Training will be held on October 3rd and 4th, 2018.

  • Cost for Training is $1,200 per class.
  • Training ticket includes admission to the conference.
  • You do NOT need to purchase another ticket for admission.
  • Note that all tickets are non-refundable. No exceptions.
  • All training tickets are sold out.

Be sure to read the training course and ticket FAQ.

Training tickets are sold out. Thanks to everyone who makes DerbyCon successful!

Course name: Practical Web Application Penetration Testing (PWAPT)

Trainer name(s): Tim (@lanmaster53) Tomes

Course description: PWAPT provides comprehensive training on the latest open source tools and manual techniques for performing end-to-end web application penetration testing engagements. After a quick overview of the penetration testing methodology, the instructor will lead students through the process of testing and exploiting a target web application using the techniques and approaches developed from a career of real world application penetration testing experiences. Students will be introduced to the best tools currently available for the specific steps of the methodology, including Burp Suite Pro, and taught how to integrate these tools with manual testing techniques to maximize effectiveness. A major goal of this course is teaching students the glue that brings the tools and techniques together to successfully perform a web application penetration test from beginning to end. The end result is an individual with the confidence and skill set to conduct consultative web application penetration testing engagements.

The majority of the course will be spent performing an instructor led, hands-on web application penetration test against a target application built specifically for this class using a modern technology stack (Python Flask and React) and including real vulnerabilities as encountered in the wild. No old-school vanilla PHP stuff here folks. Students won’t be given overly simplistic steps to execute independently. Rather, at each stage of the test, the instructor will present the goals that each testing task is to accomplish and perform the penetration test in front of the class while students do it on their own machine. Primary emphasis of these instructor led exercises will be placed on how to integrate the tools with manual testing procedures to improve the overall work flow. This experience will help students gain the confidence and knowledge necessary to perform web application penetration tests as an application security professional.

PWAPT is a PortSwigger preferred Burp Suite Training course ( PWAPT students will learn basic and advanced usage techniques for Burp Suite Pro, as well as discover obscure functionality hidden within the vast capabilities of the tool. Students will also receive a ~2 week trial license for Burp Suite Pro to use during and after the course.

More info and testimonials can be found at

Course outline:

Day 1:

* Methodology

* Reconnaissance

* Mapping

* Automated Discovery

Day 2:

* Manual Discovery

* Exploitation

Course name: Modern Windows Attacks and Defense

Trainer name(s): Jared Haight and Sean Metcalf

Course description:  In this two day course, students will learn how to leverage built in Windows features and technologies to secure their environment from common (and uncommon) attacks. We’ll cover topics such as hindering lateral account movement, how to manage your environment without leaving your credentials all over the place, and how to detect and respond to malicious activity on your network.

The hands-on course starts out with protecting against very simple attacks and ramps up to more advanced attacks and solutions.  At each stage students will practice the attacks that are used in the wild and then implement security controls to stop them giving them an in-depth understanding of how to leverage and protect against a variety of attacks.

Course outline:

Day 1:

Protecting your privileged accounts

– Local Admin Password Management (including LAPS)

– Developing a Least Privilege Model

– Monitoring Privileged Groups

– Reviewing Role Access

Monitoring the Network

– Monitoring What Matters

– Monitoring PowerShell & Command Line Activity

– Sysmon

– Active Directory Event Auditing

– Detecting Attacks

– Windows Event Forwarding

Day 2:

Protecting the Network

– Attacking Legacy Protocols with Responder & Friends

– Hardening Windows Effectively

– Stopping Malicious Recon

– Windows Firewall

– Controlling Administrative Logon

– Protecting Credentials

– Application Whitelisting

– Windows 10 & Server 2016 Security Enhancements

Secure Administration: from PTH to PAW

– Common System Exploit Methods

– Disrupting the Attacker Playbook

– Credential Exposure

– Privileged Access Workstations (Admin Workstations)

– The New Standard for Domain Admins

– Tiered Model for the Real World

Implementation Guidance

– Supporting Legacy Applications

– Selling People on Security

– Building a Roll Out Plan

Course name: Introduction to Malware Analysis

Trainer name(s): Tyler Hudak

Course description: Due to the prevalence and business impact of malware, security professionals increasingly need the skills necessary to analyze ransomware, trojan horses and other computer viruses. This two day course teaches attendees the proven concepts, techniques and processes for analyzing malware. Students will take multiple “from-the-wild” malware samples in a hands-on environment and learn how to analyze their characteristics and behavior to determine what they do and what risk they present. The course culminates in an analysis that utilizes all of the tools and techniques that have been learned.

