Natto Thoughts: Hacking Contests & Training

The Tianfu Cup Returns Under MPS Leadership as AI Takes Center Stage

Eugenio Benincasa — Wed, 11 Feb 2026 14:02:47 GMT

The Tianfu Cup (天府杯), China’s premier exploit hacking competition,1 has returned to Chengdu, Sichuan Province, for its sixth edition, held from January 29 to 30, 2026. This time, under the organizational lead of China’s Ministry of Public Security (MPS), China’s domestic law-enforcement authority. Launched in 2018 after Chinese authorities barred domestic researchers from participating in international exploit competitions, such as Canada’s Pwn2Own, the Tianfu Cup emerged as a domestic alternative for high-end vulnerability research and exploitation.

2026 Tianfu Cup homepage. Screenshot by the Natto Team, taken on January 31, 2026, of the Tianfu Cup 2026 website.

After skipping three editions in 2022, 2024, and 2025, the competition has now reappeared, although the reasons for this hiatus and revival remain unclear. The event was first announced on China’s MPS website on January 16. On January 19, the Tianfu Cup’s account on the social media platform X appears to have briefly posted about the competition before deleting the post shortly thereafter. The following day, the event’s website (hxxps://tianfucup[.]cn) became inaccessible from outside China. By February 2, following the conclusion of the contest, the site appeared to have been taken offline entirely and remains inaccessible as of this writing. The Natto Team was nonetheless able to access the website for this piece, which includes screenshots of relevant information, as well as MPS and private company press releases that remain accessible.

Building on earlier analyses of past Tianfu Cup events by the Natto Team and the From Vegas to Chengdu report from the Center for Security Studies at ETH Zurich, this piece examines what has changed with the Tianfu Cup’s return and why it matters. It analyzes the shift from a commercially led competition to one organized almost entirely by the MPS, specifically the Sichuan Provincial Public Security Bureau. It then looks at the structure of the 2026 edition and its two tracks, including evidence of AI-assisted techniques being used in vulnerability discovery and exploitation. Finally, it explores what remains the most consequential and unresolved question: where vulnerabilities discovered at the Tianfu Cup are likely to end up, and what this suggests about China’s evolving approach to vulnerability retention and state control.

A complete list of competition targets, as disclosed on the 2026 Tianfu Cup website, is reproduced in the appendix at the end of this piece.

Business Priorities of Chinese Cyber Range Providers Go Hand in Hand with State Cyber Capability Development

Eugenio Benincasa — Wed, 09 Oct 2024 16:02:09 GMT

This post is co-authored by the Natto Team and Eugenio Benincasa, a senior researcher at the Center for Security Studies at the Swiss Federal Institute of Technology Zurich (ETH Zurich). The report by Benincasa and Dakota Cary, Strategic Advisory Consultant at SentinelOne, titled “Capture The (Red) Flag: An Inside Look into China’s Hacking Contest Ecosystem,” is published by the Atlantic Council in October. The report examines over 120 hacking contests in China since 2004 and delves into the key elements of China’s hacking contest ecosystem, such as growth enablers, competition hosts, and cyber range providers, while highlighting specific contests associated with China’s government security agencies.

In September 2024, the FBI announced the seizure of a botnet operated by Integrity Technology (Integrity Tech), a Chinese information technology company linked to cyber threat group Flax Typhoon, which targeted critical infrastructure globally, including in the U.S. and Taiwan. The Integri…

Matrix Cup: Cultivating Top Hacking Talent, Keeping Close Hold on Results

Eugenio Benincasa — Wed, 24 Jul 2024 16:01:39 GMT

The Natto Team is honored to invite Eugenio Benincasa, a senior researcher at the Center for Security Studies at the Swiss Federal Institute of Technology Zurich (ETH Zurich), to co-author this post. Eugenio’s report “From Vegas to Chengdu: Hacking Contests, Bug Bounties, and China’s Offensive Cyber Ecosystem” is a must-read to understand how China's  offensive cyber ecosystem thrives by leveraging civilian hackers who excel in major hacking competitions and bug bounty programs.

China’s brand-new hacking contest, Matrix Cup (矩阵杯), was inaugurated in May 2024 in Qingdao, Shandong Province, and introduced as a “high-profile and large-scale cybersecurity competition in the Eastern Hemisphere.” This is no exaggeration. Organized by 360 Digital Security Group and Beijing Huayunan Information Technology Co. (also known as VUL.AI), the Matrix Cup brings together China’s highly influential actors from academia and the private sector, featuring various types of challenges and offering substanti…

Tianfu Cup 2023: Still a Thing

Natto Team — Thu, 16 Nov 2023 23:04:58 GMT

Tianfu Cup (TFC) 2023, China’s prestigious answer to the annual hacking competition Pwn2Own, took place from October 31 to November 1 in Chengdu, Sichuan Province this year. Compared to last, this year’s competition generated little overseas media coverage or chatter among overseas security researchers. Nevertheless, Natto Team observed some noteworthy changes and features in this year’s Tianfu Cup.

Screenshot by the author, taken November 15 2023 of Tianfu Cup 2023 website. Source: Tianfu Cup

What is the Tianfu Cup and How Did it Catch Western Media Attention Previously?

Tianfu Cup, officially described as a hacking competition and international cybersecurity summit, was born in 2018 at a time of upheaval in China’s approach to information security research. China had prohibited its own security researchers from participating in international hacking competition, and Chinese industry experts proposed to the government that vulnerabilities should be considered as national strategic re…