Cyber Exercises and Capture the Flag Competitions as UK Policy Tools

Cyber competitions and exercises are not simply training environments but can also function as strategic infrastructure for developing offensive cyber capability. If the UK wants to sustain its cyber power, it must treat these ecosystems as strategic policy tools and training environments rather than peripheral activities.

Introduction

Offensive cyber capability is not created the instant an operation is approved. Instead, it is developed years earlier through skills development, trust and exposure to complex, high-pressure environments. Yet the UK’s debate over offensive cyber often focuses on authorisation, oversight and the risk of escalation. These questions are essential, but they are not sufficient to ensure that the UK can generate and maintain the technical and human capabilities that offensive cyber operations depend on.

Cyber competitions and large-scale cyber exercises play a crucial role in building this upstream capability. Capture the Flag (CTF) competitions generate early interest and technical skills, while exercises simulate the organisational, collaborative and decision-making pressure that shape real-world operations. Increasingly, these environments also serve as a testing ground for how humans and artificial intelligence (AI) work together.

From my experience, participating in cyber competitions and defence-focused cyber exercises, I argue that the UK should treat these activities as strategic capability infrastructure, not peripheral training. They shape the talent pool, professional habits and cross-sector relationships which offensive cyber relies on.

What Structured Pipelines Get Right Internationally

Internationally, some countries, including Italy and China, have invested heavily in structured cyber talent pipelines that begin early and progress gradually. These tend to share these features:

• Age-appropriate entry points.
• Visible progression routes.
• Aspirational goals like national selection for competitive teams.

Where these models exist, participation becomes normalised. Students are repeatedly exposed to cyber security challenges, see peers succeed and can see clear pathways from school-level challenges to national representation. This creates both volume and depth in engagement, as more people enter the skills funnel and eventually develop real capabilities. For many, understanding the cyber security job market and the wide variety of opportunities available to them is crucial.

Italy provides a useful public example of how structured pathways can generate scale. It runs multiple, linked initiatives through the Cybersecurity National Lab of CINI (Consorzio Interuniversitario Nazionale per l’Informatica), supported by the Italian National Cybersecurity Agency.

In the Italian case, two features matter for policy:

• Earlier engagement: Italy’s ‘Italian Olympiads in Cybersecurity’ (OliCyber) is specifically designed for secondary school students.
• Structured progression: CyberChallenge.IT targets students aged 16-24, combining training and competitive selection.

This staged model has generated substantial participation. In the 2024 edition of CyberChallenge.IT nearly 5,000 students registered for the program and 942 progressed to the national finals. These figures show how clear pathways and competitive progression pipelines attract large numbers of participants while still identifying top talent. At the continental level, the European Cybersecurity Challenge brings together teams from more than 40 countries, further demonstrating the scale of interest in competitive cyber training across Europe. Italy’s program has proven successful, as it won in 2025.

China provides a different but equally instructive example of how cyber competitions can support national capability development. Research into China’s hacking competition ecosystem shows that large-scale contests are used not only for skills development, but also to identify talented participants. China builds databases of people who may later join security companies or state-linked cyber organisations. Competitions bring together university teams, private security researchers and government affiliated institutions which creates a comprehensive ecosystem for technical discovery and recruitment.

However, the structure differs from Italy’s more formal pipeline. Italy’s programmes deliberately create a pathway from secondary school into university level training and national teams. On the other hand, China’s ecosystem appears more heavily centred around the university students and professional researchers, with competitions functioning primarily as mechanisms for talent discovery, recruitment and exploit development rather than early stage outreach.

How the UK Structures its Pipeline

The UK has elements of the Italian approach. Previously, the UK had programs like Cyber Discovery and CyberFirst competitions and summer school. These are not yet coherent or sustained enough and some of the specified programs are no longer running or have taken years out while ownership has changed, for example, the NCSC no longer directly deliver CyberFirst courses to students.

Where early-stage initiatives diminish impact, it becomes visible later in the pipeline. This is not a failure of the individuals, but more a structural policy issue. The UK is, however, investing in a new program called TechFirst, which will hopefully rebuild this pipeline.

For an effective offensive cyber policy, this matters, because capability density is crucial. A small number of highly skilled individuals is not enough. The ecosystem that develops offensive cyber talent from early competitions to advanced exercises and operational training, must reliably replenish and diversify that skill base over time.

What Competitions and Exercises Do Well

Competitions are one of the most effective ways to generate early engagement in cybersecurity by encouraging active learning, incorporating rewards, curiosity and visible progress. Many people enter the cyber security sector through competitions because they offer something traditional education often does not, including rapid feedback, collaboration, engagement and a sense of achievement.

Cyber exercises vary significantly in design and purpose. Some create red-team vs blue-team scenarios where defensive teams respond to simulated intrusion conducted by professional attackers. These exercises focus on technical detection, response and system defence under time pressure. Others operate at a strategic level and test crisis decision making and government coordination during large-scale cyber incidents.

Another important category involves multinational or allied exercises where participants from different countries test how effectively they can share information, coordinate responses and operate within shared legal and operational constraints. These environments help by identifying practical challenges that emerge in coalition operations, such as differences in procedures, communication structures and authorities.

Across these formats, exercises introduce stress, time pressure and coordination across teams. Participants must prioritise tasks, communicate effectively and adapt to evolving scenarios. These conditions mirror aspects of real cyber incidents and operations where technical skill alone is insufficient.

