Pentesting Training

Teach your team to think and act like an attacker

duration
2 or 3 Days
Kind
Course
where
Inhouse or Remote
language
German or English

Hands-on pentesting exercises

Prior to conducting the training with your team, we’ll have an initial scoping meeting. This session is designed to customize the course to your specific requirements, helping us decide on the most suitable approach and focus areas to address your needs effectively.

In my hands-on pentesting training, we will attack my training web application targets (spawned in my cloud for each participant). The participants will learn how to use professional security tools through numerous practical exercises as well as the general procedure of pentesters when attacking web applications and backends.

The attack paths learned in this training include pivoting and post-exploitation for a deeper persistence in the attacked system. Interactive engagement elements via Workshop Board keep participants involved throughout the session, whether attending remotely or on-site.

The training can either use the open-source intercepting proxy OWASP ZAP or the more pentester oriented Burp Suite Pro, depending on your choice.

My hands-on pentesting training is highly modular—you can choose which vulnerabilities and exploit styles your team wants to focus on.

Select from the following topics to tailor the training to your needs:

  • Injection Vulnerabilities, including Post-Exploitation towards Remote Code Execution (RCE)
  • XML External Entity Attacks (XXE)
  • Path-Traversals (including ClassPath-Traversals)
  • Cross-Site Scripting (XSS): Reflected, Persistent, DOM-based and different contexts
  • Session Attacks, etc.
  • Authentication Bypass
  • Information Disclosures
  • Server-Side Request Forgery (SSRF), especially in cloud-based environments
  • Attacks on File-Uploads and -Downloads
  • Attacks on WebSockets
  • Java Deserialization Vulnerabilities & Attacks: Trigger-, Abuse-, Bypass-, and Golden-Gadgets
  • In-band signaling: Time-based & Denial-of-Service
  • Out-of-band signaling: Generic DNS-Payloads
  • Advanced XML Attacks (leading to RCEs)
  • JSON Attacks (leading to RCEs)
  • GenAI & Agentic Systems: Prompt Injection Exploitation, RAG Data Poisoning, MCP Tool Poisoning & Rug Pulls
  • Analyzing security of Low-Code/No-Code Platforms
  • Checking Passkey implementation security
  • Attempting container breakouts
  • and many more, pwning all the things…

This hands-on offensive training teaches how to find these vulnerabilities (even the hard to find ones) and how to exploit them fully (including post-exploitation). If instead you’re more defensive-oriented and interested how to avoid and remediate these vulnerabilities in a defense-in-depth style, the Web Security Bootcamp might be of more interest to you.

What participants will receive

All my trainings can be held in German (native speaker) or English (business fluent).

Participants receive the following along with my training:

  • Access to cloud-based training environments (individually spawned for each participant).
  • All slides and workshop material as a set of PDFs.
  • Lifetime access to GitHub and DockerHub repos with my training environments in order to recap all exercises with a working setup (including freshly added stuff in the future).
  • Support via mail for setup and exercise handling afterwards.
  • Printed and signed Certificate of Participation listing the training contents.

Interested in your organization’s individual quote? Let’s talk

Different Options

As always in life, there is no one-fits-all solution. So regarding the concrete setup and execution of my trainings and workshops, you have different options and variants to choose from.

Fully customizable training agenda

In case you want certain aspects of your technology stack or specific internal process or tools covered during the training: The training agenda can be customized to your needs, resulting in an individual setup and content.

On-site or Remote? – Choice is yours!

My trainings and workshops can be executed on-site (either directly at your office or at one of my training sites) as well as fully remote for home-office workers. Even hybrid variants are possible, where some remote-only workers can join online, while I execute the training on-site for the majority of the participants. I’ve already conducted numerous online-based variants of my training, even for bigger audience groups.

Either way, participants just need a browser as nothing needs to be installed locally, since my training runs with participant-individual environments in my cloud.

Alternative option: Professional training recording

In case you would like to have a customized version for your company recorded as a set of chapters and lessons for your in-house video-based electronic learning platform: Let’s talk

I can record a customized training session (without participants) and provide you with professionally cut chapters exported as SCORM (useful for import into LMS systems), MPEG, and other formats. This package includes digital training slides and the runnable training environment for local offline training. If you and all participants prefer to record a live training while being held, this is also possible and would produce a video handout of the full course.

That way, several companies have successfully enriched their own internal video-based training offers with my hands-on security workshops imported into their own electronic learning platforms.

Professional training recording

Testimonials

What Customers Are Saying

A great seminar. Please keep the content and methodology unchanged!

Training Participant

Very strong expertise — responded very well to follow-up questions.

Workshop Participant

Thank you very much for your training! It was very interesting and packed with knowledge. People on the team learned a lot and speak about it positively.

