The offensive-track midpoint. Students arrive with Python (FND-102), networking (NET-101), and security principles (SEC-101). They leave with a complete engagement methodology: recon through reporting, graded against a client-style report, anchored in authorized practice ranges only.
Course mission and audience
VCA-PEN-101 is the first Virtus Academy course where students conduct authorized attacks, not just study them. It teaches the full engagement lifecycle that a professional penetration tester executes when a client hands them scope, a target network, and a signed statement of work.
The audience is students who have completed SEC-101 + NET-101 + FND-102: they can reason about the CIA triad, read a packet capture, write Python scripts, and understand basic vulnerability classes. They are not yet able to plan or conduct a structured engagement. This course builds that capability.
Position in the pipeline: After SEC-101 + NET-101 + FND-102. Gates ADV-101, WIR-101, and the OSCP-prep track. Concurrent-eligible with RE-011 for students who have the prerequisites.
OSCP alignment: PEN-101 + ADV-101 is the academy's OSCP-prep sequence. The capstone's five-day simulated engagement is the closest cohort-supportable analog to OSCP's 24-hour solo practical.
Ethics and authorization: Every offensive technique in this course is taught against explicitly authorized practice ranges. The legal boundary is established in Week 1 and revisited every week. No module, lab, or supplementary exercise in this course authorizes or encourages testing systems you do not own or have explicit written permission to test. The Computer Fraud and Abuse Act (CFAA, 18 U.S.C. 1030) applies regardless of intent.
Foundational anchor
PEN-101 reads paired texts across the engagement lifecycle. Weidman's Penetration Testing: A Hands-On Introduction to Hacking (No Starch, 2014) supplies the week-by-week methodology scaffold and is the course's primary anchor. The Penetration Testing Execution Standard (PTES, pentest-standard.org) provides the seven-phase framework the week sequence mirrors. Supplementary anchors per PTES phase are cited in each week file.
The Petzold weave from CSA-101 does not apply in this track. PEN-101's equivalent foundational anchor is Weidman + PTES.
What you will know at the end
Listed in Bloom's-taxonomy order:
- Remember -- State the seven PTES phases (pre-engagement, intelligence gathering, threat modeling, vulnerability analysis, exploitation, post-exploitation, reporting); the four CVSS v3.1 base-metric components; and the distinctions between SOW, ROE, and authorization letter.
- Understand -- Explain why scope is the engagement's most central artifact; why CVSS scores are not interchangeable with business risk; why "default credentials" findings often exceed CVE-specific findings in real-world impact; and why every offensive technique is gated on written authorization.
- Apply (recon) -- Conduct OSINT and passive reconnaissance on a target without triggering detection: WHOIS, certificate-transparency logs, GitHub recon, social-media tradecraft, search-operator literacy. Perform active recon with Nmap and Masscan; enumerate services, banners, and OS fingerprint hints; produce a target-host inventory.
- Apply (web) -- Enumerate web application attack surface using directory fuzzers, tech-stack fingerprinting, and Burp Suite proxy; identify injection entry points and broken-access-control patterns that automated scanners miss.
- Apply (vuln analysis) -- Run Nessus Essentials and Nuclei; triage scanner output by exploitability and business risk; verify findings manually before including them in a client-facing report.
- Apply (exploitation) -- Exploit misconfigurations and weaponized vulnerabilities using Metasploit, public exploit code, and custom Python scripting; execute web-application attacks (SQLi, XSS, SSRF, IDOR, file upload, deserialization) against authorized targets; escalate privileges on Linux and Windows.
- Analyze -- Move laterally across an authorized multi-host network; reason about credential reuse, pivoting paths, and scope boundaries; document when the engagement has reached a boundary requiring client escalation.
- Synthesize / Create -- Produce a client-grade engagement report: executive summary, CVSS-scored findings, remediation guidance, evidence appendix. Deliver a 20-minute oral debrief to technical and non-technical stakeholders. Pass the five binary engagement-discipline gates.
The seven-phase engagement lifecycle (PTES)
The course week sequence mirrors the seven phases of the Penetration Testing Execution Standard. Students learn to label every action against the phase model.
| PTES Phase | Course weeks | What happens |
|---|---|---|
| 1. Pre-engagement | Week 1 | Define scope, draft ROE, obtain written authorization |
| 2. Intelligence Gathering | Weeks 2-4 | OSINT, passive recon, active recon, web recon |
| 3. Threat Modeling | Week 5 (woven into vuln triage) | Map findings to business impact |
| 4. Vulnerability Analysis | Week 5 | Scanner output + manual analysis + triage |
| 5. Exploitation | Weeks 7-8 | System exploitation + web-app attacks |
| 6. Post-Exploitation | Weeks 9-10 | Privesc + lateral movement + pivoting |
| 7. Reporting | Week 11 + Capstone | Executive summary + technical findings + debrief |
Week 6 is the midterm practical -- a proctored 3-hour mini-engagement across phases 1-4. Weeks 12-13 (Capstone) run a full five-day engagement across all seven phases.
