Schedule & Trainings

Training subject to change based on trainer availability and meeting the number of students per trainer request.

Pricing

1-day course: $850
2-day course: $1770
3-day course: $2550

All training will be held at the Hyatt Regency San Francisco, 5 Embarcadero Center, San Francisco, California 94111, United States.

3-day training courses will be held September 23-25.
2-day training courses will be held September 24-25.
1-day training courses will be held on September 25.


  • Agile Whiteboard Hacking – aka Hands-on Threat Modeling - 2 Day Training

  • Based on the updated Black Hat edition 2024 training, you will be challenged with hands-on threat modeling exercises based on real-world projects. You will get insight into our practical industry experience, helping you to become a Threat Modeling Practitioner. We included an exercise on MITRE ATT&CK, and we focus on embedding threat modeling in Agile and DevOps practices. And we introduce a new challenge on threat modeling a Machine Learning-Powered Chatbot.

    We levelled up the threat modeling war game. Engaged in CTF-style challenges, your team will battle for control over an offshore wind turbine park.

    The level of this training is Beginner/Intermediate. Participants who are new to threat modeling are advised to follow our self-paced Threat Modeling Introduction training, which is about 2 hours and is included in this training.

    As highly skilled professionals with years of experience under our belts, we are intimately familiar with the gap between academic knowledge of threat modeling and real-world practice. To minimize that gap, we have developed practical use cases, based on real-world projects. Each use case includes a description of the environment, together with questions and templates to build a threat model.

    Students will be challenged in groups of 3 to 4 people to perform the different stages of threat modeling:

    • Diagram techniques applied on a travel booking service
    • Threat model a cloud-based update service for an IoT kiosk
    • Create an attack tree against a nuclear research facility
    • Create a SOC Risk Based Alerting system with MITRE ATT&CK
    • Mitigate threats in a payment service built with microservices and S3 buckets
    • Threat modeling a Machine Learning-Powered Chatbot
    • Apply the OWASP Threat Modeling Playbook on agile development
    • Threat modeling the CI/CD pipeline
    • Battle for control over "Zwarte Wind", an offshore wind turbine park

    After each hands-on exercise, the results are discussed, and students receive a documented solution.

    As part of this training, you will be asked to create and submit your own threat model, on which you will get individual feedback.

    All participants get our Threat Modeling Playbook to improve your threat modeling practice, one-year access to our online threat modeling learning platform, and one-hour personal coaching to refine your threat modeling.

  • Attacking and Defending - AWS, Azure and GCP Applications - 3 Day Training

  • Multicloud environments have grown in prevalence and significance. According to a study by VMware in 2021, 73% of companies surveyed had adopted multi-cloud deployments with 2 cloud providers and 26% of them had adopted 3 cloud providers. Additionally, HashiCorp estimates nearly 90% of organizations are multicloud.

    Multicloud environments, consequently, lead to a variety of different application deployments and environments. Applications ranging from traditional VM-deployed apps, to containerized apps on Kubernetes or other managed Container Orchestration apps, to FaaS (Functions-as-a-Service) apps are deployed on the Big Three cloud providers (AWS, Azure, and GCP). Just as application deployment patterns are dissimilar, the security of applications in these cloud environments is different as well. As a result, attack patterns against these applications are also different. Companies and their security personnel are grappling with this issue, not only at scale but with a severe shortage of skills to boot.

    This training has been designed with our highly renowned approach of ADD (Attack-Detect-Defend). This is where we use stories and get students to work through intricately designed technical scenarios. As part of each story, the student deploys the app on the relevant cloud environment using Infrastructure-as-Code tools like Terraform, CDK, Bicep, and others. The application(s), along with the stack (the cloud resources and configuration), is vulnerable in many small and serious ways.

