Introduction

The Immersive Application Security Labs solution offers a comprehensive range of labs designed to enhance your application security skills and knowledge. Explore a variety of hands-on labs covering topics such as secure coding practices, vulnerability assessment, threat modeling, and secure development methodologies. Whether you are a beginner looking to build a strong foundation or an experienced professional seeking to advance your AppSec expertise, our catalog has something for everyone to sharpen their application security skills in a practical and engaging way.

The Immersive Labs Application Security lab collection consists of the following categories of collections (number of total labs in each category shown in parenthesis):  

• Application Security 
• Cloud Security 
• Offensive Cyber 
• Defensive Cyber
• Cyber Threat Intelligence 
• Challenges & Scenarios 
• Governance, Risk, and Compliance
• AI Essentials
• Secure AI Adoption

The full Immersive Labs Application Security catalog can be downloaded as an Excel file at the bottom of this page, which contains more details about each lab and lab series, as well as allowing you to filter, search, and sort.

Note that all labs in the Immersive Labs Application Security catalog are included in the Immersive Labs license.

Application Security

Secure by Design

The Secure By Design category on the Immersive Labs cybersecurity training platform teaches you to build security into software and systems from the outset, focusing on proactive risk identification, resilient architecture, and secure delivery practices. Through practical, scenario-driven labs, you learn to anticipate threats, reduce attack surface, and embed effective controls into design and development workflows rather than bolting them on after release. 

In the Threat Modeling Fundamentals collection, seven hands-on labs take you from core concepts and methodologies to practical application. You will use approaches such as STRIDE and attack trees, explore tool-assisted modeling with OWASP Threat Dragon, and work through a realistic case study to document assets, trust boundaries, threats, and mitigations. The Secrets Management collection comprises four labs that explain what secrets are and how they leak, define a secure secret lifecycle, and demonstrate implementation patterns to protect credentials, keys, and tokens across development and operations, including safe storage, least-privilege access, rotation, and leak prevention.

This category is ideal for software engineers, architects, DevOps and platform teams, and security practitioners who support product teams. By the end, learners will be equipped to incorporate threat modeling into the SDLC, implement robust secrets management across pipelines and runtime environments, communicate risks effectively, and make informed design decisions that strengthen security by default.

Collections

Threat Modeling Fundamentals

Secrets Management

Secure Coding

The Secure Coding category on the Immersive Labs cybersecurity training platform builds practical, language-specific skills to identify, exploit, and remediate common software vulnerabilities across web, API, mobile, desktop, and embedded systems. Through hands-on scenarios aligned to the OWASP Top 10 and secure SDLC principles, learners practice preventing issues such as injection (SQLi, command, JSON), cross-site scripting, authentication and authorization failures, insecure deserialization, SSRF, IDOR, path traversal, cryptographic mistakes, misconfiguration, and business logic flaws—developing both the attacker’s mindset and the defender’s toolkit.

Progressive, real-world collections help learners advance from fundamentals to expert capability. Core language tracks like Java – Beginner and Intermediate, Python – Beginner through Advanced, and C# .NET Core – Beginner, Intermediate, and Advanced take developers from simple misconfigurations to blind SQL injection, session fixation, encryption at rest, and unsafe file handling, while Java – Advanced and Java Spring Boot emphasize production hardening and modern attack surfaces. API-focused series including Java API – Beginner, Node.js API – Beginner, Python API – Beginner, TypeScript API – Beginner, and C# .NET Core API – Beginner cover the OWASP API Security Top 10, data exposure, input validation, and IDOR. Broader ecosystem coverage spans Go – Beginner and Intermediate, PHP and Rails tracks, C/C++ beginner-to-advanced collections centered on memory safety and race conditions, front-end security with React, Vue.js, and Angular, Kotlin for Android, and an Embedded Application Security collection exploring TLS, firmware integrity, and exploitation on platforms like ESP32. The Real-world Playground immerses learners in high-impact incidents and CVEs—such as Log4Shell (CVE-2021-44228), Spring4Shell (CVE-2022-22965), Confluence OGNL injection, MOVEit Transfer CVE-2023-34362, and ALPACA—while Find the Flaw series and Expert Challenges in Java and Python sharpen code review and problem-solving under pressure.

