SEC595: Applied Data Science and AI/Machine Learning for Cybersecurity Professionals
SEC595Cyber Defense
SANS Community Benefits
Connect, learn, and share with other cybersecurity professionals
SEC760: Advanced Exploit Development for Penetration Testers
SEC760Offensive Operations
- 5 Days (Instructor-Led)
- 40 Hours (Self-Paced)
Course authored by:
Alexandre Becholey & Stephen Sims
Course authored by:Alexandre Becholey & Stephen Sims
- 40 CPEs
Apply your credits to renew your certifications
- In-Person, Virtual or Self-Paced
Attend a live, instructor-led class at a location near you or remotely, or train on your time over 4 months
- 20 Hands-On Lab(s)
Apply what you learn with hands-on exercises and labs
Develop advanced exploit development skills to discover vulnerabilities, analyze patches, and write complex exploits while working with modern security controls.
Featured Quote
SEC760 was a great course that I can highly recommend. It's truly the "summit" of the pen test curriculum. The instructor did a wonderful job of explaining the complex material to us n00bs and was able to describe things tangibly and in an easy-to-understand way!
Course Overview
This intensive course equips security professionals with advanced exploit development skills needed in today's complex threat landscape. Focusing on modern Windows and Linux systems, participants learn sophisticated techniques for vulnerability discovery, patch analysis, and exploit development. The curriculum covers essential areas including advanced fuzzing methodologies, kernel debugging, and exploitation techniques that work against current security controls. Through hands-on exercises and real-world scenarios, security professionals gain practical experience in reverse engineering applications, Chrome V8 exploitation, binary and patch diffing, and developing exploits for challenging targets like the Windows kernel and modern Linux heap.
What You’ll Learn
- Advanced reverse engineering techniques
- Complex exploit development methodologies
- Modern fuzzing and vulnerability discovery
- Kernel debugging and exploitation skills
- Windows patch analysis and diffing
- Chrome V8 internals and exploitation
- Advanced heap exploitation techniques
Business Takeaways
- Discover zero-day vulnerabilities in programs running on fully-patched modern operating systems
- Use the advanced features of IDA Pro and write your own IDAPython scripts
- Perform debugging of Linux and Windows applications
- Understand and exploit Linux heap overflows.
- Perform patch diffing against programs, libraries, and drivers to find patched vulnerabilities.
- Perform Windows Kernel debugging
- Reverse engineer and exploit Windows kernel drivers
Meet Your Authors
- Slide 1 of 2
Alexandre Becholey
Certified Instructor CandidateAlexandre Becholey has been a driving force in offensive cybersecurity since 2013, applying his expertise in exploit development, reverse engineering, and iOS penetration testing across diverse industries.
Read more about Alexandre Becholey - Slide 2 of 2
Stephen Sims
FellowStephen Sims, an esteemed vulnerability researcher and exploit developer, has significantly advanced cybersecurity by authoring SANS's most advanced courses and co-authoring the "Gray Hat Hacking" series.
Read more about Stephen Sims
Slide 1 of 0
(1/0)
Course Syllabus
Explore the course syllabus below to view the full range of topics covered in SEC760: Advanced Exploit Development for Penetration Testers.
Section 1IDA Pro, Exploit Mitigations, and Windows Kernel Debugging
This section begins working with IDA Pro to look the latest features and techniques. We look at IDA scripting to aid in your reverse engineering workflow and how to leverage AI to assist. Additionally, we cover debugging with IDA, how to create FLIRT signatures, and optimizing your build environment.
Topics covered
- Windows Defender Exploit Guard implementation
- Reversing and debugging mitigations in-depth
- IDA Pro fundamentals and advanced features
- IDA debugging capabilities
- Lumina, FLIRT, and FLAIR
Labs
- Analyze Windows Defender Exploit Guard configurations
- Setting up Windows kernel debugging
- Develop custom IDAPython scripts
- Recreating undocumented structures in IDA
- Reversing and debugging Windows exploit mitigations
Section 2Advanced Linux Exploitation
Focusing on sophisticated Linux exploitation techniques, this section builds upon fundamental vulnerability knowledge to address modern attack methodologies. Participants learn to navigate and exploit heap structures and develop advanced exploitation strategies. Chrome V8 vulnerabilities are inherently complex.
Topics covered
- Linux heap management fundamentals
- Off-by-One vulnerability exploitation
- TCache poisoning techniques
- Chrome V8 Internals
- Introduction to JavaScript
Labs
- Analyze heap management structures
- Information disclosure exploitation
- Create TCache poisoning exploits
- Chrome V8 exploitation
- Shellcode smuggling
Section 3Advanced Fuzzing
Building on basic concepts, this section explores sophisticated fuzzing methodologies for vulnerability discovery. Participants learn to implement coverage-guided fuzzing, develop custom harnesses, and utilize advanced tools like WinAFL for closed-source application testing.
