What to bring:

Just Yourself. All necessary equipment will be provided, including pre-configured laptops, tools and utilities.

Black Hat USA 2010 Weekday Training Session

July 24 - 27

Hacking by Numbers: PCI Edition
Hack Like You Mean It!



Hacking By Numbers: PCI Edition is a new addition to the HBN series. This is a practical, technical course aimed at beginner penetration testers, that teaches method-based hacker thinking, skills and techniques, specifically focusing on the approach and priorities for penetration testing required by the PCI DSS standard.


The PCI Data Security Standard (DSS) has had a huge impact on the information security industry. One effect that it has had is to make annual penetration testing mandatory in some segments, and thereby spawn a whole new class of off-the-shelf penetration testers.

SensePost has a wealth of experience performing penetration tests and teaching people how to conduct security assessments. SensePost has also undergone PCI QSA training and certification, as well as the PCI ASV certification process, and has conducted assessments and penetration tests for organizations aiming to comply with the PCI DSS.

This has given SensePost the insight needed to teach the technical aspects of penetration testing to people performing assessments for the purpose of PCI certification. The training is set within the confines of the approach and priorities of the PCI DSS standard.

The HBN PCI Edition course will initially cover the pertinent theory about the PCI DSS itself and where and how penetration testing fits in. This will set the context for the introduction to penetration testing.

At SensePost we believe that hacking is a way of thinking, and that this way of thinking can be taught. Combined with the correct tools and technical tradecraft, hacking becomes a predictable science. The next phase of the training focuses on teaching this technical, method-based approach to hacking into networks and systems over the Internet.

Finally, students will spend some time on understanding the critical difference between a 'compliant' penetration test and a 'real-world' attack, focused on the actual compromise of cardholder information.

Students are provided with fully-configured laptop computers that are used stage-for-stage to complete the different technical exercises.

The course runs for two days during which the SensePost trainers will walk you, step-by-step, through understanding the role of different types of penetration testing in the overall PCI compliance process. We'll start by identifying the target systems, teach you how to breach the target perimeter, and demonstrate how to extend these attacks in order to completely compromise the Internet-facing or internal systems protecting cardholder data.


SensePost will provide fully configured laptop computers as well as CDs with all of the tools and materials used in the course. Students need to ensure they have the necessary level of skill.

No hacking experience is required for this course, but a solid technical grounding is an absolute must. Students are expected to have a solid practical grasp of computer operating systems, networks, web-based applications and databases.

Students without the requisite level of skill are encouraged to attend SensePost's HBN Cadet Edition, which can be taken back-to-back with PCI Edition.


This course is specifically aimed at assisting beginner penetration testers in understanding how to assess networks and systems according to the requirements and priorities of the PCI DSS. Please note that there is approximately a 60%-70% overlap in content with SensePost's HBN Bootcamp course.

Who should attend?

Information security officers, system and network administrators, security consultants, QSAs, card services risk managers and other nice people will all benefit from the valuable insights provided by this class.

Course Length

Two days


SensePost proposes to use experienced world-class technicians with extensive training experience. The course will be presented by one of the following course leaders:

Bradley Jayanath joined SensePost as the team leader for the assessment team after 9 years in the networking and security industry. He has extensive experience with all types of security assessments and has completed major security projects in the Americas. Bradley has been involved in developing the training course material since his appointment and brings extensive experience to each training course.

Nicholas Arvanitis is an Associate at SensePost, where he leads SensePost's security assessment and penetration testing team. Nicholas has spoken and trained throughout South Africa, Europe and the United States, including at prestigious events such as the Black Hat Briefings and Defcon. His area of expertise is in web application assessment, network security assessment and vulnerability management.

Marco Slaviero (MSc) is an associate at SensePost focused on providing penetration testing services to global clients in the financial services, mining and telecommunications sectors. Marco specializes in web application assessments with a side interest in thick applications and network assessments. His background is academic, and he finds the security industry a little bewildering, if completely fun.

Ian de Villiers is an associate security analyst at SensePost. Coming from a development background, his areas of expertise are application and web application assessments. Ian has spent considerable time researching application frameworks and has published a number of advisories relating to portal platforms. He has also provided training on web application security at prestigious events such as the Black Hat Briefings in the USA and has spoken at security conferences on this topic.

Registration deadlines:

Super Early: ends Apr 1
Ends May 15
Ends Jun 15
Ends Jul 23