I participated in at least six cybersecurity competitions during my time as an ISIN student at Ferris State University. Now that my degree is finished, I thought it would be a good idea to record what I remember from the experiences.
Apart from being a healthy thing to do, reflection is also a core analyst skill. Knowing how best to “make it mean something” after you finish a competition, certification, or other cyber engagement will give perspective to your experiences. Recording what happened or creating something like a lessons learned writeup can also benefit your peers and future analyst collaborators, so I feel grateful that the ISIN program reinforced this habit.
ISIA
The Information Security and Intelligence Alliance (ISIA) is a registered student organization at Ferris State University. As part of their event lineup, ISIA usually runs private CTF competitions for students in the cybersecurity program.
My first cyber competitions were the 2023 and 2024 ISIA CTF tournaments. Students worked individually or in teams of two to solve as many challenges as possible over a weekend. Although the ISIA competitions were generally less advanced than MWC3 and CyberForce, I think they were still my favorite experiences.
These tournaments served as a great reminder of what you can achieve by applying yourself and persisting to face challenges - even when it feels like you have no clue what you’re doing. It’s easy to feel like you aren’t capable of something because you lack experience. In reality, you can get surprisingly far by using what you already know to continue solving the next immediate problem.
2023
Jacob Derenzy and I teamed up for the 2023 ISIA CTF tournament. Despite being beginners with mostly introduction-level cyber coursework under our belts, we were still able to put on a respectable performance and earn second place.
I think much of our score be attributed to persistence with the CTF format - we pushed the boundaries of our abilities through trial and error, performing outside research, and using challenge hints. This is a core information security skill that was explained excellently during a presentation portion from the 2018 RSA Conference (7:06 - 9:03).
2024
I also participated in the 2024 ISIA CTF tournament. Unfortunately, I don’t have any leftover screenshots or recall much about the competition. I had less time to spend on CTF challenges over the weekend due to a heavier course load and more personal obligations during this period, so my memory of the competition is hazy.
Otherwise, the experience was very similar to the 2023 CTF. You get out what you put in, and you’re capable of solving more challenges than you think you are if you’re willing to stick with them.
MWC3
The Midwest Collegiate Computing Conference (MWC3) is a two-day event hosted by Grand Valley State University. It aims to provide students with learning and networking opportunities through competitions and workshops.
I attended twice with peers from Ferris State University in 2024 and 2025. I had the chance to attend in 2023, but this was extremely early in my cybersecurity education so I decided against it. In hindsight, I think I probably would have done well in the database competition since I was taking Database Security at the time.
MWC3 was an amazing opportunity for learning and networking, and I’m glad I took the time to participate in the conference, competitions, and workshops. I’m also proud to have contributed to a very strong overall competition performance from Ferris during both of the conference years I attended.
2024
Jacob Derenzy and I teamed up for the 2024 MWC3 cybersecurity competition. Although we hadn’t done many of the more advanced analysis courses yet, we still felt confident that our coursework up to this point would give us a solid foundation. We ended up receiving third place.
After the competition, I attended the cybersecurity workshop along with most of the other Ferris students. The content wasn’t groundbreaking, but it reinforced essential concepts and served as a good starting point for beginners. One activity flipped the script on phishing emails and asked us to pose as an attacker by creating our own message. The workshop instructor was a Star Wars fan, so our only limitation was that the emails had to fit the Star Wars universe.
The keynote address, Navigating the AI Revolution: A Software Developer’s Guide to Career Longevity, was presented by Joe Chrysler from Atomic Object. Joe offered an interesting perspective on AI and the use of AI tools. While he was enthusiastic about many of its abilities and its future potential (along with sharing examples of good usage), he also acknowledged that there were some things AI just isn’t good at. My takeaway was that the smart and resourceful thing to do is to learn how to take advantage of what AI can do while keeping your expectations in check and remaining mentally disciplined about using it. It was refreshing to hear somebody talk candidly about it, to be honest.
I’m reminded of a short video essay I found regarding this topic. The main idea can be summarized with a quote from the author (1:41):
Thoughtlessness doesn’t mean you know nothing - it means you’ve stopped wondering. We are replacing the internal monologue with external tooling, and in doing so, we are building a society that rewards decision-making divorced from deliberation.
2025
Janek Vedock and I teamed up for the 2025 MWC3 cybersecurity competition. Both of us had completed more advanced cyber coursework by this point, and I had saved some of the unsolved questions from the 2024 competition for us to practice with. We felt confident that we would be able to take an award and ended up receiving second place.
Janek and I both have experience with Python, so we also thought we would try our luck in the Python competition. It was focused more on computer science and programming concepts rather the than scripting and cybersecurity concepts we’re most familiar with, but we ended up doing well regardless. We were excited (and surprised, to be honest) to receive second place in Python.
I also signed up for the solo IT configuration with Linux competition. Ferris CIT and GVSU students earned all the major awards, but I received an honorable mention (likely due to the amount of time I was pouring into configuring a Linux laptop at the time - expect a future post).
The 2025 keynote address brought Joe Chrysler back from Atomic Object again as the speaker. I don’t remember this presentation as much, but I recall seeing a few demonstrations of AI orchestration. We were also shown an open-source library that allows you to integrate functional LLM interactions into your personal project. For example, Joe had code set up that allowed him to prompt an AI model to turn a light bulb on and off at home.
CyberForce
CyberForce is an 8-hour full-stack competition and workforce development program organized by the U.S. Department of Energy. This was by far the most comprehensive and involved tournament that I participated in as a Ferris student. A few major points of distinction come to mind:
- Responsible for protecting multiple systems and services with real end users
- Simulated physical infrastructure and controls that exercise OT and IT cyber proficiency
- Realistic scenarios and constraints (i.e., little/no budget, incomplete information, unknown environments)
- Hands-on approach to security by examining machines, installing patches, writing documentation, and communicating system needs to decision-makers
2024
CyberForce 2024 would be the largest competition that most (perhaps all) of the students on our team had attended up to that point, so we didn’t exactly know what to expect.
We spent a significant amount of time reading the rules and official messaging in an attempt to determine how we should prepare for the scenario. Critical information about competition content (outside of things like rules) is presented in an in-universe format - teams resolve a cyber incident by reading the bulletin, examining the environment, and devising a response. Our plan was first created from investigation findings and then documented, presented for a C-suite target audience, and enacted during competition day.
I was an off-campus student at this point so it was harder to collaborate, but we made it work. I joined most meetings remotely while the team met at the CVL, and I was able to show up in-person for our presentation day. Individual time outside classes and team meetings was spent on practice and research using course materials, the CyberForce 101 library, and Internet resources.
Competition day was hectic, fun, and exhausting at the same time. The red team wouldn’t become active until later, so we began by getting to work immediately on the CTF challenges with monitoring for our systems and services pulled up in the background. Our team nearly earned full points for service integrity and availability due to the strength of our prepared controls and defenses. Assume breached infrastructure (noncritical machines with built-in backdoors for competition purposes), however, became harder to defend to over time. Half of our team would eventually need to pivot towards responding to breach activity before the competition ended, so most of our missed points were the result of challenges with balancing CTF problems against responding to the red team.
2025
CyberForce 2025 was my last competition as a Ferris student and certainly among the most memorable ones as well. I’m glad I had the opportunity to be on the team again!
Our team had a better idea of what to expect thanks to the 2024 competition experience. We planned to spend more time developing our presentation, practicing to solve anomalies, and responding to red team activity based on our scorecard from last time. Some ideas had also developed in the time since the last competition about how we could improve our security posture without using any budget or compromising system usability.
Competition rules stated that we were not allowed to deploy our own SIEM VM alongside the AWS VMs that were provided to us. However, there were no rules against SSH tunneling the VPC network traffic to one our physical laptops. Had we gotten this configuration working to pass traffic into our tools, I believe that an improved red team performance would have brought us into the top 15 contenders based on an analysis of our scorecard.
