Book a meeting
Cart
Register
Sign in

Certified Active Directory Pentesting Expert
(HTB CAPE)

Includes 16 instructor-led training sessions + HTB hands-on labs

This course supports professionals looking to build advanced Active Directory attack capabilities through structured methodology, guided hands-on labs, and focused development of modern AD exploitation techniques.

Fill in the following form to get course updates & enrollment info.

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply. 

In collaboration with:

This training is delivered through custom-built, guided training by Cyber Helmets, enriched with Hack The Box Academy’s sophisticated labs and curated content.

What you’ll gain:

  • Learn advanced AD exploitation workflows you can immediately apply in enterprise environments.
  • Enhance your red-team capability with practical skills across modern AD attack surfaces
  • Acquire an expert-level AD pentesting methodology from enumeration to domain takeover
  • Develop skills you can apply immediately in red team, offensive security, or consulting roles

Level:
Intermediate to
Advanced

Duration:
8 weeks
(8h/week)

Who this course is designed for

This course supports professionals looking to build advanced Active Directory attack capabilities through structured methodology, guided hands-on labs, and focused development of modern AD exploitation techniques.

Red Teamers & pentesters ready to specialise in AD attack-chains

Blue-team or SOC practitioners who want to deepen attacker mindset in Active Directory

Security consultants focused on internal network and AD compromise scenarios

Security engineers who already know the basics and are ready for real domain-wide challenge

HTB Certified Active Directory Pentesting Expert

(HTB CAPE)

The HTB CAPE certification builds elite-level Active Directory penetration-testing capability through expertly crafted training by Cyber Helmets (in partnership with Hack The Box). Participants follow the AD Attack job-role path in HTB Academy, complete immersive labs, and pass a full practical exam simulating enterprise-style AD compromise, covering kerberoasting, AS-REP/NTLM abuse, trust-pivoting, ADCS/WSUS exploitation, Exchange/AD hybrid, and large-scale domain lateral movement and domain controller takeover.

Skills you'll develop:

> Advanced Active Directory enumeration & attack surface mapping

> Kerberos & NTLM exploitation techniques (AS-REP Roast, Kerberoast, etc.)

> ADCS/WSUS/Exchange abuse, hybrid-cloud AD pivoting

> Trusts & forest compromise, lateral-movement at scale

> Post-exploitation domain-wide control, evasion, red-team operations

> Reporting & evidence-based deliverables for professional engagements

How the training works:

>Instructor-led live online sessions aligned to real pentesting methodology

> Access to HTB labs

> Exam voucher includes two (2) exam attempts.

> Course materials such as slides, links to further reading, code snippets, lab exercises, etc.

> HTB Active Directory Pentesting Expert Certification after successfully passing the exam.

FAQs:

Accordion Content

  • The HTB Certified Active Directory Pentesting Expert (HTB CAPE) certification is not designed for beginners in cybersecurity. It assumes prior knowledge and experience in network penetration testing and foundational principles of Active Directory (AD) environments. To succeed, candidates should already possess a solid pentesting foundation.
  • Obtaining the HTB Certified Penetration Testing Specialist (HTB CPTS) certification is highly recommended before pursuing HTB CAPE. The HTB CPTS ensures that individuals have a robust understanding of key penetration testing concepts, which are critical for navigating the advanced topics assessed in HTB CAPE.

A certification is not a mandatory prerequisite to become an Active Directory Penetration Tester or practice any other cybersecurity role, but a great asset if you are looking to learn new skills in a structured way and prove your knowledge to potential employers.

Hack The Box is a trusted, highly respected, and community-backed IT security training vendor, with a long history in the domain. The training standards of the company are set quite high and this applies to all offerings, machines, challenges, Pro Labs, and now, the certifications.

Through the years, Hack The Box has been a training partner of major organisations, government/military agencies, and academic institutions worldwide. We plan to continue being a trusted training partner, and also provide certification services from now on, while retaining the same level of content-excellence, quality, and integrity.