Course shape table
| Week | PTES Phase | Topic | Lab |
|---|---|---|---|
| 1 | Pre-engagement | Engagement lifecycle, authorization, ROE, professional ethics | Lab 1: ROE drafting for a hypothetical SMB client |
| 2 | Intelligence Gathering | OSINT and passive reconnaissance | Lab 2: OSINT dossier on lab target |
| 3 | Intelligence Gathering | Active recon (Nmap, Masscan, service enumeration) | Lab 3: Full scan + enumeration of lab network |
| 4 | Intelligence Gathering | Web application recon (directory fuzz, fingerprint, Burp Suite) | Lab 4: Enumerate web targets; map attack surface |
| 5 | Threat Modeling + Vuln Analysis | Vuln identification (Nessus, Nuclei, manual) | Lab 5: Triage findings; spreadsheet by CVSS + exploitability |
| 6 | Phases 1-4 | Midterm practical: 3-hour scoped mini-engagement | Proctored exam |
| 7 | Exploitation | Exploitation I (Metasploit, public exploits, when not to use them) | Lab 7: Exploit Metasploitable + DVWA + retired HTB boxes |
| 8 | Exploitation | Exploitation II - Web-app attacks | Lab 8: Juice Shop + WebGoat SQLi, XSS, SSRF, IDOR |
| 9 | Post-Exploitation | Post-exploitation and privilege escalation | Lab 9: Linux + Windows privesc (LinPEAS / WinPEAS) |
| 10 | Post-Exploitation | Lateral movement, pivoting, credential reuse, OPSEC | Lab 10: Simulated multi-host engagement |
| 11 | Reporting | Reporting and client communication; ethics of disclosure | Lab 11: Draft engagement report; peer + instructor review |
| 12-13 | All seven | Capstone: five-day simulated engagement | Capstone report + 20-min oral debrief |
Anchor readings
Primary anchor
Georgia Weidman, Penetration Testing: A Hands-On Introduction to Hacking (No Starch Press, 2014; ISBN 978-1-59327-564-8)
Weidman is the course's primary technical anchor. It covers the full engagement lifecycle from lab setup through exploit development, with hands-on walkthroughs the course's labs extend. The Penetration Testing Primer chapter (before Chapter 1) is Week 1 required reading and establishes the seven-phase model the rest of the course follows.
Methodology framework
Penetration Testing Execution Standard (PTES) (pentest-standard.org; free, open standard)
PTES defines the seven-phase engagement lifecycle that is the backbone of this course. Students should bookmark the technical guidelines section and return to it as each phase is introduced.
Web-application track
Dafydd Stuttard + Marcus Pinto, The Web Application Hacker's Handbook, 2nd ed (Wiley, 2011; ISBN 978-1-118-02647-2)
Weeks 4, 8, and the capstone draw on WAHH chapters for web-application attack methodology. WAHH explains the HTTP state management, session handling, and IDOR patterns that automated scanners miss.
Custom tooling
Justin Seitz + Tim Arnold, Black Hat Python, 2nd ed (No Starch Press, 2021; ISBN 978-1-7185-0112-1)
Students with FND-102 Python fluency will find BHP directly applicable. Lab 10's lateral-movement scripting draws on BHP's network-automation chapters.
Advanced-track supplement
Peter Kim, The Hacker Playbook 3 (Security Journey, 2018; ISBN 978-0-9926-1731-6)
HP3's red-team orientation (assumed-breach exercises, C2 tooling, Active Directory attack chains) is optional reading for students aiming at the OSCP or ADV-101 ahead of schedule. It is not required for course completion.
