Binghamton University student team scores high in global cybersecurity competition
School of Computing undergraduates, graduate students rank #13 among 114 competitors
Learning about cybersecurity is a critical part of any computer science curriculum — but fighting off real-time cyber-attacks puts those skills to the test.
For the MITRE Embedded Capture the Flag Competition, students from around the world build what they hope is a secure software-and-hardware system, defend it against other teams, and then try to hack into those teams' creations.
Last year, Binghamton University participated in the competition for the first time, finishing at #26 overall and #2 in New York — respectable for students doing the work on their own time.
This spring, the School of Computing at the Thomas J. Watson College of Engineering and Applied Science followed MITRE’s recommendation to make eCTF a formal part of the curriculum. A dozen students signed up and committed time outside of class, while two other students also participated without registering for the course.
This year's challenge was to design and implement a secure storage solution for a chip foundry. The system needed to allow users with various roles to access the proper data without leaking sensitive chip designs to unauthorized parties.
“The students work very hard,” said Associate Professor Aravind Prakash, who serves as team advisor. “This is not like any other course, because we don't have a set number of hours that you need to put in. There were weekends when they would come work in the lab to do their software development or attacks.”
The result? Binghamton ranked #13 among 114 competitors, and it was the only New York university in the top 20.
Team co-captain Samruddhi “Sammy” Deshpande, a computer science master’s student, also took part in the 2025 competition, and she thinks that made it easier to see weaknesses in other teams’ code bases and designs. The Binghamton team also tapped into new artificial intelligence tools.
“We knew what our previous mistakes were, and how not to repeat those mistakes,” she said. “AI helped us to come up with new ideas, and really does well for the authentication side of things, but it also made it much harder to streamline into one specific goal.”
MITRE is a not-for-profit organization that operates federally funded research and development centers to provide technical expertise, stability, and continuity to government agencies. It advances technology in national defense, aviation safety, GPS, financial systems, healthcare, and cybersecurity.
The eCTF competition includes not just software but also hardware, which can offer different ways to break into a system and get to the valuable information inside.
Students started designing the firmware in January. The attack phase began on March 15, and the firmware withstood all attacks for the first month. On April 15, the final day of the attack phase, four top-ranked teams captured three of the team’s five flags through hardware fault injection, which physically disrupts how a circuit board operates, causing malfunctions and bypassing security protocols.
Friendly rivalries
Even though they’re meant to be rivals, other teams generally keep things friendly. At an awards ceremony earlier this spring at MITRE’s Bedford campus in Massachusetts, Binghamton students spent some face-to-face time with other competitors who offered insights into their strategies.
“We'll try this fall to learn how to do better hardware attacks,” said team co-captain and doctoral student Pratik Kamble. “If we can do that, I think we will be among the top teams next year. We were 26th last year, and now we are 13th — so it's half. Maybe we can halve that again next year.”
Nathan Brauning, a senior this fall, said having tasks that they needed to complete by a certain deadline taught the students how to work as a team.
“We also learned how to think like an attacker or think like a defender from a cybersecurity standpoint,” he said. “Participating in eCTF is good for that, because it forces you to compete with other schools. You're not just taking a class — we want to do better than other universities.”
Applying cybersecurity principles in real-world situations offered key experience outside of the classroom, according to Sky Jiang ’26, who earned his degree in May.
“There were a lot of concepts that we applied in this competition,” he said. “Some are concepts that we would go over during classes, like cryptographic ideas, such as symmetric and asymmetric keys or the Diffie-Hellman key exchange method, as well as stuff like buffer overflows, which other groups took advantage of during the attack phase.”
Michael Florentino, a junior this fall, appreciated how he needed to read and review other people’s code — something he hadn’t done very much yet in his undergraduate career.
“I’d be checking multiple documents and sending code back to other people, telling them what I thought they could do better or what they should change,” he said. “Getting that skill in a team environment was very valuable.”
Hands-on experience
Some students joined the eCTF team with no cybersecurity background and faced a steeper learning curve, but they enjoyed working on both hardware and software hacking.
“I would go to the lab where we have the board set up, and I’d watch our team captains do what they're doing so I can try to learn from them,” said Bonnie Chen, a junior this fall.
Arianna Carchi ’26, who is returning for her master’s degree this fall, praised the unique opportunity that the eCTF competition offers to students.
“This was the first year in this competition for most of us, so the first month was tough, just trying to learn everything from MITRE,” she said. “It’s one of the best classes you can take if you want to learn cybersecurity, because it goes beyond the concepts. You get to do something hands-on — you actually work on something physical when you do hardware attacks on other schools.”
As the team’s advisor, Prakash is already looking ahead to next year, and he’s hoping to shepherd the team to an even higher ranking. Among the lessons they learned: Prepare students before the semester begins, agree on a complete security design before implementation, avoid separating students into defense-only and attack-only roles, use graded checkpoints to sustain engagement, and provision hardware infrastructure early.
“From my discussions with the organizers at MITRE, they are happy not only that we participated, but that our trajectory is going up and we are able to finish strong,” he said.