* [Blog](https://www2.paloaltonetworks.com/blog)
* [Security Operations](https://www2.paloaltonetworks.com/blog/security-operations/)
* [Playbook of the Week](https://www2.paloaltonetworks.com/blog/security-operations/category/playbook-of-the-week/)
* Introducing New XSOAR Cap...

# Introducing New XSOAR Capture the Flags!

[](https://www.facebook.com/sharer/sharer.php?u=https%3A%2F%2Fwww2.paloaltonetworks.com%2Fblog%2Fsecurity-operations%2Fintroducing-new-xsoar-capture-the-flags%2F)  
[](https://twitter.com/share?text=Introducing+New+XSOAR+Capture+the+Flags%21&url=https%3A%2F%2Fwww2.paloaltonetworks.com%2Fblog%2Fsecurity-operations%2Fintroducing-new-xsoar-capture-the-flags%2F)  
[](https://www.linkedin.com/shareArticle?mini=true&url=https%3A%2F%2Fwww2.paloaltonetworks.com%2Fblog%2Fsecurity-operations%2Fintroducing-new-xsoar-capture-the-flags%2F&title=Introducing+New+XSOAR+Capture+the+Flags%21&summary=&source=)  
[](https://www.paloaltonetworks.com//www.reddit.com/submit?url=https://www2.paloaltonetworks.com/blog/security-operations/introducing-new-xsoar-capture-the-flags/&ts=markdown)  
\[\](mailto:?subject=Introducing New XSOAR Capture the Flags!)  
Link copied  
By [Sasha Sokolovich](https://www.paloaltonetworks.com/blog/author/sasha-sokolovich/?ts=markdown "Posts by Sasha Sokolovich")  
Dec 14, 2023  
5 minutes  
[Playbook of the Week](https://www.paloaltonetworks.com/blog/security-operations/category/playbook-of-the-week/?ts=markdown)  
[Cortex XSOAR](https://www.paloaltonetworks.com/blog/tag/cortex-xsoar/?ts=markdown)  
[playbook of the week](https://www.paloaltonetworks.com/blog/tag/playbook-of-the-week/?ts=markdown)  
[Security Orchestration Automation and Response](https://www.paloaltonetworks.com/blog/tag/security-orchestration-automation-and-response/?ts=markdown)  
[SOAR](https://www.paloaltonetworks.com/blog/tag/soar-2/?ts=markdown)  
[XSOAR playbook](https://www.paloaltonetworks.com/blog/tag/xsoar-playbook/?ts=markdown)

### Introduction

Does the game of capture the flag bring back childhood memories?

Well, we have infused the fun element of the game into our capture the flag (CTF) content packs which take you on an interactive "treasure hunt" in Cortex XSOAR.

### How Are Capture the Flags Used in Cybersecurity?

CTF challenges are cybersecurity competitions where participants tackle hands-on tasks, solving security-related puzzles and navigating through simulated scenarios to capture "flags." These flags represent sensitive information, and these exercises allow participants to showcase their prowess in areas like penetration testing, cryptography, and incident response.

CTFs can bridge the gap between theory and practice. Participants not only learn about cybersecurity concepts but also apply that knowledge to solve intricate problems. This approach cultivates problem-solving skills, critical thinking, and adaptability -- crucial attributes in the ever-evolving field of cybersecurity.

### Introducing the XSOAR CTF Playbooks

In this case, participants explore Cortex XSOAR as security analysts investigate and respond to an incident.

Since XSOAR delivers SecOps automation through its playbooks, which are automated sequences orchestrating security processes, we built these CTFs using playbooks. As participants navigate through the CTFs and tasks that mirror the complexity of real-world incident investigations, they will understand the underlying structure and components associated with building automated workflows. The modular and extensible nature of XSOAR playbooks empowers users to tailor challenges to specific learning objectives.

### Preparing for the XSOAR CTF Challenge

Each CTF content pack comes with a playbook guiding you through setting up the CTF for your participants. This playbook ensures that your environment has all the requirements enabled to run your CTF.

