
The next generation of cybersecurity pros drills in the dojo

ASU faculty member Yan Shoshitaishvili’s pwn.college learning platform goes from pet project to global phenomenon

by Kelly deVos | Mar 14, 2024 | Features, Research

Yan Shoshitaishvili, an associate professor of computer science in the Ira A. Fulton Schools of Engineering at Arizona State University, poses for a photo in a research lab on ASU’s Tempe campus. Shoshitaishvili has created pwn.college, which is becoming the definitive global cybersecurity training platform. Photographer: Erika Gronek/ASU

Tales of massive data breaches at well-known companies like Bank of America, American Family Insurance and T-Mobile dominate the national news. The Internet Crime Report compiled annually by the U.S. Federal Bureau of Investigation warns of alarming growth in cybercrime, with official complaints increasing by more than 300% each year and reported financial losses set to exceed $10 billion annually.

Meanwhile, there are an estimated 3.5 million unfilled cybersecurity jobs worldwide, around 750,000 of which are in the U.S.

Dangerous hackers are stealing our data and our dollars.

Yan Shoshitaishvili, an associate professor of computer science and engineering in the Ira A. Fulton Schools of Engineering at Arizona State University, has come to stop them.

Shoshitaishvili plans to fill the jobs pipeline with a well-qualified, dedicated cybersecurity workforce that can beat the hackers at their game because these pros have learned to play that game and win.

With his innovative project, pwn.college — a distinct combination of an educational curriculum, a competitive practice environment and a set of communication tools to help students learn collaboratively — Shoshitaishvili, a faculty member in the School of Computing and Augmented Intelligence, part of the Fulton Schools, has developed an effective system to train the next generation of cybersecurity professionals.

And the world is taking notice.

Today, pwn.college is used in 145 countries and is on the path to becoming the gold standard for cybersecurity training. The idea for the project was inspired by Shoshitaishvili’s own experiences as a computer science student, when he developed a love for participating in “capture the flag” hacking competitions.

“I learned a programming language called assembly through a series of hacking challenges and that was absolutely game-changing for me,” he says. “It really exposed the underpinnings of computing in a way that I just hadn’t experienced before.”

In real life, capture the flag is an outdoor game where two teams compete to be the first to retrieve a flag or marker from the opposing team’s territory or designated base.

A similar activity can be played in a computing environment in which a software engineer hides a cryptographic token, typically a short line of code, in part of a system that is supposed to be secure. To win the game, the hacker must identify security vulnerabilities, bypass them and find the hidden line of code.

“The awesome thing about teaching from this offensive perspective is that if a student can hack a certain program, they know that specific attack,” Shoshitaishvili says. “It becomes a lot easier to design a defense that blocks the attack. These competitions build confidence and skill.”

But many organizations, like the popular hacking convention operator DEF CON, hold competitive events and conferences only a few times each year.

When Shoshitaishvili began to design his own teaching curriculum, he knew that would never be enough.

Practice makes perfect

Because fighting the rise in cybercrime would require a new approach, Shoshitaishvili turned to colleague Adam Doupé, a Fulton Schools associate professor of computer science and director of the Center for Cybersecurity and Trusted Foundations, to discuss what the future of cybersecurity training might look like.

“I said something along the lines of ‘Why don’t we teach cybersecurity and hacking skills like we do sports?’ When practicing for a sport, you drill the basics over and over so that they become second nature,” Doupé says.

The pair settled on the concept of an online dojo, a Japanese term for a hall where karate and judo are practiced, that was likely to resonate with students who are fans of martial arts films, anime and manga.

Early on, Shoshitaishvili was approached by his computer science doctoral student Connor Nelson, who wanted to get in on the ground floor of the groundbreaking project. Nelson took Shoshitaishvili’s curriculum and put it to work on the dojo website.

The pwn.college site was initially designed to work with the in-person curriculum of live ASU classes, including CSE 365 Intro to Cybersecurity and CSE 598 Advanced Software Exploitation. Shoshitaishvili converted his lesson plans into a series of modules that students could work through in tandem with class instruction. Each consists of a variety of resources including tutorials and recorded introductions. To finish a module, a student must successfully complete a series of capture-the-flag exercises. The results are displayed on a leaderboard, fostering a spirit of friendly competition.

