Applied Penetration Testing Engineer: Hands-on

Course Content

Applied Penetration Testing Engineer: Hands-on Course Syllabus
Applied Penetration Testing Engineer: Hands-on Experience
Practical-Oriented Course Syllabus
For CSE Students and Early-Stage Professionals
Suggested Duration: 80 Hours | Nature: Theory + Lab + Project
Delivery Scale: Suitable for around 20 training batches, with approximately 20 trainees in each batch
1. Course Rationale
Cybersecurity has become a core requirement for modern computing systems, software platforms, networks, web services, cloud environments, and digital infrastructure. For Computer Science and Engineering students and early-stage professionals, learning ethical hacking only at the conceptual level is not enough. They need structured and supervised exposure to secure laboratory environments, threat awareness, safe testing methods, vulnerability assessment, system hardening, log analysis, and incident-oriented thinking. This course is therefore designed as a practical, defense-focused training program that develops hands-on cybersecurity skills while maintaining clear ethical, legal, and professional boundaries.
2. Target Participants and Delivery Context
This course is intended for:
• undergraduate and graduate students in Computer Science and Engineering,
• recent graduates seeking practical cybersecurity foundations, and
• early-stage professionals requiring hands-on exposure to defensive security assessment and secure system practices.
The syllabus is structured so that it can be delivered repeatedly across around 20 batches, with approximately 20 trainees in each batch. All practical activities should be carried out only in authorized, instructor-controlled laboratory or sandbox environments. The current document presents the complete course syllabus in training format. If approved, the detailed contents of each module may later be expanded and organized in book format for structured teaching, supervised lab delivery, and self-study.
3. Ethical and Legal Scope
This course is designed strictly for authorized security learning. It emphasizes ethical conduct, responsible disclosure, safe laboratory practice, and legal compliance. Practical activities are limited to institutionally approved lab systems, local virtual machines, training platforms, and intentionally vulnerable educational environments prepared for defensive learning. The course does not support unauthorized intrusion, misuse of tools, or real-world offensive activity.
4. Course Objectives
After successful completion of the course, learners should be able to:
1. explain the ethical, legal, and technical foundations of ethical hacking and defensive cybersecurity,
2. understand common threat categories, attack surfaces, and risk indicators in modern computing environments,
3. perform basic system, web, and network security assessment activities in controlled lab environments,
4. use selected security tools for observation, analysis, vulnerability identification, and defensive verification,
5. apply secure configuration, authentication, access control, and logging practices,
6. analyze incidents and propose mitigation strategies based on practical evidence, and
7. design and present a small defensive security project using supervised lab workflows.
5. Course Outcomes
On successful completion of the course, learners will be able to:
CO1. Explain ethical, legal, and technical principles related to ethical hacking and responsible security practice.
CO2. Identify common threats, vulnerabilities, and exposure points in systems, web applications, and networks.
CO3. Perform basic security observation and controlled vulnerability assessment tasks in authorized lab settings.
CO4. Apply secure system configuration, password, authentication, and access-control practices.
CO5. Use logs, packet traces, and host-level evidence to support troubleshooting and incident-oriented analysis.
CO6. Evaluate and communicate practical mitigation measures for identified security weaknesses.
CO7. Design, document, and present a supervised mini project related to defensive security assessment and hardening.
6. Hour Distribution
| Component | Hours | Percentage |
| --- | --- | --- |
| Theory | 28 | 35% |
| Hands-on Lab and Guided Practice | 42 | 52.5% |
| Project, Demonstration, and Presentation | 10 | 12.5% |
| Total | 80 | 100% |
7. Module-Wise Syllabus
7.1 Module 1: Foundations of Penetration Testing and Cybersecurity 6 Hours
Theory focus: penetration testing goals, ethical hacking concepts, threat landscape, attack surface, terminology, legal boundaries, and professional ethics
Hands-on focus: setting up a supervised virtual lab, understanding isolated environments, and preparing a safe penetration testing workflow
7.2 Module 2: Information Gathering and Reconnaissance 8 Hours
Theory focus: OSINT techniques, footprinting, passive reconnaissance, data sources, and attack surface discovery
Hands-on focus: using WHOIS, DNS tools, Shodan, and Maltego for information gathering
7.3 Module 3: Scanning and Enumeration 8 Hours
Theory focus: port scanning, service discovery, enumeration techniques, and protocol analysis
Hands-on focus: using Nmap and enumeration tools to identify live systems and services
7.4 Module 4: Vulnerability Assessment 8 Hours
Theory focus: vulnerability concepts, CVE analysis, risk scoring, and misconfiguration detection
