Standoff cyberbattle rules
Everything participants need to know

We’ve created a single document with everything participants need to know about the rules and key principles of the cyberbattle.

There are no descriptions of tasks or technical details, but there is information on what tasks different participants face, how to earn points, where to go for help, and what not to do to remain a Standoff participant.
Standoff 365
About the platform
Standoff 365 is a platform for anyone who wants to practically test and improve their cybersecurity skills. Depending on their goals and skill level, participants can choose the option that suits them best.
Cyberrange
A virtual infrastructure with realistic replicas of IT systems from various industries, where cybersecurity specialists can train 24/7 in security testing, vulnerability detection, and incident response.
Participation format: online
Cyberbattle
An annual international cyber exercise where infosec specialists use a simulated infrastructure to test the defenses of companies from various economic sectors.
Participation format: offline and online
Bug Bounty
Programs from platform partners with monetary rewards for discovering vulnerabilities.
Participation format: online
To conduct cyber exercises, cyberrange segments are deployed on the platform, simulating IT systems in a highly realistic manner. Typically, a segment is a specific economic sector or a company representative of it.
Examples of segments:
  • Banks
  • Utilities and public services
  • Metallurgy
  • IT
Each segment can include one or more services that regulate the activities of a virtual organization within the industry or ensure its information security.
For example:
  • Infrastructure services: mail server, FTP server, customer database, document management system
  • ICS: traffic light control system, wind generator control system
  • Information security tools: firewall

For each cyberbattle, a new set of segments with partially modified tasks is deployed. This helps regular participants gain new knowledge and test their skills in today's realities.
Roles of participants
All cyber exercises involve two key roles.
Attackers
Also known as red teams, white hats, or ethical hackers. The task of attackers is to trigger as many critical events and identify as many vulnerabilities as possible. Regardless of the type of cyber exercise, red teams always compete amongst themselves.
Defenders
Also known as blue teams.
The task of defenders is to swiftly identify incidents, investigate attacks, and in some cyber exercises, respond to attackers' actions and implement measures to defend against attacks. Blue teams do not compete against each other.
All participants
Regardless of their role, all participants become part of the Standoff community, where they can exchange experiences, get up-to-date knowledge in the field of cybersecurity, and, of course, have a great time.
Important notice for all participants
The Standoff 365 Platform can host hundreds of researchers simultaneously, so it’s important to take care of your own security and follow a few rules when connecting:
  1. Block incoming SSH connections.
  2. Connect to the platform through a virtual machine.
  3. Periodically check your connections using the netstat -antlp command.
  4. Disconnect your VPN connection when you’re taking a break.
Standoff Cyberbattle
The Standoff Cyberbattle, or simply the cyberbattle, is an annual international cyber exercise held on the Standoff 365 Platform. For the cyberbattle, we prepare an extensive infrastructure with various industry segments and bring together the best teams of defenders and attackers to test their skills.
The cyberbattle usually lasts four days with breaks at night. There are three possible formats.
Offline
All teams gather at the offline event. In this format, in addition to the cyberbattle itself, participants can expect networking and a fun afterparty.
Online
Teams can participate in the cyber exercise from anywhere in the world.
Mixed format
Some participants attend the event in person, while others participate remotely.
The format of each cyberbattle is announced in advance.
Key information for attackers
Cyberbattle structure
The participation format for attacking teams depends on the specific cyberbattle. A cyberbattle can take place:
  1. In a single stage. In this case, throughout the entire cyberbattle, attacking teams compete against each other for the victory.
  2. In multiple stages. For example, in the first stage, all teams can be divided into two rival states, and then the best teams from the winning state will make it to the second stage and compete for the main prize.

The structure of an upcoming cyberbattle will be outlined on the cyberbattle landing page and in our Telegram channel.
Preparation and connection
First, each team applies to participate in a cyberbattle via its website. Once the application is approved, the team will get access to the cyberbattle on the Standoff 365 Platform.

For this, do the following:
  1. Create an account on the Standoff 365 Platform if you haven't already. All team members need to be registered on the platform.
  2. Submit a request to access the cyberbattle via a dedicated section that will appear on the Standoff 365 Platform closer to the event (a link to it will also be sent to team captains via email). The request must be submitted by the captain and list the Standoff 365 accounts of all team members. In some cases, the request has to be submitted twice: once for the qualifiers and once again for the cyberbattle. After your request is approved, each team member will be able to see the cyberbattle section in their personal account.
  3. Set up a VPN connection. For this, open your personal account, go to the cyberbattle section, select the "Access and resources" tab, and follow the instructions.
Attackers' tasks
The main goal of red teams is to score the maximum number of points by completing tasks. Usually, attackers only see the tasks once the event has started, but in some cases, we publish them in advance.
Triggering critical events
For each cyberbattle, we prepare a list of critical events that attackers can trigger in different cyberrange segments. For example, disrupting the traffic light system, contaminating water with chlorine, or derailing trains.
Finding vulnerabilities
Each cyberrange segment has a list of vulnerabilities. Attackers can earn points by finding them.
At the cyberrange, the attackers can only target services at specific addresses provided by the organizers. Attacks on other addresses will not earn points and may result in penalties or disqualification from the cyber exercise.
How to earn points
The task card indicates the following:
  1. Description of the critical event or the vulnerability
  2. Task description
  3. Points awarded for task completion

Here's an example of a task for triggering a critical event during a cyberbattle:
[Figure: task card showing the critical event description, the task description, and the points awarded]
Points for triggering critical events
To earn points for triggering a critical event, you need to submit a critical event triggering report via the Standoff 365 Platform.
Objective: trigger a critical event, for example, a shutdown of a steam turbine, a confidential data leak, theft of funds from bank accounts, or a train derailment.
How to earn points:
  1. Trigger the event according to the task and within the infrastructure of the cyberrange.
  2. Submit the critical event triggering report. The report should describe, step by step, the actions that led to the event's triggering.
Read our guide on how to fill out reports properly.

All reports are reviewed manually. Once the report has been submitted, what happens next will depend on the report's quality and completeness.
No comments
  • Number of corrected fields: 0
  • Report: accepted without adjustments.
  • Points: awarded according to the precedence of triggering the event.
Minor adjustments or clarifications needed
  • Number of corrected fields: ≤ 3
  • Report: sent for revision with organizers' comments. The team should follow the comments to update the descriptions of the steps listed in the report.
  • Points: assigned according to the precedence of triggering the event at the time of the first report submission and awarded after corrections are made.
  • Example: Team X was the first to trigger the event, but the jury left comments on two fields. The team will receive points for the first triggering immediately after submitting the corrected report.
Significant changes needed
  • Number of corrected fields: >3
  • Report: rejected by the organizers. The team can resubmit the report after addressing all comments.
  • Points: not awarded until the corrected report is submitted. After correction, points are awarded based on the precedence of event triggering at the time of submitting the correct report.
  • Example: Team X triggered the event first, but the jury didn't accept the report. While the team was making edits, two other teams successfully submitted reports on triggering the same event. After submitting the corrected report, Team X will be considered the third to trigger the event and receive points accordingly.
The higher the difficulty level of the task, the more points can be earned. Points are calculated dynamically: the first participant or team to trigger the critical event receives the maximum points; each subsequent triggering by other participants earns 15% less.

Points decrease in this way until they reach 40% of the initial value specified in the task. From then on, anyone who triggers the event will receive this number of points.

Example of point calculation based on the order of triggering:
  • First triggering: 1,000 (maximum value)
  • Second triggering: 850
  • Third triggering: 722
  • Fourth triggering: 614
  • Fifth triggering: 522
  • Sixth triggering: 443
  • Seventh and later triggerings: 400 (minimum value)
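The dynamic scoring and the report-review precedence rules described above, as an added example that is not code from the Standoff 365 Platform: points_for_order reproduces the point table, and award ranks accepted reports by the precedence time each review outcome assigns. Assumptions: points are truncated to whole numbers (inferred from the table, not stated in the rules), and the Report fields and the sample teams are constructed for this illustration.

```python
# Added example (not Standoff 365 platform code): dynamic points for triggering
# a critical event, plus the precedence rule applied to reviewed reports.
from __future__ import annotations
from dataclasses import dataclass

DECAY = 0.85          # each subsequent triggering earns 15% less
FLOOR_RATIO = 0.40    # points never drop below 40% of the task maximum
MAX_MINOR_FIXES = 3   # up to 3 corrected fields keeps the original precedence


def points_for_order(max_points: int, order: int) -> int:
    """Points for triggering the event in position `order` (1 = first team)."""
    if order < 1:
        raise ValueError("order must be 1 or greater")
    raw = max_points * DECAY ** (order - 1)
    # Whole points; truncation is an assumption inferred from the sample table.
    return max(int(raw), int(max_points * FLOOR_RATIO))


@dataclass
class Report:
    team: str
    first_submitted: int    # minute of the first submission (constructed)
    corrected_fields: int   # number of fields the jury asked to correct
    final_submitted: int    # minute the accepted version was submitted

    def precedence_time(self) -> int:
        # <= 3 corrected fields: precedence from the first submission.
        # > 3 (report rejected): precedence from the corrected submission.
        if self.corrected_fields <= MAX_MINOR_FIXES:
            return self.first_submitted
        return self.final_submitted


def award(max_points: int, reports: list[Report]) -> dict[str, int]:
    """Map each team to its points, ordered by the precedence the rules assign."""
    ordered = sorted(reports, key=lambda r: (r.precedence_time(), r.first_submitted))
    return {r.team: points_for_order(max_points, i) for i, r in enumerate(ordered, 1)}


# Constructed sample matching the rules' example: Team X triggered first, but
# its report was rejected; two other teams were accepted while X was editing.
SAMPLE = [
    Report("Team X", first_submitted=10, corrected_fields=5, final_submitted=60),
    Report("Team Y", first_submitted=20, corrected_fields=0, final_submitted=20),
    Report("Team Z", first_submitted=30, corrected_fields=2, final_submitted=45),
]

if __name__ == "__main__":
    for n in range(1, 8):
        print(f"triggering #{n}: {points_for_order(1000, n)} points")
    print(award(1000, SAMPLE))
```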
Points for discovering vulnerabilities
To earn points for vulnerabilities, you need to submit a vulnerability report or a flag—a set of characters that must be found in the analyzed information system. What exactly needs to be submitted depends on the location of the host.

The jury only accepts reports on the following types of vulnerabilities:
  • LPE (local privilege escalation to root or administrator level)
  • RCE (remote code execution)
  • SQLi (SQL injection)
  • Path Traversal (also known as directory traversal)
  • SSRF (server-side request forgery)
  • XXE (XML external entity injection)
How to earn points for vulnerabilities
The accepted vulnerability types depend on the location of the host:
  • Gate: Path Traversal, SSRF, SQLi, RCE, and LPE
  • DMZ and beyond: Path Traversal, XXE, SSRF, SQLi, RCE, and LPE
For Gate hosts, points are issued for submitting a flag:
  1. Identify the vulnerability.
  2. Submit the flag.

The way to get the flag depends on the vulnerability type:
  • Path traversal: retrieve the contents of the /etc/pt.flag file.
  • SSRF: access the internal address via port 9732 (http://127.0.0.1:9732).
  • SQLi: retrieve the contents of the "flag" cell from the "secret" table.
  • RCE: execute the /home/rceflag script.
  • LPE: execute the /home/lpeflag script.

All submitted flags are checked automatically.

For hosts in the DMZ and beyond, points are issued for a vulnerability report:
  1. Identify the vulnerability.
  2. Submit a vulnerability report.

The report should include the following:
  • Vulnerability type.
  • System where it was found.
  • Example of vulnerability exploitation.
  • Depending on the type of vulnerability detected, you also need to obtain the DBMS version, read a local file, send an arbitrary HTTP request, or display the output of the ipconfig/ifconfig, whoami, or id commands.

All vulnerability reports are reviewed manually by the jury.
Example of point calculation:
  • Path Traversal: 100
  • SSRF, XXE: 200
  • SQLi, RCE: 300
  • LPE: 500
To increase your chances of earning points, consider the following when submitting a flag or a vulnerability report:
  1. Root privileges must be obtained on the main system, not in a container. The report must provide output from /etc/shadow.
  2. Each LPE method for Windows can only be submitted once for each segment of the cyberrange. If another method is found, it can be submitted for the same segment.
  3. Identical vulnerability classes with different parameters on the same host are considered duplicates.
  4. Points for vulnerabilities on Gate nodes are issued when submitting a flag. Reports on them will be rejected.
  5. For vulnerabilities reviewed by the jury you can get up to 1,500 points per host.
  6. For an autochecked vulnerability you can get up to 500 points.
What to do if you need assistance
To get technical support, write to our Telegram bot for attackers. Technical Support specialists only reply to requests submitted this way.

Though our specialists can help you solve infrastructure-related technical problems impeding your attacks, they provide no hints about the actual viability of your attack vectors.
What not to do during the cyberbattle
When searching for vulnerabilities and triggering critical events, red teams have a number of restrictions. If a team violates the rules and does any of the forbidden actions listed below, that team may be penalized or disqualified from the battle.
1. Attack the platform.
  • Hack the Standoff 365 Platform.
  • Attack and disable information security tools in the cyberrange infrastructure.
  • Attack services located outside the infrastructure provided by the organizers.
2. Attack employees or organizers.
  • Attempt to gain access to service accounts.
  • Conduct phishing attacks on Positive Technologies employees.
  • Implement DoS and DDoS attacks on services and applications of the cyberrange infrastructure.
  • Change the staff passwords in services and applications within the cyberrange infrastructure.
3. Apply hardware tools to the 3D model.
  • Physically connect to the model.
  • Disable the hardware of the model.
4. Provide false information.
  • Falsely present a report prepared by another team or participant as your own.
  • Submit a report with knowingly false information.
5. Make changes to the platform or cyberrange.
  • Fix vulnerabilities embedded by the organizers.
  • Make changes to the Standoff 365 Platform or cyberrange.
6. Generate flags and pass them to other teams.
7. Use "king of the hill" methods.
  • Occupy or block another team's resources to prevent access to them.
  • Create conditions where other teams cannot attack or defend their assets.
  • Interfere with another team's traffic to prevent attacks or protect infrastructure without directly interacting with vulnerabilities.
  • Block other participants' attempts to exploit vulnerabilities.
If attackers manage to penetrate a SCADA system host, they should report this in the chat with the organizers. This way, if multiple teams penetrate the same host almost simultaneously, the organizers will put the participants in a queue, allocating from 1 to 1.5 hours to each team.
8. Be rude or otherwise show disrespect.
  • Be rude to the organizers and other participants.
  • Spam Technical Support.
  • Persistently argue with decisions made.
9. Be a member of a team as a Positive Technologies employee.
Positive Technologies employees must not take part in the Standoff Cyberbattle, even if invited by a team captain.
10. Create multiple accounts for the same participant (burner accounts) and use them to form teams.
  • Create new teams using burner accounts.
  • Join other teams under burner accounts.
11. Join forces with other red teams.
  • Share ways to complete tasks with other teams.
  • Conspire to collaborate with another team. Teams can collaborate only if it's explicitly allowed by the rules of a particular cyberbattle.
12. Participate as a team with more than 10 members.
Penalties for violations
First violation: a warning is issued and points are deducted. The organizers decide on the number of penalty points depending on the level of negative impact on the competition.
Second violation: disqualification of the team or participant for a certain period, during which they are unable to attack or defend.
Third violation: final disqualification of the team or participant from the competition with no possibility to return.
In case of disagreement over a penalty or disqualification, the team captain can submit an appeal once per competition day. The procedure and format of submission can be clarified in the chat with the organizers. In the appeal, the captain must prove that the team made no violations.
Key information for defenders
Preparation and connection
About a month before the cyberbattle, defender teams are given access to the infrastructure to get familiar with it.

To get access to the cyberbattle:
  1. Get your team together and create an account on the Standoff 365 Platform if you haven't already. All team members need to be registered on the platform.
  2. Submit a request to access the cyberbattle via a dedicated section that will appear on the Standoff 365 Platform closer to the event (a link to it will also be sent to team captains via email). The request must be submitted by the captain and list the Standoff 365 accounts of all team members. Once your request is approved, your team's account will be created on the platform.
  3. Set up a VPN connection. For this, open your personal account, go to the cyberbattle section, select the "Access and resources" tab, and follow the instructions.

Prior to the cyberbattle, all teams receive a VPN configuration file.

Additional options:
  1. As part of the cyberbattle prep, the organizers scan and audit the infrastructure using MaxPatrol products. This data is then saved and can be used by participants when working with MaxPatrol SIEM.
  2. Each team can request the deployment of a Kali Linux host to scan the infrastructure using their own tools or tools other than MaxPatrol products.

After familiarization, the team must provide the organizers with a list of which security tools they plan to use and where. In general, teams are limited to the following classes of security tools:
  • SIEM (MaxPatrol SIEM)
  • NTA (PT Network Attack Discovery)
  • Sandbox (PT MultiScanner, PT Sandbox)
  • WAF (PT Application Firewall Pro)
  • Industrial NTA (PT Industrial Security Incident Manager)
Defenders participating in response mode also gain access to MaxPatrol EDR (an endpoint detection and response solution).

The use of other tools must be agreed upon with the organizers.
How defenders' performance is evaluated
The primary objectives of defenders are to detect and investigate incidents caused by attackers' actions. Team performance is evaluated based on the number of detected incidents and the average time to investigate an attack.

Each defender team is assigned to a particular industry in which they are to detect and investigate attacks during the cyber exercise. Information about the team's results is published on the cyberbattle website and on the Standoff 365 Platform.

For example, here are the results of defenders during the Standoff 13 Cyberbattle.
[Figure: defender team results in the Standoff 13 Cyberbattle]
Defenders should only submit reports on successful attacks. The following kinds of reports will be dismissed: reports on phishing attacks where users didn't click any malicious links, unsuccessful brute-force attack attempts, or investigation reports regarding facilities that don't belong to the cyberrange infrastructure.

Once the report has been submitted, what happens next will depend on the report's quality and completeness.
No comments
  • Number of corrected fields: 0
  • Report: accepted without adjustments.
Minor adjustments or clarifications needed
  • Number of corrected fields: ≤ 3
  • Report: sent for revision with organizers' comments.
Significant changes needed
  • Number of corrected fields: >3
  • Report: rejected by the organizers. The team can resubmit the report after addressing all comments.
Number of detected incidents
During a cyber exercise, defenders can submit reports on detected incidents. We've compiled a guide to help defender teams understand how to fill out reports properly.

All defenders' reports are reviewed and evaluated by the organizers. If a report doesn't contain sufficient information, the organizers will not accept it and instead leave a comment. After correction, the report can be resubmitted.

The count of detected incidents doesn't include false positives, such as reports on legitimate activities by checkers and bot users or reports of non-existent incidents.
Average attack investigation time
After the organizers accept a report from the attackers on the triggering of a critical event, this information becomes available to the defenders.

The defenders' tasks are to investigate this event and submit a report. When the investigation begins, a timer appears on the portal, timing its duration.

All reports are evaluated by the jury. If a report does not contain sufficient information about the attackers' actions, the organizers will not accept it and instead leave a comment on the portal. In response to the comment, the defenders may perform an additional investigation, revise the report, and resubmit it.

Once the organizers have accepted an investigation report from the defenders, the time it took to complete the investigation is recorded. The time taken by the organizers to verify the report is not counted.

The process for calculating the average investigation time looks something like this:
  1. The jury accepts the attackers' event triggering report.
  2. Information about the triggered event appears on the portal.
  3. Defenders begin an investigation, and the investigation timer starts.
  4. Defenders submit an investigation report, and the investigation timer is paused.
  5. If the jury accepts the report, the total investigation time is recorded.
  6. If the jury rejects the report, the investigation timer is resumed. When the defenders submit their revised report, the timer is paused again, and the jury reviews it as in step 5.
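The timer process described above, as an added example that is not code from the Standoff 365 portal: investigation_time replays a chronological list of start, submit, reject and accept events for one critical event and counts only the minutes while the timer was running, and average_investigation_time averages several such investigations. The event names, minute values and sample investigations are constructed for this illustration.

```python
# Added example (not Standoff 365 portal code): replays the defender
# investigation timer. Event names, minutes and samples are constructed here.
from __future__ import annotations

# One investigation is a chronological list of (minute, event).
START, SUBMIT, REJECT, ACCEPT = "start", "submit", "reject", "accept"


def investigation_time(events: list[tuple[int, str]]) -> int:
    """Minutes the timer ran for one critical event, excluding jury review.

    The timer runs from START (defenders begin) or REJECT (jury sends the
    report back) until the next SUBMIT; the time between SUBMIT and the jury's
    verdict is not counted. Returns the recorded total at ACCEPT and raises
    ValueError for a sequence the process does not allow.
    """
    running_since: int | None = None
    total = 0
    for minute, event in events:
        if event in (START, REJECT):
            if running_since is not None:
                raise ValueError(f"timer already running at minute {minute}")
            running_since = minute
        elif event == SUBMIT:
            if running_since is None:
                raise ValueError(f"submit with timer paused at minute {minute}")
            total += minute - running_since
            running_since = None          # paused while the jury reviews
        elif event == ACCEPT:
            if running_since is not None:
                raise ValueError("accepted while the timer was running")
            return total                  # total investigation time recorded
        else:
            raise ValueError(f"unknown event {event!r}")
    raise ValueError("investigation never accepted")


def average_investigation_time(investigations: dict[str, list[tuple[int, str]]]) -> float:
    """Average recorded time over all accepted investigations, in minutes."""
    times = [investigation_time(events) for events in investigations.values()]
    return sum(times) / len(times)


# Constructed sample: the first report is rejected once and resubmitted, the
# second is accepted on the first try. Minutes are relative to day start.
SAMPLE = {
    "turbine shutdown": [(0, START), (40, SUBMIT), (55, REJECT), (70, SUBMIT), (80, ACCEPT)],
    "data leak": [(100, START), (130, SUBMIT), (140, ACCEPT)],
}

if __name__ == "__main__":
    for name, events in SAMPLE.items():
        print(f"{name}: {investigation_time(events)} min")
    print(f"average: {average_investigation_time(SAMPLE)} min")
```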
For clarity, we've compiled a table with the types of reports that defenders need to submit:
Incident
  • When the investigation can start: immediately after the incident is discovered.
  • Report type: incident report with a description of a detected action performed by attackers and affecting the availability, integrity, and confidentiality of data.
Critical event
  • When the investigation can start: only after the attacking team successfully submits a critical event triggering report.
  • Report type: critical event investigation report with a step-by-step description of the actions that led to the event's triggering.
Responding to attacks
In some cyberbattles, it's possible to participate in response mode. In this case, in addition to identifying incidents and investigating attacks, defenders can also thwart attackers' actions. To do this, they can use the following tools:
  • MaxPatrol EDR (as the main protection tool)
  • PT Application Firewall (to protect web applications using targeted blocking rules)
Defenders can:
  • Temporarily block infrastructure hosts.
  • Delete and quarantine files.
  • Block accounts.
  • Terminate processes.
  • Isolate hosts.
  • Block attackers by the IP address.
  • Redirect DNS queries.
  • Send files to PT Sandbox for checking.
  • Terminate SSH, RDP, and VPN sessions.

This list may be expanded or reduced due to organizational or technical changes.
The blocking time for attackers' assets is determined by the conditions of the cyberbattle (usually no more than 10 minutes). Such limitations are necessary so that red teams can ultimately develop their attacks and trigger critical events.

To respond to attacks, defenders need to write custom rules for PT Application Firewall. Only some of the built-in rules will be enabled. To find out more, you can contact our Technical Support for blue teams. Technical Support will also check the custom rules used by defenders and, if necessary, suggest changes or improvements (for examples of how custom rules can affect the competition, see the What not to do in response mode section below).

When participating in response mode, blue teams aim to do the following:
  1. Monitor network activity and analyze traffic and logs for signs of unauthorized access or other suspicious actions.
  2. Respond to incidents in such a way as to swiftly block attackers' actions and mitigate their impact.
  3. Reveal potential attack vectors to take timely countermeasures.

The results of the defender teams participating in response mode will feature not only general information about the detected incidents but also the number of prevented incidents.
[Figure: defender team results in response mode, showing the number of prevented incidents in addition to detected incidents]
What not to do in response mode