This study investigates how cognitive biases systematically influence attackers’ decision-making in Capture-the-Flag (CTF) competitions to enhance proactive and adaptive cyber defense. Leveraging over 500,000 real submission logs from the picoCTF platform, we employ a mixed-methods approach: qualitative behavioral coding to identify bias manifestations, complemented by descriptive statistics and generalized linear modeling to quantify their effects. We present the first large-scale empirical evidence in adversarial cybersecurity settings: availability bias causes format errors to obscure correct solutions (12.7% of cases), while the sunk-cost fallacy drives inefficient repeated attempts—even after failure rates exceed 60%. Based on these findings, we propose the first cognitive-bias-aware adaptive defense framework, enabling attack-intent prediction rather than passive response. This work establishes a novel behavior-driven paradigm for proactive defense grounded in human cognition.

Understanding how cognitive biases influence adversarial decision-making is essential for developing effective cyber defenses. Capture-the-Flag (CTF) competitions provide an ecologically valid testbed to study attacker behavior at scale, simulating real-world intrusion scenarios under pressure. We analyze over 500,000 submission logs from picoCTF, a large educational CTF platform, to identify behavioral signatures of cognitive biases with defensive implications. Focusing on availability bias and the sunk cost fallacy, we employ a mixed-methods approach combining qualitative coding, descriptive statistics, and generalized linear modeling. Our findings show that participants often submitted flags with correct content but incorrect formatting (availability bias), and persisted in attempting challenges despite repeated failures and declining success probabilities (sunk cost fallacy). These patterns reveal that biases naturally shape attacker behavior in adversarial contexts. Building on these insights, we outline a framework for bias-informed adaptive defenses that anticipate, rather than simply react to, adversarial actions.