The most common reason people plateau in CTFs is not that they are not good enough. It is that they chose the wrong category at the wrong time. Jumping into binary exploitation before understanding how memory works, or attempting hard crypto challenges before grasping encoding basics, produces a specific kind of frustration that too many people mistake for a signal that cyber security is not for them.
CTF categories are not equally accessible at every skill level. They have different prior knowledge requirements, different learning curves, and different relationships to real-world security work. Choosing where to start based on your current level rather than what looks most impressive is the decision that determines whether CTFs accelerate your development or stall it.
This guide covers every major CTF category, what it actually involves, what you need to know before attempting it, and which categories make the most sense at beginner, intermediate, and advanced levels.
How CTF Competitions Are Structured
Most CTF competitions use a Jeopardy-style format. You see a board of challenges sorted by category and difficulty, each worth a certain number of points. You pick any challenge, solve it to extract a hidden flag (a text string, typically formatted as flag{something}), and submit it for points. Harder challenges are worth more. You can tackle them in any order.
The categories are consistent across most competitions, which means skills you build on one platform transfer directly to others. TryHackMe's CTF rooms, PicoCTF challenges, and competitive events like HackTheBox challenges and national CTFs all use the same core categories. Getting good at web challenges on TryHackMe makes you better at web challenges everywhere.
The Core CTF Categories
Web Exploitation
What it involves: Finding and exploiting vulnerabilities in web applications: SQL injection, cross-site scripting (XSS), insecure direct object references (IDOR), server-side template injection, local file inclusion, authentication bypass, and similar OWASP Top 10 classes. Web challenges typically present a deployed application and ask you to find a flag hidden behind a vulnerability.
What you need to know first: How HTTP requests and responses work, what the browser is doing when you interact with a web application, and the basics of how web applications handle user input. Burp Suite is the primary tool for intercepting and manipulating requests.
Skill level: Beginner to intermediate. Web is the most accessible technical category for newcomers because most people already have some intuition about how websites work. The attack techniques are learnable without deep programming knowledge, and the feedback loop is fast.
TryHackMe starting point: The OWASP Top 10 room, the Web Fundamentals module, and the Jr Penetration Tester path's web application section all cover the skills this category tests.
OSINT (Open Source Intelligence)
What it involves: Finding information about targets using publicly available sources: reverse image searches, metadata extraction, social media investigation, domain and IP research, geolocation from photos, and data correlation across platforms. OSINT challenges give you a starting point, usually an image, username, or domain, and ask you to find a flag hidden in the information trail it leads to.
What you need to know first: Very little technical knowledge. OSINT is the most accessible CTF category for absolute beginners because it primarily requires methodical research, creative thinking, and familiarity with online tools rather than programming or exploit development knowledge.
Skill level: Beginner. OSINT challenges are the fastest way to score points in a competition and build early confidence. They also develop reconnaissance skills that are directly transferable to real penetration testing work.
TryHackMe starting point: The OhSINT room, the Sakura room, and the Searchlight OSINT room are all free TryHackMe rooms that introduce the category well. WebOSINT adds domain and website investigation techniques.
Cryptography
What it involves: Breaking ciphers, cracking hashes, exploiting weaknesses in cryptographic implementations, and decoding encoded data. Beginner crypto challenges typically involve classical ciphers (Caesar, Vigenere, ROT13), base encoding (Base64, Base32, hex), and hash cracking with Hashcat or John the Ripper. Intermediate and advanced challenges involve exploiting mathematical weaknesses in RSA, elliptic curve cryptography, or custom implementations.
What you need to know first: For beginner challenges: encoding basics and familiarity with common cipher types. For intermediate: basic number theory and Python scripting. Advanced crypto requires significant mathematical background in modular arithmetic and algebraic structures.
Skill level: Beginner challenges are accessible early. The curve steepens quickly. Crypto has a wider difficulty range than most categories, making it important to start with challenges rated easy and work up gradually rather than jumping into medium difficulty.
TryHackMe starting point: The Crack the Hash room and the c4ptur3-th3-fl4g room both introduce encoding and hash cracking at beginner level.
Forensics
What it involves: Investigating digital artefacts to find hidden flags: analysing file metadata, extracting data from disk images, examining network packet captures (PCAPs), recovering deleted files, and finding steganographically hidden data in images or audio files. Forensics challenges are essentially mini-investigations where the flag is hidden in or derivable from the provided files.
What you need to know first: Familiarity with Linux command line tools (strings, file, binwalk, exiftool), basic understanding of file formats, and some exposure to Wireshark for PCAP challenges. Python scripting helps at intermediate level.
Skill level: Beginner to intermediate. Forensics is a good second category after web or OSINT because it builds investigation methodology and familiarity with a wide range of tools without requiring programming depth.
TryHackMe starting point: The TryHackMe forensics rooms and the CC: Steganography room cover the beginner end of this category well.
Reverse Engineering
What it involves: Analysing compiled binaries to understand what they do without access to the source code. RE challenges typically ask you to reverse engineer a program to find a hidden password, bypass a check, or understand a custom algorithm. Tools include Ghidra, IDA Pro, and Radare2 for static analysis, and GDB for dynamic analysis.
