Training · Pentest · Web · Mobile · Network · AD · Cloud

Real targets. Real exploits. Real engagement letters.

A multi-domain pentest programme that trains the five surfaces a working pentester will actually be scoped against. Lab-grade exploits on lab-isolated targets. Engagement-grade rules of engagement, write-ups, and re-test discipline. 24-hour lab capstones at each tier.

The training gap

Most pentest certifications teach one path. A real engagement scopes you against five.

The classic offensive certifications still over-index on a Linux machine, a buffer overflow, and a privilege escalation. Modern engagements are scoped against web applications, mobile clients, flat enterprise networks, hardened Active Directory, and the customer's chosen cloud — sometimes all in the same letter.

01

Single-domain certifications

You pass on a network track, you walk into a web-app scope. You pass on a web track, the engagement letter names "the corporate AD environment". The mismatch is structural.

02

Cloud and AD left out

Cloud-pentest content is barely covered in the canonical certifications. Active-Directory attack chains live almost entirely in community write-ups, not curricula.

03

Engagement discipline left to chance

Rules of engagement, scope-fence enforcement, evidence packaging, write-up audience-tuning — the boring discipline that decides whether a pentest report gets paid for or returned for revision.

Five domains

Five surfaces. One curriculum. Every cohort member operates in all five.

Each domain is a 3-week module. The programme runs 15 weeks of domain modules plus a final 24-hour multi-domain capstone — an engagement letter scoped across at least three of the five surfaces.

Five pentest domains: web, mobile, network, Active Directory, cloud. Each shows representative techniques and reference frameworks.

  • WEB · OWASP Top 10 · API · GraphQL · JWT · OAuth abuse · SSRF · IDOR · SSTI (REF: OWASP WSTG)
  • MOBILE · iOS + Android · app static + dynamic · TLS pinning bypass · reverse engineering (REF: OWASP MASTG)
  • NETWORK · recon · enumeration · service exploitation · pivoting · tunnels · evasion · LotL (REF: PTES)
  • AD · Kerberos attacks · ACL · DACL abuse · BloodHound paths · domain escalation (REF: MITRE TA0006)
  • CLOUD · IAM abuse paths · misconfig · public S3 · container · k8s escape · cross-tenant (REF: CSA · MITRE Cloud)

3 WEEKS × 5 DOMAINS · 24-HR MULTI-DOMAIN CAPSTONE IN WEEK 16

ROE + REPORTING DISCIPLINE DRILLED EVERY WEEK

What you do on the programme

Less reading. More owning.

Exploit OWASP Top 10 from byte level

IDOR, SSRF, SSTI, deserialisation, OAuth abuse, JWT confusion — written by hand against real lab apps. Not Burp button-clicks.

Reverse and exploit a mobile app

Static and dynamic analysis on iOS and Android. TLS pinning bypass. Local-storage extraction. Native-library RE. Build the attacker workflow you will actually use on an engagement.

Move through a flat enterprise network

Recon, service enumeration, exploitation, pivoting, tunnelling — without tripping the EDR you would meet in production. Living-off-the-land where it matters.

Take a domain

Kerberoasting. AS-REP roasting. ACL abuse. BloodHound graph reasoning. Privilege escalation from a low-priv user to Domain Admin — and learn what the SOC saw on the way.

Compromise the cloud

AWS IAM-policy abuse paths. Azure managed-identity escapes. GCP service-account chaining. Container and k8s escape. The fastest-changing attack surface and the one you will be scoped against.

Write the engagement letter you will receive

Each module produces a real-format pentest report — executive summary, technical narrative, risk-ranked findings, retest scope, evidence pack. The boring discipline that decides who hires you.

Sample week · Active Directory · week 10 of 16

The week a low-priv user becomes Domain Admin.

A representative AD week. By Friday, you have walked an AD attack path from a single phished domain user account to full domain dominance — and, more importantly, you can explain every hop to the blue team in the debrief.

