Web Security Bootcamp

Hands-on defense skills your developers will actually use

duration
2 or 3 Days
Kind
Course
where
Inhouse or Remote
language
German or English

Training info at a glance: Download the one-pager (PDF).

Hands-on attack & defense

Prior to conducting the training with your team, we’ll have an initial scoping call. This meeting is designed to customize the course to your specific requirements, helping us decide on the most suitable approach and focus areas to address your needs effectively.

In my fully packed hands-on bootcamp-style training, you will experience how hackers approach a typical web application to learn about the security vulnerabilities seen in many web applications and backends/APIs.

Also, we often switch the sides during the training into the defender’s perspective to learn how primary and secondary countermeasures harden the security posture of today’s applications and backends in a defense-in-depth way.

All exercises are executed against a participant-individual training environment, which I prepare and individually spawn for each participant in my cloud. Just a web browser is required to attend and no pre-installations are necessary on the participants’ machines. To allow recapping the practical exercises, participants receive Docker containers after the course with the training environment and all exercises to be able to run them locally on their machines.

To enhance interactivity and engagement, whether delivered remotely or on-site, my trainings incorporate live engagement elements using Workshop Board that augment the hands-on exercises with real-time participant input, collaborative brainstorming walls, questions, knowledge checks, and collaborative discussions.

The material and hands-on exercises cover the OWASP Top 10:2025 and the OWASP API Security Top 10. Optionally, when of interest, the training can also include the OWASP Top 10 for LLM Applications and the OWASP Top 10 for Agentic AI Security — covering attack and defense scenarios for modern AI-driven systems such as RAG pipelines, MCP tool integrations, and agentic architectures.

Vulnerabilities and Defense Measures

My hands-on web security bootcamp covers many vulnerabilities and their defense measures, including:

  • Injection Vulnerabilities, including Post-Exploitation towards Remote Code Execution (RCE)
  • XML External Entity Attacks (XXE)
  • Path-Traversals (including ClassPath-Traversals)
  • Cross-Site Scripting (XSS): Reflected, Persistent, DOM-based and different contexts
  • Session Attacks, etc.
  • Authentication Bypass
  • Information Disclosures
  • Server-Side Request Forgery (SSRF), especially in cloud-based environments
  • Attacks on File-Uploads and -Downloads
  • Attacks on WebSockets
  • Java Deserialization Vulnerabilities & Attacks
  • Advanced XML Attacks (leading to RCEs)
  • JSON Attacks (leading to RCEs)
  • GenAI Attack Surfaces: Prompt Injection, RAG Corpus Poisoning, MCP Tool Attacks, Agentic AI Goal Hijacking
  • AI-Generated Code Security: Reviewing AI-written code for injection flaws, XSS, and cryptographic failures; secure prompting techniques; automation bias awareness
  • and many more

This bootcamp-style training introduces the mentioned vulnerabilities and focuses also on defensive aspects to remediate these vulnerabilities in a defense-in-depth style. If instead you’re more offensive-oriented and interested in the art of exploitation of these vulnerabilities rather than the defensive approaches, the Pentesting Training might be of more interest to you.

Being a full-fledged bootcamp training, also DevSecOps scan automation techniques are presented. If you’re interested in automation of security scans inside CI/CD build pipelines, the DevSecOps Coaching might also be of more interest to you, either as an addition or a replacement.

AI-Generated Code Security

AI coding assistants like GitHub Copilot, Claude Code, Codex, or Cursor can significantly boost your team’s productivity. But that speed comes with a catch: studies show that a large share of AI-generated code ships with security flaws, from injection vulnerabilities and XSS to broken cryptographic implementations. Developers who rely on these tools without knowing what to look for end up trusting suggestions they shouldn’t.

To still get the most out of these tools, the bootcamp covers AI-Generated Code Security as an additional module: how to review and validate AI-written code, secure prompting techniques that produce safer output, and building awareness of automation bias, the tendency to accept AI suggestions at face value.

What participants will receive

All my trainings can be held in German (native speaker) or English (business fluent).

Participants receive the following along with my training:

  • Access to cloud-based training environments (individually spawned for each participant).
  • All slides and workshop material as a set of PDFs.
  • Lifetime access to GitHub and DockerHub repos with my training environments in order to recap all exercises with a working setup (including freshly added stuff in the future).
  • Support via mail for setup and exercise handling afterwards.
  • Printed and signed Certificate of Participation listing the training contents.