No previous malware analysis experience is necessary as this course is designed for those who have never performed malware analysis before.

Course outline:

Day 1:

– Introduction to Malware Analysis

– Setting up a Lab

– Static Analysis

– File Identification

– Hashing

– Header Analysis

– Embedded Strings Analysis

– .NET Malware Analysis

– Packers

Day 2:

– Dynamic Analysis

– System Integrity Monitoring

– System Activity Monitoring

– Baselining

– Process Analysis

– Network Analysis and Monitoring

– Sandnets and Automation

– Advanced Malware Analysis Topics (Document analysis, advanced unpacking techniques, etc.)

Course name: Dark Side Ops 2: Adversary Simulation

Trainer name(s): Nick Landers

Course description: Sophisticated adversaries are constantly setting and raising the bar for what are considered advanced attacks. Stealthy persistence, log and disk-less pivoting, advanced malware, custom exploitation, and unrelenting privilege escalation are just a few traits that comprise advanced adversarial trade craft. Adversary simulation is the next step in red team operations to better mimic the stealth, sophistication, and persistence of real-world adversaries. Challenge yourself to Dark Side Dev: Adversary Simulation, and move beyond reliance on the “”low-hanging exploitable fruit”” of unpatched systems, local admin privileges, clear-text passwords, and easy egress.

Dark Side Ops II: Adversary Simulation builds on Silent Break Security’s Dark Side Ops: Custom Penetration Testing training by furthering participants’ abilities to think, operate, and develop tools just like sophisticated, real-world attackers. If you want to 1) build confidence in your offensive approach and capabilities, 2) learn about and implement the techniques of stealthy malware and backdoors, and 3) achieve the operational results of a sophisticated adversary, then Dark Side Ops II: Adversary Simulation is for you.

Dark Side Ops II: Adversary Simulation provides participants with hands-on labs over an intense, two-day course.

– Discover new external attack techniques to gain stealthy internal network access without social engineering

– Leverage configuration weaknesses to fully compromise database servers

– Reverse engineer .NET applications to identify 0-day vulnerabilities

– Bypass even the tightest of egress controls through custom code execution techniques

– Learn about and perform disk-less pivoting techniques

– Implement the latest in code and DLL injection techniques completely undetectable by AV

– Learn about and bypass the latest in application whitelisting

– Prevent and block defensive incident responders from analyzing your tools, payloads, and backdoors

– Build easy-to-use and versatile malware, backdoors, and loaders to diversify your toolset and capabilities

As part of the course, participants will receive access to multiple virtual machines where their skills and proficiency will be challenged through a series of intense, hands-on lab exercises. Participants will also be provided with a LOT of custom code to facilitate their learning process and push them to consider improved attack techniques and new attack vectors.

Go custom or go home!

Course outline:

Day 1:

1 Open source recon/research – Intro to Slingshot

2 Automating infrastructure deployment – Ansible

3 Initial access techniques – OLE and HTA

4 Sandbox evasion – HTA and in-memory malware

5 App whitelisting bypasses – InstallUtil and .NET

6 User profiling

Day 2:

7 Introduction to rootkits – Process hiding

8 Hooking the network – Filtering packets

9 Triggerable implants – ICMP packet to rootkit filter to payload execution

10 Advanced Windows persistence – COM hijacking

11 Advanced Windows Privilege Escalation – Custom service exploitation

Course name: Advanced Security: For Hackers And Developers

Trainer name(s): Dr. Jared DeMott

Course description: As we learned in our first class (Application Security: for Hackers and developers), there are almost always bugs in code. We found them by auditing, fuzzing, and reversing code. Then we crafted exploits. To counter this reality, vendors have developed a variety of protections.

In this class we continue the battle. We describe a number of modern day systems which are likely targets of exploitation.  The first day is all about instruction and labs around finding bugs in an IoT, Embedded/ICS, and Auto systems. Our build-and-break teaching style provides the tools for vulnerability researchers, security engineers, and developers to perform cutting edge work.

