Producción beta La plataforma está en fase de pruebas y transformación continua. Puedes subir cursos y usar el campus con normalidad; disculpa cualquier ajuste temporal mientras consolidamos la experiencia.
VULNHUNTERS ACADEMY
Red Team

Offensive Security Core

A comprehensive program designed to train you as an operational and responsible pentester. It includes legal framing, audit methodology, phased labs, evidence management, technical communication, and an oral defense of the final report before a panel.

10 weeks Intermediate 15 July 2026 Laura N. - Senior pentester 690 USD
Imagen of the curso Offensive Security Core
Red Team Offensive Security Core

Program outcome

By the end, you will be able to run an end-to-end security audit in an authorized environment, prioritize real risks, and deliver a professional report with a remediation plan and technical backing.

Learning objectives

  • Define scope, rules of engagement, and success criteria without ambiguity.
  • Build an attack-surface map and prioritize objectives.
  • Run reconnaissance and enumeration without breaking the environment.
  • Validate vulnerabilities in the lab and classify real impact.
  • Write technical evidence with reproducible traceability.
  • Present findings to technical teams and non-technical leadership.

High-level syllabus

  • M1 - Pentest governance and operational legal framework.
  • M2 - Reconnaissance, defensive OSINT, and surface mapping.
  • M3 - Enumeration of services, applications, and configurations.
  • M4 - Validation of web and infrastructure vulnerabilities.
  • M5 - Privilege escalation and ethical post-exploitation.
  • M6 - Professional reporting and finding defense.

Included labs

  • LAB-01: Lab preparation and security checklist.
  • LAB-02: Guided reconnaissance on a fictional company.
  • LAB-03: Enumeration of prioritized assets and ports.
  • LAB-04: Validation of OWASP flaws in an isolated environment.
  • LAB-05: Local escalation and evidence consolidation.
  • LAB-06: Complete simulation with assessable final report.

Guided path for inexperienced students

This course is designed so a person with basic technical foundations can progress step by step without getting lost. If you arrive without offensive experience, you follow the leveling path and reach the same final outcome.

Week 0 - Leveling

Reduce initial anxiety and build a shared foundation before touching offensive testing.

  • Install and validate the lab environment with an assisted guide.
  • Review Linux terminal usage, paths, permissions, and basic logs.
  • Review HTTP, request/response flow, cookies, and sessions.
  • Simulate a small toy audit in 90 minutes.

Expected result: The student starts Week 1 without technical blockers.

Weeks 1-3 - Foundations operational

Understand the method, language, and workflow before increasing complexity.

  • Use guided evidence templates field by field.
  • Run labs with a closed checklist and fixed order.
  • Resolve questions in a kickoff mentoring session every week.

Expected result: The student can document basic tests independently.

Weeks 4-7 - Consolidacion technical

Apply judgment to flaw validation and risk prioritization.

  • Practice vulnerability by vulnerability with feedback.
  • Compare poor evidence against correct evidence.
  • Run peer reviews using the rubric.

Expected result: The student stops merely running commands and starts justifying decisions.

Weeks 8-10 - Profesionalizacion

Turn technical knowledge into professional communication.

  • Write the report in short iterations with mentor correction.
  • Practice oral defense with common panel questions.
  • Adjust impact storytelling for non-technical audiences.

Expected result: The student delivers an internationally defensible report.

Step-by-step study method

An operational guide to study with less friction and better retention.

Weekly learning playbook

Before each session

  • Review the session objectives (10 min).
  • Open the notes template and evidence block.
  • Prepare the environment and validate snapshots.

Durante practice

  • Record command, result, and context at the same moment.
  • If something fails, document the hypothesis before trying another path.
  • Take screenshots only when they provide real evidence.

After of each session

  • Write a five-line summary: what I learned and what I did not understand.
  • Mark three questions for mentoring.
  • Update the personal improvement backlog.

