c0c0n 2026 | HackTheWeb: Pentest Smarter with AI | Hacking & Cyber Security Briefing

Objective

Modern application security fails not because of single bugs, but because data moves in unexpected ways and traditional testing methods can't keep up. This intensive, lab-first course teaches you to map an application's data flow, identify high-value attack points, and execute real exploit chains that automated scans never find while leveraging AI to accelerate every phase of your workflow.

Designed for pentesters and security engineers with 1–3 years experience, this program builds both skill and mindset. You'll work through 30+ realistic labs spanning 8+ distinct web and API applications, using mind maps, data-flow diagrams, and local LLMs integrated directly into Burp Suite to guide discovery. Every module pairs theory with hands-on labs so you practise the exact steps attackers use from reconnaissance to privilege escalation and data exfiltration.

What makes this course different:

Data-Flow First: Use mind maps and flow diagrams to locate where sensitive data moves and how it can be abused.
AI-Augmented Testing: Learn when and how to use LLMs for payload generation, WAF bypass, wordlist creation, and vulnerability analysis—without over-relying on automation.
Mindset Training: Not just checklists - you’ll learn how attackers think and how to structure tests that find logic and design weaknesses.
Lab Intensity: 30+ real-world labs across 8+ applications (frontend, API, microservices) - practice chaining vulnerabilities end-to-end.
Actionable Outcomes: Walk away with a repeatable methodology, exploit recipes, and reporting guidance that gets developer buy-in.

COURSE HIGHLIGHTS

30+ real-world labs across 8+ applications– exploit vulnerabilities in environments that mirror today’s web and API stacks.
Data-flow driven bug hunting– trace how data moves through apps to uncover hidden attack paths scanners miss.
AI-integrated pentesting workflow- set up local LLMs with Ollama, connect them to Burp Suite, and use AI for recon, payload crafting, and vulnerability analysis.
Mind maps & attacker’s mindset– build repeatable frameworks and think like an adversary, not a checklist.
Exploit chaining & Burp Suite simplified– combine vulnerabilities into high-impact attacks using practical tools and techniques.
Actionable takeaways– walk away with a field-tested methodology, reusable mind maps, and skills you can apply immediately.

We will cover topics (not limited to):

Mapping the Data Flow– tracing requests, responses, and tokens to spot weak links
AI-Assisted Reconnaissance & Subdomain Enumeration
Security Misconfiguration & Cloud Storage Hunting
Authentication Attacks (JWT, 2FA bypass, password reset flaws)
Authorization Testing (IDOR, privilege escalation, SSRF)
Advanced Injection Attacks (SQLi, XXE, XSS, template injection, deserialization)
Cryptographic Failures (padding oracle, weak encryption)
Business Logic & Workflow Exploitation
Autonomous Pentesting Agents (Shannon, PentestGPT, HexStrike AI and more)
Automated Reporting with AI

Course Content

Day 1 - Mapping & Breaking the Basics

Introduction to Web app testing

OWASP Top 10 2021 to 2025 - What’s Changed ?
OWASP Web App Testing Guide
Introduction to Proxies
Reporting as you go

Introduction to AI for Pentesting

Why AI in pentesting ?
Local LLMs vs Cloud APIs (privacy, speed, cost)
Setting up Ollama + LLMs
Learning how to Prompt
When to trust Ai vs Verify Manually

Information Gathering

Search Engine discovery and reconnaissance for information leakage
Fingerprinting the web server
Enumerating applications on the web server
Fingerprinting Application and Application Framework
AI assisted Subdomain Enumeration
AI assisted Information Gathering

Security Misconfiguration and Deployment Testing

Detecting Application Platform MisConfiguration
- Traditional + AI Assisted
Automating Subdomain Takeover using AI
Hunting Cloud Storage Misconfigurations Traditional + AI

Integrating Burp with AI

Understanding the setup
Connecting your AI to Burp

Identity Management Testing

Testing for Roles and Privileges
Account Enumeration
Login Brute Force
- Generating Target specific wordlists with LLMs
Default Credentials Hunting using AI and Wordlists

Authentication Testing

Testing Lockout Mechanisms
Bypassing Authentication Schema
- JWT Attack
- JWT analysis and attacks with AI
Testing for Password Reset Functionalities
Testing for 2FA Bypass

Day 2 - Exploiting the Core Weaknesses

Creating Vulnerability HeatMaps using AI + Proxy Logs

Authorization Testing

Directory Traversal vulnerabilities
Bypassing Authorization Schema
Testing for Privilege Escalation
Insecure Direct Object References (IDOR)
- Leveraging AI models to hunt for IDOR vulnerabilities
SSRF Attacks
- SSRF on Traditional Web Apps
- SSRF over Cloud
- Leveraging AI to bypass WAF to exploit SSRF