    For the “Attack” part of the story, the students deploy the stack. Once the application is deployed, the students explore a compromise of the application. The students leverage vulnerabilities and execute carefully planned attack sequences that are designed to escalate privileges into the specific cloud environment and start to perform post-exploit activities ranging from data exfiltration to resource manipulation. This completes one part of the story, where we go from deploying the application to attacking the application and compromising the underlying cloud infrastructure. This is the section of each story where participants will do a CTF-style session. Here they will spend time identifying and attacking these infrastructures with multi-step attacks, where they perform extensive examples of lateral movement using techniques highlighted in the MITRE ATT&CK Framework, popular bug-bounties, and our own experiences with attacking and auditing cloud infrastructure.

    For the “Detect” part of the story, we look at scenarios that involve Incident Response and Detection Engineering on the cloud with these various Cloud Providers. In this part of the story, we have students deploy an identical (still vulnerable) stack. However, this time, they deploy stacks with detection services enabled and configured. These detection services include, but are not limited to:
    • Ingesting and harnessing Control-Plane Logs of the Cloud Provider/Service
    • Leveraging Threat Intelligence Services provided by the Cloud Provider
    • Leveraging ETL Services and Cloud Storage to build Detection Queries and parameters
    • And more
    The idea here is to get the student to perform the same attack sequences against the Cloud environment. Except this time, the deployed detection mechanisms identify these incursions and attack attempts.

    Finally, for each story, we have a “Defend” section. This is a section that comes full circle. We deploy a much more secure application to the particular cloud environment. In some cases, this would mean that even if the application continues to be vulnerable to the same issues, the underlying cloud configuration would be much more secure, hence negating the possibility of attack. In this part of each story, we’d explore a combination of several security mechanisms that are natively provided by the cloud provider. The security implementations we’ll be exploring across the stories include, but are not limited to:
    • AWS Network Security Controls => VPC, Advanced VPC Controls (Mirroring, Flow Logs, etc), Security Groups, etc
    • AWS IAM and Advanced IAM deployment, policies, and Policy Management
    • AWS Security Services => Security Hub, GuardDuty, etc
    • AWS Host Security Services => IMDSv2, Host level security monitoring using osquery, etc
    • Proactive Detection and Alerting => CloudWatch, CloudTrail, Alerts, Leveraging Lambda for security Event triggers, etc.
    • Security Analytics with CloudWatch, Athena, etc
    • Federated Access Control and Management with Cognito and Cognito implementation deep-dives
    • Container-native security protections => ECR and Fargate
    • Encryption and Key Management Practices with KMS, Secrets Manager
    • GCP Network Security Controls => VPC, Firewall, and NAT Gateways
    • GCP IAM and advanced IAM with conditions and IAM policy with Audit logs
    • Access control management for the Application with GCP Identity Aware Proxy (IAP)
    • GCP Service account and least privilege in the service accounts
    • GCP Logging and monitoring => VPC logging, Firewall Logging, and Audit Logging
    • GCP storage and Security Controls for Storage => Fine-Grained Access, Uniform Access, and Public prevention
    • GCP Security Command Center for Security Detection and Vulnerability Monitoring
    • Azure Network Security Controls => Virtual Network, Network Security Groups, Azure Firewall
    • Azure IAM and Advanced IAM deployment, policies, and Policy Management
    • Azure Security Services => Microsoft Sentinel, Defender for Cloud service, Advanced Threat Protection, Azure Security Center, etc.
    • Security logging and monitoring with Azure Monitor Logs, Azure Network Watcher, and security orchestration automated incident response through Microsoft Sentinel
    • Leveraging multiple encryption techniques through Azure Key Vault
    The scope of this training encompasses the Big Three Cloud Providers (AWS, Azure, and GCP). In addition, since Kubernetes is a cross-cutting concern across all three cloud environments, there would be relevant Kubernetes-specific stories showcased in the training as well. Each story is a simulation of a real-world application and use-case(s). We’d be leveraging everything from VMs on AWS, GCP, and Azure to Managed Container services (ECS, ACI, Cloud Run), to managed Kubernetes (EKS, AKS, GKE) to FaaS (Lambda, Azure Function Apps, Google Cloud Functions, Step Functions, Logic Apps, etc). The objective is to provide the students with a comprehensive viewpoint of applications, with a view on diverse deployment environments. This enables them to gain a greater understanding of the intricacies of offensive, defensive, and detection engineering for various types of applications and cloud environments.