Our CTF contains two different challenges:

* **The first CTF challenge walks participants through XSOAR 8, SaaS version**  
  For many customers, XSOAR 8, released in Jan 2023, is built on a new unified Cortex architecture and is a fully cloud-native SOAR solution. The CTF tasks guide the user through the system, introducing them to the key features of XSOAR.
* **The second CTF challenge allows participants to wear an analyst's hat and investigate an incident using XSOAR** Our mission with this CTF is to acquaint analysts with using XSOAR to respond to incidents, including identifying the type of malicious indicator detected in the incident, related indicators associated with the same campaign, severity of the attack, etc.

![Fig 1: One of the gifs in the CTFs](https://www.paloaltonetworks.com/blog/wp-content/uploads/2023/12/word-image-310562-1.gif)
Fig 1: One of the gifs in the CTFs

### Using the CTF Content Packs

First, you need to download the [Capture The Flag 01](https://cortex.marketplace.pan.dev/marketplace/details/ctf01/) pack. In this pack, you will find the following playbook that will assist you in preparing your environment and setting up. The playbook name is - "Prepare your CTF"
![A screenshot of a computer Description automatically generated. Fig 2: Prepare your CTF playbook](https://www.paloaltonetworks.com/blog/wp-content/uploads/2023/12/a-screenshot-of-a-computer-description-automatica.png)
Fig 2: Prepare your CTF playbook

You may run it as an incident or directly from the Playbook debugger section
![Fig 3: Running the Prepare your CTF playbook](https://www.paloaltonetworks.com/blog/wp-content/uploads/2023/12/a-screenshot-of-a-computer-description-automatica-1.png)
Fig 3: Running the Prepare your CTF playbook

The playbook will guide you through the setup tasks, including integrations and other settings required. In the example shown below, two missing integrations need to be enabled. You need to navigate to your integration tab in XSOAR to configure the integrations.
![Fig 4: Missing integrations](https://www.paloaltonetworks.com/blog/wp-content/uploads/2023/12/a-screenshot-of-a-computer-flowchart-description.png)
Fig 4: Missing integrations

The end goal is to run this playbook without any stops or errors until you reach the final task which informs you that you are set.
![Fig 5: Successful playbook run](https://www.paloaltonetworks.com/blog/wp-content/uploads/2023/12/a-screenshot-of-a-computer-screen-description-aut.png)
Fig 5: Successful playbook run

### Starting the CTF

To start interacting with the CTF, run the first CTF playbook by creating a new incident with the following playbooks - "CTF 1 - Get to know XSOAR 8".

As a part of the game, participants will be required to search for clues (or flags) throughout XSOAR (such as in integration settings, reports, or playbooks). They will answer a series of questions related to their quest and the playbooks will prompt them with the correct answers.
![Fig 6: Sample task in CTF with prompts](https://www.paloaltonetworks.com/blog/wp-content/uploads/2023/12/word-image-310562-6.gif)
Fig 6: Sample task in CTF with prompts

If a participant gets stuck on a specific task, they can use the hint option to get a quick hint about the flag. If their answer is incorrect, they can re-run the task and check their answer as many times as they like - although this being a competition, there is a timer to determine who is the fastest at retrieving all the clues or flags.

### Scoring Progress

The pack allows you to run this game for multiple users on the same tenant while providing a dashboard where you can see their progress.
![Fig 7: Scoreboard using XSOAR’s incident dashboard](https://www.paloaltonetworks.com/blog/wp-content/uploads/2023/12/a-screenshot-of-a-computer-description-automatica-2.png)
Fig 7: Scoreboard using XSOAR's incident dashboard

Using this dashboard, you can track who finished the CTF and sort it by completion time (to determine the winner of the game). Note: An SLA timer starts when an incident is triggered.