Free references
- OWASP Testing Guide v4.2 (owasp.org; free) -- Web-application test methodology underlying Lab 4 + Lab 8
- OWASP Juice Shop (owasp.org; free, Docker) -- Intentionally vulnerable web app; Lab 8 primary target
- OWASP WebGoat (owasp.org; free, Docker) -- Lab 8 secondary target for server-side injection patterns
- VulnHub / HackTheBox Retired Machines -- Lab 7 primary targets (authorized intentional-vulnerability ranges)
- Metasploitable 2 (Rapid7; free) -- Lab 7 foundational target; all vulnerabilities intentional and authorized
Per-week time budget
| Week | Lecture | Lab | Indep reading | Other indep | Total |
|---|---|---|---|---|---|
| 1 | 1 hr | 2 hr | 1.5 hr | 1.5 hr | 6 hr |
| 2 | 1 hr | 4 hr | 1.5 hr | 1.5 hr | 8 hr |
| 3 | 1 hr | 4 hr | 1.5 hr | 1.5 hr | 8 hr |
| 4 | 1 hr | 4 hr | 1.5 hr | 1.5 hr | 8 hr |
| 5 | 1 hr | 4 hr | 1.5 hr | 1.5 hr | 8 hr |
| 6 | 0.5 hr | 3 hr (midterm) | 1 hr | 1 hr | 5.5 hr |
| 7 | 1 hr | 5 hr | 1.5 hr | 1.5 hr | 9 hr |
| 8 | 1 hr | 5 hr | 1.5 hr | 1.5 hr | 9 hr |
| 9 | 1 hr | 5 hr | 1.5 hr | 1.5 hr | 9 hr |
| 10 | 1 hr | 5 hr | 1.5 hr | 1.5 hr | 9 hr |
| 11 | 1 hr | 3 hr | 1.5 hr | 2 hr | 7.5 hr |
| Cap | 0 hr | 20 hr (engagement) | 2 hr | 12 hr (report+debrief) | 34 hr |
| Total | ~10 hr | ~64 hr | ~18 hr | ~30 hr | ~122 hr |
Lab index
| Lab | Title | Week | Authorized target | Deliverable |
|---|---|---|---|---|
| Lab 1 | ROE Drafting | 1 | None (paper exercise) | SOW + ROE document |
| Lab 2 | OSINT Dossier | 2 | Lab target (VulnHub VM; instructor-assigned) | Passive-recon report; no detection-tripping queries |
| Lab 3 | Active Recon | 3 | Lab network (instructor-assigned RFC 1918 range) | Nmap + Masscan results; host inventory |
| Lab 4 | Web Recon | 4 | DVWA + WebGoat (local Docker) | Directory enumeration + tech-stack fingerprint + attack surface map |
| Lab 5 | Vuln Triage | 5 | Metasploitable 2 + DVWA (local VM + Docker) | Nessus / Nuclei output triaged into a finding spreadsheet |
| Midterm | Mini-Engagement | 6 | Proctored instructor-built lab VM | Transcript + one-page finding summary |
| Lab 7 | Exploitation I | 7 | Metasploitable 2 + retired HTB boxes | Working exploits against 3+ hosts; command transcript |
| Lab 8 | Web-App Exploitation | 8 | OWASP Juice Shop + WebGoat (Docker) | SQLi + XSS + SSRF + IDOR + file-upload + deserialization payloads |
| Lab 9 | Privesc | 9 | LinPEAS-VulnHub VM + WinPEAS-lab Windows VM | Linux + Windows privesc; annotated LinPEAS / WinPEAS output |
| Lab 10 | Lateral Movement | 10 | Instructor multi-host lab (RFC 1918) | Multi-host engagement transcript; credential-reuse paths documented |
| Lab 11 | Report Workshop | 11 | Output of Labs 7-10 | Engagement-report draft; instructor + peer review |
| Capstone | Five-Day Engagement | 12-13 | Instructor-built 3-5 host network | Report + evidence archive + debrief slides + lessons-learned memo |
Authorization note: Every target listed above is an intentionally vulnerable system operated within a controlled lab environment for educational purposes. All access is explicitly authorized. Students must never apply any technique from this course against systems they do not own or have explicit written permission to test.
Toolchain Diary additions (PEN-101)
Students maintain a toolchain-diary.md across the academy. PEN-101 adds the following entries:
- Nmap / Masscan -- Active recon + port scanning. Deepened from NET-101 context into engagement-scoped methodology.
- Burp Suite Community -- Web proxy + manual fuzzer. First canonical PEN-track introduction.
- OWASP ZAP -- Automated web scanner. Complements Burp in Lab 4 + Lab 8.
- sqlmap -- Automated SQL injection. Lab 8; used alongside manual WAHH techniques.
- Nessus Essentials / Nuclei -- Vulnerability scanners. Lab 5 teaches the triage discipline that separates a finding-spreadsheet from a vendor dump.
- Metasploit Framework -- Exploit framework. First canonical PEN-track introduction. The "when not to use it" lesson is as load-bearing as the "how to use it" lesson.
- John the Ripper / Hashcat -- Password cracking. Lab 7 + Lab 9 credential-capture workflows.
- Impacket -- Python network-protocol library. Lab 10 lateral-movement scripting.
- LinPEAS / WinPEAS -- Privilege-escalation enumeration. Lab 9; students read the scripts before running them.
PEN-101-OUTLINE.md v0.1. Week files: week-1.md through week-11.md. Capstone: CAPSTONE.md. Setup: SETUP.md. Faculty: INSTRUCTOR-GUIDE.md.