Capture the Flag with ChatGPT: Security Testing with AI ChatBots


  • David Chamberlain Cardiff
  • Ellis Casey



cyber, ChatGPT, Chatbot, Penetration Testing, CTF, Hacking, cybersecurity, security


Penetration testing, commonly referred to as pen testing, is a process of assessing the security of a computer system or network by simulating an attack from an external or internal threat actor. One type of pen testing exercise that has become popular among cybersecurity enthusiasts is called Capture the Flag (CTF). This involves solving a series of challenges that simulate real-world hacking scenarios, with the goal of capturing a flag that represents a piece of sensitive information. Recently, there has been a growing interest in the use of natural language processing (NLP) and machine learning (ML) technologies for penetration testing and CTF exercises. One such technology that has received significant attention is ChatGPT, a large language model (LLM) trained by OpenAI based on the GPT-3.5 architecture. The use of ChatGPT in CTFs has several potential benefits for participants and organisers, including more dynamic and realistic scenarios and enhanced learning experiences, and enhance the effectiveness and realism of CTFs.. Future research can explore more sophisticated models and evaluate the effectiveness of ChatGPT in improving the performance of participants in CTFs.

Author Biography

David Chamberlain, Cardiff

David Chamberlain is a cyber security researcher at Airbus, with experience working in commercial, government and defence, providing research, architectural designs, configuration, deployment and support of security solutions, controls & frameworks, ensuring the protection of IT/OT systems, networks & assets. Personal and professional interests in Cyber Warfare have led to a part-time PhD Research program at Cardiff University, with his thesis on "Cyber War Against Critical National Infrastructure, Within Non-Linear Warfare". Holding a GCHQ certified Masters’ Degree in Advanced Security & Digital Forensics, with a dissertation focusing on "Cyber Warfare, Cyber Terrorism & Cyber Espionage", with BSc (Hons)s in Psychology, and Criminology, with a dissertation investigating state-sponsored terrorism & narco-terrorism. Various industry qualifications include ISC 2 SSCP, TOGAF, CCDA, CCNA & CCNA Industrial specialization, CEH, VCP, NSX, Prince2.