WHAT IS ACDX?
More than 30 challenges
Web, cryptography, reverse engineering among others. Progressive difficulty from beginner to expert.
Open models
GPT-OSS, Qwen, Llama, Mistral — all under the Apache 2.0 license. No black boxes.
100% EU sovereign
Infrastructure and models on European servers. Native GDPR. No data outside the EU.
Everything monitored
Every prompt, every command, every HTTP request. Full visibility into the agent’s reasoning.
ROAD TO
Restrict AI
Hold CTFs in person, with supervision, extremely difficult challenges, and guarantees of individual identity. This approach works, and organizations like ECSC and DEF CON CTF already apply it successfully. But it excludes most students.
PATH B — OUR PATH
Force the AI
Instead of banning automation, we turned it into the game. Teams compete on engineering quality: agent design, model strategy, tool automation, cost management, and multi-step reasoning.
ACDX does not rely on proprietary APIs or infrastructure outside the EU. All available models are open-source—the same ones teams can inspect, download, and study: GPT-OSS (117B and 21B), Qwen3, Llama 3.3, Mistral. There are no black boxes. All infrastructure runs on servers in the European Union, operated by European providers.
Native GDPR
Data processed and stored exclusively in the EU. Explicit consent. Right to be forgotten.
ISO 27001
Certified information security management system. Access controls, encryption, periodic audits.
ENS High Level
Compliance with the National Security Framework at its most demanding level. A requirement for Spanish public administrations.
Open models
We are committed to open models in our projects, without restrictive licenses or dependence on proprietary vendors.
Spanish public universities operate under the ENS. Working with platforms that do not comply with these standards creates regulatory friction. ACDX is designed from day one to integrate seamlessly into the European institutional context.
STEP 1
Read the challenge description
Target IP, instructions, context of the vulnerable system.
STEP 2
Call an open-source LLM to reason
The agent asks the model which tool to use, which vector to exploit, and what to explore next.
STEP 3
Interact with the system
The agent runs nmap, sqlmap, curl, netcat, or other tools against the vulnerable application.
STEP 4
Analyze results and repeat
Until the flag is found. The reason → execute → observe cycle continues autonomously.
No in-house infrastructure is needed. The platform is deployed at the university. The platform captures everything: every prompt, every LLM response, every command, every HTTP request.
// PHASE 01
In-person workshops
Half-day workshops to kick-start teams. Introduction to AI-CTF, agent design, and a first live competition. We provide the platform and the trainers.
// PHASE 02
Training challenges
Continuous access to the platform with progressive challenges. Teams practice between workshops and measure their improvement in real time.
// PHASE 03
Formal League
Autonomous University of Madrid
Comillas Pontifical University — ICAI
Your university coming soon
Pontifical Comillas University: School of Engineering (ICAI)