All training courses are completely sold out. You can submit a waitlist form below to be added to the waitlist for a given class. Please note that this does not guarantee a spot, just that if one becomes available we will notify you as soon as they are opened up and in the order they are received.

The cost of training is $1,000 per student. The training sessions are two days (before the conference) starting September 21st and ending on September 22nd.

Please note that if you purchase a training ticket, you automatically get a ticket to DerbyCon. You do not need to purchase a separate ticket for conference admission.

There is a NO REFUND policy. Once you purchase a ticket, the sale is final. We aren’t in charge of anything regarding your ticket once you purchase your ticket. If you can’t go, you will need to sell your ticket. Under no circumstances does DerbyCon refund a ticket for training or the conference.

Training sells out quickly, we would recommend not waiting until the end to get them. If your course is sold out, submit to the following document to be placed on a waitlist. If the course becomes available we will add you in the order they are received:

Waitlist Training Form

Waitlist Training Form

Training Courses

Advanced PowerShell for Blue and Red Teams (SOLD OUT)
Safe Cracking: Mechanical and Electronic (SOLD OUT)
Advanced OSINT For Social Engineers (SOLD OUT)
Application Security: For Hackers and Developers (SOLD OUT)
Practical Web Application Penetration Testing (PWAPT) (SOLD OUT)
Advanced Exploit & Security (SOLD OUT)
Red Team vs. Blue Team (SOLD OUT)
Memory-Resident Code: Analysis, Detection, and Development (SOLD OUT)
Practical Network Signature Development for Open Source IDS (SOLD OUT)
Tactical Sec Ops: Cloud Edition – AWS (SOLD OUT)
Pwning and Responding to SCADA Devices and Networks (SOLD OUT)
Introduction to Malware Analysis (SOLD OUT)
Hack It and Track It (SOLD OUT)
Pen Testing with PowerShell (SOLD OUT)

Advanced PowerShell for Blue and Red Teams

Course Description:

Learn how you can use PowerShell both in a defensive and offensive manner by people who have been using and teaching Microsoft PowerShell for years on both defense and offense.

Each exercise will build on the previous one so as to offer a solid based on how to use PowerShell both as a pentester and a defender. We will cover when PowerShell makes sense to use and when it will just get you caught quicker than any other tool in the target OS, on the defender side we will cover how it can be used to setup a properly secured environment and how to mitigate the use of PowerShell by attacker and be able to track every action an step taken and for the attacker how to operate in the shadows and minimize what they leave behind.

The class is geared to provide a solid foundation of knowledge on the language and tools that can be used to build your own tools and understand better how to use other. Challenges after each module will make the student apply what they learn in a fun competitive manner.

Course Outline:

* PowerShell Security – Logging of actions in different version of PowerShell and command execution restrictions and bypass.
* Network Discovery -How to use .Net API and existing PowerShell Cmdlets.
* WMI/CIM – Fundamentals of WMI/CIM and how to use the technology in Incident Response and Post-Exploitation.
* Active Directory – How to interact with AD using both .Net API and ADSI.
* Crypto Basics – Fundamental of decryption, encryption and hashing using PowerShell and the .Net API.
* Gaining Access – Covers :
* Execution Basics
* Shells
* Access Methods
* Enumeration and Discovery
* Lateral Movement
* Incident Response – Covers how PowerShell can be used for Incident Response.

Required Materials:

Students must come with a laptop capable of running 2 VMs, a Kali Linux VM and a Windows VM to perform the labs, a 90 day Windows 7/10/2012 trial works perfectly for the class.

Additional Requirements

A monitor, keyboard and mouse.

Instructor(s): Carlos Perez

Carlos Perez is an experienced security practitioner on both defense and offense and has presented on the subjects in several security conference, blogs and Podcasts. Has contributed to the community several open source tools in Ruby, Python, C# and PowerShell. He has been awarded the Microsoft MVP award for his contributions to the community on PowerShell.

Purchase below:


Safe Cracking: Mechanical and Electronic

Course Description

In the past, Deviant Ollam and his crew from The CORE Group have offered their Physical Penetration training at DerbyCon. However, once you’re inside your target… how do you go about gaining access to the secured spaces found within? This training focuses on a topic that many people fear is beyond them: manipulating and exploiting safes.

From mechanical locks to electronic hardware, this course will give you a solid foundation in the practical means and methods of opening up the containers in our world thought by many to be the most secure.

Course Outline

Day One – Mechanical
Safe Hardware Design
Insurance Ratings and Standards
Basics of Safe Dials
Components & Installation
Internal Terminology
Setting and Changing Combinations
Operating a 3-wheel or 4-wheel Safe Dial
Mechanical Weaknesses
Contact Points
Wheel Pack Flaws
Leaking Information
Practical Manipulation
The Process
The Documentation
Group Exercise
Individual Exercises

Day Two – Electronic
Hospitality Locks and Safes
Conventional Components
Mechanical Overrides
Circuit Design
Inspection and Logic Analysis
Searching for Master Overrides
Sniffing / Replay Code Discovery
Industry Override Tools

Required Materials

None. for Day One all students will be issued a mechanical safe dial suitable for in-class exercises.

