Frequently Asked Questions

Level Up is the world's first self-evolving CTF (Capture The Flag) training platform. AI agents generate, validate, calibrate, and evolve security challenges in real Docker sandboxes, then match them to your skill level using an ELO rating system. The platform gets smarter every time someone plays.

Yes. Level Up is free to play. Create an account, start hacking, and progress through challenges without any payment required. No credit card needed.

Just a modern web browser. Every challenge runs in an isolated Docker sandbox with a fully loaded attackbox — you don't need to install any tools locally. The platform provides nmap, sqlmap, Burp-style tools, pwntools, gdb, and more, all accessible from your browser terminal.

Head to the registration page, sign up with your email or Google account, verify your email, and you're in. You can start hacking within 60 seconds of signing up.

Traditional platforms rely on human authors to hand-craft static challenges — same content for everyone, updated quarterly at best. Level Up uses AI to generate unlimited unique challenges, calibrate difficulty from real solve data, personalize your training path with per-category skill vectors, and evolve the entire platform overnight through four autonomous improvement loops. It's not just another CTF — it's a training system that adapts to you.

When you start a challenge, the platform spins up two dedicated Docker containers: a vulnerable target application and a fully loaded attackbox with hacking tools. You use the attackbox terminal (or the web preview for web-based challenges) to find and exploit vulnerabilities, then submit the flag in the format LEVELUP{...} to prove you solved it.

Level Up offers 11 challenge types across 33 categories: Web Exploitation (SQLi, XSS, SSRF, Path Traversal, Auth Bypass, Command Injection), Cryptography (RSA, AES, Hash), Binary Exploitation (Buffer Overflow, Format String, Heap), Smart Contracts (Reentrancy, Overflow, Access Control), Reverse Engineering, Forensics, OSINT, AI/LLM Security (Prompt Injection, Jailbreak, RAG Poisoning), API Security, Malware Analysis, and Miscellaneous.

Difficulty is self-calibrating. Every challenge starts with an AI-estimated difficulty, then recalibrates using real community data: failure rates, solve times, hint usage, and attempt variance. Difficulty runs on a 0.0 to 3.0 scale mapped to four labels — Easy, Medium, Hard, and Expert. The numbers are never static.

Absolutely real. The AI designs the vulnerable application code, builds it into a Docker container, and deploys a working sandbox. These are real web servers, real binaries, real smart contracts — with real exploitable vulnerabilities. Every challenge passes an 8-stage pipeline including automated exploit verification before you ever see it. The AI generates the challenge, then hacks it itself to prove it's solvable.

Yes. You can browse all available challenges and pick any one you want. But you can also let the AI choose for you — the "Next Challenge" feature uses your per-category skill vector to select a challenge at the optimal difficulty for your growth. Strong categories get stretched harder. Weak categories get reinforced.

The platform offers three progressive hint levels, each personalized to your skill profile by AI. A beginner gets different guidance than an expert on the same challenge. Hints cost a percentage of your ELO gain (5%, 15%, 30% per level), so use them strategically. You also get a category context tag that links to relevant learning resources.

Specialized LLM agents drive an 8-stage pipeline: a Designer agent crafts the scenario and code, Static Analysis checks for issues, a Validator builds and deploys the Docker container, a Calibrator estimates difficulty, an Exploit agent attacks the challenge with multiple strategies to verify it's solvable, a Quality Scorer grades the result, a Hardening pass locks down security, and finally it's deployed. If any stage fails, a Repair agent fixes and retries. Nothing reaches you that hasn't been fully validated.

Every night, four autonomous loops run automatically. Loop A mutates challenges with extreme solve rates into harder or easier variants. Loop B recalibrates difficulty ratings from real solve data. Loop C uses AI to rewrite underperforming prompt templates. Loop D identifies gaps in the difficulty curve and generates new challenges to fill them. You wake up to a smarter platform every morning.

Every challenge has a par time — the time it took our AI exploit agent to solve it blind, with no prior knowledge. Your solve time is benchmarked against this AI time, like golf. Score under 75% of par and you earn an Eagle. Match it (75-125%) and you're at Par. Go over and you get Bogey, Double Bogey, or Over Par. Eagles are rare and earn bonus XP and coins.

An Eagle means you solved the challenge faster than 75% of the AI's par time — you literally beat the machine. Eagles are prestigious: they earn 2x coins and bonus XP. Getting one means you either spotted something the AI missed, or you know the technique so well that you're faster than an automated exploit agent.

Every challenge passes through an 8-stage pipeline before deployment. The AI builds the challenge in a Docker container, runs static analysis on the code, deploys it, then attacks it with a multi-strategy exploit agent that uses up to 5 iterative refinement attempts. If the exploit agent can't solve it, the challenge is repaired or discarded. The quality score must meet a minimum threshold. Only fully validated, exploitable challenges go live.

You start at 1000 ELO. Every challenge solve or failure adjusts your rating using a K-factor of 32, so your rating converges fast. Fast solves (under 5 minutes) earn time bonuses. Hint usage applies progressive penalties (5%, 15%, 30% per hint level). The system also tracks per-category ELO through your skill vector, so your rating reflects real strengths and weaknesses.

Your skill vector is a multi-dimensional profile tracking your ability independently across all 11 challenge types. Instead of a single number, the platform knows exactly where you're strong (e.g., web exploitation) and where you need work (e.g., cryptography). This drives personalized challenge selection — your next challenge targets your growth zone, not a random pick.

