Moving On

12 Jun, 2026

2807 words | 14 minutes

Ring tone jingle, my swan song // I’ll show you how to leave well enough alone

On Love

For the sixth year in a row, I took part in DSTA’s CDDC CTF competition. Perhaps saying “I took part” this year is a misrepresentation — I spent no more than three hours actually playing on-site this year, and even then to say I was “playing” is a distortion of the facts.

CDDC was the first CTF I ever took part in, back in 2021. I was technically too young to take part, but it’s not like I was going to win it anyways, so who’d find out? My maiden experience was a complete and utter shitshow, infamously so, but the appeal was there. My ragtag team got 7th place, not much of an accomplishment for a competition like that, but everyone starts from somewhere.

It satiated a curiosity.

When I was 8, I watched a YouTube video by danooct1 on Virus.Win9x.CIH and was utterly enthralled.

When I was 11, I wrote my first keylogger in Python. My idols at the time were Edward Snowden, Julian Assange and fuckin’, um, Anonymous from the 4 channel. Great things to be into at that age.

When I was 15, I wrote a stack visualization tool in JavaFX for school to better understand the concept of buffer overflows. It sucked. And I wouldn’t even take the time to learn ret2libc until two years later.

When I was 17, I won my first local CTF, and that was CDDC 2022. I was playing on a beat up triple booted Lenovo with a broken Arch install, baremetal Kali Linux and a copy of Windows 10 that definitely had an infostealer on it. The absolute pinnacle of portable computing. Our team won by the skin of the teeth, partially attributable to the fact that the dominant force at the time, nushmallows, weren’t at full strength. We would proceed to lose to them at what nobody knew would be the final iteration of Govtech’s Stack the Flags at the end of the year. Stack the Flags would later be replaced by the “Singapore AI CTF”. I’d win it twice with my team. I’ll never play it again.

It was always a curiosity, really. A passion, a love.

Love is a strong word, yet love is an apt word.

The weird machines. The guts and gore. The illogical. That was what drew me in. CTFs were simply the most accessible avenue to learn and explore. Top on the fact that I am, and have always been, relentlessly competitive, paired with my edge of unearned arrogance…

For the first two years of playing CTFs, I only played local CTFs. I loved the competition, yes, but I never let it subsume me. I was mesmerized, yes, but I never took the time to “grind” at it. It’s something I’ve always regretted. Think of all the binaries I could’ve fucking reversed! Or, or, erm… all the ROP gadgets I could’ve chained together!

After graduation, I took CTFs a bit more seriously. Hey, if I was good enough, maybe I can finally turn these skills into something real. Maybe I could get a job in cybersecurity! (Alas, in the words of Morissey, “I was looking for a job and then I found a job // And heaven knows I’m miserable now”. It’s not that I find my current vulnerability research job torturous, it just concretized my feelings towards… all this.) I could get good at this, right?

I’d spend almost every weekend playing international CTFs with my teammates on Discord. If I wasn’t playing a CTF, I was writing for a CTF, or organising a CTF. I was still pretty fucking shit at all this, but I could tangibly feel my improvement over time.

The 24 to 48 hour qualifiers I’d slog through with my teammates. The sleep deprivation, the irritation.

Catharsis. Ecstacy. Disappointment. Delusion.

The hours spent staring at a decompiler. I hit enter in gef fifty times in a row to literally trace control flow on a pen and paper. Another twenty minutes lost to using cast when I could’ve just written a fucking Forge script.

Am I seriously the only contestant in this room who knows what an STM32 Bluepill boot selector is?

The camaraderie. The community. The laughs. The shared annoyance at some indecipherable PCAP.

The love.

I won 9 local CTFs with slight_smile, formerly team maybe maybe not, and that shall be my final tally.

On Futility

So, this is the part where everyone tells the tale of how Codex and Claude Code sprung onto the scene and ruined everything. How rapidly the harnesses and the agents improved, how rapidly the gameplay of CTFs devolved into something indistinguishable from sitting in front of a fucking pokie machine. Woe to all that grace this Earth!

The Nile to Blood

The water became undrinkable. The river, with its freshly formed skin of rotting silver scales, undulating, writhing.

A challenge author spends a week workshopping an idea. Oh, this will be the best fucking auto-rev challenge these Sinkie kids have ever seen. Yet, a stench permeates. A miasma. “How do I make this challenge AI resistant?” they ask themself. More moving parts, more obfuscation. Hey. Would a player find this fun?

Gills choke, an eye rolls backwards.

A new GPT model was just released, and all your work has become undone.

Another fish floats to the surface.

The Invasion of Frogs

And then the frogs emerged from the Nile. Into the palaces and the houses and the bedrooms and the beds and the ovens and into the people.

The first to go down the route of agent bashing were the ones that we felt were… immoral. Tis’ an art! This isn’t just a game, this is a declaration of our love for the craft! Don’t you see how profound this heap fengshui is? How dare you desecrate that which is before you, how dare you spit in our faces! Oh, curses, the sheer disrespect!

What’s the point if you don’t even engage with the challenges and offload it all to the stochastic death machine?

But the goal of a competition is to win, isn’t it? Wouldn’t you know best? You optimize, you min-max your effort. And I just so happened to put my effort into wiring in MCPs and harnessing for my LLMs to wreck the everloving shit out of your challenges.

So be it.

Gnats From the Dust

All the dust throughout the land of Egypt became lice.

It became inescapable. There was simply no way to remain competitive without at minimum a single paid LLM subscription. Challenges weren’t even being copy-pasted into chat windows anymore, people were automating the process of downloading challenges off CTFd and submitting flags entirely autonomously.

The system optimizes brutally for efficiency. CTFs are an abstraction, yes, yet still a reflection of the system. A competition with a monetary prize pool is an event with a clear objective function and a path towards profit. To profit, you must be fast. And there is a clear means to be fast in this day and age.

What’s that phrase again? Move fast, break faster?

Teems of Flies or Wild Animals

The chatter dies out. The atmosphere shifts.

Flies digest food externally before consuming it. They regurgitate their mixture of amylase and trypsin and lipase and lysozymes and it burns and tears before being absorbed by the labella and shooting up the proboscis.

Every last token. Every byte ruthlessly pattern matched. A binary goes untouched in a terminal, not even run, yet it has been completely and utterly dismembered, pulverized into its constituents and ingested by a tangle of Tensors and gradients and turned into vomit once more, wrapped in curly braces and a string prepended.

Up and in.

Nutritious.

What do you want out of this?

The Pestilence of Livestock

And the plague comes for the horses and sheep and cattle. And the goats. Oh dear, the goats.

It’s fine, this is just how the game is played now. I’ll toss the bot at the trivial tasks while I do the challenges with actual merit.

The consensus is that you still require a skilled operator to actually get anything done with these bots. You gotta grab the bull by the horns! “Steer” it until you get it done!

But you can feel it, can’t you?

When your job is throwing shit at a wall until something sticks, well, the shit throwing machine has you beat.

The Infection of Boils

Festering. Aching. Utterly disgusting.

How fitting, that this comes from Exodus. As the lesions and boils begin forming people begin… leaving. But, to where? Where shall you roam, with your bare feet, each scorching grain of sand licking your soles with each heavy step?

It’s ubiquitous. The plague has come for all. Another fucking AI generated report on my Twitter feed, distinctly not written by a security researcher that points whatever new model Anthropic has just released towards the same ol’, same ol’. The workplace is dominated by talks of how to “catch up” in the “AI race”.

A team finishes a CTF without knowing what a single challenge was about. The writeups are plucked from a distribution.

The illness, oh, the illness.

The Storm of Hail

Hear ye, hear ye! Remain unsheltered, and you shall die to the lightning and the hail and the thunder and it strikes and pummels and you bleed and bleed and bleed.

People still try.

Let me make my challenge so dense, so complex that an AI would get lost if left to its own devices!

I should try prompt injections in my challenge!

We can defend against this still!

It shatters like glass on impact. Sharpnel embeds deep in your skin. A CTF begins and within two minutes, a thunderous boom. Royalty free lighting sound effect reverberating as an announcer solemnly declares “first blood!”.

There is nobody to listen.

Swarms of Locusts

And after the hail, all that remained would be devoured by the locusts.

Slop in, slop out. Why should I spend all this time architecting a challenge that nobody will look at? A cool trick, a novel piece of research, just to become another data point for a frontier lab.

Hey, player. Are you looking for a job in cybersecurity? Do you think you’re proving yourself by being oh so adept at building all this harnessing so you can spend an entire CTF not playing the CTF? I’m sure you’d do great at a technical interview. Maybe you want a job at an AI shop? I’m sure they’ll be impressed at how many tokens you’ve burnt. Is it just the money? I’m sure you’ll be able to pay off that two hundred dollar Codex 20x subscription with or without the prize money, clearly this isn’t your concern.

So why are you here?

Three Days of Darkness

The qualifiers of CDDC 2026 already showed us exactly how the finals would play out. Teams full clearing challenges within, what, three? four? hours of the competition’s commencement.