**To learn more about how you can automate security operations with Cortex XSOAR, check out our virtual self-guided [XSOAR Product Tour](https://www.paloaltonetworks.com/resources/infographics/xsoar-product-tour)**

**We also host virtual and in-person events, so check [here](https://www.paloaltonetworks.com/resources/cortex-events) for upcoming ones.**

*** ** * ** ***

## Related Blogs

### [Playbook of the Week](https://www.paloaltonetworks.com/blog/security-operations/category/playbook-of-the-week/?ts=markdown)

[#### An Automated Response to Malicious Pod Activity](https://www2.paloaltonetworks.com/blog/security-operations/an-automated-response-to-malicious-pod-activity/)

### [Playbook of the Week](https://www.paloaltonetworks.com/blog/security-operations/category/playbook-of-the-week/?ts=markdown)

[#### Rapid Response for Fighting Ursa Phishing Campaign](https://www2.paloaltonetworks.com/blog/security-operations/rapid-response-for-fighting-ursa-phishing-campaign/)

### [Playbook of the Week](https://www.paloaltonetworks.com/blog/security-operations/category/playbook-of-the-week/?ts=markdown), [Uncategorized](https://www.paloaltonetworks.com/blog/category/uncategorized/?ts=markdown)

[#### Playbook of the Week: Automating Response to Living-Off-the-Land (LOTL) Attacks](https://www2.paloaltonetworks.com/blog/security-operations/playbook-of-the-week-automating-response-to-living-off-the-land-lotl-attacks/)

### [Playbook of the Week](https://www.paloaltonetworks.com/blog/security-operations/category/playbook-of-the-week/?ts=markdown)

[#### Playbook of the Week: Prisma Cloud Compute - Compliance Alert v2](https://www2.paloaltonetworks.com/blog/security-operations/playbook-of-the-week-prisma-cloud-compute-compliance-alert-v2/)

### [Playbook of the Week](https://www.paloaltonetworks.com/blog/security-operations/category/playbook-of-the-week/?ts=markdown)

[#### Playbook of the Week: Streamlining Suspicious Data Upload Alert Investigations](https://www2.paloaltonetworks.com/blog/security-operations/playbook-of-the-week-streamlining-suspicious-data-upload-alert-investigations/)

### [Playbook of the Week](https://www.paloaltonetworks.com/blog/security-operations/category/playbook-of-the-week/?ts=markdown), [Uncategorized](https://www.paloaltonetworks.com/blog/category/uncategorized/?ts=markdown)

[#### Playbook of the Week: Automating Management of XDR Identity Analytics Alerts](https://www2.paloaltonetworks.com/blog/security-operations/playbook-of-the-week-automating-management-of-xdr-identity-analytics-alerts/)

### Subscribe to Security Operations Blogs!

Sign up to receive must-read articles, Playbooks of the Week, new feature announcements, and more.
![spinner](https://www2.paloaltonetworks.com/blog/wp-content/themes/panwblog2023/dist/images/ajax-loader.gif) Sign up  
Please enter a valid email.  
By submitting this form, you agree to our [Terms of Use](https://www.paloaltonetworks.com/legal-notices/terms-of-use?ts=markdown) and acknowledge our [Privacy Statement](https://www.paloaltonetworks.com/legal-notices/privacy?ts=markdown). Please look for a confirmation email from us. If you don't receive it in the next 10 minutes, please check your spam folder.  
This site is protected by reCAPTCHA and the Google [Privacy Policy](https://policies.google.com/privacy) and [Terms of Service](https://policies.google.com/terms) apply.  
{#footer} {#footer}

## Products and Services

* [AI-Powered Network Security Platform](https://www.paloaltonetworks.com/network-security?ts=markdown)

* [Secure AI by Design](https://www.paloaltonetworks.com/precision-ai-security/secure-ai-by-design?ts=markdown)

* [Prisma AIRS](https://www.paloaltonetworks.com/prisma/prisma-ai-runtime-security?ts=markdown)

* [AI Access Security](https://www.paloaltonetworks.com/sase/ai-access-security?ts=markdown)

* [Cloud Delivered Security Services](https://www.paloaltonetworks.com/network-security/security-subscriptions?ts=markdown)

* [Advanced Threat Prevention](https://www.paloaltonetworks.com/network-security/advanced-threat-prevention?ts=markdown)

* [Advanced URL Filtering](https://www.paloaltonetworks.com/network-security/advanced-url-filtering?ts=markdown)

* [Advanced WildFire](https://www.paloaltonetworks.com/network-security/advanced-wildfire?ts=markdown)