To prepare effectively for the HTB CAPE program, consider the following recommendations:

Access to HTB Academy’s content is vital for your participation in this course. A discount voucher will be provided to you upon registration via e-mail, which you can use to activate your subscription to HTB Academy.

The following modules are specifically chosen to provide a strong foundational understanding and skill set, which are critical for your success in the seminar and future endeavors in penetration testing:
1. Introduction to Academy: This module provides an overview of the Academy platform and guides on how to effectively utilize it for self-training, setting the foundation for your learning journey.
2. Linux Fundamentals: Essential for cybersecurity, this module offers in-depth training in Linux, covering its structure, shell usage, and system administration, complete with practical exercises and an assessment to solidify your understanding.
3. Learning Process: Focusing on the learning journey, this module covers aspects such as mindset, efficiency, organization, and coping with frustration, crucial for excelling in the information security field.

Unfortunately we don’t record our sessions therefore you’ll need to catch up with the rest of the group. The support team can help you to catch up with the previous sessions and guide you on the materials that you need to read.

To obtain the HTB Certified Active Directory Exploitation (HTB CAPE) certification, all individuals must complete the entire Active Directory Penetration Tester job-role path, which consists of 15 comprehensive modules. Each module includes hands-on exercises and a skills assessment at the end, designed to validate your understanding of the covered topics. Completing these modules is a mandatory step before being eligible to take the certification exam.

For those subscribed to the Gold Annual certification, solutions for the modules are provided. This ensures the learning process is more guided and efficient, reducing unnecessary frustration while allowing candidates to focus on mastering the content. This subscription makes completing the modules a manageable and rewarding experience.

Find below the facts that differentiate HTB Certified Active Directory Pentesting Expert (HTB CAPE) from standard certifications::

  • Continuous Evaluation – To be eligible to start the examination process, one must have completed all modules of the “Active Directory Penetration Tester” job-role path 100% first. Each module in the path comes with its own hands-on skills assessment at the end that students must complete to prove their understanding of the presented topics. The answers to the skills assessment exercises are not provided. Evaluation takes place throughout the journey, not only during the examination!

  • Hands-on & Real-world Exam Environment – HTB Certified Active Directory Pentesting Expert (HTB CAPE) candidates must perform advanced Active Directory penetration tests in realistic Active Directory environments, encompassing real-world Active Directory environments, demanding a full understanding of how Windows and the Active Directory environments work and assessing the candidate’s ability to execute complex attacks without relying on multiple-choice questions!

  • Focus on Advanced & Applicable Skills – The “Active Directory Penetration Tester” job-role path advances the competencies acquired in the “Penetration Tester” job-role path. It emphasizes the development of sophisticated skills crucial for Active Directory exploitation. The curriculum emphasizes practical, high-stakes scenarios involving Active Directory enumeration, exploiting trust relationships, misconfigured DACLs, and leveraging specialized tools. This path is enriched with practical demonstrations encompassing a wide range of contemporary Windows and Active Directory implementations, allowing them to understand Active Directory authentication protocols deeply.

  • Outside-the-box Thinking – HTB Certified Active Directory Pentesting Expert (HTB CAPE) candidates will be required to think outside the box and utilize the various skills and techniques they learned throughout the path to achieving the exam’s objectives. Like in real-world engagements, creativity and in-depth knowledge will be necessary for a successful outcome.

  • Commercial-grade Report Requirement – Successfully attacking and exploiting a complex Active Directory environment is not enough to obtain the HTB Certified Active Directory Pentesting Expert (HTB CAPE) certification. As part of their assessment, candidates must explain the process of identifying and exploiting vulnerabilities. Additionally, candidates are expected to propose remediation for identified vulnerabilities. HTB Certified Active Directory Pentesting Expert (HTB CAPE) candidates must prove they are market-ready and client-centric professionals.

  • Seamless Experience Powered By Pwnbox – The entire exam and certification process can be conducted through the candidates’ browser from start to finish. All penetration test attacks can be performed via the provided and in-browser Pwnbox. There are no infrastructural or tool requirements.

HTB certifications are on Credly!