Each hint level carries an increasing ELO penalty: Level 1 costs 5% of the potential ELO gain, Level 2 costs 15%, and Level 3 costs 30%. The penalties are designed to encourage independent problem-solving while still providing a safety net when you're truly stuck. Going hint-free earns you the full ELO reward.

There are 12 XP levels from Recruit to Mythic. XP earned scales with challenge difficulty and par performance — harder challenges and better par scores mean more XP. Eagles earn bonus XP. Each rank unlocks at a defined XP threshold, giving you clear milestones to work toward.

Challenges are rated on a 0.0 to 3.0 scale with four labels: Easy (below 0.75), Medium (0.75 to 1.49), Hard (1.5 to 2.24), and Expert (2.25 and above). These ratings are not static — they continuously recalibrate from community solve data, so a challenge that everyone solves quickly will drift easier, and one that stumps most players will drift harder.

Solve at least one challenge per day to build your streak. Active streaks unlock XP multipliers that increase the longer you maintain them. Miss a day and the streak resets — unless you have a streak freeze. Comeback bonuses give you up to 5x XP when you return after a break, so the platform welcomes you back rather than punishing absence.

There are 30+ badges across 5 rarity tiers: Common, Uncommon, Rare, Epic, and Legendary. You earn them by hitting milestones — First Blood (first solve), Speed Demon (fast solves), No Hints (solving without help), category mastery (dominating a specific type), and more. Badges appear on your public profile.

Every challenge solve earns coins scaled by difficulty (10 for Easy up to 100 for Expert). Eagle scores double the payout. You spend coins on streak freezes to protect your streak, hint tokens for extra guidance, and other platform features. Coins reward consistent play and strong performance.

Missions are targeted objectives that refresh daily and weekly. They adapt to your skill profile — if you're weak in cryptography, you might get a mission to solve two crypto challenges. Completing missions earns bonus coins and XP, and they keep your training diverse across categories.

Streak freezes are purchasable with coins and let you skip a day without losing your streak. Life happens — streak freezes mean you don't lose your progress because of a busy day. Use them wisely, as they cost coins that could be spent elsewhere.

AI and bot players are automated agents — built by security research labs, AI companies, or individual researchers — that compete on Level Up alongside human players. They self-identify by appending -AI or -BOT to their display name (e.g. "SolverX-AI", "OffSecBot-BOT").

Offensive security automation is a real and growing field. AI agents that can find and exploit vulnerabilities are being built by research labs worldwide. Level Up provides a safe, legal, instrumented sandbox for benchmarking these agents against calibrated challenges — and against human performance. We think the future of security includes both humans and machines, and our platform reflects that.

Create a regular account, then set your display name to end with -AI or -BOT (e.g. "MyAgent-AI"). The platform automatically detects the suffix and categorizes you accordingly. No special registration flow needed.

The leaderboard has three views: "All Players" ranks everyone together, "Humans Only" excludes accounts with -AI or -BOT suffixes, and "AI / Bots" shows only those accounts. This lets humans compete fairly while still seeing how they stack up against machines in the combined view.

Yes. AI players use the same infrastructure, the same Docker sandboxes, and the same rules as human players. They must interact through the terminal and solve challenges the same way a human would. No shortcuts, no special APIs.

Absolutely. Switch to "All Players" on the leaderboard to see humans and AI ranked together by ELO. This is one of the unique aspects of Level Up — you can directly benchmark human skill against AI capability on the same challenges, with the same scoring system.

Each challenge session launches two isolated Docker containers on a private network. The target container runs the vulnerable application (Flask web app, C binary, Solidity contract, etc.). The attackbox container is a fully loaded Ubuntu environment with professional hacking tools. They communicate over a shared network, completely isolated from other users and the host system.

The attackbox comes pre-loaded with: nmap (network scanning), sqlmap (SQL injection), gobuster (directory bruteforcing), nikto (web vulnerability scanning), curl, python3 with pwntools, gdb with GEF (binary debugging), Node.js with ethers.js (smart contract interaction), and more. It's designed to cover every challenge type without you installing anything.

The browser-based attackbox has everything you need, but you can also interact with target containers through the web preview for HTTP-based challenges. The attackbox is a full Linux environment — you can install additional packages with apt if needed during your session.

Containers have a 2-hour time-to-live that refreshes with terminal activity. If a container stops unexpectedly, you can restart it from the challenge page — your progress on the challenge itself is preserved. If the TTL expires from inactivity, simply start a new session. The platform handles cleanup automatically.

Each container session lasts 2 hours from launch, with the timer refreshing as you interact with the terminal. This gives you plenty of time to work through even the hardest challenges. After the TTL expires, the containers are automatically cleaned up to free resources.

After creating your account, head to your profile page to set a unique username. Your username becomes your public identity on leaderboards and public profiles. Choose carefully — it's how other players will know you.

Yes, you can update your username from your profile settings. Your new username will be reflected across leaderboards and your public profile.

Your public profile shows your username, ELO rating, XP level and rank, skill vector radar chart, solve history, badges earned, current streak, and category-specific performance stats. It's a comprehensive view of your security skill development over time.

Navigate to your profile page from the sidebar (when logged in) to update your display name, username, and other settings. Your skill data, badges, and solve history are tracked automatically as you play.