The second half of the class is all about Windows code. You will learn how to debug, audit, fuzz, and exploit the browser and kernel. The class is fast pasted, but low stress and fun. Prepare to learn!

Course outline:

Day 1 – IoT, Embedded, and Automotive

The first day is all about instruction and labs around finding bugs in an embedded systems.  We will describe the processes and likely targets, and begin a real-world hunt through interesting code to find and exploit bugs – just the type of activities security researchers, pentesters, and security engineers of all kinds might be asked to do.

We will do:

– Firmware unpacking

– Code analysis and reverse engineering

– Bug Hunting via static and dynamic techniques

– Exploitation

Day 2 – Windows Browser and Kernel Hacking

ROP, EMET, & Use-after-free

Lecture: Browser vendors have added UaF protections

Lab: Bypass Isolated Heap and Deferred Free


Control Flow Integrity

Lecture: Describe new feature in VS 2015, used to protect program execution

Lab: Bypass Microsoft’s Control Flow Guard


Browser Extension Exploitation

Lecture: Discuss flash and describe an exploit that was disclosed as part of the Hacking Team fiasco

Lab: Understand and work with the exploit


Kernel Debugging

Lecture: Discuss the Windows Architecture, including the principles and components of the Kernel

Lab: Learn how to debug system code


Kernel Auditing

Lecture: Windows drivers- how they work and how to find bugs in them

Lab: Find bugs in the provided driver code


Kernel Fuzzing

Lecture: Syscalls, IOCTLs, User/GDI, Networking/IO stacks, etc.

Lab: Perform GDI/Font fuzzing


Kernel Exploitation

Lecture: Teach about kernel exploits and defenses

Lab: Examine details of two kernel exploits: how ROP and actual elevation works

Course name: Application Security: For Hackers and Developers

Trainer name(s): Dr. Josh Stroschein and Dr. Jared DeMott

Course description: There are four technical skills required by security researchers, software quality assurance and test engineers, or developers concerned about security: Source code auditing, fuzzing, reverse engineering, and exploitation. Each of these domains is covered in detail. Code has been plagued by security errors resulting from memory corruption for a long time. Problematic code is discussed and searched for in lectures and labs. Fuzzing is a topic book author DeMott knows about well. Mutation, framework, and genetic fuzzers (Peach, AFL, etc) are just some of the lecture and lab topics. When it comes to reversing C/C++ (Java and others are briefly discussed) IDA pro is the tool of choice. Deep usage of this tool is covered in lecture and lab. Exploitation discussions and labs are the exciting final component. You’ll enjoy exploitation basics, and will also use the latest techniques.

Course outline:

Day 1:

Source Code Auditing

Understanding how and when to audit source code is key for both developers and hackers. Students learn to zero in on the important components. Automated tools are mentioned, but auditing source manually is the focus, since verifying results is a required skill even when using automated tools. Spotting and fixing bugs is the focus.


Fuzzing is a runtime method for weeding out bugs in software. It is used by a growing number of product and security organizations. Techniques such as dumb file fuzzing, all the way up to distributed fuzzing, will be covered. Students will write and use various fuzzers.


Reverse Engineering

Students focus on learning to reverse compiled software written in C and C++, though half-compiled code (.net, Java, etc) is mentioned as well. The IDA pro tool is taught and used throughout. Calling conventions, C to assembly, identifying and creating structures, RTTI reconstruction are covered. Students will also use IDA’s more advanced features such as flirt/flare, scripting, and plug-ins.


Students will walk out of this class knowing how to find and exploit bugs in software. This is useful to both developers and hackers. The exploit component will teach common bug type such as: stack overflows, function pointer overwrites, heap overflows, off-by-ones, FSEs, return to libc, integer errors, uninitialized variable attacks, heap spraying, and ROP. Shellcode creation/pitfalls and other tips and tricks will all be rolled into the exciting, final component.

Course name: Advanced Open Source Intelligence for Social Engineers

Trainer name(s): Ryan MacDougall

Course description: Information is the lifeblood of the social engineer. But there is now so much information available that it can be overwhelming. How can we dial in and narrow your focus in ways that will enhance your social engineering abilities? This course will show you the techniques, tricks, and tips used by the professional social engineering penetration testers of Social-Engineer, LLC. This two-day course is not a laundry list of tools. We will also share the methodology, processes, and our own experiences that allow us to successfully apply information to plan and launch realistic SE scenarios for our clientele. Having the information is only half of what you need.

