VCA-PEN-101: Introduction to Penetration Testing
VCA-RE-101 teaches students to characterize a device. VCA-ADV-101 teaches them to test a specific published vulnerability under authorization. VCA-PEN-101 sits between them and broadens the scope: a disciplined introduction to the full engagement lifecycle a professional penetration tester executes when a client gives them scope, a target network, and a week to find whatever is findable.
Course Overview
The course is deliberately broader than one vulnerability. It is also deliberately narrower than "how to hack everything." It is how a Virtus Academy graduate would perform their first professionally-scoped engagement against a small business LAN: reconnaissance, enumeration, vulnerability identification, exploitation (within scope), privilege escalation, lateral movement, reporting, and documenting the work to a standard a paying client would accept.
Position relative to peer curricula. PEN-101 sits between CompTIA PenTest+ (vendor-neutral, multiple-choice-plus-performance, breadth-over-depth) and OffSec OSCP (24-hour proctored practical, deep technical depth, no reporting beyond the exam form). PenTest+ teaches what to know for the exam; OSCP teaches what to do under pressure for one machine at a time. PEN-101 teaches the full engagement: scope, ROE, OSINT, scanning, exploitation, privilege escalation, pivoting, and the client-facing report, at a standard a paying client would accept. The course prepares students for both certs (PenTest+ within three months; OSCP via subsequent self-directed study) and exceeds the scope of either by treating the report as a graded deliverable.
Pipeline role: PEN-101 is the offensive-track midpoint between SEC-101 (defensive vocabulary + incident response) and ADV-101 (single-CVE adversarial techniques). Students arrive with Python (FND-102) + networking (NET-101) + security principles (SEC-101) and leave with an engagement methodology that the ADV-101 capstone's scoped exploitation lab assumes is already familiar.
For the academy-wide engagement-lifecycle methodology and MITRE ATT&CK vocabulary set cited in this course's modules, see handouts/cross-chapter-engagement-attck-vocabulary-reference.md.
Companion to the per-chapter reading guide at handouts/cross-chapter-pen-101-anchor-reading-guide.md.
What Belt-3 PEN-Track Graduates Recognize
PEN-101 reads paired anchors across the engagement lifecycle: TCM Practical Ethical Hacking and OffSec PEN-200 supply the build-it-yourself methodology scaffold (reconnaissance discipline, OSINT-without-detection, exploit customisation without Metasploit-as-crutch, evidence preservation, OSCP-grade note-taking under pressure), and Stuttard and Pinto's Web Application Hacker's Handbook plus Seitz and Arnold's Black Hat Python supply the practitioner mental model (HTTP state management, session handling, IDOR and broken-access-control patterns automated scanners miss, custom-tool authoring from raw sockets up). Graduates leave able to discuss the seven engagement phases (pre-engagement through reporting), the SOW vs ROE vs authorization-letter distinctions, the named tool families (Nmap, Masscan, Burp Suite, Nessus, Nuclei, Metasploit, Hashcat, Impacket, LinPEAS, WinPEAS), and the client-facing report shape that distinguishes a professional engagement from a casual scan.
The teaching method uses paired textbook readings on canonical practitioner texts, with the per-chapter reading guide published as a separate handout (handouts/cross-chapter-pen-101-anchor-reading-guide.md) so the catalog page stays thin. Eleven hands-on labs anchor each module to a measurable artifact, and the capstone is a five-day simulated engagement against an academy-owned target with a client-style written report and oral debrief, graded on a two-tier rubric (five binary engagement-discipline gates plus a 40-30-30 technical-depth, report-craft, and engagement-discipline split). Graduates carry the engagement-lifecycle scaffold, the OSINT-without-detection discipline, and the client-style report shape into ADV-101's CVE-to-tool work, into WIR-101's wireless engagements, into RE-101's embedded teardowns, and into the OffSec PEN-200 / OSCP examination they typically sit within months of PEN-101 completion.
Learning Objectives
The objectives build step-by-step from recall to synthesis. Each is measurable against a specific lab or deliverable.
- Remember. State the seven phases of the standard engagement lifecycle (pre-engagement, intelligence-gathering, threat-modeling, vuln-analysis, exploitation, post-exploitation, reporting), the four CVSS v3.1 base-metric components, and the difference between SOW, ROE, and authorization letter. (Assessed: Week-1 ROE-drafting lab; midterm closed-book recall.)
