About The Contest

The "VulnSec" Vulnerable Image Building contest is an event that breaks the traditional mold of DEF CON contests. Competitors develop the most interesting environments for the community at DEF CON to hack. Each competitor submits a vulnerable virtual machine, which will be judged by our team, with prizes for the best images.

Who are we?

VulnSec is put on by a group of college students studying to improve their skills as information security professionals. Our team is committed to providing an opportunity for experienced professionals and newcomers alike to build and break images.

Our Team

Special thanks to the team members who have spent many sleepless hours putting together this contest.

Engineer & Planner

Engineer & QA


Images are sorted into categories based on difficulty and experience level.


Minimum Requirements:
ETC: 15 min
VMs in the Beginner Categories should be "Script Kiddie Friendly" so as to bring beginner hackers to the table


Minimum Requirements:
ETC: 30 min
Common vulnerabilities that can be picked up by scanners


Minimum Requirements:
ETC: 60 min
Uncommon vulnerabilities, potentially not picked up by scanners


Minimum Requirements:
ETC: no time limit
Advanced or custom vulnerabilities, unidentified services, etc.

Code of Conduct

1. All images must be rated PG and not offensive (no obscenity or sexually suggestive content)
2. Images must not attempt to leverage vulnerabilities and escape the sandbox environment
3. Images must not attempt to compromise the VulnSec network, DEF CON network, public internet, or other competition images
4. Images should reflect the contestant's creativity; no publicly available images (e.g. VulnHub)
5. No images from previous competitions
6. Contestants must be 18 years of age if not attending DEF CON
7. No other personal information will be required and personal information will not be stored


1. Contestants must provide a write-up on the scenario. This will describe the image to the competitor to get them started and state the image objective, such as "dump the database" or "compromise the web application". Maximum 300 words.
2. VM size is limited to 40GB for Windows & 15GB for Linux in VMDK format
3. File must be compressed (zip, 7z, rar)
4. VMs should be self-contained, with no requirements on other systems or internet resources
5. Contestants must provide a description for the uploaded image including:
   a. Operating System: (Windows/Linux)
   b. Category: (Youth, Novice, Intermediate, Advanced)
   c. List of implemented vulnerabilities and/or objectives
   d. Description of any custom malware used
   e. Root or administrator credentials for screening purposes
   f. Estimated time of completion (ETC)


Contact Us

@VulnSecContest or Email