pathwar: an open playground for cybersecurity
Pathwar is a platform for learning cybersecurity by doing. seasons run like e-sports leagues, every challenge is randomized so nobody can copy a friend’s solution, and your CV grows out of what you actually solve. open source, self-hostable, and built so anyone can author their own challenges.
a project with history
it didn’t start with me. it started in 2010, inside ECS (Epitech Security Lab), under the name Thot Project — an anarchic hub for learning cyber. anarchic because almost anything was fair game. lead opponents down false trails, mess with their access to a level, defend with your wits. the original platform even had a Hall of Deface, where solving a challenge let you upload a screenshot of your own “work” to a public wall. unhinged, brilliant, very 2010.
years later, Manfred Touron took the project over with bigger ambitions. rebuild it from scratch as something that could teach real vulnerabilities, randomize away the cheat-sheet problem, and let anyone author or self-host their own version. seasons modeled on e-sports. a CV that grows from what you actually solve. those were the goals.
i’m now leading development. the platform is still maturing, but the core is in place — script injection that randomizes each challenge at start time, the seasons-based competition system, an event-driven backbone for resilience, team play, and full open source so anyone can contribute.
under the hood
Pathwar is Golang end to end. internal services talk to each other over gRPC, with an HTTP gateway exposing the web client. every action flows through an event-driven pipeline (recorded first, processed after) so the entire state of the platform can be rolled back at any point. on a system where players are actively trying to break things, that resilience matters more than almost anywhere else.
challenges run in standardized containers behind an Nginx reverse proxy. when one starts, the Pathwar magic kicks in — an init script is injected to randomize the instance, so two players never face the exact same puzzle. authentication is pluggable through a module called pwsso, with auth0 as the default and public keys pulled from the iss claim to verify tokens. on the front-end, JS, React, and Tabler, with Redux holding the state. PostgreSQL underneath it all.
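one way to do that iss-based key lookup safely, as an added example that is not pwsso's own code: the iss claim is read before the signature is checked, so it may only select a key from a pinned set of issuers, and the algorithm is pinned as well. assumptions: the in-memory `trusted` map stands in for keys fetched from each issuer, EdDSA is swapped in for whatever algorithm the real tokens use so the block stays stdlib-only, the names `Verify` and `Sign` and the issuer URLs are constructed, and expiry and audience checks are left out.

```go
package main

import (
	"crypto/ed25519"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

var b64 = base64.RawURLEncoding

func decode(seg string, v any) error {
	return json.NewDecoder(base64.NewDecoder(b64, strings.NewReader(seg))).Decode(v)
}

// Verify checks a compact JWT and returns its sub claim. The unverified iss value is
// used only as an index into trusted (assumed pinned issuer keys); alg is pinned to EdDSA.
func Verify(token string, trusted map[string]ed25519.PublicKey) (string, error) {
	parts := strings.Split(token, ".")
	var hdr struct{ Alg string }
	var claims struct{ Iss, Sub string }
	if len(parts) != 3 || decode(parts[0], &hdr) != nil || decode(parts[1], &claims) != nil || hdr.Alg != "EdDSA" {
		return "", errors.New("malformed token or unexpected alg")
	}
	key, ok := trusted[claims.Iss]
	if !ok {
		return "", fmt.Errorf("untrusted issuer %q", claims.Iss)
	}
	sig, err := b64.DecodeString(parts[2])
	if err != nil || !ed25519.Verify(key, []byte(parts[0]+"."+parts[1]), sig) {
		return "", errors.New("bad signature")
	}
	return claims.Sub, nil
}

// Sign builds a constructed sample token; it exists only to feed Verify.
func Sign(priv ed25519.PrivateKey, iss, sub string) string {
	c, _ := json.Marshal(map[string]string{"iss": iss, "sub": sub})
	body := b64.EncodeToString([]byte(`{"alg":"EdDSA"}`)) + "." + b64.EncodeToString(c)
	return body + "." + b64.EncodeToString(ed25519.Sign(priv, []byte(body)))
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(nil)
	trusted := map[string]ed25519.PublicKey{"https://sso.example.test/": pub}
	fmt.Println(Verify(Sign(priv, "https://sso.example.test/", "player1"), trusted))
	fmt.Println(Verify(Sign(priv, "https://evil.example.test/", "admin"), trusted))
}
```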
what’s next
Pathwar is built to support every kind of challenge — web, reverse, pwn, crypto, network. the long bet is to become the reference platform for serious cybersecurity training, with a skills-tracking system that turns hours spent solving real problems into a CV that means something, because it was earned in the open.
if any of this resonates, follow along. there’s a lot still to build.