Pentiq

Industry Events

Pentiq Places 2nd in Great Britain at Hack The Box CTF 2026: Project Nightfall

Pentiq finished 2nd in GB and 38th globally (top 7%) at the Hack The Box Global Cyber Skills Benchmark CTF 2026, solving 116 of 126 challenges.

Author: Lewis Warner

Date:

Pentiq Places 2nd in Great Britain at Hack The Box CTF 2026: Project Nightfall

A few words from inside the team that played.

Hack The Box Global Cyber Skills Benchmark CTF 2026 team achievement card: Pentiq team ranked 38th globally, top ~7%, with 116 of 126 challenges solved for 69,475 points. Team members Devand MacLean, Ignas Petreikis, Jack Pringle, Lewis Warner.

I will lead with the headline because I am genuinely proud of it. Between 15 and 20 May, four of us competed for Pentiq at the Hack The Box Global Cyber Skills Benchmark CTF 2026: Project Nightfall and finished 2nd in Great Britain and 38th globally out of 589 teams. That put us in the top 7% worldwide, with 116 of the 126 challenges solved on the way to a final score of 69,475 points.

The verified results, including the per-category breakdown, are at the foot of this article. They are worth a look.

By the numbers

  • Event: Hack The Box Global Cyber Skills Benchmark CTF 2026: Project Nightfall
  • Dates: 15 to 20 May 2026
  • Rank, Great Britain: 2nd
  • Rank, global: 38th of 589 teams
  • Percentile: top 7% worldwide
  • Challenges solved: 116 of 126
  • Final score: 69,475 points

What was actually in the box

Project Nightfall is Hack The Box's annual flagship CTF, and it is one of the few events I take seriously as a benchmark of where our team's skills sit against the global field. The reason is breadth. 126 challenges, no easy spread, no narrow specialism that lets you carry a team. To finish anywhere near the top, you have to be credible across all of it:

  • Technical exploitation. Web, binary, and infrastructure challenges modelled on the vulnerability classes we actually meet on engagements, not the contrived puzzles older CTFs were guilty of.
  • Digital forensics. Memory and disk artefact analysis, log reconstruction, timeline building from incomplete evidence. The same muscle we use when we are pulled into incident work after the fact.
  • OSINT. Open-source reconnaissance against synthetic personas and infrastructure, scored by automated checks. No partial credit for a good story.
  • Cryptography. Classical and modern, covering both protocol weaknesses and implementation flaws.
  • Pressure. Most challenges have a hard ceiling on points, so staying productive across the window is part of what the event is measuring. By the second night, your judgement is the thing that wins or loses challenges, not your raw skill.

I have run enough internal exercises to know that breadth is a different problem from depth. You cannot place near the top of a 589-team international field by being narrowly excellent at one discipline. You have to be credible across all of them, under time pressure, with no scope document, no client SME on the call, and no ability to wave at something and call it out of scope. That is the bit that maps most cleanly onto real consulting work.

Why we keep doing this

I am the one who peer-reviews Pentiq engagements before reports leave the door, and I have strong opinions about what is in them. I want to see real exploit chains, real privilege transitions, and realistic attack paths. Not scanner output reformatted into a PDF, and not findings padded to fill a page count. That standard is only sustainable if the people doing the testing are continuously sharp, not just certified once and quietly rusting.

CTFs are one of the highest-signal ways we keep that edge. They expose the team to vulnerability classes outside our day-to-day client mix. They force fluent use of unfamiliar tooling, fast. They benchmark technical depth against an external, independently scored field. And they surface gaps quickly, because there is no way to bluff a binary exploitation challenge.

A 2nd in Great Britain finish, against 588 other teams that included large consultancies and university squads, is the kind of external benchmark I think clients should look for when they are choosing a testing partner. It does not replace CREST certification, methodology, or references. It complements them, with verifiable evidence that the people whose names appear on the engagement can actually do the work the report describes.

The team

The four of us who competed:

  • Devand MacLean
  • Ignas Petreikis
  • Jack Pringle
  • Lewis Warner (writing this)

Devand, Ignas, and Jack: huge well done. You carried this result, and it is a genuine pleasure to play alongside you. The next event is already on the calendar.

Verified results

If you want a tester-led assessment delivered by the people who hold this standard, get in touch or book a scoping call.

Found this useful?

Share it with your network on LinkedIn.

Share on LinkedIn
Previous Article

The GitHub Breach and the Developer Supply Chain: What the TeamPCP Cascade Means for Your Business

You might also like

Vulnerability Management

Known Exploited Vulnerabilities: How to Patch What Matters

How the CISA KEV catalogue transforms vulnerability prioritisation, where it fits alongside EPSS and CVSS, and a simple defensible workflow.

#vulnerability-management#prioritisation

Penetration Testing

How Often Should You Perform Penetration Testing?

Understand the factors that determine how often to schedule penetration tests, including compliance requirements, organisational complexity and change frequency.

#penetration-testing#pen-testing

Penetration Testing

External vs Internal Penetration Testing: Understanding the Differences

Learn how external and internal penetration tests differ, what each aims to uncover, and why both are essential to a comprehensive security programme.

#pen-testing#penetration-testing