PEN-101 Instructor Guide

Faculty reference. Covers lab network setup, grading rubrics, ethical-incident protocol, and cohort-coordination notes. Not student-facing.


Course philosophy

PEN-101 is the first course in the Virtus Academy offensive track where students conduct real attacks against intentionally vulnerable targets. The ethics and authorization framing is not a disclaimer -- it is curriculum. Every week reinforces the message that scope, written permission, and professional documentation are what separate authorized penetration testing from criminal unauthorized access.

Instructors must model this framing in every session. Never demonstrate a technique without explicitly naming the authorization that makes the demonstration lawful and professional. When students shortcut this framing in labs ("can I just run this against..."), redirect them to the authorization-first question before discussing the technical approach.


Pre-cohort setup

Lab network

The lab network is a set of intentionally vulnerable VMs on an isolated RFC 1918 range. It must be physically or logically isolated from the production network and from the Internet. Recommended setup: a dedicated Proxmox or VMware vSphere host on a VLAN that cannot route outside the lab.

Minimum lab VM set:

| VM | Purpose | Weeks used |
|---|---|---|
| Metasploitable 2 | Linux exploitation target, vuln scanner target | 5, 7 |
| DVWA (Docker on Kali) | Web recon + vuln scanning | 4, 5 |
| Juice Shop (Docker on Kali) | Web-app exploitation | 8 |
| WebGoat (Docker on Kali) | Web-app exploitation (server-side injections) | 8 |
| Windows 10 / Server 2019 (eval) | Privesc + lateral movement | 9, 10 |
| Instructor-built multi-host range | Lab 10, Capstone | 10, 12-13 |

Capstone lab network: 3-5 hosts with documented intentional vulnerabilities. Document the intentional vulnerabilities in a separate instructor file never shared with students. Every vulnerability must be deliberately introduced and reversible (snapshot-able). The capstone lab is wiped and re-snapshotted between cohorts.

Student access

Each student receives their Kali VM credentials and the VPN .ovpn file for the lab network at the setup session. The lab network is accessible during lab hours only (configure firewall rules to enforce the window, or trust + verify against the honor code for small cohorts).

Authorization documentation

The academy lab-use agreement must be signed before any student receives lab access. Keep signed copies on file. The agreement specifies:

  • The IP ranges that are in scope for each lab
  • The window during which lab access is authorized
  • The student's obligation to report scope excursions within 30 minutes
  • Consequences of unauthorized use

Grading rubrics

Labs 1-11

Each lab is graded on a three-part rubric: technical execution, documentation quality, and authorization compliance.

| Component | Weight | What passes |
|---|---|---|
| Technical execution | 50% | The stated technique was correctly applied against the authorized target; outputs are real (not fabricated); findings are reproducible |
| Documentation quality | 30% | Command transcripts included; screenshots at each meaningful step; timestamps present; findings described in client-addressable language |
| Authorization compliance | 20% | Work was performed against the authorized target only; any accidental scope excursion was reported immediately |

A lab that shows technical success but no documentation gets 50% of the technical component only. A lab that shows evidence of unauthorized-target access gets a zero for that lab and triggers the ethical-incident protocol (see below).

Midterm (Week 6)

The midterm is a 3-hour proctored mini-engagement against an instructor-designated lab VM. Students receive a one-page mock scope document at the start and must produce a one-page finding summary at the end.

Graded on:

  • Correct identification of at least 2 findings (40%)
  • Evidence of all four pre-midterm PTES phases in the finding summary (30%)
  • Documentation quality (30%)

Capstone

See CAPSTONE.md for the full rubric. Summary:

First tier (binary gates -- all five must pass for the capstone to be scored):

  1. Engagement was conducted within stated ROE
  2. At least one finding exploited end-to-end with proof
  3. Report contains all five required sections
  4. Oral debrief delivered in under 25 minutes
  5. Both technical and non-technical stakeholder questions answered substantively

Second tier (scored after all five gates pass):

  • Technical depth + accuracy: 40%
  • Report clarity and craft: 30%
  • Engagement discipline + reflection: 30%

Ethical incident protocol

An ethical incident is any situation where a student may have accessed a system outside the authorized target range, or used course techniques in an unauthorized context.

Immediate response:

  1. The student reports the incident. If discovered by the instructor, notify the student immediately.
  2. The student documents exactly what happened: what command was run, what IP was targeted, what output was received, at what time.
  3. The student stops all lab activity until cleared.
  4. The instructor reviews the network logs to confirm or rule out unauthorized access.
  5. If unauthorized access is confirmed, escalate to academy administration per the institution's policy.

Prevention:

  • Before each lab, verbally confirm the authorized IP range with students.
  • Require students to paste the target IP into the command before running it; instructors can verify during lab sessions.
  • On the lab network, use network monitoring to alert on traffic outside the authorized target range.
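
One way to implement the monitoring check above and the log review in step 4 of the immediate response, as an added example that is not part of the academy's own tooling. The address ranges, lab hours, and the four-field flow-record format are assumptions; substitute the scope and window written in the signed lab-use agreement and whatever your flow exporter emits.

```python
from datetime import datetime, time
from ipaddress import ip_address, ip_network

# Assumed values, standing in for what the signed lab-use agreement states.
SCOPE = [ip_network("10.50.0.0/24")]         # in-scope target range
STUDENT_NET = ip_network("10.50.100.0/24")   # VPN pool for student Kali VMs
WINDOW = (time(18, 0), time(21, 0))          # authorized lab hours

# Constructed flow records: "timestamp src dst dport"
SAMPLE_FLOWS = """\
2024-03-04T18:12:09 10.50.100.11 10.50.0.5 80
2024-03-04T18:40:31 10.50.100.12 10.50.1.7 445
2024-03-04T21:05:44 10.50.100.11 10.50.0.5 22
2024-03-04T19:02:10 10.50.100.13 192.0.2.10 443
2024-03-04T19:30:00 10.50.0.5 10.50.100.11 4444
bad line here
"""

def classify(line):
    """Return an alert reason for one flow record, or None if authorized."""
    parts = line.split()
    if len(parts) != 4:
        return "unparseable"          # never drop a record silently
    try:
        ts = datetime.fromisoformat(parts[0])
        src, dst = ip_address(parts[1]), ip_address(parts[2])
    except ValueError:
        return "unparseable"
    if src not in STUDENT_NET:
        return None                   # only student-originated traffic is judged
    if not any(dst in net for net in SCOPE):
        return "out-of-scope"         # scope is checked before the time window
    if not (WINDOW[0] <= ts.time() < WINDOW[1]):
        return "outside-window"
    return None

def find_excursions(text):
    """Return (reason, record) pairs for every record that needs review."""
    hits = []
    for line in filter(None, map(str.strip, text.splitlines())):
        reason = classify(line)
        if reason:
            hits.append((reason, line))
    return hits

if __name__ == "__main__":
    for reason, record in find_excursions(SAMPLE_FLOWS):
        print(f"ALERT {reason}: {record}")
```

Each flagged record carries the timestamp, source, and destination that the student's own incident write-up should match, which makes it a direct cross-check during the instructor's log review.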

Week-by-week instructor notes

Week 1

Ethics-heavy week. Spend half the lecture on the authorization bright line and CFAA; the other half on the PTES seven-phase overview. The ROE-drafting lab is a written exercise, not a technical exercise. Grade it on whether the student correctly identifies the key components (IP scope, testing window, contact chain, out-of-scope actions, payment terms, NDA). Real-world ROEs are 5-15 pages; the lab deliverable is a 1-2 page structured outline.

Week 2

OSINT without detection: emphasize that passive recon by definition should leave no fingerprint on the target's logs. Demonstrate common mistakes (directly probing DNS on the target's authoritative server, querying WHOIS from your own IP without a relay). The lab target for OSINT is an instructor-designated fictional company with a real domain (register a .com for this purpose) and a GitHub org with intentional exposures (leaked API key in commit history, email addresses in README). Do not use a real company.

Week 3

First hands-on tool week. Many students will want to run every Nmap flag. Keep the lecture focused on scan types (SYN, Connect, UDP, version, script) and when each is appropriate. Common mistake: students run -sV --script=default on every target and miss that aggressive scans are louder. Lab 3 is on the authorized lab network only.

Week 4

Burp Suite is the most friction-heavy tool install. Ensure students have installed the Burp CA certificate in their browser before class starts. The lab walks directory fuzzing with gobuster or feroxbuster (both in Kali) and then Burp Suite proxy interception. The DVWA security level should be set to Low for the lab to keep friction low; students explore the Medium and High settings independently.

Week 5

Nessus Essentials has a 16-IP limit on the free tier -- sufficient for the lab network. Nuclei is faster and more template-extensible; show both and let students compare output. The lab deliverable is a spreadsheet, not just the scanner output. Stress the difference: raw scanner output is not a finding list; triaged findings with manual verification and business-risk context are.

Week 6 (Midterm)

No lecture. Brief students on the lab VM's IP, the mock scope document, and the time constraint. Proctored: confirm students are working against the designated target only. Reserve 15 minutes at the end for a debrief -- have students describe one finding they made and one they missed.

Week 7

This is where the tone shifts from reconnaissance to exploitation. Restate the authorization framing at the start. The three tool families -- Metasploit modules, public exploit-db code, and custom Python -- each get 30 minutes of lecture. The most important pedagogical point: Metasploit makes exploitation look easy; the student who only knows Metasploit does not understand what they are doing. The lab requires at least one exploit run manually (not through Metasploit) with the underlying CVE read and understood.

Week 8

Web-app exploitation is the longest single lab in the course. The WAHH chapters on SQL injection, XSS, and SSRF are required reading before lab. Juice Shop provides guided hints; disable them for lab submission (configure NODE_ENV=ctf to hide the score board hints). WebGoat provides lesson-mode tutorials; require students to perform the attacks manually, not just click through the lesson.

Week 9

LinPEAS and WinPEAS are automation tools. Require students to read the source before running it -- at least the module list. The lab deliverable must annotate each finding with the underlying technique family (SUID bit, writable service binary, unquoted service path, DLL hijacking, etc.), not just paste the tool output.

Week 10

Multi-host engagement. This is the most complex lab and will take most students the full 5 hours. Pre-configure credential reuse across at least two hosts (same password for different service accounts). Document which hosts are in scope; if a student reaches an out-of-scope address, the network monitoring alert fires and you debrief the scope-boundary lesson in real time.

Week 11

No new tools. Pure report-writing and ethics-of-disclosure week. The lab peer-review session is as important as the instructor review. Pair students with different technical backgrounds so the technical student checks the non-technical student's clarity and vice versa.


Capstone logistics

The capstone runs over two consecutive weeks with instructor availability during engagement hours. See CAPSTONE.md for the full spec.

Lab reset cadence: Snapshot the capstone lab network immediately before each cohort's Day 1. Reset from snapshot at the end of Day 5.

Oral debrief: Schedule 30-minute slots per student. First 20 minutes is the student's presentation. Last 10 minutes is Q&A with the instructor playing two roles: technical peer (ask about tool choice, why a finding was CVSS-scored the way it was) and non-technical client (ask what the risk means in plain language, what they should fix first and why).

Report security: The capstone report contains real exploitation evidence against lab targets. While the targets are intentionally vulnerable educational VMs, treat the report as sensitive. Private Git repo per student; instructor + cohort-peer access only; never shared publicly.


Academic integrity

Students may discuss approaches and compare notes in the course forum. They may not share working exploits, report sections, or evidence artifacts for the graded capstone. The course forum is monitored; flag anything that looks like shared capstone work.

The lab deliverables for Labs 1-11 are individual. The OSINT lab (Lab 2) can be completed against the same lab target with different students taking different recon angles; if the same finding appears in two submissions verbatim, flag it for review.


INSTRUCTOR-GUIDE.md v0.1.