The OWASP Foundation is pleased to showcase eleven (11) fantastic training opportunities in the form of 1-day, 2-day, or 3-day courses.  


Please note: training and the conference are two separate ticket purchases.


Training dates:


1-day training: May 28, 2025

2-day training: May 27-28, 2025

3-day training: May 26-28, 2025



We are proud to offer the following training courses:


  • 1-Day Training: Master AI Security (AVAILABLE IN PERSON OR VIRTUALLY)
  • 1-Day Training: How to build a Successful Security Champions Program
  • 2-Day Training: Adam Shostack's Threat Modeling Intensive
  • 2-Day Training: AppSec Automation Masterclass
  • 2-Day Training: Building a High-Value AppSec Scanning Programme (2025 Update)
  • 2-Day Training: Application Security Training with Jim Manico
  • 2-Day Training: Practical Privacy by Design - Going Beyond Security in your SDLC
  • 2-Day Training: Hacking Modern Web apps: Master the Future of Attack Vectors
  • 3-Day Training: AI Whiteboard Hacking aka Hands-on Threat Modeling Training
  • 3-Day Training: The Mobile Playbook - A guide for iOS and Android App Security (AVAILABLE IN PERSON OR VIRTUAL)
  • 3-Day Training: Full-Stack Pentesting Laboratory: 100% Hands-On + Lifetime LAB Access


Please review the training course descriptions below to find which works best for you!

1-Day Training: How to build a Successful Security Champions Program

1-Day Training: May 28, 2025

Level: Intermediate

Trainer: Juliane Reimann and Marisa Fagan


Do you feel a disconnect between your cybersecurity efforts and engineering activities? If so, a Security Champions Program could bridge the gap. By involving engineers in security topics that align with their work, a Security Champions program not only enhances security awareness but also fosters a culture of security across your organization. However, creating such a program requires careful planning, innovative strategies, and a solid understanding of what drives individuals to champion security initiatives.


This training will equip you with practical tools and actionable insights to design and launch a successful Security Champions Program. You'll explore key concepts, including how to:

- Develop a foundational understanding of what a Security Champions Program is

- Plan and navigate the phases of program development, from launch to long-term growth

- Engage and motivate diverse personality types within the organization

- Apply practical tools and a structured approach to establish a scalable and trackable Security Champions Program


Whether you're a security engineer, architect, or manager, this training will provide you with the tools and frameworks to collaborate effectively with your engineering teams and establish a thriving Security Champions Program.


The session is highly interactive, featuring hands-on exercises and team-based activities to encourage collaboration and networking with fellow professionals. Join us to gain the confidence and strategies you need to kickstart your journey toward a more secure organization.

1-Day Training: Master AI Security (AVAILABLE IN PERSON OR VIRTUALLY)

1-Day Training: May 28, 2025

Level: Intermediate

Trainer: Rob van der Veer


Learn AI security based on the latest and greatest, straight from the forefront of AI security research and standardisation.


Last year in Lisbon, this training broke all the OWASP records with 50 attendees online and on-site.

Your trainer is Rob van der Veer, Chief AI Officer at Software Improvement Group, with 33 years of AI experience, founder of the OWASP AI Exchange, co-editor of the EU AI Act security standard, member of the ISO/IEC 27090 group on AI security, co-founder of OpenCRE, and main author of ISO/IEC 5338 on AI engineering.

Some testimonials from previous Master AI Security attendees:


Ahmed El Sheikh: "I highly recommend this training to anyone interested in advancing their understanding of the intersection between AI and security."


Marco Sebscak: "The Master AI Security training is a valuable training that I would recommend to any cybersecurity professional."

This training is a unique opportunity to become proficient in the intricate and rapidly evolving field of AI security.

Soon, nearly every digital organisation will be deploying systems that incorporate AI. This presents a significant challenge, regardless of whether you are an AppSec specialist, a developer, or a red teamer. What are your responsibilities? What constitutes the new AI attack surface, and what threats emerge from it? What measures can you take to mitigate these emerging risks?


