top of page
04 STM Academy Mural previev.jpg


Our training offer is addressed not only to IT specialists but also to management staff and every employee of the organization who, due to their professional duties, has contact with the ICT infrastructure or part of it. After completing each training, participants receive certificates confirming the acquisition of competencies in their subject area. 

Are you interested in the offer?

Please write to us!

[email protected]



training duration - 8 days

People say that the best defense is an attack - this is also the assumption of cybersecurity experts. Our lecturers during the training will show what safety looks like from the "red" side. Participants will have the opportunity to familiarize themselves with the basic Hacker's workshop, learn the basics of communication, and the Linux operating system, and understand the goals of attackers. Finally, they will have the opportunity to access the holy grail of all hackers - executing commands on the server with escalation of privileges. Participants will also learn how to conduct a penetration test step by step and look for vulnerabilities, both in... manual and automatic. There will also be verification of the scope of the test and preparation of a report in which students can boast about their findings.



- Command line basics​
- Bash basics​
- Client-Server model​
- Data transfer techniques​
- Reverse shells​
- Bind shells​
- Interactive shells


- Network scanning​
- HTTP basics​
- Remote command execution​
- Automatic privilege escalation​
- Network pivoting​
- Backdoor detection​
- Reporting


- Enumeration​
- Password security​
- Command injection​
- Client-side security​
- File upload security​
- SQL Injection​
- Template Injection​
- XML external entity injection​
- Cross-site scripting​
- Cross-Site Request Forgery​
- Local file inclusion​
- Remote file inclusion


- File permissions
- sudo permissions
- Cron jobs misconfiguration
- Privileged containers
- Local services
- OS exploits


- SUID and capabilities
- Hardcoded data
- Buffer overflows
- Environment variables
- Side channel attacks
- Handling signals
- Symlinks
- Inherited file descriptors



training duration - 8 days


Digitization has allowed us to transfer many aspects of our lives to the Internet, but it has brought with it several new threats. One small programmer error can expose users to harm and generate multi-million losses for the company. During our training, participants will learn in an accessible way the processes invisible to the human eye that happen when, for example, we order a transfer, log in to an office, or look for a recipe on a forum, and the risks associated with them. Additionally, practical exercises prepared by our specialists will allow you to thoroughly consolidate the acquired knowledge.



  1. Basics of the HTTP protocol

  2. Enumeration and reconnaissance of web applications

  3. Authentication, authorization, and session management

  4. HTML Injection and Cross-Site Scripting (XSS)

  5. Cross-Site Request Forgery (CSRF)

  6. Path Traversal and Local/Remote File Inclusion 

  7. SQL Injection and NoSQL Injection

  8. Command Injection (Command Injection) 

  9. Server-side Includes and Server-Side Template Injection (SSTI)

  10. XML (XXE) vulnerabilities

  11. Server-Side Request Forgery (SSRF)

  12. Vulnerabilities related to the file upload mechanism (File Upload)


training duration - 5 days


Nowadays, an increasing part of users' lives is focused on a mobile device - the Phone. Our training takes this important aspect under the microscope. During the classes, participants will become familiar with the two most popular platforms (Android and iOS) from the inside. We will also discuss issues related to not only the mistakes programmers make in their applications, but also how the structure of the functioning of mobile operating systems allows them to attack the user without the need for direct interaction with their banking, SMS, etc. applications.


The scope of training includes:

1. Introduction:

- General presentation of the concept of mobile applications (Division into native/hybrid/web application)

- Overview of the most popular platforms (Android / iOS)

- Basic problems related to mobile applications

- Available tools used in application security verification processes


2. Android:


- Android ecosystem overview

- Preparing the test device - Android

- What is APK, how is it built?

- Dalvik, ART, JVM - how much Java there really is in this Java

- Android security:

- Application construction

- IPC and Deeplinks communication

- Secure data storage

- Android Apps - Threat Model


3. iOS:


- Apple ecosystem overview

- Preparing the test device - iOS

- What is IPA, and how is it constructed?

- Introduction to About ObjC and Swift

- iOS Security (Permissions, Storage & Data Protection, 3rd-party Keyboards, Code Signing, Secure Enclave Processor)

- IPC and Universal Links communication

- App Extensions

- iOS Keychain

- iOS Apps - Threat Model


4. Attacker's perspective:


- Static application analysis

- Dynamic application analysis

- How found bugs are used:

- Modification of an existing application

- Interaction from malware


training duration - 5 days

Many companies implement firewalls, separate DMZ networks, or introduce many other network separation methods. What if the attacker is already in our network? No matter how strong the wall is, it will not protect us from threats from within. During the training, participants will learn the methods used by attackers who are already in our network. During the training, you will be able to learn about methods of bypassing device authorization, "hopping" between networks, impersonating existing devices, and finally finding a lucrative target and taking full control over it.