  1. Monday

    AD reconnaissance

    LDAP enumeration. SMB share triage. Service-account discovery. BloodHound ingestion. By end of day: a graph of the domain with the shortest path to DA flagged.

  2. Tuesday

    Kerberos attacks

    Kerberoasting. AS-REP roasting against pre-auth-disabled accounts. Offline cracking. Practical thresholds — what kind of service account is realistically crackable and what is not.

  3. Wednesday

    ACL and DACL abuse

    GenericAll, GenericWrite, WriteDACL, ForceChangePassword — the misconfigurations that make a DA path two hops shorter. Identify, exploit, document.

  4. Thursday

    Lateral movement and the blue-team trace

    Pass-the-hash, pass-the-ticket, overpass-the-hash. Each technique demonstrated alongside the EDR / SIEM events it generates. You learn the attack and the trace in the same hour.

  5. Friday morning

    Domain escalation capstone

    You receive a fresh, unbriefed AD lab and a single phished user account. You have 90 minutes to reach Domain Admin. Document the path.

  6. Friday afternoon

    Blue-team debrief

    A blue-team instructor walks the cohort through the telemetry generated during Friday's capstone. Each cohort member must explain which of their actions were noisiest — and why they made them anyway.

Tooling coverage

The open-source pentest toolchain, learned past the point of cheat-sheet.

Web

Burp Suite, ZAP, sqlmap, nuclei, ffuf, gobuster. Custom extension authoring; you fix the tools, the tools do not fix you.

Mobile

Frida, Objection, MobSF, jadx, apktool, Ghidra for iOS native libs. SSL Kill Switch. Custom Frida scripts.

Network

nmap, masscan, Metasploit, Impacket, Responder, Chisel, Ligolo-ng, evilginx for relay attacks.

Active Directory

BloodHound + SharpHound. mimikatz. Rubeus. Certify + Certipy. CrackMapExec. NetExec. ldapdomaindump.

Cloud

Pacu (AWS). Stormspotter, MicroBurst (Azure). ScoutSuite. Prowler. cloudfox. kubeaudit for k8s.

Reverse + binary

Ghidra, x64dbg, radare2, IDA Free. gdb, pwndbg. ROP gadget search. Symbolic execution where useful.

Reporting + evidence

A pentest-report template library covering exec summary, technical narrative, risk ranking, retest scope. Evidence-pack assembly.

Rules of engagement

Scope-fence discipline, kill-switch protocols, customer-communication cadence, emergency-stop language — drilled, not learned at first engagement.

What you walk away with

A pentester who can take any of the five surfaces on day one.

Five-domain certification

A 24-hour multi-domain capstone in week 16. Pass to certify; the rubric mirrors the discipline of a real engagement.

Engagement-grade report portfolio

Five module reports + one capstone report. Real format, real audience-fit, real risk ranking. Show them at interview.

Adversary-emulation grounding

You can hand off your kill-chain log into an AttackWiz BAS scenario (see Products). Offensive practice + continuous validation, same vocabulary.

Hiring pipeline access

Cyberange consulting team, sovereign red-team cells, BFSI internal offensive teams, MSSP testing desks. Referral pipeline, not portal applications.

Drilled against

  • CERT-In empanelment criteria
  • STQC certified-tester scheme
  • MITRE ATT&CK
  • PTES
  • OSSTMM
  • OWASP WSTG · MASTG · ASVS
  • NIST SP 800-115
  • CIS · CSA cloud benchmarks

Practice

"The exploit is the easy part. The engagement letter, the scope-fence, the rules of engagement, the kill switch, and the report are the discipline. Anyone can pop a shell. Far fewer can do it inside a scope and write a report that gets paid for."
Pentest Training · operating principle

The case for engagement discipline as the differentiator between hobbyist and professional.

Sixteen weeks. Five domains. One multi-domain capstone.

Weekend and weekday cohorts. Corporate cohorts on request. Workload is real — budget twelve to fifteen hours per week outside the cohort sessions.