    We look to cover approximately 2 stories every day of the training. To keep the flow consistent, we’d focus on one cloud provider per day, with a brief introductory session on the cloud provider and some critical areas that the audience should be aware of before they go deep into the subject matter. The stories themselves are a set of micro-labs, where the trainers would explain and demonstrate the concept with hands-on labs that the participants are working through. The class is meant to be an extensively hands-on class, with the theory intermeshed into the hands-on labs to support it and give the students a detailed understanding of the subject matter.

    To make things easier for the students, we provide hands-on lab environments on the cloud, accessed entirely in the browser, free of VPNs and other messy VM setups. In addition, our cloud sandboxes are set up in such a way that the student does not even have to bring cloud accounts on AWS, Azure, and GCP. They use our cloud sandbox environments to do the hands-on labs in this class with no fear of their account being compromised, or of having to pay financial overages.

    This class is an intense, deep-dive experience in Multi-Cloud Application Security. We’d like participants to explore practical implementations of full-fledged environments, rather than have a surface-level understanding of attack and defense in AWS, Azure, and GCP.

  • Hacking Modern Web & Desktop apps - Master the Future of Attack Vectors - 3 Day Training

  • In person and online training option available

    This course is a 100% hands-on deep dive into the OWASP Security Testing Guide and relevant items of the OWASP Application Security Verification Standard (ASVS), so this course covers and goes beyond the OWASP Top Ten. Long gone are the days when web servers were run by Perl scripts and desktop apps were written in Delphi. What is common between Walmart, eBay, PayPal, Microsoft, LinkedIn, Google and Netflix? They all use Node.js, JavaScript on the server. What is common between Microsoft Teams, Skype, Bitwarden, Slack and Discord? All of them are written in Electron, JavaScript on the client. Modern Web and Desktop apps share traditional attack vectors and also introduce new opportunities to threat actors. This course will teach you how to review modern web and desktop apps, showcasing Node.js and Electron but using techniques that will also work against any other web or desktop app platform. Ideal for Penetration Testers, Web and Desktop app Developers as well as everybody interested in JavaScript/Node.js/Electron app security.

    Get a FREE taste for this training, including access to video recording, slides and vulnerable apps to play with:
    1.5 hour workshop - https://7asecurity.com/free-workshop-desktop-apps

    1 hour workshop - https://7asecurity.com/free-workshop-web-apps

    All action, no fluff, improve your security analysis workflow and immediately apply these gained skills in your workplace, packed with exercises, extra mile challenges and CTF, self-paced and suitable for all skill levels, with continued education via unlimited email support and lifetime access to training portal with step-by-step video recordings and interesting apps to practice, including all future updates for free.

  • OWASP in Action - ASPM (DevSecOps) with OWASP Projects - DevSecOps 2 Day Training

