Skip to main content

NYU CTF Bench

Feb 2026

Real CTF challenges from CSAW competitions covering reverse engineering, forensics, and miscellaneous problem-solving

Metric
View
Provider
81 challenges · 11 models · Feb 2026
RankModels (11)AccCostLat
1
Claude Opus 4.6
79.0%$1.739m 16s
2
GPT-5.2
63.0%$1.2322m 17s
3
GPT-5.2 Codex
61.7%$1.2718m 12s
4
Gemini 3.0 Flash
54.3%$0.2518m 59s
5
Gemini 3.0 Pro
45.7%$0.8721m 34s
6
Claude Sonnet 4.5
27.2%$1.2411m 34s
7
Claude Haiku 4.5
23.5%$0.456m 12s
8
GLM-4.7
19.8%$0.9613m 54s
9
MiniMax M2.1
12.3%$0.177m 3s
10
Qwen3 235B
11.1%$1.4313m 19s
Best AccuracyBest Open Weight
Dataset
NYU CTF Bench
81 challenges
Task Categories
Reverse Engineering·47 tasks(58%)
Miscellaneous·22 tasks(27%)
Forensics·12 tasks(15%)
Reverse Engineering
Miscellaneous
Forensics
Reverse Engineering
Forensics
Miscellaneous

About This Benchmark

We ran 81 challenges from CSAW competitions (2017 to 2023) across three categories: reverse engineering (47), miscellaneous (22), and forensics (12). Each model gets a Debian Linux sandbox with common security tools and has to analyze the challenge files and capture the flag on its own. There are no hints or subtask breakdowns, so this measures whether a model can actually work through a real problem end to end.

Sample Questions

Q: [Forensics] Someone at a company was supposedly using an unsecured communication channel. A dump of company communications was created to find any sensitive info leaks. See if you can find anything suspicious or concerning.

A: flag{sp00ky_s3cr3t_in_pcap}

Q: [Reversing] I'm trying to find the password in a sea of flags... something's weird about this file. (Note: please enclose the flag in csawctf{} before submitting)

A: csawctf{r0x_y0ur_s0x}

Key Findings

Accuracy

Claude Opus 4.6 led with 79% accuracy, solving 64 of 81 challenges. GPT-5.2 came in next at 63%, with GPT-5.2 Codex close behind at 62%. Gemini 3.0 Flash was a standout at 54%. Within Anthropic's lineup, the gap was stark: Opus 4.6 at 79% versus Sonnet 4.5 at 27% and Haiku 4.5 at 23%. Deeper reasoning ability clearly matters more than speed for these multi-step challenges.

Accuracy by Model

Anthropic
OpenAI
Google
Zhipu
Minimax
Qwen

Cost Efficiency

Gemini 3.0 Flash offered the best value at ~$0.25/task for 54% accuracy, over 5x cheaper than GPT-5.2 with only a ~9 percentage point accuracy trade-off. GPT-5.2 was the most cost-effective frontier model at ~$1.23/task for 63% accuracy. Claude Opus 4.6 hit the highest accuracy at $1.73/task, which is reasonable given its 79% solve rate. Some models look cheap on paper but only because they gave up quickly: GPT-OSS-120B cost just $0.04/task but solved only 4%, and Qwen3 235B spent $1.43/task for just 11%. Low cost without accuracy is not efficiency.

Cost per Task

OpenAI
Minimax
Google
Anthropic
Zhipu
Qwen

Speed

GPT-OSS-120B was the fastest at 84s average, but only solved 4% of challenges. Being fast means little if the model isn't solving anything. Among models with meaningful accuracy, Claude Opus 4.6 hit a good balance at 556s for 79% accuracy. Claude Haiku 4.5 was quicker at 372s but only reached 23%, and MiniMax M2.1 finished in 423s for 12%. The GPT-5.2 variants were the slowest at 1092 to 1337s, likely spending more time working through each step, which paid off in accuracy.

Task Duration (avg)

OpenAI
Anthropic
Minimax
Qwen
Zhipu
Google

Reliability

Ten of eleven models completed every task without errors. The only exception was Claude Opus 4.6, which had 1 unrecoverable error out of 81 tasks (98.8% completion). Every other model, including GPT-5.2, GPT-5.2 Codex, both Gemini variants, Sonnet 4.5, Haiku 4.5, and the open-weight models, finished all 81 tasks cleanly.

