Offensive Whiteboard Hacking for Penetration Testers


Course Description

The training material and hands-on workshops with real live Use Cases are provided by Toreon. The students will be challenged to perform practical threat modeling in groups of 3 to 4 people covering the different stages of offensive threat modeling on:
  • Attacking a hotel booking web and mobile application, sharing the same REST backend
  • Weakness analysis of an Internet of Things (IoT) smart home deployment
  • Get into the defenders head – modeling points of attack against a nuclear facility
During the training many real life examples of attacks will be provided. Toreon has delivered threat modeling training courses at Black Hat, OWASP and O’Reilly Security conferences.

Course contents

Threat modeling introduction
  • Offensive threat modeling for penetration testers
  • What is threat modeling?
  • Why perform threat modeling?
  • Threat modeling stages
  • Diagrams
  • Identify threats
  • Addressing threats
  • Exploiting a threat model
Diagrams – what are you attacking?
  • Understanding context
  • Doomsday scenarios
  • Data flow diagrams
  • Attack Boundaries
  • Hands-on: Attacking a B2B web and mobile applications, sharing the same REST backend
Identifying threats – how can we attack?
  • STRIDE introduction
  • Spoofing threats
  • Tampering threats
  • Repudiation threats
  • Information disclosure threats
  • Denial of service threats
  • Elevation of privilege threats
  • Attack trees
  • Hands-on: Weakness analysis of an Internet of Things (IoT) smart home deployment
Understanding defence
  • Mitigation patterns
  • Authentication: mitigating spoofing
  • Integrity: mitigating tampering
  • Non-repudiation: mitigating repudiation
  • Confidentiality: mitigating information disclosure
  • Availability: mitigating denial of service
  • Authorization: mitigating elevation of privilege
  • Hands-on: get into the defenders head – modeling points of attack of a nuclear facility.
Attack libraries
  • Attack libraries
  • OWASP Top 10
  • The “Snowden” documents
  • Other lists
  • Create your own attack list
Penetration testing based on threat models
  • Create pentest cases for threat mitigation features
  • Pentest planning to exploit security design flaws
  • Vulnerabilities as input to plan and scope security testing
  • Prioritization of pentesting based on risk rating
  • Threat modeling resources
  • Open-Source tools
  • Commercial tools
  • General tools
  • Hands-on examination
  • Grading and certification

Target audience

This training is aimed at security professionals or penetration testers.


Before attending this course, students should be familiar with basic knowledge of penetration testing methodologies and techniques.

Hardware/Software Requirements

The students should bring their own laptop to the course.


Example feedback from our Black Hat training attendees:
  • Sebastien delivered! One of the best workshop instructor’s I’ve ever had.
  • Very nice training course, one of the best I ever attended.”
  • I feel that this course is one of the most important courses to be taken by a security professional.
  • The group hands-on practical exercises truly helped.

Trainer Biography

Steven Wierckx is a software and security tester with 15 years of experience in programming, security testing, source code review, test automation, functional and technical analysis, development, and database design, Steven shares his passion for web application security through writing and training on testing software for security problems, secure coding, security awareness, security testing, and threat modeling. He is the project leader for the OWASP Threat Modeling Project and organizes the BruCON student CTF. Last year, he spoke at Hack in the Box Amsterdam, hosted a workshop at BruCON and delivered threat modeling trainings at OWASP AppSec USA and O’Reilly Security New York.

Linkedin : steven-wierckx
Twitter : @ihackforfun