Why Train with Me?

There are too many application security classes that waste time by discussing multiple tools that serve the same purpose, or make application security concepts feel like magic by not addressing the practical application of theory. Using the tools I use and the techniques I've learned from years of application security consulting, I provide training that focuses on bringing theory and reality together to provide a true learning experience.

No one wants to hire a consultant without experience, but it's difficult to gain experience unless you already work in the field, or breach ethical boundaries. This is a challenge that many "green" application security professionals face. My training provides real world experience in a classroom environment, allowing for the growth required to to enter the work force with confidence and a developed skill set.

Above all, training gives me an opportunity to share my passion for application security with individuals who make a real difference in the state of security for the applications that impact our daily lives. From banks, to social media, to government agencies, the opportunity to support those on the front line of application security is a privilege I don't take for granted.

...but don't take my word for it. Scroll down to see testimonials from previous students.

Upcoming Classes

Dates Class Host Location Registration
Jan 25-27, 2017 PWAPT (Developer Edition) OWASP Boston Waltham, MA (Boston) register
Q1, 2017 PWAPT (Standard Edition) OWASP NoVA TBD TBD

Contact me for on-site training opportunities.

Practical Web Application Penetration Testing - PWAPT


PWAPT provides comprehensive training on the latest open source tools and manual techniques for performing end-to-end web application penetration testing engagements. After a quick overview of the penetration testing methodology, the instructor will lead students through the process of testing and exploiting a target web application using the techniques and approaches developed from a career of real world application penetration testing experiences. Students will be introduced to the best tools currently available for the specific steps of the methodology, including Burp Suite Pro, and taught how to integrate these tools with manual testing techniques to maximize effectiveness. A major goal of this course is teaching students the glue that brings the tools and techniques together to successfully perform a web application penetration test from beginning to end, an oversight in most web application penetration testing courses. The end result is an individual with the confidence and skill set to conduct consultative web application penetration testing engagements.

The majority of the course will be spent performing an instructor led, hands-on web application penetration test against a target application built specifically for this class using a modern technology stack (Python Flask and React) and including real vulnerabilities as encountered in the wild. No old-school vanilla PHP stuff here folks. Students won't be given overly simplistic steps to execute independently. Rather, at each stage of the test, the instructor will present the goals that each testing task is to accomplish and perform the penetration test in front of the class while students do it on their own machine. Primary emphasis of these instructor led exercises will be placed on how to integrate the tools with manual testing procedures to improve the overall work flow. This experience will help students gain the confidence and knowledge necessary to perform web application penetration tests as an application security professional.

This course has an available Developer Edition that contains the same content as the original PWAPT course (Standard Edition), but adds a full day of code remediation lecture and exercises. The code remediation content includes discussions on the proper techniques for mitigating vulnerabilities, and exercises where the instructor and students will modify the application's source code to implement mitigating controls and test them for effectiveness.

PWAPT is a PortSwigger preferred Burp Suite Training course. PWAPT students will learn basic and advanced usage techniques for Burp Suite Pro, as well as discover obscure functionality hidden within the vast capabilities of the tool. Students will also receive a ~2 week trial license for Burp Suite Pro to use during and after the course.

For additional insight into the origin, mission, and benefits of PWAPT, listen to my interview with Timothy De Block for the Exploring Information Security podcast on the topic of "What is Practical Web Application Penetration Testing?"


Day 1:

  • Methodology
  • Reconnaissance
  • Mapping
  • Automated Discovery
  • Manual Discovery

Day 2:

  • Manual Discovery (cont.)
  • Exploitation
  • Web Services

Day 3: (Developer Edition only)

  • Remediation

Technical Requirements

  • Laptop with at least two (2) USB ports.
  • Latest VMware Player, VMware Workstation, or VWware Fusion installed. Other virtualization software such as Parallels or VirtualBox will probably work if the attendee is familiar with its functionality. However, VMware Player should be prepared as a backup.
  • Ability to disable all security software on their laptop such as Antivirus and/or firewalls (Administrator).
  • At least twenty (20) GB of hard drive space.
  • At least four (4) GB of RAM.