This category is designed for software developers, security champions, AppSec and DevSecOps practitioners, QA engineers, and students entering secure development roles. Upon completion, learners will be equipped to recognize and prevent prevalent vulnerability classes, review and test code with a security lens, secure APIs and microservices, harden configurations, respond to emerging CVEs, and embed robust secure coding practices throughout the development lifecycle.

Collections

Java – Intermediate

Real-world Playground

Java – Beginner

Python – Beginner

C# .NET Core – Intermediate

C# .NET Core API – Beginner

Java API – Beginner

PHP – Beginner

Python API – Beginner

TypeScript API - Beginner

C# .NET Core – Beginner

Go - Intermediate

Java Spring – Beginner

Node.js API – Beginner

Python – Intermediate

C/C++ – Intermediate

C# ASP.NET Core 8.0 API - Beginner

Go – Beginner

Node.js – Beginner

Node.js – Intermediate

PHP – Intermediate

Python – Business Logic Flaws

C/C++ – Beginner

C# .NET Framework (MVC)

Java Spring Boot

Python – Advanced

Rails – Beginner

C# .NET Core – Advanced

C# .NET Framework (Web Forms)

Java  – Advanced

C/C++ – Advanced

Find the Flaw: Java

Find the Flaw: Kotlin

Find the Flaw: Node.js (JavaScript)

Find the Flaw: Python

Find the Flaw: Ruby

Find the Flaw: TypeScript

Kotlin for Android

Rails – Intermediate

Embedded Application Security

Find the Flaw: C

Find the Flaw: C++

Find the Flaw: PHP

Find the Flaw: Rust

Angular

Java Expert Challenge

Python: Expert Challenge

Vue.js

React

PHP

Ruby

Secure Engineering

On the Immersive Labs cybersecurity training platform, the Secure Engineering category helps teams design, build, and operate web applications and services that are resilient by default. Through hands-on labs, participants learn browser- and protocol-level defenses, secure configuration patterns, and practical techniques to prevent common web threats, while reinforcing secure coding and supply chain awareness.

The Security Headers collection builds fluency with modern HTTP defenses—such as HSTS, CORS, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, and Permissions-Policy—so learners can choose appropriate directives, configure them correctly, and validate their effect to mitigate risks like clickjacking, XSS, MIME sniffing, session and caching issues, and data leakage. The Introduction to Content Security Policy (CSP) collection dives deep into directives and values, managing inline JavaScript, hashes and nonces, and reporting, enabling learners to design and deploy robust CSPs that block script injection without breaking functionality and provide actionable telemetry. The Secure Engineering collection rounds out the category with labs such as Stack Overflow and Threat Research: Dependency Confusion, translating fundamentals into secure coding practice and modern supply chain threat modeling to detect and prevent memory safety flaws and package-namespace attacks. This category is ideal for software engineers, application security and DevSecOps practitioners, and technical leaders who need to embed security into delivery; by completing it, they will be equipped to harden applications, set effective security policies, and proactively reduce attack surface across their stacks.

Collections

Security Headers

Introduction to Content Security Policy (CSP)

Secure Engineering

Secure Fundamentals

Secure Fundamentals on the Immersive Labs cybersecurity training platform builds the knowledge and hands-on skills needed to design, build, and operate secure systems across modern environments. Through practical labs and scenario-driven exercises, the category establishes core principles while mapping them to widely adopted standards and real-world attack techniques spanning web, mobile, cloud, AI, and cryptographic technologies.

Learners start with foundational concepts in the Secure Fundamentals collection, covering defense in depth, authentication and authorization, the principle of least privilege, security patching, attribution and accountability, the CIA triad, and secure data handling—skills that underpin every secure architecture. Technical depth is added through Introduction to Cryptography, which demystifies symmetric and asymmetric encryption, hashing, digital signatures, key management, and PKI, and TLS Fundamentals, where learners analyze X.509 certificates, understand cipher suites and key exchange, and configure modern TLS 1.3 securely.

To strengthen application security, OWASP Top 10 (2021) and OWASP Top 10 (2025) guide learners through identifying and mitigating risks such as broken access control, injection, cryptographic failures, security misconfiguration, software supply chain issues, and logging and alerting gaps, including a focus on APIs. Mobile Application Security Fundamentals aligns with OWASP MASVS and the MSTG to address insecure communication and storage, insufficient cryptography, binary protections, privacy, and auth weaknesses. Rounding out emerging risk areas, AI Fundamentals and OWASP Top 10 for LLMs and GenAI prepare learners to handle prompt injection, sensitive information disclosure, model and data poisoning, excessive agency, and other GenAI-specific threats. This category is ideal for developers, security engineers, DevSecOps, IT and cloud practitioners, and aspiring analysts, equipping them to apply secure-by-design practices, validate and harden configurations, prioritize remediation, and respond effectively to evolving threats across web, mobile, and AI-enabled systems.

