretty good prizes.
(27:03):
Usually with those, this monthis especially good we have a DEF
CON ticket available to thewinner, and then we have some
other like cash prizes and stufflike that, but we do that every
month and then we have, withthat flash CTF, we put all those
challenges in a practiceenvironment.
That's free, it's available.
All of the write ups are on ourblog, so that's a really good
(27:26):
place to learn because you cango try them and then read about
how to do it.
And then on-demand labs is outand that's uh.
You know we're giving away freetrials right now, so if anyone
wants that, um, I'm on linkedinand you can reach out anytime,
thomas, that that monthly ctf isno joke.
Speaker 4 (27:45):
We were doing it two months ago to prep for the, the,
the one that nick and I were in, and we were the, the, the team
that I was working with.
Some of us about half the teamjumped into to kind of practice.
We must've been 30 minutes inno answers to any of the
questions.
(28:06):
Looked on the leaderboard andit was all like zeros, like
nobody had answered anything.
It's like, wow, this is goingto be tough.
And then at the time,unfortunately there was an
incident that had started sosome of us kind of got
distracted.
But I think maybe we ended withI don't know, like 200 points
or something like that.
But it was a tough, muchtougher than the regional CTF
(28:29):
that we were in at Secure360.
Speaker 3 (28:35):
Good reminder for us.
Yeah, we always joke with ourhead of content because she's
always like oh, these are prettyeasy challenges and we're like
no, Samantha, easier please.
Speaker 2 (28:47):
Well, great.
Unless you guys have anyfollow-up questions, we can wrap
it up here today Cool.
Thanks so much, thomas.
You've been listening to ThomasRogers from MetaCTF, our guest
today.
Check out MetaCTF on LinkedInand online.
You've been listening to theAudit presented by IT Audit Labs
.
I'm your host, co-host andproducer, joshua Schmidt.
We've been joined by Eric Brown, managing director, and Nick
(29:09):
Mellum, security engineer.
Thanks so much for listening.
Thanks so much for listening.
Please like, share andsubscribe.
You can find us video onSpotify now and please leave us
a review or comment on YouTubeand see you in the next one.
Speaker 4 (29:20):
You have been listening to the Audit presented
by IT Audit Labs.
We are experts at assessingrisk and compliance, while
providing administrative andtechnical controls to improve
our clients' data security.
Our threat assessments find thesoft spots before the bad guys
do, identifying likelihood andimpact or all.
Our security controlassessments rank the level of
(29:42):
maturity relative to the size ofyour organization.
Thanks to our devoted listenersand followers, as well as our
producer, Joshua J Schmidt, andour audio video editor, Cameron
Hill, you can stay up to date onthe latest cybersecurity topics
by giving us a like and afollow on our socials and
subscribing to this podcast onApple, Spotify or wherever you
(30:05):
source your security content.
Popular Podcasts
Fudd Around And Find Out
UConn basketball star Azzi Fudd brings her championship swag to iHeart Women’s Sports with Fudd Around and Find Out, a weekly podcast that takes fans along for the ride as Azzi spends her final year of college trying to reclaim the National Championship and prepare to be a first round WNBA draft pick. Ever wonder what it’s like to be a world-class athlete in the public spotlight while still managing schoolwork, friendships and family time? It’s time to Fudd Around and Find Out!
Crime Junkie
Does hearing about a true crime case always leave you scouring the internet for the truth behind the story? Dive into your next mystery with Crime Junkie. Every Monday, join your host Ashley Flowers as she unravels all the details of infamous and underreported true crime cases with her best friend Brit Prawat. From cold cases to missing persons and heroes in our community who seek justice, Crime Junkie is your destination for theories and stories you won’t hear anywhere else. Whether you're a seasoned true crime enthusiast or new to the genre, you'll find yourself on the edge of your seat awaiting a new episode every Monday. If you can never get enough true crime... Congratulations, you’ve found your people. Follow to join a community of Crime Junkies! Crime Junkie is presented by audiochuck Media Company.
The Breakfast Club
The World's Most Dangerous Morning Show, The Breakfast Club, With DJ Envy, Jess Hilarious, And Charlamagne Tha God!