Lots of tools are nice, but we find that just 3-4 can get the job done 100% of the time. This class is designed with a live practical certification as part of the class that you will get a chance to put your skills to applicable use – live and in person.

Course outline:

Day 1:

Non-Technical OSINT

Observational Skills


Google Hacking

Day 2:


Social Media Recon

Practical Certification

Course name: Memory-Resident Code: Analysis, Detection, and Development

Trainer name(s): Matt “scriptjunkie” Weeks

Course description: This two-day class introduces students to Windows memory-resident malware techniques, analysis, and defenses. Students will learn how memory-resident malware is created and operates invisible to many defenses, with real-world examples and context. Students will also gain understanding of how the Windows operating system manages memory and active defense techniques to detect and eradicate memory resident malware.

Course outline:

Day 1:

– Introduction

– Windows Memory Basics – Allocations, Paging, Permissions, and Mapping

– Powershell Basics

– Scanning Methodologies

– Live analysis tools

– Memory dump analysis tools

– Signs of Malware in Memory

– Case studies; memory-resident code, packers, rootkits

– Malicious memory contents; signs of loaded code

– Assembly basics and opcodes

– Shellcode structure

– Day 1 final exercise

Day 2:

– Development environment setup and shellcode harness

– General development strategies

– API lookup; hash vs name

– Function tables

– Reflective loading

– Injection techniques and exercises

– Remote allocation and thread spawning

– DLL loading

– Asynchronous procedure calls

– Process hollowing

– Write-only method

– Section mapping

– Combined techniques

Course name: Achieving Security Awareness Through Social Engineering Attacks

Trainer name(s): Jayson E. Street and April Wright

Course description: The ability to “think like an attacker” is the best way to defend against attacks. Your employees are your biggest asset, but also at the biggest risk for social engineering (SE). Awareness is the best defense against SE threats. Through hands-on exercises using software and hardware tools, SE risks will be discussed and evaluated with an emphasis on developing awareness programs. Class activities will introduce students to profiling the online presence of employees and enterprises, as well as performing hands-on attacks against WiFi and computers. After successful completion of this course, students will have a better understanding of how to detect and/or prevent to SE events by looking at their defenses from a different perspective. Students will gain insight into how to educate others and create greater awareness about the various dangers that can occur. The primary goal of this course is to substantially increase the security posture of an organization by implementing changes to better handle malicious SE attacks. This 2-day course will use current Red Team strategies to develop a better understanding of how attackers use SE, as well as provide methods to prevent and detect these attacks via awareness programs and “teachable moments”.

Course outline:

Day One:

A custom Hak5 Field Kit will be provided to each student for use during the class, which students will be able to keep and take home.

Brief Intro to Social Engineering

– Methods

– How does it work

– Why does it work

Recon Phase


– Social Media opportunities

– Other sources of value

– Browser recon

– Case Study

– Exercise

Attack Phase: No-tech

– Pretexting basics, methods

– Phishing and Spearphishing

– Case Study

– Exercise

Attack Phase: Technical

– Wired Networks

– Wireless Networks

– Physical Attacks

– Payloads

– Hak5 LAN Turtle

– USB Thumbdrive

– Hak5 Bash Bunny

– Exercise

Day 2:

Attack Phase: Technical (continued)

Hak5 WiFi Pineapple

– Walkthrough

– Instruction

– Exercises

Building Awareness Programs

– Steps and Strategy

– Getting Buy-in

– Creating Effective Policy

– Exercise

– Ways to Engage Users

– Practical tips, everyday activities

– Testing Goals, Scenarios

– Example Checklists and User Guides

Course name: Adversarial Attacks and Hunt Teaming (Red Team vs. Blue Team) Hands-On

Trainer name(s): Larry Spohn and Ben Ten

Course description: This course is completely hands-on, focusing on the latest attack techniques and building a defense strategy around them. This workshop will cover both red and blue team efforts and provide methods for understanding how to best detect threats in an enterprise. It will give penetration testers the ability to learn the newest techniques, as well as teach blue teamers how to defend against them.