By the time you successfully complete the HTB CAPE exam and claim your certificate, HTB CAPE’s digital badge will arrive on your email. Accept it and share it on your social media, so that third parties can verify your obtained skills!

Syllabus:

Intro to GCP

  • GCP Hierarchy
  • Google Workspace
  • gcloud config
  • Basic Hacking Techniques

Exploitation of GCP Services

  • IAM
  • KMS
  • Secrets 
  • Storage
  • Compute Instances & VPC
  • Cloud Functions
  • CloudSQL
  • Pub/Sub
  • App Engine
  • Google APIs
  • Cloud Shell

Methodologies

  • White box

Security Services

  • GCP Logging & Monitoring

Syllabus:

Intro to AWS

  • AWS Organization
  • AWS Principals
  • Basic Hacking Techniques

Exploitation of AWS Services

  • IAM
  • STS
  • KMS
  • Secrets Manager
  • S3
  • EC2 & VPC
  • Lambda
  • RDS
  • SQS
  • SNS

Methologies

  • White box

Common Detection Mechanisms

  • CloudTrail

Syllabus:

Azure Basics

  • Azure Organization
  • Entra ID
  • Azure Tokens & APIs
  • Basic Enumeration Tools

 

Exploitation of Azure Services

  • Entra ID IAM
  • Azure IAM
  • Azure Applications
  • Azure Key Vault
  • Azure Virtual Machine & Networking
  • Storage Accounts
  • Azure File Share
  • Azure Table Storage
  • Azure SQL Database
  • Azure MySQL & PostgreSQL
  • Azure CosmosDB
  • Azure App Service
  • Basic Azure Research Technique
  • Azure Function Apps
  • Static Web Apps
  • Azure Container Registry
  • Azure Container
  • Instances, Apps & Jobs
  • Azure Queue
  • Azure Service Bus
  • Azure Automation Account
  • Azure Logic Apps
  • Azure Cloud Shell
  • Azure Virtual Desktop

 

Methologies

  • White box
  • Black box
  • Pivoting between Entra ID & AD

 

Common Detection Mechanisms

  • Azure & Entra ID Logging & Monitoring
  • Microsoft Sentinel
  • Microsoft Defender for Cloud & Microsoft Defender EASM

Fundamentals and Setup

  1. Overview of Android’s architecture and ecosystem dynamics.
  2. Exploration of security features native to Android using Java, Kotlin, C++, and Rust.
  3. Mobile Application Threat Model
    a) Differences between mobile and web application threat models.
    b) Applying threat modeling techniques specifically to mobile applications.
    c) Case studies highlighting potential threats and vulnerabilities.
    d) How do we secure and test cross platform apps (e.g. ReactNative, Xamarin, etc).
  4. Introduction to industry mobile security standards
    a) OWASP Mobile Application Security (MAS) project
    b) Effective usage of the Mobile Application Security Verification Standard (MASVS).
    c) Effective usage of the Mobile Security Testing Guide (MSTG).
    d) Overview of the OWASP top 10 for mobile.
  5. Setting up and preparing a mobile security testing lab
    a) Configuration of industry-standard tools and guidance on their appropriate use.
    b) Setup of virtual mobile devices using Corellium, including its advantages.
    c) Introductory exercises to familiarize with the tools.
  6. Secure Coding Overview
    a) Exercises to identify vulnerabilities in code examples
    b) Discussion of the appropriate mechanisms for remediation
    c) Practical session on remediation and re-testing the app
  7. Secure storage
    a) Overview of application storage mechanisms.
    b) Introduction to cryptographic storage solutions on Android.

