Top cybersecurity students across the globe face-off at RIT’s pentesting competition

The best cybersecurity students in the world came to Rochester Institute of Technology to battle in the Collegiate Penetration Testing Competition (CPTC) global finals Jan. 9-11. The event wrapped up the largest offense-based cybersecurity competition for college students, which was created by RIT.

A team of students from University of California, Irvine took home the CPTC trophy for 2026. Princess Sumaya University for Technology (Jordan) placed second and University of Massachusetts, Amherst placed third.

At the competition, 12 teams used white hat hacking skills to break into fabricated computer networks, evaluate their weak points, and present plans to better secure them. The pentesting competition helps students build and hone the skills for a career in cybersecurity—an industry with a severe shortage of qualified professionals.

“The thing that sets CPTC apart from other competitions is the immersive mindset and realism—it’s as close as it gets to real-world pentesting,” said Justin Pelletier, director of CPTC and director of RIT’s ESL GCI Cyber Range and Training Center. “Since the beginning, we have been very innovative in the competition scene to include things like business communications—because if you can’t deliver your findings in a way that’s actionable and understandable to the client, then it’s not an effective pentest.”

In this year’s scenario, teams conducted a pentest for a cruise operator, testing both shipboard weaknesses—including a limited IT staff, high workload, and inconsistent patching—and high-level corporate risks, such as remote control platforms and Security Operations Center visibility.

Judges from the security industry evaluated the performance of competitors. Professionalism—along with technical findings, presentations, and reports—play a key role in scoring well.

Throughout the fall, more than 400 elite cybersecurity students from 70 schools gathered at seven regional events across the world. The top 12 collegiate teams from regionals and wildcard competitions were selected for the weekend-long 2026 CPTC global finals. Participating teams included:

• Al Hussein Technical University (Jordan)
• Brigham Young University
• California State Polytechnic University, Pomona
• Dakota State University
• Princess Sumaya University for Technology (Jordan)
• Rochester Institute of Technology
• Stanford University
• University of California, Irvine
• University of Central Florida
• University of Florida
• University of Massachusetts, Amherst
• University of New Haven

The competition environment was run through RIT’s ESL Global Cybersecurity Institute (GCI) Cyber Range and Training Center, which is capable of hosting more than 5,000 virtual machines for immersive scenarios. Students also have the opportunity to meet experts, hand out résumés, and interview with potential employers.

CPTC takes the next step

After 11 years of growth through RIT, the Collegiate Penetration Testing Competition is moving forward as an independent, nonprofit organization. The transition will allow more schools to host and further grow the event’s reach.

In 2015, RIT’s Department of Computing Security faculty created CPTC in order to fill a gap in the competition space. Bill Stackpole, who is now a retired professor of cybersecurity, explained that while different kinds of cyber competitions did exist at the time, they were constrained and didn’t offer realistic experiences.

The RIT professors wanted an event that put students in front of infrastructure and made them responsible for it. Competitors would be graded on the practicality of their work, including red team activities and explaining defensive actions.

As a leader in the cybersecurity industry, Bob Kalka ’89 (computer science), vice president of IBM’s Security Business Unit at the time, saw the need too. With support from IBM and RIT’s Golisano College of Computing and Information Sciences, the first competition took place with nine teams in 2015.

“The first one was messy, but it grew like gangbusters,” said Stackpole. “Everyone wanted to participate, but no one was willing to build it. So, we built it.”

Over 11 competitions, CPTC has grown to include regional events and international universities.

“Creating something like this really depends on having all the right people in the room at the same time,” said Stackpole. “We had faculty who were willing to invest the time above and beyond, management to support the event, and a vision for where it was going to go.”

In addition to building support for RIT’s cybersecurity degree programs, CPTC has taught students from many colleges what they need to know to be successful in the security industry.

For Sunggwan Choi ’20 (computing security), CPTC helped him land a job. He said that CPTC forces students to develop in several key areas.

“You’re constantly pushing into new technical domains, learning enumeration and exploitation techniques, building your soft skills so you can communicate technical work to both technical and non-technical audiences, and figuring out how to work effectively as a team,” Choi said.

Choi was a member of RIT’s second place finishing team in 2020 and captain of the first-place team in 2021. After his first finals competition, he was approached by IBM Security representatives for a summer internship with X-Force Red. He was eventually hired by IBM full time.

“I think they were impressed by the debrief presentation, communicating skills during the competition, and the Linux/Windows hacking cheat sheet that I open sourced specifically for CPTC,” said Choi.

Today, Choi lives in Korea and works as a red team operator at Samsung Electronics, focusing on adversary simulation.

“The folks at CPTC try to represent realistic scenarios,” said Choi. “Sometimes the client could get defensive, push back, or even get angry at your work. Simulating these types of difficult business situations helped me to adapt fast in real-world consulting when I first started my job.”