  1. ARP Spoofing attacks

  2. Attacking the DHCP protocol, Spoofing

  3. ICMP security, ICMP Redirect attacks

  4. NAC bypass techniques, MAC Filtering

  5. Switch security, VLAN Hopping attacks

  6. IPv6 security

  7. Replay Attacks on the example of SMB

  8. Attacking WiFi networks

  9. Scan the network for hosts

  10. Machine enumeration, scanning for services

  11. Exploitation of found vulnerabilities

  12. Privilege escalation in Windows and Linux



training duration - 1 Day

Nowadays, attackers use even more sophisticated and advanced techniques to infect or take control of our devices than when we first started using computers. Analysts must constantly update their knowledge to keep up with the evolving malware industry. During the training, participants will prepare a test environment, learn the principles of hygiene when working with malware, and become familiar with the most popular methods used to analyze actions performed by software in controlled conditions.

Scope of malware analysis training (based on training malware):

1.  Preparing the environment for static and dynamic analysis of malware,

2. Basic static analysis (PE file analysis, review of imports, resources, etc.),

3. Basic dynamic analysis (monitoring changes made to the file system, registry, network traffic (fakenet / inetsim)),

4. Defining Indicators of Compromise,

5. Advanced dynamic analysis - instrumentalization and tracking of code execution, including deciphering secured network traffic,

6. Advanced static analysis - software reverse engineering using IDA or Ghidra,

7. Advanced network traffic analysis - disabling certificate-pinning, and configuring a transparent proxy server.


attacks using physical devices, social engineering, and malware 

training duration - 1 Day

Nowadays, when technology has developed to such an extent that severe mistakes must be made by programmers almost on purpose, humans remain the weakest link in any security system. You can conduct training and workshops, but we never know how our employees will behave in a real situation. With Red Team training, your security team will be ready always to be one step ahead of attackers. Our experts will show you what tools and methods criminals use, how phishing emails are created, how anti-virus protection is bypassed, and how easy it is to impersonate existing infrastructure.

The scope of Red Teaming training includes the following topics:

1. Planting malicious devices in the organization's infrastructure:

 - pendrives

 - HID devices

 - USB cables

 - summary and safety tips

2. Installation of malicious devices in the organization's infrastructure

 - network implants

 - HDMI implants

 - hiding implants inside other devices

 - summary and safety tips

3. Example Phishing Campaign:

- Enumeration of e-mail addresses
- Email security:
   a. SPF
   b.  DKIM
   c.  DMARC
- Remote control over infected computers
- Steal user credentials in three different ways:
   a. Keylogger
   b. DLL Injection
   c.  Fake Authentication
- Bypassing antivirus protection
- Bypassing the firewall


training duration - 1 Day

Currently, the Linux operating system constitutes the majority of the world's server infrastructure. It's there - behind the terminal, many old but proven solutions make sure that users can view our websites, routers can forward packets, and all types of applications can exist. However, even there, many errors can threaten the security of any organization. During the training, our experts will prepare you so that you will be able to find your way around the Linux system, independently locate, learn to use, and ultimately repair both the most common and the most advanced errors that still plague even the largest systems today. During the course, you will learn about buffer and integer overflow, find hard-coded passwords, learn how to escape from isolated environments, detect data leaks, learn how applications and the operating system communicate, and face heap exploitation. Together we will secure the world.

Scope of training:

1.  Overview of Linux security,

2. Analysis of the operation of bash shells. Explanation of the mechanism of inheritance (processes).

3. Identification and exploitation of errors such as:

   a.  buffer overflows,

   b.  integer overflows,

   c.  hardcoded passwords,

   d.  relative paths,

   e.  insecure signal handling,

   f.   data leaks,

   g.  heap exploitation.

4. Mitigation of the above errors.


  • Java application code analysis,

  • .NET application code analysis,

  • PHP application code analysis.

This block will discuss selected Server-Side vulnerabilities. The presenters will show both errors in the source code itself and their practical use by the attacker.  Additionally, issues related to dependency security and code audit methodology will be discussed. The summary of this part of the training will be a presentation of the best practices for writing secure code of the selected technology.

Report to us!

Thank you for reporting!

I consent to the processing of personal data provided in the form in accordance with the Personal Data Protection Act for the purpose of:

I have been informed that providing the telephone number is voluntary, but necessary to respond to the contact request and that I have the right to access, change, delete, and stop processing the data. The administrator of personal data is STM Academy Sp. zoo. with its registered office at ul. Żwirki i Wigury 16a, 02-092 Warsaw. You can find the Information Clause on page

04 STM Academy Mural previev.jpg



Follow us

662 141 800

  • Facebook
  • LinkedIn
  • Instagram
bottom of page