Topics covered
- Advanced fuzzing architectures
- Code coverage analysis
- Harness development
- Closed-source application fuzzing
- Full-system fuzzing implementation
Labs
- Configure WinAFL for PDF reader analysis
- Build custom fuzzing harnesses
- Implement code coverage tracking
- Execute full-system fuzzing tests
- Analyze fuzzing results
Section 4Patch Diffing and One-Day Exploitation
Participants learn to analyze vendor patches for vulnerability identification and exploitation. The section covers binary diffing techniques and patch analysis methodologies. You will reverse notable Microsoft patches from the past as well as patches from 2025. Microsoft often changes the way in which patches are packaged up.
Topics covered
- Microsoft patch management processes
- Binary diffing methodologies
- Vulnerability identification techniques
- One-day exploit development
- BinDiff and Diaphora
Labs
- Extract and analyze Microsoft patches
- Perform binary difference analysis
- Develop one-day exploits
- Practice kernel debugging
- Implement exploitation techniques
Section 5Windows Kernel Debugging and Exploitation
This section teaches Windows 11 kernel debugging and exploitation techniques. Participants learn to navigate kernel complexities, analyze Ring 0 vulnerabilities, and develop working exploits while dealing with modern protection mechanisms.
Topics covered
- Windows kernel architecture
- Modern kernel protections
- WinDbg debugging techniques
- Kernel vulnerability analysis
- Token manipulation techniques
Labs
- Analyze driver vulnerabilities
- Develop kernel exploits
- Implement token stealing techniques
- Practice information disclosure attacks
Things You Need To Know
Relevant Job Roles
Vulnerability Researcher & Exploit Developer
Offensive OperationsIn this role, you will work to find 0-days (unknown vulnerabilities) in a wide range of applications and devices used by organizations and consumers. Find vulnerabilities before the adversaries!
Explore learning pathVulnerability Assessment
SCyWF: Protection And DefenseThis role tests IT systems and networks and assesses their threats and vulnerabilities. Find the SANS courses that map to the Vulnerability Assessment SCyWF Work Role.
Explore learning pathPenetration Tester
European Cybersecurity Skills FrameworkAssess the effectiveness of security controls, reveals and utilise cybersecurity vulnerabilities, assessing their criticality if exploited by threat actors.
Explore learning pathRed Teamer
Offensive OperationsIn this role you will be challenged to look at problems and situations from the perspective of an adversary. The focus is on making the Blue Team better by testing and measuring the organization’s detection and response policies, procedures, and technologies. This role includes performing adversary emulation, a type of Red Team exercise where the Red Team emulates how an adversary operates, following the same tactics, techniques, and procedures (TTPs), with a specific objective similar to those of realistic threats or adversaries. It can also include creating custom implants and C2 frameworks to evade detection.
Explore learning pathCourse Schedule & Pricing
Looking for Group Purchasing Options?Contact Us
Filter by:
Location & instructorDate & TimeCourse priceRegistration Options
- Date & TimeOnDemand (Anytime)Self-Paced, 4 months accessCourse price$8,780 USD*Prices exclude applicable local taxesRegistration Options
- Date & TimeFetching schedule..View event detailsCourse price€8,230 EUR*Prices exclude applicable local taxesRegistration Options
- Date & TimeFetching schedule..View event detailsCourse priceA$13,350 AUD*Prices exclude applicable local taxesRegistration Options
- Date & TimeFetching schedule..View event detailsCourse price$8,780 USD*Prices exclude applicable local taxesRegistration Options
- Date & TimeFetching schedule..View event detailsCourse price€8,230 EUR*Prices exclude applicable local taxesRegistration Options
- Location & instructor
Amsterdam, NL & Virtual (live)
Date & TimeFetching schedule..View event detailsCourse price€8,230 EUR*Prices exclude applicable local taxes
Showing 6 of 6
Learn Alongside Leading Cybersecurity Professionals From Around The World
- Slide 1 of 3I've taken many other advanced exploit dev classes and none of them break it down and step through the exploits like this class.
- Slide 2 of 3SEC760 is the challenge I was looking for. It will be overwhelming, but well worth it.
- Slide 3 of 3The hands-on labs in SEC760 were some of the most intense and educational I've ever experienced. Highly recommend for serious pen testers.
Slide 1 of 0
(1/0)
Benefits of Learning with SANS
Get feedback from the world’s best cybersecurity experts and instructors
Choose how you want to learn - online, on demand, or at our live in-person training events
Get access to our range of industry-leading courses and resources