Hands-on focus: running OpenVAS/Nessus scans and validating findings
7.5 Module 5: Exploitation Techniques 10 Hours
Theory focus: exploit fundamentals, payloads, attack vectors, and frameworks
Hands-on focus: using Metasploit and manual exploitation techniques
7.6 Module 6: Post Exploitation and Privilege Escalation 8 Hours
Theory focus: privilege escalation, persistence, lateral movement, and access maintenance
Hands-on focus: credential dumping, privilege escalation, and pivoting techniques
7.7 Module 7: Web Application Security 10 Hours
Theory focus: OWASP Top 10, authentication flaws, input validation, and session management
Hands-on focus: testing SQL injection, XSS, and authentication bypass
7.8 Module 8: Password Attacks and Cracking 6 Hours
Theory focus: password security, hashing mechanisms, brute force and dictionary attacks
Hands-on focus: using Hashcat, Hydra, and John the Ripper
7.9 Module 9: Network Attacks and Sniffing 6 Hours
Theory focus: network protocols, sniffing techniques, and MITM attacks
Hands-on focus: capturing and analyzing traffic using Wireshark
7.10 Module 10: Evasion Techniques 4 Hours
Theory focus: IDS/IPS evasion, antivirus bypass, and obfuscation
Hands-on focus: testing payload evasion techniques
7.11 Module 11: Reporting and Documentation 4 Hours
Theory focus: report structure, risk rating, executive summary, and technical documentation
Hands-on focus: creating professional penetration testing reports
7.12 Module 12: Final Project and Presentation 10 Hours
Theory focus: project planning, scoping, and communication
Hands-on focus: conducting a full penetration test and presenting findings
8. Suggested Laboratory and Practice Activities
The course may include, but is not limited to, the following practical activities:
1. preparing isolated virtual machines and snapshots for security training,
2. using Linux and Windows command-line tools for security observation,
3. identifying services and communication behavior in a supervised lab network,
4. documenting an asset inventory and exposure checklist,
5. running approved vulnerability assessment tools in an educational sandbox,
6. reviewing scan results and mapping them to defensive remediation,
7. analyzing common web security weaknesses using intentionally vulnerable local practice applications,
8. applying secure password, access-control, and multi-factor authentication settings,
9. hardening local operating systems and services,
10. capturing and reviewing packet traces for selected lab scenarios,
11. collecting and filtering log data for suspicious events,
12. evaluating phishing indicators using sample educational content,
13. preparing a basic incident timeline and summary report,
14. reviewing cloud or application security misconfiguration cases in a classroom setting, and
15. completing a mini project on defensive review, secure configuration, or supervised lab security assessment.
9. Teaching and Training Methodology
The course is designed to emphasize practical skill development in supervised environments. A suitable delivery approach may include:
• short interactive lectures for conceptual grounding,
• instructor-led demonstrations in controlled laboratories,
• guided hands-on exercises using isolated virtual machines and training applications,
• individual and group-based practice,
• case-based discussion on risk, ethics, and incident response,
• project-oriented implementation, and
• presentation and viva components for evaluating real understanding.
10. Indicative Tools and Lab Resources
A supervised training implementation may use a carefully selected set of educational tools and resources such as:
• virtual machines and sandbox platforms,
• Linux and Windows lab systems,
• packet analysis and log review tools,
• approved exposure and vulnerability assessment tools,
• intentionally vulnerable educational web applications hosted locally,
• browser developer tools,
• basic firewall and host-hardening utilities, and
• instructor-provided datasets, scenarios, and reporting templates.
11. Assessment and Marks Distribution
For training-oriented implementation, the following assessment pattern may be adopted:

| Assessment Component | Weight |
| --- | --- |
| Mid-term Examination | 20% |
| Final Examination | 25% |
| Quizzes / Class Tests | 20% |
| Project / Practical | 25% |
| Attendance | 10% |
| Total | 100% |
12. Suggested Reference Areas
The following reference areas may support teaching and later expansion into book format:
• cybersecurity foundations and information assurance,
• ethical hacking principles and responsible practice,
• network security and secure system administration,
• web application security and secure software development,
• incident response and digital forensics awareness,
• cloud and modern application security,
• operating system hardening and access control, and
• security monitoring, logging, and threat awareness.
13. Future Development Scope
This syllabus is intentionally structured in a way that allows later expansion into a more detailed instructional package. If approved, each module can be developed further into book-style teaching material with expanded theory, guided lab instructions, case studies, review questions, reporting templates, and supervised project frameworks suitable for repeated delivery across multiple training batches.