DEF CON Training
The SecOps Group - Certified Pentester (CPen) MONDAY ONLY - $1,050 (early bird)
Certified Pentester (CPen) at DEF CON Training 2023
Defcon has been an industry leader in providing and facilitating cutting edge security research and training for over three decades. Driven by innovation and research, the annual conferences provide attendees various avenues to learn and progress in the different sectors of information security. This year, in partnership with The SecOps Group (https://secops.group/), Defcon is pleased to announce a certification track to allow attendees (and their employers) to validate their skills which in turn will enable them to progress their career.
What is Certified Pentester (CPen) Exam?
The Certified Pentester (CPen) is an intermediate level exam, intended to be taken by professional pentesters, bug-bounty hunters, red and blue team experts, SOC analysts and anyone wanting to evaluate or appraise their existing knowledge in topics involving hands-on pentesting. This practical exam covers a wide variety of topics and in order to successfully complete each section, attendees will have to obtain flags associated with every topic.
The pass criteria is as following:
- Attendees scoring over 60% marks will be deemed to have successfully passed the exam.
- Attendees scoring over 75% marks will be deemed to have passed with merit.
How long is the exam?
The exam will be for 7 hours (9 am to 5pm). However, an hour of lunch break can be taken during the exam. The exam can be taken on any one of the following two days:
- Monday, August 14th, 2023 (in-person exam to be held at Caesars Forum, Las Vegas, NV)
What topics are covered?
The exam will cover the following topics of pentesting:
- Web Hacking (50%) – 3.5 hours (210 mins); 210 Marks*
- Infrastructure Hacking (50%) – 3.5 hours (210 mins); 210 Marks*
The complete list of topics can be found in the exam syllabus section below.
The marks allocated for every question also indicates the time that an attendee is expected to spend in solving a question. For e.g. a question worth 30 marks, will require roughly 30 minutes, for it to be solved.
What is the format of the exam?
The exam will be a Capture The Flag (CTF) style Hackathon. It will be a full day event requiring attendees to capture flags as they go on identifying and exploiting various system vulnerabilities and score points, after submitting the flags and answering the associated questions.
What is the experience needed to take the certification and what level of difficulty can be expected from the exam?
We recommend a minimum of 2 years of professional penetration testing/bug bounty experience before taking this exam.
In terms of difficulty, on the scale of beginner, intermediate and advanced, this exam has been rated as intermediate. The exam tests attendees' practical knowledge in identifying and exploiting vulnerabilities in real life pentesting scenarios.
To explain this a bit more, we expect attendees to be able to identify and exploit vulnerabilities such as SQL Injection and obtain relevant flags, however, we are not testing them on advanced web hacking concepts such as that of Second-order SQL Injection, within this exam. Similarly, to cite another example for infrastructure hacking, attendees are expected to use common hacking tools and techniques to demonstrate how to compromise a Windows Active Directory infrastructure, but they are not expected to write custom exploits, use or create 0-day exploits or perform reverse engineering etc.
Can I participate with my friends and colleagues as a team?
One can only participate in an individual capacity (i.e. teamwork is not allowed).
What tools/laptop do I need to bring?
Attendees must use their own laptop and can use hacking tools of their choice. Internet access will be available during the course of the exam but no assistance will be provided with regards to installation/configuration of any tools. The hacking challenges can be solved using freely available tools and scripts.
What will attendees get?
Each attendee will receive:
A certificate of participation. The certificate will mention pass/fail and merit status. In addition to this, attendees will be able to download a PDF report, which will have detailed scores for each section of the exam, allowing them to identify and focus on areas of improvement for future qualification and training.
Will you provide any training that can be taken prior to the certification?
Being an independent certifying authority, we (The SecOps Group) do not provide any training for the exam. Attendees should carefully go over each topic listed in the syllabus and make sure they have adequate understanding, required experience and practical knowledge of these topics.
What is the exam retake policy?
Candidates who fail the exam must purchase a new exam voucher for every attempt.
How long is the certificate valid for?
The certification does not have an expiration date. However, the passing certificate will mention the details of the exam such as the exam version and the date. As the exam is updated over time, candidates should retake the newer version as per their convenience.
What is the exam syllabus?
The exam syllabus is listed below:
- Google Hacking, Dorking and OSINT Techniques.
- Identification and Exploitation of OWASP Top 10 Vulnerabilities
- Cross-Site Scripting
- SQL Injection
- XML External Entity attack
- Cross-Site Request Forgery
- Practical Cryptographic Attacks
Authentication related Vulnerabilities
- Brute force Attacks
- Username Enumeration
- Identification of TLS security Misconfigurations.
- Server-Side Request Forgery
- Authorization and Session Management related Flaws
- Insecure File Uploads
- Code Injection Vulnerabilities
- Business Logic Flaws
- Directory Traversal Vulnerabilities
- Common Security Misconfigurations.
- Information Disclosure.
- Vulnerable and Outdated Components.
- Common Security Weaknesses affecting Cloud Services such as a S3 Bucket.
- Security Best Practices and Hardening Mechanisms.
- Common OSINT Techniques
- Network Mapping and Target Identification
- Brute-force Attacks.
- Vulnerability Identification and Exploitation using Common Hacking Tools.
- Application Server Flaws.
- Insecure Protocols
- *nix Vulnerabilities.
- Insecure File permissions.
- Security Misconfigurations Leading to Privilege Escalation Attacks.
- Windows Active Directory Attacks.
- OS Credential Dumping and Replay.
- Kerberoasting; golden and silver tickets.
- Password Attacks and Password Cracking.
- Administrative Shares Exploitation
- Persistence Techniques
- Lateral Movements
- Cloud Enumeration
- Abusing Serverless Services
- Abusing API Token and Cloud Credentials
- Vulnerability chaining
- Common security misconfigurations allowing docker escape.
About: The SecOps Group
The SecOps Group (https://secops.group) is a globally recognized IT security company having vast experience of providing cyber security consultancy and education services. At The SecOps Group, we believe that security is a continuous process, which has to progress with time and in accordance with the customer needs and constantly evolving threats. Our core business comprises of two units:
Pentesting and Advisory
The SecOps Group are cybersecurity experts offering CREST accredited security consultancy services.
Cyber Security Certifications
Through our exams, we provide an authentic and credible certification program that is modern, relevant and represents real life business risks.
Vulnmachines (A Pentest Learning Platform)
The SecOps Group runs a free pentest learning platform called “Vulnmachines” (www.vulnmachines.com).
DATE: August 14th 2023
TIME: 8am to 5pm PDT
VENUE: Caesars Forum, Las Vegas, NV
TRAINER: Sumit Siddharth
- 2 coffee breaks are provided per day
- Note: Food is not included
Registration terms and conditions:
Trainings and Certifications are refundable before July 1st, the processing fee is $250.
Trainings and Certifications are non-refundable after July 10th, 2023.
Training and Certification tickets may be transferred. Please email us for specifics.
Failure to attend the Training or Certification without prior written notification, will be considered a No-Show. No refund will be given.
By purchasing this ticket you agree to abide by the DCT Code of Conduct and the registration terms and conditions listed above.