FSKM · UiTM Shah Alam

iHack 2026

Cybersecurity Event & Capture The Flag

A two-day cybersecurity gathering featuring CTF competitions, expert keynote talks, hands-on workshops, and industrial pitching — organized by FSKM, UiTM Shah Alam.

7–8 Oct Main Event
30 Finalists
5 Program Tracks

What is iHack?

iHack 2026 is an annual cybersecurity event organized by the Faculty of Computer and Mathematical Sciences (FSKM), Universiti Teknologi MARA (UiTM) Shah Alam. Held on 7 & 8 October 2026, the event brings together students, industry professionals, and security enthusiasts for an immersive two-day experience.

Beyond the flagship Capture The Flag (CTF) competition, iHack features a keynote talk from industry experts, three specialized workshops, and an industrial pitching session — connecting academic talent with real-world cybersecurity opportunities.

  • Main event: 7 & 8 September 2026 at Dewan Mawar Qaseh, UiTM Shah Alam
  • Preliminary round: 26 September 2026 (12-hour online Jeopardy) · RM 50 per team
  • Teams of 3–4 members (3 active + 1 reserved slot) · Undergraduate university students
  • Top 30 teams advance to the 24-hour Hack & Defence final
🎯

Our Mission

To cultivate cybersecurity talent, promote ethical hacking practices, and build a vibrant community of security enthusiasts within Malaysia's academic landscape.

Event Program

iHack 2026 comprises five core components across two days of learning, competition, and industry engagement.

🎤

Keynote Talk

An inspiring session delivered by a leading cybersecurity expert, sharing insights on industry trends, career pathways, and the evolving threat landscape.

🔵

Blue Team Workshop

Hands-on defensive security training — learn monitoring, incident response, log analysis, and strategies to protect systems from real-world attacks.

🔴

Red Team Workshop

Offensive security fundamentals — penetration testing techniques, vulnerability assessment, and ethical hacking methodologies used by security professionals.

🎓

Hacking Workshop for Secondary School

An introductory cybersecurity workshop designed for secondary school students, sparking early interest in ethical hacking and digital safety.

💼

Industrial Pitching

Industry partners showcase cybersecurity solutions, career opportunities, and innovations — bridging academia and the professional security community.

CTF Competition

Two rounds — a 12-hour online Jeopardy qualifying round, then a 24-hour on-site Hack & Defence final for the top 30 teams.

Round 1

Preliminary Round

  • Date: 26 September 2026
  • Format: Online · Challenge-based
  • Duration: 12 hours
  • Style: Jeopardy
  • Fee: RM 50 per team

All registered teams compete remotely in a Jeopardy-style CTF. Solve a series of challenges to qualify for the final round. Scoring is based on both correctness and speed of completion.

Round 2

Final Round: Hack & Defence

  • Date: 7 & 8 October 2026
  • Format: Face-to-face at Dewan Mawar Qaseh, UiTM Shah Alam
  • Duration: 24 hours
  • Qualifiers: Top 30 teams from preliminary
  • Fee: RM 200 per team

Finalists receive identical Vulnbox containers hosting intentionally vulnerable services. Teams simultaneously attack opponents and patch their own systems. Scoring rewards correctness and the fastest challenge completion.

Preliminary Challenge Categories

Jeopardy-style challenges in the 12-hour preliminary round cover these domains.

01

Cryptography

Classical ciphers, RSA, hashing, and encoding challenges.

02

Steganography

Hidden data in images, audio, and files — extract concealed flags.

03

Reverse Engineering

Disassembly, decompilation, and binary analysis.

04

Forensic

Memory dumps, disk images, and digital evidence analysis.

05

Web (OWASP)

SQL injection, XSS, SSRF, and OWASP Top 10 vulnerabilities.

06

AI & Prompt Injection

Bypass LLM safety guardrails — trick chatbots into revealing system prompts or API keys.

New
07

Cloud Security

Misconfigured S3 buckets, overly permissive IAM roles, and exposed cloud functions.

New

Preliminary Scoring Criteria

  • Correctness in completing challenges
  • Fastest to complete challenges

Hack & Defence Mechanics

How the 24-hour final round works — offense, defense, and service availability.

📦

The Vulnbox

Every team receives an identical set of containers hosting custom, intentionally vulnerable services — such as a buggy web application, an unauthenticated API, or a vulnerable C binary.

⚔️

Offense (Exploiting)

Teams reverse-engineer services, discover vulnerabilities, write automated exploit scripts, and fire them at every other team's Vulnbox. Successfully stealing and submitting a flag earns Attack Points.

🛡️

Defense (Patching)

Simultaneously, teams patch vulnerabilities on their own Vulnbox — modifying source code, altering binary execution flows, or implementing strict firewall rules to stop flag theft.

📊

Service Level Agreement (SLA)

Teams cannot simply shut down or break their services. Each tick, a scoring bot runs benign functional tests. If a service is down or responding incorrectly, the team loses SLA Points.

🤖

AI & Prompt Injection

Participants conduct prompt injection on competitors' exposed local LLM APIs (e.g. Ollama, LM Studio) and must also defend their own local LLM API from attacks.

🌐

Competition Network

During the final, participants connect via a provided wired switch or SSID. All known LLM websites (e.g. ChatGPT, Claude, OpenRouter) are blocked.

Final Round Scoring Criteria

  • Correctness in completing challenges
  • Fastest to complete challenges

Event Details

📅

Date

7 & 8 October 2026

Wednesday & Thursday
📍

Venue

Dewan Mawar Qaseh, UiTM Shah Alam

CTF Finals · Workshops · Keynote · Pitching
👥

Team Size

3–4 Members

3 active members + 1 reserved slot (min. 3 to register)
💰

Registration Fee

RM 50 / team

Preliminary round · Finals: RM 200 per team (top 30)
🏆

CTF Finals

Top 30 Teams

24-hour Hack & Defence (7–8 Oct)
🎓

Eligibility

Undergraduate Students

Age 26 or below · Valid student ID required

Competition Guidelines

🎓

Eligibility Criteria

  • Current students at a public or private university
  • Undergraduate students enrolled in a degree program
  • 26 years old or below at the time of registration
  • Must still be enrolled upon registering for the competition
📄

Documentation

Participants must provide proof of university enrollment and age during registration:

  • Matrix Card: University-issued student ID card
  • Other: Any official university document verifying enrollment and age
⚖️

Code of Conduct

  • All participants must adhere to ethical hacking practices
  • Cheating or unethical behaviour results in immediate disqualification

Schedule

1 Jun 2026

Registration Opens

Team registration and payment via the online form.

1 Sep 2026

Registration Closes

Final deadline to register for the preliminary round.

26 Sep 2026

Preliminary Round

12-hour online Jeopardy CTF (RM 50 per team). Top 30 teams qualify for the Hack & Defence final.

7 Sep 2026

iHack 2026 — Day 1

Opening ceremony, keynote talk, workshops, and 24-hour Hack & Defence final begins (RM 200 per team).

8 Oct 2026

iHack 2026 — Day 2 & Closing

Hack & Defence final concludes, industrial pitching, secondary school workshop, and prize ceremony.

Ready to Hack?

Register your team (3–4 members) for the 12-hour preliminary round — RM 50 per team. Top 30 teams advance to the 24-hour Hack & Defence final on 7 & 8 October 2026 (RM 200 per team).

Register Your Team