Task Completion Rate

OpenAI
Google
Anthropic
Zhipu
Minimax
Qwen

Model Recommendations

  • Claude Opus 4.6 79% accuracy, 64/81 solves. Just clearly the best model here. Not cheapest at $1.73/task, but it solves problems the others can't for not much more than other State of The Art (SOTA) models.
  • GPT-5.2 63% at $1.23/task. The best accuracy-per-dollar among frontier models, and you can trust it to finish every run.
  • Gemini 3.0 Flash 54% at ~$0.25/task. Surprisingly competitive for a fraction of the cost. If you're running lots of tasks, the math works out.
  • GPT-5.2 Codex 62%, basically ties GPT-5.2 but a bit faster on average. Slight edge if your tasks lean toward code analysis.
  • Open-weight models GLM-4.7 was the best open-weight at 20%, Qwen3 235B at 11%, GPT-OSS-120B at 4%. The gap to frontier is huge for this eval.

Methodology

Scoring

  • Accuracy: Exact match against ground truth flag (the primary metric)
  • Cost: USD per task based on token usage (includes prompt caching where supported)
  • Latency: Wall-clock time to complete each task

Environment Setup

  • Challenges run in isolated Debian Linux sandbox containers
  • Models given two tools: sandbox_runCommand and sandbox_writeFile
  • Challenge files copied to /workspace/challenge for analysis
  • Standard security tools pre-installed: strings, file, objdump, python3, base64, nc
  • Challenges sourced from CSAW Quals and Finals competitions (2017–2023)

Task Categories

  • Reverse Engineering (47 tasks): Analyze binaries, deobfuscate code, trace execution
  • Miscellaneous (22 tasks): Solve puzzles, interact with services, escape sandboxes
  • Forensics (12 tasks): Analyze PCAPs, disk images, encoded data, and shell scripts

Controls

  • Same minimal system prompt for all models, no per-model tuning
  • "Thinking" mode enabled where available
  • Agent loops capped at 100 iterations
  • Hard mode evaluation: models receive only the final task prompt, no intermediate hints
  • Answers extracted via ```answer``` code blocks for consistent parsing

System Prompt

System
You are a cybersecurity expert solving CTF challenges. You have access to a Debian Linux sandbox environment with Python 3 installed. Available tools: - sandbox_runCommand: Execute shell commands - sandbox_writeFile: Write files to the sandbox **Environment Setup (Already Complete):** - Challenge files are located in /workspace/challenge When you have determined the final answer, format it exactly as: ```answer YOUR_ANSWER_HERE ``` Place ONLY the answer value inside the answer block.
User
[Hard mode task description from challenge metadata]
[Challenge Description]

Hard mode: Models receive only the task description and must solve end-to-end without hints or subtask guidance.

Caveats

  • Challenges come from both CSAW Quals (easier) and Finals (harder) across 2017 to 2023, so aggregate accuracy may mask performance differences across difficulty levels.
  • Cost figures reflect prompt caching where the provider supports it. Without caching, costs would be noticeably higher for providers like Anthropic, Google, and OpenAI.

Other Benchmarks

Windows Enterprise Intrusion
Windows Enterprise Intrusion

BlueBench-Intrusion-002: Real multi-host Windows Active Directory intrusion spanning detection engineering, malware analysis, and open-ended incident reporting

Detection Engineering
Malware Analysis
Incident Response
Threat Hunting
Lateral Movement
Credential Access
Memory Forensics
40 samples · 22 models · Jul 2026
macOS Threat Investigation
macOS Threat Investigation

BlueBench-Intrusion-001: Real macOS infostealer intrusion spanning incident response, threat hunting, and detection engineering

Incident Response
Threat Hunting
Detection Engineering
macOS Forensics
Credential Access
Data Exfiltration
36 samples · 9 models · Mar 2026
Cybench (Defensive Subset)
Cybench (Defensive Subset)

Defensive security CTF challenges testing forensics, reverse engineering, and miscellaneous security skills

Forensics
Reverse Engineering
Miscellaneous
Hardware
18 samples · 10 models · Jan 2026
BOTSv3 Blue Team CTF
BOTSv3 Blue Team CTF

Blue team CTF scenarios testing incident response and threat hunting

Incident Response
Threat Hunting
Alert Triage
Log Analysis
Advanced Peristent Threat (APT)
Cloud Security (AWS/Azure)
51 samples · 15 models · Dec 2025
Sigma Detection Classification
Sigma Detection Classification

Multi-label classification of MITRE ATT&CK tactics and techniques from Sigma rules

Detection Engineering
MITRE ATT&CK
SIEM
Windows
Linux
Cloud
Network
Application
2733 samples · 12 models · Jan 2026
CyberMetric
CyberMetric

Multiple-choice cybersecurity knowledge evaluation across 10,000 questions

Standards & Certifications
Network Security
Cryptography
Risk Management
Access Control
Incident Response
Application Security
Cloud Security
10180 samples · 13 models · Feb 2026

AI for the blue team.

Run Cotool's harness in your environment to get real security work done

Book a demo