Safeguard
Security

Snyk CTF: What Fetch the Flag Is and How to Prepare

The Snyk CTF, branded Fetch the Flag, is a free annual capture-the-flag competition. Here is what the challenges look like and how to get ready for one.

Aisha Rahman
Security Analyst
6 min read

The Snyk CTF is Fetch the Flag, a free annual capture-the-flag competition hosted by Snyk that runs a set of timed security challenges across web exploitation, cryptography, reverse engineering, and supply chain security. If you have never done a CTF and the term sounds intimidating, it should not. Fetch the Flag is deliberately pitched at working developers, not just career red-teamers, and it is one of the friendlier on-ramps into hands-on security.

I have played it and I have coached a couple of first-timers through it, so this is a practitioner's read on what the Snyk CTF is, what the challenges feel like, and how to actually prepare instead of showing up cold.

What a Capture-the-Flag Event Is

A CTF is a competition built around solving security puzzles. Each challenge hides a "flag," usually a string in a recognizable format, that you recover by exploiting or analyzing something. Submit the flag, score the points. The challenges are sandboxed and intentionally vulnerable, so nothing you do touches a real production system or a real victim.

Jeopardy-style CTFs, which is the format Fetch the Flag uses, present a board of challenges grouped by category and difficulty. You pick what to attack, points scale with difficulty, and a scoreboard tracks standings in real time. That structure is what makes it approachable: you can spend the whole event on beginner web challenges and still finish with a score you are proud of.

What Fetch the Flag Looks Like

Fetch the Flag is a 24-hour event. The 2026 edition ran from noon Eastern on February 12 to noon Eastern on February 13, co-hosted by Snyk and the security educator NahamSec. It featured 15 hands-on challenges, and the format lets you compete solo or on a team of up to five.

The challenge categories track what you would expect from a modern appsec-flavored CTF:

  • Web exploitation covers injection, broken authentication, insecure direct object references, and the everyday flaws that show up in real applications.
  • Cryptography ranges from spotting a badly used cipher to breaking a homemade "encryption" scheme that never should have shipped.
  • Reverse engineering hands you a binary or some obfuscated logic and asks you to figure out what it does and where the flag lives.
  • Supply chain security is Snyk's home turf, so expect challenges around vulnerable dependencies and the kinds of issues an SCA tool is built to surface.
  • AI security scenarios have appeared in recent editions, reflecting where a lot of new attack surface lives.

Prizes vary year to year; recent editions awarded hardware to the top individual and team finishers. But the honest reason to play is the practice, not the swag.

How to Prepare

The single best preparation Snyk offers is its own Capture the Flag 101 workshop, a guided walkthrough that solves a sample challenge end to end and teaches the core techniques. If you do nothing else, do that. Beyond it, here is the plan I give first-timers.

Get your toolkit installed before the clock starts. You do not want to be apt install-ing during a timed event. At minimum have a browser with developer tools, an intercepting proxy such as Burp Suite Community or OWASP ZAP, a terminal with curl, nc, and Python 3, and something like CyberChef bookmarked for quick encoding and decoding. For reverse-engineering challenges, having Ghidra installed pays off.

Learn to recognize encodings by sight. A huge fraction of beginner challenges hinge on noticing that a blob is Base64, hex, ROT13, or URL-encoded. If you can eyeball SGVsbG8= and think "that trailing equals sign means Base64," you will move faster than half the field.

Practice on evergreen platforms first. PicoCTF is the canonical training ground and its challenges stay available year-round. Working through its web and crypto tracks will prepare you for the difficulty curve of a Snyk CTF beginner board better than any amount of reading.

A Worked Mindset, Not a Walkthrough

I am not going to hand you a step-by-step exploit, because the point of a CTF is the discovery. But the mental loop is worth naming.

When you open a web challenge, read the source. View source, check the network tab, look at cookies and headers, and read any JavaScript the page loads. An astonishing number of beginner flags are hiding in an HTML comment or a client-side check that never should have been trusted:

<!-- TODO: remove before launch. debug flag = ... -->

When you hit a login form, ask what the developer assumed. Did they trust a hidden field? Is the "admin" check happening in JavaScript you can bypass by talking to the API directly with curl? For crypto, the first question is always "did they roll their own?" because the answer is usually yes and that is usually the vulnerability. Real cryptographic primitives used correctly do not show up as beginner challenges; misused ones do.

Why Developers Should Bother

The strongest case for playing the Snyk CTF is that it makes the abstract concrete. Reading that IDOR is a common flaw is forgettable. Actually changing ?id=1002 to ?id=1003 and pulling another user's data out of a sandboxed app is the kind of thing that changes how you write your next endpoint. Developers who have exploited a vulnerability class once tend to defend against it instinctively afterward, which is the whole educational thesis behind these events.

If your team is trying to build security intuition, running a group through Fetch the Flag together, or through the free security academy content in the weeks beforehand, is a genuinely good use of a Friday. It is competitive enough to be fun and low-stakes enough that nobody is embarrassed to be learning in public.

FAQ

Is the Snyk CTF free to enter?

Yes. Fetch the Flag is free to register and play. Snyk runs it as a community and educational event, and the associated Capture the Flag 101 workshop is also free.

Do I need to be a security expert to compete?

No. The board is tiered by difficulty specifically so that beginners have solvable challenges. If you are a developer comfortable with a browser's dev tools and a terminal, you can score points. The event is a common first CTF for exactly this reason.

Can I compete alone or do I need a team?

Both are allowed. You can play solo or form a team of up to five, and recent editions have recognized top finishers in both individual and team categories. Teaming up is usually more fun and lets you cover more challenge categories at once.

When does Fetch the Flag happen each year?

It is an annual event that Snyk has run in February in recent years, as a roughly 24-hour competition. Dates shift year to year, so check Snyk's events page for the current registration window rather than assuming last year's date.

Never miss an update

Weekly insights on software supply chain security, delivered to your inbox.