On Day Two all logic analyzer work will take place with CORE gear and all practical example hardware will be transported to the site by us.

Don’t worry, we won’t be bringing in huge safes on hand trucks. =)

Instructor(s): Deviant Ollam, Babak Javadi

While paying the bills as a security auditor and penetration testing consultant with his firm, The CORE Group, Deviant is also a member of the Board of Directors of the US division of TOOOL, The Open Organisation Of Lockpickers. Every year at DEFCON and ShmooCon Deviant runs the Lockpick Village, and he has conducted physical security training sessions for Black Hat, The SANS Institute, DeepSec, DerbyCon, ToorCon, HackCon, ShakaCon, HackInTheBox, ekoparty, AusCERT, GovCERT, CONFidence, the FBI, the NSA, DARPA, the National Defense University, the United States Naval Academy at Annapolis, and the United States Military Academy at West Point. His favorite Amendments to the US Constitution are, in no particular order, the 1st, 2nd, 9th, & 10th.

Babak is a noted member of the physical security community, well-recognized among both professional circles (due to the work The CORE Group) as well as in the hacker world (as the President of TOOOL, The Open Organization Of Lockpickers.) His first foray into the world of physical security was in the third grade, where he was sent to detention for showing another student how to disassemble the doorknob on the classroom supply closet. Babak is an integral part of the numerous lockpicking workshops, training sessions, and games that are seen at annual events like DEFCON, ShmooCon, DeepSec, NotACon, QuahogCon, HOPE, and Maker Faires across the country. He likes spicy food and lead-free small arms ammunition.

Purchase below:


Advanced OSINT For Social Engineers

Course Description

Information is the lifeblood of the social engineer. But there is now so much available that it can be overwhelming. How can we dial in and narrow your focus in ways that will enhance your social engineering abilities? This course will show you the techniques, tricks, and tips used by the professional social engineering penetration testers of Social-Engineer, Inc. This two-day course is not a laundry list of tools. We will also share the methodology, processes, and our own experiences that allow us to successfully apply information to plan and launch realistic SE scenarios for our clientele. Having the information is only half of what you need.

Course Outline

During these two days, you will learn:

Non-tech OSINT gathering
Obfuscating your traffic
Email headers
Search engines
Metadata Maltego
Social media exploitation
Developing realistic attack vectors

This course was developed based on student demand from our 5-Day Advanced Practical Social Engineering Course. Now a full two days devoted to the very same methods our team uses during Social Engineering Risk Assessments and Social Engineering Penetration Tests are offered to the students of this class.

Required Materials

A laptop that is able to run Java-based tools such as Maltego as well as a variety of browsers. Since we will be running VPNs and installing tools, admin rights on the computer will be critical.

Instructor(s): Christopher Hadnagy

Chris Hadnagy, Chief Human Hacker and aka loganWHD, is the President and CEO of Social-Engineer, Inc. He specializes in understanding the ways in which malicious attackers are able to exploit human weaknesses to obtain access to information and resources through manipulation and deceit. He has been in security and technology for over 16 years. Chris is a graduate of Dr. Paul Ekman’s courses in Microexpressions, having passed the certification requirements with an “Expert Level” grade. He has significant experience in training and educating students in non-verbal communications. He also holds certifications as an Offensive Security Certified Professional (OSCP) and an Offensive Security Wireless Professional (OSWP). Finally, he is the author of the best-selling book, Social Engineering: The Art of Human Hacking.

Chris is his spare time is a pianist whom he dedicates to the love of music. The passion for social engineering in general spawned from his passion for music. When Chris was only 8 years old, he heard the song Bruce Hornsby “The Way It Is” and quickly fell in love with the piano. After that, he learned several of Bruce Hornsby’s amazing and inspiring songs including Mandolin Rain amongst many others. Chris’ love and passion for Bruce Hornsby led him into the social-engineering field and continues to drive him everyday.

Purchase below:


Application Security: For Hackers and Developers

Course Description

There are four technical skills required by security researchers, software quality assurance and test engineers, or developers concerned about security: Source code auditing, fuzzing, reverse engineering, and exploitation. Each of these domains is covered in detail. C/C++ code has been plagued by security errors resulting from memory corruption for a long time. Problematic code is discussed and searched for in lectures and labs. Fuzzing is a topic book author DeMott knows about well. Mutation file fuzzing and framework definition construction (Sulley and Peach) are just some of the lecture and lab topics. When it comes to reversing C/C++ (Java and others are briefly discussed) IDA pro is the tool of choice. Deep usage of this tool is covered in lecture and lab. Exploitation discussions and labs are the exciting final component. You’ll enjoy exploitation basics, and will also use the latest techniques.