Actually, we all knew this is how it’d be. We’ve had the last six months to look back upon. Yeah, my team qualified, but for every rev challenge I looked at where I get ragebaited for the umpteenth time by these organisers thinking that using Rust or Golang as “obfuscation” turns it into a challenge rather than just annoying busywork, I spend maybe five minutes on it before my teammate tells me “oh Claude’s got it. Actually you can look at something else, Codex got it.”

I didn’t want to come for finals. Yet at the same time, I couldn’t bear to see my team lose. We’ve got a four year winstreak. We’ve had our moments on-site, screaming when we solve some S-tier bullshit on stage. I’ve got good memories of this event. Surely, I’ve got to make the last one count too.

For the week leading up to the finals, knowing that I wouldn’t be taking leave for it, I instead focused my efforts on building harnessing so that we could stand a chance against the other teams with their sixty million Codex subscriptions. I’d spend my nights after work, putting myself in the soul crusher and wondering why my soul was getting fucking crushed.

A slave to the bloody machine. Did people actually find building this harnessing enjoyable? And this looming feeling that all of this would be for naught. What good is my own harnessing against somebody hitting a /goal in their seventh Claude Code window? It’s 3 a.m. and I’m taking challenges I’ve encountered before and throwing it into the blender to debug Docker issues just so the bot can churn faster, decompile quicker, iterate and iterate and iterate. 100 RMB Deepseek API credit. Another corporate Claude account. Why isn’t it calling my tools? Add in this command to steer the bot. Spin up subagents. Solve.

A pitch black void. A vast expanse with nothing, absolutely nothing to look at.

This is how it ends.

Death of the Firstborn

I don’t think my bot got anything done during CDDC Finals itself. Anything that it was close to solving was instead solved on-site by a teammate with a different Claude or Codex subscription and so did every other person in that ballroom. I’m grateful I didn’t step foot in there until the dying hours of the competition, and by then I had already reached the stage of acceptance. God knows how suffocating it would’ve been.

That was my first time ever building harnessing or performing bot wrangling or whatever you’d like to call it. I hadn’t even used Codex until five days prior to Finals. Anyways, the average player on site just lets Claude run amok with --dangerously-skip-permissions and hits it with a /goal and flags fall out of the sky. No special harness, no special tools.

And somehow, I was glad my bot floundered and got caught in debugging loops and rabbit holed and every single last agent spawned fucking died. I’m glad my efforts here were invalidated. I’m glad I didn’t completely give in and lose myself to the plague.

The ballroom reeked. Not because computer science students have yet to learn of deoderant. Well, partially. But it reeked of death. The death of curiosity (they’ve killed the cat killer!). The death of motivation. The death of passion. The death of thinking.

The death of love.

Onwards

The system optimizes brutally for efficiency.

There is no financial incentive to not put a bot on everything. It’s disheartening that this has extended to the youth taking part in these competitions. Oh, but I did so much steering! Yeah, tell that to yourself. I threw away so much of my dignity and integrity over this past week and was thankfully pulled from the edge by just, well, accepting the loss. I lost to myself to begin with. All this talk about passion and love and I didn’t spare any of it for this competition (besides the one DWARF expression challenge. Wow.) They’ll impale me on this ivory tower. They’ll beat my high horse to death. Et cetera.

Maybe it’s especially bad here in Singapore. “The rat race” and everything. Moulded and beaten to be ruthless optimizers from youth. But I shan’t be any more pretentious than I’ve already been for the last… 2.5k some words. Not a lot said, all things considered, but there isn’t much more to say and ruminate and despair over when it comes to this whole agent situation.

Are CTFs dead? You can answer that question yourself. The idea of there being any semblance of a legitimate competitive aspect is dead, from what I can tell. Man, just gut the competitive aspect at this point. Challenge authors, make that toy and share it still. Share the love, share the passion, share what you’ve learnt, hope someone picks up what you’ve done and goes “wow, that was cool.” I may be jaded, but even one person is enough.

Sigh.

Wishful thinking.

Bummer of a writeup, huh?

With this, I bid farewell to CTFs. An odd four-and-a-half-year detour in my life.

I’ve gained a lot. I’ve made so many friends, I’ve learnt so much, I found a community. Oh, how deeply intertwined my life has become with all this, and how grateful I am that I got to experience it all the way that I did. Do I pity those entering the scene now? Yeah. As I’ve started moving more towards organising and teaching and being Employed, I have started to care a lot more about the impact that LLMs are having. Perhaps I care too much. But my sympathy only extends so far.

Your passion is yours, after all.

There’s still hope, there’s still love to be had.

It’s up to you to seize it.

Flag: flag{we'r3_m0r3_7h4n_ju57_da7a_p0inT5}