  • If you are facing the challenge of Application Security Posture Management amidst a plethora of applications and issues, this course is designed to streamline the process using OWASP’s open source projects, optimized for DevSecOps workflows. Over the span of two days, you’ll engage in interactive lectures and labs that showcase the effective application of OWASP tools, as previously implemented by seasoned AppSec teams. Recognizing that the size of AppSec teams is often a limiting factor, the course emphasizes automation of routine tasks to free up your time for more complex problem-solving. Upon completion, you will be equipped with a comprehensive set of strategies and tools to enhance your AppSec initiatives through automation and the integration of OWASP projects, all delivered at DevSecOps pace. The instructors, with over two decades of industry and OWASP project experience, offer practical, proven guidance for achieving success in ASPM.
    Outline
    • Introduction
      • Application Security Programs
      • AppSec – Current State of Affairs
      • ASPM – Why?
      • Lab #1 – Getting to know the Lab Dockers
    • Docker Overview
      • Why Docker?
      • Docker Fundamentals
      • Dockerfiles, volumes, layers and more
      • Being productive with Docker
      • Lab #2 - Dockerizing a security tool
    • OWASP DefectDojo
      • One source
      • One place
      • Findings
      • Reports
      • Integrations
      • REST API
      • Inventory
      • Lab #3 - DefectDojo on Intake
      • Lab #4 - DefectDojo on Engagements and managing data
      • Lab #5 - DefectDojo on delivering results
    • OWASP and other OS Testing Tools
      • ZAP
      • Dependency Check and Dependency Track
      • ModSecurity Core Rule Set
      • O-Saft, Amass, Find Security Bugs, OWASP Sedated
      • Glue, AppSec Pipeline/Gasp, OWTF
      • Lab #6 - Getting to know the testing tools
    • OWASP Docs you need to use
      • ASVS
      • Testing Guide & Mobile Security Testing Guide
      • SAMM
      • Top 10 Proactive Controls
      • Cheat Sheet Series
      • Top 10
      • Automated Threats to Web Applications
      • SecLists Project
      • DevSecOps Maturity Model
      • Docker, Container and API projects
      • Lab #7 - Putting the docs to work for you
    • OWASP Training Tools
      • JuiceShop
      • WebGoat
      • Security Shepherd
      • DevSlop & Pixi
      • Secure Coding Dojo
      • Vulnerable Web Applications Directory
      • Lab #8 - DIY CTF
    • Conclusion

  • The Mobile Playbook - A guide for iOS and Android App Security - 3 Day Training

  • Available as hybrid - in person or online

    This three-day hands-on course teaches penetration testers and developers how to analyse Android and iOS applications for security vulnerabilities by going through the different phases of testing, including dynamic testing, static analysis, reverse engineering and Software Composition Analysis (SCA), using the OWASP Mobile Application Security Testing Guide (MASTG). The OWASP MASTG is a comprehensive and open source guide to mobile security testing for both iOS and Android, providing a methodology and very detailed technical test cases to ensure completeness and using the latest attack techniques against mobile applications. This course will give you hands-on experience with open source tools and advanced methodologies by guiding you through real-world scenarios.

    Detailed outline

    We'll start the first day with an introduction to the OWASP MASVS and MASTG and the latest updates to them, and then dive into the Android platform and its security architecture. Students will no longer be required to bring their own Android device; instead, each student will be provided with a cloud-based virtualised Android device from Corellium. Topics include:

    • Intercepting network traffic from apps written in mobile app frameworks such as Google's Flutter
    • Reverse engineering a Kotlin app and identifying and exploiting a real-world deep link vulnerability through manual source code review
    • Explore the differences and effectiveness of reverse engineering Android apps using Smali patching, Magisk and Dynamic Instrumentation with Frida
    • Frida crash course to get started with dynamic instrumentation on Android apps
    • Bypass different implementations of SSL pinning using Frida
    • Use dynamic instrumentation with Frida to bypass multiple root detection mechanisms

    Day 1 will be closed with a Capture the Flag (CTF).

    On day 2 we wrap up Android and start with iOS, and we will use a GitHub repo to trigger static scanning, SCA and secret scanning on Kotlin and Swift.

    Android

    • Analyse the storage of an Android app and understand the various options on how and where files can be stored (app-specific, shared storage etc.)
    • Using Brida (Frida and Burp) to bypass End2End encryption in an Android App
    • Static Scanning of Kotlin source code, identifying vulnerabilities and eliminating false positives
    • Scanning for secrets in an APK

    iOS

    • Introduction into iOS Security fundamentals
    • Scanning for secrets in a Swift repository and identifying ways to handle them securely
    • Software Composition Analysis (SCA) for iOS - Scanning 3rd party libraries and SDKs in mobile package managers for known vulnerabilities and mitigation strategies
    • Statically scanning Swift source code, identifying vulnerabilities and eliminating false positives
    • Demonstration on how to test watchOS apps and its limitations