Collections

OWASP Top 10 (2021)

Introduction to Cryptography

Mobile Application Security Fundamentals

OWASP Top 10 (2025)

OWASP Top 10 for LLMs and GenAI

AI Fundamentals

AI for Business

Secure Fundamentals

TLS Fundamentals

Secure Operations

On the Immersive Labs cybersecurity training platform, the Secure Operations category focuses on hardening and securely operating common web and application servers through hands-on, scenario-based exercises. Across the collections, learners practice reducing attack surface, enforcing least privilege, preventing information disclosure, and enabling audit-ready logging. Core skills include disabling risky features such as TRACE and SSI/CGI, trimming unnecessary modules, controlling directory listings, implementing granular access controls with Require/Allow/Deny, managing safe file permissions and symbolic links, removing identifying headers, ensuring services don’t run as root, and aligning configurations with CIS benchmarks.

The Apache collection guides learners through non-root execution, sanitizing server details, restricting directory access, disabling TRACE, configuring robust logs, applying Require and Allow/Deny rules, securing symbolic links and the ServerRoot directory, and disabling SSI/CGI, culminating in a Demonstrate Your Skills challenge that validates end-to-end hardening. The Apache Tomcat collection blends user management theory with practical configuration, addresses the dangers of running as root, walks through CIS Hardening steps, and covers remediation of outdated versions. The NGINX collection emphasizes suppressing server headers, managing directory listing, enabling effective logging, and removing unneeded modules before a practical assessment. This category is ideal for system administrators, DevOps and platform engineers, SREs, and security practitioners who need to build and maintain securely configured web services at scale; by the end, learners will be equipped to implement hardened configurations, validate them against standards, and operate them confidently in production.

Collections

Apache

Apache Tomcat

NGINX

Secure Testing

The Secure Testing category on the Immersive Labs cybersecurity training platform builds practical skills for safely identifying, validating, and documenting common web application vulnerabilities throughout the software lifecycle. Through guided, hands-on labs, learners practice mapping attack surfaces, designing effective test cases, and applying ethical testing techniques that uncover issues without disrupting systems or data.

The Secure Testing – Beginner collection introduces core techniques and flaws that testers encounter in real environments. Learners explore discovery and enumeration with Secure Testing: Sitemaps & Robots.txt and File and Directory Enumeration, then progress to input and logic weaknesses such as Secure Testing: URL Parameters, Logic Flaws, and Code Comments. They learn to detect and validate impactful vulnerabilities in Secure Testing: Path Traversal, Cross Site Scripting (XSS), Stored Cross Site Scripting (XSS), SQL Injection, Open Redirect, and Insecure Direct Object Reference (IDOR), gaining experience in reproducing issues, assessing risk, and recommending remediation. This category is ideal for QA testers, junior security analysts, developers, and DevSecOps practitioners who want a structured introduction to secure testing; by the end, they will be equipped to plan and execute low-risk, high-value security tests and collaborate effectively to prevent and fix common web application weaknesses.

Collections

Secure Testing – Beginner

Secure Tooling

On the Immersive Labs cybersecurity training platform, the Secure Tooling category equips learners to select, configure, and confidently operate the core tools used to build, test, and secure modern applications and infrastructure. Across these collections you’ll practice version-control hygiene, web application testing with intercepting proxies, client-side analysis with browser tooling, and static code analysis—while learning to interpret results, avoid common pitfalls, and fold these tools into day-to-day workflows. The Git Security collection builds robust repository habits through labs on SSH keys, managing public and private repositories, .gitignore, commit history analysis, verifying commits, understanding the .git folder, and defining a public security policy, helping you prevent secrets exposure and maintain code integrity.

