
How to Use CTF Challenges to Build a Cybersecurity Portfolio

Most people who complete CTF challenges treat completion as the end point. They finish a room, collect the flag, move on to the next one, and wonder six months later why their CV does not feel any stronger despite all the work they have put in.

The problem is not the CTF work. It is the absence of anything to show for it. A TryHackMe profile with hundreds of rooms completed is evidence of effort. A folder of documented writeups that describe what you found, how you found it, and what it means is evidence of ability. Hiring managers care about the second thing.

This guide covers how to turn CTF work into genuine portfolio evidence: what to document, how to structure it, where to publish it, and which types of CTF achievement signal most strongly to the roles you are targeting.


What Hiring Managers Actually See

When a technical hiring manager looks at a candidate's CTF portfolio, they are not primarily evaluating score or rank. They are asking three questions: can this person think methodically under uncertainty, can they communicate technical findings clearly, and does the work they have done relate to what this role actually requires?

Many people trying to break into cybersecurity ask the wrong portfolio question. None of the individual elements (certifications, a blog, a GitHub profile, a few CTF wins, or a home lab) is sufficient on its own. A useful portfolio proves that you can do bounded technical work that resembles a real job.

A CTF writeup that says "I used Gobuster to enumerate directories, found /admin, and logged in with default credentials to get the flag" is not a portfolio piece. It is a summary. A writeup that explains what enumeration revealed, why the /admin directory was significant, what the default credential vulnerability indicates about the application's security posture, and what a developer would need to do to remediate it answers all three of the hiring manager's questions.

The difference is not length. It is the presence of methodology and analysis rather than just steps.


The Writeup Framework

Every CTF writeup worth including in a portfolio follows a consistent structure. This is not about template rigidity. It is about ensuring that every piece of evidence in your portfolio demonstrates the same professional standard.

Context and scope. What was the challenge? What category was it? What was the difficulty rating? What platform was it on? This gives the reader the frame they need to evaluate everything that follows.

Initial reconnaissance. What did you find first, and how did you find it? Which tools did you use and why? This section demonstrates your enumeration methodology. A good tester does not just run Nmap. They choose specific flags for a reason, interpret the output, and decide what to investigate next based on what they see.

Vulnerability identification. What was the actual vulnerability? Name it precisely. If it is a SQL injection, what type? If it is a misconfiguration, what should have been configured differently? Precision here signals that you understand the class of vulnerability, not just the specific instance.

Exploitation. How did you exploit it? Include the relevant commands, payloads, or steps in enough detail that a technically literate reader could reproduce them. Include screenshots of significant moments: the tool output that confirmed a vulnerability, the shell you received, the flag location.

Impact and remediation. What could an attacker do with this access? What would a developer or administrator need to do to fix it? This section is what most CTF writeups omit entirely and what most hiring managers remember. It demonstrates that you are thinking like a security professional, not just a puzzle solver.

What you learned. One or two sentences on what this challenge taught you or reinforced. This is particularly valuable for challenges that required you to learn a new technique or tool.


Where to Publish Your Portfolio

The writeup is only half of the equation. Where you publish it determines whether it reaches the people who matter.

GitHub is the primary home for technical portfolio work. A well-organised repository with a clear README, a writeups folder organised by platform and category, and consistent formatting signals that you treat your work professionally. Hiring managers for technical roles routinely check GitHub profiles before interviews. A repository that shows consistent activity over several months communicates more than a collection of certifications.

A personal blog gives you a public URL that can be linked from a CV and LinkedIn. Static site generators including Jekyll and Hugo are free, deploy easily to GitHub Pages, and produce clean, readable output without requiring web development skills. The advantage of a blog over a GitHub repository is that it is accessible to non-technical hiring managers and recruiters who might be uncomfortable navigating a code repository.

Your TryHackMe public profile is the third layer. It is not a substitute for documented writeups, but it provides instant verification that the work happened. A hiring manager who visits your TryHackMe profile and sees a consistent record of room completions over six months, aligned with the paths relevant to the role they are hiring for, has immediate context for every writeup you share with them. The profile also tracks your rank, rooms completed, and badges, giving your portfolio a quantified dimension that written evidence alone does not provide.

LinkedIn is where you make the work visible to the people doing the hiring. A short LinkedIn post summarising a completed challenge or a key learning from a TryHackMe path, with a link to the full writeup, puts your portfolio in front of your professional network without requiring anyone to seek it out. Consistency matters more than volume: one post per week showing active, documented progress builds the kind of presence that gets you contacted rather than ignored.


Which CTF Work Signals Most Strongly to Each Role

Not all CTF achievements are equally relevant to every role. Matching your portfolio emphasis to the role you are targeting is the decision that makes your evidence specific rather than generic.

SOC analyst roles value forensics and OSINT challenge writeups most directly. Investigation methodology, log analysis, and the ability to reconstruct what happened from available evidence are the skills these roles test at interview. Blue team CTF platforms and TryHackMe's forensics and SIEM-focused rooms produce the most relevant portfolio material. DFIR writeups that walk through a full investigation chain, from initial alert through root cause identification, are particularly compelling.

Penetration testing roles value web exploitation and network penetration challenge writeups. The methodology section matters most here: a hiring manager for a penetration testing role wants to see that you enumerate systematically, test thoroughly, and document findings in the format that a professional report requires. Build a portfolio of detailed writeups from labs and CTFs, focusing on how you found, exploited, and remediated vulnerabilities rather than just "I got root." Walkthroughs that end with a root shell and no analysis of impact or remediation are not professional evidence.

DFIR roles value forensics and reverse engineering challenge writeups. Malware analysis writeups that walk through a suspicious binary, identifying its capabilities, its network indicators, and its persistence mechanism, are exactly the kind of evidence that DFIR hiring managers find meaningful. Memory forensics challenges that demonstrate Volatility proficiency are similarly valued.


Common Mistakes That Waste the Portfolio Value of CTF Work

Waiting until you are "good enough" to publish. Writeups published at beginner level that document genuine learning, including what you tried that did not work and why, are more honest and often more compelling than polished walkthroughs of challenges you found easy. The willingness to document your process at every level signals the kind of reflective practice that produces good analysts.

Copying walkthroughs without understanding. A writeup based on a walkthrough you followed without fully understanding is immediately obvious to a technical reader. The explanation of why each step was taken is the part that cannot be faked, and it is the part that matters most.

Publishing writeups for live challenges. Active CTF challenges should not have public writeups. Publishing solutions to challenges that are still running is a community norm violation that reflects poorly on your professional judgment. Always wait until a challenge is retired or the competition has closed before publishing.

Not linking your portfolio from your CV. A portfolio that exists but is not surfaced on your CV and LinkedIn profile does not help you. Every application you send should include a direct link to your GitHub or blog, and your LinkedIn profile should have it prominently in the featured section.


Build the Skills, Then Document Them

TryHackMe's Jr Penetration Tester path and SOC Level 1 path both provide structured learning that maps directly to portfolio-relevant CTF content. Every room you complete is a potential writeup. Every path you finish is a body of evidence that demonstrates role-aligned skill development over time.

The public TryHackMe profile, combined with documented writeups published on GitHub or a personal blog and linked consistently from your LinkedIn and CV, is the portfolio structure that answers every question a hiring manager is trying to resolve before they decide whether to bring you in.

Author: Nick O'Grady
Apr 24, 2026
