Published on: October 7, 2024
In this interview, SafetyDetectives hears from Mark Lane, co-founder and Director of Zero Days Cyber Security, to explore his unconventional journey into the world of cybersecurity. From being a cab driver to spearheading one of Ireland’s largest Capture-the-Flag (CTF) events, Mark shares how he built a unique, gamified approach to cybersecurity training. Discover the story behind ZeroDays CTF, the creative challenges it offers, and how gamification is revolutionizing the way students and professionals develop hands-on cybersecurity skills.
Can you tell us about your background and what led you to co-found Zero Days Cyber Security?
Believe it or not I used to be a courier and a cab driver. Driving the cab was the most soul-destroying job I ever had, so I made a big decision to go in a completely different direction, and enrolled to do a CCNA course. I really enjoyed this and one of the lecturers on that course convinced me to sign up for a degree, which I did. After finishing college I worked in various IT roles such as tech support and field engineer. I actually grew bored of these jobs, and eventually signed up for a Masters in Digital Forensics and Cyber Security, which turned out to be the best move I ever made. I absolutely loved it, and it reinvigorated me, and while I was studying for the Masters I also discovered Capture-The-Flag competitions.
This was around 2009, and CTFs in those days were a very different beast. There were no standardised flag formats, no regular categories, and everything was generally very confused and confusing. There was also often a certain level of elitism involved and they generally weren’t inclusive of beginners or new players.
So, after a few years and a particularly negative experience at one CTF, I thought “I could do better than this” and set about organising ZeroDays CTF, which was aimed at college students from Irish colleges. Obviously we had a captive audience with my own students, so it was a natural fit in developing their interest, but we also had teams from other colleges around Ireland, notably LYIT and TCD. The first event featured 22 teams and over 80 players, which made it the biggest CTF in Ireland.
It was a lot of fun (and a lot of work), but our aim was to make the event inclusive, fun and with a wicked afterparty, so it was really popular, and just grew from there into an annual event. The second instalment had over 120 players, and that interest has grown year-on-year to the extent that in 2023 and 2024 we hosted the CTF in Ireland’s national stadium, Croke Park and had well over 500 participants on around 140 teams. 2025 promises to be even bigger. We’ve also gone from the competition being exclusively for colleges, to now having an open section for graduates and professionals, and a rapidly growing Cyber Schools section, which has been really successful, and which has huge potential to grow and grow.
What was the inspiration behind creating a gamified approach to cybersecurity training through Capture-the-Flag (CTF) events?
One of the primary goals of ZeroDays CTFs was to create an inclusive, welcoming and engaging experience for participants. And this has really been one of the main factors in our success and growth. People really enjoyed the experience and wanted to come back to the next one. Students and graduates alike really engaged in the experience and genuinely had fun, while also learning new skills, new ways of thinking and new approaches to problem solving.
Many of the IT professionals taking part in the competitions learned new skills, and reported back to their organisations on how much fun they’d had while actually developing their knowledge. The training side really came from this. One company asked us if we could develop some gamified challenges to test potential hires as part of an interview process. This in turn led to us creating full-fledged CTFs for in-house company training.
We work with the host companies to develop challenges matched to their requirements and to the skillsets of their employees and needs.
What are some of the most exciting or creative challenges participants face in your CTF events?
Really this is a difficult one to answer. There are many categories of challenges and everyone has their own favourite. Our CTFs include the regular categories of cryptography (crypto), binary exploitation (pwn), web exploitation (web), reverse engineering (rev), forensics, OSINT and miscellaneous (misc), and our CTFs cater to all levels with challenges that are noob-friendly and challenges that appeal to hardened CTF players.
However, as our CTFs are in person, we can also introduce more physical games such as a bomb-disposal team challenge, a relay game, lock-picking, treasure hunt and many more. My own personal favourites are the OSINT challenges, and I also have fun creating the treasure hunts. Our largest annual CTF is ZeroDays CTF, and that is themed, with teams encouraged to come in costume (some challenges are only available to teams where each member is in costume), so it’s always fun to see lots of otherwise serious hackers running around dressed as a supervillain or a bishop 😊
How do you think gamification helps in improving cybersecurity skills, especially for students and beginners?
CTF challenges are often very real-world challenges, so the skills they learn are very hands-on. This makes the learning very useful, as well as fun. It’s not like a classroom where you would learn by rote or memorisation. CTF challenges involve researching the problem, and then putting that learning into action.
So participants are learning how to learn on the job, using their own initiative and developing problem-solving skills. It can make them much stronger learners and more independent thinkers. They’re also working in a team, so they’re learning valuable teamwork and communication skills. The diversity of approaches can also enhance the experience and create shared knowledge and skills transfer, as well as showing different approaches and ways of thinking.
The competitive element can be great motivation too as students compete against friends or classmates, or rival schools and colleges. There can be a lot of pride and bragging rights at stake, as well as prizes and trophies!
What are the key benefits of hands-on CTF training over traditional learning methods like lectures or certifications?
The main benefit is the hands-on skills that are learned. Lectures and certifications have their place, but often for students these can just result in memorisation tests. With gamified CTF challenges the students often have to research first, learn something new and then apply that learning to solve the problem.
Their learning is more independent and can be more motivated. They must figure out the problem and apply their learning directly in novel ways. It’s not just following a list of instructions, it’s a way of thinking, and it’s an approach which can be taken in the wider world, not just within the confines of the CTF.
What do you believe are the biggest misconceptions about working in the cybersecurity field?
I think the old hacker stereotype is still going strong; the young male in a black hoodie crouched in a dark room over a Linux terminal. The reality is that modern cybersecurity teams are often much more diverse in age, gender, backgrounds and experience. They work in modern offices often with lots of perks, or work remotely from the beach, the bedroom or the bar.
Another misconception is that you need to be some sort of maths prodigy to do well in cybersecurity. For some elements that can definitely be true, but for most careers it doesn’t really make a difference. Within cybersecurity there’s a really wide range of careers available to suit a wide range of skills and backgrounds. Soft skills are also more important than ever. With lots of teamwork, communications and presentation skills are a valuable part of the armoury.