Three open-source CTF frameworks, three different answers to the same problem. Here's how they differ — and which one you should actually be running.
So you've decided to host your own CTF. You want full control, you don't want to pay per-seat licensing fees, and you have the technical bandwidth to manage infrastructure. The open-source route makes sense.
Now comes the decision that a lot of teams rush: which framework? CTFd, FBCTF, and rCTF are the three names you'll keep running into when you start researching, and they are genuinely different from each other in ways that matter.
This is the breakdown we wish we'd had before setting up our first event.
Why this decision matters more than people think
Picking a CTF framework feels like a technical choice. It's mostly a social and operational one.
The framework you choose shapes what kind of event you can run, how much ongoing maintenance your team will carry, how well the platform holds up under load, and how your participants experience the competition. A framework that's a poor fit for your audience creates friction at every step — from onboarding to final submission.
Three questions worth answering before you pick:
- How big is your expected participant count, and what does your peak load look like?
- Do you have developers on your team who can customize and maintain the platform, or do you need something more batteries-included?
- Is your event a one-time competition, a recurring program, or something that'll need to evolve over time?
Keep those in mind as we go through each platform.
CTFd: The incumbent
.png)
CTFd is the reference implementation for self-hosted CTF platforms. It launched in 2015, has been used at thousands of events worldwide, and remains actively maintained. When people say 'we run our CTF on open source software,' there's a decent chance they mean CTFd.
Architecture
CTFd is a Python/Flask application backed by a relational database (SQLite for development, MySQL or PostgreSQL for production). It's designed to be deployed on a single server or containerized via Docker Compose, with Redis for caching and queue management. The architecture is clean, well-documented, and familiar to most backend engineers.
Plugin ecosystem
This is CTFd's strongest differentiator. The plugin architecture is well thought out and the community has built extensions for: dynamic scoring, container-based challenges (CTFd-Whale is the most popular), Discord bot integration, custom theme support, team management workflows, and more. If you need something the core doesn't support, there's a reasonable chance a plugin already exists.
Scaling considerations
CTFd handles moderate scale well out of the box. For events under 1,000 concurrent participants, a properly configured instance on a reasonable server performs reliably. Above that, you're looking at horizontal scaling, load balancing, and database optimization — doable, but requiring real infrastructure work. Large-scale events (5,000+ participants) need significant operational investment.
CTFd in 2026
The project continues to be maintained, though the pace of core feature development has slowed compared to earlier years. The commercial CTFd Cloud offering has drawn some development attention away from edge open-source features. That said, the core platform is stable, the plugin ecosystem is mature, and for most use cases it remains the safest default choice.
Verdict: Best all-around choice for teams that want a stable, well-supported platform with a large community. The go-to unless you have specific reasons to look elsewhere.
FBCTF: The legacy option with a distinctive UX
FBCTF was built and open-sourced by Facebook's security team for their internal and public CTF events. It has a genuinely distinctive interface — challenges are presented on an interactive world map rather than a traditional category grid — and was widely used in the mid-to-late 2010s.
+(1).png)
We're going to be direct here: FBCTF has not received meaningful updates in several years. The repository has been effectively archived. It runs on older PHP and HHVM, which creates dependency management headaches in 2026, and the security surface of an unmaintained web application running a public competition is a real concern.
Where FBCTF still has appeal
The world map UI is legitimately fun for participants. If you're running a one-time event with a controlled, trusted audience (an internal company competition, a university event on an isolated network) and you want a visually distinct experience, FBCTF can still deliver that. The setup is more involved, but the payoff in participant engagement is real for the right crowd.
The honest recommendation
Don't deploy FBCTF for a public event in 2026. The maintenance situation makes it a security liability for anything externally facing. For internal, air-gapped, or tightly controlled environments where the aesthetic matters, it's still functional — but go in with eyes open about what you're taking on.
Verdict: Legacy choice with a unique interface. Only appropriate for controlled internal events. Not recommended for public-facing competitions in 2026.
rCTF: The modern challenger
.png)
rCTF was created by RedpwnCTF, a competitive CTF team, to solve problems they actually ran into using other platforms. It's written in Node.js/React, designed to be fast, and takes a more opinionated approach to features — fewer options, cleaner defaults, better performance characteristics for certain event types.
Architecture
rCTF is a Node.js backend with a React frontend, using PostgreSQL for persistence and Redis for caching. The architecture is more modern than CTFd's and the Docker deployment is straightforward. For teams comfortable with the JavaScript/Node ecosystem, the codebase is easier to navigate and customize.
What rCTF prioritizes
- Performance. rCTF was designed to handle high-concurrency events. Leaderboard updates, scoreboard queries, and submission handling are optimized in ways that CTFd requires more tuning to match.
- Clean, modern UI. The participant-facing interface is sleeker than CTFd's default theme, and the React frontend makes frontend customization more accessible to modern web developers.
- Simplicity by design. rCTF ships with fewer features than CTFd, but the features it does ship work reliably and require less configuration.
The trade-offs
The plugin ecosystem is much smaller than CTFd's. If you need container-based challenges, advanced scoring configurations, or deep custom integrations, you'll likely be building those yourself. The community is also smaller, which means less community support when things go wrong.
rCTF is also less battle-tested at extreme scale. It performs extremely well for mid-sized events but hasn't had the same volume of large-scale deployments as CTFd to prove out its upper limits.
Verdict: Strong choice for technically sophisticated teams who prioritize performance and modern architecture over plugin richness. Particularly well-suited for competitive events in the 500–3,000 participant range.
How they compare at a glance
A note on deployment in 2026
Regardless of which platform you choose, a few things apply universally in 2026 that weren't always on people's radar a few years ago:
- Container-based challenges are now standard. Both CTFd and rCTF support them, but you'll need to budget for the additional orchestration complexity (usually Kubernetes or a managed container service) and the cost of running isolated environments per-team.
- DDoS protection matters for public events. CTF events attract... enthusiastic participants. Put a CDN/DDoS layer in front of whatever you're running if it's public-facing.
- Automated challenge health monitoring saves events. Challenges break mid-competition. Having monitoring and automated restart logic in place before the event starts is worth every hour it takes to set up.
- Budget more time than you think for content, not infrastructure. Most first-time event organizers underestimate how long challenge creation, testing, and QA takes relative to platform setup. The platform is the easy part.
The bottom line
For most teams in 2026, CTFd is still the right default. The ecosystem, the documentation, the community support, and the stability record make it the lowest-risk choice for a successful event.
If you have a technically sophisticated team that cares about modern architecture and performance at scale, rCTF is worth serious consideration. It's lean, it's fast, and for competitive events where the participant experience matters, it delivers.
FBCTF is a historical artifact at this point. Respect the legacy, don't deploy it in production.
Whichever platform you choose, the platform is maybe 20% of what makes a CTF event good. The other 80% is challenge quality, fairness, and how your team shows up on the day. Start there.