Hands-on web testing is covered in OWASP ZAP – Basics, where you’ll set up ZAP, work with authentication and contexts, intercept and edit requests, run active and passive scans, spider and fuzz targets, and produce actionable reports. The Burp Suite collection complements this with essentials on HTTPS interception, scoping with Target, and focused testing using Intruder and Repeater. Browser Developer Tools provides practical client-side techniques—inspecting the DOM, executing JavaScript in the console, analyzing cookies and storage in Chrome and Firefox, and tracing requests in Network panels—to uncover logic and configuration issues from the user’s perspective. Secure Tooling – Beginner offers a guided on-ramp featuring Nikto and core browser tooling to quickly build confidence. Diving into SonarQube introduces SAST fundamentals, project setup, differentiating issues from security hotspots, and interpreting findings so you can bring code scanning into your development workflow. This category is ideal for developers, QA engineers, security analysts, and aspiring penetration testers who want to operationalize security tools, triage findings effectively, and turn test results into prioritized remediation and clear, evidence-based reporting.

Collections

Git Security

OWASP ZAP – Basics

Browser Developer Tools

Secure Tooling – Beginner

Diving into SonarQube

Burp Suite

Cloud Security

Amazon Web Services

On the Immersive Labs cybersecurity training platform, the Amazon Web Services category builds practical cloud security capability from fundamentals to advanced defense and response. Learners start with the “Amazon Web Services” collection to ground themselves in core services, then deepen expertise with “IAM (Identity and Access Management)” to master users, groups, policies, roles, MFA, STS, and guardrails like resource policies and permissions boundaries. They apply secure-by-design practices in “EC2 (Elastic Compute Cloud)” across encryption, security groups, AMIs, launch templates, load balancing, and auto scaling; harden storage in “S3 (Simple Storage Service)” with access controls, MRAPs, protection mechanisms, inventory, and recovery; segment networks and enable private connectivity in “VPC & Network Security”; protect secrets and data with “Secrets and Encryption in AWS” using Secrets Manager and AWS KMS; secure serverless pipelines in “Securing Serverless Workflows with AWS Lambda”; and operationalize safe administration in “AWS Systems Manager” with Session Manager, Run Command, Automation, and patching.

Detection, compliance, and incident response are developed through “Logging & Monitoring in AWS,” where learners operationalize CloudTrail, EventBridge, CloudWatch, VPC Flow Logs, SIEM integration, and automated response; and “Advanced Logging in AWS,” covering the CloudWatch agent, Logs Insights, and investigations with Athena. Governance and central visibility are reinforced with “AWS Config” for rules and remediation and “AWS Security Hub” for control aggregation and custom actions, while “Threat Detection with Amazon GuardDuty” builds managed threat detection skills. Real-world investigation capability is sharpened in “Investigating IAM Incidents in AWS,” “Introduction to Incident Response & Forensics in AWS,” and “Incident Response and Forensics for EC2,” and web defenses are addressed in “Securing Web Applications with AWS WAF and CloudFront.” The “Top 10 AWS Attacker Techniques 2023” collection exposes common cloud attack paths and mitigations, and the “AWS Challenge: Jobs at Metrolio” scenario validates offensive, defensive, and remediation skills under pressure. This category is designed for security engineers, cloud architects, DevOps practitioners, SOC analysts, and incident responders who need to design, harden, monitor, detect, investigate, and respond across AWS environments with confidence and at scale.

Collections

IAM (Identity and Access Management)

Logging & Monitoring in AWS

EC2 (Elastic Compute Cloud)

Top 10 AWS Attacker Techniques 2023

S3 (Simple Storage Service)

Amazon Web Services

AWS Systems Manager

VPC & Network Security

AWS Config

Advanced Logging in AWS

AWS Security Hub

Introduction to Incident Response & Forensics in AWS

Securing Serverless Workflows with AWS Lambda

Investigating IAM Incidents in AWS

Secrets and Encryption in AWS

Securing Web Applications with AWS WAF and CloudFront

Threat Detection with Amazon GuardDuty

AWS Challenge: Jobs at Metrolio

Incident Response and Forensics for EC2

Google Cloud

On the Immersive Labs cybersecurity training platform, the Google Cloud category develops practical skills for building, securing, and defending workloads on Google Cloud and within Google Security Operations. The Google Cloud Basics collection introduces core cloud concepts and hands-on experience with the Google Cloud Console, Identity and Access Management (IAM), Cloud Storage, VPC networks, and Compute Engine, culminating in a skills demonstration to reinforce foundational knowledge. Building on that, the Google Security Operations: Fundamentals collection equips learners to detect and respond to threats using Google’s SecOps stack, covering the Unified Data Model (UDM), efficient event searching, writing YARA-L detection rules, creating SOAR playbooks for automation, managing detection rules, and handling cases, with a final capstone to consolidate capabilities.

To validate skills in a realistic context, the Google Cloud Challenges collection includes the Google Cloud Challenge: Traflytics at Metrolio – Offensive, an applied scenario that tests the ability to identify and analyze malicious activity in a Google Cloud environment. This category is ideal for security analysts, SOC and incident response teams, detection engineers, cloud security practitioners, and cloud administrators seeking end-to-end proficiency. Learners will be equipped to design and govern secure GCP deployments, operationalize detections in Google Security Operations, automate responses with SOAR, and conduct end-to-end investigations in cloud-first environments.

Collections

Google Security Operations: Fundamentals

Google Cloud Basics

Google Cloud Challenges

Microsoft Azure

On the Immersive Labs cybersecurity training platform, the Microsoft Azure category provides hands-on labs that take learners from Azure fundamentals to advanced security operations across Microsoft’s cloud ecosystem. The pathway builds practical fluency in Azure services, Kusto Query Language (KQL), cloud security posture management, SIEM deployment and monitoring with Microsoft Sentinel, and SOAR automation, culminating in real-world threat hunting with workbooks and notebooks.

Learners start with Microsoft Azure Basics to understand core cloud concepts and practice navigating the portal, configuring storage accounts, virtual networks, virtual machines, Function Apps, and Logic Apps. The Kusto Query Language collection develops the analytical foundation needed to query and transform telemetry at scale, covering syntax, filtering, aggregation, time analysis, parsing complex data, and advanced operations used throughout Sentinel. Microsoft Defender for Cloud guides learners through setup, CSPM and compliance, inventory and recommendations, alert triage, and Attack Path analysis with the Cloud Security Explorer. Microsoft Sentinel Blue Team Ops focuses on operational detection and response with KQL-driven analytics rules, incident handling, and enrichment with threat intelligence, while Microsoft Sentinel Deployment & Log Ingestion covers initial setup and the ingestion of platform and VM logs via diagnostic settings. Rounding out operations, Microsoft Sentinel: Security Orchestration Automation and Response (SOAR) teaches automation rules and playbooks with Logic Apps, and Microsoft Sentinel: Threat Hunting with Notebooks and Workbooks equips learners to visualize metrics, analyze security data, and conduct investigations. This category is designed for security analysts, SOC and blue team practitioners, and cloud engineers; upon completion, they will be ready to deploy and secure Azure workloads, operationalize Sentinel, automate incident response, and proactively hunt threats in Microsoft cloud environments.

Collections

Kusto Query Language

Microsoft Azure Basics

Microsoft Defender for Cloud

Microsoft Sentinel Blue Team Ops

Microsoft Sentinel Deployment & Log Ingestion

Microsoft Sentinel: Security Orchestration Automation and Response (SOAR)

Microsoft Sentinel: Threat Hunting with Notebooks and Workbooks

Cloud Fundamentals

On the Immersive Labs cybersecurity training platform, the Cloud Fundamentals category builds core cloud knowledge and practical security skills through hands-on labs mapped to real-world frameworks and operating models. Learners progress from foundational concepts—service models (SaaS, PaaS, IaaS), virtualization, Infrastructure as Code, identity federation with SAML, secrets management, and security automation—in the Cloud Fundamentals collection, to structured assurance using Cloud Security Alliance Cloud Controls Matrix v4.0 and other standards. The NCSC – Cloud Security Guidance collection translates the UK NCSC’s cloud security principles into practice, enabling learners to assess and implement controls for data in transit, asset protection and resilience, user separation, governance, operational and personnel security, secure development and supply chain, identity and authentication, external interface protection, secure administration, auditability, and safe service use.

Complementing this, the NIST – Guidelines on Security and Privacy in Public Cloud Computing (800-144) collection strengthens decision-making around governance, compliance, trust, architecture, IAM, software isolation, data protection, availability, and incident response. The DevSecOps collection walks through the full software lifecycle—plan, code, build, test, release, deploy, operate, and monitor—to embed security into pipelines and cloud-native delivery. Finally, Zero Trust in the Cloud equips learners to apply identity-centric access, endpoint hardening, and network micro-segmentation patterns across cloud environments. This category is ideal for security analysts, cloud engineers and architects, DevOps/Platform teams, and risk and compliance professionals moving workloads to the cloud. Graduates will be equipped to evaluate providers against recognized frameworks, architect and operate secure cloud services, implement zero trust and robust IAM, automate controls and compliance, and respond effectively to cloud security incidents.