Weekly close

  • Review the deliverable against the official rubric.
  • Correct incomplete evidence before submitting.
  • Plan two independent practice blocks for the following week.

Micro-exercises to start with confidence

Short practices to master foundations before entering longer scenarios.

Micro-practice

Micro 1 - Read surface without atacar

Learn to observe assets without running invasive tests.

Duration: 20 min

  • Identify five public assets from a fictional scenario.
  • Classify each asset by business criticality.
  • Propose a reasoned review order.

Mastery signal: Your prioritization matches the expected business impact.

Micro-practice

Micro 2 - Valid minimum evidence

Distinguish a useful screenshot from an empty one.

Duration: 25 min

  • Compare two evidence examples (good versus poor).
  • Detect which data is missing for reproducibility.
  • Rewrite poor evidence in the correct format.

Mastery signal: Another student can reproduce your finding using only your note.

Micro-practice

Micro 3 - Explain risk without jargon

Communicate impact to a non-technical person.

Duration: 30 min

  • Take a technical finding and summarize it in four sentences.
  • Separate technical cause, impact, and recommended action.
  • Remove unnecessary jargon.

Mastery signal: The message is understandable without knowing the tools.

Micro-practice

Micro 4 - Responsible prioritization

Avoid inflating severity because context is missing.

Duration: 30 min

  • Analyze three fictional findings with the same CVSS score.
  • Apply business context to reorder them.
  • Justify why the order changes.

Mastery signal: Your ranking reflects real impact and operational urgency.

Essential glossary for beginners

Simple definitions so technical language does not slow your progress.

Scope

Exact limits of what may be tested.

Example: Only domains and subdomains authorized in the contract.

ROE

Rules of engagement: how testing is performed and what must not be done.

Example: Do not run tests during high-demand business hours.

Superficie of attack

Set of exposed points that can be analyzed.

Example: Web, API, admin panel, VPN, and email.

Enumeracion

Process of obtaining technical details from services and assets.

Example: Server version, open ports, and API routes.

Evidencia reproducible

Documented proof that another person can repeat.

Example: Step, command, output, and time context.

False positive

Finding that appears to be a vulnerability but is not.

Example: Missing header without real impact in that scenario.

Business impact

Operational or economic consequence of the finding.

Example: Exposure of customer data and regulatory risk.

Remediation

Technical action to reduce or remove risk.

Example: Patch, hardening, and follow-up validation.

Common mistakes by new students (and how to correct them)

Real blocking patterns and the immediate corrective action.

Wanting to use advanced tools too early.

Cause: Anxiety about looking like an expert from day one.

Correction: Follow the methodological order and master evidence plus scope first.

Saving screenshots without context.

Cause: Confusing quantity of evidence with quality.

Correction: Always record step, command, output, and conclusion.

Assigning high severity to everything.

Cause: Lack of business-impact judgment.

Correction: Combine technical data with operational impact before classifying.

Freezing when a lab fails.

Cause: Not using a diagnostic process.

Correction: Apply the protocol: hypothesis, small test, evidence, adjustment.

Copying technical text without understanding it.

Cause: Lack of active reading.

Correction: Rewrite each finding in your own words and validate it with the mentor.

FAQ for students without offensive experience

Direct answers to typical questions from the first month.

I have never done pentesting. Can I follow the course?

Yes. You start with Week 0 and follow the guided path for beginners.

What if I do not understand a session?

Every week you have a kickoff mentoring session, a checklist, and a bank of control questions.

How much should I study outside class?

Between four and six hours per week, with short blocks and concrete objectives.

How do I know I am progressing correctly?

With checkpoints by module, deliverable review, and rubric feedback.

Complete path for students without experience

A progress path with concrete criteria to advance without jumps or frustration.

Level-by-level progress ladder

Level 1 - Foundations without pressure

Window: Weeks 0-2

What you will already be able to do:

  • Understand the minimum technical vocabulary without blocking.
  • Configure the lab, snapshots, and note structure.
  • Follow a complete checklist without skipping steps.