- Understand. Explain why scope is the engagement's most central artifact, why CVSS scores are not the same as business risk, and why "default credentials" is a finding category that exceeds many CVE-specific findings in real-world impact. (Assessed: Capstone executive-summary section; D2 reflection.)
- Apply. Conduct OSINT + passive recon of a target without tripping detection: WHOIS, certificate-transparency logs, GitHub recon, social-media tradecraft, search-operator literacy. (Assessed: Lab 2 OSINT dossier.)
- Apply. Perform active recon + enumeration with Nmap, Masscan, and purpose-built tooling; identify services, banners, and OS-fingerprint hints; build a target-host inventory. (Assessed: Lab 3 lab-network full enumeration.)
- Apply. Identify vulnerabilities in common services (SMB, SSH, HTTP, DNS, databases) using Nessus, Nuclei, and manual analysis; triage findings by exploitability + business risk. (Assessed: Lab 5 triaged-finding spreadsheet.)
- Apply. Exploit misconfigurations + commonly-weaponized vulnerabilities using Metasploit, public exploits, and scripted tooling within authorized scope; escalate privileges on Linux + Windows targets. (Assessed: Labs 7-9; midterm practical.)
- Analyze. Move laterally across an authorized network; reason about scope-limiting rules; document credential reuse + pivoting paths; recognize when the engagement has reached a scope boundary that requires escalation to the client. (Assessed: Lab 10 multi-host engagement transcript.)
- Synthesize / Create. Produce a client-grade engagement report: executive summary, CVSS-scored findings, remediation guidance, appendices; deliver an oral debrief to faculty playing technical + non-technical client stakeholders. (Assessed: Capstone, 5-day simulated engagement + report + debrief.)
Week-by-Week Topic Flow
| Week | Topic | Lab anchor |
|---|---|---|
| 1 | Engagement lifecycle, authorization, ROE, professional ethics | Lab 1, Draft an ROE for a hypothetical SMB client |
| 2 | OSINT and passive reconnaissance | Lab 2, OSINT dossier on the lab target |
| 3 | Active recon (Nmap, Masscan, service enumeration) | Lab 3, Full scan + enumeration of the lab network |
| 4 | Web application recon (directory enumeration, fingerprinting, Burp Suite) | Lab 4, Enumerate web targets; identify attack surface |
| 5 | Vuln identification (Nessus, Nuclei, manual analysis) | Lab 5, Identify + triage vulnerabilities; spreadsheet by CVSS + exploitability |
| 6 | Midterm practical, 3-hour scoped mini-engagement | Proctored exam |
| 7 | Exploitation I (Metasploit, public exploits, when not to use them) | Lab 7, Exploit Metasploitable + DVWA + retired HTB boxes |
| 8 | Exploitation II. Web-app (SQLi, XSS, SSRF, IDOR, file upload, deserialization) | Lab 8, Attacks on Juice Shop + WebGoat |
| 9 | Post-exploitation (Linux and Windows privilege escalation) | Lab 9, Privesc labs on both platforms (LinPEAS / WinPEAS workflow) |
| 10 | Lateral movement, pivoting, credential reuse; operational security | Lab 10, Simulated multi-host engagement |
| 11 | Reporting and client communication; ethics of disclosure | Lab 11, Draft + workshop the engagement report |
| 12-13 | Capstone (five-day simulated engagement) | Capstone report + 20-min oral debrief |
Lab Manifest
Eleven graded labs plus the five-day capstone engagement. Every lab produces a transcript + finding artifacts the student commits to a private course Git repository (engagement findings are sensitive even when the lab targets are intentionally vulnerable; the repo's discipline anticipates the OPSEC norms of real client work).