This one-day intensive training will equip you with the knowledge to tackle these AI-related challenges effectively, enabling you to apply what you learn immediately. Starting with a pragmatic overview of AI, the course then delivers an exhaustive exploration of the distinctive vulnerabilities AI introduces, the possible attack vectors, and the most current strategies to counter threats such as prompt injection, data poisoning, model theft, evasion, and more. Through practical exercises, you will gain hands-on experience in implementing strong security measures, attacking AI systems, threat modelling AI systems, and running targeted vulnerability assessments of AI applications.

By day's end, you will possess a thorough comprehension of the core principles and techniques critical to strengthening AI systems. You will have gained practical insights and the confidence to implement cutting-edge AI security measures.


A key resource used in the training is the OWASP AI Exchange, located at owaspai.org, and the training has been enriched with the latest insights from the work being done on the official EU AI Act security standard.


The training is designed for attendees of all levels, as the material is new from the cutting edge of research and standardisation. No in-depth security or AI knowledge is required, although some experience with either AI or security is helpful.


No recordings will be made.


Attendees will be provided with handout slides and afterwards with the unique Master AI security certificate.

2-Day Training: Adam Shostack's Threat Modeling Intensive

2-Day Training: May 27-28, 2025

Level: Intermediate

Trainer: Adam Shostack


This hands-on, interactive class will focus on learning to threat model by executing each of the steps. Students will start with a guided threat modeling exercise, and we'll then iterate, breaking down the skills they're learning in more depth. We'll progress through the Four Questions of Threat Modeling: what are we working on, what can go wrong, what are we going to do about it, and did we do a good job. This is capped off with an end-to-end exercise that brings the skills together.

2-Day Training: AppSec Automation Masterclass

2-Day Training: May 27-28, 2025

Level: Beginner

Trainer: Abhay Bhargav


This training takes a comprehensive, focused and practical approach to implementing DevSecOps practices, with a focus on Application Security Automation. The training is a glued-to-your-keyboard hands-on journey with labs backed by practical examples of DevSecOps and AppSec Automation.


The Training starts with a view of DevSecOps and AppSec Automation, specifically in terms of embedding security activities in multiple stages of the Software Development Lifecycle. Subsequently, the training delves into specific Application Security Automation approaches for SAST, SCA and Supply-Chain Security, DAST and Integration of these tools into CI/CD tools and Automation Pipelines.

2-Day Training: Building a High-Value AppSec Scanning Programme (2025 Update)

2-Day Training: May 27-28, 2025

Level: Beginner

Trainer: Josh Grossman


You bought the application security tools, you have the findings, but now what? Many organisations find themselves drowning in "possible vulnerabilities", struggling to streamline their processes and not sure how to measure their progress.


If you are involved in using SAST, DAST or SCA tools in your organisation, these may be familiar feelings to you.


In this course, which is being refreshed and updated for 2025, you will learn how to address these problems and more, in a vendor-neutral way.


For 2025, we are putting a particular emphasis on practicality and activities which bring value with topics including the following:


• Customising the tools to focus on your needs

• Building tool processes which fit your business

• Automating workflows using CI/CD without slowing it down

• Showing the value and improvements you are making

• Finding ways to scale triage to cut down noise

• Focusing on fixing what matters in your situation

• Advantages and disadvantages of alternative forms of remediation

• Comparison of the different tool types covered and which you may want to use in different situations.

• The use of Vulnerability Aggregation and ASPMs


To bring the course to life and let you apply what you learn, you will work in teams on table-top exercises where you design processes to cover specific scenarios, explain and justify your decisions to simulated stakeholders and practice prioritising your remediation efforts.


For these exercises, you will work based on specially designed process templates (which we will provide) which you can use afterwards to apply these improvements within your own organisation.


Be ready to work in a group, take part in discussions and present your findings and leave the course with clear strategies and ideas on how to get less stress and more value from these tools.

