plfanzen CFT
What originally started as a joke at DHM has now evolved into a CTF with chall authors from all across the DACH region, and more :)
The CTF is aimed at more experienced players, but will (probably) also contain a few intro challenges, and some zaje, maybe even both :)
Plfanzen CTF is a team event for teams of any size. You can also participate on your own!
CTF will start 2026-05-08 18:00 and end 2026-05-10 14:00 (CEST)
Join us on Discord!
clanker policy
As I'm sure everyone is aware, over the last couple months, especially with rather recent models, LLMs have reached a point where they can autonomously (or near autonomously) solve most of what would have previously been difficult and interesting CTF challenges.
While LLMs are undoubtedly becoming a core tool in many disciplines of cybersecurity, many of the challenge types now deemed "lost" still test very relevant skillsets, or teach techniques and patterns, which are still very relevant for a modern security professional or enthusiast to understand.
It is also incredibly discouraging for us challenge authors, for "our work" to be "slopped open", without any human in the loop...
Our goal with plfanzen CTF was to share some interesting/fun findings through CTF challenges, while also allowing a place for teams to compete with more difficult challenges across most categories all of misc (yea idk, deal with it).
We believe that we have multiple challenges which should pose a challenge for even the strongest LLM setups (e.g. windows kernel pwn). However, we are also aware that some/most of our challenges are likely trivially solvable using LLMs (this used to not be the case like a month ago).
Rather than butchering our challenges in an attempt to make them "LLM proof", we decided to include them as is, and let teams decide to what extent they wish to use LLMs in their CTF process.
We really liked the KalmarCTF 2026 Low-LLM policy, and are also providing a separate, opt-in bracket for "human" teams; we heavily recommend playing this way, instead of throwing money at big slop.
For the "human" (low LLM) bracket, consider the following guidelines on LLM usage:
- LLMs may be used to explain general concepts that are not specific to a particular challenge.
  Okay: How is an HTTP request structured?
  Not Okay: How do I factor this formula?
- LLMs may be used to help write stumps of code you fully understand.
  Okay: Write a function that establishes a TCP connection to a given IP and port.
  Not Okay: Write a function that exploits this buffer overflow.
- LLMs may be used to help find the correct command line arguments for tools or as a search engine to find relevant resources and tools.
- You may not utilize LLMs to solve specific problems directly.
- You may not paste challenge code directly into LLM chats.
- You may not utilize tools such as GitHub Copilot, Codex, or Claude in a way that would allow them to directly interact with challenge code/handouts.
- You may not ask LLMs to implement a full solution based on a high-level description or a few buzzwords.
- You may not use LLMs for writeups (for writeup prizes).
We reserve the right to disqualify teams from the "humans" bracket if we find evidence of LLM usage that violates the rules, or to disqualify teams from the writeup prizes for the same reason.
applying for the "humans" bracket
Have your team captain / representative email us at vorstand@plfanzen.lol with a filled out version of the form. Opt-in for the "humans" bracket will apply to your whole team. We may disqualify teams from the "humans" bracket if we find evidence of LLM usage that violates the rules.
sponsors
not final, ideally we find more
PWND Labs GmbH is a cybersecurity company, founded by past and present ECSC and DEF CON Finals players, specializing in application security. We offer source code audits and secure software development consulting.
prizes
not final, WIP
placement
- 25€
- 15€
- 10€
writeups
- 50€ for best writeup for windows kernel challenge
- ~200€ distributed among writeups for other challenges (exact distribution TBD)
state of this document
This page is not final and will be updated as we get closer to the CTF.