| Lab | Title | Deliverable artifact |
|---|---|---|
| 1 | ROE Drafting | SOW + ROE document for a hypothetical SMB client; instructor-reviewed |
| 2 | OSINT Dossier | Passive-recon report on the lab target; sources annotated; no detection-tripping queries |
| 3 | Active Recon | Nmap + Masscan results; host inventory; service banners |
| 4 | Web Recon | Directory enumeration + tech-stack fingerprint + attack-surface map |
| 5 | Vuln Triage | Nessus / Nuclei output triaged into a spreadsheet by CVSS + exploitability + business risk |
| 7 | Exploitation I | Working exploits against 3+ retired HTB boxes; Metasploit + manual; transcript per host |
| 8 | Web-App Exploitation | Successful SQLi + XSS + SSRF + IDOR + file-upload + deserialization payloads against Juice Shop / WebGoat |
| 9 | Privesc | Linux + Windows privilege escalations; LinPEAS / WinPEAS findings annotated with the underlying technique family |
| 10 | Lateral Movement | Multi-host engagement transcript; credential-reuse paths documented; scope boundaries respected |
| 11 | Report Workshop | Engagement-report draft; instructor + peer review |
| C | Capstone | 5-day engagement report (executive summary + CVSS findings + remediation roadmap + appendix) + 20-min oral debrief |
Bridge to Downstream Courses
PEN-101 is the offensive-track midpoint. Cross-course skill-transfer threads:
- → ADV-101 (Adversarial Techniques). The engagement-lifecycle + authorization discipline from Lab 1 + the report format from the capstone are what ADV-101 assumes is already practiced; ADV-101 narrows scope to a single CVE under explicit authorization, but the surrounding professional discipline is PEN-101's.
- → WIR-101 (Wireless Pentest). The recon + enumeration + reporting practices transfer directly; WIR-101 substitutes RF surface for IP surface, with the same engagement-lifecycle scaffold.
- → RE-101 (Reverse Engineering of Embedded Systems). The vuln-triage skill from Lab 5 + the post-exploitation reasoning from Lab 9 inform RE-101's firmware-vulnerability work; the ROE-drafting habit from Lab 1 is exactly what an RE engagement against owned hardware also needs.
- → OffSec OSCP / industry red-team roles. The course explicitly prepares students for the OSCP skill set; the capstone's 5-day engagement scaffold is the closest cohort-supportable analog to OSCP's 24-hour solo practical.
Topical mini-module cross-cut: VCA-MINI-WIRESHARK-CVES-2026-05 (Wireshark RCE quartet, May 2026). PEN-101's Week 5 RDP-protocol fuzzing methodology references CVE-2026-5405 (the asymmetric-validation pattern in the ZGFX uncompressed path); the engagement-lifecycle reporting practices reference the cross-CVE shape comparison across the four bugs. The mini-module catalog page distils the companion handout for vocabulary-level recognition; the deep walkthrough lives in the handout.
Tool Journal: PEN-101 Additions
Tools introduced in PEN-101, with one paragraph each in the student's personal toolchain-diary.md:
- Nmap / Masscan. Active reconnaissance + port scanning. The practitioner staple. (First-introduced NET-101; PT track deepens for engagement scope.)
- Burp Suite Community. Web-app proxy + manual fuzzer. Canonical first-introduction: PEN-101 (PT track). Returns in WIR-101 (web management consoles) + ADV-101 + RE-101 (firmware web interfaces). The academy's TIR-3 Phase-2 roadmap targets a browser-native Burp/ZAP-equivalent WebAssembly tool (LoE-D-E; forward-stretch).
- OWASP ZAP. Automated web-app scanner + manual testing proxy. Canonical first-introduction: PEN-101 (PT track). Complements Burp Suite in Lab 4 and Lab 8 scanning workflows.
- sqlmap. Automated SQL injection tool. Canonical first-introduction: PEN-101 (PT track). Lab 8's SQLi work uses it alongside manual WAHH-chapter techniques to show what the tool catches and what it misses.
- Nessus Essentials / Nuclei. Vulnerability scanners. The triage workflow from Lab 5 is the practitioner discipline that distinguishes a finding-spreadsheet from a vendor-tool dump.
- Metasploit Framework. Exploit framework. Canonical first-introduction: PEN-101 (PT track). The "when not to use it" lesson is as important as the "how to use it" lesson.
- John the Ripper / Hashcat. Password-cracking toolkit. Canonical first-introduction: PEN-101 (PT track). Returns in ADV-101 + RE-101 firmware-credential-extraction work.
- Impacket. Python network-protocol library. Lab 10's lateral-movement work uses it; the FND-102 Python fluency is the working substrate.
- LinPEAS / WinPEAS. Privilege-escalation enumeration scripts. The student reads them, runs them, and learns to recognise the technique families they output.
- Markdown + the report-writing format. A tool in the same sense the diary itself is. The capstone report is the practitioner artifact PEN-101 builds.