2-Day Training: Application Security Training with Jim Manico

2-Day Training: May 27-28, 2025

Level: Beginner

Trainer: Jim Manico


Core Modules

00-00 Intro to App Security

00-01 Input Validation Basics

00-02 HTTP Security Basics

00-03 SOP and CORS

00-04 API and REST Security

00-05 Microservice Security

00-06 JSON Web Tokens

00-07 SQL and Other Injections

00-08 Cross-Site Request Forgery - CSRF Defenses for Various Architectures

00-09 File Upload and File I/O Security - Secure File Upload, File I/O Security

00-10 Deserialization Security - Safe Deserialization Practices

00-11 Artificial Intelligence Security - Securing AI Implementations, Full Course

00-12 Third-Party Library Security Management - Ensuring Third-Party Library Security

00-13 Introduction to Cloud Security - Basics of Cloud Security Management

00-14 Intro to iOS and Android Security - Mobile Security Fundamentals


Standards

01-00 OWASP Top Ten - Top Ten Web Security Risks

01-01 Intro to GDPR - European Data Privacy Law

01-02 OWASP ASVS - Comprehensive Secure Coding Standard

01-03 OWASP Top Ten Proactive Controls - Web Security Defense Categories

01-04 PCI Secure SDLC Standard - Credit Card SDLC Requirements


User Interface Security

02-00 XSS Defense - Client-Side Web Security

02-01 Content Security Policy - Advanced Client-Side Web Security

02-02 Content Spoofing and HTML Hacking - HTML Client-Side Injection Attacks

02-03 React Security - Secure React Application Development

02-04 Vue.js Security - Secure Vue.js Application Development

02-05 Angular and AngularJS Security - Secure Angular App Development

02-06 Clickjacking - UI Redress Attack Defense


Identity & Access Management

03-01 Authentication Best Practices - Web Authentication Practices

03-02 Session Management Best Practices - Web Session Management Practices

03-03 Multi-Factor Authentication - NIST SP 800-63 Compliant MFA Implementation

03-04 Secure Password Policy and Storage - Secure User Password Policy and Storage

03-05 Access Control Design - ABAC/Capabilities-Based Access Control

03-06 OAuth2 Security - OAuth2 Authorization Protocol

03-07 OpenID Connect Security - OpenID Connect Federation Protocol


Crypto Modules

04-00 Secrets Management - Key and Credential Storage Strategies

04-01 HTTPS/TLS Best Practices - Transport Security Introduction

04-02 Cryptography Fundamentals - Part 1 - Terminology, Steganography, Attacks, Kerckhoffs's Principle, Perfect Forward Secrecy (PFS)

04-03 Cryptography Fundamentals - Part 2 - Hash Functions, Symmetric Cryptography, Randomness, Digital Signatures


Process

05-00 DevOps Best Practices - DevOps and DevSecOps with a CI/CD Focus

05-01 Secure SDLC and AppSec Management - Managing Secure Software Processes


Additional Topics

06-00 User and Helpdesk Awareness Training - Security Awareness for Non-Technical Staff

06-01 Social Engineering for Developers - Developer Protection Against Social Engineering

06-02 App Layer Intrusion Detection - Detecting App Layer Attacks

06-03 Threat Modeling Fundamentals - Security Design via Threat Modeling

06-04 Forms and Workflows Security - Secure Handling of Complex Forms

06-05 Java 8/9/10/11/12/13+ Security Controls - Java Security Advances

06-06 Logging and Monitoring Security - Security-Focused Logging

06-07 Subdomain Takeover - Preventing Subdomain Takeover Scenarios

06-08 Laravel and PHP Security - Focus on PHP Security


Lab Options

07-00 Competitive Web Hacking LABS - Hands-on Web Hacking Labs

07-01 Competitive API Hacking LABS - Hands-on API Hacking Labs

07-02 Secure Coding Knowledge LABS - Hands-on Secure Coding Labs

2-Day Training: Practical Privacy by Design - Going Beyond Security in your SDLC

2-Day Training: May 27-28, 2025

Level: Intermediate

Trainers: Kim Wuyts and Avi Douglen


Privacy is hot! This course will teach you this in-demand skillset and give you hands-on experience with privacy challenges, guiding you to combine Privacy by Design with your security practice.


