Alum’s Thriving Cybersecurity Business Teaches Clients to Think Like Hackers

A toothpick flag stuck in a circuit board

MetaCTF utilizes a computer security exercise called “Capture The Flag,” in which hidden clues are secretly placed in purposely vulnerable programs or websites. (Illustration by Alexandra Angelich, University Communications)

The funny thing about MetaCTF is that it was never meant to be a company.

Roman Bohuk was simply a kid geeked out on computer science when the business first took root.

As a 10th-grader at Deep Run High School in Richmond, Bohuk and his friend Jake Smith attended a cybersecurity competition and came away so intrigued that they decided to hold their own. And that competition was so successful that a major university and several companies reached out to Bohuk and his friend about putting on more events.

But it wasn’t until he was a first-year student at the University of Virginia – and so many customers were still reaching out to him – that Bohuk saw the potential for a full-time cybersecurity business.

In 2018 Bohuk and Smith, Rodman Scholars in UVA’s School of Engineering who majored in computer science, added two fellow UVA students, Marina Sanusi and Mariah Kenny, to their team. A year later, MetaCTF became incorporated. It now claims dozens of companies and universities around the world as clients.

The company’s calling card is hands-on, interactive and learning-based competitions and trainings that make it easy to acquire new cybersecurity skills.

UVA alumnus Roman Bohuk wears a blue puffy vest and stands in front of a lake

Roman Bohuk first became interested in cybersecurity when he was in the 10th grade. (Contributed photo)

Since 2019, MetaCTF has organized almost 100 competitions for more than 15,000 participants all over the world. The “CTF” in the company’s name stands for Capture The Flag, a computer security exercise in which flags are secretly hidden in purposely vulnerable programs or websites.

UVA Today caught up with Bohuk – a native of Belarus who moved to Richmond in 2011 and was part of three consecutive national cybersecurity championships while at UVA – to learn more.

Q. What kinds of things interested you when you were a kid? What were your hobbies?

A. I was always into mathematics and natural sciences. All my toys were either puzzles or some form of an educational kit, so I spent hours playing around and tinkering with magnets, batteries, wires, chemistry kits, modeling clay, cardboard and random things I’d find outside when I was little.

Q. What attracted you to the cybersecurity field?

A. My interest in mathematics and engineering turned into a passion for computer science sometime around eighth grade. That’s when I first started to learn what programming was, and I ended up getting into a specialty program for information technology at my high school. There, I got involved in cybersecurity clubs and competitions and got to know a few cybersecurity professionals who came to our school as mentors and invited us to conferences. This, and our progress with MetaCTF, convinced me to pursue cybersecurity as a career.

I love cybersecurity because it requires you to have some understanding of almost every area of computer science: programming, web development, networking, operating systems, assembly, a bit of electrical engineering, and more. I’ve always considered myself to be a tech generalist, and I loved working with systems that had a lot of moving parts. Cybersecurity appealed to me because of that.

Q. How is MetaCTF different than other cybersecurity companies out there right now?

A. We specialize in cybersecurity training and recruiting. Our platform is very versatile, and we provide a range of services to a variety of companies. Some companies use it to provide supplemental or onboarding security training. Others use it for companywide engaging cybersecurity events, and others use it to source and screen technical candidates to fill their cybersecurity job openings.

Group photo of seven people wearing orange shirts and name-tags in a large conference room

Roman Bohuk, third from left, started MetaCTF while he was a UVA undergraduate. (Contributed photo)

There are a lot of companies out there that focus on basic security awareness training – boring videos teaching you how not to click phishing links – and a lot of companies that focus on specialized technical security training for security professionals or folks with a lot of technical experience. We fall somewhere in the middle. Our trainings are engaging and hands-on.

Q. Can you give UVA Today readers an example of the type of competition or training session that you hold, and how that helps your clients learn cybersecurity skills?

A. As opposed to presentations and videos, our trainings are completely hands-on, and they simulate real-world scenarios. They often have a competitive element, which makes it very engaging. For example, instead of warning web developers about the dangers of SQL [structured query language] injection, we create a website that is vulnerable by design and ask them to break into it themselves.

In order to secure something or write secure code, you have to know how a system works at every level and how the different moving parts work together. One of the best ways to learn that is by breaking that system. Participants are expected to research and use the internet to solve these challenges. Sometimes, we mimic the services developed by that company and have participants find and exploit flaws in that. We help developers and employees think as “hackers.”

These training sessions usually last anywhere from two hours to multiple days, and they can work well for participants at any skill level. For folks who are not technical, the challenges consist of technical puzzles that help them peek inside the black box and think about technology from a different perspective. Companies found this to be much more engaging than forcing their employees to watch videos or listen to death-by-PowerPoint lectures.

Q. President Biden warned U.S. business leaders about possible Russian cyberattacks. Just how vulnerable do you think some American companies are right now? Are there any precautions or safeguards that can be taken at this late juncture?

Very vulnerable. Small businesses, who often cannot afford a dedicated cybersecurity staff, are just as good of a target as any big corporation. Many technical employees lack sufficient cybersecurity training, and I am still regularly surprised by stumbling on rudimentary vulnerabilities in random public websites.

There are plenty of resources online that cover best practices, but in my opinion, security starts with having a good idea of what exists on your network. If you don't know what data you have and where it is, you can’t keep it safe. From there, you can figure out your attack surface, enumerate potential threats, and patch every hole you find one by one. This is definitely a generalization, but it’s a helpful way to get started.

There is a common saying that it’s a matter of when you get hacked, not if. Having a good incident response plan in place is just as important.

Q. What do you think is the biggest misconception about cybersecurity?

A. It seems that many people think that cybersecurity is just something that you can add on at the end after a product is already created. We want to help create a digital world that is secure by design.

There are some basic vulnerabilities out there, like cross-site scripting and SQL injection, that everyone has probably heard about over a hundred times. Despite that, they’re still extremely common, and many websites are less secure than people think. Computer science and programming are very hot topics right now, and many people start working in the field and developing applications and creating software without learning any basics of cybersecurity.

Q. Who were your biggest mentors at UVA, and how did they help get you to where you are today?

A. Darden School of Business lecturer Damon DeVito has been a great adviser to our company, and there is no way we would have made as much progress with MetaCTF without him. Professor Dana Elzey has been a great and inspiring role model of an engineer.

I love cybersecurity and computer science, but I also love building and designing things just as much. Professors Mark Floryan and Aaron Bloomfield helped foster a great student-faculty community in the computer science department, which I was fortunate to be a part of. Professors Jack Davidson and Yonghwi Kwon have been very supportive of our security club and enabled us to participate in all of the competitions that we did.

Media Contact

Whitelaw Reid

University of Virginia Licensing & Ventures Group