Course created by: Jared DeMott

Course Outline

Source Code Auditing
Understanding how and when to audit source code is key for both developers and hackers. Students learn to zero in on the important components. Automated tools are mentioned, but auditing source manually is the focus, since verifying results is a required skill even when using automated tools. Spotting and fixing bugs is the focus.

Fuzzing is a runtime method for weeding out bugs in software. It is used by a growing number of product and security organizations. Techniques such as dumb file fuzzing, all the way up to distributed fuzzing, will be covered. Students will write and use various fuzzers.

Reverse Engineering
Student’s focus on learning to reverse compiled software written in C and C++, though half-compiled code is mentioned as well. The IDA pro tool is taught and used throughout. Calling conventions, C to assembly, identifying and creating structures, RTTI reconstruction are covered. Students will also see IDA’s more advanced features such as flirt/flare, scripting, and plug-ins.

Students will walk out of this class knowing how to find and exploit bugs in software. This is useful to both developers and hackers. The exploit component will teach common bug type such as: stack overflow, function pointer overwrite, heap overflow, off-by-one, integer error, uninitialized variable, use-after-free, double fetch, and more. For the exploits, return overwrites, heap spraying, ROP and gadget discovery, etc. Shellcode creation/pitfalls and other tips and tricks will all be rolled into the exciting, final component.

Required Materials

Students are required to provide a laptop for the course:
Your laptop should have at least 18GB of free HD space and should have 4GB+ of RAM.
– Install Ahead of Time
– VMware workstation/player for Windows or Fusion for the Mac
– You will be given a Windows 7 VM. Copy to your hard drive, and pass the portable Media to your neighbor. You may not share any course media with non-students.


Josh Stroschein

Course was created and taught by: Jared DeMott

Purchase below:


Practical Web Application Penetration Testing (PWAPT)

Course Description

This course provides customized training on the latest open source tools and manual techniques for performing end-to-end web application penetration testing engagements. After a quick overview of the penetration testing methodology, the instructor will lead students through the process of testing and exploiting a target web application using the techniques and approaches developed from a career of real world application penetration testing experiences. Students will be introduced to the best open source tools currently available for the specific steps of the methodology, including Burp Suite Pro, and taught how to integrate these tools with manual testing techniques to maximize effectiveness. A major goal of this course is teaching students the glue that brings the tools and techniques together to successfully perform a web application penetration test from beginning to end, an oversight in most web application penetration testing courses.

The majority of the course will be spent performing an instructor led, hands-on web application penetration test against a target application built specifically for this class using a modern technology stack (Python Flask) and including real vulnerabilities as encountered in the wild. No old-school vanilla PHP stuff here folks. Students won’t be given overly simplistic steps to execute independently. Rather, at each stage of the test, the instructor will present the goals that each testing task is to accomplish and perform the penetration test in front of the class while students do it on their own machine. Primary emphasis of these instructor led exercises will be placed on how to integrate the tools with manual testing procedures to improve the overall work flow. This experience will help students gain the confidence and knowledge necessary to perform web application penetration tests as an application security professional.

More info and testimonials from last years PWAPT course can be found at

PWAPT is a PortSwigger preferred Burp Suite Training course (

Course Outline

Day 1:
* Methodology
* Reconnaissance
* Mapping
* Automated Discovery
Day 2:
* Manual Discovery
* Exploitation

Required Materials

* Laptop with at least two (2) USB ports.
* Latest VMware Player, VMware Workstation, or VWware Fusion installed. Other virtualization software such as Parallels or VirtualBox will probably work if the attendee is familiar with its functionality. However, VMware Player should be prepared as a backup.
* Ability to disable all security software on their laptop such as Antivirus and/or firewalls (Administrator).
* At least twenty (20) GB of hard drive space.
* At least four (4) GB of RAM.

Instructor(s): Tim (@lanmaster53) Tomes

Tim (lanmaster53) Tomes is the Director of Application Security Services at nVisium with extensive experience in Application Security and Software Development. Tim currently manages multiple open source software projects such as the Recon-ng Framework, the HoneyBadger Geolocation Framework, and PeepingTom, writes technical articles at, and frequently instructs and presents on Application Security topics at major Information Security conferences such as DerbyCon, ShmooCon, Black Hat and SANS.

Purchase below:


Advanced Exploit & Security

Course Description

As we learned in my first class, there are almost always bugs in code. We found them by auditing, fuzzing, and reversing code. Then we crafted exploits. To counter this reality, vendors have developed a variety of protections.
In this class we continue the battle. We describe a number of modern day protections: things like EMET, Isolated Heap, and CFG. We then perform hands-on lab work to show how bypasses can be constructed. This build-and-break teaching style provides the tools for vulnerability researchers, security engineers, and developers to perform cutting edge work.
The second half of the class is all about the kernel. You will learn how to debug, audit, fuzz, and exploit kernel code. The class is fast pasted, but low stress and fun. Prepare to learn!

