Rob Noeth

From the Forge: Certificates, Capture the Flag, and a Satchel of Your Own

Last month I teased Certificates and Badges. This month they’re shipped.

On top of that cert work we shipped something a bit sooner than I’d originally planned: Capture the Flag events. A whole event format, built right into Guardian Foundry. You use your existing account or register with a magic link, solve challenges, climb a live leaderboard, and at the end you get a signed badge you can drop straight onto socials.

There’s also a quieter piece in this release window that I’m just as proud of. It’s called My Satchel, and it’s the second feature (after the skill sheet) on the platform that exists purely to make Guardian Foundry feel like yours. One page for the things you’re working on, the things you own, and the things you flagged for later. It’s small, but I think it changes the posture of the whole platform.

Certificates and Badges

Badges have been quietly running inside Guardian Foundry for a while now. They tracked your achievements just fine. The problem was that nobody outside Guardian Foundry ever saw them. Hiring managers don’t look at your in-app dashboard. They look at LinkedIn. So I built the rest of the pipeline.

Eventually, every quest and campaign you finish will auto-award a certificate or badge. No staff in the loop, no waiting. Each cert gets a public verify page that anyone with the link can open. You can download the PNG or the PDF, and there’s a one-click “Add to LinkedIn Profile” button that pre-fills LinkedIn’s form with the right name, issuer, and a deep link back to your verify page. It will generate an X post as well, if you so choose.

The credentials are independently verifiable too. The JSON-LD export is signed with RS256 and published as Open Badges v3.0, with a JWKS endpoint at /.well-known/jwks.json. Any OBv3-compliant verifier can validate the cert without Guardian Foundry having to be online for it. There’s a scannable QR overlay on the rendered cert so a recruiter looking at a printed copy can validate it with their phone. Your skill sheet got new Certifications and Badges sections to show off everything you’ve earned.
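The offline check described above, as an added example (not Guardian Foundry's code): a verifier holding a cached copy of the JWKS validates an RS256-signed credential with no call back to the issuer. It assumes the credential arrives as a compact JWS whose header carries a `kid`; the key pair, the `kid` value and the payload fields are constructed for the demo.

```javascript
// Added example: RS256 verification of a badge JWS against a JWKS (all values constructed).
const crypto = require('node:crypto');

const b64u = (x) => Buffer.from(x).toString('base64url');

// Constructed issuer key; JWKS stands in for what /.well-known/jwks.json would serve.
const { publicKey, privateKey } = crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
const JWKS = { keys: [{ ...publicKey.export({ format: 'jwk' }), kid: 'demo-key-1', alg: 'RS256', use: 'sig' }] };

// Issuer side (demo only): sign a constructed credential payload as a compact JWS.
function signBadge(payload, kid = 'demo-key-1') {
  const input = `${b64u(JSON.stringify({ alg: 'RS256', kid }))}.${b64u(JSON.stringify(payload))}`;
  return `${input}.${crypto.sign('sha256', Buffer.from(input), privateKey).toString('base64url')}`;
}

// Verifier side: needs only the JWS and a (possibly cached) copy of the JWKS.
function verifyBadge(jws, jwks) {
  const parts = jws.split('.');
  if (parts.length !== 3) return { ok: false, reason: 'malformed' };
  let header;
  try { header = JSON.parse(Buffer.from(parts[0], 'base64url').toString('utf8')); }
  catch { return { ok: false, reason: 'malformed' }; }
  // Pin the algorithm: the token must not be able to select "none" or an HMAC variant.
  if (header.alg !== 'RS256') return { ok: false, reason: 'unexpected alg' };
  // Select the key by kid; an unknown kid means the key was never published or was rotated out.
  const jwk = jwks.keys.find((k) => k.kid === header.kid && k.kty === 'RSA');
  if (!jwk) return { ok: false, reason: 'unknown kid' };
  const key = crypto.createPublicKey({ key: { kty: jwk.kty, n: jwk.n, e: jwk.e }, format: 'jwk' });
  // The signature covers the exact bytes "<header>.<payload>" as transmitted.
  const valid = crypto.verify('sha256', Buffer.from(`${parts[0]}.${parts[1]}`), key,
    Buffer.from(parts[2], 'base64url'));
  if (!valid) return { ok: false, reason: 'bad signature' };
  return { ok: true, payload: JSON.parse(Buffer.from(parts[1], 'base64url').toString('utf8')) };
}
```

A real verifier would also check the credential's validity dates and issuer identifier after the signature passes; those fields are outside what this page describes.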

Capture the Flag

This was the big one. A whole new kind of content on the platform.

We can run our own time-boxed CTF events now! Theme, scoring rules, hints, attachments, sponsor branding, access controls. There are three challenge modes per event: static flag, VM lab launch, and AI-graded challenges that can link out to Training or Trial content. Players register and play from the Tavern, the leaderboard updates live as solves come in, and the top three solvers on each challenge get first-blood callouts.

The magic-link quick-register flow is the part I’m watching the closest. A sponsor can drop a single link, a brand-new visitor lands on the event page, types their email, gets a magic link, and is solving challenges in one tap. No full sign-up required up front (see the Scars section below on the bug I found here!). I wanted the time-to-first-flag to be as close to zero as I could get it. And when the event closes, finalize fires the full badge pipeline I described above, so every eligible participant walks away with a verifiable cert that includes their final rank (“Finished 7th of 142”) in the badge evidence.

The admin tooling layer landed this month too. A full event audit view, an admin disqualify flow that automatically reassigns first-blood when a DQ’d player held it, “we liked this” bonus point adjustments with required reason text, and a scaled submission lookup for events that pull hundreds of submissions for auditing and bot hunting.

We already ran the first live event during the launch window, and it ran straight into a real production bug. More on that in a minute. Once I pushed out the hotfix, the quick signup was functional and we were back in business. The Phantom CTF event was a great pilot for the feature and we got some great feedback already. Looking forward to many more of these!

My Satchel

This one came about by request and natural progression. I knew the training catalog was starting to get a bit large and it would take a user 2-3 clicks to get to a training view. We need to be one click away from getting back to work on a previous training or engaging with a purchased quest. The solution is a pretty common pattern in the “My Stuff” sort of page. I just kept it in the theme and called it “My Satchel”.

Three sections on one page. Continue your journey, which is quests, campaigns, and trials you’ve started but haven’t finished. Your library, which is the things you own outright, whether you bought them with Stripe, redeemed a voucher, or were granted access by an admin. And Bookmarked for later, which is the platform’s first proper bookmark primitive. There’s a Bookmark toggle on every quest, training, campaign, and trial detail page now.

One detail I love. In-progress cards have a tiny × to dismiss them. When you click it, the card hides, but the underlying enrollment is untouched. Progress, XP, completion logic, all of it preserved. Dismissed cards reappear the moment you re-engage. I wanted a clean “out of sight” option without a “lost my progress” cliff. There’s a 5-second Undo toast every time, in case you dismissed the wrong one.

The platform had no concept of “save this for later” before this. Every page that needed it would have built its own version of the same query. Now there’s one layer underneath, the pages stay thin, and anything I build on top of this from here forward gets bookmarks for free.

The scars

Captcha frustrations
The new reality of bots everywhere forced us to add a mostly automated captcha to login pages and registration forms. Unfortunately, this adds friction to any place you want to help users jump right in. This time it bit me when I was making the Quick signup link for CTFs. The plan was to let a user go to the CTF Details page, input an email, and get right into the CTF event. They can set up their account later, no problem. Well, yes, there was a problem. In testing, things were fine and passing, but in prod when I tested the flow, the supposed quick email signup sent me to the login page. Wat? After digging through logs, I realized the auth system was rejecting the passthru because of the captcha token. Ultimately the solution was to pass the captcha token along with the login and we were quickly back in business. Lesson learned though, or reminded at least. Captcha sucks but is a new reality we have to deal with.

What’s next

The second live CTF event, in partnership with JHT, will run during Continuum Con. We’ve worked out the bugs with our CTF features during the Phantom CTF event so we’re good to go and ready for larger scale player pools.

I’m also going to be putting a lot more time into the next big feature set. Our Enterprise tier. This is going to allow orgs to enroll their teams in Guardian Foundry, monitor progress, see team stats, and much more!

See you next month from the forge.
