2018 Shearwater Application Hackathon

2018 AppSec Hackathon Highlights!


Solo Player from Brisbane Claims Victory

Over 100 cybersecurity professionals, code developers and students walked in the shoes of a cybercriminal for the day to test their skills and learn new ways to defend against cyberattacks at the 4th annual Shearwater Application Security Hackathon.

Growing in popularity, and with many returning participants (we thank you for your continued support), the Hackathon expanded this year to include venues in Sydney, Canberra, Melbourne and Brisbane, as well as the opportunity to participate remotely.

Attracting cybersecurity specialists and software developers from a mix of commercial, government and consulting roles, plus a number of talented university students, participants went head-to-head in this Capture the Flag competition and unique style of training event.

At the end of the day the results were as follows:

2018 Winners

First Place Team Menace Ian Esplin – Security Analyst, Acumenis, Brisbane
Second Place Team YDT James Dickens – Software Developer, Your Development Team, Melbourne
Matthew Cullen – Cybersecurity Graduate, Telstra, Melbourne
Third Place Team ComeExploitMe James Goddard 
Joseph Hardman 

Ethan Hillas 

Paul Hossack
(All Macquarie University Students)

Powered by CMD+CTRL from Security innovation, this year’s challenge featured 2 fully functional targets including an eCommerce and HR website, with over 70 intentional vulnerabilities for participants to find and attempt to exploit.


Shred Retail, e-Commerce Website Comprising 35+ Vulnerabilities.


Account All, HR Website Comprising 40+ Vulnerabilities.

The challenges were designed to cater to a range of abilities and each challenge (ranging from SQL injection, password cracking, XSS, authorisation and business logic bypass, cryptanalysis, cipher cracking and more) was carefully chosen to simulate the vulnerabilities commonly found in commercial applications today.

Together, the participants solved 39% of the challenges in Account All and 33% of the challenges in Shred, finding 65% of the Basic, 54% of the Easy, 32% of the Medium and 19% of the Hard issues with many achieving the strongest point in the Security Misconfiguration category (56%).

But importantly, guided by cheat sheets, learning labs and application security and penetration testing experts from Security Innovation and Shearwater Solutions, participants experienced how quickly and easily a poorly protected application’s security can crumble.

This was demonstrated at this year’s Hackathon by several participants. In this year’s exciting finale, Ian Esplin, a solo player from Brisbane, jumped to the top of the leader board, ahead of second half leader Team YDT (James Dickens and Matthew Cullen, from Melbourne) with a last-minute creative SQLMap exploit to gain control of the HR target’s database.


Team Menace, AKA Ian Esplin, IT Security Analyst, Acumenis, Brisbane takes 1st place, plus the solo player award.

Following last year’s impressive win by Sydney’s Optus Macquarie University Cybersecurity Hub Students, the Hub returned, with their new team ComeExploitMe (James Goddard, Joseph Hardman, Ethan Hillas, Paul Hossack) taking 3rd place. Another of this year’s student teams, Stuxxy, 2 cybersecurity students from Deakin University (Daniel Deliva and Daniel Le Souef), deserve an honourable mention for leading the first half of the day, demonstrating the talent of Australia’s up-and-coming cybersecurity professionals.


Team YDT, AKA James Dickens & Matthew Cullen win second place.


Team ComeExploitMe, AKA James Goddard, Joseph Hardman, Ethan Hillas & Paul Hossack take 3rd place.

Team Menace wins the Shearwater Hackathon Trophy, a $1000 JB Hi-Fi gift card + the solo player award (North Face backpack.)

Team YTD wins a $600 JB Hi-Fi gift card

Team ComeExploitMe wins a $400 JB Hi-Fi gift card.

Shearwater’s annual Application Security Hackathon is open to individuals and teams of up to four participants. 

To register for a reminder for the 2019 Hackathon, simply subscribe using the form at the top of this page.

Return to top