What you need to know first: Understanding of how compiled programs work at a basic level, familiarity with assembly language concepts (registers, stack, function calls), and comfort reading C or C-adjacent code. This is a significant barrier that requires deliberate preparation before CTF challenges feel productive.
Skill level: Intermediate. Reverse engineering is not a beginner category. Attempting RE challenges without assembly language fundamentals produces almost no productive learning. Building those fundamentals first through structured content, then approaching easy RE challenges, is the right sequence.
TryHackMe starting point: The Malware Analysis introduction rooms and the Assembly and RE fundamentals content within the Jr Penetration Tester path build the prerequisite knowledge before RE CTF challenges become tractable.
Binary Exploitation (Pwn)
What it involves: Exploiting memory corruption vulnerabilities in compiled programs to gain control of execution. Stack buffer overflows, heap exploitation, format string vulnerabilities, and return-oriented programming (ROP) chains are the techniques this category covers. Successfully exploiting a pwn challenge typically gives you a shell on a remote server.
What you need to know first: Solid reverse engineering skills, deep understanding of C, assembly language, how the stack and heap work at a low level, and familiarity with exploit mitigation techniques like ASLR, NX, and stack canaries. Pwn is the technically deepest CTF category and the one with the steepest prerequisite stack.
Skill level: Advanced. Binary exploitation is where experienced CTF players go to develop the skills closest to real-world vulnerability research. Attempting it without the prerequisites is the most common source of the plateau described at the start of this guide.
TryHackMe starting point: The Buffer Overflow Prep room and the introductory buffer overflow content in the Jr Penetration Tester path are the right entry points, providing the foundation before moving to competitive pwn challenges.
Category Selection by Skill Level
| Category | Skill level | Key tools | Real-world relevance | Start here on TryHackMe |
|---|---|---|---|---|
| OSINT | Beginner | Google, Reverse image search, WHOIS, Shodan, ExifTool | Reconnaissance phase of penetration testing; threat intelligence | OhSINT |
| Web Exploitation | Beginner to Intermediate | Burp Suite, browser dev tools, SQLmap, Gobuster | Web application penetration testing; bug bounty | Jr Penetration Tester path |
| Cryptography | Beginner (easy only) to Advanced | CyberChef, Hashcat, John the Ripper, Python | Password cracking; secure comms; cryptographic review | Crack the Hash |
| Forensics | Beginner to Intermediate | Wireshark, Autopsy, Binwalk, ExifTool, Volatility | DFIR; SOC investigation; incident response | SOC Level 1 path |
| Reverse Engineering | Intermediate | Ghidra, IDA Free, GDB, Radare2 | Malware analysis; vulnerability research; binary auditing | Jr Penetration Tester path |
| Binary Exploitation (Pwn) | Advanced | GDB with pwndbg, pwntools, ROPgadget | Vulnerability research; exploit development; red teaming | Buffer Overflow Prep |
Green rows: suitable for beginners. Yellow: intermediate prerequisites needed. Red: advanced skill level required.
How to Progress Through Categories
The recommended progression for someone starting from scratch is not to pick one category and go deep immediately. It is to build breadth first across the accessible categories, then specialise.
Start with OSINT and Web Exploitation simultaneously. OSINT gives you early wins and builds reconnaissance methodology. Web gives you the most directly transferable technical skills and the widest range of challenge availability across competitions. Aim to complete at least twenty challenges across these two categories before moving on.
Add Cryptography and Forensics once you are comfortable with the first two. Beginner crypto sharpens your analytical thinking and introduces tools like CyberChef and Hashcat that appear across other categories. Forensics builds investigation methodology and introduces Wireshark and file analysis tools that are equally useful in real SOC work.
Move to Reverse Engineering after you have solid foundations in the above areas. Start with crackme challenges, which are stripped-down programs that ask you to find a password or bypass a check, before moving to full CTF RE challenges. The gap between "I understand the concept" and "I can solve a challenge" is larger in RE than in any other category, and it closes through repetition rather than study.
Approach binary exploitation only after you are genuinely comfortable with RE. The prerequisite chain for pwn is the longest of any category: C programming, assembly, RE skills, memory management, and exploit mitigation bypass techniques all need to be in place before challenges feel productive.
CTFs and Structured Learning: How They Work Together
CTFs are not a replacement for structured learning. They are a testing environment for skills that structured learning builds.
Someone who attempts CTFs before having foundational skills in place learns mainly frustration. Someone who completes structured learning paths and then uses CTFs to test and extend those skills in unguided, competitive scenarios develops significantly faster than either approach alone.
TryHackMe's structured paths build the knowledge. The CTF rooms on the platform, from the beginner-friendly OhSINT and Crack the Hash through to medium and hard CTF rooms, provide the testing environment. The Jr Penetration Tester path in particular covers the web, network, and Active Directory skills that directly underpin the Web Exploitation and forensics categories, and the Cyber Security 101 path builds the foundational layer that makes every category more accessible.
The combination of structured paths for skill building and CTF rooms for applying those skills under challenge conditions is how competitive players at every level develop most efficiently.
Nick O'Grady