Input Validation/Injection Testing

SQL Injection vulnerabilities
- Time-Based SQL Injection
- AI Generated SQLI payloads
- Automating SQLMap using AI
- Data Exfiltration via Blind OOB SQL Injection
- Example of using LLMs to generate Obfuscated Payloads
XML Injection vulnerabilities
- Vanilla XXE attack
- Data Exfiltration via Blind XXE attacks
- LLM assisted XXE attacks
Modern XSS Attacks
Template Injection Attacks
Exploiting File Upload functionalities
Deserialization Attacks

Day 3 - Exploiting Workflows & Business Logic

Session Management Testing

Testing Logout Functionality
Testing for Session Hijacking
Testing for Misconfigured Cookie Attributes
Using AI for Identifying and exploiting Session Weaknesses

Cryptographic Failures

Padding Oracle Attacks
Weak Encryptions Detection and Exploitation

Software Supply Chain Security

Attacking PHP Symphony
Attacking vulnerable third-party libraries
Case Studies: Log4J / Log4Shell
Case Studies: Compromised npm/PyPI Packages

Business Logic Testing

Building models for Business logic Flows
Attacking Coupon Functionality / Process Timing Attacks
Attacking Payment Gateways
Using LLMs to identify logic flaws and attack Chains
Circumventing Workflows

Automating complete Pentest + Human in the loop using AI

Autonomous Pentesting Agents
- Demo: Shannon
AI - Powered Pentesting Assistants
- Demo: PentestGPT, HexStrike AI, Strix

Reporting

Reporting Pitfalls
Creating Impactful Reports
Understanding Opensource Reporting Tools
Automating the Reporting Process
Creating Reports using AI

Pre-requisite

Basic understanding of Pentesting
Familiarity with HTTP/HTTPS protocols and web architecture
Prior experience with at least one vulnerability class (SQLi, XSS, etc.)

Who Should Attend

Pentesters, Red Teamers, and Bug Bounty Hunters (1–3 years’ experience) who want to move beyond surface-level bugs into real exploit chains
AppSec Engineers, SOC Analysts, and DevSecOps Professionals seeking attacker-mindset skills to uncover what scanners miss.
Developers & Security Researchers eager to understand and defend against real-world exploitation of design flaws, workflows, and misconfigurations.

Participant's Requirements

What Students Should Bring:
To get the most out of the hands-on labs, please come prepared with the following:

Administrator (admin) privileges on your laptop - required to install VirtualBox and Burp Suite and import the lab images.
Hardware requirements for running AI locally:
- CPU - Minimum 4 cores ( Intel i5 / AMD Ryzen 5)
- RAM - Mentioned Below
- GPU Optional but good to have
Apple Silicon (M1/M2/M3) Good to have: Excellent performance. Ollama runs natively and leverages the unified memory architecture.
Alternatively you can purchase a 20$ Subscription of Claude or Cursor but rate limits will apply.
Minimum 32 GB RAM (recommended) - Burp Suite and multiple VMs perform best with more memory.
At least 80 GB free disk space - we’ll provide a custom Kali Linux .ova (preloaded with tools) that needs room to import and run.
Reliable internet access - needed for some labs, updates, and downloads.
Virtualization support / VirtualBox installed - so you can load the supplied Kali .ova. (If you prefer VMware, let us know in advance.)

We supply the Kali .ova and step-by-step setup instructions. If you hit any setup snags, bring your charger and we’ll help you get everything running before the labs start.

What to expect

30% theory and 70% Hands-on
Focuses on the Web application Pentesting in modern days.
Focuses on a black/grey box pentest, keeping in mind helping bug bounty hunters understand application workflows to find improved Business logic flaws.
AI as a force multiplier, use LLMs throughout the course for recon, payload generation, WAF bypass, and reporting with a "trust but verify" mindset.
Designed with Data Flow analysis to understand the endpoints that could have potential vulnerabilities
Designed with the state of the art lab with simulated real world applications and more than 30+ exercises to perform
Take-home resources leave with mind maps, AI prompt templates, exploit recipes, and a methodology you can use on your next engagement.

Trainer(s)

Dhruv Shah

Founder/ Technical Head
TCP Infosec LLP

Venue & Date

Contact Us

c0c0n 3-Day Professional Training

HackTheWeb: Pentest Smarter with AI