VCA-RF-301: Advanced SDR + Waveform RE
RF-201 closed at the protocol-RE engagement: a student who can characterise a sub-GHz device, write a working GNU Radio demodulator, and produce a written protocol specification at the level a successor RE engineer would actually read. RF-301 takes the same student to carrier scale, satellite scale, cellular scale, and adversary scale. Advanced DSP at the depth a working SDR engineer reads it (filter design + FIR/IIR / adaptive filtering + FFT-based processing). Cognitive radio anchored on Joe Mitola's seminal work (he coined "software radio" and "cognitive radio"); spectrum sensing; opportunistic access. Software-defined receivers and transmitters; full-duplex architecture; receiver chains. RF security primitives (encryption at the RF layer; physical-layer authentication). Cellular protocols deep-dive (LTE / 5G NR via OpenAirInterface). SATCOM (low-earth-orbit communications; weather satellites; military comms; the GMSK / DVB-S / Iridium-like modulation families). Signal Intelligence (SIGINT) techniques (capture / classify / decode unknown signals at the depth intelligence analysts work). RF waveform RE (custom proprietary protocol RE workflow against deeper targets). Anti-jamming and LPI/LPD (low-probability-intercept / low-probability-detect). And a capstone that integrates a full RF-protocol RE with a reimplementation in GNU Radio. This is the academy's RF-track terminal course.
Course Overview
RF-301 is the academy's RF-track capstone. It assumes RF-201's graduates: students who have shipped an end-to-end RF-protocol RE capstone, written a working GNU Radio demodulator for a self-selected real-world target, and authored a protocol specification at the level a successor RE engineer would read. The pedagogical contract is that RF-301 is RF at the scales where the single-protocol assumption breaks. Carrier-scale (where cellular protocols stack dozens of physical-layer mechanisms), satellite-scale (where Doppler shift and propagation delay restructure the demodulator), and adversary-scale (where SIGINT discipline + anti-jamming countermeasures shape the engagement).
Closes the RF-201 forward-promises. RF-201's modulation-theory module closes against RF-301's advanced-DSP filter-design module (where the modulation choice is a consequence of the filter constraints). RF-201's URH protocol-RE workflow closes against RF-301's waveform-RE module (where URH is one tool in a deeper toolchain that includes GNU Radio custom-block authoring, OpenAirInterface for cellular-stack RE, and gr-osmosdr for broader hardware integration). RF-201's sub-GHz capstone closes against RF-301's cellular-stack + SATCOM + SIGINT modules.
Position relative to peer offerings. RF-301 is the only formal curriculum in the academy that crosses cellular, SATCOM, SIGINT, and waveform-RE in one course. University-level advanced wireless courses typically pick one or two of those scales rather than the full set; RF-301's breadth is calibrated against students who have taken the academy's WIR-101 + RF-201 + CSA-201 substrate and are heading into RE-201 / ADV-101 capstones where the full breadth is operationally relevant.
Pedagogy. The three RF-track teaching habits continue at advanced depth. Foundational readings (~18-22 weaves across RF-301's twelve chapters; Wyglinski advanced + Pozar Microwave Engineering selected for RF-circuit depth + Mitola Cognitive Radio Architecture for the cognitive-radio module + Ossmann for HackRF-specific labs + Sklar for advanced communications + OpenAirInterface community docs for cellular-stack RE). Tool Journal (~10 new entries: OpenAirInterface (OAI) cellular-stack; srsRAN; gr-satellites + gr-leo for SATCOM; gr-paint for spectrogram art / SIGINT visualisation; GNSS-SDR for GPS reception; gr-fosphor for waterfall visualisation; gr-iio for ANT-SDR E200 advanced; advanced antennas; ARRL Extra study materials). Architecture comparison sidebars (OFDM vs CDMA vs TDMA vs FHSS vs DSSS multiple-access techniques; cellular generations 2G GSM / 3G UMTS / 4G LTE / 5G NR; SATCOM constellations LEO / MEO / GEO / HEO; cognitive-radio paradigms Mitola / DARPA-spectrum-collaboration-challenge / FCC opportunistic-access).
What Belt-5 RF-Track Graduates Recognize
RF-301 reads paired anchors at advanced depth: Wyglinski's SDR for Engineers for the receiver-chain budgeting framework (noise, IM products, phase-noise, ADC quantisation, digital-filter ripple), Pozar's Microwave Engineering for RF-circuit-level depth, Mitola's Cognitive Radio Architecture for the software-radio-to-cognitive-radio arc, Ossmann's HackRF series for HackRF-specific advanced work, and the OpenAirInterface community docs for the cellular-stack reverse-engineering module. Kurose-Ross 9th edition supplies the 5G New Radio plus 5G Core layer so RF-track and NET-track graduates share a common 5G vocabulary. Graduates leave able to discuss carrier-grade waveforms (LTE, 5G NR, SATCOM, GNSS), IMSI-catcher attack classes and the 5G-AKA cryptographic response (SUCI, SUPI, ECIES), cognitive-radio designs (DARPA Spectrum Collaboration Challenge, FCC TV-white-space, WiFi dynamic-frequency-selection), and the SIGINT-and-anti-jamming surface that government and SDR-engineering employers pay for.
The teaching method uses paired textbook readings at advanced depth, with the per-chapter reading guide published as a separate handout (handouts/cross-chapter-rf-301-anchor-reading-guide.md) so the catalog page stays thin. Twelve hands-on labs anchor each chapter to a measurable artifact, and the capstone is a full RF-protocol reverse-engineering plus reimplementation in GNU Radio with a byte-for-byte interop demo, a written specification, and a reproducibility package graded on a two-tier rubric. Graduates carry the Wyglinski receiver-chain budget framework, the Mitolan software-to-cognitive-radio framing, and the cross-architecture comparison sidebar (5G Core vs SDN vs Mobile-IP, shared with vca-net-301) into SDR-engineering, wireless-protocol-RE, cellular-vendor, SIGINT-cleared, and academic-SDR-lab roles.
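A worked version of that receiver-chain budget, added here as an illustration and not code from the course, from Wyglinski or from any handout: Friis cascaded noise figure, thermal-floor sensitivity, ideal-ADC SNR and blocker headroom, run against a constructed four-stage chain. The stage gains and noise figures, the channel bandwidth, the ADC full-scale level and the blocker level are all assumed values, chosen so that the chain meets its sensitivity target yet clips the ADC on a strong in-band blocker, which is the trade the budget exists to expose.

```python
"""Receiver-chain budget: Friis cascaded noise figure, thermal-floor
sensitivity, ideal ADC SNR and blocker headroom.
Added example; the chain values are constructed, not measured."""
import math

K_BOLTZMANN = 1.380649e-23   # J/K
T0 = 290.0                   # reference noise temperature, K


def db_to_lin(db):
    return 10 ** (db / 10.0)


def lin_to_db(x):
    return 10 * math.log10(x)


def cascaded_noise_figure_db(stages):
    """stages = [(gain_dB, noise_figure_dB), ...] in signal order.
    Friis: F = F1 + (F2 - 1)/G1 + (F3 - 1)/(G1 G2) + ...; every stage's noise is
    divided by the gain ahead of it, which is why the LNA has to come first."""
    f_total = 0.0
    gain_ahead = 1.0
    for i, (gain_db, nf_db) in enumerate(stages):
        f = db_to_lin(nf_db)
        f_total += f if i == 0 else (f - 1.0) / gain_ahead
        gain_ahead *= db_to_lin(gain_db)
    return lin_to_db(f_total)


def sensitivity_dbm(nf_db, bandwidth_hz, required_snr_db):
    """Minimum detectable signal: kT0B (dBm) + NF + the SNR the demodulator needs."""
    thermal_floor_dbm = lin_to_db(K_BOLTZMANN * T0 * bandwidth_hz) + 30.0
    return thermal_floor_dbm + nf_db + required_snr_db


def adc_snr_db(bits, oversampling_ratio=1.0):
    """Ideal ADC: 6.02 N + 1.76 dB for a full-scale sine, plus 10 log10(OSR) when
    the digital filter discards quantisation noise outside the channel."""
    return 6.02 * bits + 1.76 + 10 * math.log10(oversampling_ratio)


def blocker_headroom_db(blocker_dbm, total_gain_db, adc_full_scale_dbm):
    """Headroom between the strongest in-band blocker at the ADC input and ADC
    full scale; negative means the ADC clips and IM products swamp the wanted signal."""
    return adc_full_scale_dbm - (blocker_dbm + total_gain_db)


def budget(stages, bandwidth_hz, required_snr_db, adc_bits,
           blocker_dbm, adc_full_scale_dbm, osr=1.0):
    nf = cascaded_noise_figure_db(stages)
    total_gain = sum(g for g, _ in stages)
    return {
        "cascaded_nf_db": nf,
        "total_gain_db": total_gain,
        "sensitivity_dbm": sensitivity_dbm(nf, bandwidth_hz, required_snr_db),
        "adc_snr_db": adc_snr_db(adc_bits, osr),
        "blocker_headroom_db": blocker_headroom_db(blocker_dbm, total_gain, adc_full_scale_dbm),
    }


# Constructed chain in signal order: LNA, coax run, mixer, IF amplifier.
CHAIN = [(20.0, 1.0), (-3.0, 3.0), (-7.0, 7.0), (30.0, 5.0)]
CABLE_FIRST = [CHAIN[1], CHAIN[0]] + CHAIN[2:]   # same parts, LNA placed after the cable

if __name__ == "__main__":
    # 1 MHz channel, demodulator needs 10 dB, 12-bit ADC with +4 dBm full scale,
    # strongest expected in-band blocker -30 dBm (all assumed figures)
    print(budget(CHAIN, 1e6, 10.0, 12, blocker_dbm=-30.0, adc_full_scale_dbm=4.0))
    print("NF with the cable ahead of the LNA: %.2f dB" % cascaded_noise_figure_db(CABLE_FIRST))
```

The same chain that reaches about -102 dBm sensitivity in 1 MHz has 6 dB of negative headroom against the -30 dBm blocker, so the fix is gain distribution (or an RF filter ahead of the mixer), not more LNA gain; moving the coax run in front of the LNA costs roughly 2.5 dB of noise figure, which is the Friis lesson the lab's SNR-budget instrumentation is meant to make visible.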
Curriculum Outline
Twelve chapters across ~14 weeks. Each chapter takes an RF-201 substrate and scales it.
| Ch | Topic | What RF-201 module it scales |
|---|---|---|
| 1 | Advanced DSP. Filter design (FIR / IIR / adaptive / FFT-based processing) | RF-201 Ch 5 LoRa demodulator filter pair |
| 2 | Cognitive radio, Mitola; spectrum sensing; opportunistic access | RF-201 Ch 7 SDR fundamentals; the architectural-philosophy chapter |
| 3 | Software-defined receivers + transmitters. Full duplex; receiver chains | RF-201 Ch 7 SDR fundamentals at architecture depth |
| 4 | RF security primitives. Encryption at RF layer; physical-layer authentication | RF-201 Ch 4 BLE encrypted-pairing baseline |
| 5 | Cellular protocols, LTE + 5G NR via OpenAirInterface (OAI) | RF-201's "cellular mention only" framing |
| 6 | SATCOM, LEO communications; weather and military satellites | NEW domain; RF-201 didn't reach SATCOM |
| 7 | Signal intelligence (SIGINT) techniques. Capture / classify / decode unknown signals at intelligence-analyst depth | RF-201 Ch 9 URH protocol RE at SIGINT-discipline depth |
| 8 | RF waveform RE. Custom proprietary protocol RE workflow at advanced depth | RF-201 Ch 9 URH at waveform depth |
| 9 | Anti-jamming + LPI/LPD. Low-probability-intercept / low-probability-detect | NEW domain; adversary-scale work |
| 10 | Cross-cut to RE-track advanced protocol-RE methodology | Forward pointer to vca-re-201 at advanced depth |
| 11 | Cross-cut to PT-track advanced wireless pentesting | Forward pointer to vca-adv-101 at advanced depth |
| 12 | Capstone. Full RF-protocol RE + reimplementation in GNU Radio | The synthesis deliverable |
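The Ch 7 capture / classify / decode discipline, reduced to two of its first-pass tools, as an added example that is not course material: the symbol rate of an unknown PSK burst from the spectrum of its phase-transition energy, and the modulation order plus carrier offset from the M-th-power spectral line (x^M collapses M-PSK to a tone at M times the offset). The burst is constructed inside the block (1 MS/s, 8 samples per symbol, 6 dB SNR, an offset placed on an exact FFT bin) and NumPy is assumed.

```python
"""Blind SIGINT triage of an unknown PSK burst: symbol rate from the spectrum of
the phase-transition energy, modulation order and carrier offset from the
M-th-power spectral line. Added example, not course material; the test burst
is constructed. Assumes NumPy."""
import numpy as np


def make_psk(order, n_symbols, sps, snr_db, cfo_hz, fs, rng):
    """Constructed M-PSK burst: rectangular pulses, carrier offset, complex AWGN."""
    k = rng.integers(0, order, n_symbols)
    symbols = np.exp(1j * (2 * np.pi * k / order + np.pi / order))
    x = np.repeat(symbols, sps)
    n = np.arange(x.size)
    x = x * np.exp(2j * np.pi * cfo_hz * n / fs)
    noise_var = 10 ** (-snr_db / 10)
    noise = np.sqrt(noise_var / 2) * (rng.standard_normal(x.size) + 1j * rng.standard_normal(x.size))
    return x + noise


def estimate_symbol_rate(x, fs):
    """|x[n] - x[n-1]|^2 spikes at symbol boundaries, i.e. periodically at the
    symbol rate. Every harmonic of an impulse train is equally strong, so take
    the LOWEST bin at or above half the strongest line, not the argmax."""
    d = np.abs(x - np.roll(x, 1)) ** 2
    spectrum = np.abs(np.fft.rfft(d - d.mean()))
    spectrum[0] = 0.0
    lines = np.nonzero(spectrum >= 0.5 * spectrum.max())[0]
    return lines[0] * fs / d.size


def mth_power_line(x, m, fs):
    """x^M collapses M-PSK to a tone at M * carrier_offset. Returns the strength of
    the strongest FFT line (normalised to signal power) and the offset it implies."""
    spec = np.fft.fft(x ** m)
    peak = int(np.argmax(np.abs(spec)))
    strength = np.abs(spec[peak]) / x.size / np.mean(np.abs(x) ** 2) ** (m / 2)
    cfo_hz = np.fft.fftfreq(x.size, d=1 / fs)[peak] / m
    return float(strength), float(cfo_hz)


def classify_psk(x, fs, threshold=0.3):
    """Smallest M in {2, 4, 8} whose M-th power shows a clean line: BPSK lines up
    at M=2, QPSK only at M=4, 8-PSK only at M=8. None if no line appears."""
    for m in (2, 4, 8):
        strength, cfo_hz = mth_power_line(x, m, fs)
        if strength >= threshold:
            return m, cfo_hz, strength
    return None, None, 0.0


def triage(x, fs):
    order, cfo_hz, strength = classify_psk(x, fs)
    return {"order": order, "cfo_hz": cfo_hz, "line_strength": strength,
            "symbol_rate_hz": float(estimate_symbol_rate(x, fs))}


def demo(order, seed=1):
    """Constructed capture: fs = 1 MS/s, 8 samples/symbol, 6 dB SNR, offset on an exact FFT bin."""
    fs = 1e6
    rng = np.random.default_rng(seed)
    return triage(make_psk(order, 1024, 8, 6.0, 20 * fs / 8192, fs, rng), fs)


if __name__ == "__main__":
    for order in (2, 4):
        print(order, demo(order))
```

Both estimators degrade in the way the lab's low-SNR capture is meant to show: raising the signal to the M-th power raises the noise with it, so the M=8 test needs more symbols or a higher SNR than the M=2 and M=4 tests, and the symbol-rate line weakens as pulse shaping replaces the hard phase transitions of a rectangular pulse. The hypothesis trail should record which estimator produced each number and at what margin above its threshold.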
Architecture Comparison Sidebars
RF-301 carries six structured comparison sidebars. The full set publishes as handouts/cross-chapter-rf-301-architecture-sidebars.md.
- OFDM vs CDMA vs TDMA vs FHSS vs DSSS. Five multiple-access techniques, the spectrum-sharing philosophies, where each is deployed (OFDM dominant for 4G/5G/WiFi-6; CDMA for 3G; TDMA for 2G GSM; FHSS for Bluetooth Classic; DSSS for legacy 802.11b and GPS). Anchored on Wyglinski + Sklar.
- Cellular generations 2G GSM vs 3G UMTS vs 4G LTE vs 5G NR vs 6G. Five cellular generations, the architectural transitions (circuit-switched to packet-switched; centralised to distributed RAN; sub-6 GHz to mmWave; orchestration via SDN). Anchored on OAI community docs + Mitola.
- SATCOM constellations LEO vs MEO vs GEO vs HEO. Four orbital regimes, the propagation-delay / Doppler-shift / coverage tradeoffs, which deployments chose which (Iridium / Starlink LEO; Galileo / GPS MEO; geostationary broadcast; Molniya HEO).
- Cognitive-radio paradigms, Mitola academic vs DARPA Spectrum Collaboration Challenge vs FCC opportunistic-access. Three cognitive-radio research/regulatory traditions, what each enabled, what each missed.
- 5G Core vs SDN vs Mobile-IP control-plane architectures. Three contemporary control-plane decompositions compared on three axes (control-plane decomposition, routing model, state-management strategy). Cross-chapter shared sidebar with vca-net-301 Ch 8; published as handouts/cross-chapter-control-plane-architectures.md. Anchored on Kurose-Ross 9e §7.4 + §7.5.4 + §5.
- WPA2-PSK vs WPA3-SAE vs 5G-AKA (wireless AKA progression). Three contemporary wireless Authentication-and-Key-Agreement protocols compared on three axes (trust-anchor model, long-term-identity privacy, forward-secrecy + replay-protection mechanism); the design-evolution arc from 802.11i (2004) through WPA3 / Dragonfly (2018) to 5G-AKA (3GPP Rel-15, 2018), with KRACK, Dragonblood and IMSI-catchers as the attack classes each redesign answered or was later tested against. Cross-chapter shared sidebar with vca-wir-101 Week 4 + vca-net-201 security module + vca-net-301 Ch 8 + cross-reference from vca-sec-101; published as handouts/cross-chapter-wireless-aka-progression.md. Anchored on Kurose-Ross 9e §8.8.1 + §8.8.2; reads as the Ch 4 (RF security primitives; physical-layer authentication) signal-side capture-and-replay lens onto the AKA-progression story. Companion sidebar to the 5G-Core control-plane comparison above; 5G-AKA appears in both, read once as the AKA-progression endpoint and once as a control-plane decomposition expression.
Ch 5 also draws on one cross-chapter reference handout. A different artifact class from the comparison sidebars above, published as a single canonical reference rather than a compare-N-implementations sidebar: handouts/cross-chapter-docsis-quad-cross-cut.md. The DOCSIS handout is the wired-RF / advanced-waveform-RE complement to the cellular content of this chapter. One industry case study read across NET-201 (link-layer protocol), NET-301 (carrier / RF-front-end), RF-301 Ch 5 (DOCSIS PHY/MAC analysis as cellular's wired-RF cousin), and RE-201 (SB6141 hardware lab); the burst-mode upstream + TDMA / S-CDMA (DOCSIS 3.0) or OFDMA (DOCSIS 3.1) + symbol-decode pipeline of DOCSIS reads as a structural cousin to the cellular RACH + uplink-grant + symbol-decode pipeline, but on coaxial cable rather than air. Anchored on Kurose-Ross 9e §6.3.4 with chip-by-chip mapping for the SB6141 lab target.
Learning Outcomes
- Remember. State the four major filter-design methods (windowed-FIR / Parks-McClellan FIR / IIR-from-analogue-prototype / adaptive); the five multiple-access techniques (OFDM / CDMA / TDMA / FHSS / DSSS); the five cellular generations (2G GSM / 3G UMTS / 4G LTE / 5G NR / 6G research); the four SATCOM orbital regimes (LEO / MEO / GEO / HEO).
- Understand. Explain why a cognitive-radio system needs both a spectrum-sensing front-end and a decision-making policy layer, and why the trustworthiness of those decisions is what makes the architecture controversial in regulatory contexts.
- Understand. Distinguish anti-jamming (resistance to deliberate interference) from LPI/LPD (resistance to detection in the first place); explain the spread-spectrum and frequency-hopping strategies each uses and the cost they impose.
- Apply. Implement a cognitive-radio spectrum-sensing-and-opportunistic-access pipeline in GNU Radio against a real ISM-band environment.
- Apply. Stand up an OpenAirInterface eNB on a programmable USRP or ANT-SDR E200; complete an LTE attach procedure with an authorised UE; measure the SNR budget across the receiver chain.
- Apply. Capture and decode a NOAA APT weather satellite pass with a DIY V-dipole + RTL-SDR; reproduce in software the demodulator that recovers the image.
- Apply. Reverse-engineer a deliberately-obfuscated proprietary RF protocol from captured IQ to a working GNU Radio demodulator and a written specification.
- Analyze. Given a captured signal at low SNR with unknown framing, classify the modulation, hypothesise the multiple-access scheme, identify any spread-spectrum/anti-jam mechanisms, and propose a SIGINT-discipline workflow that would reduce the unknowns.
- Synthesize. Ship the end-to-end capstone: select a target real-world RF protocol; reverse-engineer it; reimplement in GNU Radio; produce the written specification + reproducibility package + 15-minute recorded technical demo.
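The anti-jamming versus LPI/LPD distinction in the Understand outcome, and the detection-difficulty tradeoff the Lab 9 chirp transmitter is meant to demonstrate, as an added example that is not course material: a 4 ms, 250 kHz linear chirp (time-bandwidth product 1000, about 30 dB of processing gain) is buried 10 dB below the noise in its own bandwidth; a wideband energy detector that does not know the waveform sees no usable rise, a matched filter with the reference chirp recovers a clean peak, and the same despreading flattens a CW jammer 10 dB stronger than the chirp. All parameters, the capture and the jammer are constructed; NumPy is assumed.

```python
"""Chirp spread spectrum as an LPI/LPD and anti-jam waveform. A long chirp sits
below the noise floor for an energy detector that lacks the waveform parameters,
while a matched filter with the reference chirp recovers it with time-bandwidth
processing gain and also despreads a narrowband jammer. Added example, not course
material; every parameter is constructed. Assumes NumPy."""
import numpy as np

FS = 1e6          # sample rate, Hz
BW = 250e3        # chirp sweep bandwidth, Hz
T_CHIRP = 4e-3    # chirp duration, s (time-bandwidth product 1000, ~30 dB gain)
RECORD = 16384    # capture length, samples
START = 5000      # constructed chirp start index within the capture


def reference_chirp(fs=FS, bw=BW, duration=T_CHIRP):
    """Unit-amplitude linear chirp sweeping -bw/2 .. +bw/2 over `duration`."""
    n = int(round(fs * duration))
    t = (np.arange(n) - n / 2) / fs
    return np.exp(1j * np.pi * (bw / duration) * t ** 2)


def make_capture(snr_in_band_db, jammer_db, seed):
    """AWGN capture containing one chirp. SNR is defined inside the chirp's own
    bandwidth; an optional CW jammer sits jammer_db above the chirp power."""
    rng = np.random.default_rng(seed)
    chirp = reference_chirp()
    noise_var = 10 ** (-snr_in_band_db / 10) * FS / BW   # noise power over the full fs span
    r = np.sqrt(noise_var / 2) * (rng.standard_normal(RECORD) + 1j * rng.standard_normal(RECORD))
    r[START:START + chirp.size] += chirp
    if jammer_db is not None:
        n = np.arange(RECORD)
        r += 10 ** (jammer_db / 20) * np.exp(2j * np.pi * 50e3 * n / FS)   # CW jammer inside the sweep
    return r


def energy_rise_db(r, start, length):
    """Wideband energy detector without waveform knowledge: power in the window
    that holds the chirp versus the adjacent noise-only window."""
    p_sig = np.mean(np.abs(r[start:start + length]) ** 2)
    p_ref = np.mean(np.abs(r[start + length:start + 2 * length]) ** 2)
    return 10 * np.log10(p_sig / p_ref)


def despread(r, chirp):
    """Matched filter: correlate with the reference chirp (numpy conjugates the
    second argument). Returns the peak index and the peak-to-RMS ratio, the RMS
    taken away from the peak so the mainlobe does not count as floor."""
    y = np.abs(np.correlate(r, chirp, mode="valid"))
    k = int(np.argmax(y))
    mask = np.ones(y.size, dtype=bool)
    mask[max(0, k - 10):k + 11] = False
    return k, float(y[k] / np.sqrt(np.mean(y[mask] ** 2)))


def demo(snr_in_band_db=-10.0, jammer_db=None, seed=1):
    r = make_capture(snr_in_band_db, jammer_db, seed)
    chirp = reference_chirp()
    k, ratio = despread(r, chirp)
    return {"energy_rise_db": float(energy_rise_db(r, START, chirp.size)),
            "matched_peak_index": k, "matched_peak_to_rms": ratio}


if __name__ == "__main__":
    print("no jammer :", demo())
    print("+10 dB CW :", demo(jammer_db=10.0))
```

The expected numbers are a fraction of a decibel of energy rise against roughly 20 dB of peak-to-floor at the matched-filter output, and the peak lands on the chirp's start sample, which is the timing the despreader then hands to the decoder. The caveat the lab write-up should carry: a radiometer that knows the chirp's bandwidth and duration and integrates over exactly that window still gains statistically from a large time-bandwidth product, so LPD is relative to what the interceptor knows, and the honest tradeoff is transmit power against the interceptor's assumed knowledge and integration time.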
Hands-On Labs
Twelve labs, one capstone. Each lab takes an RF-201 substrate to advanced scale.
- Lab 1. Filter-design comparative lab, Parks-McClellan FIR vs IIR-from-Butterworth vs adaptive LMS against the same channel.
- Lab 2. Cognitive-radio spectrum-sensing-and-opportunistic-access pipeline.
- Lab 3. Full-duplex software-defined receiver chain on ANT-SDR E200; SNR budget measured.
- Lab 4. Physical-layer authentication primer, RF fingerprinting of two same-make transmitters.
- Lab 5. OpenAirInterface LTE attach-procedure lab; SNR-budget instrumentation across the receiver chain.
- Lab 6. NOAA APT weather-satellite reception with V-dipole + RTL-SDR; full demodulator reimplementation in GNU Radio.
- Lab 7. SIGINT discipline lab. Instructor-supplied unknown low-SNR capture; full classification + hypothesis + decode workflow.
- Lab 8. Proprietary-protocol waveform RE against a deliberately-obfuscated target.
- Lab 9. LPI/LPD waveform demonstration. Build a low-power chirped-spread-spectrum transmitter; demonstrate detection-difficulty tradeoffs.
- Lab 10. Cellular-stack RE cross-cut. Partial-reverse of an LTE PHY layer.
- Lab 11. Wireless-pentest cross-cut at advanced depth. Integrate ADV-101 wireless techniques against an authorised target.
- Lab 12 (capstone). Full RF-protocol RE + reimplementation in GNU Radio. See the Capstone section below.
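The sensing half of the Lab 2 cognitive-radio pipeline, as an added example that is not course material: a bank of energy detectors (Hann-windowed 64-point FFT, one statistic per 125 kHz channel, averaged over 256 frames) with a constant-false-alarm threshold taken from a noise-only calibration capture, returning the channels an opportunistic-access radio may use. The band plan, the two occupants and the captures are constructed inside the block, and the last case shows the failure mode a regulator worries about: a 1 dB rise in the live noise floor relative to calibration flags every channel occupied. NumPy is assumed.

```python
"""Cognitive-radio spectrum sensing: a bank of energy detectors with a CFAR
threshold from a noise-only calibration capture. Added example, not course
material; band plan, occupants and captures are constructed. Assumes NumPy."""
import numpy as np

FS = 1e6             # sensed span, Hz
N_CH = 8             # 8 channels of 125 kHz
NFFT = 64            # 8 FFT bins per channel
N_FRAMES = 256       # frames averaged per decision (16384 samples = 16.4 ms)
N_SAMPLES = NFFT * N_FRAMES
CH_BW = FS / N_CH


def channel_stats(x):
    """Per-frame, per-channel energy: Hann-windowed FFT of each frame, |X|^2
    summed over the 8 bins of each channel. Shape (N_FRAMES, N_CH)."""
    frames = x[:N_SAMPLES].reshape(N_FRAMES, NFFT) * np.hanning(NFFT)
    psd = np.fft.fftshift(np.abs(np.fft.fft(frames, axis=1)) ** 2, axes=1)
    return psd.reshape(N_FRAMES, N_CH, NFFT // N_CH).sum(axis=2)


def cfar_threshold(noise_only, k_sigma=4.0):
    """Constant-false-alarm threshold: mean of the statistic under noise only
    plus k_sigma standard errors of the frame average."""
    s = channel_stats(noise_only)
    return s.mean() + k_sigma * s.std() / np.sqrt(N_FRAMES)


def sense(x, threshold):
    """Channels whose averaged statistic exceeds the threshold are occupied;
    the rest are candidates for opportunistic access."""
    avg = channel_stats(x).mean(axis=0)
    occupied = [int(c) for c in np.nonzero(avg > threshold)[0]]
    free = [c for c in range(N_CH) if c not in occupied]
    margin_db = (10 * np.log10(avg / threshold)).round(2).tolist()
    return occupied, free, margin_db


def make_capture(occupants, seed, noise_db=0.0):
    """Constructed capture: complex AWGN of power 10**(noise_db/10) plus
    band-confined occupants {channel: snr_db}. SNR is measured against the
    nominal (0 dB) noise power inside one 125 kHz channel, so noise_db models a
    floor that drifted after calibration."""
    rng = np.random.default_rng(seed)
    noise_var = 10 ** (noise_db / 10)
    x = np.sqrt(noise_var / 2) * (rng.standard_normal(N_SAMPLES) + 1j * rng.standard_normal(N_SAMPLES))
    f = np.fft.fftfreq(N_SAMPLES, d=1 / FS)
    for ch, snr_db in occupants.items():
        lo = -FS / 2 + ch * CH_BW + 20e3      # 20 kHz guard inside each channel edge
        hi = lo + CH_BW - 40e3
        band = (f >= lo) & (f < hi)
        spec = np.zeros(N_SAMPLES, dtype=complex)
        spec[band] = rng.standard_normal(band.sum()) + 1j * rng.standard_normal(band.sum())
        sig = np.fft.ifft(spec)
        target = 10 ** (snr_db / 10) / N_CH   # nominal noise power per channel is 1/8
        sig *= np.sqrt(target / np.mean(np.abs(sig) ** 2))
        x += sig
    return x


def demo(seed=1):
    threshold = cfar_threshold(make_capture({}, seed=seed))
    occupants = {2: -3.0, 5: -5.0}
    occupied, free, margin_db = sense(make_capture(occupants, seed=seed + 1), threshold)
    drifted, _, _ = sense(make_capture(occupants, seed=seed + 2, noise_db=1.0), threshold)
    return {"threshold": float(threshold), "occupied": occupied, "free": free,
            "margin_db": margin_db, "occupied_after_1db_noise_rise": drifted}


if __name__ == "__main__":
    print(demo())
```

Occupants at -3 dB and -5 dB in-channel SNR are found because 2048 averaged bins make the noise statistic tight enough for a threshold only about 12 percent above the noise mean; that same tightness is why a 1 dB floor drift defeats the detector. The policy layer the Understand outcome asks about has to treat "all eight channels busy" as a calibration alarm rather than a sensing result, and a deployable sensor re-estimates its noise floor continuously or pairs energy detection with a feature detector that does not depend on absolute level.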
Capstone: Full RF-Protocol RE + GNU Radio Reimplementation
The student selects a real-world RF protocol (an authorised target the student can capture - examples: an authorised industrial-telemetry transmitter, an authorised drone-control protocol, an authorised proprietary IoT protocol, a NOAA-class weather satellite, an open-source cellular baseband from OAI). The student reverse-engineers the protocol from captured IQ to a written specification AND a working GNU Radio reimplementation that interoperates with the original system on the demodulation side.
Required artifacts
- Captured IQ archive across multiple operating conditions (high SNR / low SNR / Doppler / multipath where relevant).
- SIGINT-discipline classification document (modulation / multiple-access / spread-spectrum / framing hypothesis trail).
- GNU Radio flowgraph implementing the full demodulator (and, where authorised, the modulator); demonstrates byte-for-byte interoperation with the original system on at least one captured frame.
- Written protocol specification at a level a successor RE engineer at a peer firm would actually read (physical / link / network / application layers as recoverable; explicit limit-of-confidence statement for any layer not recoverable).
- Reproducibility package: `make capture` reproduces the IQ archive on the target hardware where authorised; `make demod` reproduces the GNU Radio flowgraph against a captured archive; `make verify` demonstrates the byte-for-byte match.
- 20-35 page lab-notebook capstone report covering: target-selection rationale, capture methodology, SIGINT classification trail, RE workflow, protocol specification, limit-of-confidence statement, ROE / FCC / CFAA / ITAR compliance section.
- 15-minute recorded technical demo showing the demodulator running against the captured archive in real time.
Two-tier grading rubric
First, your project must work. The IQ archive reproduces; the SIGINT classification document is internally consistent; the GNU Radio reimplementation extracts the same byte stream the original system emits on at least one captured frame; the recorded demo plays. Reports below this threshold do not pass.
Then we score the report on three dimensions.
- RE depth + SIGINT discipline (40%). Is the SIGINT classification trail systematic and reproducible? Does the demodulator handle the full envelope of operating conditions captured? Is the protocol specification complete at the level a successor RE engineer would actually read?
- Limit-of-confidence honesty + ROE compliance (30%). Is the limit-of-confidence statement complete? Did the student avoid claiming more than the evidence supports? Is transmit operation on lab-shielded equipment only? Is the regulatory framing complete (FCC + ITAR + CFAA)?
- Engineering quality + reproducibility (30%). Does the GNU Radio reimplementation read as production-grade engineering? Does the reproducibility package work end-to-end on a fresh clone?
B− minimum on Tier 2 for the certificate. The capstone is the structural precursor to a working SDR-engineer / wireless-protocol-RE / SIGINT-analyst role; combined with WIR-101's and RF-201's capstones, it produces a portfolio object hiring managers at SDR companies, IoT vendors, defence-adjacent firms, and security-research firms specifically look for.
Tool Journal: RF-301 Originating Entries
~10 new tools enter the diary in RF-301; the WIR-101 + RF-201 corpus continues at capstone depth.
- OpenAirInterface (OAI), the open-source cellular-stack reference; LTE eNB / EPC / 5G NR gNB. Anchored on OAI community docs.
- srsRAN. Alternative open-source cellular-stack; LTE + 5G NR.
- gr-satellites + gr-leo, SATCOM-decoder framework + LEO orbital-mechanics integration. Anchored on libre-space community.
- GNSS-SDR. Open-source GPS / Galileo / GLONASS / BeiDou software-defined receiver.
- gr-fosphor, GPU-accelerated waterfall visualisation; SIGINT discipline tool.
- gr-paint. Spectrogram-art and SIGINT visualisation.
- USRP / Ettus + UHD. Research-grade SDR; program-supplied for cellular + SATCOM labs.
- gr-iio + libIIO advanced, ANT-SDR E200 advanced workflow.
- Advanced antennas (LPDA / discone / yagi), the antenna-selection-by-application discipline.
- ARRL Extra license study materials, the terminal ham-licensing tier.
Recommended Readings
Primary anchors (continued from WIR-101 / RF-201 at advanced depth)
- Wyglinski et al., Software-Defined Radio for Engineers. Artech House, 2018. Full text at advanced depth; receiver-chain chapters become primary. FREE PDF via Analog Devices.
- Richard Lyons, Understanding Digital Signal Processing, 3rd ed. Pearson, 2010. Advanced chapters on adaptive filtering + spectral analysis.
- Marc Lichtman, PySDR. FREE at pysdr.org. Advanced chapters; carries forward as the in-browser substrate.
Module-specific anchors (RF-301 introduces)
- Joseph Mitola, Cognitive Radio Architecture: The Engineering Foundations of Radio XML. Wiley, 2006. Primary anchor for Chapter 2; Mitola coined "software radio" and "cognitive radio".
- David Pozar, Microwave Engineering, 4th ed. Wiley, 2011. Selected RF-circuit-level chapters for Chapter 3 receiver-chain depth.
- Behzad Razavi, RF Microelectronics, 2nd ed. Pearson, 2011. IC-level RF design; alternative to Pozar for students wanting transistor-level depth.
- Bernard Sklar, Digital Communications: Fundamentals and Applications, 3rd ed. Pearson, 2017. Advanced communications-systems chapters.
- Michael Ossmann, "Software Defined Radio with HackRF" video series. FREE on YouTube; carries forward at advanced depth.
- OpenAirInterface community documentation. openairinterface.org. Primary reference for Chapter 5 cellular-stack work.
- James Kurose and Keith Ross, Computer Networking: A Top-Down Approach, 9th ed. Pearson, 2021 (ISBN 978-0-13-592861-5). Chapter 7 (Wireless and Mobile Networks) supplements OAI for the contemporary cellular-architecture framing; the 9e additions are particularly central, §7.3.3 (5G NR / massive-MIMO / mmWave radio side), §7.4 (5G Core Network and the AMF / SMF / UDM / AUSF / UPF roster), §7.5.3 (5G handover and inter-AMF mobility), and §8.8.2 (5G-AKA and SUCI / SUPI / IMSI-catcher attack-class closure). Used in the two cellular-architecture weaves above + the 5G-Core-vs-SDN-vs-Mobile-IP shared sidebar.
- Qing Yang and Lin Huang, Inside Radio: An Attack and Defense Guide. Springer, 2018. RF-RE specialised reference; supplementary for Chapter 8 waveform RE.
Practitioner training (parallel credential pathway)
- ARRL Extra licensing. The terminal amateur-radio tier; full HF/VHF/UHF privileges plus DXCC pursuit.
- SANS GAWN / GIAC GAWN. Pairs with the wireless-pentest cross-cut module + WIR-101 + RF-201 capstones.
Career Outcomes & Cross-Course Bridges
- → VCA-RE-201 (RE of Burst Radio Signals). RF-301's SIGINT discipline + waveform-RE methodology + GNU Radio reimplementation discipline are the substrate RE-201 capstones on; the same byte-level discipline applies above and below the modulation layer.
- → VCA-ADV-101 (Adversarial Techniques). RF-301's anti-jamming + LPI/LPD + advanced-wireless-pentest modules feed adv-101's engagement work; engagements against RF-aware targets become operationally tractable.
- → XD strand (future). The chapter graduates onto the academy's adversarial-defence track at the RF layer.
- Industry. Senior SDR engineers (Ettus / Analog Devices / National Instruments / Per Vices); wireless-protocol-RE engineers at security-research firms (Trail of Bits wireless team / PentHertz / Nettitude RF); RF security researchers at IoT vendors (Lutron / Schlage / smart-meter manufacturers); senior wireless-pentest specialists at offsec consultancies; embedded-radio engineers at modem / cellular / SATCOM vendors (Qualcomm / MediaTek / Iridium / SpaceX); SIGINT analysts in defence-adjacent roles (cleared positions); academic SDR research at university labs.
- Credential paths. ARRL Extra (terminal amateur tier); SANS GAWN; CWNP CWAP / CWSP / CWDP for advanced wireless-LAN; (US) defence cleared positions for SIGINT track.
Certification Alignment
Primary: ARRL Extra. The terminal amateur-radio tier; full HF/VHF/UHF privileges. Continues from RF-201's General. Exam fee ~$15.
Alternative (security specialty): SANS GAWN (GIAC Assessing and Auditing Wireless Networks). High-cost SANS-track credential with substantial employer-funded adoption; pairs with RF-301's wireless-pentest cross-cut + waveform-RE modules.
Forward-pointer: CWNP CWAP (Certified Wireless Analysis Professional) or CWSP (Certified Wireless Security Professional). Vendor-neutral wireless-LAN advanced credentials.
Before You Start
- Have you completed RF-201 and shipped its end-to-end RF-protocol-RE capstone? (If no → RF-201's capstone is central prereq.)
- Have you completed CSA-201 (or equivalent intermediate computer-architecture)? (If no → the cellular-stack and SDR receiver-chain modules assume systems-level fluency at intermediate depth.)
- Are you comfortable with GNU Radio custom-block authoring? (If no → RF-201 review.)
- Can you read primary academic papers on cognitive radio + cellular-stack security + SATCOM-protocol research? (If no → Belt-5 means you read papers; warm up with Mitola intro.)
- Do you have access to advanced SDR hardware (HackRF + ANT-SDR E200 program-supplied; USRP/Ettus program-supplied for select labs)? (If no → academy bench-share for capstone.)
Format Prescriptions
Hour budget: ~26 lec hr + ~58 lab hr + ~86 indep hr (= ~170 hr total).
Live (standard cadence)
2 sessions/wk × 90 min over 14 weeks. Best for advanced-elective post-RF-201.
Night class
1-2 sessions/wk evenings; ~30 weeks. The cellular-stack and capstone modules need extended-evening blocks.
Bootcamp
40 hr/wk × ~4.5 weeks intensive. Compressed but feasible; capstone may extend an extra week.
Async self-paced
Recorded video; per-student SDR kit (RTL-SDR + HackRF; ANT-SDR E200 + USRP loaner); AI-assistant tier add-on; 1:1 tutoring premium for capstone protocol-RE work.
High school / homeschool co-op
Generally not recommended; RF-301 is a deep-specialised graduate-level course. ROE+FCC+ITAR-compliance instructor sign-off required for transmit + cellular-stack labs.