Our lives are becoming more and more digitized, resulting in a lot of personal data floating around in the cloud. Many organizations are keen to use personal data for marketing, personalization or monetization; however, all this personal data comes with increased risk and surprising impact. No one wants to find out that their daughter is pregnant from the department store ads…


Moreover, data protection legislation is forcing companies to integrate a technical approach for privacy into system design. With ever higher demands for privacy-respecting products, security teams have implicitly gained additional responsibilities and are hard pressed to keep up with these emerging requirements and often feel like there is a substantial and growing skills gap. Incorporating privacy into security with a proactive approach is essential to addressing this!


Traditional security approaches have historically not focused on this aspect of data protection, leaving individuals at risk. While common compliance and governance aspects of privacy are important, the technical aspects of privacy engineering are substantially more challenging - and that is the primary focus of this course.


This interactive technical course will teach you privacy analysis skills that are valuable to security teams. You can leverage your existing security skills with just a shift of mindset, since privacy largely shares the same foundation as security. We will teach you how common security techniques, such as architecture specification, threat modeling, and mitigation design, can be adapted for privacy. You will learn to capture how sensitive data flows through the system, and identify and mitigate high impact privacy issues in the software system. This will enable you to build privacy into the core of the product design and development process, while aligning it efficiently with security practices.


The course will cover these main topics:

- Privacy engineering essentials

- Privacy architecture & feature analysis

- Data inventory, mapping, and tagging

- Privacy threats (e.g. LINDDUN)

- Privacy controls, mitigations, and technologies

- Full privacy process


Each of these topics will be taught in an engaging, interactive format, with plenty of hands-on, collaborative exercises. We will teach you both the technical skills and social aspects essential for successful privacy engineering. This will include an assortment of relevant scenarios for each module, realistic simulations of popular upcoming features, diagramming tasks, and open debates. You will gain confidence using proven design techniques in order to improve the privacy posture of your system. In each module, you'll gain hands-on privacy experience through a set of exercises and class discussions.


We received rave reviews on our previous delivery of this course, for example:

- "If you're looking for a challenging, in-depth Privacy course which focuses on the technical aspects, look no further. Yes, it's only a 2-day course, but during that time, you'll take a deep dive into threat modelling, architecture, and other aspects required for ensuring Privacy is included in the SDLC."

2-Day Training: Hacking Modern Web apps: Master the Future of Attack Vectors

2-Day Training: May 27-28, 2025

Level: Intermediate

Trainer: Abraham Aranguren


This course is a 100% hands-on deep dive into the OWASP Web Security Testing Guide (WSTG) and relevant items of the OWASP Application Security Verification Standard (ASVS), so it covers and goes beyond the OWASP Top Ten.


Long gone are the days when web servers ran Perl scripts and apps were written in Delphi. What do Walmart, eBay, PayPal, Microsoft, LinkedIn, Google and Netflix have in common? They all use Node.js: JavaScript on the server.


Modern Web apps share traditional attack vectors and also introduce new opportunities to threat actors. This course will teach you how to review modern web apps, showcasing Node.js but using techniques that will also work against any other web app platform. Ideal for Penetration Testers, Web app Developers as well as everybody interested in JavaScript/Node.js and Modern app stack security.


Get a FREE taste for this training, including access to video recording, slides and vulnerable apps to play with:

1 hour workshop - https://7asecurity.com/free-workshop-web-apps


All action, no fluff: improve your security analysis workflow and immediately apply the skills you gain in your workplace. The course is packed with exercises, extra-mile challenges and a CTF, is self-paced and suitable for all skill levels, and comes with continued education via unlimited email support, lifetime access, step-by-step video recordings and interesting apps to practice on, including all future updates for free.

3-Day Training: AI Whiteboard Hacking aka Hands-on Threat Modeling Training

3-Day Training: May 26-28, 2025

Level: Intermediate

Trainer: Sebastien Deleersnyder


Download the complete training outline: AI Whiteboard Hacking Training Details


Testimonial: "After years evaluating security trainings at Black Hat, including Toreon's Whiteboard Hacking sessions, I can say this AI threat modeling course stands out. The hands-on approach and flow are exceptional - it's a must-attend."

