Baseband exploitation is often considered the cream of the offensive security field. In the last decade, only a handful of such exploits were publicly released. As a result, many researchers view the ability to silently achieve code execution on a victim’s device by emulating a GSM (2G), 3G, LTE (4G), or 5G base station as a difficult objective.

In reality, baseband exploitation is not that challenging! By following a simple list of steps, a baseband platform can be quickly unlocked for research, debugging and exploitation.

In this course, students will learn our systematic approach to baseband security research: from setting up a fake base station using SDR and open-source BTS software, to obtaining and analysing mobile phone firmware and crash dumps, modifying BTS code to trigger bugs and deliver a payload, and finally reverse engineering radio protocols, hunting for vulnerabilities and exploiting them.

By the end of this heavily hands-on course, students will become familiar with two extremely common baseband platforms, Shannon and MediaTek, gain the skills to debug these and other baseband platforms, and learn about previously discovered bugs in basebands, and how they have been exploited.

Each student will be provided with a Software Defined Radio (SDR) board to emulate a base station, and a modern mobile phone to serve as a target.

During this training, participants will discover the ecosystem and the fundamental bricks of the iOS operating system. They will discover the macOS toolchain used to deploy applications, and the debugging and diagnostic tools.

Participants will be teached fundamentals to reverse-engineer applications and system services: Objective-C internals, IPC mechanisms (XPC, NSXPC) and kernel APIs.
Practical examples and exercices built on iOS 17 will guide them all along the training. Hardware and software security measures unique to iOS will be covered, from both userland and kernel perspectives.

In this training, we get to know state-of-the-art code obfuscation techniques and look at how these complicate reverse engineering. Afterwards, we gradually familiarize ourselves with different deobfuscation techniques and use them to break obfuscation schemes in hands-on sessions. Thereby, participants will deepen their knowledge of program analysis and learn when and how (not) to use different techniques.

This 4-day course introduces participants to the fundamentals of Azure, one of the top cloud platforms, and delves into its security aspects. Tailored for red teamers, the course focuses on the tactics, techniques, and procedures (TTPs) used in cloud environments, emphasizing discretion and stealth during testing. Through hands-on exercises in simulated environments, attendees will practice Azure intrusion techniques on Entra ID, Microsoft 365, Azure resources, Azure DevOps (CI/CD), Intune, and hybrid infrastructures. They will develop the skills to identify vulnerabilities and exploit weaknesses while maintaining operational secrecy. This training provides red team professionals with the knowledge to assess cloud security effectively and discreetly.

This class teaches you how hypervisors and hardware-assisted virtualization technologies work. You can use this knowledge to build your hacking hypervisors for research and to study, customize, and break existing hypervisors.

We achieve this by developing lightweight, UEFI module-based hypervisors using Intel VT-x and analyzing various advanced hypervisor applications, such as fuzzing and system hardening. The knowledge we acquire can be applied to kernel module-based hypervisors and AMD processors.

The class is hands-on oriented; we will spend 30-40% of the time with excesses.

This class is designed to introduce students to the most effective tools and techniques for applying cutting-edge deep learning–based artificial intelligence to cybersecurity tasks. By leveraging AI-driven automation, students will explore new ways to enhance security workflows and optimize vulnerability research. We will take a deep dive into modern AI architectures, focusing on how deep learning models can assist in areas such as malware analysis, reverse engineering, vulnerability research, and penetration testing. Students will learn to train, fine-tune, and apply large language models (LLMs) to solve real-world cybersecurity challenges, integrating AI-driven solutions into their daily operations. The course will provide hands-on experience with model training, embeddings, vector search, and agents for fuzzing, source code auditing, voice cloning, website penetration testing, and more! Through practical exercises, students will gain proficiency in using AI to automate security tasks. By the end of the course, attendees will have the skills and knowledge to incorporate deep learning–based AI solutions into their cybersecurity workflows, enhancing both efficiency and effectiveness.

This training will equip students with an understanding of modern virtualization architecture and attack surfaces with a focus on KVM, while also looking at Samsung Knox's Real-time Kernel Protection (RKP), Huawei's Hypervisor Execution Environment (HHEE). Through structured labs, students will build the intuition to be able to effectively find and exploit design flaws and memory corruption issues within hypervisors, and attack hypervisor-enforced security mechanisms.

A 4-day Linux kernel exploitation frenzy! This training guides researchers through the field of Linux kernel exploitation. In a series of practical labs, the training explores the process of exploiting kernel bugs in a modern Linux distribution on the x86-64 architecture. The training is structured as a series of lectures, each followed by one or more hands-on labs. The goal of each lab is to write a Linux kernel exploit following the techniques described during the lecture. The training starts with beginner topics but proceeds into advanced areas as well. The beginner chapters include learning how to escalate privileges and bypass foundational mitigations in x86-64 kernels. The advanced chapters are primarily dedicated to the modern slab (heap) exploitation techniques and include an in-depth analysis of the kernel allocators' internals. The core requirement for this training is the ability to read and write C code. Basic knowledge of the x86-64 architecture and assembly, GDB, and the common binary exploitation techniques would also come in handy. There is no need to know any Linux kernel internals: all required parts are covered during the training.

The course will present an in-depth description of the techniques implemented in modern malware to evade defenders and security products (such as AV, IPS, IDS, EDR), and how attackers design and operate their implants in order to ensure a prompt redeployment after a detection or a public disclosure by researchers or security vendors. The course will also cover real-world scenarios that impair (effectively slow-down or dissuade) reverse engineering efforts and make the job of first responders tougher. The techniques will be demonstrated in two ways: first, by reversing real malware samples, and then by re-implementing an improved version of the malware code. The training is designed from an attacker's point of view, teaching red-teams how to make their implants stealthier, but it will also teach defenders how to deal with the anti-reversing and the OPSEC techniques demonstrated in class. The course focuses primarily on Windows malware and on the analysis, tweaking and re-purposing of real malware samples. Participants will be provided with plenty of custom code to facilitate the understanding of complex malware techniques. As part of the course, theory sessions will be followed by exercises where participants will reverse and re-implement specific parts of real malware in order to fully understand the hidden corners of all the techniques involved. The 50% of the course will be dedicated to hands-on labs that will show how to translate the theory principles into practice. Labs are designed to provide flexibility in terms of complexity and include bonus tracks to ensure that you always feel engaged and have something interesting to explore and learn. Almost all labs are provided in dual versions (reverse and development). Students can choose which version to approach. To develop and test the techniques described during the theory sessions, students will be provided with the source-code of our training agent and its corresponding C2.