Cheat Detection in Cyber Security Capture The Flag Games - An Automated Cyber Threat Hunting Approach
Capture-the-flag style cyber security games (CTF) are one of the most popular ways of learning and teaching ethical hacking. These CTF games usually present a set of hacking tasks or challenges that simulate a vulnerability to be compromised. When the participant compromises the vulnerability they are presented with a secret flag that is uploaded to prove the participant's completion of a challenge. Whilst this secret flag confirms successful completion of a challenge, it does little to verify the legitimacy of a participant's activities. We propose a process for plagiarism detection in CTF games via automated cyber threat hunting techniques. Using log data captured from penetration testing courses, we develop a series of indicators of compromise (IoCs) for each CTF challenge that are attributed to a participant's activities. We propose an automated querying tool that can query these IoCs and classify participant activities as suspicious or benign without false positives.
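As an added illustration of the approach described above (example code, not the paper's tool), the following classifies each flag submission by checking whether the participant's own logged activity shows every IoC for that challenge before the submission time. The challenge names, target hosts, log line format and events are constructed assumptions.

```python
import re
from datetime import datetime

# Constructed per-challenge IoCs (hypothetical challenge names, hosts and
# paths, not from the paper): regexes that a participant's logged activity
# should match before the flag could have been obtained legitimately.
CHALLENGE_IOCS = {
    "web-01": [r"nmap .*10\.0\.0\.5", r"GET /admin/login"],
    "ssh-02": [r"nmap .*10\.0\.0\.7", r"ssh \S+@10\.0\.0\.7"],
}

# Constructed log lines in the assumed form "<ISO timestamp> <user> <event>".
LOG_LINES = [
    "2024-03-01T10:00:00 alice nmap -sV 10.0.0.5",
    "2024-03-01T10:05:00 alice GET /admin/login HTTP/1.1",
    "2024-03-01T10:40:00 bob nmap -sV 10.0.0.7",
]

# Constructed flag submissions: (user, challenge, submission time).
SUBMISSIONS = [
    ("alice", "web-01", "2024-03-01T10:20:00"),
    ("bob", "web-01", "2024-03-01T10:30:00"),
    ("bob", "ssh-02", "2024-03-01T10:35:00"),
]

def parse_log(lines):
    """Split raw lines into (timestamp, user, event) tuples."""
    events = []
    for line in lines:
        ts, user, event = line.split(" ", 2)
        events.append((datetime.fromisoformat(ts), user, event))
    return events

def classify(user, challenge, submitted_at, events):
    """Return ("benign", []) if every IoC for the challenge appears in the
    user's own activity before the submission time; otherwise
    ("suspicious", <list of IoCs not observed>)."""
    deadline = datetime.fromisoformat(submitted_at)
    prior = [ev for ts, u, ev in events if u == user and ts <= deadline]
    missing = [ioc for ioc in CHALLENGE_IOCS[challenge]
               if not any(re.search(ioc, ev) for ev in prior)]
    return ("benign" if not missing else "suspicious", missing)

def hunt(log_lines=LOG_LINES, submissions=SUBMISSIONS):
    """Classify every submission; the result is keyed by (user, challenge)."""
    events = parse_log(log_lines)
    return {(u, c): classify(u, c, t, events) for u, c, t in submissions}

if __name__ == "__main__":
    for key, (verdict, missing) in hunt().items():
        print(key, verdict, missing)
```

A submission whose supporting activity only appears after the flag was uploaded (bob on ssh-02) is flagged just like one with no activity at all, since the activity could not have produced that flag.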