Cyber Security Training


Other Courses Just Teach Concepts

Our Offensive Development is the first course dedicated to building payloads that bypass modern AV/EDR products

There are a lot of other courses which focus on concepts, discuss bypasses, but none of them take the student through building payloads from scratch and then bypassing EDR live.

This course focuses on a brief introduction towards Windows Internals and calling Windows API functions dynamically, and ends with students buildings payloads and bypassing modern defensive solutions.

Each student gets access to an isolated cyber range where they will develop their malware and deploy it with Cobalt Strike. That’s right, Cobalt Strike is built into the course.

During the course, you will learn how AV/EDR products work so that you can understand how brittle they truly are.

Topics that will be covered are: AMSI/ETW bypass, writing shellcode, writing BOFS, malleable C2 profile, various process injection techniques, hiding strings and imports, and more.

This course isn’t just for red teamers: you will learn how to hunt for default Cobalt Strike usage, detect process injection by looking at memory permissions and strange parent/child relationships, and detecting dynamically calling Windows APIs via LoadLibrary/GetProcAddress.

map of endpoints in WKL Offensive Development course.

Offensive Development Course

The total course duration is 2 days and consists of online interactive training sessions over Zoom. Registered students will receive an email invitation to the training.

Inside the cloud environment, the students will have access to a plethora of Windows machines with various EDR/AV products installed. The students will also have access to the Cobalt Strike C2 platform for the duration of training.

Strongly recommended: create an AWS account BEFORE the course begins

This is an intermediate level course

If you’re completely new to programming and Windows Internals, it might be difficult to keep up.

A background in the following topics would be useful before taking this course:

During the course, we will be interacting with different AWS EC2 instances using Guacamole.

Students will utilize their personal AWS account.

From that point, students will deploy the environment which consists of the following machines in the same subnet:

Here is a list of tools/requirements for the Offensive Development course (they’ll be preinstalled on the machines):

Training Course Details

Instructor Led Training Course

Course materials and lab environment are included in course fee

Course Overview

Dive deep into cutting edge techniques that bypass or neuter modern endpoint defenses. Learn how these solutions work to mitigate their utility and hide deep within code on the endpoint. The days of downloading that binary from the internet and pointing it at a remote machine are over. Today’s defenses oftentimes call for multiple bypasses within a single piece of code.

This course is designed to take you deep into defensive and offensive tooling – an apex attacker must know their own indicators of compromise (IOCs) they’re creating and the artifacts they’re leaving behind.

Who should Attend?

Anybody that is deeply passionate about red teaming and has a strong desire to excel. This course is intended for intermediate students with a good understanding of the fundamentals of cybersecurity and penetration testing.

It is designed for individuals who want to take their skills to the next level and challenge themselves while gaining practical experience.

Prerequisite Knowledge

This is an intermediate level course – a background in C programming, Windows Internals, .NET programming, and how AV/EDR products work would be useful.

Lab Environment

Students will have access to their own contained lab environment within Snap Labs that consists of the following:

  • Windows Server 2019 running Sophos Intercept X EDR
  • Ubuntu Cobalt Strike Team Server
  • Windows 10 Development Machine
  • Kali Linux
  • Admin Machine running Apache Guacamole
  • Fully Patched Windows 10 Machine
Learning Objectives
  • Learn the IOCs and artifacts of using off-the-shelf tooling. Without understanding the defender’s capabilities, an attacker brings little value to a red team engagement.
WKL Instructors

White Knight Labs is a Cyber Security Consultancy.

Our Co-Founders, Greg Hatcher and John Stigerwalt are passionate experts that deliver significant technical expertise in world-class offensive cyber security engagements.

With experience working in major cybersecurity firms, government agencies, and testing Fortune 500 organizations, they are industry thought leaders that give back to the security community.

Criteria for Success

This course is designed to challenge you across areas that you may not be comfortable with, and that is the point. 

A determination to learn and not give up is essential to your success.

Keeping the Course Relevant

This course is hyper-current and changes are made frequently to ensure that students receive the most up-to-date and relevant content possible.  Changes reflect both industry trends and influence from our real world engagements.

As a result, the syllabus is subject to change, and course content may be modified based on student skill level, course progression, and other factors.


Day 1 – Understanding Modern Defenses

  • Hiding from the Import Address Table (IAT)
  • Dynamically Building Your Strings
  • Defeating string detection via encryption
  • Finding EDR’s DLL
  • Unhooking EDR products
  • .NET and Assembly.Load
  • Obfuscating .NET assemblies and their IOCs
  • AMSI bypass
  • ETW bypass

Day 2 – Process Injection and Cobalt Strike

  • Process Injection Variants
  • Malleable C2 Profiles
  • Beacon Object Files
  • Cobalt Strike IOCs
  • Attacking AV/EDR Products
  • Dumping LSASS in 2022
  • Making the final binary to bypass multiple EDR products


This Course is Hyper-Current

Changes are always made at the last minute to ensure that students receive the most up-to-date and relevant content possible. As a result, the syllabus is subject to change, and course content may be modified based on student skill level, course progression, and other factors.


Not Just Concepts

We get you into the trenches, putting you  into real world scenerios that may frustrate you as we challenge your skills and knowledge.

Hands On Lab Environemnt

Eight virtual machines using Ubuntu, Windows 10, Kali, and Windows Server 2019

Not for Beginners

Students should have experience in cybersecurity fundamentals and an understanding of penetration testing and execution of red team operations

To the Limits

This course is designed to challenge you and you must be willing to face the difficulties we present and not give up

Advanced Red Team Operators

Basic Overview

Students will learn to understand modern defenses, process injection variants, Cobalt Strike and attacking AV/EDR products.

The course includes topics such as defeating string detection, unhooking EDR products, along with AMSI and ETW bypass. 

Take Your Skills to the Next Level

Challenge Yourself

Discover new heights and overcome personal barriers with WhiteKnightLabs’ groundbreaking training program, created to foster growth and unleash your capabilities.


Enhance your skillset and deepen your understanding through our expert-developed courses, focused on delivering the most pertinent and up-to-the-minute information in your field.


Aim for the stars and experience the thrill of success with WhiteKnightLabs’ extensive training program, enabling you to tackle challenges head-on and excel in your chosen profession.

Register Now for the Next Session

You will receive additional details by email once you complete the registration

Click the link to secure your seat right now!

Need additional information?

4 + 14 =

Cyber Security Training represented by image of female hacker in front of computer screens.

Contact us with Questions

If you have questions let us know.  If you’re unable to use the form. please give us a call at 877-864-4204