Training Participant

From my side, thanks again for running the training. Participant feedback was positive across the board, always with the note that the training fits our company well.

Training Organizer

Thank you so much for such an interactive session — really enjoyed it and learned a lot.

Training Participant

Very strong on content — excellent presentation.

Training Participant

Thank you so much for the valuable input. Especially the insights about agentic AI security were very helpful.

Training Participant

Just wanted to share feedback on the past three days: the training matched my expectations exactly. The topics covered and the mix of practical and theoretical parts were perfect. Your years of experience really show.

Training Participant

Time well spent! Thanks a lot, I thoroughly enjoyed the training and depth of content.

Training Participant

Your passion for security is contagious :)

Training Participant

Thank you for the great training — it was exactly what I had in mind for my team! I expect we’ll repeat it with other employees soon.

Product Security Manager

Super exciting and varied! Thank you!

Training Participant

Thanks for the training! It was varied and the different interactive elements kept it engaging. We took away a lot! Looking forward to possible future collaboration.

Training Participant

This was my second time with you, Christian. Very interesting again and a lot of fun!

Training Participant

Thanks again for today’s session! I have to say, every time I’m impressed by how quickly you dive into complex topics, ask critical questions, and provide valuable input. Truly fascinating!

Threat Modeling Customer

Thanks a lot for sharing such great insights with us!

Training Participant

I found the training overall very informative and helpful. The explanations were clear and well structured. Important security concepts were covered with plenty of examples to illustrate them. I took away a lot. Thank you for the training :)

Training Participant

Thanks a lot, I liked the format and the workshop as a whole very much, very engaging, great job, learned quite a bit.

Training Participant

Thanks a lot! Also for the brilliant explanations and well-presented practical examples!

Training Participant

Very intensive seminar, presented very clearly and well!

Training Participant

Insider knowledge from pentesting came through clearly. Broad coverage, strong expertise, and you tailored the content to the technologies we actually use. Technically, pedagogically, and personally excellent — you handled questions well and the structure worked really well.

Training Participant

Excellent example applications — you explain things very clearly.

Training Participant

Very high level of expertise! Pedagogically excellent. Interesting with lots of practical exercises. A seemingly “dry” but very important topic was conveyed and communicated really well.

Training Participant

Very interesting, very practical, engaging — and an answer to everything ;)

Training Participant

I really enjoyed the training thank you so much! 🙏 It was an interactive and insightful session. I became more aware of security tools and how to use them effectively. Thanks again for sharing such valuable insights with us. I really appreciate it!

Training Participant

Thank you Christian! Superb content and explanations, I learned a lot.

Workshop Participant

Participants were thrilled with the training — hardly any survey scores this well! We’re glad feedback was so positive and that participants got so excited about the topic! We really hope we’ll have the chance to work together again (and hopefully often) in the future!

Training Company

Very practical, instructive, and pedagogically excellent! Had a blast!

Workshop Participant

Many topics were covered that were new to me and important for my work.

Workshop Participant

Thank you so much Christian, very informative, substantial and useful.

Workshop Participant

The training was absolutely excellent. I now have over 10 years of professional experience, and over all those years this is one of the best trainings I’ve ever attended.

Training Participant

Thanks again for the very, very good workshop today. I wanted to give big praise for your talks and your workshop — really well done! You just want to get started and try it yourself. Simply excellent!

Workshop Participant

Every developer should take this training at least once.

Training Participant

Many thanks! Really detailed and exciting!

Training Participant

I took part in the web security training last week. It was great again. You make it so vivid, and combined with your real-world stories it’s genuinely gripping. The training was really fun and made me want to learn more about the topic.

Training Participant

An exciting and inspiring event with a speaker who fully masters his subject area.

Workshop Participant

Thanks a lot, it was a very interesting and entertaining training!!! 🙌

Training Participant

Really amazing and brilliant course. Happy to have chosen your training. Thanks for all the preparations and for accommodating lots of questions after the time ;).

Training Participant

As the organizer, I received consistently positive feedback from participants. The real-world examples landed especially well, and defense in depth felt well placed.

Training Organizer

I’d like to thank you again for the exciting training last week. The content was very well prepared and the training formed a cohesive package.

Training Participant

Your workshop at our company had real impact: many participants tried to find vulnerabilities in their projects — with success.

Workshop Organizer

This was a mind-boggling workshop and I’d like to recommend you to colleagues from other companies.

Training Participant

Very helpful training. Very clear description of the attacks and things we need to take care of. Now we have a list of tasks to check/improve in our codebase.

Training Participant

Thank you again for the excellent intensive training this week.

Training Participant

Thank you Christian! Even though I’m not a developer, I could follow almost everything and learned a lot. Absolutely recommended!

