I’ve recently been running a 5e-based game with my usual role-playing nerd circle on Sunday nights. The game is called The Spy Game. It started off as a Kickstarter campaign and doubled its original funding goal (well done!). It’s been fairly successful, but I’m not here to talk about that. This post is about how I’ve incorporated Capture the Flag elements into our role playing.

Yes, I’m a grown man who plays D&D-style games. We play D20 games, which are role-playing games that use dice to determine the outcomes of certain actions. They have become increasingly popularized in the media, with Stranger Things being a large contributor. I did not grow up playing D&D, but started playing when my poker group decided to mix it up. Yes, that is true.

What is The Spy Game?

The Spy Game is a role-playing game that is built around telling stories set in a today-like world with… spies. That means your players pick what type of spy they want to play, make up back stories, and choose classes (Infiltrator, Assassin, Medic, etc.). Then the Game Master (me) makes up scenarios and missions for them to go on. The players decide what they want to do (e.g. attack a security guard) and they roll a die to see how devastating their attack on the poor guard was. And while this is a gross over-simplification, it’s good enough for our purposes.

Quickly, What is Capture the Flag?

Capture the Flag (commonly CTF) is a style of network and systems security penetration-testing simulation for fun. The idea is that a security expert creates a small, simulated computer system that players try to break into, or a code they try to crack, to find a “flag”. The flag is the indicator of the player’s success. For example, you might be given a website that has some sort of password protection that is beatable with certain techniques. Once you bypass the security, you discover a flag. These are often written as {Flag-name} or something similar to allow the players to know they have been successful. You can read all about them on Wikipedia, or play them with Hacker101 or even Google.

Combining CTFs and Role Playing

My roleplaying group is fairly nerdy (does that go without saying?) So I wanted to make the game a little technical and different from our usual swords and sorcery chaos romps. I thought it would be interesting for those in the group who are less technically minded to learn a little about actual hacking, rather than the “roll the dice to try and hack the system” that is built into the game. The more experienced computer-people in the group could screen share as they worked, and the team could work out the problems together. Everyone wins!

It has worked out really, really well. Everyone has enjoyed these CTFs, including me. I’ve only written a few so far, but they include:

  • Breaking a password to get into a security camera interface
  • Finding the GPS coordinates of an arms deal that is going down, hidden in a base-64 string
  • Decoding a message between two terrorists, hidden in an image
  • Cracking a cipher (spoilers) to get the code words for the security team on duty needed for a break-in!

You can find the few I’ve written so far here on GitHub.

These ideas were heavily influenced by the excellent CTF run by the one and only Connor Tumbleson, at Sourcetoad.
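As an added example (not code from the post or from the author's GitHub repository), here is one way a challenge like the base-64 GPS one listed above could be generated and then solved. The `{Flag-lat,lon}` layout, the coordinates, and the surrounding chatter are all made up for illustration.

```python
import base64
import binascii
import re

# Constructed sample data: these coordinates are made up for the example.
LAT, LON = 27.9506, -82.4572


def build_challenge(lat, lon):
    """Game Master side: wrap the coordinates in a flag and bury it in chatter."""
    flag = f"{{Flag-{lat:.4f},{lon:.4f}}}"  # assumed flag layout, not the author's
    token = base64.b64encode(flag.encode()).decode()
    return f"shipment confirmed. ref {token} bring the van, no phones."


# Runs of base64-alphabet characters long enough to be worth decoding.
CANDIDATE = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")
FLAG = re.compile(r"\{Flag-(-?\d+\.\d+),(-?\d+\.\d+)\}")


def solve(text):
    """Player side: return (lat, lon) from the first run that decodes to a flag."""
    for run in CANDIDATE.findall(text):
        try:
            decoded = base64.b64decode(run, validate=True).decode("utf-8")
        except (binascii.Error, UnicodeDecodeError):
            continue  # an ordinary long word or bad padding, not the token
        match = FLAG.fullmatch(decoded)
        if not match:
            continue
        lat, lon = float(match.group(1)), float(match.group(2))
        # Sanity-check that the numbers are plausible map coordinates.
        if -90 <= lat <= 90 and -180 <= lon <= 180:
            return lat, lon
    return None


if __name__ == "__main__":
    message = build_challenge(LAT, LON)
    print(message)
    print(solve(message))
```

The point for the less technical players is that base-64 is an encoding, not encryption: anyone who recognises the character set can reverse it without a key.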

Writing CTFs with ChatGPT

I would highly recommend adding a real world CTF to your next role playing adventure. But who has the time? Enter AI with ChatGPT. One of the scary things about ChatGPT is that it writes decent code, but it is only as good as the prompts you give it, and it is NOT secure. So basically anything you tell the bot to write for you has an exploit big enough to drive a bus through. This should be scary to anyone using it for production work, but it is amazing for CTFs.

I’ve also used ChatGPT to write quick and dirty interfaces (like the security camera on-off switch). Is it pretty? No! Would I use anything like that for a client or anywhere near a production environment? Hell no! But it’s MORE than good enough for a fun evening with friends, gathered around a Zoom table, working out how to hack into a secret vault.

I help companies turn their technical ideas into reality.

CEO @Sourcetoad and @OnDeck

Founder of Thankscrate and Data and Sons

Author of Herding Cats and Coders

Fan of judo, squash, whiskey, aggressive inline, and temperamental British sports cars.


The Internet Doesn’t Have Enough Love In It (And How We Can Fix It Easily)

I’ve been thinking about all the wrong things when it comes to AI writing code.

Everyone else seems to be too. Job displacement. Security vulnerabilities. The ten-times-faster developer who now bills the same and delivers four times as much. These are real conversations worth having, just not the one I want to have right now.

The one I want to have is about teaching a six-year-old multiplication.

Here’s what I mean. Imagine you’ve been sitting with your kid every night for two weeks trying to explain multiplication. You’ve tried drawing rows of dots. You’ve tried songs (don’t judge me). You’ve tried the “just think of it as groups of things” approach that works for literally every other math concept but, mysteriously, not for your kid. Then one night, something clicks. You found the explanation, YOUR explanation, the one that worked for your actual kid with your actual kid’s brain, and it finally, beautifully, clicks.

Now imagine you could spend a Saturday morning turning that into a small web app. Not a startup. Not a SaaS platform. No login. No backend. No one’s going to hack it (there’s nothing to hack). Just a little thing that walks through multiplication the exact way you figured out it works, step by step, the way you’d explain it. You send it to the WhatsApp group for your kid’s class. Some of those other parents, also quietly losing their minds over multiplication, try it. And it helps.

You just made the world a tiny bit better. That’s it. That’s the whole thing.

Claude Code exists now, and a handful of other tools like it, and the reason I think this matters isn’t productivity. It’s access. The barrier between “I have an idea for something that could help people” and “I have a thing that helps people” used to require knowing how to code, or hiring someone who does, or talking a developer friend into your project over enough beers that their guilt exceeded their better judgment. Now it’s a Saturday morning and a good description of what you want to build.

The internet already has beautiful things in it that were built out of love. Free coding education for kids. Open-source video editors. Someone’s incredibly detailed home-brewing app with no monetization plan whatsoever. Artists making interactive experiences because they wanted to see if they could. These things exist because someone cared more about making the thing than making money from the thing. I think that ratio is about to shift dramatically in favor of the people who just want to make something good.

I’m not saying we should all stop paying for Salesforce (we should probably keep paying for Salesforce, there’s a reason that thing costs what it costs). I’m saying the category of software that was previously not worth building because it wasn’t commercial enough to justify the cost, that category just got a lot more interesting.

What’s in that category? Things like:

  • An app that helps beginning judo students understand the concepts behind a throw, not just the mechanics, because judo is where I learned confidence and discipline and I want other kids to find that
  • A private family memory vault (not Instagram, not Facebook, not anything with an algorithm deciding what matters), just a place where the people who love my son can send photos and stories somewhere safe, for him to open when he’s older (Maybe I’ll turn this into something?)
  • A system that reminds companies to send their employees gifts on the days that actually matter to them, because I know from running a company that it fills the cup of the person giving just as much as the person receiving (Thankscrate, if you’re curious, and yes, that one is turning into something real, but that is genuinely not why I built it)

None of those were commercial ideas first. They were just things I cared about.

I think the most interesting software that gets built in the next few years won’t come from developers moving faster. It’ll come from people who previously had no path from “I care about this” to “I built something about this,” and now they do. Parents. Coaches. Teachers. The person in your office who could explain that one complicated process better than anyone and has always secretly wanted to turn it into something.

The stakes are low. The bar to launch is low. The cost is low. The only thing required is that you actually give a damn about what you’re building.

One small caveat before you go off and change the world. If your passion project involves storing the medical records, credit card numbers, or personal information of vulnerable people (childhood leukemia patients, say, or really anyone who has enough going on without also becoming the victim of a data breach), please, for the love of God, do not take that on as a Saturday morning vibe-coding exercise. That is not a passion project, it’s a terrifying lack of judgment and a huge liability. Please hire professionals, follow compliance frameworks, and treat the security of people’s sensitive data with the seriousness it deserves. The whole spirit of what I’m describing here is low stakes, and nothing raises the stakes faster than a database full of information that could ruin someone’s life if it leaks. Build the multiplication app. Build the judo app. Do NOT build the “I’ll just store some PHI real quick” app.

So… What do you give a damn about?

Go build it. I still sometimes have to count on my fingers, but I’m told the app helps.