Announcement
If you already have existing picoCTF login credentials created before May 8, 2026, you can log in with those credentials, and your progress, achievements, and history will all be intact.
Log in to your accountPost
A conversation with the director of CMU's Information Networking Institute on what it takes to grow the next generation of security leaders.
Read the interview
At a glance
1M+
Learners worldwide
14K+
Classrooms reached
10M+
Challenges solved
CyLab Security Academy teaches you to think like a hacker, then use that thinking to defend the systems the world depends on. Practice through Capture the Flag (CTF) challenges at your own pace, in your classroom, or live in a competition. No experience needed. Always free, and built by computer security experts at Carnegie Mellon University.
CyLab Security Academy is the next chapter of a cybersecurity education platform built by the team at Carnegie Mellon University's CyLab Security and Privacy Institute. What started as a competition for high school students has grown into a full learning ecosystem for middle schoolers through adults, serving over a million learners across 14,000 classrooms worldwide. The same team. A bigger mission.
Inside the platform
The platform has four moving parts, and you'll touch all of them.
The building blocks
Bite-sized problems organized by topic and difficulty. Each one hides a flag you find by reading, thinking, and sometimes breaking things. Hints are available one at a time when you're stuck.
How challenges connect
Curated sequences that build from simple to complex. Each path tells you what to tackle next, with readings, videos, and interactive games along the way.
Hands-on pressure
Timed challenge releases. Most carry a scoreboard, some carry prizes, some allow team play. Everything else stays self-paced.
The teaching layer
Teachers assign paths and challenges, track student progress, and run events scoped to their class. If your instructor sent you here, they may have a classroom waiting.
What you'll learn
Every challenge is built to be hacked, so the practice is legal and the experience is real.
The terminal, bash scripting, and quick file work. The tools you'll reach for in every other category.
Machine learning models can be tricked. Prompt injection, adversarial examples, model inversion. A fast-growing area as AI ends up everywhere.
Codes, ciphers, and locked data. Figure out how encryption and hashing work, then break them.
Websites trust user input more than they should. SQL injection, XSS, and broken logins are how attackers get in.
Hunt through files, images, and network traffic for data that wasn't meant to be found. Steganography, packet captures, and the metadata that gives the game away.
Programs handle memory, and they don't always handle it carefully. Buffer overflows, format string bugs, and return-oriented programming let you corrupt that memory and make software do unexpected things.
You have the program but not the source code. Disassemble it, decompile it, and trace its execution to figure out what it does.
Smart contracts run on code, and code has bugs. Reentrancy, integer overflows, oracle manipulation. Find the vulnerabilities before someone exploits them.
Always free, for everyone
Interested in having a CyLab Security Academy student ambassador visit your class? Carnegie Mellon University students help onboard your students to the platform and introduce core security concepts, methods, and terminology — making it easier for teachers to bring real cybersecurity skills into the room.
Email contact@cylabacademy.org for more information.
CMU students interested in volunteering as Academy ambassadors should reach out through the university's student programs office.
In-Person Summer Camp for Teachers
Carnegie Mellon University hosts an NSA GenCyber experience for high school teachers, online and in person. The CyLab Security Academy for GenCyber Teacher Program is designed for 10th to 12th grade U.S. high school computer science teachers who want to use CTF-style problems and competitions to introduce cybersecurity to their students.
Regional sponsors
Base sponsors
Made possible by generous gifts and grants from
DDoS protection generously provided by
Challenge resources provided by
CyLab Security Academy is free for everyone because of the people and organizations who believe cybersecurity education should have no barriers. We've reached over a million learners worldwide. And we're just getting started.