Interested in your organization’s individual quote? Let’s talk

This service also supports technical security requirements commonly referenced in modern cybersecurity regulations.

Different Options

As always in life, there is no one-fits-all solution. So regarding the concrete setup and execution of my trainings and workshops, you have different options and variants to choose from.

Fully customizable training agenda

In case you want certain aspects of your technology stack or specific internal process or tools covered during the training: The training agenda can be customized to your needs, resulting in an individual setup and content.

On-site or Remote? – Choice is yours!

My trainings and workshops can be executed on-site (either directly at your office or at one of my training sites) as well as fully remote for home-office workers. Even hybrid variants are possible, where some remote-only workers can join online, while I execute the training on-site for the majority of the participants. I’ve already conducted numerous online-based variants of my training, even for bigger audience groups.

Either way, participants just need a browser as nothing needs to be installed locally, since my training runs with participant-individual environments in my cloud.

Alternative option: Professional training recording

In case you would like to have a customized version for your company recorded as a set of chapters and lessons for your in-house video-based electronic learning platform: Let’s talk

I can record a customized training session (without participants) and provide you with professionally cut chapters exported as SCORM (useful for import into LMS systems), MPEG, and other formats. This package includes digital training slides and the runnable training environment for local offline training. If you and all participants prefer to record a live training while being held, this is also possible and would produce a video handout of the full course.

That way, several companies have successfully enriched their own internal video-based training offers with my hands-on security workshops imported into their own electronic learning platforms.

Professional training recording

Self-paced training preferred? — no problem

My live Web Security Bootcamp is also available as a set of self-paced training video sets along with the training material and a cloud-based training environment for the exercises. This package encompasses over 25 high-quality module videos, each lasting between 30 and 60 minutes, tailored for participants to learn at their own pace.

As participants advance through the course in their personalized cloud environment, they might have questions or need clarification on certain topics. Therefore, learners can opt to jump into regular Q&A sessions with me (for example, offered weekly or bi-weekly) to discuss their queries and delve deeper into specific areas of interest. Participants are also welcome to email me for tailored guidance on the module they’re currently working on, ensuring an interactive and supportive learning experience.

As a company, you can opt to incorporate special topic update-modules into the subscription. These modules are designed to cover the latest trends and advancements in web security, keeping your employees abreast of the ever-evolving landscape of the cybersecurity world.

This subscription model is perfect for larger groups seeking the freedom of self-paced learning with the benefits of still having live interaction with me as their trainer and ongoing support. Upon successfully completing the course units, learners will be awarded a certificate of participation, showcasing their commitment and expertise in web security.

Let’s discuss the details and tailor a solution that best fits your needs in web security training.


Follow-up options

After completing the course, you may want to deepen or broaden your team’s security expertise through a range of further options. Depending on your goals and interests, follow-up possibilities include:

  • Review & Reflect Workshop: Facilitated, team-based security review to help your team analyze architectures, codebases, and operations for actionable improvements
  • Custom Focus Sessions: Short, focused sessions to dive deeper into specific topics identified during the workshop
  • DevSecOps Pipeline Coaching: Help implementing security automation for findings related to CI/CD and build processes
  • Security Sparring Partner: Ongoing support for addressing architectural recommendations and other security topics

Ready to apply security knowledge to your own systems? Contact me to discuss your workshop requirements.

Testimonials

What Customers Are Saying

A great seminar. Please keep the content and methodology unchanged!

Training Participant

Very strong expertise — responded very well to follow-up questions.

Workshop Participant

Thank you very much for your training! It was very interesting and packed with knowledge. People on the team learned a lot and speak about it positively.

Training Participant

From my side, thanks again for running the training. Participant feedback was positive across the board, always with the note that the training fits our company well.

Training Organizer

Thank you so much for such an interactive session — really enjoyed it and learned a lot.

Training Participant

Very strong on content — excellent presentation.

Training Participant

Thank you so much for the valuable input. Especially the insights about agentic AI security were very helpful.

Training Participant

Just wanted to share feedback on the past three days: the training matched my expectations exactly. The topics covered and the mix of practical and theoretical parts were perfect. Your years of experience really show.

Training Participant

Time well spent! Thanks a lot, I thoroughly enjoyed the training and depth of content.

Training Participant

Your passion for security is contagious :)

Training Participant

Thank you for the great training — it was exactly what I had in mind for my team! I expect we’ll repeat it with other employees soon.

