Information Security Training Paths - Offensive Security

Information Security Training Paths at OffSec


Offensive Security offers information security courses to develop our students along three paths: penetration testing, web application security, and wireless security.

While our courses are best-known among established or aspiring penetration testers, those in IT careers can also benefit from information security training. System, network, and database administrators, IT analysts, web app developers, and others in IT and web development should also consider how they can secure their systems, networks, and apps.

Which training path should you consider at OffSec?

  • IT professionals and information security pros who haven’t already taken an OffSec course should start with penetration testing to learn the foundations of offensive cybersecurity.
  • Web application security specialists and web developers should consider the web application security path to learn how to uncover vulnerabilities that can be chained into more serious attacks.
  • Network administrators and penetration testers should consider the wireless security track to learn how to audit and secure wireless devices.

Learn more about starting each path in the following sections.

Jump to section: Penetration Testing | Web Application Security | Wireless Security

For IT and Aspiring Infosec Professionals: Penetration Testing

Understanding how systems and networks can be attacked – and how an attacker thinks – gives you the edge in better security. If you learn how to attack a system, you can spot new ways to defend it – which is why OffSec believes that a solid understanding of offensive techniques improves your ability to counter them defensively.

A penetration tester focuses on identifying vulnerabilities within a system, network, or application. They conduct assessments to identify issues or weaknesses in a client’s environment that an attacker may abuse.

Required Skills

The foundational knowledge required to become a pentester is often developed in software development, network and system administration, and other IT roles.

A solid understanding of Linux and Windows operating systems forms the basis of a penetration tester’s skill set. Knowledge of scripting languages such as Python, Ruby, and Bash also helps.

Finally, good communication skills are critical. Being able to draft findings into a report and to help other areas of the business understand the impact beyond the IT department is key.

Penetration Testing Training

Penetration Testing with Kali Linux (PWK) is the foundational penetration testing course at Offensive Security. It introduces tools and techniques while instilling the Try Harder mindset.

In PWK, some of the things you’ll learn include:

  • Active Directory attacks
  • PowerShell for pentesting
  • Buffer overflows
  • Remote code execution and local privilege escalation attacks
  • Client-side attacks
  • XSS and SQL injections

This course was massively overhauled for 2020; we more than doubled the course materials, refreshed the existing lab machines, and added 33% more new machines. You can review the full course syllabus here.

Completing the course and passing the exam confers the Offensive Security Certified Professional (OSCP) certification, which will be especially valuable if you seek to transition from IT to a more security-focused role.

Back to top

For Pentesters and Web Developers: Web Application Security

Web app security training at OffSec focuses on taking a deep dive into source code review. While still focusing on penetration testing, a web app security specialist offers greater value if they can read, understand, and exploit code, not just scan it.

Web application security assessments are most effective when you have access to the source code – the white box approach. Reviewing code for logical vulnerabilities can reveal a function that can be exploited externally or on the backend, one that may not have been uncovered in a simple scan.

Required Skills

The strongest web application security specialists will have a deep understanding of the entire software development lifecycle from both a front-end and a back-end perspective. A solid understanding of HTML, JavaScript, Java, Python, and .NET is the foundation of this path.

To grow your skill set, get familiar with Linux and Windows operating systems, including file permissions, navigation, editing, and running scripts. Next, become familiar with standard attack vectors, theory, and practice. Finally, you’ll want to get some experience with web proxies like Burp Suite. A course like PWK can help with this.

Web Application Security Training

We teach white box web app pentesting in Advanced Web Attacks and Exploitation. In AWAE, you’ll learn how to:

  • Perform advanced security assessments on source code
  • Chain attacks to exploit vulnerabilities
  • Use what you’ve learned to optimize code and reduce the potential for manipulation

Students following this learning path can take an exam to earn their Offensive Security Web Expert (OSWE) certification. Earning your OSWE will demonstrate to employers that not only are you a capable penetration tester, but also that you possess specialized knowledge of web application security.

For web developers – particularly those building apps for sensitive industries like healthcare, finance, and government – it signals your dedication to security by design, not just privacy by design.

Back to top

For Network Admins: Wireless Security

Wireless networks and devices represent additional security challenges. Insufficiently secured wireless networks can represent opportunities for attackers to access confidential information, deliver malware, execute man-in-the-middle attacks, and more. Learning how these and other vulnerabilities can be exploited enables you to better defend against them.

Required Skills

To progress on the wireless security path, you’ll need familiarity with Linux and a solid understanding of TCP/IP and the OSI model. Previous experience in network administration will provide a firm starting point to transition to wireless security.

Wireless Penetration Testing Training

Our Wireless Attacks (WiFu) course offers greater insight into wireless security and increases our students’ awareness of the need for real-world security solutions. In WiFu, you’ll learn how to audit, compromise, and secure wireless devices and networks.

Competencies gained include:

  • Attacking both WEP and WPA-PSK networks, using passive and active attacks
  • Executing advanced attacks, such as PRGA key extraction and one-way packet injection
  • Using various wireless reconnaissance tools
  • Understanding how to execute rogue access point attacks

To take the course, the student will need their own wireless card and access point. Hardware recommendations can be found under the course description. Students will practice concepts learned in the course in a home lab.

For those students seeking to prove their wireless security skills, OffSec also offers the Offensive Security Wireless Professional (OSWP) certification.

Back to top

Selecting an Infosec Training Path

Before engaging in any information security training or penetration testing course, step back and consider your learning goals.

  • Why are you considering a course? Are you taking the course purely to learn? Or to earn a certification?
  • How will a given course develop your skills, knowledge, and attitude about the topic?
  • Where are you trying to grow or advance in your career?

At OffSec, we stress the importance of learning, rather than simply gathering certifications. While a certification serves as formalized proof of your skills and can open doors, what’s more important is that you’ve understood and can use the course content.

Starting Your Journey with OffSec

We recommend starting your learning journey with OffSec by taking PWK, regardless of which path you choose. As the foundational penetration testing course, PWK teaches the tools, techniques, and mindset necessary to succeed as a top information security professional.

While AWAE is an advanced course, penetration testers and web developers with extensive experience may be able to start here. You should be solid in all of the areas listed under the “Required Skills” in the Web Application Security Training section before starting AWAE.

Likewise, you may be able to attempt WiFu without taking PWK if you have solid experience with networking and wireless devices.

If you’re trying to decide how to select information security training for your business or organization, download our free guide as a starting point. We also have a dedicated team of experts available to answer questions.

Download Now: Selecting the Best Information Security Training for Your Organization
Free download: Selecting the Best Information Security Training for Your Organization