First-of-its-Kind Challenge for Cyber Pros
PGT turns phishing simulation into a competitive, 9-hole challenge mapped to the NIST Phish Scale. Competitors craft emails at specified difficulty levels, proving not only social engineering skill, but the ability to calibrate difficulty to a learner’s ability—critical for effective human risk management.
Corner holes are judged in two stages—first by accuracy to difficulty, then by a special category (humor, psychological manipulation, low technical signature, or sheer difficulty). Center holes focus on concrete objectives like link-click, gift card purchase, or unauthorized shipment.
Built on the NIST Phish Scale
The NIST Phish Scale (TN 2276) is the canonical guide for mapping premise alignment and the number of cues to detection difficulty. Each "hole" in the PGT is calibrated to require an email built to a target rating on a gamified version of the NIST Phish Scale.
We recommend competitors use NIST TN 2276 (linked below) as the single source of truth while formulating entries.
Practice Skills that Can Impact Human Risk
Static, one-size-fits-all simulations fail. PGT compels dynamic tuning of difficulty across personas, aligning challenge to ability. If it’s too easy, learners disengage; too hard, they give up. The sweet spot drives durable behavior change.
For sponsors, PGT showcases a commitment to practical defense: measurable skill growth, data-driven insights, and a vibrant community of practitioners.
Cognitive Security Institute
CSI runs programs and research focused on practical human-centric security: reducing real-world risk through measurable behavior change, better training mechanics, and community collaboration. The Phishing Golf Tournament (PGT) is part of that mission—raising the bar for how we teach and test phishing resilience.
Rules
- The Phishing Golf Tournament (PGT) will begin at 12:01am (EDT) and end at 11:58pm (PST).
- One entry/play per email address. If players wish to play more than one round, they must register using a new email address for each round played.
- AI may be used to help construct phishing emails, but this must be disclosed at the time of submission.
- To "play a hole," players will submit a phishing email template along with a completed online form that explains the cues they included in the email, how the template aligns with the target, and how the email aims to achieve its objectives.
- The registration number provided to you must be submitted with each entry.
- Submitted phishing emails MUST include a minimum of ONE cue in order to qualify.
- Entries may not be discriminatory or inappropriately inflammatory.
- Challenges may intentionally or unintentionally reference real organizations or individuals. You may not call, email, contact, or harass the referenced individuals in any way.
- Do not violate any local, state, federal, or international laws.
- Do not modify any unique IDs assigned to you by the competition platform, and do not access competition resources using another competitor's unique ID.
- Do not misrepresent yourself or use multiple personas.
- Do not sabotage any game elements, including online resources.
- DO NOT, under any circumstance, attack the PGT Game or scoring systems. This includes, but is not limited to, launching automated scans or tools targeted at the scoring system, attempting injections, altering targets, or attempting to manipulate data stored within the scoring system. Players found manipulating, or attempting to manipulate, the scoring system will be immediately disqualified from the current and future PGT and/or CSI events. Players found manipulating the puzzles and targets may be disqualified from playing in current and/or future PGT and/or CSI events and/or have their scores altered.
- Do not attack the competition platform.
- DO NOT, under any circumstance, purposely disable, alter, or damage a challenge/puzzle and/or target in a manner that will disrupt the solution or structure of the puzzle or gameplay. This includes, but is not limited to, changing core system configurations (passwords, firewall rules, services, etc.), manipulating any network settings, and/or altering, introducing, or removing vulnerabilities on the system. Altering public Internet resources related to puzzles is not permitted.
- Behave in a professional manner, including on PGT social media channels and when interacting with PGT and CSI representatives.
- All text, graphics, user interfaces, visual interfaces, photographs, trademarks, logos, sounds, music, artwork, computer code, challenges, and artifacts used within the PGT are owned or licensed by CSI and are protected by copyright, patent, and trademark laws. You may not copy, reproduce, alter, modify, resell, mirror, or create derivative works of the materials used within the PGT Games. Documents containing our challenges or associated artifacts, commonly referred to as "writeups" or "solution guides," may not be published or distributed without our written permission.
- All participants own their own content and intellectual property generated from their participation in the PGT. We do not represent any ownership or claim any intellectual property rights over the information that you provide or that is provided to us.
Ethics Statement
The Cognitive Security Institute aspires to communicate and promote an honor code, ethical values, and behaviors that are essential elements of the cybersecurity workforce. We are not here to help people learn to be criminals. Rather, we hope to help develop players to become human risk professionals who can make a difference in our information, knowledge, and innovation economies.
Spirit of the Game
The spirit of the Phishing Golf Tournament is to foster excitement and eagerness for learning through friendly competition.
These rules are designed to maintain fairness in the competition and safeguard the community from behavior that negatively affects the experience of others.
NIST Phish Scale — Criteria for Counting Cues
| Cue Type | Cue Name | Criteria for Counting |
|---|---|---|
| Error | Spelling and grammar irregularities | Does the message contain inaccurate spelling or grammar, including mismatched plurality? |
| Error | Inconsistency | Are there inconsistencies contained in the email message? |
| Technical indicator | Attachment type | Is there a potentially dangerous attachment? |
| Technical indicator | Sender display name and email address | Does a display name hide the real sender or reply-to email addresses? |
| Technical indicator | URL hyperlinking | Is there text that hides the true URL behind the text? |
| Technical indicator | Domain spoofing | Is a domain name used in addresses or links plausibly similar to a legitimate entity’s domain? |
| Visual presentation indicator | No/minimal branding and logos | Are appropriately branded labeling, symbols, or insignias missing? |
| Visual presentation indicator | Logo imitation or out-of-date branding/logos | Do any branding elements appear to be an imitation or out-of-date? |
| Visual presentation indicator | Unprofessional looking design or formatting | Does the design and formatting violate conventional professional practices, or appear unprofessionally generated? |
| Visual presentation indicator | Security indicators and icons | Are any markers, images, or logos that imply the security of the email present? |
| Language and content | Legal language/copyright info/disclaimers | Does the message contain legal-type language such as copyright information, disclaimers, or tax information? |
| Language and content | Distracting detail | Does the email contain details that are superfluous or unrelated to the email’s main premise? |
| Language and content | Requests for sensitive information | Does the message request sensitive information, including personally identifying information or credentials? |
| Language and content | Sense of urgency | Does the message contain time pressure to get users to quickly comply, including implied pressure? |
| Language and content | Threatening language | Does the message contain a threat, including an implied threat, such as legal ramifications for inaction? |
| Language and content | Generic greeting | Does the message lack a greeting or lack personalization in the message? |
| Language and content | Lack of signer details | Does the message lack detail about the sender, such as contact information? |
| Common tactic | Humanitarian appeals | Does the message make an appeal to help others in need? |
| Common tactic | Too good to be true offers | Does the message offer anything that is too good to be true, such as having won a contest, lottery, free vacation and so on? |
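As an added illustration of how two of the technical-indicator cues in the table can be checked mechanically (example code written for this page, not CSI's or NIST's own tooling): the script parses a constructed sample message and flags a display name or Reply-To that hides the real sender, and link text that shows one URL while the href points at another host. The domain names are placeholders.

```python
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse


class AnchorCollector(HTMLParser):
    """Collect (href, visible text) for each <a> element in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def count_technical_cues(raw_message):
    """Return the names of the NIST Phish Scale technical-indicator cues found."""
    msg = message_from_string(raw_message)
    name, sender = parseaddr(msg.get("From", ""))
    reply_to = parseaddr(msg.get("Reply-To", ""))[1]
    cues = []
    # Cue: display name hides the real sender, or Reply-To is in another domain.
    if ("@" in name and name.lower() != sender.lower()) or (
            reply_to and reply_to.split("@")[-1].lower() != sender.split("@")[-1].lower()):
        cues.append("Sender display name and email address")
    body = msg.get_payload(decode=True).decode(msg.get_content_charset() or "utf-8")
    collector = AnchorCollector()
    collector.feed(body)
    # Cue: link text looks like a URL but the href resolves to a different host.
    if any(text.startswith("http") and urlparse(text).hostname != urlparse(href).hostname
           for href, text in collector.links):
        cues.append("URL hyperlinking")
    return cues


# Constructed sample (not a real message) that exhibits both cues.
SAMPLE = """From: "helpdesk@corp.example" <alerts@mail-relay.example>
Content-Type: text/html; charset=utf-8

<p>Reset here: <a href="https://corp-login.example/r">https://corp.example/reset</a></p>
"""
```

Running `count_technical_cues(SAMPLE)` returns both cue names; a message whose From has a plain display name and whose link text is not itself a URL returns an empty list.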
NIST Phish Scale — Premise Alignment Elements
| Premise Alignment Element | Scoring Criterion |
|---|---|
| Mimics a workplace process or practice | Does this element attempt to capture premise alignment with a workplace process or practice for the target audience? |
| Has workplace relevance | Does this element attempt to reflect the pertinence of the premise for the target audience? |
| Aligns with other situations or events (including those external to the workplace) | Does this element align to other situations or events, even those external to the workplace, lending an air of familiarity to the message? |
| Engenders concern over consequences for NOT clicking | Does this element reflect potentially harmful ramifications for not clicking, raising the likelihood of clicking? |