What is the NSA Codebreaker Challenge?

The NSA Codebreaker Challenge provides students with a hands-on opportunity to develop their reverse-engineering / low-level code analysis skills while working on a realistic problem set centered around the NSA's mission.

While the challenge is intended for students, professors are encouraged to participate as well. Furthermore, the site was designed to make it easy for those professors interested in incorporating the challenge into their courses to do so (see the additional FAQ entries below.)

Who can participate?

Anyone with an email address from a recognized U.S. school or university may participate in the challenge. All players register and login individually. If your school's domain is not recognized during registration, please complete this form to Request Access. The form only needs to be completed once per institution. If there are further questions, you can email the Codebreaker support team at codebreaker@uwe.nsa.gov. We are also permitting those with .mil/.gov addresses to participate for training purposes, but results from .mil/gov participants (with the exception of military academies and other educational institutions) will not be displayed on the public leaderboard since this is meant to be an academic competition.

Why should I learn software reverse engineering?

Reverse engineering is a crucial skill for those involved in the fight against malware, advanced persistent threats, and similar malicious cyber activities. As the organization tasked with protecting U.S. government national security information systems, NSA is looking to develop these skills in university students and prospective future employees. NSA isn’t the only organization interested in these skills - many Fortune 500 companies are also looking for individuals with reverse engineering abilities, as they work to protect their corporate computer systems and networks. In addition, the same techniques used to reverse engineer an unknown binary can often be applied to diagnose and fix bugs in your own applications, especially if they are low-level / hard to find. It is important to note that reverse engineering might violate the End User License Agreement of some software packages and/or be considered illegal in certain cases. Always check with the appropriate copyright holder / legal counsel if unsure.

Are the binaries on this site safe to run on my computer?

We wrote the code for these challenge binaries (with the exception of several other libraries that are statically linked) and our testing hasn’t indicated any negative side effects, but ultimately you must use these at your own risk. As a general rule, we encourage you to take precautions before running any questionable executables on your machine. For instance - running these in a virtual machine environment is a good first step to take. Directions on setting up a virtual machine for testing can be found in the 'Technical Resources' section of this page.

We have heard that the 2014 challenge binary may get flagged as being malicious by some anti-virus software. Again, that one should be safe as well, but taking precautions just in case is advised.

What do I do if I'm having problems with the site?

You can use the "Get Help" tab at the bottom of the page for help or any type of feedback. If that isn't working (or not available because you cannot login) then email us at: codebreaker@uwe.nsa.gov

For professors - What is the process for verifying that a student has completed the challenge?

The site includes a "sharing" feature that everyone can use to share their progress with other players. Register for the challenge, then ask each student to share their progress with you by entering your email address into their "followers" list. You can then view each students' completion time on each individual task of the challenge. See the sharing page accessible under the rightmost menu.

What steps are in place to prevent cheating?

Each player receives a slightly different set of challenge binaries and associated files, making it unlikely for one person's solution to work for someone else. All Participants are reminded that "Tasks are to be solved on your own, so collaborating with others on those [to solve] is cheating."

How does scoring work?

Our scoring system aims to incentivize participation, but prioritizes the success students achieve on the tasks. Only student registration and progress (not alumni, faculty, or others) is used to calculate the school's score.


  • All calculations are done within the context of the school's division, which is assigned based on the number of registered students.

  • The final score is the sum of all of the task scores.

  • For each task, a school's score is the weighted sum of two parts: A) the points for reaching a task, and B) the points for successfully completing ("passing") the task.

    • Task 0 is optional and worth 0 points.

    • For Task 1, each school's points calculation is weighted with 10% for part A and 90% for part B.

    • For all other tasks, the part A weight is either: 5% for schools with a pass percentage below the median pass percentage of schools in their division, or 0% otherwise.

  • The part A value is the number of students who have reached the task, minmax normalized with each school in the division, times 100,000 possible points.

  • The part B value is the product of a task difficulty measure (D), and transformed measurement (M) of the school's pass percentage vs the division's pass percentage without the school, times 100,000 possible points.

    • The task difficulty measure (D) is the geometric mean of 2 failure rates, the "local" rate and the "global" rate. These rates are calculated over the other schools in the division, excluding this school.

      • The local failure rate is the number of students in the division who have reached the task, but not passed it, divided by the number who have reached it, whether they passed it or not.

      • The global failure rate is the number of students in the division who have passed Task 1 (the "baseline" task) but not passed this task, divided by the number of students in the division who have passed Task 1.

    • The final step calculates (M) the sigmoid transform with k=1/3 of the natural logarithm of the school's pass percentage divided by the division's pass percentage without the school.

Are there awards for students and schools?

  • Schools will be grouped into divisions based on their number of registred students at the end of the challenge.

  • Schools ranked 1st in each division 1, 2, and 3 will receive a first place award.

  • Schools ranked 1st thru 5th in each of division 1, 2, and 3 will receive a letter of recognition.

  • The school with the most students registered will receive a participation award.

  • High performing students (those who completed task 5) will receive an NSA fidget spinner and a letter of recognition.

  • Students who complete all tasks will receive the NSA Codebreaker medallion and a letter of recognition.