This year I had the opportunity to take a few stellar instructor-led training courses, one of which was Joe McCray's "Advanced Penetration Testing: Pentesting High Security Environments" course from his training entity LearnSecurityOnline.

Since I'm already doing pen testing full time I feel like it's a tremendous opportunity to see what techniques other testers use. I'm definitely not arrogant enough to think I know everything, but I do know Joe is tremendously skilled and has many more years "in the game" than I have. What an opportunity for me to learn from the best.

Joe's class is presented as higher level pen test course. There are no real introductions into pen testing theory, tools, or syntax. APT is largely comprised of labs and demos. The course also has a very unique structure. It comes from the mindset of attacking from the outside (web) and pivoting through the DMZ to the LAN. There is a lot of emphasis on stealth, persistence, and evasion. Even if your testing isn't scoped this way it is a powerful ability to be able to show your clients how one seemingly innocuous web flaw can lead to network disaster. Regardless, I found that this class was beneficial even to those that separated web and network scopes.

This review covers the course offered in conjunction with Black Hat Training at the venerable annual event in 2010 and will take a detailed look at the 2-day agenda, coverage of the 5-Day version of the course, thoughts on presentation and technical content, conclusions made as well as modest recommendations.