Limited Time · 33% Off

Learn the Exploit Chains
That Win Pwn2Own.

Taught by Ken Gannon, Pwn2Own winner 2023-2025 and Head of Vulnerability Research at MHL. Build a 3-phase, 11-link exploit chain against a Samsung Galaxy S8 — from path traversal to full device compromise. Pre-configured virtual labs. No hardware needed.

€750 €500 Save €250

Get 33% Off Now → Try Free Labs First

Lifetime access with updates

Unlimited exam attempts

Cloud devices — no hardware needed

26,000+ learners worldwide

Trusted by researchers from

Lifetime Updated Access

Course material is yours forever. Auto-updated with new techniques, tools, and exploit chains as they emerge.

Unlimited Exam Attempts

Take the certification exam as many times as needed. No extra fees. No pressure. Pass when you're ready.

Cloud VMs & Mobile Devices

Pre-rooted Android devices and ARM64 VMs in the cloud. No hardware to buy. Launch a lab in your browser.

Real End-to-End Exploits

Not slides and theory. Build working exploit chains from vulnerability discovery to full device compromise.

Samsung Galaxy S8

Real ARM64 firmware. The same target Ken Gannon used at Pwn2Own.

Pre-Rooted

Full filesystem access, debugger attached, all tools pre-installed.

<1m

Instant Access

Browser-based. Spins up in under 60 seconds from any machine.

9:41MHL Lab

11-Link Exploit Chain

Path traversal to full device compromise — every link explained.

90d

90-Day Access

Lab environment included with enrollment. Extend anytime.

Djini AI Assistant

AI-powered hint system when you get stuck on a chain link.

Course preview

Watch Real Exploit Development

Sample lessons from the course. No slides, no theory dumps — watch actual vulnerability exploitation on real Android devices.

Road to Pwn2Own — Course Introduction

Ken Gannon (3x Pwn2Own winner) introduces the Advanced Android Hacking course and the 11-link Samsung Galaxy S8 exploit chain you'll learn to build from scratch.

The Road to Pwn2Own

Course sample: the Pwn2Own journey, what it takes to compete at the world's top hacking competition, and how this course builds the skills to get there.

Cloud Lab Environment Demo

Tour of the pre-configured virtual lab environments where you'll develop and test exploits on real Android device images. No hardware needed.

What you'll learn

The 3-Phase Exploit Chain

Reverse-engineer and replicate a real Samsung Galaxy S8 exploit chain — 8 bugs, 3 OS features, 11 total links in the chain.

Phase 1 — Initial Access

Path Traversal to Arbitrary File Writes

Discover path traversal vulnerabilities in Android application components. Chain them to achieve arbitrary file writes to controlled locations on the device filesystem.

Phase 2 — Persistence

Forced App Installation & Device Reboot

Leverage the file write primitive to force-install a malicious application package. Trigger a device reboot to activate the payload and establish persistence without user interaction.

Phase 3 — Full Compromise

Device Takeover via Browser Interaction

Complete the chain through browser-based interaction to achieve full device compromise. Exfiltrate data, demonstrate impact, and document the entire chain end-to-end.

Why this course

Built for Serious Exploit Developers

Real Pwn2Own Techniques

Learn the exact vulnerability classes and chaining methodology used to win Pwn2Own. Not theoretical — these are techniques that earned cash bounties on stage.

Pre-Configured Lab VMs

Every exercise runs in a virtual Android environment you access through your browser. No physical device. No emulator setup. No wasted time on configuration.

Real Samsung Exploit Chain

Build a complete exploit chain against a Samsung Galaxy S8. 8 bugs, 3 OS features, 11 links. Path traversal through arbitrary file writes to full device compromise.

1:1 Mentorship Sessions

Get direct video mentorship from MHL's vulnerability research team. Ask questions, get unstuck, and get feedback on your exploit development approach.

AI Bug-Finding Tools (Djini)

Access Djini AI, MHL's proprietary bug-finding assistant. Use AI-augmented analysis alongside manual techniques to accelerate your vulnerability research workflow.

Lifetime Access + Certification

Lifetime access to course content with updates as new techniques emerge. Certification exam included — prove your exploit development skills with a recognized credential.

How it compares

MHL AAH vs the Alternatives

Feature	MHL Advanced Android Hacking	SANS SEC575	Udemy
Real exploit chains	✓ 11-link Samsung chain	✗ Overview only	✗ Not covered
Virtual labs	✓ Pre-configured VMs	Physical device required	✗ Video-only
1:1 Mentorship	✓ Video sessions	✗	✗
Hands-on labs	✓ 100% lab-based	Lecture-heavy	Video-only
Certification included	✓ Exam included	GIAC extra ($900+)	✗
Price	€500 (33% off)	$8,000+	$15 - $200

Full course syllabus

What You'll Master — Module by Module

6 modules. 11 chain links. From path traversal to full device compromise — every step hands-on in your virtual lab.