Course Outline

8:30 –
10:00 ROP/EMET: includes 5 ROP protections. We discuss how they work, and how they could be bypassed. Bypass EMET by upgrading existing working exploit. WinDbg, HTML/JavaScript, python, 010, IDA, NASM, etc.
15 min break Coffee
10:15 –
12:00 Use-after-free: Browser vendors have added UaF protections Bypass Isolated Heap and Deferred Free
12:00 –
1:00 Lunch
1:00 –
3:00 Control Flow Integrity: Describe new feature in VS 2015, used to protect program execution Bypass Microsoft’s Control Flow Guard
15 min break Coffee
3:15 –
5:00 Browser Extension Exploitation: Discuss flash and describe an exploit that was disclosed as part of the Hacking Team fiasco
Understand and work with the exploit FlashDevelop, Same

Day 2
8:30 –
10:00 Kernel Debugging: Discuss the Windows Architecture, including the principles and components of the Kernel. Learn how to debug system code WinDBG,
15 min break Coffee
10:15 –
12:30 Kernel Auditing: Windows drivers: how they work and how to find bugs in them Find bugs in the provided driver code Visual Studio, Verifier, etc
12:00 –
1:00 Lunch
1:00 –
3:00 Kernel Fuzzing: Syscalls, IOCTLs, User/GDI, Networking/IO stacks, etc. Perform GDI/Font fuzzing. Use GDI font fuzzing code
15 min break Coffee
3:15 –
5:00 Kernel Exploitation: Teach about kernel exploits and defenses Examine details of two kernel exploits: how kernel ROP and actual elevation works. Code auditing, debugging, etc.

Required Materials

Your laptop should have 100GB of free HD space and should have 8GB of RAM.
* Install Ahead of Time
* VMware workstation/player for Windows or Fusion for the Mac
* If you have a licensed version of IDA Pro, bring that too
* Else you will use the demo version, which is fine.

Instructor(s): Dr. Jared DeMott

Dr. Jared DeMott is a seasoned security researcher, and has spoken at conferences such as DerbyCon, BlackHat, Defcon, ToorCon, Shakacon, DakotaCon, CarolinaCon, ThotCon, GRRCon, and Bsides*. Past notable research relates to stopping a trendy hacker exploit technique (known as ROP), by placing as a finalist in Microsoft’s BlueHat prize contest, and by more recently showing how to bypass Microsoft’s EMET protection tool.
Jared is active in the security community by teaching his Application Security course, and has co-authored the book – Fuzzing for Software Security Testing and Quality Assurance. DeMott has been on three winning Defcon CTF teams, and has the black badges to prove it. He has been an invited lecturer at prestigious institutions such as the United States Military Academy, and previously worked for the National Security Agency. DeMott holds a PhD from Michigan State University.

Purchase below:


Red Team vs. Blue Team

Course Description

This course focuses on the latest attack techniques, as well as how to best defend against the attacks. This course will cover both red and blue team efforts and provide methods for understanding how to best detect threats in an enterprise. It will give penetration testers the ability to learn the new techniques as well as teach blue team how to defend against them.

This course is completely hands on!

By the end of day 1, students will be attacking our simulated network while the trainers defend against the attacks. By the end of day two, the students will be defending the network against the trainers who will be attacking!

This course applies real-world offense and defense capabilities to truly paint the full picture of understanding how attacks happen today and how to best prevent them.

This is a new course and is completely fresh. It contains all of the latest pentester methods as well as unreleased methods for detecting attacks.

Students can have a penetration testing background or a focus on defense. We recommend having basic systems administration experience – this will help you with the hands-on exercises.

Course Outline

Day 1 Outline
• Introduction to Attacker Techniques
• Common Methods for Exploitation
• Methods for Persistence and Evasion
• Lateral Movement and Pivoting
• Circumventing Security Defenses
• Understanding Attacker Mindsets
• Performing an adversarial simulation
• Simulated Attack Scenario on Live Network

Day 2 Outline
• Developing a Common Defense
• Introduction to Hunt Teaming
• Performing a hunt team exercise
• Tools, tricks, and free scripts!
• Identifying threats on the network
• Identifying threats on the endpoint
• Using existing technology in the network
• Special goodies
• Defending the Network – Live Network Defense

Required Materials

* Laptop with VMWare/Fusion or similar (VirtualBox is not recommended).
* Ubuntu (LTS) with PenTesters Framework already loaded and up-to-date (
– git clone
– cd ptf
– ./ptf
– use modules/install_update_all
– yes

* Windows system (Windows 7+)

Instructor(s): Larry Spohn, Paul Koblitz

Larry Spohn is a Senior Principal Security Consultant at TrustedSec, an Information Security consulting company, based out of Cleveland Ohio. Larry’s main areas of expertise are focused on Information Security Risk Assessments, Penetration Testing, Application Security, and Red Teaming. Larry has extensive experience in the financial sector and has extensive knowledge in Python and PowerShell development and exploitation.

