A hands-on security training program where you attack real vulnerable web applications, write professional penetration testing reports, and get reviewed by an actual practitioner. No flags. No guided hints. No automated scoring.
A vulnerability scanner finds known CVEs. A penetration tester finds what the scanner misses — business logic flaws, broken access controls, and chained vulnerabilities that only make sense in context.
DoPentest trains the second skill. Every lab is built around vulnerabilities found during real security assessments — the same class of bugs that appear in professional pentest reports, not CTF competitions.
You are not scored on how many bugs you find. You are scored on whether your report would be useful to the client.
Capture the flag
Write a report the client can act on
Planted flags, guided hints
Real bugs from real engagements
How many flags captured
Quality of the report, not quantity of findings
Flag string or score
Professional PDF pentest report
Automated / none
Manual line-by-line review by a practitioner
These are not skills you pick up from tutorials. They come from doing the work under conditions that resemble the real thing.
The application has no flags to capture. There are no hints telling you where to look. You enumerate the surface, form hypotheses, and test them. You think like an attacker or you miss the finding.
A low-severity information disclosure ships in real reports. An IDOR on a non-critical endpoint still gets documented. Completeness is a professional skill. Missing low findings is a reporting failure, not an acceptable gap.
Showing alert(1) is not a finding. Demonstrating that the same XSS allows session hijacking on an authenticated admin panel — and explaining what data is at risk — is a finding.
Clients don't pay for a list of vulnerabilities. They pay for a path to fix them. Every finding must include clear, actionable remediation steps. That is what separates a pentest report from a scanner output.
Every lab is built around vulnerability classes encountered during actual penetration tests — not theoretical textbook examples, not CVE reproductions. Business logic flaws, broken access controls, auth weaknesses. The bugs that scanners miss.
A report with three findings documented professionally — with full impact analysis, clear PoC, and actionable remediation — outscores a report listing ten findings with no context. This is how real engagements are evaluated.
There is no automated scoring. A practitioner reads every report manually and evaluates it against the same criteria used in actual client engagements.
You can find fewer vulnerabilities than other participants and still pass — if your documentation of those findings is professional, complete, and would genuinely help a developer remediate the issue. Quality of work matters more than quantity of findings.
Clear, numbered steps that allow a developer to reproduce the issue from scratch. Screenshots and HTTP requests where relevant.
What does this vulnerability mean for the business? Data exposure, financial risk, compliance implications, reputational damage. Stated in plain language, not technical jargon.
CVSS score or qualitative rating with a written justification. The rating must match the impact you've described.
Specific, actionable steps to fix the issue. Not "sanitize input" — how to sanitize, what library to use, what the secure pattern looks like.
A non-technical overview of what was found, the overall risk posture, and the most critical issues — written for someone who will not read the technical details.
Each batch runs for a fixed duration with a defined set of labs. Pass both labs to earn the batch completion certificate.
Two vulnerable web applications with real business logic flaws, broken access controls, and authentication weaknesses. Each application is isolated to your own instance. Black-box — no source code, no hints.
More complex applications, more interacting vulnerabilities, higher bar for report quality. Details announced after Batch 01 closes.
DoPentest assumes you already know the basics. The program trains professional execution — not foundational concepts.
Submit your application with background and experience. Every application is reviewed manually. You'll hear back within 48 hours.
Accepted participants receive the NDA, Scope of Work, and their dedicated lab URL — delivered directly. No dashboard. No setup.
Attack the application within scope. Document every finding — complete with impact, reproduction steps, and remediation. Submit your PDF report before the deadline.
A practitioner reads your report manually. You receive written feedback on every finding. Pass both labs and the completion certificate is yours.
Apply now. Get your scope doc. Find real bugs. Write a real report. Get reviewed by someone who has done this professionally.