- Daniel Cuthbert, Global Head of Cyber Security Research, Black Hat Review Board Member


In today's rapidly evolving AI landscape, security threats like prompt injection and data poisoning pose significant risks to AI systems. Our 3-day AI Whiteboard Hacking training equips you with practical skills to identify, assess, and mitigate AI-specific security threats using our proven DICE methodology. Through hands-on exercises and real-world scenarios, you'll learn to build secure AI systems while ensuring compliance with regulations like the EU AI Act.


The training concludes with an engaging red team/blue team wargame where you'll put theory into practice by attacking and defending a rogue AI research assistant. Upon completion, you'll earn the AI Threat Modeling Practitioner Certificate and gain access to a year-long subscription featuring quarterly masterclasses, expert Q&A sessions, and continuously updated resources.


Led by Sebastien Deleersnyder, co-founder and CTO of Toreon, and Black Hat trainer, this training combines technical expertise with practical insights gained from real-world projects across government, finance, healthcare, and technology sectors.


Quick Overview:

- Target Audience: AI Engineers, Software Engineers, Solution Architects, Security Professionals

- Prerequisites: Basic understanding of AI concepts (pre-training materials provided)

- Certification: AI Threat Modeling Practitioner Certificate

- Bonus: 1-year AI Threat Modeling Subscription included


Our lineup of hands-on exercises from the training that let you put AI security concepts into practice:

Day 1: Foundations & Methodology

- "AI Security Headlines from the Future" - Explore potential security scenarios

- "Diagramming the AI Assistant Infrastructure" - Map out real AI system components

- "Identification of STRIDE-AI threats for UrbanFlow" - Apply threat modeling to urban systems

- "Autonomous Vehicle System Attack Tree Analysis" - Build attack scenarios


Day 2: Implementation & Defense

- "The Curious Chatbot Challenge (Injection)" - Hands-on prompt injection threats

- "Applying OWASP AI Exchange on a RAG-powered CareBot" - Real-world threat library application

- "AI Security Architecture Building Blocks Workshop" - Design secure AI systems

- "AI Risk Assessment: Autonomous Healthcare Robots" - Evaluate real-world AI risks


Day 3: Advanced Concepts & Practical Application

- "Ethics in Action - The FairCredit AI Incident" - Navigate ethical AI challenges

- "Data minimization and secure data handling for AI agents" - Implement privacy-by-design

- "Mapping attacks and controls in an MLOps pipeline" - Secure the AI development lifecycle

- "Project Prometheus: The Rogue AI Research Assistant" - Red Team/Blue Team wargame finale



3-Day Training: The Mobile Playbook - A guide for iOS and Android App Security (AVAILABLE IN PERSON OR VIRTUAL)

3-Day training: May 26-28, 2025

Level: Intermediate

Trainer: Sven Schleier


This three-day hands-on course teaches penetration testers, developers and engineers how to analyse Android and iOS applications for security vulnerabilities by going through the different phases of testing, including dynamic testing, static analysis, reverse engineering and Software Composition Analysis (SCA). The foundation for this will be the OWASP Mobile Application Security Testing Guide (MASTG). The OWASP MASTG is a comprehensive and open source mobile security testing book that covers both iOS and Android and provides a methodology and very detailed technical test cases to ensure completeness and to use the latest attack techniques against mobile applications. This course will give you hands-on experience with open source tools and advanced methodologies by guiding you through real-world scenarios.


Detailed outline


We'll start the first day with an introduction to the OWASP MASVS and MASTG and the latest updates to it and then dive into the Android platform and its security architecture. Students will no longer be required to bring their own Android device, instead each student will be provided with a cloud-based virtualised Android device from Corellium. Topics include:


- Intercepting network traffic from apps written in mobile app frameworks such as Google's Flutter

- Reverse engineering a Kotlin app and identifying and exploiting a real-world deep link vulnerability through manual source code review.

- Explore the differences and effectiveness of reverse engineering Android apps using Smali patching, Magisk and Dynamic Instrumentation with Frida

- Frida crash course to get started with dynamic instrumentation on Android apps

- Bypass different implementations of SSL pinning using Frida

- Use dynamic instrumentation with Frida to:

  - Bypass multiple root detection mechanisms

  - Bypass Frida detection mechanisms

- Day 1 will be closed with a Capture the Flag (CTF)


On day 2 we start by applying our new skills to a real-world app, wrap up the Android part and start with iOS. We will use a GitHub repo that will allow us to execute static scanning, SCA and secret scanning on Kotlin and Swift:


Android:


- Attacking a real-world app and overcoming its protection mechanisms.

