VCA-PEN-101 — Introduction to Penetration Testing
VCA-RE-101 teaches students to characterize a device. VCA-ADV-101 teaches them to test a specific published vulnerability under authorization. VCA-PEN-101 sits between them and broadens the scope: a disciplined introduction to the full engagement lifecycle a professional penetration tester executes when a client gives them scope, a target network, and a week to find whatever is findable.
Course Overview
The course is deliberately broader than one vulnerability. It is also deliberately narrower than “how to hack everything.” It is how a Virtus Academy graduate would perform their first professionally scoped engagement against a small business LAN — reconnaissance, enumeration, vulnerability identification, exploitation (within scope), privilege escalation, lateral movement, reporting — and document the work to a standard a paying client would accept.
Learning Outcomes
- Scope and contract an authorized engagement — SOW, ROE, change-control process.
- Conduct OSINT and passive reconnaissance of a target organization without tripping detection.
- Perform active reconnaissance and enumeration (host discovery, port and service enumeration, banner grabbing, OS fingerprinting) using Nmap, Masscan, and purpose-built tooling.
- Identify vulnerabilities in common services (SMB, SSH, HTTP, DNS, databases) using Nessus, Nuclei, and manual techniques.
- Exploit misconfigurations and commonly weaponized vulnerabilities using Metasploit, manual exploitation, and scripted tooling — within authorized scope.
- Escalate privileges on Linux and Windows targets using published technique families.
- Move laterally across an authorized network and reason about scope-limiting rules.
- Produce a professional-register engagement report with executive summary, CVSS-scored findings, remediation guidance, and appendices.
Weekly Schedule
| Week | Topic | Laboratory |
|---|---|---|
| 1 | Engagement lifecycle, authorization, ROE, ethics | Draft an ROE for a hypothetical SMB client |
| 2 | OSINT and passive reconnaissance | OSINT dossier on a lab target |
| 3 | Active reconnaissance — Nmap, Masscan, service enumeration | Full scan and enumeration of the lab network |
| 4 | Web application recon — directory enumeration, fingerprinting, Burp Suite | Enumerate provided web targets, identify attack surface |
| 5 | Vulnerability identification — Nessus, Nuclei, manual analysis | Identify and triage vulnerabilities |
| 6 | Midterm practical — 3-hour scoped mini-engagement | Proctored exam |
| 7 | Exploitation I — Metasploit, public exploits, when not to use them | Exploit Metasploitable, DVWA, HTB retired boxes |
| 8 | Exploitation II — web-app (SQLi, XSS, SSRF, IDOR, file upload, deserialization) | Attacks on Juice Shop / WebGoat |
| 9 | Post-exploitation — Linux and Windows privilege escalation | Privilege-escalation labs on both platforms |
| 10 | Lateral movement, pivoting, credential reuse; operational security | Simulated multi-host engagement |
| 11 | Reporting and client communication; ethics of disclosure | Write and present the engagement report |
Capstone — Five-Day Simulated Engagement
Students conduct a five-day simulated engagement against an instructor-built target network (three to five hosts with documented intentional vulnerabilities). Deliverables:
- Engagement report — executive summary, methodology, findings (CVSS-scored), evidence appendix, remediation roadmap.
- Oral debrief — simulated 20-minute client meeting with faculty playing technical and non-technical stakeholders, plus Q&A.
The report register is client-professional, not academic-publication. It is explicitly graded on actionability for the imagined client.
Required Hardware & Software
- No additional hardware beyond the standard student compute environment (personal laptop or rented Pi).
- The target network runs in program-owned lab infrastructure (Proxmox or VMware cluster, reset per cohort).
- Kali Linux in a VM or as the Pi distribution.
- Tools: Nmap, Masscan, Nessus Essentials, Nuclei, Burp Suite Community, Metasploit, Hashcat, Impacket. All free; Kali bundles most.
Texts: Weidman, Penetration Testing: A Hands-On Introduction to Hacking (No Starch, 2014); Hickey & Arcuri, Hands On Hacking (Wiley, 2020); OWASP Testing Guide v4.2 (free); PTES (free online).
Certification Alignment
CompTIA PenTest+, CompTIA Security+, OSCP Prep
Primary: CompTIA PenTest+ — course content exceeds the exam objectives in every domain. Students should sit PenTest+ within three months of completion. Long-term: OffSec OSCP — this course is explicit preparation for the OSCP skill register.
Interested in VCA-PEN-101?
Email academy@virtuscybersecurity.com with your register and why.