The Associate Hacker's Curriculum - Level 2 (2025 Edition)

Target Role: Mid-Level Penetration Tester | Salary Range: $90k - $120k | Timeline: 18-24 months

🎯 The Goal: End-to-End Engagement Mastery

You've mastered web application security. You can find vulnerabilities. But can you run an entire engagement from start to finish?

This level transforms you from a vulnerability finder into a complete penetration tester who can:

  • Conduct scoping calls with clients
  • Follow PTES methodology professionally
  • Bypass modern security controls
  • Study and replicate latest bug bounty techniques
  • Provide specific, actionable remediation recommendations
  • Master web security AND specialize in a secondary domain

You should NOT be here unless you've mastered:

  • ✅ All OWASP Top 10 vulnerabilities (2024)
  • ✅ Burp Suite mastery (all modules)
  • ✅ Web application reconnaissance
  • ✅ Python/BASH scripting proficiency
  • ✅ Linux command line mastery
  • ✅ Can write professional penetration test reports
  • ✅ Completed 50+ PortSwigger labs
  • ✅ Solved 10+ HackTheBox machines

🎯 Core Focus: End-to-End Engagement Execution

The Reality Check

Junior pentesters find vulnerabilities. Mid-level pentesters deliver complete engagements.

You need to master:

  1. Scoping Calls - Define engagement scope, objectives, rules of engagement
  2. PTES Methodology - Follow professional penetration testing execution standard
  3. Control Bypass - Bypass WAFs, EDR, modern security controls
  4. Bug Bounty Research - Study latest techniques from HackerOne, Bugcrowd
  5. Remediation Expertise - Provide specific, actionable fixes
  6. Domain Specialization - Master web + choose a secondary domain

Table of Contents

  1. PTES Methodology - Professional Engagement Execution
  2. Scoping Calls & Client Communication
  3. Control Bypass Techniques
  4. Bug Bounty Research & Latest Techniques
  5. Remediation & Security Recommendations
  6. Domain Specialization - Choose Your Path
  7. Mobile Application Security - Deep Dive
  8. Network Security - Deep Dive
  9. Cloud Security - Deep Dive
  10. DevOps Security - Deep Dive
  11. AI Security - Deep Dive
  12. IoT Security - Deep Dive
  13. Binary Reverse Engineering - Deep Dive
  14. Advanced Web Application Security
  15. Practice Labs & Real-World Scenarios
  16. Certifications

PTES Methodology - Professional Engagement Execution

Critical: PTES (Penetration Testing Execution Standard) is the industry standard. You MUST follow this methodology for professional engagements.

The 7 Phases of PTES

| Phase | Description | Your Responsibilities | Best Resources |
|---|---|---|---|
| 1. Pre-engagement Interactions | Scoping, contracts, rules of engagement | Conduct scoping calls, define scope, set expectations | PTES Pre-engagement |
| 2. Intelligence Gathering | OSINT, reconnaissance, information gathering | Gather target information, identify attack surface | PTES Intelligence Gathering |
| 3. Threat Modeling | Identify threats, attack vectors, business impact | Model threats, prioritize attack vectors | PTES Threat Modeling |
| 4. Vulnerability Analysis | Identify and validate vulnerabilities | Find vulnerabilities, validate findings | PTES Vulnerability Analysis |
| 5. Exploitation | Exploit vulnerabilities, gain access | Exploit vulnerabilities, demonstrate impact | PTES Exploitation |
| 6. Post-Exploitation | Maintain access, pivot, data exfiltration | Maintain access, demonstrate business impact | PTES Post-Exploitation |
| 7. Reporting | Document findings, remediation recommendations | Write professional reports, provide remediation | PTES Reporting |

PTES Implementation Checklist

  • Can conduct pre-engagement scoping calls
  • Understand all 7 PTES phases
  • Can gather intelligence systematically
  • Can perform threat modeling
  • Can document methodology in reports
  • Can execute full engagement following PTES

Resources:


Scoping Calls & Client Communication

Critical: Scoping calls determine engagement success. You must be able to conduct professional scoping calls.

Scoping Call Essentials

| Topic | Questions to Ask | Why It Matters |
|---|---|---|
| Scope Definition | What systems/applications are in scope? | Prevents scope creep, sets boundaries |
| Objectives | What are the business objectives? | Aligns testing with business goals |
| Rules of Engagement | What techniques are allowed? | Defines testing boundaries |
| Timeline | What's the deadline? | Sets expectations |
| Access | What credentials/access will be provided? | Determines testing approach |
| Critical Assets | What are the most critical assets? | Focuses testing efforts |
| Out of Scope | What's explicitly out of scope? | Prevents misunderstandings |
| Communication | How should findings be communicated? | Sets communication protocol |

Scoping Call Template

Pre-Call Preparation:

  • Research client company (industry, size, public information)
  • Review previous engagement reports (if available)
  • Prepare questions based on engagement type

During Call:

  • Introduce yourself and your role
  • Explain PTES methodology
  • Ask scope-defining questions
  • Document everything
  • Set clear expectations

Post-Call:

  • Send follow-up email summarizing scope
  • Create statement of work (SOW)
  • Get written approval before starting

Client Communication Skills

| Skill | Description | Best Practice |
|---|---|---|
| Technical Translation | Explain technical findings to non-technical stakeholders | Use analogies, avoid jargon |
| Risk Communication | Explain business impact of vulnerabilities | Focus on business risk, not just technical |
| Status Updates | Regular communication during engagement | Daily/weekly updates |
| Finding Presentation | Present critical findings immediately | Don't wait for final report |

Resources:


Control Bypass Techniques

Critical: Modern applications have security controls. You MUST know how to bypass them.

WAF Bypass Techniques

| Technique | Description | Best Tutorial | Practice |
|---|---|---|---|
| Encoding Bypass | URL encoding, Unicode, hex encoding | PortSwigger: WAF Bypass | PentesterLab: WAF Bypass |
| Comment Injection | SQL comments, HTTP comments | PortSwigger: SQL Injection | PortSwigger SQLi Labs |
| Case Variation | Mixed case, case-insensitive bypasses | PortSwigger: XSS | PortSwigger XSS Labs |
| Whitespace Manipulation | Tabs, newlines, spaces | PortSwigger: WAF Bypass | Test various WAFs |
| Alternative HTTP Methods | PUT, PATCH, OPTIONS instead of POST | PortSwigger: HTTP Methods | Test different methods |
| Parameter Pollution | HPP (HTTP Parameter Pollution) | PortSwigger: Parameter Pollution | PortSwigger Labs |
| JSON Bypass | JSON-specific bypasses | PortSwigger: API Security | PortSwigger API Labs |
| GraphQL Bypass | GraphQL-specific bypasses | PortSwigger: GraphQL | PentesterLab: GraphQL |

EDR/AV Bypass Techniques

| Technique | Description | Best Tutorial | Practice |
|---|---|---|---|
| Process Injection | DLL injection, process hollowing | TryHackMe: Windows Fundamentals | TryHackMe Windows Rooms |
| Living Off The Land | Using legitimate tools (LOLBAS) | LOLBAS Project | TryHackMe: Windows Fundamentals |
| Unhooking | Bypassing API hooks | TryHackMe: Windows Fundamentals | Practice in lab |
| Shellcode Obfuscation | Encoding, encryption, packing | TryHackMe: Windows Fundamentals | TryHackMe Windows Rooms |

Modern Security Control Bypass

| Control | Bypass Technique | Best Tutorial | Practice |
|---|---|---|---|
| CSP (Content Security Policy) | CSP bypass techniques | PortSwigger: CSP | PortSwigger CSP Labs |
| CORS | CORS misconfiguration exploitation | PortSwigger: CORS | PortSwigger CORS Labs |
| Rate Limiting | Rate limit bypass techniques | PortSwigger: Rate Limiting | PortSwigger API Labs |
| 2FA/MFA | 2FA bypass techniques | PortSwigger: 2FA | PortSwigger Auth Labs |

Resources:


Bug Bounty Research & Latest Techniques

Critical: Bug bounty reports reveal latest attack techniques. Study them religiously.

Bug Bounty Platforms

| Platform | Description | Best For | Link |
|---|---|---|---|
| HackerOne | Largest bug bounty platform | Latest web vulnerabilities | HackerOne Hacktivity |
| Bugcrowd | Bug bounty platform | Mobile, web, API vulnerabilities | Bugcrowd Bug Bounty List |
| Intigriti | European bug bounty platform | European companies | Intigriti Programs |
| YesWeHack | Bug bounty platform | European focus | YesWeHack Programs |

How to Study Bug Bounty Reports

1. Read Reports Daily

  • Check HackerOne Hacktivity daily
  • Read Bugcrowd blog posts
  • Follow top hackers on Twitter/X

2. Replicate Techniques

  • Set up vulnerable environments
  • Replicate reported vulnerabilities
  • Understand the root cause

3. Document Learnings

  • Create personal knowledge base
  • Document bypass techniques
  • Build payload library

Latest Bug Bounty Techniques (2025)

| Technique | Description | Example Reports | Learn More |
|---|---|---|---|
| GraphQL Vulnerabilities | GraphQL-specific attacks | HackerOne GraphQL Reports | PortSwigger: GraphQL |
| API Security Issues | REST/GraphQL API vulnerabilities | HackerOne API Reports | PortSwigger: API Security |
| SSRF Chain Attacks | Multi-step SSRF exploitation | HackerOne SSRF Reports | PortSwigger: SSRF |
| Business Logic Flaws | Application logic vulnerabilities | HackerOne Logic Flaw Reports | PortSwigger: Logic Flaws |
| Race Conditions | TOCTOU vulnerabilities | HackerOne Race Condition Reports | PortSwigger: Race Conditions |

Top Bug Bounty Hackers to Follow

  • @stok - Bug bounty methodology
  • @jhaddix - Reconnaissance techniques
  • @nahamsec - Bug bounty education
  • @zseano - Bug bounty methodology

Resources:


Remediation & Security Recommendations

Critical: Finding vulnerabilities is only half the job. You MUST provide specific, actionable remediation.

Remediation Best Practices

| Principle | Description | Example |
|---|---|---|
| Specific | Provide exact code/config changes | "Use parameterized queries: `PreparedStatement stmt = conn.prepareStatement("SELECT * FROM users WHERE id = ?");`" |
| Actionable | Clear steps to implement | Step 1: Update code, Step 2: Test, Step 3: Deploy |
| Prioritized | Risk-based prioritization | Critical → High → Medium → Low |
| Business-Focused | Explain business impact | "This vulnerability could lead to data breach affecting 10,000 users" |
| Testable | How to verify fix | "Verify fix by attempting SQL injection - should return error" |

Remediation Templates

SQL Injection Remediation:

```text
Vulnerability: SQL Injection in login form
Risk: Critical
Impact: Complete database compromise

Remediation:
1. Use parameterized queries/prepared statements
2. Implement input validation
3. Use least privilege database accounts
4. Enable WAF rules for SQL injection

Code Example:
Before: "SELECT * FROM users WHERE username = '" + username + "'"
After:  PreparedStatement stmt = conn.prepareStatement("SELECT * FROM users WHERE username = ?");
        stmt.setString(1, username);
```

XSS Remediation:

```text
Vulnerability: Reflected XSS in search parameter
Risk: High
Impact: Session hijacking, credential theft

Remediation:
1. Implement output encoding (HTML entity encoding)
2. Use Content Security Policy (CSP)
3. Validate and sanitize input
4. Use framework's built-in XSS protection

Code Example:
Before: <%= request.getParameter("search") %>
After:  <%= ESAPI.encoder().encodeForHTML(request.getParameter("search")) %>
```
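The two templates above stop at the "Before"/"After" lines; the block below is an added example (not part of the curriculum or its author's code) that turns both into runnable form and adds the check the "Testable" principle asks for, so a report can state that the finding was re-run against the fixed code. It assumes an in-memory SQLite table with one constructed user (plaintext password only to keep the example short) and a hypothetical search page; the login and render functions are illustrative, not a real application's.

```python
import html
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample data: one user, so both login versions have a row to find.
    The plaintext password is a shortcut for the example; real apps store hashes."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    conn.execute("INSERT INTO users (username, password) VALUES ('alice', 'correct horse')")
    conn.commit()
    return conn


def login_before(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """'Before' from the SQLi template: string concatenation. User input is parsed
    as part of the SQL grammar, so a quote in the input rewrites the query."""
    sql = ("SELECT id FROM users WHERE username = '" + username
           + "' AND password = '" + password + "'")
    return conn.execute(sql).fetchone() is not None


def login_after(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """'After' from the SQLi template: parameterized query. The values travel
    separately from the statement text, so quotes in the input stay data."""
    sql = "SELECT id FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone() is not None


def verify_sqli_fix(conn: sqlite3.Connection) -> dict:
    """The 'Testable' principle: re-run the original finding against both versions
    and record the outcome. A tautology in the password field is the textbook
    login-bypass probe that the finding would have reported."""
    probe = "' OR '1'='1"
    return {
        "legit_before": login_before(conn, "alice", "correct horse"),
        "legit_after": login_after(conn, "alice", "correct horse"),
        "probe_before": login_before(conn, "alice", probe),  # True: bypass works
        "probe_after": login_after(conn, "alice", probe),    # False: fix holds
    }


def render_search_before(query: str) -> str:
    """'Before' from the XSS template: the search parameter reflected raw into HTML."""
    return "<p>Results for: " + query + "</p>"


def render_search_after(query: str) -> str:
    """'After' from the XSS template: HTML entity encoding, the stdlib counterpart
    of ESAPI's encodeForHTML for the HTML body context. quote=True also encodes
    ' and " so the same output is safe inside a quoted attribute value."""
    return "<p>Results for: " + html.escape(query, quote=True) + "</p>"


def verify_xss_fix() -> dict:
    """Same re-test for the XSS finding: the probe must come back as inert text."""
    probe = "<script>alert(1)</script>"
    after = render_search_after(probe)
    return {
        "before_contains_tag": "<script>" in render_search_before(probe),  # True
        "after_contains_tag": "<script>" in after,                          # False
        "after_rendered": after,
    }


if __name__ == "__main__":
    print(verify_sqli_fix(make_db()))
    print(verify_xss_fix())
```

Note that the parameterized version does not "return an error" on the probe, it simply finds no row; the report should describe the expected post-fix behaviour that precisely.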

Remediation Resources

| Resource | Description | Link |
|---|---|---|
| OWASP Cheat Sheets | Remediation guidance | OWASP Cheat Sheets |
| PortSwigger Remediation | Vulnerability-specific fixes | PortSwigger Web Security |
| CWE Mitigations | Common Weakness Enumeration mitigations | CWE Mitigations |

Domain Specialization - Choose Your Path

Critical: Web security is mastered. Now choose a secondary domain to specialize in.

Available Domains

| Domain | Description | Why Specialize | Difficulty | Market Demand |
|---|---|---|---|---|
| 🌐 Web Application Security | Already mastered | Maintain expertise | | ⭐⭐⭐⭐⭐ |
| 📱 Mobile Application Security | Android/iOS security | High demand, growing field | ⭐⭐⭐ | ⭐⭐⭐ |
| 🔌 Network Security (External) | External network pentesting | Foundational, always relevant | ⭐⭐ | ⭐⭐⭐ |
| 🏢 Network Security (Internal) | Internal network, Active Directory | High-value, complex | ⭐⭐⭐ | ⭐⭐⭐⭐ |
| ☁️ Cloud Security | AWS, Azure, GCP security | Explosive growth, high demand | ⭐⭐⭐ | ⭐⭐⭐⭐ |
| 🤖 AI Security | AI/ML system security | Emerging field, cutting-edge | ⭐⭐⭐⭐⭐ | ⭐⭐⭐⭐⭐ |
| 🔌 IoT Security | Internet of Things security | Growing field, diverse | ⭐⭐⭐⭐ | ⭐⭐⭐ |
| ⚙️ DevOps Security | Kubernetes, CI/CD security | Modern infrastructure, high demand | ⭐⭐⭐⭐ | ⭐⭐⭐⭐⭐ |
| ⚫ Binary Reverse Engineering | Exploit development, RE | Advanced, high-value | ⭐⭐⭐⭐⭐ | ⭐⭐ |

Domain Selection Guide

Choose based on:

  1. Interest - What excites you?
  2. Market Demand - What's hiring?
  3. Difficulty - Can you master it?
  4. Career Goals - Where do you want to be?

Recommended Paths:

  • Cloud Security - Highest demand, good salary
  • Internal Network Security - High-value, complex, always needed
  • DevOps Security - Modern, growing, high demand
  • Mobile Security - Growing field, good opportunities

Mobile Application Security - Deep Dive

Critical: Mobile apps are everywhere. Android and iOS security assessment is a high-demand skill.

Android Application Security

#1 Resource: HexTree Android Security Course - Free course developed in collaboration with Google. 12 micro-courses, 135+ videos, 70+ hands-on challenges. This is THE resource for Android pentesting.

Android Pentesting Fundamentals

| Topic | Description | Best Tutorial | Practice |
|---|---|---|---|
| Android Architecture | Components, activities, services, broadcast receivers | HexTree Android Course | HTB Academy Android Path |
| APK Structure | Android package format, DEX files, manifest | HexTree Android Course | Decompile APKs with APKTool |
| Static Analysis | Code review, manifest analysis, permission review | HexTree Android Course | MobSF Static Analysis |
| Dynamic Analysis | Runtime analysis, API monitoring, hooking | HexTree Android Course | Frida Dynamic Analysis |
| Root Detection Bypass | Bypassing root detection mechanisms | HexTree Android Course | Objection Root Bypass |
| SSL Pinning Bypass | Certificate pinning bypass techniques | HexTree Android Course | Frida SSL Pinning Bypass |
| Insecure Data Storage | SharedPreferences, SQLite, file storage | HexTree Android Course | Analyze app data storage |
| Intent Vulnerabilities | Intent injection, deep link attacks | HexTree Android Course | Test intent handling |

Android Pentesting Tools

| Tool | Purpose | Best Tutorial | Download |
|---|---|---|---|
| MobSF | Mobile Security Framework - static & dynamic analysis | MobSF GitHub | MobSF Install |
| Frida | Dynamic instrumentation toolkit | Frida Documentation | Frida Install |
| APKTool | APK reverse engineering | APKTool Documentation | APKTool GitHub |
| jadx | DEX to Java decompiler | jadx GitHub | jadx Releases |
| Objection | Runtime mobile exploration | Objection Documentation | Objection Install |
| Drozer | Android security assessment framework | Drozer Documentation | Drozer GitHub |
| Genymotion | Android emulator for testing | Genymotion | Genymotion Download |
| Burp Suite | Proxy for mobile app traffic | PortSwigger Mobile Testing | Burp Suite |

Android Practice Labs

| Platform | Description | Link |
|---|---|---|
| InsecureBankv2 | Vulnerable Android banking app | InsecureBankv2 GitHub |
| Damn Vulnerable Android App (DVAA) | Vulnerable Android app | DVAA GitHub |
| OWASP MSTG Crackmes | Mobile security testing challenges | OWASP MSTG Crackmes |
| HTB Academy Android Path | Comprehensive Android pentesting path | HTB Academy Android |

iOS Application Security

iOS Pentesting Fundamentals

| Topic | Description | Best Tutorial | Practice |
|---|---|---|---|
| iOS Architecture | iOS security model, sandboxing, entitlements | OWASP Mobile Security Testing Guide | DVIA iOS App |
| IPA Structure | iOS app package format | Apple Developer Documentation | Analyze IPA files |
| Mach-O Format | macOS/iOS binary format | Apple Mach-O Format | Analyze Mach-O binaries |
| Static Analysis | Code review, plist analysis, entitlements | OWASP Mobile Security Testing Guide | class-dump |
| Dynamic Analysis | Runtime analysis, method swizzling | Frida iOS | Frida iOS Scripts |
| Jailbreak Detection Bypass | Bypassing jailbreak checks | OWASP Mobile Security Testing Guide | Objection iOS |
| Keychain Analysis | iOS secure storage analysis | OWASP Mobile Security Testing Guide | Keychain-Dumper |
| SSL Pinning Bypass | iOS certificate pinning bypass | Frida iOS SSL | SSL Kill Switch 2 |

iOS Pentesting Tools

| Tool | Purpose | Best Tutorial | Download |
|---|---|---|---|
| Frida | Dynamic instrumentation for iOS | Frida iOS Docs | Frida Install |
| Objection | Runtime mobile exploration (iOS) | Objection iOS | Objection Install |
| class-dump | Objective-C class information extractor | class-dump | class-dump Download |
| Hopper Disassembler | macOS/iOS disassembler | Hopper | Hopper Download |
| PassionFruit | iOS app analysis framework | PassionFruit GitHub | PassionFruit Install |
| iLEAPP | iOS log analysis | iLEAPP GitHub | iLEAPP Install |

iOS Practice Labs

| Platform | Description | Link |
|---|---|---|
| DVIA | Damn Vulnerable iOS App | DVIA GitHub |
| iGoat | OWASP vulnerable iOS app | iGoat GitHub |
| OWASP Mobile Security Testing Guide | iOS pentesting methodology | OWASP MSTG |

OWASP Mobile Top 10 (2024)

| Rank | Vulnerability | Description | Best Tutorial | Practice |
|---|---|---|---|---|
| M1 | Improper Platform Usage | Misuse of platform features | HexTree Android, HTB Academy Android Path | Analyze platform usage |
| M2 | Insecure Data Storage | Weak data protection | HexTree Android | Find insecure storage |
| M3 | Insecure Communication | Weak network security | HexTree Android | Analyze network traffic |
| M4 | Insecure Authentication | Weak auth mechanisms | HexTree Android | Bypass authentication |
| M5 | Insufficient Cryptography | Weak encryption | HexTree Android | Analyze crypto |
| M6 | Insecure Authorization | Authorization flaws | HexTree Android | Find auth bypasses |
| M7 | Client Code Quality | Code vulnerabilities | HexTree Android, CodeReviewLab | Code review |
| M8 | Code Tampering | App modification | HexTree Android | Tamper with apps |
| M9 | Reverse Engineering | Code analysis | HexTree Android | Reverse engineer apps |
| M10 | Extraneous Functionality | Hidden features | HexTree Android | Find hidden features |

Mobile Security Resources:


Network Security - Deep Dive

Critical: Network security is foundational. You need both external and internal network pentesting skills.

External Network Security

| Topic | Description | Best Tutorial | Practice |
|---|---|---|---|
| External Reconnaissance | OSINT, subdomain enumeration, port scanning | HTB Academy External Pentesting | TryHackMe: OSINT |
| Port Scanning | Nmap, masscan, rustscan techniques | NetworkChuck: Nmap | Nmap Interactive Guide |
| Service Enumeration | Banner grabbing, service version detection | HTB Academy Network Enumeration | TryHackMe: Network Services |
| Vulnerability Scanning | Nessus, OpenVAS, Nuclei | Nessus Documentation | TryHackMe: Vulnerability Assessment |
| Exploitation | Public exploits, Metasploit | Metasploit Unleashed | TryHackMe Metasploit |

Internal Network Security & Active Directory

Critical: Internal network pentesting is high-value. Active Directory is everywhere in enterprise environments.

| Topic | Description | Best Tutorial | Practice |
|---|---|---|---|
| Active Directory Basics | Domain, forest, trust relationships | TryHackMe Active Directory | TryHackMe AD Rooms |
| AD Enumeration | Users, groups, computers, GPOs | TryHackMe: Active Directory Basics | TryHackMe AD Rooms |
| Kerberos Attacks | Kerberoasting, AS-REP roasting, Golden/Silver tickets | TryHackMe: Active Directory Basics | TryHackMe AD Rooms |
| Lateral Movement | Pass-the-Hash, Pass-the-Ticket, RDP, SMB | TryHackMe: Active Directory Basics | TryHackMe AD Rooms |
| BloodHound | AD attack path mapping | TryHackMe: BloodHound | BloodHound GitHub |
| Mimikatz | Credential extraction | TryHackMe: Active Directory Basics | TryHackMe AD Rooms |
| DCSync | Domain controller sync attack | TryHackMe: Active Directory Basics | TryHackMe AD Rooms |

Network Security Resources:


Cloud Security - Deep Dive

Critical: Cloud security is exploding. AWS, Azure, and GCP are everywhere. This is HIGH demand.

Cloud Security Fundamentals

| Cloud Provider | Key Services | Pentesting Focus | Best Tutorial | Practice |
|---|---|---|---|---|
| AWS | EC2, S3, IAM, Lambda, CloudFormation | IAM misconfigurations, exposed S3 buckets, Lambda security | TryHackMe AWS | TryHackMe AWS Rooms |
| Azure | Azure AD, Storage Accounts, Functions | Azure AD misconfigurations, storage account access | TryHackMe: Cloud Security | TryHackMe: Cloud Security Module |
| GCP | Compute Engine, Cloud Storage, IAM | IAM misconfigurations, bucket permissions | TryHackMe: Cloud Security | TryHackMe: Cloud Security Module |

Cloud Security Testing

| Topic | Description | Best Tutorial | Practice |
|---|---|---|---|
| Cloud Enumeration | Enumerating cloud resources | CloudBrute GitHub | TryHackMe: Cloud Security |
| IAM Misconfigurations | Overly permissive IAM policies | TryHackMe: Cloud Security | CloudGoat GitHub |
| S3 Bucket Security | Exposed S3 buckets, bucket policies | TryHackMe: AWS Security | CloudBrute GitHub |
| Cloud Metadata Attacks | Instance metadata service exploitation | TryHackMe: Cloud Security | CloudGoat GitHub |
| Container Security | Docker, Kubernetes security | TryHackMe: Docker | TryHackMe: Docker Module |

Cloud Security Resources:


DevOps Security - Deep Dive

Critical: DevOps security is modern infrastructure. Kubernetes, CI/CD pipelines are everywhere.

DevOps Security Fundamentals

| Topic | Description | Best Tutorial | Practice |
|---|---|---|---|
| Kubernetes Security | Pod security, RBAC, network policies | KodeKloud Kubernetes | TryHackMe: Docker Module |
| Docker Security | Container security, image scanning | TryHackMe: Docker | TryHackMe: Docker Module |
| CI/CD Security | Jenkins, GitLab CI, GitHub Actions security | HTB Academy DevOps | TryHackMe: CI/CD |
| Infrastructure as Code | Terraform, CloudFormation security | HTB Academy DevOps | CloudGoat GitHub |

DevOps Security Resources:


AI Security - Deep Dive

Critical: AI security is emerging. Understanding AI/ML vulnerabilities is cutting-edge.

AI Security Fundamentals

| Topic | Description | Best Tutorial | Practice |
|---|---|---|---|
| Prompt Injection | Injecting malicious prompts into AI systems | OWASP LLM Top 10 | Garak LLM Scanner |
| Model Poisoning | Training data poisoning attacks | OWASP LLM Top 10 | Research papers on arxiv.org |
| Adversarial Examples | Crafting inputs to fool ML models | OWASP LLM Top 10 | Research papers on arxiv.org |
| AI-Augmented Pentesting | Using AI tools (RapidPen, VulnBot) | RapidPen Research Paper | Garak LLM Scanner |

AI Security Resources:


IoT Security - Deep Dive

Critical: IoT devices are everywhere. Smart devices, embedded systems need security testing.

IoT Security Fundamentals

| Topic | Description | Best Tutorial | Practice |
|---|---|---|---|
| Firmware Analysis | Extracting and analyzing firmware | Firmware Analysis Toolkit | Firmware Samples |
| Hardware Hacking | UART, JTAG, SPI interfaces | OWASP IoT Top 10 | Hardware labs |
| IoT Protocols | MQTT, CoAP, Zigbee security | OWASP IoT Top 10 | IoTGoat GitHub |
| Embedded Device Security | Microcontroller security | OWASP IoT Top 10 | Hardware labs |

IoT Security Resources:


Binary Reverse Engineering - Deep Dive

Critical: Binary RE is advanced. Exploit development and reverse engineering are high-value skills.

Binary RE Fundamentals

| Topic | Description | Best Tutorial | Practice |
|---|---|---|---|
| ELF Analysis | Linux binary analysis | Ghidra Tutorial | pwnable.kr |
| PE Analysis | Windows binary analysis | IDA Pro Tutorial | Flare VM |
| Assembly Language | x86-64, ARM assembly | x86-64 Guide | Exploit Education |
| Exploit Development | Buffer overflows, ROP, heap exploitation | ROP Emporium | pwnable.kr |

Binary RE Resources:


Advanced Web Application Security

Critical: Web security is mastered, but you need to maintain and deepen expertise.

Advanced Web Topics

| Topic | Description | Best Tutorial | Practice |
|---|---|---|---|
| HTTP/2 & HTTP/3 Attacks | Request smuggling, cache poisoning | PortSwigger: HTTP/2 | PortSwigger Labs |
| Advanced SSRF | SSRF chain attacks, cloud metadata | PortSwigger: SSRF | PortSwigger SSRF Labs |
| Race Conditions | TOCTOU, time-based attacks | PortSwigger: Race Conditions | PortSwigger Race Condition Labs |
| Deserialization | Insecure deserialization | PortSwigger: Deserialization | PortSwigger Deserialization Labs |
| Template Injection | SSTI, template attacks | PortSwigger: SSTI | PortSwigger SSTI Labs |

Web Security Maintenance

  • Read latest OWASP updates
  • Complete new PortSwigger labs monthly
  • Study latest bug bounty reports
  • Practice advanced bypass techniques
  • Maintain Burp Suite proficiency

Practice Labs & Real-World Scenarios

End-to-End Engagement Practice

| Platform | Description | Best For | Link |
|---|---|---|---|
| HackTheBox | Realistic penetration testing | Full engagement practice | HackTheBox |
| TryHackMe | Guided learning paths | PTES methodology practice | TryHackMe Complete Beginner Path |
| PentesterLab | Web security exercises | Web application practice | PentesterLab |
| PortSwigger Labs | Web security labs | Advanced web exploitation | PortSwigger Labs |
| OWASP Juice Shop | Modern vulnerable app | OWASP Top 10 practice | Juice Shop |

Practice Engagement Workflow

1. Scoping Phase

  • Define scope and objectives
  • Set rules of engagement
  • Create engagement plan

2. Intelligence Gathering

  • Perform OSINT
  • Enumerate attack surface
  • Identify technologies

3. Vulnerability Analysis

  • Find vulnerabilities
  • Validate findings
  • Prioritize by risk

4. Exploitation

  • Exploit vulnerabilities
  • Demonstrate impact
  • Document techniques

5. Post-Exploitation

  • Maintain access
  • Pivot through network
  • Exfiltrate data (in lab)

6. Reporting

  • Write professional report
  • Provide remediation
  • Present findings

Certifications

Mid-Level Certifications

| Certification | Provider | Focus | Best Study Resource | Cost | Value |
|---|---|---|---|---|---|
| OSCP | Offensive Security | Hands-on exploitation | OffSec PWK Course | ~$1,499 | ⭐⭐⭐⭐⭐ |
| OSWE | Offensive Security | Web exploitation | OffSec AWAE Course | ~$1,499 | ⭐⭐⭐⭐⭐ |
| GPEN | GIAC | Penetration testing | SANS GPEN | ~$7,000+ | ⭐⭐⭐⭐ |
| GXPN | GIAC | Exploit development | SANS GXPN | ~$7,000+ | ⭐⭐⭐⭐ |

Recommended: OSCP first (most respected), then OSWE for web specialization.


Skills Checklist

Engagement Execution

  • Can conduct professional scoping calls
  • Understand and follow PTES methodology
  • Can execute full engagement end-to-end
  • Can communicate with clients professionally
  • Can write professional penetration test reports

Control Bypass

  • Can bypass WAFs (Cloudflare, AWS WAF, etc.)
  • Can bypass EDR/AV controls
  • Understand modern security controls
  • Can bypass CSP, CORS, rate limiting
  • Can bypass 2FA/MFA

Bug Bounty Research

  • Study HackerOne reports daily
  • Can replicate bug bounty techniques
  • Understand latest attack vectors
  • Document learnings systematically

Remediation

  • Can provide specific remediation recommendations
  • Understand business impact
  • Can prioritize vulnerabilities by risk
  • Can provide code examples for fixes

Domain Specialization

  • Web security mastered (maintained)
  • Chosen secondary domain
  • Deep expertise in secondary domain
  • Can assess secondary domain professionally

Next Steps

Master this level and you're ready for x03_Mid-Level where you'll become a true security consultant, specialize deeply, and lead engagements!

Remember:

  • Master end-to-end engagement execution
  • Follow PTES methodology religiously
  • Study bug bounty reports daily
  • Provide specific, actionable remediation
  • Choose and master a secondary domain

Last Updated: January 2025
Author: Kenneth Kasuba
Feedback: GitHub Issues