Paul has always had a passion for security, focusing on the physical side. While in the US Navy, Paul was a Duty Master-at-Arms and part of the shipboard security team. In Paul’s off time from the military, he held several security related jobs to include: late night and emergency locksmith, security systems installation consultant, and vehicle/personal property repossession. While working for TrustedSec, Paul has utilized his physical and social engineering skills in several fields of business such as; financial institutions, retail clothing chains, grocery store chains, manufacturing, and education.

Purchase below:


Memory-Resident Code: Analysis, Detection, and Development

Course Description

This two-day class introduces students to Windows memory-resident malware techniques, analysis, and defenses. Students will learn how memory-resident malware is created and operates invisible to many defenses. Students will also gain understanding of how the Windows operating system manages memory and active defence techniques to detect and eradicate memory resident malware.

Course Outline

Day 1.
– Introduction
– Windows Memory Basics – Allocations, Paging, Permissions, and Mapping
– Powershell Basics
– Scanning Methodologies
– Live analysis tools
– Memory dump analysis tools
– Signs of Malware in Memory
– Case studies; memory-resident code, packers, rootkits
– Malicious memory contents
– Assembly basics
– Shellcode structure
– Final exercise

Day 2.
– Development environment setup and shellcode harness
– General development strategies
– API lookup; hash vs name
– Function tables
– Reflective loading
– Injection techniques
– Remote allocation and thread spawning
– DLL loading
– Asynchronous procedure calls
– Process hollowing
– Write-only method
– Section mapping
– Exercises

Required Materials

1. A laptop with a 64-bit operating system and hardware virtualization supported and enabled (you may need to enable this in the BIOS). Note: I do not recommend using government-owned or employer-owned equipment for this malware class in general, especially if you are unable to turn off the antivirus software.
2. VirtualBox installed: (note: VMWare workstation will also work)
3. Download and set up a Kali Linux Virtual Machine as one VM (
4. Download the 64-bit USGCB Win7 VHD as a second VM, create a virtual machine using it as a hard disk, and make sure they can boot it and log in: Attach the VHD to the IDE controller instead of the default SATA controller when setting up the VM, or you will get a blue screen. To do that, after creating the VM, click on it in VirtualBox, then click the Settings gear button, then click Storage, then remove any hard drives from the SATA controller and add the “USGCB Windows7 SP1 x64 Enterprise – 20111014.vhd” hard drive to the IDE controller. Then start the VM.
5. Download the Debugging Tools for Windows (windbg) and install it on the Windows 7 VM:
6. Download and install Visual Studio community edition in the Windows VM

Instructor(s): Matt “scriptjunkie” Weeks

Matt “scriptjunkie” Weeks has extensive experience in information security operations, research, and software development. He currently leads root9B’s research and development arm. Previously, he was the Officer In Charge of the US Air Force’s Intrusion Forensics and Reverse Engineering lab, a lead network defense tactician, and led the creation of the Air Force’s Defensive Counter Cyber forces, tactics, and mission. As a researcher, he has uncovered vulnerabilities found to have affected millions of networks. As a developer, he was behind a significant portion of the Metasploit framework. His work has been featured in numerous national publications.

Purchase below:


Practical Network Signature Development for Open Source IDS

Course Description

In “Practical Network Signature Development for Open Source IDS” we will teach expert methods and techniques for writing network signatures to efficiently detect the greatest threats facing organizations today. Students will gain invaluable information and knowledge including the configuration, usage, architecture, traffic analysis fundamentals, signature writing, and testing of a modern network IDS, such as Suricata and Snort. Students will be provided with a custom Virtual Machine containing packet captures of real malicious traffic, preconfigured IDS engines, and various malware/PCAP analysis tools. This will provide students with hands on lab exercises designed to reinforce the concepts introduced. Lab exercises will train students how to analyze and interpret hostile network traffic into agile IDS rules for detecting threats, including but not limited to: Exploit Kits, Ransomware, Phishing Attacks, Crimeware Backdoors, Targeted Threats, and more. Students will leave the class armed with the knowledge of how to write quality IDS signatures for their environment, enhancing their organization’s ability to respond and detect threats.