Defence Cyber Marvel and Cross-Sector Integration

One of the most policy-relevant aspects of defence-focused cyber exercises, such as Defence Cyber Marvel (DCM), is the environment they create for cross-sector interaction. These exercises integrate technical challenges, operational coordination and strategic decision-making into a single environment, making them not just technical challenges but also social and institutional laboratories. The exercise creates realistic environments by utilising tooling and live personnel to attack. Some essential elements of the exercise that enhance realism include phishing user simulations, psychological operations (psyops) with media, simulating legal trouble for teams, reporting and situational reports (SITREPs), all of which are accompanied by additional skill enhancement challenges, including AI, Forensics and communications.

DCM-style exercises bring together military personnel, government staff, industry partners and academic participants into the same simulated operational space. Each group brings different strengths, assumptions and constraints. Industry participants often contribute tooling expertise and operational experience on a large scale; military and government participants bring a mission-focused approach and structured decision-making process. Academics, on the other hand, often approach problems analytically and creatively, questioning assumptions that others may take for granted.

Large-scale exercises bring together participants from government, industry, academia and the military. This matters more than is often acknowledged. Offensive cyber operations should not occur in organisational silos and exercises are one of the few places where communities can experience shared constraints and objectives. These environments test how these different organisations can collaborate, share knowledge and push boundaries.

This mix is valuable because it exposes gaps that are invisible within single communities. It also fosters informal trust and shared understanding, both of which are essential for real-world cooperation but difficult to generate through policy documents alone.

Exercises as Soft Power and International Signalling

Large-scale cyber exercises have an underappreciated diplomatic dimension. Participation by allies, observers and industry partners sends signals about alignment, capability maturity and willingness to cooperate. These signals matter in offensive cyber, where deterrence and assurance often rely on perception rather than disclosure.

Exercises allow states to explore collaboration models in a low-risk environment. Questions about information sharing, division of labour and how coordination can be tested without the political cost of failure. For the UK, this has implications for how it positions itself as a partner within alliances and coalitions.

Policy discussions about offensive cyber often focus on legal thresholds and norms. Exercises offer complementary tools: practice without provocation.

The Realism Gap – Why it Matters for Policy

Despite their strengths, competitions and exercises have limitations. Some competitive formats reward speed over discipline and can unintentionally encourage sloppy habits. Participants may learn how to ‘solve the problem’ without understanding broader consequences, trade-offs or long-term impact.

Certain CTF categories are intentionally designed to be artificial or puzzle-like. While these are valuable for developing specific skills, they should not be mistaken for professional training. Even in more realistic categories, competition constraints can simplify complexity in ways that obscure operational realities.

This is not an argument against competitions. It is an argument for clarity purposes. Policy should recognise competitions as discovery and development tools, not end-state training.

AI is Reshaping Exercises – and Exposing New Policy Questions

AI is now embedded in the cyber competition ecosystem. Participants use AI tools for ideation, code generation, defensive patching and analysis. Exercises are increasingly focused on challenges related to AI systems themselves, such as identifying weaknesses or attributing outputs.

In international competitive environments, there is a wide variation in the teams that use AI. Some avoid it entirely, while others integrated it deeply into their workflow. Importantly, access to AI resources varied significantly. Teams with greater financial or institutional backing can effectively scale their problem-solving capabilities by leveraging paid AI services and computing resources.

This raises a policy dilemma. On the one hand, AI literacy and human-AI teaming are increasingly essential skills for real-world cyber defence and offence. On the other hand, if competitions become resource-dependent, they risk reinforcing inequality and distorting the identification of talent.

Exercises provide a controlled environment in which to explore these tensions. They allow policymakers to observe how AI accelerates work, where it introduces risk and why human oversight remains essential. When used incorrectly or without sufficient expertise, AI tools can introduce new vulnerabilities just as easily as they resolve existing ones.

If the UK treats cyber competitions as peripheries, it will miss one of the few environments where AI-enabled cyber work can be tested without strategic risk. Exercises already reveal how uneven access to AI reshapes outcomes, how easily automation introduces new vulnerabilities and why human oversight remains indispensable. Ignoring these lessons would not preserve fairness or control it would just defer them to operational environments where mistakes carry far greater consequences.

Conclusion

The UK now faces a choice about how it develops its offensive cyber capabilities. It can continue to focus primarily on downstream questions of authorisation, oversight and escalation, or it can pay greater attention to the upstream conditions that make those capabilities possible in the first place. For the UK this implies the need to treat cyber competitions and exercises as part of the national cyber capability infrastructure like China has done. This means sustaining talent pipelines like Italy, supporting large-scale exercises and ensuring that these environments evolve alongside emerging technologies such as AI.

Cyber competitions and exercises are not substitutes for operations, nor are they a solution for workforce challenges. However, they are one of the few mechanisms through which the UK can consistently generate interest, identify talent and expose future practitioners to pressure, collaboration and emerging technologies. They also shape how humans and AI learn to work together in security-critical contexts.

Treating these activities as marginal would be a strategic mistake. Offensive cyber capabilities are not conjured at the moment of need; they are cultivated over time. If the UK is serious about sustaining its position in cyberspace, it must recognise that capability begins long before operation is ever approved.

© RUSI, 2026.

The views expressed in this Cyber Effects Perspectives are the author's, and do not represent those of RUSI or any other institution.

For terms of use, see Website Terms and Conditions of Use.