- Analyse the storage of an Android app and understand the various options on how and where files can be stored (app-specific, shared storage etc.)

- Using Brida (Frida and Burp) to bypass end-to-end encryption in an Android app

- Static Scanning of Kotlin source code, identifying vulnerabilities and eliminating false positives

- Scanning for secrets in an APK


iOS:


- Introduction into iOS Security fundamentals

- Scanning for secrets in a Swift repository and identifying ways to handle them securely.

- Software Composition Analysis (SCA) for iOS - Scanning 3rd party libraries and SDKs in mobile package managers for known vulnerabilities and mitigation strategies.

- Demonstration of how to test watchOS apps and its limitations

- Statically scanning Swift source code, identifying vulnerabilities and eliminating false positives.


Day 3 focuses on iOS. We will begin the day by creating an iOS test environment using Corellium and dive into several topics, including:


- Intercepting network traffic of an iOS App in various scenarios, including intercepting traffic that is not HTTP

- Examining stateless authentication (JWT) in a mobile app

- A Frida crash course to get started with dynamic instrumentation for iOS applications

- Analyse the storage of an iOS app and understand the various options on how (Realm databases etc.) and where files can be stored.

- Testing methodology with a non-jailbroken (jailed) device by repackaging an IPA with the Frida gadget

- Using Frida to bypass runtime protections in iOS applications:

  - Jailbreak detection mechanisms

  - Frida detection mechanisms


We'll wrap up the final day with a CTF and participants can win a prize!


Whether you are a beginner who wants to learn mobile app testing from the ground up, or an experienced pentester or developer who wants to improve your existing skills to perform more advanced attack techniques, or just for fun, this training will help you achieve your goals.


The course consists of many different labs developed by the instructor and is approximately 65% hands-on and 35% lecture.


Upon successful completion of this course, students will have a better understanding of how to test for vulnerabilities in mobile applications, how to suggest the right mitigation techniques to developers, and how to perform tests consistently.


What students should bring


The following requirements must be met by students in order to be able to follow all exercises and participate fully:


- Laptop (Windows/Linux/macOS) with at least 8GB of RAM and 40GB of free disk space.

- Full administrative access in case of problems with the laptop environment (e.g. ability to disable VPN or AV/EDR)

- Virtualisation software (e.g. VMware, VirtualBox, UTM); a virtual machine with all tools required for the training will be provided for both x86_64 and ARM64 (Apple silicon M1/M2/M3/M4 MacBooks).

- Ideally a tablet to have a second screen for the practical lab slides when doing the hands-on sessions.


iOS and Android devices are NOT required, as an emulated instance hosted at Corellium is provided for each student. This cloud-based environment gives each student access to a jailbroken iOS device and a rooted Android device during the training.


What students will receive


- Slide deck and labs for the iOS and Android training as PDF and all videos for all demonstrations shared in class.

- All vulnerable apps used during the training, either as APK or IPA.

- Docker Containers with the APIs the apps were communicating with.

- Detailed write-ups for all labs so you can review them at your own pace after the course.

- Dedicated Slack channel used to help students prepare before the course, communicate during the course and stay in touch after the course for any questions.

- Printed hand-out of the Labs


What prerequisites should students have before attending this training?


- This course is suitable for beginner and intermediate levels

- Basic understanding of mobile apps

- Able to use Linux command line

3-Day Training: Full-Stack Pentesting Laboratory: 100% Hands-On + Lifetime LAB Access

3-Day Training: May 26-28, 2025

Level: Intermediate

Trainer: Dawid Czagan


Modern IT systems are increasingly complex, making full-stack expertise more essential than ever. That's why diving into full-stack pentesting is crucial—you will gain the skills needed to master modern attack vectors and implement effective defensive countermeasures.


For each attack, vulnerability and technique presented in this training, there is a lab exercise to help you develop your skills step by step. What's more, when the training is over, you can take the complete lab environment home to hack again at your own pace.