* [Advanced DNS Security](https://www.paloaltonetworks.com/network-security/advanced-dns-security?ts=markdown)

* [Enterprise Data Loss Prevention](https://www.paloaltonetworks.com/sase/enterprise-data-loss-prevention?ts=markdown)

* [Enterprise IoT Security](https://www.paloaltonetworks.com/network-security/enterprise-device-security?ts=markdown)

* [Medical IoT Security](https://www.paloaltonetworks.com/network-security/medical-device-security?ts=markdown)

* [Industrial OT Security](https://www.paloaltonetworks.com/network-security/medical-device-security?ts=markdown)

* [SaaS Security](https://www.paloaltonetworks.com/sase/saas-security?ts=markdown)

* [Next-Generation Firewalls](https://www.paloaltonetworks.com/network-security/next-generation-firewall?ts=markdown)

* [Hardware Firewalls](https://www.paloaltonetworks.com/network-security/hardware-firewall-innovations?ts=markdown)

* [Software Firewalls](https://www.paloaltonetworks.com/network-security/software-firewalls?ts=markdown)

* [Strata Cloud Manager](https://www.paloaltonetworks.com/network-security/strata-cloud-manager?ts=markdown)

* [SD-WAN for NGFW](https://www.paloaltonetworks.com/network-security/sd-wan-subscription?ts=markdown)

* [PAN-OS](https://www.paloaltonetworks.com/network-security/pan-os?ts=markdown)

* [Panorama](https://www.paloaltonetworks.com/network-security/panorama?ts=markdown)

* [Secure Access Service Edge](https://www.paloaltonetworks.com/sase?ts=markdown)

* [Prisma SASE](https://www.paloaltonetworks.com/sase?ts=markdown)

* [Application Acceleration](https://www.paloaltonetworks.com/sase/app-acceleration?ts=markdown)

* [Autonomous Digital Experience Management](https://www.paloaltonetworks.com/sase/adem?ts=markdown)

* [Enterprise DLP](https://www.paloaltonetworks.com/sase/enterprise-data-loss-prevention?ts=markdown)

* [Prisma Access](https://www.paloaltonetworks.com/sase/access?ts=markdown)

* [Prisma Browser](https://www.paloaltonetworks.com/sase/prisma-browser?ts=markdown)

* [Prisma SD-WAN](https://www.paloaltonetworks.com/sase/sd-wan?ts=markdown)

* [Remote Browser Isolation](https://www.paloaltonetworks.com/sase/remote-browser-isolation?ts=markdown)

* [SaaS Security](https://www.paloaltonetworks.com/sase/saas-security?ts=markdown)

* [AI-Driven Security Operations Platform](https://www.paloaltonetworks.com/cortex?ts=markdown)

* [Cloud Security](https://www.paloaltonetworks.com/cortex/cloud?ts=markdown)

* [Cortex Cloud](https://www.paloaltonetworks.com/cortex/cloud?ts=markdown)

* [Application Security](https://www.paloaltonetworks.com/cortex/cloud/application-security?ts=markdown)

* [Cloud Posture Security](https://www.paloaltonetworks.com/cortex/cloud/cloud-posture-security?ts=markdown)

* [Cloud Runtime Security](https://www.paloaltonetworks.com/cortex/cloud/runtime-security?ts=markdown)

* [Prisma Cloud](https://www.paloaltonetworks.com/prisma/cloud?ts=markdown)

* [AI-Driven SOC](https://www.paloaltonetworks.com/cortex?ts=markdown)

* [Cortex XSIAM](https://www.paloaltonetworks.com/cortex/cortex-xsiam?ts=markdown)

* [Cortex XDR](https://www.paloaltonetworks.com/cortex/cortex-xdr?ts=markdown)

* [Cortex XSOAR](https://www.paloaltonetworks.com/cortex/cortex-xsoar?ts=markdown)

* [Cortex Xpanse](https://www.paloaltonetworks.com/cortex/cortex-xpanse?ts=markdown)

* [Unit 42 Managed Detection \& Response](https://www.paloaltonetworks.com/cortex/managed-detection-and-response?ts=markdown)