Course Outline

Day 1

– Network Analysis Fundamentals
– IDS Engine Fundamentals
– Rule Writing Fundamentals
– Advanced Rule Features
– Writing Signatures for DNS
– Writing Signatures for HTTP
– Writing Signatures for SSL / TOR
– Writing Signatures for Custom Protocols

Day 2

– Malware Analysis Fundamentals – Network Focused
– Detecting Phishing Communications
– Detecting Ransomware Communications
– Detecting Exploit Kit Activity
– Detecting Targeted Threats
– Detecting Vulnerabilities
– Network Challenge

Required Materials

Basic knowledge of *nix and the command line
Basic knowledge of Wireshark/tcpdump
Basic TCP/IP knowledge

Laptop with at least:

VMware Player
VMware Workstation/Fusion
Available for free 30-day trial at
Administrative rights
No AV / Ability to temporarily disable
Please do not bring a company laptop containing sensitive materials or that you cannot modify

Instructor(s): Jason Williams, Jack Mott

Jason (JAe) is a Security Researcher on the Emerging Threats Research team at Proofpoint. When not writing signatures and fighting phishing, he works on Red Onion – a Centos/Redhat centric NSM solution combining Suricata, Bro, and Moloch. Outside of the infosec community, he can be found online delighting Destiny players with his average competency and robust fun-having abilities.

Jack is a Security Researcher on the Emerging Threats Research team at Proofpoint where he dissects malware and PCAPs all day long. When not poking and prodding at the nastiness that exists on the internet, he can be found enjoying the mountains on bike, foot, or skis. He runs a personal blog and can be reached via Twitter @malwareforme

Purchase Below:


Tactical Sec Ops: Cloud Edition – AWS

Course Description

By attending this course, students will explore and learn the various security controls available in the Amazon Web Services (AWS) environment. Working through real-world deployment and configuration scenarios, attendees will design and deploy a series of network systems within the AWS environment. They will also explore the various security controls within the AWS features such as VPCs, EC2 containers and S3 objects. Attendees will also explore the IAM featureset, how AWS enables security groups and controls such as Inspector and the AWS WAF.

Course Outline

Day One:
AWS Features
Understanding EC2
Creating hardened AMIs
Exercise: Creating a custom AMI
Creating instances securely
Exercise: Setting up Security Groups
IAM basics
Creating roles
Determining permissions
Exercise: Creating and managing IAM users
API setup and usage
API key concerns and setup
Protecting API keys
Exercise: API usage
Working with Buckets
Understanding Objects and Keys
Working with permissions
Standard interfaces
Exercise: Creating and working with S3
Understanding VPCs
Designing the VPC
Exercise: Designing and Creating a VPC
Building instances within a VPC
Segmenting and routing traffic in the VPC
NAT and proxies
Bastion Hosts
Exercise: Building instances within the VPC
Command-line tools
Controlling AWS from the CLI
Building and managing objects from the CLI
Securely using the CLI
Exercise: Using the CLI with AWS
Day Two
Automation within AWS
Ansible Basics
Ansible Playbooks and Roles
Dynamic AWS Hosts
Exercise: First Ansible Playbook
Configuring AWS for Developers
Git Configuration: Intro to AWS CodeCommit
Deploying Code with AWS CodeDeploy
Continuous Integration
Exercise: Working with CodeCommit and CodeDeploy
Monitoring AWS instances
Using the AWS API for monitoring
Critical events
Security Onion
Set up within AWS
Logging and monitoring
Exercise: Security Onion and AWS
Using the WAF
Rules sets
Exercise: Configuring and testing the WAF
AWS Inspector
Application testing
Testing with other toolsets
Exercise: AWS-hosted Application testing
Next Steps
Maintaining for future state
Final Exercise: Building a Production Network design

Required Materials

Attendees will bring a Windows, Linux or Mac laptop with a wireless adapter. They will also sign up for an AWS account that they have administrative privileges.

Instructor(s): Kevin Johnson – CEO – Secure Ideas, Jason Wood – Principal Security Consultant – Secure Ideas, Jason Gillam – Principal Security Consultant – Secure Ideas

Kevin Johnson is the Chief Executive Officer of Secure Ideas. Kevin has a long history in the IT field including system administration, network architecture and application development. He has been involved in building incident response and forensic teams, architecting security solutions for large enterprises and penetration testing everything from government agencies to Fortune 100 companies. In addition, Kevin was an instructor and author for the SANS Institute and is a faculty member at IANS.

Jason Wood is a Principal Security Consultant with Secure Ideas. He has over a decade of systems administration and security experience with the Windows and UNIX/Linux operating systems. He has spent most of his career in internet-based companies in security, application and infrastructure roles. These roles have required him to troubleshoot application issues, making different operating systems play well with each other and supporting developers during their projects. Jason was also responsible for vulnerability assessments, web application penetration testing and network security monitoring.
Jason has also spent a number of hours in front of an audience presenting on security topics at conferences and in classes. He has presented at Derbycon and the Utah Open Source Conference. Before coming to Secure Ideas, Jason taught classes on vulnerability management, event monitoring, and configuration auditing for Tenable Network Security. He also has been a mentor for SANS Security 504 – Hacker Techniques, Exploits and Incident Handling.