Product Security Manager

Super exciting and varied! Thank you!

Training Participant

Thanks for the training! It was varied and the different interactive elements kept it engaging. We took away a lot! Looking forward to possible future collaboration.

Training Participant

This was my second time with you, Christian. Very interesting again and a lot of fun!

Training Participant

Thanks again for today’s session! I have to say, every time I’m impressed by how quickly you dive into complex topics, ask critical questions, and provide valuable input. Truly fascinating!

Threat Modeling Customer

Thanks a lot for sharing such great insights with us!

Training Participant

I found the training overall very informative and helpful. The explanations were clear and well structured. Important security concepts were covered with plenty of examples to illustrate them. I took away a lot. Thank you for the training :)

Training Participant

Thanks a lot, I liked the format and the workshop as a whole very much, very engaging, great job, learned quite a bit.

Training Participant

Thanks a lot! Also for the brilliant explanations and well-presented practical examples!

Training Participant

Very intensive seminar, presented very clearly and well!

Training Participant

Insider knowledge from pentesting came through clearly. Broad coverage, strong expertise, and you tailored the content to the technologies we actually use. Technically, pedagogically, and personally excellent — you handled questions well and the structure worked really well.

Training Participant

Excellent example applications — you explain things very clearly.

Training Participant

Very high level of expertise! Pedagogically excellent. Interesting with lots of practical exercises. A seemingly “dry” but very important topic was conveyed and communicated really well.

Training Participant

Very interesting, very practical, engaging — and an answer to everything ;)

Training Participant

I really enjoyed the training thank you so much! 🙏 It was an interactive and insightful session. I became more aware of security tools and how to use them effectively. Thanks again for sharing such valuable insights with us. I really appreciate it!

Training Participant

Thank you Christian! Superb content and explanations, I learned a lot.

Workshop Participant

Participants were thrilled with the training — hardly any survey scores this well! We’re glad feedback was so positive and that participants got so excited about the topic! We really hope we’ll have the chance to work together again (and hopefully often) in the future!

Training Company

Very practical, instructive, and pedagogically excellent! Had a blast!

Workshop Participant

Many topics were covered that were new to me and important for my work.

Workshop Participant

Thank you so much Christian, very informative, substantial and useful.

Workshop Participant

The training was absolutely excellent. I now have over 10 years of professional experience, and over all those years this is one of the best trainings I’ve ever attended.

Training Participant

Thanks again for the very, very good workshop today. I wanted to give big praise for your talks and your workshop — really well done! You just want to get started and try it yourself. Simply excellent!

Workshop Participant

Every developer should take this training at least once.

Training Participant

Many thanks! Really detailed and exciting!

Training Participant

I took part in the web security training last week. It was great again. You make it so vivid, and combined with your real-world stories it’s genuinely gripping. The training was really fun and made me want to learn more about the topic.

Training Participant

An exciting and inspiring event with a speaker who fully masters his subject area.

Workshop Participant

Thanks a lot, it was a very interesting and entertaining training!!! 🙌

Training Participant

Really amazing and brilliant course. Happy to have chosen your training. Thanks for all the preparations and for accommodating lots of questions after the time ;).

Training Participant

As the organizer, I received consistently positive feedback from participants. The real-world examples landed especially well, and defense in depth felt well placed.

Training Organizer

I’d like to thank you again for the exciting training last week. The content was very well prepared and the training formed a cohesive package.

Training Participant

Your workshop at our company had real impact: many participants tried to find vulnerabilities in their projects — with success.

Workshop Organizer

This was a mind-boggling workshop and I’d like to recommend you to colleagues from other companies.

Training Participant

Very helpful training. Very clear description of the attacks and things we need to take care of. Now we have a list of tasks to check/improve in our codebase.

Training Participant

Thank you again for the excellent intensive training this week.

Training Participant

Thank you Christian! Even though I’m not a developer, I could follow almost everything and learned a lot. Absolutely recommended!

Training Participant

I enjoyed and can highly recommend this training. Christian is an awesome educator and teacher.

Training Participant

First of all, heartfelt thanks for the three very inspiring days. I found your talk excellent both pedagogically and in terms of content. The many workshop exercises also contributed a lot to a better basic understanding of the theory.

Workshop Participant

Thank you for the great training! Had a lot of fun and I’ve already recommended it. The mix of theory, practice, and vivid case studies was perfect. You definitely leave the training with a sharper security mindset.