* [Managed XSIAM](https://www.paloaltonetworks.com/cortex/managed-xsiam?ts=markdown)

* [Threat Intel and Incident Response Services](https://www.paloaltonetworks.com/unit42?ts=markdown)

* [Proactive Assessments](https://www.paloaltonetworks.com/unit42/assess?ts=markdown)

* [Incident Response](https://www.paloaltonetworks.com/unit42/respond?ts=markdown)

* [Transform Your Security Strategy](https://www.paloaltonetworks.com/unit42/transform?ts=markdown)

* [Discover Threat Intelligence](https://www.paloaltonetworks.com/unit42/threat-intelligence-partners?ts=markdown)

## Company

* [About Us](https://www.paloaltonetworks.com/about-us?ts=markdown)
* [Careers](https://jobs.paloaltonetworks.com/en/)
* [Contact Us](https://www.paloaltonetworks.com/company/contact-sales?ts=markdown)
* [Corporate Responsibility](https://www.paloaltonetworks.com/about-us/corporate-responsibility?ts=markdown)
* [Customers](https://www.paloaltonetworks.com/customers?ts=markdown)
* [Investor Relations](https://investors.paloaltonetworks.com/)
* [Location](https://www.paloaltonetworks.com/about-us/locations?ts=markdown)
* [Newsroom](https://www.paloaltonetworks.com/company/newsroom?ts=markdown)

## Popular Links

* [Blog](https://www.paloaltonetworks.com/blog/?ts=markdown)
* [Communities](https://www.paloaltonetworks.com/communities?ts=markdown)
* [Content Library](https://www.paloaltonetworks.com/resources?ts=markdown)
* [Cyberpedia](https://www.paloaltonetworks.com/cyberpedia?ts=markdown)
* [Event Center](https://events.paloaltonetworks.com/)
* [Manage Email Preferences](https://start.paloaltonetworks.com/preference-center)
* [Products A-Z](https://www.paloaltonetworks.com/products/products-a-z?ts=markdown)
* [Product Certifications](https://www.paloaltonetworks.com/legal-notices/trust-center/compliance?ts=markdown)
* [Report a Vulnerability](https://www.paloaltonetworks.com/security-disclosure?ts=markdown)
* [Sitemap](https://www.paloaltonetworks.com/sitemap?ts=markdown)
* [Tech Docs](https://docs.paloaltonetworks.com/)
* [Unit 42](https://unit42.paloaltonetworks.com/)
* [Do Not Sell or Share My Personal Information](https://panwedd.exterro.net/portal/dsar.htm?target=panwedd)
  ![PAN logo](https://www.paloaltonetworks.com/etc/clientlibs/clean/imgs/pan-logo-dark.svg)
* [Privacy](https://www.paloaltonetworks.com/legal-notices/privacy?ts=markdown)
* [Trust Center](https://www.paloaltonetworks.com/legal-notices/trust-center?ts=markdown)
* [Terms of Use](https://www.paloaltonetworks.com/legal-notices/terms-of-use?ts=markdown)
* [Documents](https://www.paloaltonetworks.com/legal?ts=markdown)

Copyright © 2026 Palo Alto Networks. All Rights Reserved

* [![Youtube](https://www.paloaltonetworks.com/etc/clientlibs/clean/imgs/social/youtube-black.svg)](https://www.youtube.com/user/paloaltonetworks)
* [![Podcast](https://www.paloaltonetworks.com/content/dam/pan/en_US/images/icons/podcast.svg)](https://www.paloaltonetworks.com/podcasts/threat-vector?ts=markdown)
* [![Facebook](https://www.paloaltonetworks.com/etc/clientlibs/clean/imgs/social/facebook-black.svg)](https://www.facebook.com/PaloAltoNetworks/)
* [![LinkedIn](https://www.paloaltonetworks.com/etc/clientlibs/clean/imgs/social/linkedin-black.svg)](https://www.linkedin.com/company/palo-alto-networks)
* [![Twitter](https://www.paloaltonetworks.com/etc/clientlibs/clean/imgs/social/twitter-x-black.svg)](https://twitter.com/PaloAltoNtwks)
* EN  
  Select your language