Prerequisite Map
Depends on: SEC-101 (defensive vocabulary + incident-response fundamentals) + NET-101 (packet + protocol literacy) + FND-102 (Python tooling fluency).
Feeds into:
- ADV-101 (capstone-class single-CVE adversarial work; PEN-101's engagement lifecycle is a prereq)
- WIR-101 (concurrent-eligible if NET-101 is done; same engagement scaffold over RF)
- OffSec OSCP / industry red-team (career-path follow-on; PEN-101 + ADV-101 is the academy's OSCP-prep sequence)
See the course prerequisite map for the academy-wide map and named track sequences.
Capstone: Five-Day Simulated Engagement
Students conduct a five-day simulated engagement against an instructor-built target network (three to five hosts with documented intentional vulnerabilities). The report format is client-professional, not academic-publication, and is explicitly graded on actionability for the imagined client.
Two-tier grading rubric
First, your project must work. The engagement is conducted within stated ROE; at least one finding is exploited end-to-end with proof; the report contains all five required sections (executive summary, methodology, findings, evidence appendix, remediation roadmap); the oral debrief is delivered in under 25 minutes; both technical and non-technical stakeholder questions are answered substantively.
Then we score the report.
- Technical depth + accuracy (40%). Findings are real (no false positives passed through from scanner output without verification); CVSS scores are defensible against the base-metric components; exploitation evidence is reproducible from the report alone; remediation guidance is concrete and prioritized.
- Report clarity and craft (30%). Executive summary is readable by a non-technical client decision-maker; methodology section is auditable; appendix evidence is well-organized; document is professionally typeset; spelling + grammar clean; no academic hedging where confidence is appropriate.
- Engagement discipline + reflection (30%). ROE was respected; scope boundaries acknowledged; OPSEC trade-offs (e.g., loud scans vs. detection avoidance) are explained; debrief shows the student understands what they would do differently and why.
Submitted artifacts: the full engagement report (PDF, professionally typeset); evidence-appendix archive (screenshots, command transcripts, captured artifacts); the oral-debrief slide deck (~10 slides); a one-page personal lessons-learned memo; the engagement Git repository (private; instructor + cohort-peer review only).
Required Hardware & Software
- No additional hardware beyond the standard student compute environment (personal laptop or rented Pi).
- The target network runs in program-owned lab infrastructure (Proxmox or VMware cluster, reset per cohort).
- Kali Linux in a VM or as the Pi distribution.
- Tools: Nmap, Masscan, Nessus Essentials, Nuclei, Burp Suite Community, Metasploit, Hashcat, Impacket. All free; Kali bundles most.
Texts: Weidman, Penetration Testing: A Hands-On Introduction to Hacking (No Starch, 2014); Hickey & Arcuri, Hands On Hacking (Wiley, 2020); OWASP Testing Guide v4.2 (free); PTES (free online).
Recommended Readings
Primary anchor pair. Build-it-yourself
- Heath Adams, Practical Ethical Hacking (TCM Security; ~$30 course; ~20 hours video + labs). The entry-tier build-it-yourself companion for PEN-101. Adams's methodology-first approach to the engagement lifecycle maps directly onto PEN-101's week-by-week structure. Students who work through the course alongside PEN-101 will recognize every phase the labs exercise.
- OffSec, PEN-200 / OSCP+ (OffSec; institutional subscription ~$1,749-$2,599; includes 90-day lab access). The institutional gold-standard graduation credential for penetration testers. PEN-200 is the official preparation material for the OSCP+ examination; PEN-101 + ADV-101 is the academy's OSCP-prep sequence. Students targeting OSCP should plan to work PEN-200 after completing the academy's offensive-track sequence.
Primary anchor pair. Practitioner narrative
- Stuttard & Pinto, The Web Application Hacker's Handbook, 2nd ed. (Wiley, 2011; ISBN 978-1-118-02647-2). The canonical reference for web-application penetration testing, authored by Dafydd Stuttard (creator of Burp Suite) and Marcus Pinto. Stuttard and Pinto's chapter-by-chapter dissection of authentication, session management, access controls, and injection classes is the mental model behind Lab 4's web-recon work and Lab 8's web-app exploitation labs.