    Day 3 focuses on iOS. We will begin the day by creating an iOS test environment using Corellium and dive into several topics, including:

    • Intercepting network traffic of an iOS App in various scenarios, including intercepting traffic that is not HTTP
    • Examining stateless authentication (JWT) in a mobile app
    • A Frida crash course to get started with dynamic instrumentation for iOS applications
    • Analyse the storage of an iOS app and understand the various options on how (Realm databases etc.) and where files can be stored
    • Testing methodology with a non-jailbroken device by repackaging an IPA with the Frida gadget
    • Using Frida to bypass runtime instrumentation of iOS applications
    • Anti-Jailbreaking Mechanisms
    • Frida's detection mechanism

    We'll wrap up the final day with another mobile app CTF where you can apply your newly learned skills.

    Whether you are a beginner who wants to learn mobile app testing from the ground up, or an experienced pentester or developer who wants to improve your existing skills to perform more advanced attack techniques, or just for fun, this training will help you achieve your goals.

    The course consists of many different labs developed by the instructor and is approximately 65% hands-on and 35% lecture.

    Upon successful completion of this course, students will have a better understanding of how to test for vulnerabilities in mobile applications, how to suggest the right mitigation techniques to developers, and how to perform tests consistently.

    What students should bring

    The following requirements must be met by students in order to be able to follow all exercises and participate fully:

    • Laptop (Windows/Linux/macOS) with at least 8GB of RAM and 40GB of free disk space
    • Full administrative access in case of problems with the laptop environment (e.g. ability to disable VPN or AV/EDR)
    • Virtualisation software (e.g. VMware, VirtualBox, UTM); a virtual machine will be provided for X86 and ARM architecture (for M1/M2/M3 MacBooks) with all tools required for the training
    • Ideally a tablet to have a second screen for the practical lab slides when doing the hands-on sessions
    • A GitHub account is needed (a free account is sufficient) to fork a repository

    An iOS and Android device is NOT required as an emulated instance is provided for each student hosted at Corellium. This is a cloud-based environment that allows each student access to a jailbroken iOS device and a rooted Android device during the training.

    What students will receive

    • Slide decks for the iOS and Android training and all videos for all demonstrations shared in class
    • All vulnerable apps used during the training, either as APK or IPA
    • Detailed write-ups for all labs so you can review them at your own pace after the course
    • Dedicated Slack channel used to help students prepare before the course, communicate during the course and stay in touch after the course for any questions
    • Certificate of completion

    What prerequisites should students have before attending this training?

    • This course is for beginners and intermediate students
    • Basic understanding of mobile apps
    • Able to use the Linux command line

  • Web Application Security Essentials - 3 Day Training

  • This course provides the knowledge and resources required to evaluate the security of web applications. The participants, through the understanding of theory and a strong focus on practical exercises, will be able to identify critical vulnerabilities in web applications, understand how exploitation works and learn how to implement the necessary corrective measures.

    The course is aligned with the OWASP Top 10 2021, a world-renowned reference document which describes the most critical web application security flaws.

    The topics covered include:
    • Introduction to Web Application Security
    • Technologies used in Web Applications
    • The Security Tester Toolkit
    • Critical Areas in Web Applications
    • Broken Access Control
    • Cryptographic Failures
    • Injection
    • Insecure Design
    • Security Misconfiguration
    • Vulnerable and Outdated Components
    • Identification and Authentication Failures
    • Software and Data Integrity Failures
    • Security Logging and Monitoring Failures
    • Server-Side Request Forgery (SSRF)

    Format - The course combines theory and hands-on practical exercises. The participants start by learning about web application vulnerabilities. They are then given access to a purpose-built web application environment that contains the bugs and coding errors they have learned about. This provides an ideal ‘real-life’ opportunity to exploit these vulnerabilities in a safe environment.