How to Win CCDC: Team Dynamics
CCDC teams have a lot going on. This post covers useful role definitions and the division of work among a team to ensure a smooth competition day.
In this post of the How to Win CCDC series, I give a high-level overview of the various roles on a CCDC team and cover the basics of what each role should be doing in the competition.
Roles
Writer / Captain
I call this role the "Writer" because that's what we called it on my competition team, but I've heard other teams call it "Scribe". Realistically this person is a project manager combined with the team's point of contact with competition officials. I strongly suggest that teams make this person the Team Captain for reasons that will be clear as I continue defining this role. Your Writer is the single most important role on your team as they have the most influence on points awarded to the team. If you have a bad Writer you are going to have an extremely rough time in the competition.
The most important thing that the Writer should be working on is Injects. Injects count for ~40% of your total score and are the place where teams end up losing the most points. In the 2025 Minnesota State competition, the best team managed a score of 58%, so the person in charge of Inject responses shoulders a lot of responsibility. The Writer is in charge of making sure that Injects are completed, and completed on time. Points are not given for late submissions, therefore in order to get Inject responses in on time, the Writer must effectively manage the team's time spent on specific tasks. This means the Writer is in charge of making sure that the team is aligned with priorities and keeping interpersonal conflict within the team to a minimum. If you want to learn more about the duties of the Writer, here is a post I wrote to serve as a guide on how to properly respond to Injects. Before Injects start dropping left and right, the Writer should initially focus the team on their First 15, to make sure that systems are appropriately hardened. When red team eventually gets in, the Writer works with the affected admin to remediate, write an incident report, and keep their morale up.
Since Writers manage most of the team's time, the job of liaison with competition staff essentially falls to them too, because they are the ones who need to adjust plans when staff communicate something. Just like a manager in the real world. They are the team member who will have access to the Inject Submission Panel, so this also puts them in charge of requesting a scrub if it's required. Finally, Writers relay communications from the competition staff to the rest of the team. As the liaison, they have three additional responsibilities. The first is controlling physical entry into the competition room by requesting ID from competition staff, ensuring it matches their badge, and barring them from entry if it doesn't match. The second and third are leading the audit response and handling orange team customer service calls, if those are applicable within your competition.
Do you understand why I suggest making this person the Team Captain? This person needs to be someone who is great at coordination and keeping people on task, and who excels in interpersonal communication alongside other people management skills. Just like a manager in the workplace. Technical skill should not be a defining factor in who you choose to put in this role. This person needs to stay off a terminal. When I competed, we had issues with Captains not being as effective as they could have been in both Regional competitions because they were too focused on what they were doing in a terminal rather than leading the team.
I think merging the Captain role with the Writer role in our competitions would have significantly increased our chances of placing in Regionals. Having the Captain role assigned to a technical person can cause the chain of command and, more importantly, operational knowledge within the team to get messy. Both the Captain and the Writer end up missing critical pieces of information, which causes delays or is difficult to explain clearly and concisely under a high level of stress. With the roles merged, you look to the front of the room for advice, and it's crystal clear that the person sitting there is who you need to talk to. I understand that there may be some hesitation from schools that have a more defined club. Schools in this position may want to make the Club President the Team Captain. That makes sense on paper, but I urge you to reconsider. Choose a Captain based on leadership qualities once the competition season begins, even if that person is not within club leadership.
Firewall Admin
Your Firewall Admin is your Paladin with a tower shield. The primary job of the Firewall Admin is to ensure that the services in and out of your perimeter are only scored services. This can be done quickly with scripting, which allows the admin to start locking down other access areas of the firewall, change credentials, change management interfaces, disable unneeded services, edit configs, and patch if necessary. If there are no exploits available, don't bother patching. When you patch, you are going to take down your network segment while the firewall reboots, costing you valuable uptime score.
The firewall admin also needs to monitor outbound connections to see if there is anything outside what should be expected from the scoring engine. If you have traffic going to port 4444, or to a weird domain or IP, it's likely us. They'll also want to ensure IPv6 is shut down, because unless the scoring engine uses IPv6 for some reason, all the protections you put on IPv4 aren't going to help on IPv6. So if the choice is to either double up on work or just turn it off, it's probably best to turn it off. Firewall admins are also responsible for understanding normal communications in and out of their environment, then flagging and blocking traffic that looks abnormal or suspicious. Firewall telemetry is one of the best sources of data teams have to determine whether traffic is malicious or benign.
The Firewall Admin should be the person who knows and understands networking best. Ideally that goes a little farther than understanding the differences between TCP and UDP, common ports, and basic stateful firewall concepts. Having a fundamental understanding of how routing and switching work is important, as a firewall acts as a router. Additionally, the firewall admin needs to understand network hardening through traditional firewall rules, and how firewalls interact with the application layer if the firewall provided by your competition does application inspection. The Midwest, Mid-Atlantic and Rocky Mountain regions use Palo Alto firewalls, which have application inspection capabilities. Palo Alto publishes a library containing the default application information for their firewalls here. There are also some courses that you can enroll in to help with Palo Alto available here. Additionally, in my opinion, this person should ideally have most of the domain knowledge of CCNA or Network+, or at least be working to get there.
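The outbound-monitoring idea above, as an added example rather than anything from the original post: a small triage script over constructed, syslog-style firewall lines that flags IPv6 sessions, inbound sessions to ports that are not scored services, and outbound sessions to anything other than the scoring engine's network. The scored ports, the scoring engine subnet and the log format are assumptions for the example.

```python
import ipaddress
import re

# Constructed, syslog-style firewall lines (not real competition data). Each line is
# one allowed session as a perimeter firewall might log it.
SAMPLE_LOG = """\
TRAFFIC allow src=10.0.1.5 dst=10.0.1.20 proto=tcp dport=80 dir=in
TRAFFIC allow src=10.0.1.20 dst=10.0.0.2 proto=tcp dport=53 dir=out
TRAFFIC allow src=10.0.1.20 dst=203.0.113.9 proto=tcp dport=4444 dir=out
TRAFFIC allow src=10.0.1.5 dst=10.0.1.20 proto=tcp dport=22 dir=in
TRAFFIC allow src=fe80::1 dst=fe80::20 proto=tcp dport=445 dir=in
"""

# Assumptions for this example: which (proto, port) pairs are scored inbound
# services, and the network the scoring engine lives in.
SCORED_INBOUND = {("tcp", 80), ("tcp", 443)}
SCORING_ENGINE_NET = ipaddress.ip_network("10.0.0.0/24")
LINE_RE = re.compile(r"src=(\S+) dst=(\S+) proto=(\w+) dport=(\d+) dir=(in|out)")


def triage(log_text):
    """Return (reason, line) for every session that falls outside expected traffic."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        src, dst, proto, dport, direction = m.groups()
        src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        if src_ip.version == 6 or dst_ip.version == 6:
            findings.append(("ipv6", line))  # IPv4 rules give no cover here
        elif direction == "in" and (proto, int(dport)) not in SCORED_INBOUND:
            findings.append(("unscored-inbound", line))
        elif direction == "out" and dst_ip not in SCORING_ENGINE_NET:
            findings.append(("unexpected-outbound", line))
    return findings
```

Feed it the export from your actual firewall and tune the two allowlists before trusting the output.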
Other Network Responsibilities
In Regional and National competitions, it's not uncommon to see a hardware switch, router, or other networking equipment in the environment. As the firewall admin is most likely to have the best grasp of networking, it makes sense that these should fall under the purview of the firewall admin. This essentially expands their scope to network admin. Regional environments are likely to be pre-seeded with vulnerabilities or other weird configurations. Switches, Access Points, and Routers are managed quite differently from traditional servers. They often have different command structures and threat mitigations that you can put in place, so make sure that your network admins study up on common hardware and OSes that could appear in the competition. If you enjoy network administration, then I would highly recommend Todd Lammle's CCNA Study Guide book. It's big, but it's the best (and a cheap) resource for learning networking in-depth, and it'll allow you to get hands-on with Cisco IOS.
Windows Admins
Windows here consists of two components: the individual Windows devices and Active Directory. For the purposes of this article, I am going to assume that you have some previous experience with Active Directory, likely from a class. If not, then I highly recommend learning how it works and how to harden it. Note that the Microsoft documentation I linked here will show various versions of AD and Windows Server. One of the best features of AD is that it's extremely backwards compatible, so this shouldn't be a big deal. Windows Admins are mostly going to be working on user account and authentication hardening. Make sure to run a credentialed Nessus scan when you have access to the environment before the competition begins to help figure out your attack surface. I would also recommend running BloodHound, as Active Directory will be more prevalent in the coming years. A quick note: I want to disclose that I work for SpecterOps, the company behind BloodHound. That being said, I used the tool for years before working here, and obviously I use it regularly for Active Directory assessments.
On competition day the first priority is changing default credentials and throwing up a host-based firewall. Windows Firewall sucks, but it's what you have, and what you are stuck with. You can download a third party one if you want, but you potentially open up a whole new can of worms full of outages if you don't completely understand how it works. Granted, you can do that with Windows Firewall just as easily. If you ran BloodHound, remediate any issues that affect Tier 0 assets. Next is disabling all anonymous access to system resources for things like SMB shares and the Security Account Manager (SAM). Disable Link Local Multicast Name Resolution (LLMNR). You can probably disable NTLM authentication altogether, but if not, then enforce NTLMv2. Enable SMB Signing. You will also want to disable all accounts that are not being used, since that can drastically slow Red Team down. Keep in mind that disabling accounts may cause issues in Regionals, however.
When you are confident that you have things locked down, you can install Sysmon and Process Explorer to start threat hunting. Start looking for anomalous relationships between processes and network traffic. For instance, if you see an admin user running PowerShell, then some binary, then Notepad, and Notepad is reaching out to the internet, you probably have a compromise on your hands. If you have Sysmon installed, you can also look at process creation events in Event Viewer to review historical data. Both of these can be used in incident reports, which can help you get some points back. If you have time to do that, work with your Splunk person to ship the logs to Splunk. If you feel like you have a lot of free time and are bored, implement WDAC or AppLocker (I don't expect any team to actually do this except maybe at nationals, but it would be funny to see).
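The PowerShell-then-binary-then-Notepad chain above, turned into detection logic as an added example (not code from the original post). It builds a process tree from constructed Sysmon-style ProcessCreate (EventID 1) and NetworkConnect (EventID 3) records and flags any network connection from an image that normally has no business talking to the network when a script host sits somewhere in its ancestry. The event fields mirror Sysmon's names, but the records, GUIDs and both allowlists are assumptions for the example.

```python
# Constructed Sysmon-style events for illustration (EventID 1 = ProcessCreate,
# EventID 3 = NetworkConnect). GUIDs are shortened to single letters.
EVENTS = [
    {"EventID": 1, "ProcessGuid": "A", "ParentProcessGuid": None,
     "Image": r"C:\Windows\explorer.exe", "User": r"CORP\admin"},
    {"EventID": 1, "ProcessGuid": "B", "ParentProcessGuid": "A",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "User": r"CORP\admin"},
    {"EventID": 1, "ProcessGuid": "C", "ParentProcessGuid": "B",
     "Image": r"C:\Users\admin\AppData\Local\Temp\update.exe", "User": r"CORP\admin"},
    {"EventID": 1, "ProcessGuid": "D", "ParentProcessGuid": "C",
     "Image": r"C:\Windows\System32\notepad.exe", "User": r"CORP\admin"},
    {"EventID": 3, "ProcessGuid": "D", "DestinationIp": "203.0.113.9", "DestinationPort": 443},
    {"EventID": 1, "ProcessGuid": "E", "ParentProcessGuid": "A",
     "Image": r"C:\Program Files\Mozilla Firefox\firefox.exe", "User": r"CORP\user"},
    {"EventID": 3, "ProcessGuid": "E", "DestinationIp": "198.51.100.4", "DestinationPort": 443},
]

# Assumed allowlists: script hosts that make a chain suspicious, and images
# that are expected to talk to the network on their own.
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe"}
NET_EXPECTED = {"firefox.exe", "chrome.exe", "msedge.exe", "svchost.exe"}


def basename(image):
    return image.rsplit("\\", 1)[-1].lower()


def ancestry(procs, guid):
    """Walk ParentProcessGuid links back to the root; returns image basenames, child first."""
    chain = []
    while guid in procs:
        chain.append(basename(procs[guid]["Image"]))
        guid = procs[guid]["ParentProcessGuid"]
    return chain


def hunt(events):
    """Flag network connections from images that should not need the network
    when a script host sits somewhere in their ancestry."""
    procs = {e["ProcessGuid"]: e for e in events if e["EventID"] == 1}
    findings = []
    for e in events:
        if e["EventID"] != 3 or e["ProcessGuid"] not in procs:
            continue
        chain = ancestry(procs, e["ProcessGuid"])
        if chain[0] not in NET_EXPECTED and any(p in SCRIPT_HOSTS for p in chain[1:]):
            findings.append({"user": procs[e["ProcessGuid"]]["User"],
                             "chain": " <- ".join(chain),
                             "dst": f"{e['DestinationIp']}:{e['DestinationPort']}"})
    return findings
```

The chain string and destination are exactly what you want to paste into an incident report.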
Linux Admins
Linux systems within the environment are usually much simpler than Windows, but they tend to have more complicated applications on them. Regardless, basic security concepts apply regardless of system. First things first: change your default credentials in your OS, applications and databases. Next, harden your host firewall. Once again, only scored services or applications the box runs that you need to use should be exposed outside your box. Install and configure fail2ban to keep us out of SSH, or disable it entirely, and remove any needless users. Know your systemd services and which binaries have SUID or SGID applied to them. Watch for changes. Patch your system if needed, especially if there is a kernel exploit. Ensure permissions on your files are reasonable, and keep an eye out for suspicious processes. If you have access to the environment beforehand, run Nessus to determine the attack surface. Afterwards, look into some file integrity monitoring. Since everything on Linux is a file, knowing what's changing in your system can be simpler than on Windows if you have a good idea of how your file integrity monitoring tool works. Then get logs shipped off to the logging server and start threat hunting.
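The file integrity monitoring and SUID/SGID tracking above, as an added example and not the post's or any particular tool's code: a baseline snapshot of hashes and permission bits, a diff that reports added, removed and modified files plus anything that gained a setuid/setgid bit, and a demo that stages a constructed scenario in a temporary directory. The directory layout and file contents in the demo are made up for illustration.

```python
import hashlib
import os
import stat
import tempfile

def snapshot(root):
    """Baseline: map each regular file under root to (sha256, permission bits)."""
    snap = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if not stat.S_ISREG(st.st_mode):
                continue  # symlinks, sockets and devices are out of scope here
            with open(path, "rb") as fh:
                digest = hashlib.sha256(fh.read()).hexdigest()
            snap[os.path.relpath(path, root)] = (digest, stat.S_IMODE(st.st_mode))
    return snap

def is_setid(mode):
    return bool(mode & (stat.S_ISUID | stat.S_ISGID))

def diff(baseline, current):
    """Compare snapshots; new_setid lists files that gained SUID/SGID since baseline."""
    added = current.keys() - baseline.keys()
    common = baseline.keys() & current.keys()
    return {
        "added": sorted(added),
        "removed": sorted(baseline.keys() - current.keys()),
        "modified": sorted(p for p in common if baseline[p] != current[p]),
        "new_setid": sorted(p for p in current if is_setid(current[p][1])
                            and (p in added or not is_setid(baseline[p][1]))),
    }

def demo():
    """Constructed scenario: edit a file, drop a binary, set SUID on a tool."""
    def write(root, rel, data, flags="wb"):
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, flags) as fh:
            fh.write(data)
    with tempfile.TemporaryDirectory() as root:
        write(root, "etc/passwd", b"root:x:0:0:root:/root:/bin/bash\n")
        write(root, "usr/bin/tool", b"#!/bin/sh\necho ok\n")
        os.chmod(os.path.join(root, "usr/bin/tool"), 0o755)
        baseline = snapshot(root)
        write(root, "etc/passwd", b"svc:x:0:0:svc:/:/bin/bash\n", "ab")  # extra uid-0 account
        write(root, "usr/bin/helper", b"\x7fELF")  # unexpected new binary
        os.chmod(os.path.join(root, "usr/bin/tool"), 0o4755)  # SUID bit added
        return diff(baseline, snapshot(root))
```

On a real box, take the baseline right after your First 15 and rerun the diff on a timer against /etc, /usr/bin and your application directories.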
Application Admins
This one is harder than the rest to give a general overview for, because it varies so much. Hardening an application hosted in Docker or Kubernetes is different from a website running on Apache, which is different from a BIND server, which is different from a DB engine. Really, the best advice I can give for applications is the same as for any other security process. Change passwords, lock down needless interfaces with application settings or firewall rules, update if you can, etc. It can be incredibly diverse, and I could probably write a series of blogs on just that, but since the applications change it would be of limited use. Exact security settings are application specific, so you will need to dive into documentation before competition day to ensure that you understand how to secure your apps. Sometimes your applications can have free training! Splunk is a good example of this. If you can use Splunk or some other logging engine, that helps you find us significantly more easily. Here and here are some good places to get Splunk training.
Mixing and Matching
Now, these are mostly ideas that are packaged in a manner that I find convenient. In the competition, however, you are likely to take some of these approaches and blend them together. With the teams I competed with, we had unilateral authority over the boxes we were in charge of, which allowed us greater flexibility for getting specific things done on specific servers. This comes with some drawbacks, such as having some team members overworked or unable to respond in a reasonable amount of time. It should be the responsibility of the Team Captain to ensure that workload is distributed sensibly and to reassign server ownership, even temporarily if required. This could potentially cause some issues where admins get territorial, but generally most teams don't tend to have issues letting someone else into their servers (provided it isn't red team).
Of course, this is not the only way to run a CCDC team. Each individual team should discuss leadership and administrative structure, preferably early in the season, to determine what works best for your specific team. Then you'll want to figure out potential roles and responsibilities, and start coming up with a practice plan. This post is meant to give some ideas and explain what I think works and what doesn't, but please make any tweaks that you and your team feel are necessary. A final thought: I've seen a trend in recent years where teams have a second Writer, or a dedicated assistant/runner for the team. While I can't vouch personally for how well this works, I figured I would highlight it because it seems to be increasingly common over time.
If you found this post useful, please consider reading the rest of the series! If you want to discuss the competition, meet with fellow and former competitors, please feel free to join this Discord server.
Changelog
2026-03-27: Added note for second writer/assistant
2026-03-26: 2026 updates
2025-02-19: Reworked some aspects of this after the 2025 MN state season, and added some links to additional resources.
2024-11-20: Cleaned up some grammar.
2024-07-16: Reworded a few sentences, and removed references to a cancelled blog post.
2024-06-05: Added a link to Red Team article.
2024-05-03: Added a link to Injects article.