This course is completely hands on!

This course applies real-world offense and defense capabilities to truly paint the full picture of understanding how attacks happen today and how to best prevent them.

This is a new course and is completely fresh. It contains all of the latest pentester methods as well as unreleased methods for detecting attacks.

Students can have a penetration testing background, or someone that focuses on defense.

Course outline:

Day 1

  • Introduction to Attacker Techniques
  • Common Methods for Exploitation
  • Methods for Persistence and Evasion
  • Lateral Movement and Pivoting
  • Circumventing Security Defenses
  • Understanding Attacker Mindsets
  • Performing an adversarial simulation
  • Simulated Attack Scenario on Live Network

Day 2

  • Social Engineering and physical attacks
  • Developing a Common Defense
  • Introduction to Hunt Teaming
  • Performing a hunt team exercise
  • Tools, tricks, and free scripts!
  • Identifying threats on the network
  • Identifying threats on the endpoint
  • Using existing technology in the network

Course name: Practical Signature Development for Open Source IDS

Trainer name(s): Jason Williams and Jack Mott

Course description: In Practical Signature Development for Open Source IDS we will teach expert methods and techniques for writing network signatures to efficiently detect the greatest threats facing organizations today. Students will gain invaluable information and knowledge including the configuration, usage, architecture, traffic analysis fundamentals, signature writing, and testing of an Open Source IDS like Suricata and Snort. Students will be given handouts to help them understand and develop their own network signatures. Updated lab exercises featuring current threats will train students how to analyze and interpret hostile network traffic into agile rules for detecting threats, including but not limited to: Exploit Kits, Ransomware, Cryptocurrency Miners, Phishing Attacks, Malicious Documents, Crimeware Backdoors, and Targeted Threats. Students will leave the class armed with the knowledge of how to write quality signatures for their environment, enhancing their organization’s ability to respond and detect threats. The class is very hands-on with a robust workbook featuring exercise walkthroughs/explanations and a physical copy of the material presented. The class exercises feature paths for those that are brand new to writing signatures and signature experts who dream in pcre. The class has been updated for Derbycon 8 with new exercises and the latest Suricata functionality such as the SMB2/3 protocol, whitespace transforms, and new detection buffers.

Course outline:

Day 1:

Network and Malware Analysis Fundamentals

IDS Engine Fundamentals

Rule Writing Fundamentals

Writing Signatures for DNS

Writing Signatures for HTTP

Writing Signatures for SMB

Day 2:

Advanced Rule Features

Writing Signatures for SSL / TOR

Detecting Cryptocurrency Miners

Detecting Phishing Communications

Detecting Ransomware Communications

Detecting Exploit Kits

Detecting Malicious Documents

Detecting Targeted Threats

Course name: PowerShell for Blue/Red Teams

Trainer name(s): Carlos Perez and Jose Quinones

Course description: This course will cover from basics to advance use of Windows PowerShell for the the security professional that works either in a Blue or Red Teams.

Course outline:

–  PowerShell Login

–  Logging per version of PS

–  Bypass of PowerShell Logging

–  Obfuscation

–  Mitigations

–  PowerShell Execution

–  Using PowerShell.exe

–  General considerations

–  Macros

–  HTA files

–  Using the PowerShell Engine

–  .Net Executable using System.Management.Automation.dll

–  WMI win32_process

–  PowerShell in Post Exploitation

–  Enumeration

–  AD via ADSI

–  WMI Basics

–  Persistence

–  Scheduled Task

–  WMI Permanent Events

–  Mitigations

And much much more.

Course name: Advanced Attack Infrastructure

Trainer name(s): Jason Lang

Course description: Still sending shells directly to your private C2 server? This course will teach you how to proxy your traffic through the cloud (AWS), ensuring your C2 endpoints are protected at all times. We will cover dealing with incoming sandbox connections, domain categorization, and complete infrastructure buildout start to phish. 🙂

Students will come away with full knowledge of how to build out a red team infrastructure capable of handling the demands of modern red teaming, including supporting multiple team members and clients simultaneously while ensuring your C2 servers are protected from prying defenders.