Mentor support:

  • Kickoff mentoring to resolve environment questions.
  • Validation of the first evidence with guided correction.

Exit criterion: You can explain scope, objective, and result of a basic practice in your own words.

Level 2 - Guided execution with judgment

Window: Weeks 3-6

What you will already be able to do:

  • Enumerate services and prioritize tests by risk.
  • Differentiate a real finding from noise or a false positive.
  • Document reproducible evidence for external review.

Mentor support:

  • Severity review with business context.
  • Technical-writing feedback every week.

Exit criterion: You submit findings with complete traceability and justified severity.

Level 3 - Professional autonomy

Window: Weeks 7-10

What you will already be able to do:

  • Conduct a small end-to-end pentest in an authorized environment.
  • Turn technical data into remediation decisions.
  • Defend findings before technical and non-technical profiles.

Mentor support:

  • Oral-defense rehearsal with panel questions.
  • Final report correction before certification.

Exit criterion: You present a complete, defensible, and business-useful report.

Step-by-step guided cases

Educational scenarios to practice technical decisions, evidence, and professional communication.

Initial

Case 1 - Exposed administration panel

Learn to detect sensitive assets and assess risk without running destructive actions.

Case steps

  • Map subdomains and classify visible assets.
  • Identify exposed administration panels.
  • Assess potential impact according to business type.

Case deliverable: One-page executive note with priority and recommended action.

Beginner-intermediate

Case 2 - Weak authentication flow

Practice validation of access and session controls with clear evidence.

Case steps

  • Document the legitimate login flow.
  • Test controlled authorization variations.
  • Record impact, scope, and exploitation risk.

Case deliverable: Reproducible logbook with test, result, and recommendation.

Intermediate

Case 3 - Technical finding to executive report

Turn a technical finding into an actionable message for leadership.

Case steps

  • Explain technical cause with precise and brief language.
  • Translate impact into operational and economic risk.
  • Propose a phased remediation plan.

Case deliverable: Report section ready for a non-technical committee.

Complete weekly plan

Professional schedule with sessions, weekly focus, and required deliverables.

Week 1

Kickoff, legality, scope, and baseline methodology

  • Session 1: Rules of engagement, authorizations, and operational limits.
  • Session 2: Work methodology, evidence format, and audit workflow.

Deliverable: Scope document and audit-objective matrix.

Week 2

Defensive OSINT and initial surface mapping

  • Session 3: Passive collection of assets, domains, and metadata.
  • Session 4: Prioritization by business value and exposure.

Deliverable: Prioritized initial inventory and preliminary risk.

Week 3

Active reconnaissance and safe enumeration

  • Session 5: Controlled scanning, noise tuning, and traceability.
  • Session 6: Enumeration of services, versions, and configurations.

Deliverable: Service map with weakness hypotheses.

Week 4

Web validation I - authentication, sessions, and access control

  • Session 7: Web testing methodology according to OWASP.
  • Session 8: Improper access and flow-abuse cases.

Deliverable: Web-testing logbook and reproducible evidence.

Week 5

Web validation II - data input, logic, and APIs

  • Session 9: API surfaces, validation errors, and parameter abuse.
  • Session 10: CVSS prioritization plus business context.

Deliverable: Top vulnerabilities with remediation priority.

Week 6

Infrastructure and internal services

  • Session 11: Hardening baseline, configuration weaknesses, and protocols.
  • Session 12: Credential exposure and deficient segmentation.

Deliverable: Partial infrastructure report.

Week 7

Privilege escalation in the lab

  • Session 13: Local Linux/Windows escalation in educational machines.
  • Session 14: Ethical post-exploitation and impact minimization.

Deliverable: Attack chain documented with evidence.

Week 8

Technical writing and executive reporting

  • Session 15: Professional report structure and traceability.
  • Session 16: Translation of findings into business risk.

Deliverable: Complete report draft.