I found security bugs in many companies including Google, Yahoo, Mozilla, Twitter and in this training I'll share my experience with you.


Key Learning Objectives


After completing this training, you will have learned about:


- Hacking cloud applications

- API hacking tips & tricks

- Data exfiltration techniques

- OSINT asset discovery tools

- Tricky user impersonation

- Bypassing protection mechanisms

- CLI hacking scripts

- Interesting XSS attacks

- Server-side template injection

- Hacking with Google & GitHub search engines

- Automated SQL injection detection and exploitation

- File read & file upload attacks

- Password cracking in a smart way

- Hacking Git repos

- XML attacks

- NoSQL injection

- HTTP parameter pollution

- Web cache deception attack

- Hacking with wrappers

- Finding metadata with sensitive information

- Hijacking NTLM hashes

- Automated detection of JavaScript libraries with known vulnerabilities

- Extracting passwords

- Hacking Electron applications

- Establishing reverse shell connections

- RCE attacks

- XSS polyglot

- and more …


What Students Will Receive


Students will be handed a VMware image with a specially prepared lab environment to play with all attacks, vulnerabilities and techniques presented in this training. When the training is over, students can take the complete lab environment home (after signing a non-disclosure agreement) to hack again at their own pace.



Special Bonus


The ticket price includes FREE access to my 6 online courses:


- Fuzzing with Burp Suite Intruder

- Exploiting Race Conditions with OWASP ZAP

- Case Studies of Award-Winning XSS Attacks: Part 1

- Case Studies of Award-Winning XSS Attacks: Part 2

- How Hackers Find SQL Injections in Minutes with Sqlmap

- Web Application Security Testing with Google Hacking



What Students Say About My Trainings


References are attached to my LinkedIn profile (https://www.linkedin.com/in/dawid-czagan-85ba3666/). They can also be found here: https://silesiasecuritylab.com/services/training/#opinions – training participants from companies such as Oracle, Adobe, ESET, ING, …



What Students Should Know


To get the most out of this training, intermediate knowledge of web application security is needed. Students should have experience using a proxy, such as Burp Suite Proxy or Zed Attack Proxy (ZAP), to analyse or modify traffic.



What Students Should Bring


Students will need a laptop with 64-bit operating system, at least 8 GB RAM, 35 GB free hard drive space, administrative access, ability to turn off AV/firewall and VMware Player/Fusion installed (64-bit version). Prior to the training, make sure there are no problems with running x86_64 VMs.



Instructor


Dawid Czagan is an internationally recognized security researcher and trainer. He is listed among top hackers at HackerOne. Dawid Czagan has found security bugs in Apple, Google, Mozilla, Microsoft and many others. Due to the severity of many bugs, he received numerous awards for his findings.


Dawid Czagan shares his security experience in his hands-on trainings. He delivered trainings at key industry conferences such as DEF CON (Las Vegas), Hack In The Box (Amsterdam), CanSecWest (Vancouver), 44CON (London), Hack In Paris (Paris), NorthSec (Montreal), HITB GSEC (Singapore), BruCON (Ghent) and for many corporate clients. His students include security specialists from Oracle, Adobe, ESET, ING, Red Hat, Trend Micro, Philips and government sector (references are attached to Dawid Czagan's LinkedIn profile (https://www.linkedin.com/in/dawid-czagan-85ba3666/). They can also be found here: https://silesiasecuritylab.com/services/training/#opinions).


Dawid Czagan is the founder and CEO at Silesia Security Lab. To find out about the latest in his work, you are invited to subscribe to his newsletter (https://silesiasecuritylab.com/newsletter) and follow him on Twitter (@dawidczagan), YouTube (https://www.youtube.com/channel/UCG-sIlaM1xXmetFtEfqtOqg), and LinkedIn (https://www.linkedin.com/in/dawid-czagan-85ba3666/).


Additional notes

This new 3-day training was sold out at top security conferences e.g. DEF CON 2024 (Las Vegas), Hack In Paris (Paris).


This is a 100% hands-on training: for each attack, vulnerability and technique presented in this training, there is a lab exercise to help students develop their skills step by step.