Course outline:

Day 1:

Infrastructure Design

Proxying vs Redirecting

Apache & Apache Modules

Proxy Cloud Buildout

Automation & Security

Domain Categorization & URL Filtering

Day 2:

C2 Endpoint Design & Installation

Proxying DNS Channels

Domain Fronting

Handing Sandboxes

Payload Crafting

Putting It Together

Course name: Evil Mainframe Penetration Testing

Trainer name(s): Philip “Soldier of FORTRAN” Young and Chad “Big Endian Smalls” Rikansrud

Course description: Have you ever been mid pentest with mainframe credentials and thought ‘now what?’ Or were you ever asked to do a mainframe pentest and didn’t even know where to start? Maybe you’re a sysprog and think your systems are impenetrable. No matter your background this course is for you!

This course provides training on mainframe penetration testing using the most recent and up to date attack vectors. Walking through techniques for gaining system access, performing end-to-end penetration tests, and teaching you to ‘own’ the mainframe.

After a quick overview of how z/OS works and how to translate from Windows/Linux to “z/OS” the instructors will lead students through multiple real world scenarios and labs against a real live target mainframe brought on site for the training. The areas explored in this course include VTAM, CICS, TSO, Unix and Web. Students will be given access to this mainframe environment for the duration of the course where they will learn to navigate the operating system, learn some of the misconfiguration targets and privilege escalation techniques. They will get introduced to the open source tools and libraries available for all the steps of a penetration test including Nmap, python, kali, and metasploit as well as being able to write their own tools on the mainframe using REXX, JCL, C and CLISTs.

The majority of the course will be spent performing instructor led hands on mainframe testing with tools provided by the instructors. Goals for each segment will be laid out with appropriate time afforded to students to allow them the ability to gain a deep understanding of how a mainframe pentest could and should be performed. Exercises will be based on real world attack scenarios.

While this class is outlined as a beginner class to mainframe hacking the attendee should have knowledge of IT security, penetration testing and very basic Python.

Course outline:

Day One: Mainframe Basics, User Interaction, Scripting, Network Protocols & Security

– About us and the course

– Mainframes: A *brief* History

– z/OS Basics


– Unix



LAB: Creating a folder on a mainframe. Copy/Pasting to that folder. Writing JCL, submitting the job and viewing the output.

– Patching

– System Startup Understanding the boot process

– Storage (Memory)

– Security: How security is handled on mainframes and what to look for

LAB: RACF commands, accessing dataset in warning mode. Submitting JCL with ‘SURROGAT’ authority

– Writing *real* JCL

– Writing REXX

– Writing CLISTs

– Writing and compiling C

LAB: Write REXX script to create a reverse shell. Compile C program to create reverse shell.

– Writing HLASM

– CICS: Understanding how CICS works and used in the enterprise

LAB: Connecting to CICS, accessing a transaction and gathering information

– TN3270: How the major mainframe protocol works and how to use it to our advantage

LAB: Using TN3270 python script to hack poorly coded TN3270 apps


Day Two: Let’s Hack a Mainframe!

– Reconnaissance

– OSINT and the Mainframe

– Using Nmaps *new* tn3270 library

– Writing your own Nmap scripts to target mainframe applications

LAB: Using Nmap enumerate LU names, VTAM Application IDs, CICS transactions.

– System Interaction/Shells

– Breaking in through TSO, CICS, Web

– Using Python for infil/exfil

– Using x3270 & s3270 scripting

LAB: Using Python and Tn3270 to automate

– CICS Security Bypass

– Using CICS to get a shell

LAB: CICSPwn reverse shell

– FTP and JCL

LAB: Using FTP and JCL to run a job & get a shell.

– Automating it all with metasploit

– System Enumeration

– Gathering system information

– SuperC

– Memory storage locations

– Enum (rexx script)

– SETRCVT (rexx script)

LAB: Identify all APF authorized libraries

– Offline Cracking

– How passwords are stored

– Where they are stored

– Understanding the hashing algorithm

– Cracking the passwords with John/Hashcat

– Privilege Escalation


– Warnmode

– BPX.Superuser

– SURROGAT authority

– Search/SuperC

– APF Authorized

LAB: Using ELV.APF (rexx script) to escalate privileges

– Review

– Cover any questions/remaining items


– The last hour is a mainframe CTF which uses everything learned in the class to ‘own’ a mainframe.

– Students attack the in-house mainframe to gain points. First team to get the highest wins!