Week 9

Guided capstone: client simulation

  • Session 17: Full audit execution by teams.
  • Session 18: Cross-review of evidence and technical consistency.

Deliverable: Final report ready for presentation.

Week 10

Defense, feedback, and career plan

  • Session 19: Oral defense before a technical panel.
  • Session 20: Individual feedback and professional roadmap.

Deliverable: Final presentation and certification closure.

Detailed curriculum by module

Internal lessons, practices, and quality deliverables for every module.

M1

Pentest governance and legal framework

18h

Ensure every audit is designed with clear limits, traceable evidence, and legal compliance.

L1. Scope, authorizations, and ROE

  • Technical testing contract
  • Permitted environments
  • Incident escalation during testing

Practice: ROE design for a fictional e-commerce client.

Deliverable: Signed ROE template and compliance checklist.

L2. Operational methodology and quality control

  • Pentest phases
  • Evidence chain of custody
  • Change control in the lab

Practice: Creation of a standardized technical logbook.

Deliverable: Versioned testing logbook.

M2

Reconnaissance and defensive OSINT

22h

Build a useful asset map to reduce uncertainty before any active testing.

L3. Public-surface mapping

  • Subdomains
  • Exposed services
  • Technology footprint

Practice: Asset inventory for a simulated company.

Deliverable: Surface map and criticality.

L4. Risk-based prioritization

  • Business value
  • Technical exposure
  • Testing sequence

Practice: Impact-probability matrix for targets.

Deliverable: Prioritized testing backlog.

M3

Service and application enumeration

24h

Obtain technically valuable information without compromising stability or going out of scope.

L5. Controlled scanning and fingerprinting

  • Scanning strategies
  • Version identification
  • Finding documentation

Practice: Profiling host and services in a lab network.

Deliverable: Technical inventory with confidence level.

L6. Web and API enumeration

  • Routes, endpoints, authentication
  • Configuration errors
  • Sensitive metadata

Practice: Mapping a multi-module application.

Deliverable: Catalog of testing vectors.

M4

Vulnerability validation

30h

Confirm weaknesses with reproducible evidence and classify real impact.

L7. Authentication and access testing

  • Session handling
  • Access control
  • Data exposure

Practice: OWASP test case in a vulnerable application.

Deliverable: Controlled PoC and evidence record.

L8. Data input and business logic

  • Server-side validation
  • Flow abuse
  • Impact on critical processes

Practice: Design of abuse scenarios without affecting production.

Deliverable: Prioritized findings with technical narrative.

M5

Ethical escalation and post-exploitation

22h

Understand how far a weakness can escalate and how to close the test safely.

L9. Local escalation in isolated labs

  • Unsafe permissions
  • Weak configurations
  • Controlled educational persistence

Practice: Escalation in Linux/Windows training VMs.

Deliverable: Documented impact chain.

L10. Technical closure and cleanup

  • Change rollback
  • Verification of no residual impact
  • Defensive recommendations

Practice: Audit-closure checklist.

Deliverable: Testing closure record.

M6

Reporting, presentation, and defense

24h

Deliver an actionable report for technical profiles and leadership.

L11. Technical report and executive summary

  • Report structure
  • Valid evidence
  • Remediation plan

Practice: Writing the final capstone report.

Deliverable: Complete report v1.

L12. Panel defense

  • Risk narrative
  • Technical questions
  • Prioritization negotiation

Practice: Simulation of a CISO plus technical-team meeting.

Deliverable: Defended final presentation.

Lab catalog

Realistic practice with measurable objectives and auditable evidence.

LAB-01

Audit environment build

Preparation of attacker VM and target VM with baseline security checklist.

Estimated duration: 6h

Objectives

  • Establish a reproducible environment.
  • Record the baseline before testing.
  • Configure the command and evidence logbook.

Required evidence

  • Environment configuration screenshots.
  • Signed baseline checklist.
LAB-02

Full reconnaissance of a fictional organization

Demo company with exposed domains, subdomains, and services.

