Unit 2: Vulnerability Research & Exploitation

UNIT TITLE Develop and deliver a vulnerability research and exploit development programme

This unit develops the skills and knowledge required to find vulnerabilities in systems and write software to exploit identified vulnerabilities. This unit is primarily relevant in the intelligence and defence sectors.

It applies to individuals, employed or contractors who are working in positions of authority and are approved to implement change within a department or across the organisation. They have responsibility for directly supervising others.

No occupational licensing, certification or specific legislative requirements apply to this unit at the time of publication.

Elements describe the essential outcomes of the unit Performance criteria describe the performance needed to demonstrate achievement of the element.
1. Build a vulnerability research and exploit development unit

1.1 Consult with senior management or client to define programme goals and targets to exploit

1.2 Conduct an analysis to select and identify software and hardware targets to exploit

1.3 Establish goals and human, technological, equipment and time resource requirements to find and exploit target software

1.4 Identify relevant team members and stakeholders and allocate roles and responsibilities

1.5 Develop policies, procedures, methodologies, report templates and supporting documents

1.6 Obtain required resources to deliver programme outcomes

2. Discover and exploit vulnerabilities

2.1 Conduct vulnerabilities research to build offensive capabilities

2.2 Develop tools to automate parts of the vulnerability discovery process

2.3 Triage vulnerabilities and nominate criteria for exploitation

2.4 Write an exploit to take advantage of identified vulnerabilities

2.5 Lead and monitor team to ensure achievement of outcomes within designated timeframes

3. Document outcomes

3.1 Maintain accurate and structured records through all stages of the project

3.2 Document selected vulnerabilities, exploitation techniques employed, limitations and risks and store securely for future use


Foundation skills essential to performance are explicit in the performance criteria of this unit of competency

TITLE Assessment Requirements for CYBDDE002 Develop and deliver a vulnerability research and exploit development programme

Evidence of the ability to complete tasks outlined in elements and performance criteria of this unit in the context of the job role, and:

  • Effective use of verbal and nonverbal communication to gather information from range of stakeholders and clearly communicate with senior management, clients, stakeholders and team members
  • Language skills to translate technical findings to be understood by business and lay persons
  • Discover a minimum of three (3) unknown vulnerabilities and obtain common Vulnerabilities and Exposures references numbers from MITRE
  • Write a minimum of one (1) exploit for each of the following types of software:
    • Web Application
    • Mobile Application
    • Network Service
  • On a minimum of three (3) occasions reverse engineer a binary to discover a minimum of one vulnerability per binary

The learner must be able to demonstrate essential knowledge required to effectively do the task outlined in elements and performance criteria of this unit, manage the task and manage contingencies in the context of the work role.

This includes knowledge of:

  • Legal and ethical boundaries
  • Key vulnerability discovery and exploitation techniques:
    • Reverse Engineering
      • Code flow analysis
      • Recovering type information
      • Symbol recovery
      • Isolating interesting code and data
      • Binary diffing
    • Operating System Internals
      • User-mode vs. Kernel-mode
      • Memory Management
      • Process Lineage
      • Integrity Levels
      • Services and daemons
      • Inter-Process Communication
      • Local Inter-Process Communication
      • Remote Process Communication
      • The Windows Linker & Loader
      • Exception Handling
      • Memory protections
    • Debugging
      • Attaching the debugger
      • Setting breakpoints
      • Global flags
      • Image file execution options
    • Memory Corruption Vulnerabilities
      • Type confusion
      • Improper allocations
      • Arithmetic issues
      • Format strings
      • Memory overflows
      • Use-after-free
      • Information leakage
      • Return oriented programming
    • Web Application Vulnerabilities
      • Command injection
      • SQL injection
      • File inclusion
      • Cross-site scripting
      • Cross-site request forgery
      • Malicious file upload
      • Password guessing
      • Brute forcing
      • Insecure direct object reference
      • Security misconfiguration
      • Sensitive data exposure
      • Broken authentication and session management
    • Web Protections
      • Web application firewall
      • Brute force detection and prevention
      • User input encryption
      • User input filtering
      • Output filtering
      • Cryptography
    • Memory Protections
      • Address space layout randomization (ASLR)
      • Data execution prevention (DEP)
      • Stack and heap protections
      • Sandboxing
      • Kernel protections

Assessment may be in the form of:

  • work samples
  • written assignments
  • theoretical examination
  • observation

Both practical skills and knowledge must be assessed.

Assessor requirements

No specialist vocational competency requirements for Assessors apply to this unit.