Training Participant

I enjoyed and can highly recommend this training. Christian is an awesome educator and teacher.

Training Participant

First of all, heartfelt thanks for the three very inspiring days. I found your talk excellent both pedagogically and in terms of content. The many workshop exercises also contributed a lot to a better basic understanding of the theory.

Workshop Participant

Thank you for the great training! Had a lot of fun and I’ve already recommended it. The mix of theory, practice, and vivid case studies was perfect. You definitely leave the training with a sharper security mindset.

Workshop Participant

Mega great workshop! THANK YOU

Workshop Participant

Many heartfelt thanks. Excellently delivered and so many important pieces of information! I learned a lot of new things…

Workshop Participant

just one word: AWESOME! thank you!

Training Participant

Yes!! This should be mandatory for all software developers!

Training Participant

I would buy it again 5/5 stars :D

Training Participant

Great session Christian!!! Thanks a million!!!

Training Participant

It was great! Concrete examples, explained clearly — definitely left a lasting impression. Keep it up!!

Training Participant

The training made it tangible how hackers work in practice and which tools they have at their disposal. The concrete examples helped a lot.

Training Participant

I found the training comprehensive, VERY educational, highly interesting and exciting — and it really drives the point home. Remote participation was especially important for our team, and you mastered that format really well. The training had a clear narrative arc and clear business value. I’ll definitely recommend it. Thank you!

Training Organizer

Really, really well done pentesting lecture. It was very informative and fun to learn about this stuff again. Since becoming a developer I stopped coding in my free time, but seeing how to break systems — and how and why they work — was part of why I became a programmer in the first place. So the child in me was so happy to learn about XML bombs and all the other crazy things!

Training Participant

Much was new to me (even after years in corporate IT). With the flood of attack possibilities, the framework with “code/data” and “source-taint-sink” is helpful, as is the calm delivery and “let them discover” approach. I recommend the training!

Training Participant

First of all: thank you for an excellent workshop. Feedback on the second part of the workshop was consistently positive. I’ve already heard from several teams that they want to use threat modeling in practice going forward. From my perspective, a complete success.

Workshop Organizer

Very entertaining, interesting and inspiring two days of security training. Enjoyed it a lot and got curious about analyzing our code for weaknesses. Long live the Swiss cheese model! :-)

Training Participant

Thanks for the training. It was an eye-opener, especially the live hacking demonstrations.

Training Participant

Yes, it was really fun, especially the vivid way knowledge was conveyed, the practical examples, addressing every question, the detailed handout, and not least the pleasant atmosphere. Thank you!

Training Participant

We would like to thank you once again for enriching our summit as a speaker with your excellent talks. We collected initial participant feedback right after the event, and it was consistently positive.

Conference Organizer

I took part in your web security training over the past two days — it was awesome. I like the practical approach with the marathon app to try out different cases. Your slides and presentation style are really good and I learned a lot. You definitely know what you’re talking about and convey that knowledge well.

Training Participant

Great training — I had to file a bug for an app right away :D.

Training Participant

Very interesting training. Pedagogically well structured. Especially the step-by-step escalation of the attack, followed by a demonstration of automated off-the-shelf attack tools.

Training Participant

Thank you for the exciting time at the Web Security Bootcamp. With a high level of competence and “escape-the-room” flair, it was fascinating to look at vulnerable doors and gates from the attacker’s point of view, and to learn the many ways to keep those paths closed and secure. A training I can recommend 100% to every developer.

Training Participant

Thank you. I was a complete security beginner and now definitely have a different view of my source code. For many things I used to think mainly about clean code and good style, but it clearly also makes sense from a security perspective to separate data and code.

Training Participant

I loved that you encouraged people to ask questions. Unusual at first how often you did it, but that’s how questions actually get asked :)

Training Participant

I also loved that you had everything prepared so you could always work hands-on if you wanted. You could tell you have routine. At the same time it never got boring.

Training Participant

Great training! Not just technically strong, but also excellently delivered. There genuinely weren’t any dull moments. And with the handout you feel equipped for upcoming challenges.

Training Participant

It was great to always see how far you can take exploiting vulnerabilities!

Training Participant

The training was amazing. I’m quite new to security, and I was speechless at how many everyday systems can be broken when you know what to look for. WOW. Also amazing job, Christian — talking for so many hours with this ease and answering every question. What I appreciated very much was that every question was treated seriously. You motivated people to ask questions! Thank you very much for the great training, but also for the great atmosphere!

Training Participant

Thank you again for the seminar. You could follow along well, and each topic still went quite deep. Injection and XSS in particular reminded me how important those fundamentals are — and how valuable it is to see them explained this clearly.

Training Participant

The training was extremely informative and so much fun! 10/10

Training Participant