Jason Gillam is a Principal Security Consultant with Secure Ideas. He has over 15 years of industry experience in enterprise software solutions, system architecture, and application security. Jason has spent most of his career in technical leadership roles ranging from startups to fortune 100 companies and has learned the business acumen necessary to advise everyone from developers to senior executives on security and architecture.

Jason co-built and managed an award-winning ethical hacking program at one of the world’s largest financial institutions. He also provided numerous application security training and awareness briefings to a large internal technical audience and led the development of best practices code and documentation for the the same. Jason is especially passionate about integration of security best practices with the SDLC.

Purchase below:


Pwning and Responding to SCADA Devices and Networks

Course Description

Taught by two of the leading ICS security experts, this hands-on SCADA Security course features exercises and labs that are performed on a portable SCADA lab. The participant will achieve an understanding of SCADA devices, how they work, how to exploit and perform incident response on these devices. The students will have a chance to also work with and physically interact with multiple SCADA devices. In addition, defense mechanisms will be taught to ensure attack damage is kept to a minimum.

Course Outline

The course outline will contain:
Day 1:
1.1 Course Overview, Introductions and Ground rules
-Virtual machine install
1.2 ICS Systems Overview
1.3 Controllers, Embedded Systems and Protocols
-PLCS, DCS, Hybrid Controllers, PC-Control
1.4 SCADA and ICS Protocols
1.5 Working with Modbus, OPC, and HMIs
1.6 Tests performed against SCADA networks
-External Penetration Testing
-Internal Penetration Testing
-Vulnerability Assessments
-Wireless Audits
1.7 SCADA Vulnerability Assessment Methodology
-Vulnerability assessment against SCADA devices

DAY 2:
2.1 SCADA Exploitation
-Discuss SCADA exploitation
-Discuss methods for exploitation
-Perform exploitation of SCADA devices/embedded controllers
2.2 Introduction to SCADA Incident Response
-Concepts of SCADA Incident Response
-Phases of SCADA Incident Response
2.3 SCADA Incident Response Overview
-Challenges seen
2.4 SCADA Incident Response In-Depth
-How to perform SCADA Incident Response
-In Depth Incident Response against live Havex malware sample and custom created malware
-Lessons learned phase
2.5 SCADA Defense Mechanisms

Required Materials

Laptop capable of running 3 virtual machines or virtual box images.

Instructor(s): Kyle Wilhoit, Sr. Threat Reseacher, Trend Micro @lowcalspam, Stephen Hilt, Sr. Threat Researcher, Trend Micro @tothehilt

Kyle Wilhoit: Kyle Wilhoit, an internationally recognized speaker, has given talks at Blackhat US, Blackhat EU, FIRST, and on four continents. With his work featured in BBC, NBC, ABC, Wired, and other outlets- his research is recognized as some of the most unique around the world. As a Sr. Threat Researcher at Trend Micro, Kyle is responsible for hunting nastiness on the Internet, one bad guy at a time. Kyle has a Master’s and Bachelor’s degree and has worked at a large coal company and ISP performing threat intelligence and malware reverse engineering.

Stephen Hilt:Stephen Hilt has been in Information Security and Industrial Control Systems (ICS) Security for around 10 years. With a Bachelors Degree from Southern Illinois University, he started working for a large power utility in the South East of the United States. There Stephen gained an extensive background in Security Network Engineering, Incident Response, Forensics, Assessments and Penetration Testing. That is where Stephen started focusing on ICS Assessments, then moved to working as an ICS Security Consultant and Researcher for one of the most foremost ICS Security Consulting groups in the world. In 2014, Stephen was named as having one of the coolest hacks by dark reading for his PLCPwn, a weaponized PLC. As well, he has published numerous ICS Specific Nmap Scripts to Identify ICS protocols via native commands. Stephen now is at Trend Micro as a Sr. Threat Researcher, continuing ICS research, and diving into other areas of research. Over the past 10 years, Stephen has learned how to build, defend and attack ICS networks.

Purchase below:


Introduction to Malware Analysis

Course Description

Due to the prevalence and business impact of malware, security professionals increasingly need the skills necessary to analyze worms, bots and trojan horses. This two day course teaches attendees the proven concepts, techniques and processes for analyzing malware. Students will take multiple “”from-the-wild”” malware samples in a hands-on environment and learn how to analyze their characteristics and behavior to determine what they do and what risk they present. The course culminates in an analysis that utilizes all of the tools and techniques that have been learned.

No previous malware analysis experience is necessary as this course is designed for those who have never performed malware analysis before.

