OSEE training (EXP-401) - Advanced Windows Exploitation

5 days, Classroom, English

Sharpest price in just 2 steps

Requesting more information and/or the current price of this training is easy. We take into account any ongoing promotions, subsidies, or relationship discounts.

Description

Advanced Windows Exploitation (AWE) is one of the most challenging and advanced training programs in the field of exploit development and pentesting. This training builds on the knowledge and techniques you have learned in the Penetration Testing with Kali Linux (PEN-200/OSCP) and preferably also Evasion Techniques and Breaching Defenses (PEN-300/OSEP) training.

Modern exploits for Windows-based platforms require modern methods to bypass Microsoft’s defenses. In the Advanced Windows Exploitation (EXP-401) training, OffSec challenges participants to develop creative solutions that work in today’s increasingly difficult exploitation environments.

The case studies in AWE are based on large, well-known applications that are widely deployed in corporate networks. The training delves deeply into topics ranging from techniques to bypass security measures to complex heap manipulations and 64-bit kernel exploitation. Offensive Security Exploitation Experts (OSEEs) possess the skill to analyze vulnerable software, identify problematic code, and develop working exploits for various modern Windows operating systems. These skills are highly valuable in the field of cybersecurity and penetration testing.

AWE is a particularly demanding penetration testing training. It requires a significant amount of interaction between the student and the instructor. Therefore, the AWE training (unlike other OffSec titles) can only be taken in a classroom, hands-on environment with a lot of individual guidance.

Advanced Windows Exploitation is OffSec’s flagship and our most rigorous offensive training and requires a significant time investment. In addition to the classroom days, you are expected to read case studies every evening and review the provided course materials.

The training is provided at TSTC by OffSec accredited trainers who are also OSEE EXP-401 certified themselves.

Given the nature of the 72-hour OSEE exam, you schedule it yourself after the training, at a time that suits you. You take the exam at your own location, and an exam voucher is included with the training.

 

Trainers

The training is provided by OffSec accredited trainers at TSTC who are of course also OSEE EXP-401 certified themselves.

Certification

Participants who complete EXP-401 and pass the associated 72-hour practical exam will receive the Offensive Security Exploitation Expert (OSEE) certification. The OSEE exam tests not only your knowledge of the course content but also your ability to think laterally and continuously adapt to new challenges. The virtual lab environment has several targets to attack. The software within this environment contains specific, unknown vulnerabilities. Participants have 72 hours to develop and document exploits. The exam requires a stable, fast internet connection. Afterward, you will write a comprehensive penetration testing report, which you will submit as part of the exam. The report must include in-depth notes and screenshots that detail the steps taken and the exploit methods used.

Training Requirements

  • Exploit developers looking for advanced Windows skills.
  • Security professionals who want to develop deeper exploitation techniques.
  • Red teamers who focus on advanced Windows exploits.
  • Application Security (AppSec) analysts who want to explore advanced exploitation scenarios.
  • Required prior knowledge: Students must have experience developing Windows exploits and be proficient in using a debugger. Familiarity with tools such as WinDBG, x86_64 assembly, IDA Pro, and basic programming in C/C++ is strongly recommended. A strong willingness to work hard and put in real effort will greatly benefit the final results of this training.

Training Content

64-bit Memory Architecture

Writing Exploit Code

Shellcode Framework Creation

Reverse Shell

Wrapping Up

Vulnerability Classes

Data Execution Prevention (DEP)

Address Space Layout Randomization

VMware Workstation Internals

UaF Case Study: VMware Workstation Drag & Drop Vulnerability

The Windows Heap Memory Manager

Low Fragmentation Heap

UaF Case Study: Triggering the Bug

UaF Case Study: A Deeper Look at the Bug

UaF Case Study: Reallocation Control

UaF Case Study: Fake Virtual Table

UaF Case Study: ROP Storage

UaF Case Study: Bypassing ASLR

UaF Case Study: Stack Pivoting

UaF Case Study: Defeating DEP

Restoring the Execution Flow

Executing Shellcode

Windows Defender Exploit Guard

Testing the WDEG Protections

ROP Mitigations

Wrapping Up

Edge Internals

Type Confusion Case Study

Exploiting Type Confusion

Going for RIP

CFG Bypass

Data Only Attack

Arbitrary Code Guard (ACG)

Advanced Out-of-Context Calls

Remote Procedure Calls

Perfecting Out-of-Context Calls

Combining the Work

Browser Sandbox

Sandbox Escape Practice

The Great Escape

Upping The Game

Wrapping Up

The Windows Kernel

Kernel-Mode Debugging on Windows

Communicating with the Kernel

Windows Kernel Security Mitigations

Vulnerability Classes

Kernel-Mode Shellcode

Vulnerability Overview and Exploitation

ROP-Based Attack

Version Independence

Wrapping Up

Windows Desktop Applications

Triggering the Vulnerability

TagWND Write Primitive

TagWND Leak and Read Primitive

Privilege Escalation

Virtualization-Based Security

Executing Code in Kernel-Mode

Wrapping Up

What Can I Learn After The OSEE training (EXP-401) - Advanced Windows Exploitation?

  • Bypassing and evading security measures in user mode such as DEP, ASLR, CFG, ACG, and CET
  • Reverse engineering of 64-bit Windows kernel drivers and discovering vulnerabilities
  • Advanced heap manipulations to achieve code execution, as well as guest-to-host and sandbox escapes
  • Bypassing security measures in kernel mode such as kASLR, NX, SMEP, SMAP, kCFG, and HVCI
  • Disabling WDEG measures and creating version independence for weaponization

Schedules

This training is scheduled as follows in the coming period. Missing a date? Feel free to contact us.

Date: 2 - 6 November 2026

Location: TSTC Veenendaal - Classroom

Date: By arrangement

Location: TSTC Veenendaal - Classroom

Learning paths

This training can also be taken as part of the below learning path(s). If you want to follow multiple titles from a learning path, please contact our advisors for a suitable bundle offer.

Frequently Asked Questions

Certainly, just like with all our other training sessions, you can optionally stay at the nearby Van der Valk Veenendaal hotel during the course days, which also includes daily dinner, breakfast, and tourist tax.

It is essential to have a powerful laptop that meets the following specifications:

  • Able to run three virtual machines (VMs) simultaneously without issues
  • Operating System: Windows 10 (the only supported host operating system)

Hardware requirements:

  • VMware Workstation 15 or higher
  • 64-bit CPU with at least 4 cores, support for NX, SMEP, VT-d/IOMMU, and VT-x/EPT
  • At least 160 GB of free storage space on the hard drive
  • At least 16 GB of RAM

Please do not use netbooks or systems with low resolution.

No, unlike the other OffSec trainings, the EXP-401 training does not include online content. The training is specifically designed to be conducted in a personal, hands-on environment to ensure optimal learning and interaction with instructors and fellow students.

Why experienced professionals choose TSTC for their studies

Train smarter, not harder. TSTC's unique approach guarantees the effective acquisition of skills and the greatest chance of success.
