The Standoff Rules

The Standoff

Last year, we offered participants at PHDays a new competition format: an attackers vs. defenders cyberbattle. This time we've taken the idea further still. The flagship competition at PHDays VII is The Standoff, while all the goings-on at the PHDays venue are united under the theme of "The Standoff: Enemy Inside."

Events will unfold in a (virtual) city that is recognizable from last year, but now much larger and more populated. Like in the real world, the Internet of Things has caught on in a big way in the city, and life revolves around technology, the Internet, and gadgets. Smartphones, used to manage all aspects of daily life, have effectively replaced wallets, keys, and identity papers. Even matchbooks are connected to the web and ice cream posts its temperature on Twitter. So in addition to a telecom operator, combined heat and power plant (CHPP), and office complex, hackers may target the city's flood of IoT devices of all shapes and sizes—or attack traffic lights and savor the chaotic results. After last year's drubbing at the hands of the Standoff defenders, attackers are sure to be merciless. Meanwhile, city residents and employees have become more trusting and complacent after the defenders' victory...

Overall rules

The Standoff will take place non-stop during Positive Hack Days, starting right after the forum opens and lasting until the end of the forum.

Teams participate in one of three roles:

  • Attackers
  • Defenders
  • Security operations centers (SOC)

Each team can play for one side only. A single company may not put up teams for opposing sides (for example, one team for attackers and another team for defenders or SOC). Teams consist of five or more people.

Teams can work locally (at the venue), remotely, or mixed (some team members at the venue and others remotely).

Preparation. One month before The Standoff, the organizers will hold a briefing for each side. The organizers will explain the game structure and rules, preparations and details of the game infrastructure, victory conditions, and awards. Defender and SOC teams will be given time for auditing infrastructures (1 week) and installing protection tools (3 weeks).

During The Standoff. The organizers will assign a space to the teams for team members and necessary equipment. Proper beds will not be present at the venue, so teams will need to organize any sleeping arrangements themselves. Food will be available both day and night.

At the start of the competition, each team will receive access to the game infrastructure. The connection will be made via a dedicated computer (if the team is at the PHDays venue) or via VPN (if the team is participating remotely).

On the in-game forum, the teams will be able to exchange information with each other and with the organizers. The forum will contain:

  • Basic information on the game infrastructure
  • List of targets
  • News from the organizers
  • Black Market of vulnerabilities and exploits
  • Threat Intelligence portal

The HelpDesk will be available before and during the game in case of technical issues. Requests will be handled by email from within the Standoff domain.

Game rules

The teams can do absolutely anything that is not forbidden by the rules. Teams may not:

  • Interfere with the functioning of The Standoff.
  • Attack the infrastructure of the game venue.
  • Attack the jury's computers.
  • Generate unreasonably large amounts of traffic (flood).
  • In addition to the foregoing, defenders may not block access based on IP addresses.

The game will be continuously monitored by the jury. If the rules are violated, the guilty team may be disqualified and be excluded from scoring. Important: the jury may clarify the rules at any time prior to the game start, as well as change the state of game infrastructure during the game.


Attackers may do anything they want, so long as they do not impair the logic or functioning of the game venue. There are no tasks or flags. Participants themselves decide what they want to "get" from the city. The job of the attackers is simple: to accomplish their objectives by any means available.

All objectives specify "what"—hacking ICS components, for example—not "how," and therefore can be accomplished in very different ways. Most of the objectives will be known to the hackers, but the game also has hidden objectives that are triggered by certain actions or events. Some objectives can be accomplished only on a particular timeframe and/or only by one team. Information about team progress in completing objectives will be available throughout the game, in the team profile on the Standoff website, as well as in the overall ranking of the teams.

Attackers may use any tools they like, so long as they do not break the core Standoff rules. At the start, all teams are provided with basic information about the attackable targets; this information will be available on the Standoff forum. All other information must be found by the teams themselves. Attackers are free to arrange information trades on the black market.

In the course of The Standoff, participants may give a presentation on the results of their work, voluntarily, unless stipulated otherwise.

The rules for determining winners in various categories will be distributed right before the start of competition. The overall winner is the team with the highest score. A team's total score is a function of its progress in completing all objectives.

The city administration has planned a bug bounty during The Standoff for its public services, in tournament format.


Defenders can be both corporate teams and individual specialists (pseudonyms are allowed for privacy). The defender teams will be split based on area of responsibility, each taking on security for one particular telecom operator, infrastructure site, and so on.

The teams' tasks include designing, installing, configuring, and using protection mechanisms, as well as ensuring the security and integrity of the assets of the company to which the relevant team is assigned. During the team, defenders must periodically report on the incidents that have taken place so far and the measures taken to respond.

A total of 5 sites are to be defended:

  • Telecom operator
  • Office
  • Combined heat and power plant (CHPP)
  • Oil company
  • Railway company

Any protection mechanisms available in software or virtual device form may be used. The organizer does not provide licenses for any protection mechanisms other than for the software produced by the organizer. Hardware solutions may be used, with limitations, only by ICS defender teams. The organizers reserve the right to selectively forbid use of particular protection solutions. ICS protection solutions are not allowed to perform disconnects; only monitoring is allowed.

Defenders are under a financial crunch this year. Due to budget cuts, each team is limited to a virtual budget of 10,000 credits, with which it can purchase protection mechanisms from a local distributor or procure SOC monitoring services. In the price list below, the price of each item is determined by its category and the complexity of integrating it into an IT infrastructure.

Defender teams do not participate in the scoring system; rather, they are evaluated and awarded by a jury of industry experts.

The organizers will apply guidelines to determine whether and how to make rules changing the game infrastructure for a team (network settings, protection methods in use, etc.) so as to ensure a balance between defense and offense. In order to maintain balance on the corporate infrastructures, a more-or-less constant number (within a certain range) of vulnerabilities will be present.

Each defender team will have a special business representative (equivalent to a CISO) assigned by the organizers. This person will be responsible for evaluating the team's work and their decision-making as it affects the company's business (such as disabling services), and will also serve as the single point of contact for any other questions concerning the game. Teams should follow the CISO's instructions immediately and completely. Failure to do so will incur score penalties in the form of a lower trust rating.

External SOCs

Like last year, SOC teams will come to the help of city companies. They will provide their expertise and well-honed processes for detecting and preventing incidents, making these services available to defenders, as well as monitoring the entire city network. SOCs will provide defenders only with the services for which the relevant defender team has paid from its virtual budget.

During The Standoff, SOCs will quickly inform defenders of attacks and take defensive measures. Like the defenders, SOC teams should publicly announce attacks and the methods used for them, as well as provide statistics on the overall state of play (attack trends and other metrics).

SOC teams do not participate in the scoring system; rather, they are evaluated and awarded by a jury of industry experts.

City residents

City residents interact with the attackers and other Standoff participants. They are vulnerable to social engineering and, in return for worthy compensation, are prepared to share secrets. Residents belong to various categories: some work at companies, while others are technonovices who nonetheless use smart gadgets every day.

Methods for interacting with city residents will be relayed to the attackers in the run-up to the Standoff start.


Victory in The Standoff overall, as well as in particular categories, is based on the objectives successfully accomplished within a specific role. The victors are determined on the totality of their accomplishments and points earned. The organizers will announce the victors after the end of the game, at the awards ceremony.

Game progress can be tracked on the Standoff website with the contest leader board and rankings with category leaders.

How to apply

If you want to join in The Standoff, write us at phd@ptsecurity.com. The application deadline is April 3, 2017.