Contact us

      What we do

      At KPMG in India’s Digital Trust – Cyber Defense Incident Response (CDIR) team, we work at the intersection of cybersecurity, risk intelligence, and innovation. From breach and attack simulations to global security assessments, from OT security to incident response and from secure coding to developing secure products we help clients secure their digital ecosystems and prepare for tomorrow’s threats. Our work spans industries and borders, and we’re constantly evolving to stay ahead of the curve.

      ‘Capture the Flag 2025’ is not just a competition-it's your gateway into the heart of KPMG in India’s Digital Trust practice. Designed exclusively for lateral hires, this event blends technical acumen with real-world scenarios to test your readiness for the challenges we tackle regularly.

      As we step into an era where AI is reshaping the cybersecurity landscape, this ‘Capture the Flag’ is more than a challenge-it's a proving ground. We’re looking for individuals who can think critically, adapt swiftly, and collaborate with purpose. This is your chance to join a team that thrives on cyber innovation and delivers impact

      Sony Anthony

      Partner and Head – Cyber Defense and Incident Response, Global Head – Cyber in Deals

      KPMG in India

      Sony Anthony

      Important dates to remember

      Registration


      3 July 2025 to 17 July 2025

      Hackathon


      19 July 2025 10:00 a.m. to 19 July 2025 9:59 p.m. 

      Results


      23 July 2025

      Hackathon categories  - Get ready to explore six core domains that define our work

      OT security
       

      Defend industrial systems and critical infrastructure, with hands-on experience in Industrial Control Systems (ICS)/Supervisory Control and Data Acquisition (SCADA) penetration testing, protocol fuzzing (Modbus, OPC, Zigbee, WirelessHART), firmware and hardware exploitation, Programmable Logic Controllers (PLC)/Remote Terminal Units (RTU) attack simulation, and use of specialised tools to identify and exploit vulnerabilities across industrial and embedded systems.

      Python scripting 
       

      Automate, analyse, and exploit with precision; including exploit development, vulnerability scanning, payload generation, API interaction, log parsing, and tool integration, building custom scripts for penetration testing, threat hunting, and red teaming across diverse environments.

      AI security 
       

      Secure intelligent systems and machine learning pipelines, adversarial attacks (evasion, extraction, inference), model fuzzing, data poisoning, prompt injection, API abuse, with hands-on experience in exploiting vulnerabilities across AI pipelines and evaluating model exposure to real-world threats.

      Cloud penetration testing 
       

      Uncover vulnerabilities in cloud environments, with hands-on experience in cloud penetration testing, misconfiguration exploitation, privilege escalation, API abuse, container and serverless attack vectors, and red teaming across AWS, Azure, and GCP. 

      DevSecOps
       


      Integrate security into every stage of development, encompassing secure CI/CD pipeline integration, automation via scripting, Infrastructure as Code (IaC), container and cloud security, monitoring and alerting, and effective cross-functional communication.

       Red teaming 
       


      Simulate adversaries and test organisational resilience across IT infrastructure, web, mobile, and thick client applications, with expertise in manual and automated penetration testing, red teaming, vulnerability exploitation, and threat simulation with deep knowledge of network protocols, OS internals, and application security standards (OWASP, NIST, CIS). 

      The flags are hidden. The vulnerabilities await. The leaderboard is yours to climb.

      Whether you're a seasoned professional (one to three years’ experience) this is your chance to prove your mettle.

      Capture the Flag, 2025 - Registration form

      We would appreciate if you could spare a few minutes to register for Capture the Flag 2025 competition

      Register now

      Who can participate?

      • Candidates with one to three years of experience in cybersecurity or related fields, and at least one recognised security certification such as OSCP, CEH, or equivalent
      • The winners of the hackathon may get the opportunity to work with and learn from the cyber security team at KPMG in India in one or more of the above roles (please refer to our website for detailed JD), at the sole discretion of KPMG in India

      * Please note that participation in this event is not a guarantee of an offer at KPMG in India   

      • Who can participate in the hackathon event?

        The event is open for all people who have one to three years of relevant cybersecurity experience. KPMG in India reserves the right to not register people who have applied who do not meet these criteria or falsify this criteria on the registration form.

      • Do I need any prior experience in cyber security to participate?

        Yes, prior experience in cybersecurity is a must. Review the skillsets highlighted in the sections above, as they will form the basis for the ‘Capture the Flag’ (CTF) challenges.

      • Is this an online event?

        Yes, this is a virtual event. The registered participants will receive the details about the event on their registered contact details.

      • What would I need to participate in the event?

        Participants would require a laptop with internet access. Certifications in cyber security is a requirement but not mandatory.

      • Would I need to install a software?

        The CTF includes advanced challenges covering domains like AI/ML security, OT/IoT exploitation, cloud penetration testing, and infrastructure red teaming, having to tools commonly used to conduct security testing in these areas will help in solving the challenges. Refer skillsets highlighted in the sections above for more details.

      • Can I participate individually, or do I need to form a team?

        You would be required to register as an individual. The platform is equipped to monitor duplication of efforts and any submissions that are found to be collaborative will be disqualified. This is not a team event. Any sharing of flags or logging in from more than 5 IP addresses will be considered as a disqualification criteria.

      • Will there be any training or workshops to prepare for the event?

        No, the event itself is designed to be a learning experience. However, we may share some reading materials or links to publicly available platforms for your practice.

      • What is the scoring mechanism for the challenges?

        The event will include challenges that will have different points awarded based on the difficulty of the challenges. Once the candidate solves the challenges a flag will be presented which would have to be submitted onto the platform where it will be tracked. 

      • Would there be any negative marking?

        The platform allows you to submit a flag a limited number of times for every challenge. Once the limit is crossed the participant will not be allowed to submit the flag. Any brute force attempts detected on the flag submission portal will lead to disqualification. 

      • Will there be any support available?

        The platform allows you to take hints for every challenge. However, every hint will cost points. There will be open communication channels available to participants if they face any difficulties. However, this is for access related issues only and no help will be provided to solve these challenges. 

      For any further inquiries, please contact our team

      Access our latest insights on Apple or Android devices

      kpmg-insights-edge-qr