Estimated duration: 8h

Objectives

  • Build an asset inventory.
  • Identify obvious exposures.
  • Prioritize testing targets.

Required evidence

  • Final inventory with criticality.
  • Risk hypotheses by asset.
LAB-03

Infrastructure enumeration and profiling

Segmented lab network with web and administrative services.

Estimated duration: 10h

Objectives

  • Enumerate authorized ports and services.
  • Detect inconsistent configurations.
  • Maintain command traceability.

Required evidence

  • Versioned service map.
  • Preliminary risk list.
LAB-04

OWASP validation in a training web app

Controlled vulnerable application with authentication and API.

Estimated duration: 14h

Objectives

  • Validate access and session flaws.
  • Check impact without permanent damage.
  • Define concrete remediation for each finding.

Required evidence

  • Documented PoC by vulnerability.
  • Risk and recommended fix.
LAB-05

Local escalation and impact consolidation

Educational VMs with permission and configuration weaknesses.

Estimated duration: 12h

Objectives

  • Demonstrate privilege chains ethically.
  • Record technical evidence artifacts.
  • Apply cleanup checklist.

Required evidence

  • Technical escalation timeline.
  • Closure record with no residual impact.
LAB-06

Full capstone with simulated client

Final audit project with realistic scope and oral defense.

Estimated duration: 24h

Objectives

  • Execute the full methodology.
  • Deliver a professional-level report.
  • Defend findings before a panel.

Required evidence

  • Signed final report.
  • Defended executive presentation.

Assessment system

  • Technical quizzes by module (10%): Validate understanding of methodology, legality, and technical criteria.
  • Lab deliverables (35%): Evidence quality, traceability, and reproducibility are assessed.
  • Intermediate technical report (15%): Review of structure, clarity, and risk prioritization.
  • Final capstone (30%): Full project with complete execution and verifiable evidence.
  • Oral defense before a panel (10%): Communication, judgment, and ability to answer technical questions.

Final project: end-to-end audit for simulated fintech

The student performs a complete audit of a fictional payments platform in an isolated environment, respecting scope, time, and operating rules.

Project phases

  • Initial briefing and scope definition.
  • Documented reconnaissance and enumeration.
  • Validation of prioritized vulnerabilities.
  • Impact analysis and recommendations.
  • Final report delivery plus oral defense.

Complete course documentation

Academic documentation pack to run the course at professional standard, without depending on a demo.

Document

D1 - Official course syllabus

Defines objectives, calendar, assessment criteria, and academic policies.

  • Training objectives by competency.
  • Weekly plan with deliverables.
  • Full rubric and passing rules.
  • Conduct, ethics, and legality rules.
Document

D2 - Manual of lab

Operational standard to prepare and run practices in isolated environments.

  • Hardware and virtualization requirements.
  • Startup, snapshot, and rollback flow.
  • Security checklist before and after each practice.
  • Lab-incident reporting protocol.
Document

D3 - Evidence and chain-of-custody guide

Rules for capturing valid and auditable evidence.

  • Standard logbook format.
  • Folder structure by lab.
  • Evidence versioning and integrity hash.
  • Retention and secure deletion policy.
Document

D4 - Technical report standard

Official template for communicating findings with technical and business impact.

  • Executive summary for leadership.
  • Technical detail by vulnerability.
  • Priority matrix and recommendations.
  • Appendices with PoC and traceability.
Document

D5 - Assessment and certification guide

Describes scoring, retake, and certificate-issuance rules.

  • Final exam blueprint.
  • Passing conditions by percentage.
  • Retake criteria by module.
  • Certificate issuance and verification process.

Academic and ethical policies

  • All practices are performed only in environments authorized by the academy.
  • Replicating techniques on third-party systems without explicit permission is forbidden.
  • Every submission must include traceable evidence and the data sources used.
  • Plagiarism of reports or evidence results in academic suspension.
  • Certification is issued only after passing the capstone and oral defense.