Module 680 · TBZ ITCNE25 · 3. Semester
A course on ICT security testing — 28 topics across foundations, methodologies, pentest in depth, turning findings into value, and specialized assessment targets. Designed and delivered by Inference for TBZ Zurich, Frühlingssemester 2026.
Course orientation
Who teaches · structure of the course · lab platform · goals · assessment
Foundations · Part I
T02 The security testing landscape
What testing is & isn't · methodologies as peers · who buys testing & why · misconceptions
Foundations · Part I
T03 Standards & frameworks
OSSTMM · PTES · OWASP · NIST 800-115 · BSI · ISO/IEC 2700x · CIS Controls · sector layers
Foundations · Part I
T04 Engagement lifecycle: scoping, boundaries & readiness
Discovery · scope documents · BSI classification axes · black/grey/white box · RoE & SoW · pre-engagement readiness checklist
Foundations · Part I
T05 Legal implications
Swiss StGB Art. 143/143bis/144bis · EU Directive 2013/40 · FADP · GDPR · when to stop
Foundations · Part I
T06 Client consent & ethics
Valid consent · third-party consent · ethical dilemmas · the "should I do this?" filter
Foundations · Part I
OSINT
Source categories · workflow · quality discipline · legal & ethical limits · the bright line vs. active recon
Methodologies · Part II
T08 Social engineering
Cialdini's principles · phishing/vishing/smishing/BEC/MFA fatigue · pretext ethics · reporting rate as metric
Methodologies · Part II
T09 Vulnerability scanning
Scanner categories · authenticated vs unauthenticated · false positives/negatives · vuln management lifecycle · RBVM
Methodologies · Part II
T10 Manual review
Code · config · architecture · IaC · policy · threat modeling · what only humans find
Methodologies · Part II
T11 Penetration testing (as methodology)
PTES phases · pentest types · what pentest can & cannot tell · bridge to Part III
Methodologies · Part II
T12 Red teaming
Goal-driven adversary simulation · TIBER-EU · trusted agents · kill chain & ATT&CK · replay phase
Methodologies · Part II
T13 Blue teaming (and purple)
Prevention · detection · response · recovery · detection engineering · purple teaming
Methodologies · Part II
Reconnaissance & enumeration in practice
Passive → active → enumeration · Nmap · subdomain & AD & cloud · attack-candidate triage
Pentest deep dive · Part III
T15 Exploitation in practice
Classes — CVE · misconfig · credential · authz · logic · supply chain · crypto · planning · safe execution
Pentest deep dive · Part III
T16 Privilege escalation (Linux & Windows)
Seven patterns: misconfig · weak perms · leaked creds · capabilities · vuln software · trust abuse · container escape
Pentest deep dive · Part III
T17 Web application testing in practice
WSTG methodology · injection · broken authn/authz · SSRF · upload · XSS · JWT · OAuth · APIs · Burp workflow
Pentest deep dive · Part III
T18 Post-exploitation & kill-chain synthesis
Awareness · credential harvest · lateral movement · persistence · data access · MITRE ATT&CK · attack narrative
Pentest deep dive · Part III
Evidence & traceability
Evidence properties · activity log · per-finding artefact · capture as you go · sensitive-data handling
Findings → value · Part IV
T20 Vulnerability evaluation & scoring
Severity vs risk vs priority · CVSS v3.1 & v4.0 · OWASP Risk Rating · BSI · KEV · EPSS
Findings → value · Part IV
T21 Remediation & prioritisation
Six forms of remediation · root cause vs symptom · actionable guidance · prioritised plans · retest
Findings → value · Part IV
T22 Reporting: structure & fundamentals
Why the report is the deliverable · standard structure · executive summary · per-finding structure · attack narrative
Findings → value · Part IV
T23 Bad vs. good reporting + drafting practice
Recognise antipatterns · good-report patterns · tone · drafting exercise · peer review · the retest test
Findings → value · Part IV
Network infrastructure testing
Segmentation · firewall rules · L2/L3 weaknesses · VLAN hopping · VPN/ZTNA · IPv6 · management interfaces
Specialized targets · Part V
T25 Wireless assessment
802.11 auth modes · WPA2/WPA3 attack workflows · evil-twin & rogue AP · Bluetooth/BLE · Zigbee
Specialized targets · Part V
T26 Cloud assessment
IaaS/PaaS/SaaS/containers · IAM-centric assessment · AWS/Azure/GCP misconfigs · Kubernetes · shared responsibility
Specialized targets · Part V
T27 Active Directory & identity assessment
AD enumeration · Kerberoasting · ADCS · BloodHound path analysis · Entra ID · federated identity
Specialized targets · Part V
T28 API testing
REST/GraphQL/gRPC discovery · OWASP API Top 10 · BOLA/BFLA · OAuth/JWT/mTLS · gateway failure modes
Specialized targets · Part V
Ask questions: your name is hidden from classmates. The teacher can see who posted, to keep the board safe. Upvote questions and get them answered by the teacher.
The S9 formative quiz, auto-graded, with instant feedback. Retake as many times as you want.
Submit your pentest report draft — automated rubric feedback before the teacher grades.
Module 680 access
Access exercise handouts, the course plan, and live tools.