Collections

NCSC - Cloud Security Guidance

Cloud Fundamentals

NIST – Guidelines on Security and Privacy in Public Cloud Computing (800-144)

DevSecOps

Zero Trust in the Cloud

Cloud Tooling

The Cloud Tooling category on the Immersive Labs cybersecurity training platform builds practical, hands-on skills for securing the services, tooling, and automation that underpin modern cloud environments. Learners progress from foundational hardening of web platforms in Apache, NGINX, and Apache Tomcat through to identity, secrets, and policy controls with OAuth and OpenID Connect and Secrets Management with HashiCorp Vault. They deepen cloud-native security competence with Container Hardening – Docker, including image scanning with Trivy and Dockle, and advance their infrastructure-as-code assurance through Secure Terraform collections for AWS, Azure, and Google Cloud Platform, covering encryption, network controls, and service-specific hardening. Network boundary and inspection skills are developed with Fortinet’s Next-Generation Firewall and Palo Alto Network’s Next-Generation Firewall, while AWS Community – Security Tooling introduces reconnaissance and assessment with awspx and compliance checking with Prowler.

Across these collections, learners practice real configuration hardening, least-privilege access, and secure defaults: disabling risky methods and modules, enforcing logging and access controls, running services as non-root, implementing Vault policies and dynamic secrets with PKI, standing up OIDC with Keycloak and Kubernetes RBAC, tightening container images, and codifying cloud controls in Terraform for repeatable, auditable deployments. This category is designed for cloud and security engineers, DevOps/SRE, system administrators, and architects who need to build and maintain resilient, compliant cloud platforms. Graduates will be equipped to design, deploy, and operate secure cloud tooling end to end—reducing attack surface, automating guardrails, and validating posture across web services, identity, containers, firewalls, and multi-cloud infrastructure.

Collections

Apache

Secrets Management with HashiCorp Vault

Apache Tomcat

OAuth and OpenID Connect

Container Hardening – Docker

Fortinet's Next-Generation Firewall

NGINX

Palo Alto Network's Next-Generation Firewall

Secure Terraform - AWS

Secure Terraform - Azure

Secure Terraform - Google Cloud Platform

AWS Community – Security Tooling

Kubernetes

On the Immersive Labs cybersecurity training platform, the Kubernetes category develops practical skills for building, securing, monitoring, and testing cloud‑native workloads. Learners begin with Kubernetes – Fundamentals to master orchestration essentials—pods and services, multi‑container patterns, volumes and secrets, workload resources, namespaces, network policies, and shell access—so they can confidently deploy and troubleshoot applications across a cluster.

Security depth follows with Kubernetes – Pod Security, where you apply Role Based Access Control, craft effective Network Policies, use immutable file systems, understand Pod Security Policies and resource controls, harden images, and protect secrets. The CISA and NSA Kubernetes Hardening Guidance collection translates authoritative recommendations into hands‑on practice across pod security, network separation and hardening, authentication and authorization, audit logging and collection, and continuous monitoring and threat detection. For operational visibility, Kubernetes – Logging covers native logging, cluster auditing, seccomp auditing, and log forwarding to strengthen incident response and compliance. To round out defender knowledge with attacker perspective, Kubernetes – Offensive Security uses labs such as Kube‑hunter, Attacking the Kubelet API, and Not So Secret to surface common misconfigurations and demonstrate how to detect and remediate them.

This category is ideal for DevOps and platform engineers, SREs, cloud security practitioners, SOC analysts, and red/purple teamers. After completing these collections, learners will be equipped to design and operate resilient clusters, enforce least privilege, align with NSA/CISA hardening guidance, instrument robust logging and auditing, proactively identify weaknesses, and respond effectively to Kubernetes‑focused threats.