Course Outline

Day 1:

– Introduction to Malware Analysis
– Setting up a Lab
– Static Analysis
– File Identification
– Hashing
– Header Analysis
– Embedded Strings Analysis
– Packers

Day 2:
– Dynamic Analysis
– System Integrity Monitoring
– System Activity Monitoring
– Baselining
– Process Analysis
– Network Analysis and Monitoring
– Sandnets and Automation
– Advanced Malware Analysis Topics
– Malware Analysis Challenge

Required Materials

Students will be required to bring their own laptops for the class. Laptops will need a VMWare Workstation or VirtualBox installation with an install of Windows (XP or higher) as the guest OS prior to the class. If the base OS is Windows, an installation of Cygwin may be helpful as well. All other tools will be provided.

Instructor(s): Tyler Hudak

Tyler Hudak has more than 15 years of extensive real-world experience in incident handling, malware analysis, computer forensics, and information security for multiple Fortune 500 firms. Tyler has spoken and taught at a number of security conferences on the topics of malware analysis, incident response and penetration testing, and brings his front line experience and proven techniques to bear in the training. He currently works for a major medical institution as the team lead for the security operations center.

Purchase below:


Hack It and Track It

Course Description

Hack It and Track It is a two-day course designed for penetration testers and forensic investigators. Experts from Nuix’s Cyber Threat Analysis Team will cover cutting-edge techniques for compromising a target and then forensically investigating that breach.

Most penetration testers have limited knowledge regarding the residual trace data left behind by their activities. Similarly, most forensic investigators have only a rudimentary knowledge of how the attacks they investigate actually take place. What if you could see the attack as it happened and the indicators of compromise left behind by the breach?

Our expert trainers will lead you through two real-world scenarios. You will use your skills to compromise a host and extract target data. Then, you will utilize the indicators of compromise and trace evidence left behind by your activities to tell the story of what took place and how.

Course Outline

• Web vulnerability scanning
• Manually identifying SQL injection
• Basic SQL injection attacks
• Using sqlmap to gain access to data
• Data exfiltration

• Log file pattern recognition
• Identifying malicious agents
• Keyword identification and searching
• Understanding SQL queries

• Finding vulnerable applications
• Enumerating users and permissions
• Bypassing content restrictions
• Injecting code and remote execution

• Pulling techniques together
• Malware identification
• Analysis of malware
• Network analysis
• Mining packet capture files

Required Materials

Laptop with virutialization software

Instructor(s): Ryan Linn, Thomas McCarthy

Ryan Linn
Director Advanced Tactics and Countermeasures
Ryan has more than 15 years of experience in information security. He has worked as a technical team leader, database administrator, Windows and UNIX systems administrator, network engineer, web application developer, systems programmer and information security engineer. Ryan has delivered his research about ATM security, network protocol attacks, and penetration testing tactics. He also contributes to open source projects such as Metasploit, Ettercap, and the Browser Exploitation Framework.

Thomas McCarthy
Principle Security Consultant Advanced Threats and Countermeasures
With over 10 years’ experience in information security engineering, network security engineering, penetration testing, and information security consulting and more than 400 individual tests performed, Tom helps to lead our industry leading ATAC team. He is active in the information security community by contributing to and developing multiple open source security projects and conducting security research. Several of these projects including Metasploit, SMBExec, and Phishing Frenzy have been presented at security conferences including Derbycon, Black Hat, and DEFCON.

Purchase below:


Pen Testing with PowerShell

Course Description

Everyone’s talking about it, but are you in on the fun? Attendees will learn all the latest techniques that attackers and pen testers are using to make the pain as real as it can get!

This is an updated version of last year’s class. We’ll cover the latest findings including unmanaged code space and bypassing PowerShell 5’s __PSLockdownPolicy

Course Outline

Quick overview of PowerShell

How to use cmdlets as your attack platform

Building your lab — including a cloud setup

Using the current frameworks
– Empire
– Nishang
– NaishoDeNusumu

Day Two:
– Taking it to the next level
– Working on large networks

Required Materials

Laptop, VM instance of windows, and being ready to have fun and get their learn on!

Instructor(s): Adam Crompton, Mick Douglas

Adam Crompton:
Adam Crompton is a Senior Security Consultant with InGuardians where he specializes in Red Teaming, penetration testing, research and development, and architecture reviews. Adam has been a speaker at several security conferences and universities presenting on data exfiltration, antivirus evasion, powershell and honeypot tools he has developed. When Adam is not working he likes to spend time with the family and developing tools for Red Teaming.

Mick Douglas:
Mick (nick name Mickles) is the DFIR practice lead at Binary Defense. He is always excited for the opportunity to share with others so they do not have to learn the hard way! Please join in; security professionals of all abilities will gain useful tools and skills that should make their jobs easier. When he’s not “”geeking out”” you’ll likely find him indulging in one of his numerous hobbies; photography, scuba diving, or hanging around in the great outdoors. Hello Gents!

Purchase below: