OpenSOC is a Digital Forensics, Incident Response (DFIR), and Threat Hunting challenge meant to teach and test practical incident response skills in an environment that closely resembles a real enterprise network. This virtual environment is representative of what you would find in an enterprise network, including: workstations, servers, firewalls, email, web browsing, user activity, etc. Simulated users are browsing the Internet, downloading files, watching videos, and accessing LAN resources. This creates a high-fidelity training environment for unleashing real-world attacks and testing responders’ abilities to filter and detect malicious activity on the network.

This isn’t just another CTF. We’ve built this platform to train real-world responders to handle real-world situations, and each year we incorporate new scenarios that are modeled after threat actors and breaches experienced by the OpenSOC team. From APT attacks using 0-days and heavily weaponized shellcode to sneaky lateral movement and exfiltration techniques, we expose contestants to a wide-range of techniques that we see actively used in the wild.

We encourage team participation, and always have folks on hand to assist those just getting started out.Even better – 100% of the security tools demonstrated within OpenSOC are Free and/or Open Source! These projects include Velociraptor, Sysmon, osquery, Suricata, Moloch, pfSense and Graylog + ELK bringing it all together in an awesome way. This allows our contestants to not only have fun at GrayHat, but also learn skills and tools they can take back to work on Monday.


  • Contest Type: CTF
  • Twitter: @Recon_InfoSec
  • Maximum Participants: 100
  • Pre-Conference Sign-Up: Yes
  • Days Active:
    • 10/29 (9am – 4pm CDT)
    • 10/30 (9am – 4pm CDT)
  • Participant Type:
    • Individual
    • Team
  • Participant Skill Level:
    • Beginner
    • Moderate
    • Expert
  • Requirements:
    • Laptop