01 Introduction & Lab Setup

▸ Course introduction with Ken Gannon (3x Pwn2Own winner)
▸ The history of the Samsung Galaxy S8 Pwn2Own chain
▸ Cloud lab environment setup — connecting to your pre-rooted device
▸ Understanding the target: Samsung app components & attack surface
▸ Exploit chain architecture: how 8 bugs + 3 OS features form 11 links

02 Phase 1 — Path Traversal & Arbitrary File Writes

▸ Identifying path traversal vulnerabilities in Android application components
▸ Code analysis & reverse engineering of vulnerable Samsung apps
▸ Building the arbitrary file write primitive
▸ Controlling file write destinations on the Android filesystem
▸ Lab: Exploit the path traversal and achieve arbitrary file writes on your lab device

03 Phase 2 — Forced App Installation & Device Reboot

▸ Leveraging file write primitives to force-install application packages
▸ Crafting a malicious APK payload for persistence
▸ Triggering a forced device reboot without user interaction
▸ Establishing persistence after reboot via installed payload
▸ Lab: Install your malicious package and persist across device reboot

04 Phase 3 — Full Device Compromise & Data Exfiltration

▸ Combining Phase 1 & Phase 2 into a single exploit chain
▸ Browser-based interaction to trigger the full chain
▸ Achieving complete device compromise via a single user click
▸ Exfiltrating sensitive data (photos, contacts) to attacker-controlled server
▸ Lab: Execute the full compromise chain and exfiltrate data from the target device

05 Building Your Own Exploit Chain

▸ Programming your own version of the complete bug chain
▸ End-to-end chain testing, debugging & optimization
▸ Impact demonstration & documentation for reports
▸ Using Djini AI to accelerate vulnerability research
▸ Lab: Replicate the Pwn2Own chain — compromise the device on your own

06 Certification & Mentorship

▸ 1:1 mentorship video sessions with MHL's vulnerability research team
▸ Certification exam preparation & walkthrough
▸ Practical hands-on exam — unlimited attempts, no extra fees
▸ Applying exploit chain techniques to new targets
▸ Lifetime access to course updates as new techniques emerge

Limited time offer

Get 33% Off Advanced Android Hacking

Advanced Android Hacking: Road to Pwn2Own

Taught by Ken Gannon · Pwn2Own winner 2023-2025

€750 €500

Save €250 — 33% off

Full course: 11-link Samsung Galaxy S8 exploit chain
90-day access to pre-configured virtual lab environments
1:1 mentorship video sessions
AI bug-finding tools (Djini AI)
Certification exam included
Lifetime course access with updates

Get 33% Off Now →

Common questions

FAQ

Do I need a physical Android device or Samsung hardware?

No. All labs run on pre-configured virtual Android environments that you access through your browser. There is no hardware to buy, no device to root, and no emulator to configure. You get 90 days of lab access included with the course.

What is the Samsung exploit chain I'll be building?

You will build a complete exploit chain against a Samsung Galaxy S8 that chains 8 distinct bugs and 3 OS features into an 11-link attack. The chain starts with path traversal vulnerabilities to achieve arbitrary file writes, escalates through forced app installation and device reboot, and culminates in full device compromise through browser interaction and data exfiltration. These are the same techniques used in real Pwn2Own competitions.

Is there 1:1 mentorship included?

Yes. The course includes 1:1 mentorship video sessions with MHL's vulnerability research team. You can ask questions, get help when you are stuck on a specific chain link, and receive feedback on your exploit development approach. This is direct access to researchers who actively compete in Pwn2Own.

How does the promo code work?

Enter the promo code AAH-MAR-33 at checkout on the Mobile Hacking Lab website. The discount of 33% (saving you €250) will be applied automatically. The code reduces the price from €750 to €500 and includes the full course, 90 days of lab access, and the certification exam.

How does this compare to SANS SEC575?

SANS SEC575 is a broad mobile security overview that costs $8,000+ before the optional GIAC certification ($900+). AAH goes significantly deeper on exploitation specifically — you build a complete 11-link exploit chain against real hardware, learn Pwn2Own techniques from an actual winner, and get 1:1 mentorship. At €500 with the promo code, AAH delivers deeper exploitation training at a fraction of the cost, with the certification exam included in the price.

Limited Time — 33% off with code AAH-MAR-33

Start Building Pwn2Own-Level Exploit Chains.

€500 instead of €750. Course, 90-day labs, certification exam, 1:1 mentorship — all included. Taught by Ken Gannon, 3x Pwn2Own winner.