Belt-4 deep-technical. ~125 hours across 13 weeks. The course where students take one CVE, reproduce it under authorization, and ship a CERT/CC-grade tool plus disclosure report. Pairs with PEN-101 as the academy's explicit OSCP-prep sequence.
Course mission and audience
ADV-101 is the academy's CVE-to-tool capstone. By the end of the course the student has taken a published vulnerability, reproduced it manually against an authorized lab target, engineered a Python tool that exercises it with proper safety controls, scored it under CVSS v3.1, drafted a CERT/CC-grade disclosure report, and defended both orally in a simulated client briefing. The deliverable is the same one a professional vulnerability-research engagement produces.
The audience is students who have completed RE-101 (the academy's flagship reverse-engineering course, capstoned on the same Motorola SB6141 cable modem ADV-101 uses as its lab target). RE-101 graduates can read a firmware binary, identify a vulnerable function, and characterize a primitive. ADV-101 teaches them to take that characterization and convert it into an authorized testing tool plus the documentation that lets a vendor accept the disclosure and fix the bug.
The course is not about offensive enthusiasm. It is about the engineering discipline that distinguishes a security researcher from an attacker. Every lab from Lab 4 onward enforces an `--authorized-by` flag in the tool's own argparse interface. Every lab requires a signed authorization line in the student's lab notebook. The discipline is the discipline; the course rejects students who treat the lab targets as conquest material.
Position in the pipeline. After VCA-RE-101 (required). Pairs with VCA-PEN-101 as the OSCP-prep sequence. Bridges to VCA-ADV-102 (LLM-CVE variant; in roadmap) and to industry vulnerability-research roles.
What you will know at the end
Listed in Bloom's-taxonomy order:
- Remember. State the four CVSS v3.1 base-metric components (Attack Vector, Attack Complexity, Privileges Required, User Interaction), the three CERT/CC CVD timeline phases (notify, embargo, disclose), the three U.S. statutes governing adversarial testing (CFAA, DMCA §1201, state computer-crime equivalents), and the structural difference between a tool, a script, and a payload.
- Understand. Explain why authorization is the dividing line between research and crime; why a tool that can run without an `--authorized-by` flag is professionally indefensible; why CVSS scores are not the same as business risk; why ISO/IEC 29147 coordinated-disclosure timelines exist; why a vendor who refuses a disclosure is not a defense against publishing it; why the Computer Fraud and Abuse Act's broad surface is a practical problem for security researchers even when their intent is defensive.
- Apply (reproduction). Reproduce a published CVE manually against an authorized lab target. The reproduction starts from the public advisory and ends with a transcript that demonstrates the vulnerable behavior on the lab device. Manual first; tools later. (Lab 2.)
- Apply (tool engineering). Build a Python CLI tool that exercises the CVE. The tool ships across three versions: v0.1 fingerprints the target (refuses to act if the target is not the expected device); v0.2 adds an `--authorized-by` flag plus `--dry-run` and destructive-action confirmation; v0.3 adds structured JSON + human-readable run logs, idempotency, and a rollback path. (Labs 4, 5, 7.)
- Apply (CVSS scoring). Score the chosen CVE under CVSS v3.1. Produce the vector string and per-metric justification. Defend the score against an adversarial reviewer. (Lab 8.)
- Apply (CVD drafting). Draft a CERT/CC-grade disclosure report for a hypothetical novel finding. Cover vulnerability description, reproduction steps, CVSS, remediation, mitigation, and the explicit negative-scope section that protects the researcher from accusations of demonstrating exploitation. (Lab 9.)
- Analyze (ethics framework). Articulate in writing the legal and ethical boundary between authorized research and unauthorized access. Cite CFAA, DMCA §1201, and state-law variation. Address the professional-conduct boundaries SDVOSB and consulting engagements impose. (Lab 10, two-page ethics statement.)
- Synthesize / Create (capstone). Produce a CERT/CC-grade disclosure-ready report (vulnerability description + reproduction steps + CVSS + remediation + mitigation + negative-scope section); ship the tool as a proper Python package (README, LICENSE, CHANGELOG, pytest suite); defend both orally in a simulated client briefing.
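The safety properties the tool-engineering outcome lists (fingerprint gate, a required `--authorized-by` flag, `--dry-run`, destructive-action confirmation, a machine-readable run log) compose into a small standard-library scaffold. The block below is an added example, not code from the course, the academy, or any student submission. Its assumptions: the device banner comes from a caller-supplied `fetch_banner` callable and the device-specific step from a caller-supplied `perform_action` callable (both hypothetical), the fingerprint marker is the literal string `SB6141`, and the exit-code numbering is the author's choice. It makes no network connection; the stand-alone demo runs on a constructed banner and a no-op action.

```python
"""Safety-gate scaffold for an authorized-testing CLI.

Added example, not course code. fetch_banner / perform_action are hypothetical
caller-supplied callables; EXPECTED_MARKER and the exit codes are assumptions.
"""
import argparse
import json
import sys
import time

EXPECTED_MARKER = "SB6141"      # assumed fingerprint marker; the real check is Lab 4 work
EXIT_OK, EXIT_USAGE, EXIT_NOT_TARGET, EXIT_NOT_CONFIRMED = 0, 2, 3, 4


def build_parser():
    """argparse interface: --authorized-by is mandatory, --dry-run is the safe posture."""
    p = argparse.ArgumentParser(prog="sb6141-tool", description="authorized lab tool scaffold")
    p.add_argument("--target", required=True, help="lab device address (isolated network only)")
    p.add_argument("--authorized-by", required=True,
                   help="name on the signed authorization line; the tool refuses to run without it")
    p.add_argument("--dry-run", action="store_true", help="describe the action, do not perform it")
    p.add_argument("--yes", action="store_true", help="confirm the destructive action non-interactively")
    return p


def fingerprint(banner):
    """v0.1 semantics: act only when the banner identifies the expected device model."""
    return EXPECTED_MARKER in banner


def run(argv, fetch_banner, perform_action, log):
    """Walk the gates in order; append one JSON-serialisable record per decision to `log`
    and echo a human-readable line for each (the v0.3 twin-log requirement)."""
    def record(event, **fields):
        log.append({"ts": time.time(), "event": event, **fields})
        print(f"[{event}] " + ", ".join(f"{k}={v}" for k, v in fields.items()))

    try:
        args = build_parser().parse_args(argv)
    except SystemExit:                      # argparse has already printed the usage error
        return EXIT_USAGE
    record("start", target=args.target, authorized_by=args.authorized_by, dry_run=args.dry_run)

    banner = fetch_banner(args.target)
    if not fingerprint(banner):             # gate 1: wrong device, refuse before anything else
        record("refused", reason="fingerprint mismatch", banner=banner[:40])
        return EXIT_NOT_TARGET
    record("fingerprint_ok", marker=EXPECTED_MARKER)

    if args.dry_run:                        # gate 2: describe, never act
        record("dry_run", would_call="perform_action", target=args.target)
        return EXIT_OK
    if not args.yes:                        # gate 3: destructive step needs explicit confirmation
        record("refused", reason="destructive action not confirmed (pass --yes)")
        return EXIT_NOT_CONFIRMED

    result = perform_action(args.target)
    record("action", result=result)
    return EXIT_OK


def dump_log(log):
    """Serialise the run log as JSON, the machine-readable half of the run artifact."""
    return json.dumps(log, indent=2)


if __name__ == "__main__":
    # Stand-alone demo on constructed data: a fake banner and a harmless stand-in action.
    run_log = []
    code = run(sys.argv[1:] or ["--target", "lab-device", "--authorized-by", "example", "--dry-run"],
               fetch_banner=lambda target: "Model: SURFboard SB6141 (constructed sample banner)",
               perform_action=lambda target: "no-op stand-in action",
               log=run_log)
    print(dump_log(run_log))
    sys.exit(code)
```

The gate order matters: a run that fails the fingerprint never reaches the confirmation prompt, and every refusal leaves a log record with its reason, so an auditor can reconstruct why the tool stopped. Idempotency and rollback (the rest of the v0.3 list) sit inside `perform_action` and are not shown here.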
Course shape table
| Week | Topic | Lab anchor |
|---|---|---|
| 1 | Adversarial posture; authorization as the dividing line; CVE records as professional literature | Lab 1, Read + annotate the SB6141 Longenecker CVE; reproduce nothing yet |
| 2 | HTTP at the wire level; CSRF mechanics | Lab 2, Reproduce the CSRF manually with curl on the lab SB6141 |
| 3 | Isolated lab networks; authorization basis for this target | Lab 3, Build the isolated lab network; document authorization |
| 4 | Python requests, argparse, logging, exit codes | Lab 4, Tool v0.1, fingerprint only (is this an SB6141?) |
| 5 | Tool safety engineering I, authorization gates, dry-run, destructive-action confirmations | Lab 5, Tool v0.2, adds --authorized-by + --dry-run |
| 6 | Midterm practical, reproduce a different CVE manually on a different authorized target | Proctored 3-hour exam, no lab artifact |
| 7 | Tool safety engineering II, structured logging, auditable artifacts, rollback, idempotency | Lab 7, Tool v0.3, adds JSON + human-readable run-log + validation |
| 8 | CVSS v3.1 + impact scoring | Lab 8, Score the chosen CVE; per-metric justification |
| 9 | Coordinated vulnerability disclosure, CERT/CC, ISO/IEC 29147 | Lab 9, Draft the disclosure report for a hypothetical novel finding |
| 10 | Professional ethics; CFAA; DMCA §1201; state law variation; SDVOSB engagement rules | Lab 10, Write a 2-page personal ethics statement |
| 11 | Capstone defense preparation; report + tool peer review | Lab 11, Workshop submission |
| 12-13 | Capstone, tool + report + oral defense | Capstone submission + 20-minute defense |
Two weeks for the capstone proper; weeks 1-11 are the build-up. Total ~125 hours across the 13-week sequence.
Per-week time budget
The course averages ~9.5 hours per week across 13 weeks. Most weeks use this shape:
| Activity | Time per week |
|---|---|
| Lecture (1 session, ~50 min) | ~50 min |
| Lab (1-2 sessions, ~3 hr total) | ~3 hr |
| Independent practice (reading + lab artifact polish) | ~5 hr |
| Reflection journaling | ~30 min |
| Total per week | ~9.5 hr |
The course leans heavily on practical lab time (~45 hours total across 13 weeks). Lecture is light (~10 hours total). Most learning happens at the lab bench with the SB6141 in front of the student.
Weeks that vary from the standard shape:
- Week 6 (midterm). 3-hour proctored practical replaces the standard lab; independent practice drops to ~2 hr (exam prep).
- Week 11 (capstone workshop). Lab time is 1-on-1 instructor scope-check meetings; independent practice rises to ~6 hr (workshop polish).
- Weeks 12-13 (capstone). Lecture stops. Lab + independent practice converge to capstone build (~12-15 hr/wk).
Anchor readings
The ADV-101 reading anchors continue the paired-textbook system PEN-101 established. The narrative anchors (Stuttard + Pinto; Seitz + Arnold) are not re-introduced; the academy assumes students completed PEN-101 and met them there. ADV-101 deepens both texts. Per the per-track foundational-anchor discipline, ADV-101 also names a track-specific narrative anchor (Schneier, A Hacker's Mind) that the course's voice weaves through.
Per-track foundational anchor (narrative weave)
- Bruce Schneier, A Hacker's Mind: How the Powerful Bend Society's Rules, and How to Bend Them Back (Norton, 2023). Academy library copy at calibre id 677; `/media/laptop/data4t/books-master/Calibre_Library/Bruce Schneier/A Hacker's Mind (677)/`. The course's Petzold-equivalent narrative weave: short prose passages from Schneier ground each week's adversarial-mindset framing. The book's central argument (that "hacking" is the discipline of finding rule-system loopholes, applied broadly across technical and non-technical domains) is the voice that lets ADV-101 reframe adversarial work as professional craft rather than transgression. CSA-track uses Petzold CODE; ADV-101 track uses Schneier. Two or three Schneier weaves per chapter, each ~250-325 words, anchored to specific Schneier chapters with cited page numbers.
Practitioner-narrative pair (advanced depth)
- Stuttard + Pinto, The Web Application Hacker's Handbook, 2nd ed., Chs 8-21 (Wiley, 2011; ISBN 978-1-118-02647-2). The session-management, authentication, and state-attack chapters are the mental model behind the Week 2 CSRF reproduction work. Stuttard and Pinto's account of how browsers attach session cookies automatically to same-origin requests, and how a cross-origin form can ride that automatic-attachment behavior to perform actions in the user's session, is the mechanism the SB6141 CSRF exploits. The book's chapter on state-management attacks explains why the SB6141's unauthenticated interface is structurally exploitable in a way that makes the Longenecker CVE not a surprise but a predictable consequence of how the modem interface was designed. Academy library copy at calibre id 301; `/media/laptop/data4t/books-master/Calibre_Library/Dafydd Stuttard/The Web Application Hacker's Handbook_ Finding and Exploiting Security Flaws (301)/`.
- Seitz + Arnold, Black Hat Python, 2nd ed., Chs 6-12 (No Starch Press, 2021; ISBN 978-1-7185-0112-6). The proxy, fuzzer, and post-exploitation tooling chapters drive the Tool v0.1 -> v1.0 engineering sequence. Seitz and Arnold's logging and state-management examples are the structural model for the Tool v0.3 idempotency and JSON-log requirements. Academy library copy at calibre id 138; `/media/laptop/data4t/books-master/Calibre_Library/Justin Seitz/Black Hat Python (138)/`.
Build-it-yourself (graduation track)
- OffSec, PEN-200 / OSCP+ (OffSec institutional subscription). The institutional graduation credential. ADV-101 + PEN-101 is the academy's explicit OSCP-prep sequence; PEN-200 is the self-study reference for students planning to sit the OSCP+ examination after the academy offensive track.
Supplementary
- Kim, The Hacker Playbook 3 (Self-published, 2018). Red-team mindset and engagement-report format. ADV-101 capstone-report companion. Academy library copy at calibre id 26.
- Yaworski, Real-World Bug Hunting (No Starch, 2019). Bug-bounty methodology; the academy's bridge reading for students advancing into bug-bounty work after ADV-101 ships. Academy library copy at calibre id 47.
- Weidman, Penetration Testing: A Hands-On Introduction (No Starch, 2014). The introductory-pentest reference; useful when an ADV-101 student needs to brush up on lab-network basics from PEN-101. Academy library copy at calibre id 66.
- Furqan Khan, Hands-On Penetration Testing with Python (Packt, 2018). Python-pentest tooling reference; companion to Seitz and Arnold for the Tool v0.1-v0.3 engineering sequence. Academy library copy at calibre id 98.
- CERT/CC CVD Guide + ISO/IEC 29147 (cert.org, iso.org; free). The disclosure-practice references underlying Lab 9 and the capstone report shape. CERT/CC's guide at https://vuls.cert.org/confluence/display/CVD/; ISO/IEC 29147 abstract at https://www.iso.org/standard/72311.html (full text purchasable; abstract sufficient for course needs).
- NIST CVSS v3.1 specification at https://www.first.org/cvss/v3.1/specification-document. The CVSS calculator at https://www.first.org/cvss/calculator/3.1 is the standard scoring tool; Lab 8 uses it directly.
- Longenecker SB6141 CVE advisory (the canonical 2015 disclosure that named the academy's lab target). Original advisory at http://www.kb.cert.org/vuls/id/419568 (CERT/CC VU#419568); researcher write-up at https://www.shellntel.com/blog/2015/11/22/cable-modem-pwned.
The supplementary list intentionally excludes books better-suited to other academy courses. Erickson's Hacking: The Art of Exploitation (RE-101 anchor) is not re-cited; students completing RE-101 met it there. Sikorski + Honig's Practical Malware Analysis (forward-pointer to advanced RE work) is not in scope.
Lab target: Motorola SURFboard SB6141
The course uses the Motorola SURFboard SB6141 cable modem as its single named lab target across every lab and the capstone. The modem is end-of-life, available on the used market for $25-40, and carries a documented unauthenticated CSRF vulnerability (the Longenecker disclosure, CERT/CC VU#419568). The academy provides SB6141 units via the Hardware Checkout pool; students who prefer to buy their own are welcome to.
Why this target. Four reasons. (1) The CSRF is a textbook example of the session-management failures Stuttard and Pinto describe; the academic and practitioner literature align cleanly. (2) The device is consumer-grade, broadly available, and end-of-life, which means academy use does not affect vendor patch-availability decisions. (3) The lab harness is reproducible: a single SB6141 plus a USB-Ethernet adapter on an isolated lab network is the entire setup. (4) The academy's RE-101 (prerequisite) already characterized the device; ADV-101 starts from the characterization rather than redoing it.
Cyber-use authorization. The academy operates ADV-101 under Anthropic's acceptable-use cyber-research exception on the academy account. Every student in the cohort signs a current-cohort cyber-use authorization in Week 3 before the first authorized reproduction in Week 4. The authorization documents the lab target, the scope of authorized activity, and the negative-scope restrictions. The signed document lives in the student's lab portfolio.
What the lab target is NOT. The SB6141 is the academy's authorized target. Students do not test their own home modems unless they own them outright and the modem is the same model. Students do not test cable modems they encounter in the wild. The course's professional discipline is the discipline.
Per-track foundational anchors
Per the academy's feedback_track_specific_foundational_anchors discipline, each track picks a foundational anchor that fits the track. ADV-101's track-foundational anchor is the CERT/CC Coordinated Vulnerability Disclosure framework plus the Longenecker SB6141 CVE as the canonical worked example. The CSA-track Petzold weaves do not apply here; the foundational text is the disclosure framework itself.
The course's nand2tetris-equivalent spine is the Tool v0.1 -> v0.2 -> v0.3 -> v1.0 engineering sequence. Just as nand2tetris builds a computer one layer at a time, ADV-101 builds a vulnerability-research tool one safety property at a time: fingerprint, then authorization, then logging, then a shippable package. Each weekly artifact is a layer that subsequent labs depend on.
Capstone
The ADV-101 capstone is "ship the tool and the report." Across two intensive weeks (12-13) the student takes their Lab 7 Tool v0.3 to v1.0 (proper Python package: README + LICENSE + CHANGELOG + pytest suite), drafts the CERT/CC-grade disclosure-ready report covering the SB6141 CSRF, and defends both in a 20-minute oral defense before the cohort plus an external reviewer (academy alumnus or sponsoring practitioner).
Full specification, rubric, and the standard report template in CAPSTONE.md. Graduate students who want a stretch capstone may instead apply the methodology to CVE-2026-5402 (TLS ECH integer-truncation) per the companion handout at /handouts/adv-101-cve-2026-5402-capstone-arc.md; that arc is engagement-tradecraft depth on a richer protocol-level CVE.
Labs
Ten graded labs plus the capstone:
| Lab | Title | Deliverable artifact |
|---|---|---|
| 1 | SB6141 CVE Annotation | Annotated Longenecker CVE record + reproducing-researcher checklist |
| 2 | Manual CSRF Reproduction | curl + Burp transcript demonstrating the CSRF on the lab SB6141 under written authorization |
| 3 | Isolated Lab Network | Network diagram + per-session authorization log + scope-limit document |
| 4 | Tool v0.1, Fingerprint Only | Python CLI that fingerprints SB6141; refuses to run on non-target; argparse --help |
| 5 | Tool v0.2, Authorization + Dry-Run | v0.2 adds --authorized-by + --dry-run; refuses to run without authorization |
| 6 | Midterm proctored practical | No lab artifact |
| 7 | Tool v0.3, Logging + Idempotency | v0.3 adds JSON + human-readable run logs; idempotent semantics; rollback path |
| 8 | CVSS Scoring | CVSS v3.1 vector + score + per-metric justification document |
| 9 | CVD Disclosure Draft | CERT/CC-grade disclosure report for a hypothetical novel finding |
| 10 | Personal Ethics Statement | 2-page ethics statement covering CFAA, DMCA §1201, state-law variation, professional-conduct boundaries |
| 11 | Capstone Workshop | Tool v1.0 draft + report draft; instructor + peer review |
| C | Capstone | Tool v1.0 (Python package with README + LICENSE + CHANGELOG + pytest suite) + CERT/CC-grade report + 20-minute oral defense |
Setup before week 1
See SETUP.md for the full checklist. Plan ~2 hours before week 1: install Burp Suite Community Edition, confirm Python 3.11+, set up the isolated lab network harness, request a Hardware Checkout SB6141 (or buy a used one), and sign the academy cyber-use authorization. The first lab does not touch any device; it is a CVE-record annotation. The first hardware-touching lab is Week 2.
Pedagogy
ADV-101 is taught by reproduction and reflection. Every week the student reproduces a step (a CSRF on the wire; a fingerprint via Python; a CVSS score on paper) and then reflects in writing on what the step taught them about the discipline. The course rejects the "exploit-of-the-week" register that some adversarial training programs use; the focus is on the methodological backbone, not the trophy count.
Five cross-cutting voice patterns run through the course:
- Schneier weave (Petzold-equivalent narrative weave per per-track anchor doctrine). Camera-ready prose passages of ~250-325 words from Schneier's A Hacker's Mind, anchored to specific Schneier chapters with cited page numbers. Two or three per chapter. The weave grounds the week's adversarial-mindset framing in Schneier's argument that hacking is a discipline of rule-system loophole-finding.
- Authorization callout. Every lab opens with the authorization statement the student signs in their lab notebook before the lab begins. The boilerplate is not optional; the discipline is the discipline.
- Adversary Diary callout. Each week names the practitioner tools introduced that week (Burp Suite, `curl` with specific flags, Python `requests`, CVSS calculator). Students maintain `adversary-diary.md` in their course repo; by Week 13 it is a portfolio reference of the practitioner toolchain. This is the security-track analog of the CSA-track Toolchain Diary.
- Disclosure-Ethics Sidebar. Per lecture, a boxed callout comparing the week's adversarial work against (a) responsible-disclosure norms (the CVE process), (b) academic-ethics norms (IRB-like review), and (c) legal-context norms (CFAA, DMCA §1201, applicable state-law equivalents). The sidebar reframes adversarial work as professional rather than transgressive; voice-matched to Schneier's framing throughout (calibre id 677). Security-track analog of the CSA-track Architecture Comparison Sidebar.
- "What would a reviewer ask?" callout. Each lab closes with two or three questions an adversarial reviewer (instructor, capstone defense panelist, industry hiring manager) might ask about the work. The discipline of anticipating questions is the discipline of doing serious work.
The course does NOT use the CSA-track Petzold weaves. ADV-101's track-foundational narrative anchor is Schneier A Hacker's Mind; the per-track foundational discipline anchor is the CVD framework itself.
Tool journal: ADV-101 additions
By the end of week 13 the student's tool journal carries these new entries:
- Burp Suite Community Edition, the HTTP-inspection workhorse (Week 2 and forward)
- `curl` with `-v`, `-c`, `-b`, `--data-raw` for session-management replay
- Python `requests` with `Session` for cookie persistence (Week 4)
- `argparse` with `--authorized-by` as a required-by-policy flag (Week 5; FND-102 introduces argparse; ADV-101 adds the safety semantics)
- `logging` with JSON formatter + structured fields (Week 7)
- CVSS v3.1 calculator at https://www.first.org/cvss/calculator/3.1 (Week 8)
- CERT/CC CVD disclosure-report template (Week 9; the actual template from cert.org)
- `pytest` with `tmp_path` fixture for tool tests (Capstone)
- Python packaging (`pyproject.toml`, `setup.cfg`, `MANIFEST.in`, `LICENSE`, `CHANGELOG`) (Capstone)
Course outline v0.1 prepared 2026-05-29. Iteration after first pilot cohort runs.