Rules & Policy

Read these guidelines before the event. Participation implies acceptance of all rules.

Participation

The Broadstreet IT Team Challenge 2026 is an internal event open exclusively to Broadstreet Group IT team members who have been assigned an account by the event administrator.

  • Only registered participants with a valid account may take part
  • Each participant belongs to one team, assigned before the event starts
  • Teams consist of 5 members drawn from across IT roles (IT Ops, Service Desk, Application Support, Developer, Security)
  • Participants must use their own assigned account — sharing credentials is not permitted
  • The event takes place during a defined time window announced by the admin

Challenge Rules

Levels are sequential
You must complete each level before unlocking the next. There is no skipping. Levels progress from networking fundamentals through to advanced web exploitation.
Hints are available but tracked
Each level may have an optional hint. Click "Show Hint" to reveal it. Hint usage is recorded in your activity log and visible to the administrator for reporting purposes.
Learning notes are always shown
Whether your answer is right or wrong, a learning note will appear explaining the concept. The goal of this challenge is learning — not just winning.
Bonus challenge
After completing all 40 levels, a link to a separate bonus challenge will appear. This is a standalone challenge hosted on a different address. The first person to capture the bonus flag wins the top prize.
No automated tools or scripts
All challenges must be completed manually. Running automated scanners, brute-force tools, or scripts against the platform is not permitted and may result in disqualification.

Code of Conduct

This is a team-building event. The spirit of the challenge is learning and friendly competition.

  • Do not share answers, flags, or solutions with other participants during the event
  • Do not attempt to access, tamper with, or disrupt other participants' sessions
  • Do not attempt to access the admin panel or any path not part of the official challenge
  • Do not attempt to access another team member's account
  • Report any platform bugs or unintended vulnerabilities to the admin immediately — exploiting unintended issues will result in disqualification
  • Treat all participants with respect throughout the event
Note: The challenge intentionally contains exploitable web vulnerabilities as part of specific levels (e.g. SQL injection). Participants are authorised to exploit only the designated challenge targets — attempting to attack the platform itself or its underlying infrastructure is strictly prohibited.

Scoring & Prizes

Prize Winner Tiebreaker
Apple iPad First individual to reach the highest level achieved by anyone during the event Exact timestamp of level completion
Apple MacBook First individual to capture the bonus challenge flag Exact timestamp of flag submission
Google Fit Band
(per member)
Team with the highest average level across all 5 members Sum of all member timestamps (lower = faster)

All milestone timestamps are recorded server-side at the moment of submission. Participant device time is not used for prize decisions.

Technical Guidelines

  • Use a modern browser (Chrome, Firefox, or Edge recommended)
  • Browser developer tools are permitted and encouraged — they are part of the challenge
  • You may use the command line, terminal, and standard utilities (curl, dig, nslookup, ping, traceroute, etc.)
  • Wireshark and packet analysis tools are permitted for designated levels
  • VPN or proxy tools may be used for personal privacy but must not be used to circumvent challenge restrictions
  • If the platform becomes unavailable during the event, the admin will notify participants and may extend the time window accordingly

Privacy & Data

Your participation data (levels completed, time spent, hints used, answers submitted) is recorded for the purposes of leaderboard rankings, prize decisions, and a post-event analytics report shared with IT leadership.

  • Data is stored on a Broadstreet-controlled Azure server and is not shared with third parties
  • Activity logs include timestamps, level attempts, and hint usage — not keystrokes or personal device data
  • The admin can view aggregated analytics but your individual answers are used only for scoring purposes
  • Data will be retained for 90 days after the event and then deleted

Questions about data handling can be directed to the event administrator.