Baseband exploitation is often considered the cream of the offensive security field. In the last decade, only a handful of such exploits were publicly released. As a result, many researchers view the ability to silently achieve code execution on a victim’s device by emulating a GSM (2G), 3G, LTE (4G), or 5G base station as a difficult objective.

In reality, baseband exploitation is not that challenging! By following a simple list of steps, a baseband platform can be quickly unlocked for research, debugging and exploitation.

In this course, students will learn our systematic approach to baseband security research: from setting up a fake base station using SDR and open-source BTS software, to obtaining and analysing mobile phone firmware and crash dumps, modifying BTS code to trigger bugs and deliver a payload, and finally reverse engineering radio protocols, hunting for vulnerabilities and exploiting them.

By the end of this heavily hands-on course, students will become familiar with two extremely common baseband platforms, Shannon and MediaTek, gain the skills to debug these and other baseband platforms, and learn about previously discovered bugs in basebands, and how they have been exploited.

Each student will be provided with a Software Defined Radio (SDR) board to emulate a base station, and a modern mobile phone to serve as a target.

iOS is one of the most popular operating systems on the market, offering a state-of-the-art security model. During this 4-day training provided by experienced security researchers, participants will discuss the ecosystem, the fundamental building blocks and the internals of the iOS operating system with a hands on approach on a virtual phone device. They will discover how to use the macOS toolchain to deploy their own code, debug and use diagnostic tools.

The fundamentals of reverse-engineering applications and system services in iOS will be covered in a second step: Objective-C internals, IPC mechanisms (Mach, XPC, NSXPC), kernel APIs (MIG, IOKit), usermode and kernelmode tracing, bootloader. Practical examples and exercises will guide participants throughout the training. Finally, software and hardware security measures specific to iOS will be covered both in kernel and user space, including: PAC, MIE, SPTM/TXM, KTRR.

Get prepared for the world of iOS vulnerability research and exploit development with a training built to equip you with the essential tools, techniques, and mindset to get started on iOS 26.

Modern reverse engineering increasingly relies on automation, custom tooling, and agent-assisted workflows. But these approaches quickly run into limits when binaries actively resist analysis through control-flow obfuscation, virtualization, mixed Boolean-Arithmetic, and other transformations. This training teaches the practical deobfuscation workflows needed to break such protections and to make automated reverse-engineering workflows effective on real-world targets.

The course will present an in-depth description of the techniques implemented in modern malware to evade defenders and security products (such as AV, IPS, IDS, EDR), and how attackers design and operate their implants in order to ensure a prompt redeployment after a detection or a public disclosure by researchers or security vendors.

The course will also cover real-world scenarios that impair (effectively slow-down or dissuade) reverse engineering efforts and make the job of first responders tougher. The techniques will be demonstrated in two ways: first, by reversing real malware samples, and then by re-implementing an improved version of the malware code. The training is designed from an attacker's point of view, teaching red-teams how to make their implants stealthier, but it will also teach defenders how to deal with the anti-reversing and the OPSEC techniques demonstrated in class.

The course focuses primarily on Windows malware and on the analysis, tweaking and re-purposing of real malware samples. Participants will be provided with plenty of custom code to facilitate the understanding of complex malware techniques.

As part of the course, theory sessions will be followed by exercises where participants will reverse and re-implement specific parts of real malware in order to fully understand the hidden corners of all the techniques involved. The 50% of the course will be dedicated to hands-on labs that will show how to translate the theory principles into practice.

Labs are designed to provide flexibility in terms of complexity and include bonus tracks to ensure that you always feel engaged and have something interesting to explore and learn.

Almost all labs are provided in dual versions (reverse and development). Students can choose which version to approach.

To develop and test the techniques described during the theory sessions, students will be provided with the source-code of our training agent and its corresponding C2.

The security research workflow for IM applications has changed. Large language models can now read and classify thousands of decompiled functions in minutes, build protocol clients from documentation, and map attack surfaces across entire applications. But they also hallucinate about code paths that don't exist and confidently recommend exploit strategies against unreachable targets. Knowing where to trust them and where to verify is the new core skill.

This four-day course teaches a methodology for IM vulnerability research and exploitation that generalizes across targets. We use Telegram and WhatsApp as case studies because together they cover the two main scenarios a researcher faces: an open-source application where the challenge is scale, and a closed-source, heavily obfuscated application where the challenge is understanding. Students build an LLM-powered vulnerability research pipeline in Python against both the OpenAI API and the Claude Agent SDK, then turn it against Telegram's animated sticker processing to independently rediscover a real, recently-disclosed vulnerability class.

The pipeline is model-agnostic by design. Inference runs against multiple backends: a dedicated GPU server hosting leading open-weight models (currently GLM-5.1 and Kimi K2.5, subject to change as the field moves), and commercial APIs including Claude via the Agent SDK. Students use multiple models throughout the course. The course treats model selection as a first-class research decision: which model to use for which task, when to switch, and why.

Hypervisors are complex software that play a critical role in modern infrastructure, but like any software, they’re not immune to flaws which can be exploited by sophisticated attackers. This training dives into the technical depths of virtualization technologies and explores the flaws leading to virtual machine (VM) escapes. During this training, you will be able to sharpen your skills on multiple platforms from the initial analysis of a target to exploiting real world vulnerabilities.

The course explores the attack surfaces hypervisors expose to their guests, both statically and dynamically. By breaking down how virtual machines communicate with hypervisors and their internal components, participants will learn to apply their existing vulnerability research and exploitation skills to any virtualization software. The training also provides detailed insights for each studied target, including their architectures, typical vulnerabilities, and guidance for effective bug hunting.

This course is ideal for security researchers and vulnerability analysts who are already familiar with low-level systems programming and common exploitation techniques but are new to hypervisor internals. By the end of the training, participants will have a solid foundation in virtualization attack surfaces and vulnerability research as well as the ability to craft proof-of-concept exploits targeting hypervisors.

The course is designed to be given in 4 days of 7 hours.

This training guides researchers through the field of Android kernel exploitation. The training is structured as a series of lectures, each followed by one or more hands-on labs executed on a Pixel 8 device. The goal of each lab is to write an Android kernel exploit following the techniques described during the lecture.

The training starts with the chapters on setting up a kernel debugging environment on Pixel 8 and exploiting Slab (heap) memory corruptions to escalate privileges. The following core part of the training focuses on modern Android kernel exploitation techniques for memory corruption vulnerabilities.

It's strongly recommended for a participant to already have at least some experience with writing Linux kernel exploits (i.e., knowing the basics of exploiting Slab memory corruptions and escalating privileges on x86-64 Linux kernels). Participants without such experience should consider taking the Exploiting the Linux Kernel training first.

Join an esteemed senior security researcher and endpoint security engineer for a deep dive into the internals of the Windows 11 Operating System.