CTF Event
A two-round Capture The Flag competition — a 12-hour online Jeopardy preliminary followed by a 24-hour on-site Hack & Defence final for the top 30 teams.
View CTF rounds →Cybersecurity Event & Capture The Flag
A two-day cybersecurity gathering featuring CTF competitions, expert keynote talks, hands-on workshops, and industrial pitching — organized by FSKM, UiTM Shah Alam.
iHack 2026 is an annual cybersecurity event organized by the Faculty of Computer and Mathematical Sciences (FSKM), Universiti Teknologi MARA (UiTM) Shah Alam. Held on 7 & 8 October 2026, the event brings together students, industry professionals, and security enthusiasts for an immersive two-day experience.
Beyond the flagship Capture The Flag (CTF) competition, iHack features a keynote talk from industry experts, three specialized workshops, and an industrial pitching session — connecting academic talent with real-world cybersecurity opportunities.
To cultivate cybersecurity talent, promote ethical hacking practices, and build a vibrant community of security enthusiasts within Malaysia's academic landscape.
iHack 2026 comprises five core components across two days of learning, competition, and industry engagement.
A two-round Capture The Flag competition — a 12-hour online Jeopardy preliminary followed by a 24-hour on-site Hack & Defence final for the top 30 teams.
View CTF rounds →An inspiring session delivered by a leading cybersecurity expert, sharing insights on industry trends, career pathways, and the evolving threat landscape.
Hands-on defensive security training — learn monitoring, incident response, log analysis, and strategies to protect systems from real-world attacks.
Offensive security fundamentals — penetration testing techniques, vulnerability assessment, and ethical hacking methodologies used by security professionals.
An introductory cybersecurity workshop designed for secondary school students, sparking early interest in ethical hacking and digital safety.
Industry partners showcase cybersecurity solutions, career opportunities, and innovations — bridging academia and the professional security community.
Two rounds — a 12-hour online Jeopardy qualifying round, then a 24-hour on-site Hack & Defence final for the top 30 teams.
All registered teams compete remotely in a Jeopardy-style CTF. Solve a series of challenges to qualify for the final round. Scoring is based on both correctness and speed of completion.
Finalists receive identical Vulnbox containers hosting intentionally vulnerable services. Teams simultaneously attack opponents and patch their own systems. Scoring rewards correctness and the fastest challenge completion.
Jeopardy-style challenges in the 12-hour preliminary round cover these domains.
Classical ciphers, RSA, hashing, and encoding challenges.
Hidden data in images, audio, and files — extract concealed flags.
Disassembly, decompilation, and binary analysis.
Memory dumps, disk images, and digital evidence analysis.
SQL injection, XSS, SSRF, and OWASP Top 10 vulnerabilities.
Bypass LLM safety guardrails — trick chatbots into revealing system prompts or API keys.
NewMisconfigured S3 buckets, overly permissive IAM roles, and exposed cloud functions.
NewHow the 24-hour final round works — offense, defense, and service availability.
Every team receives an identical set of containers hosting custom, intentionally vulnerable services — such as a buggy web application, an unauthenticated API, or a vulnerable C binary.
Teams reverse-engineer services, discover vulnerabilities, write automated exploit scripts, and fire them at every other team's Vulnbox. Successfully stealing and submitting a flag earns Attack Points.
Simultaneously, teams patch vulnerabilities on their own Vulnbox — modifying source code, altering binary execution flows, or implementing strict firewall rules to stop flag theft.
Teams cannot simply shut down or break their services. Each tick, a scoring bot runs benign functional tests. If a service is down or responding incorrectly, the team loses SLA Points.
Participants conduct prompt injection on competitors' exposed local LLM APIs (e.g. Ollama, LM Studio) and must also defend their own local LLM API from attacks.
During the final, participants connect via a provided wired switch or SSID. All known LLM websites (e.g. ChatGPT, Claude, OpenRouter) are blocked.
7 & 8 October 2026
Dewan Mawar Qaseh, UiTM Shah Alam
3–4 Members
RM 50 / team
Top 30 Teams
Undergraduate Students
Participants must provide proof of university enrollment and age during registration:
Team registration and payment via the online form.
Final deadline to register for the preliminary round.
12-hour online Jeopardy CTF (RM 50 per team). Top 30 teams qualify for the Hack & Defence final.
Opening ceremony, keynote talk, workshops, and 24-hour Hack & Defence final begins (RM 200 per team).
Hack & Defence final concludes, industrial pitching, secondary school workshop, and prize ceremony.
Register your team (3–4 members) for the 12-hour preliminary round — RM 50 per team. Top 30 teams advance to the 24-hour Hack & Defence final on 7 & 8 October 2026 (RM 200 per team).