Advanced Techniques and Practical Application

  • Mobile penetration testing methodology
    a) Methodologies used in real-world scenarios with practical tips and tricks.
  • Identifying issues with backend APIs
    a) Examination of client-side trust issues.
    b) Analysis of insecure communications including certificate validation and pinning.
  • Cryptography in Android apps
    a) Utilization of Android’s Crypto APIs.
    b) Implementation of native cryptography using libraries like libnacl and OpenSSL.
    c) Management of cryptographic keys.
  • Authentication and Authorization
    a) Testing client-side authentication mechanisms, including secure usage of biometrics.
    b) Strategies to detect and bypass authentication flaws.
    c) Security measures for API authentication.
  • Android IPC
    a) Detailed exploration of Intents, deep links, Binders/services, and broadcast receivers.
  • Webviews
    a) Identifying and resolving common security issues in Android Webview configurations.
  • Software Composition Analysis (SBOM)
    a) Techniques to determine the components of an Android app.
    b) Identifying known vulnerabilities within these components.
  • Mobile Device Management (MDM)
    a) Introduction to Mobile Device Management: definition, core features, and its role in enhancing organizational security.
    b) Discussion on the benefits and practical applications of MDM in controlling and securing mobile devices across an enterprise.
  • Mobile Application Management (MAM)
    a) Overview of Mobile Application Management: what it entails and its significance in enterprise environments.
    b) Exploration of how MAM contributes to managing and securing applications specifically, detailing its utility for enterprise security strategies.

Advanced Techniques and Practical Application

  • Mobile penetration testing methodology
    a) Methodologies used in real-world scenarios with practical tips and tricks.
  • Identifying issues with backend APIs
    a) Examination of client-side trust issues.
    b) Analysis of insecure communications including App Transport Security issues & certificate pinning.
  • Cryptography in IOS apps
    a) Utilization of iOS’s CryptoKit & CommonCrypto APIs.
    b) Implementation of native cryptography using libraries like libnacl and OpenSSL.
    c) Management of cryptographic keys and leveraging the secure enclave.
  • Authentication and Authorization
    a) Testing client-side authentication mechanisms, including secure usage of Local Authentication (biometrics).
    b) Strategies to detect and bypass authentication flaws.
    c) Security measures for API authentication.
    d) Using Device Check and App Attest
  • iOS IPC
    a) Detailed exploration of URL schemes, deep (universal) links, and extensions.
  • Webviews
    a) Identifying and resolving common security issues in iOS Webview configurations.
  • Software Composition Analysis (SBOM)
    a) Techniques to determine the components of an iOS app.
    b) Identifying known vulnerabilities within these components.
  • Implementing App Integrity
    a) What to look for
    b) How to implement
  • Mobile Device Management (MDM)
    a) Introduction to Mobile Device Management: definition, core features, and its role in enhancing organizational security.
    b) Discussion on the benefits and practical applications of MDM in controlling and securing mobile devices across an enterprise.
  • Mobile Application Management (MAM)
    a) Overview of Mobile Application Management: what it entails and its significance in enterprise environments.
    b) Exploration of how MAM contributes to managing and securing applications specifically, detailing its utility for enterprise security strategies.

Fundamentals & Setup

  1. Overview of iOS’s architecture and ecosystem dynamics.
  2. Exploration of security features native to to iOS using Objective-C, Swift, and C(++).
  3. Mobile Application Threat Model
    a) Differences between mobile and web application threat models.
    b) Applying threat modeling techniques specifically to mobile applications.
    c) Case studies highlighting potential threats and vulnerabilities.
    d) How do we secure and test cross platform apps (e.g. ReactNative, Xamarin, etc).
  4. Introduction to industry mobile security standards
    a) OWASP Mobile Application Security (MAS) project
    b) Effective usage of the Mobile Application Security Verification Standard (MASVS).
    c) Effective usage of the Mobile Security Testing Guide (MSTG).
    d) Overview of the OWASP top 10 for mobile.
  5. Setting up and preparing a mobile security testing lab
    a) Configuration of industry-standard tools and guidance on their appropriate use.
    b) Setup of virtual mobile devices using Corellium, including its advantages.
    c) Introductory exercises to familiarize with the tools.
  6. Secure Coding Overview
    a) Exercises to identify vulnerabilities in iOS code examples
    b) Discussion of the appropriate mechanisms for remediation
    c) Practical session on remediation and re-testing the app
  7. Secure storage
    a) Overview of application storage mechanisms.
    b) Introduction to cryptographic storage solutions on iOS.