AI-ing OWASP-focused Web App Pentest Workflow

  • Thu, Jul 9, 2026
  • 3:00PM - 4:00PM EDT
  • English
  • Timothy McKenzie
  • Technical Presentation

OWASP offers much more than a single Top 10 list, and this talk turns that ecosystem into a live pentest workflow. The session starts with the OWASP project map, Top 10 families, Cheat Sheets, and training applications like Juice Shop, FinBot, and PyGoat. From there, the demo moves through recon with Amass compared to dnsrecon and fierce, vulnerability scanning with OWTF and Nettacker, Burp Suite scanning driven through MCP and Codex, scan data import into DefectDojo, and AI-assisted report writing. The result is a compressed but recognizable pentest arc that showcases both OWASP resources and modern AI-enabled operator workflows.

Who Should Attend

  • Pen testers
  • AppSec engineers
  • Red teamers
  • Defenders
  • Security-minded developers

Learning Objectives

  • Identify where OWASP's project map, Top 10 families, and Cheat Sheets fit into a practical web application pentest workflow
  • Compare reconnaissance and scanning roles across Amass, dnsrecon, fierce, OWTF, Nettacker, and Burp Suite
  • Explain how Burp MCP and Codex can accelerate scanning, triage, and verification without replacing analyst judgment
  • Understand how to move findings into DefectDojo and use AI to accelerate report drafting from verified evidence
  • Recognize when to pivot from standard web application testing into AI-specific resources such as OWASP GenAI materials

This session supports concepts from SEC542: Web App Penetration Testing and Ethical Hacking.

Meet Your Speaker

Timothy McKenzie

Owner at 3L337 Consulting, LLC

Timothy McKenzie redefined offensive security through decades of Red and Purple Team operations, advancing the industry’s threat simulation standards and influencing thousands of cybersecurity professionals with his adversary emulation strategies.