- Seitz & Arnold, Black Hat Python, 2nd ed. (No Starch Press, 2021; ISBN 978-1-7185-0112-6). The canonical reference for offensive Python scripting. Seitz and Arnold's build-from-scratch approach (netcat replacements, packet crafters, proxy interceptors, exploit harnesses) is the scripting philosophy behind PEN-101's custom-tooling expectations in Lab 10. The FND-102 Python fluency is the prerequisite Seitz and Arnold assume.
Supplementary
- Weidman, Penetration Testing: A Hands-On Introduction to Hacking (No Starch, 2014). Foundational survey; Lab 3-5 methodology parallels.
- Kim, The Hacker Playbook 3 (Self-published, 2018). Red-team mindset; ADV-101 prereading after PEN-101.
- Yaworski, Real-World Bug Hunting (No Starch, 2019). Bug-bounty methodology; ADV-102 bridge reading.
- OWASP Testing Guide v4.2 (free; owasp.org), the industry-standard web-app testing methodology reference.
- PTES (Penetration Testing Execution Standard; free online), the open-standard engagement-lifecycle reference.
Practitioner training platforms
- PortSwigger Web Security Academy (free; portswigger.net/web-security). Interactive browser-based web-pentest labs by the Burp Suite team. The first 10 lab modules map directly onto Lab 4 and Lab 8 content. Independent use alongside PEN-101 is strongly recommended.
- HackTheBox Academy / TryHackMe. Subscription-based guided lab environments. Useful for additional Metasploit + privesc + lateral-movement practice between PEN-101 labs.
Certification Alignment
Aligned certifications: CompTIA PenTest+, CompTIA Security+, OSCP prep.
Primary alignment, CompTIA PenTest+. Course content exceeds the exam objectives in every domain (planning + scoping, information gathering + vuln scanning, attacks + exploits, reporting + communication, tools + code analysis). Students should sit PenTest+ within three months of PEN-101 completion; the capstone's reporting practices also cover the soft-skill domain PenTest+ inserted in its 2021 revision and that PenTest+ PT0-002 retains.
Long-term alignment, OffSec OSCP. PEN-101 is explicit preparation for the OSCP skill set, with the capstone serving as the closest cohort-supportable analog to OSCP's 24-hour solo practical. Students who complete PEN-101 + ADV-101 typically need 6-12 months of self-directed retired-HTB-box work before sitting OSCP.
Pedagogical-vs-vocational stance. The capstone's 5-day engagement, client-grade report, and oral debrief exceed what any cert measures. Employers evaluating Virtus Academy graduates should weight the capstone artifact and the reproducible engagement repository alongside (or above) the cert. The cert is earned as a side effect by students who choose to sit it.
Certs are never required to complete a Virtus Academy course. The course transcript and the submitted capstone engagement report are the academy's primary credentials.
Format Prescriptions
Hour budget: ~10 lec hr + ~58 lab hr + ~54 indep hr (= ~122 hr total). 11 weeks of curriculum + a 5-day capstone engagement.
Live (standard cadence)
2 sessions/wk × 90 min each (45 min lecture + 45 min hands-on per session) + 30 min stay-after office time. 11 weeks + 5-day capstone. Best for college-elective + adult-learning + homeschool-co-op cadence with shared red-team lab access.
Night class (working-adult cadence)
1-2 sessions/wk in evenings; spread over ~22 weeks + capstone weekend. Best for community-college + vocational-tech students with day jobs. The capstone engagement is best run as a dedicated weekend or 5 consecutive evenings.
Bootcamp
8 hr/day × 5 days/wk = 40 hr/wk; total ~4 weeks (3 weeks of curriculum + 1 week capstone). Best for adults / age-irrelevant students with prereq comfort + dedicated learning time. Bootcamp format also serves as direct OSCP-prep accelerator.
Async self-paced
Lecture hours via recorded video; lab hours via TryHackMe / HackTheBox subscription (academy-discounted rate); indep hours = student pace. Includes Discord-group access (1-2 days/wk instructor-advertised availability). AI-assistant tier add-on. Live 1:1 tutoring premium tier add-on for capstone-engagement coaching.
High school / homeschool co-op
Adapted live cadence over a school year (~15 weeks at typical school cadence) OR semester (11 weeks at college cadence + capstone). Detailed per-syllabus planning available on request.
Interested in VCA-PEN-101?
Email interested@virtuscyberacademy.org with your background and interest.