Collections

Kubernetes – Fundamentals

Kubernetes – Pod Security

CISA and NSA Kubernetes Hardening Guidance

Kubernetes – Logging

Kubernetes – Offensive Security

Offensive Cyber

Web App Hacking

The Web App Hacking category on the Immersive Labs cybersecurity training platform builds hands-on skills for identifying, exploiting, and mitigating weaknesses in modern web applications. Learners start with strong fundamentals in collections like Introduction to Web App Hacking, which covers mapping applications, reviewing page source, using OWASP ZAP, and common flaws such as directory traversal and command injection. The OWASP Top 10 (2021) collection reinforces core risk areas—Broken Access Control, Injection, Security Misconfiguration, and more—while Hack Your First Web Application guides learners through enumeration to exploiting low-, medium-, and high-risk issues. Practical tooling is covered in the Burp Suite collection, and related foundations are supported by Databases and Introduction to Penetration Testing for broader context.

Deeper technical capability is developed through targeted tracks such as SQL Injection Basics and the advanced SQL Injection collection, Cross-Site Scripting (XSS), and Server-Side Template Injection, alongside Authentication and Authorization Flaws and Intermediate Web App Hacking for topics like SSRF, XXE, JWT weaknesses, and log poisoning. Real-world exposure comes from the extensive CVEs (Web App Hacking) collection, where learners investigate high-impact vulnerabilities—including Spring4Shell (CVE-2022-22965), Apache Struts flaws, Redis Lua RCE, Dirty Pipe, and Text4Shell—across both offensive and defensive scenarios to understand exploitation, detection, and remediation. Language-specific risks are addressed in OWASP (2017) Java, and skills are validated in the Assessment: Web Application Security Testing. This category is ideal for aspiring and practicing penetration testers, defenders, and developers; by completing it, learners will be equipped to test web applications end to end, communicate risk effectively, and implement practical fixes and controls.

Collections

CVEs (Web App Hacking)

OWASP Top 10 (2021)

Introduction to Web App Hacking

Authentication and Authorization Flaws

OWASP (2017) Java

Cross-Site Scripting (XSS)

Intermediate Web App Hacking

SQL Injection Basics

Hack Your First Web Application

Server-Side Template Injection

Burp Suite

Databases

Introduction to Penetration Testing

SQL Injection

Assessment: Web Application Security

Infrastructure Hacking

Infrastructure Hacking on the Immersive Labs cybersecurity training platform covers the end-to-end skills required to assess, exploit, and defend modern enterprise infrastructure. Learners progress from core reconnaissance, enumeration, and protocol abuse through privilege escalation, lateral movement, persistence, and post-exploitation, with mappings to adversary behavior via the MITRE ATT&CK collection. Alongside network and operating system tradecraft, the category extends into Active Directory, Kerberos, databases, embedded and automotive systems, and practical tool usage that mirrors real-world operations.

Hands-on collections anchor these skills. The CVEs (Infrastructure Hacking) and CVEs (Privilege Escalation) collections immerse learners in reproducing and mitigating high-impact vulnerabilities such as Log4j, PrintNightmare, ProxyLogon, F5 BIG-IP flaws, and PwnKit—often with paired offensive and defensive labs to reinforce both perspectives. Infrastructure Pen Testing and the Infrastructure Hacking collections build practical tradecraft—network enumeration, SNMP, Java RMI, pivoting, Kerberoasting, Responder, and DNS hijacking—while Introduction to Metasploit and Post Exploitation With Metasploit develop proficiency with modules, payloads, Meterpreter, and pivoting. Privilege Escalation: Windows and Privilege Escalation: Linux focus on identifying misconfigurations and exploiting SUID bits, cron jobs, weak services, and DLL hijacking. Windows Exploitation and Persistence deepen capability in evasion and long-term access, and Credential Access covers password spraying, dumping, and cracking with tools like Mimikatz and John the Ripper. For enterprise identity attacks, Kerberos and Introduction to Active Directory Attacks teach ticket theft, delegation abuse, and BloodHound analysis. Offensive PowerShell and PoshC2 build scripted tradecraft and command-and-control operations; Discovery accelerates enumeration; Databases introduces SQL, MongoDB, and osquery; and IoT & Embedded Devices plus CANBus extend expertise beyond traditional IT. The Tuoni 101 and 102 series adds real-world operator workflows such as listeners, payloads, redirectors, and lateral movement, with an Assessment: Infrastructure Security to validate readiness.

This category is designed for penetration testers, red teamers, SOC analysts, incident responders, and system administrators seeking practical, repeatable skills. Graduates will be equipped to emulate adversaries using ATT&CK, identify and exploit weaknesses, prioritize and remediate CVEs, harden Windows and Linux estates, operate C2 frameworks responsibly, and communicate findings that measurably improve infrastructure security.

Collections