Workshop Participant

Mega great workshop! THANK YOU

Workshop Participant

Many heartfelt thanks. Excellently delivered and so many important pieces of information! I learned a lot of new things…

Workshop Participant

just one word: AWESOME! thank you!

Training Participant

Yes!! This should be mandatory for all software developers!

Training Participant

I would buy it again 5/5 stars :D

Training Participant

Great session Christian!!! Thanks a million!!!

Training Participant

It was great! Concrete examples, explained clearly — definitely left a lasting impression. Keep it up!!

Training Participant

The training made it tangible how hackers work in practice and which tools they have at their disposal. The concrete examples helped a lot.

Training Participant

I found the training comprehensive, VERY educational, highly interesting and exciting — and it really drives the point home. Remote participation was especially important for our team, and you mastered that format really well. The training had a clear narrative arc and clear business value. I’ll definitely recommend it. Thank you!

Training Organizer

Really, really well done pentesting lecture. It was very informative and fun to learn about this stuff again. Since becoming a developer I stopped coding in my free time, but seeing how to break systems — and how and why they work — was part of why I became a programmer in the first place. So the child in me was so happy to learn about XML bombs and all the other crazy things!

Training Participant

Much was new to me (even after years in corporate IT). With the flood of attack possibilities, the framework with “code/data” and “source-taint-sink” is helpful, as is the calm delivery and “let them discover” approach. I recommend the training!

Training Participant

First of all: thank you for an excellent workshop. Feedback on the second part of the workshop was consistently positive. I’ve already heard from several teams that they want to use threat modeling in practice going forward. From my perspective, a complete success.

Workshop Organizer

Very entertaining, interesting and inspiring two days of security training. Enjoyed it a lot and got curious about analyzing our code for weaknesses. Long live the Swiss cheese model! :-)

Training Participant

Thanks for the training. It was an eye-opener, especially the live hacking demonstrations.

Training Participant

Yes, it was really fun, especially the vivid way knowledge was conveyed, the practical examples, addressing every question, the detailed handout, and not least the pleasant atmosphere. Thank you!

Training Participant

We would like to thank you once again for enriching our summit as a speaker with your excellent talks. We collected initial participant feedback right after the event, and it was consistently positive.

Conference Organizer

I took part in your web security training over the past two days — it was awesome. I like the practical approach with the marathon app to try out different cases. Your slides and presentation style are really good and I learned a lot. You definitely know what you’re talking about and convey that knowledge well.

Training Participant

Great training — I had to file a bug for an app right away :D.

Training Participant

Very interesting training. Pedagogically well structured. Especially the step-by-step escalation of the attack, followed by a demonstration of automated off-the-shelf attack tools.

Training Participant

Thank you for the exciting time at the Web Security Bootcamp. With a high level of competence and “escape-the-room” flair, it was fascinating to look at vulnerable doors and gates from the attacker’s point of view, and to learn the many ways to keep those paths closed and secure. A training I can recommend 100% to every developer.

Training Participant

Thank you. I was a complete security beginner and now definitely have a different view of my source code. For many things I used to think mainly about clean code and good style, but it clearly also makes sense from a security perspective to separate data and code.

Training Participant

I loved that you encouraged people to ask questions. Unusual at first how often you did it, but that’s how questions actually get asked :)

Training Participant

I also loved that you had everything prepared so you could always work hands-on if you wanted. You could tell you have routine. At the same time it never got boring.

Training Participant

Great training! Not just technically strong, but also excellently delivered. There genuinely weren’t any dull moments. And with the handout you feel equipped for upcoming challenges.

Training Participant

It was great to always see how far you can take exploiting vulnerabilities!

Training Participant

The training was amazing. I’m quite new to security, and I was speechless at how many everyday systems can be broken when you know what to look for. WOW. Also amazing job, Christian — talking for so many hours with this ease and answering every question. What I appreciated very much was that every question was treated seriously. You motivated people to ask questions! Thank you very much for the great training, but also for the great atmosphere!

Training Participant

Thank you again for the seminar. You could follow along well, and each topic still went quite deep. Injection and XSS in particular reminded me how important those fundamentals are — and how valuable it is to see them explained this clearly.

Training Participant

The training was extremely informative and so much fun! 10/10

Training Participant
Alternative to custom session
Especially for smaller teams — join my upcoming public Web Security Bootcamp:
30.9. – 1.10.2026 (click for dates and booking)