Skip to main content

CyberPatriot Introduction

CyberPatriot is a national K–12 youth cyber education program in the United States, created by the Air Force Association. Its goal is to guide students toward careers in cybersecurity and other STEM (science, technology, engineering, and mathematics) fields. The program's centerpiece is the National Youth Cyber Defense Competition, which culminates in an in-person National Finals Competition for high-performing high school and middle school teams.

Competition Rounds

Practice rounds

  • Open to all participants
  • Very basic images. Similar to R1 and R2 in difficulty, if not easier.

Round 1

  • Open to all participants except the Middle School Division.
  • Beginner-level virtual machine images.

Round 2

  • Open to all divisions.
  • Intermediate-level images.

State Round

  • All teams compete using intermediate to advanced images.
  • Based on performance in Rounds 1 and 2, teams are placed into one of three tiers:
    • Platinum
    • Gold
    • Silver
  • Tiers apply across all divisions: All Service, Open, and Middle School.

Semifinals

  • Only the top 25% of each tier (plus wildcard teams) advance.
  • Advanced-level images are used.

National Finals

  • Top teams from each division qualify.
  • Features advanced images and the presence of a Red Team (offensive security team).

Vulnerability Categories

Each virtual machine (VM) contains vulnerabilities grouped into categories. This guide focuses on these categories:

  • Account Policies
    Password and lockout policies.

  • Application Security Settings
    Critical services, required settings, and permissions.

  • Application Updates
    Update status and automatic update configurations.

  • Defensive Countermeasures
    Firewalls, antivirus software, encryption, etc.

  • Forensic Questions
    Scenario-based questions assessing investigative skills.

  • Local Policies
    Audit policies, user rights assignments, and security options (e.g., network security, privilege elevation).

  • Operating System Updates
    Windows updates, service packs, and automatic update settings.

  • Policy Violation: Malware
    Includes backdoors, remote admin tools, keyloggers, sniffers, etc.

  • Policy Violation: Prohibited Files
    Unauthorized software archives, confidential files, etc.

  • Policy Violation: Unwanted Software
    Games, scareware, adware, PUPs, hacking tools, etc.

  • Service Auditing
    Enable/disable services.

  • Uncategorized OS Settings
    Remote access, file sharing, screen locking, group policy settings, OS permissions, etc.

  • User Auditing
    Authorized users, groups, and user-specific settings.

Main Challenges

The primary challenges include Windows, Windows Server, Linux, and Cisco. This guide groups Windows and Windows Server together due to their similarities. Semifinals introduce additional challenges such as the Boeing and Web-based Challenges.

Unofficial practice images are available for preparation here.

Common Mistakes in CyberPatriot

Many competitors fall into the “Gotta Catch ‘em all!” mindset. Some competitors only try to get all the points they can, and don't focus on the what and why of what they're actually doing. This is a dangerous practice, and you won't learn anything practical in the end.

Many competitors don't know that they're breaking the rules or cheating in CyberPatriot, as they haven't read the rulebook or been informed about it. Rules and misconceptions can be found here. If you cheat in CyberPatriot, you'll never learn anything and you'll only be harmful to the community.

Research

CyberPatriot is a very research heavy competition, and it's vital to be able to research effectively. You'll never know everything there is to know, and you'll always have to research.

Tips

More information and helpful tips can be found on Akshay Rohatgi’s blog, a three-time CyberPatriot Open Division National Champion and a CyberPatriot All-American Award recipient:
https://akshayrohatgi.com/blog/posts/How-To-Win-CyberPatriot/

FAQ

Where can I find the practice image spreadsheet?
What can I do to practice for the competition?

Playing CTFs, doing practice images, and doing research are some simple ways to get more proficient. There's also similar competitions to CyberPatriot such as eCitadel.

How do I open a virtual image?
  1. Download zip file
  2. Unzip
  3. Enter password if any
  4. Open Vmware
  5. File > Open
  6. Go inside folder
  7. Click .vmx file
  8. Power on
What's the current competition schedule and challenges?
Am I allowed to take virtual image snapshots?

Yes. According to section 3012E, "Using image snapshots or similar capabilities is allowed during the competition. Snapshots include host system file copy mechanisms to create a backup copy of an image. Snapshots or backups may be used to roll back to a previously known good state. If the competition image becomes corrupted or unusable, snapshots are an acceptable way of attempting to recover the competition image."

Why am I seeing an Overtime Penalty?

A team’s 4-hour competition window begins the moment they open the first virtual image in VMware. If you open an image before your planned competition time, your time will begin. If you re-open the image later, you’ll notice on the scoring report that the clock has been running, and your four hours may already be expired.

What's a multiple instance penalty?

During a competition round, no more than a single copy of the same virtual image may be opened at the same time. For example, if you are running the Windows 10 images on Computer 1, you cannot open a second copy of the Windows 10 image on Computer 2 or 3.

There's an issue with my score. Who should I contact?

Score Correction Requests will only be accepted via the official Score Correction Request Form. The Score Correction Request Form allows coaches to self-report scoring discrepancies or issues during and immediately after the competition (until 11:59 PM ET on the last the day the round ends – Late requests are NOT accepted). Please do not email the CyberPatriot Program Office with documentation unless requested.

Once the score correction requests are reviewed, coaches will receive an email with the preliminary scores. The email provides information about the Preliminary Score Discrepancy Form​, which is the last opportunity for coaches to request changes to their scores before the scores are finalized. Technical issues and scoring issues such as not recieving points for a fix, image crashes, etc. will not be considered in the Preliminary Score Discrepancy Report Form.

When / where are final scores published?

Final scores are published on www.uscyberpatriot.org under Competition > Current Competition > Scores. It takes 7-10 business days after the end of the round for scores to be published. Coaches will be notified once the final scores are posted. Until then, please refrain from contacting us about when scores will be available.

How do I access official training/round images and the NetAcad course?

Your coach will provide you with these materials. DO NOT ASK OTHERS FOR THESE.

References