Just like in a real dojo, each time students complete a module they can earn belts. An entry-level computer science student begins with a white belt. After completing all modules, a student hacker can earn a blue belt. Shoshitaishvili held belting ceremonies throughout each semester to reward students for their progression through the dojo.

Everything was going great.

Then came the COVID-19 pandemic.


Shoshitaishvili (left in both photos) and computer science doctoral student Connor Nelson (right in both photos) prepare to present pwn.college belts to students who have completed cybersecurity training modules at the 2023 DEF CON Capture the Flag afterparty in Las Vegas (shown left) and on the ASU campus in 2024 (shown right). Images courtesy of Connor Nelson

When the student is ready, the master will appear

With much of the world in lockdown and most university campuses closed, Shoshitaishvili was forced to consider how to get vital instruction to students stuck at home.

He noticed that many schools were using Zoom to conduct online classes, but Nelson, who would go on to receive his doctoral degree for his pwn.college research, advocated for streaming lectures on Twitch and building an online community on Discord, two platforms already popular with hackers due to their connection to electronic gaming.

“Zoom works fine enough but the vibe is a little boring and corporate. But Twitch is fun. It’s built for gamers!” Nelson says. “Also, honestly, a text-based chat room for fielding student questions and getting feedback asynchronously works a million times better than trying to play the online microphone interruption and shuffle game.”

As Shoshitaishvili live-streamed his lockdown lectures, he noticed that the controlled chaos resonated with students. One of his most popular Twitch lectures features the instructor discussing return-oriented programming with his baby daughter in a carrier attached to his back.

The pwn.college Discord server is also popular with student hackers.

“The Discord community is a great place to bounce ideas off of people or ask for hints when I’m stuck,” says Samuel Zhu, a graduate student studying computer science and a pwn.college white belt. “The community there is super helpful without giving out answers. People are there for the struggle and the learning, and that makes me very invested too.”

Even after the return to in-person learning as the pandemic waned, Shoshitaishvili saw great value in maintaining the online communities. He believes that having different learning modalities is a key part of the success of his project.

“There is an interesting online phenomenon where there are people who will never ask a question in class. They’re terrified of it,” he says. “But they’ll ask on Twitch all day long. They will chat or share code on Discord. These tools enable a lot of people to fully participate.”

The final piece of the puzzle was the development of SENSAI, a personalized tutor powered by artificial intelligence that develops insights from the dojo platform and can help students progress when they need help.

“Students might not want to reach out on Discord for every small thing. Or maybe it’s the middle of the night and a student gets stuck,” Shoshitaishvili says. “Now, users can ask SENSAI for help.”

With SENSAI in place, the dojo is always open.


The pwn.college platform is used in 145 countries and provides a cybersecurity curriculum for colleges and universities all over the world. Graphic courtesy of Connor Nelson

The future is now

Universities throughout the world are starting to use pwn.college as their cybersecurity curriculum, with the program in place at schools in the United Kingdom, Italy, Singapore, South Korea, Georgia and India.

In 2023, cybersecurity students around the world spent more than 1.5 million hours drilling in the dojo. In the short span of a few years, the site has grown from a handful of users to nearly 14,000 registered users and is awarding more than 800 belts each year.

Shoshitaishvili, who also serves as the associate director of workforce development of the Center for Cybersecurity and Trusted Foundations, is looking at potential applications of the pwn.college system for enterprise and government sectors.

“Adequately protecting the nation and the world from cybersecurity threats is one of the most pressing challenges in computer science today,” says Ross Maciejewski, director of the School of Computing and Augmented Intelligence. “Shoshitaishvili’s work will ensure that the talent needed to tackle these challenges is in rapid development.”

Branden Yang, a green belt and senior undergraduate student studying computer science and cybersecurity, believes that pwn.college will help him in his life beyond college.

“More than anything, I think pwn.college has really taught me how to learn,” he says. “I know how to ask good, specific questions and how to get information about techniques. I understand how to take cybersecurity concepts and use them to solve real problems.”

About The Author

Kelly deVos

Kelly deVos is the communications specialist for the School of Computing and Augmented Intelligence. She holds a B.A. in Creative Writing from Arizona State University. Her work has been featured in the New York Times as well as on Vulture, Salon and Bustle. She is a past nominee for the Georgia Peach, Gateway and TASHYA book awards.
