Pwn2Own Techniques · 11-Link Exploit Chain · Pre-Configured Labs

Learn the Exploit Chains That Win Pwn2Own. Samsung S8. 11 Links.

Taught by Ken Gannon, 3x Pwn2Own winner (2023–2025) and Head of Vulnerability Research at MHL. Build a complete 3-phase, 11-link exploit chain against a Samsung Galaxy S8 — from path traversal to full device compromise. Pre-configured virtual labs. No hardware.

€500 (was €750) · Save €250
Code AAH-MAR-33
Lifetime access with updates · Unlimited exam attempts · Cloud devices — no hardware
Trusted by researchers at Google, NCC Group, Deloitte, Adobe, Revolut, PwC, EY · 26,000+ learners
// The Gap This Course Fills

Most Android security courses teach you to scan and report. Not to exploit.

You can find bugs. You can run MobSF. You can write a CVSS score. But when it comes to actually building an exploit chain — chaining path traversals into file writes into device compromise — you're stuck.

Pwn2Own winners don't stop at "identified a vulnerability." They chain 8 bugs and 3 OS features into a full-device takeover. That's what this course teaches.

AAH teaches the step after identification: full exploit chain development.

Build the exact Samsung Galaxy S8 exploit chain that wins Pwn2Own. 3 phases, 11 links, start to finish. Every bug explained. Every link built. Every technique hands-on in a pre-configured virtual lab.

Taught by Ken Gannon, who actually won Pwn2Own with these techniques. Not theory. Not slides. Working exploits.

// What's Inside AAH

Six reasons this course wins over everything else on the market.

01 Real Pwn2Own Techniques
Learn the exact vulnerability classes and chaining methodology used to win Pwn2Own. Not theoretical — these are techniques that earned cash bounties on stage.
Battle-tested at Pwn2Own

02 11-Link Samsung Exploit Chain
Build a complete exploit chain against a Samsung Galaxy S8. 8 bugs, 3 OS features, 11 links. Path traversal through arbitrary file writes to full device compromise.
End-to-end chain

03 Pre-Configured Lab VMs
Every exercise runs on a virtual Android environment you access through your browser. No physical device. No emulator setup. Pre-rooted Samsung Galaxy S8 ready in seconds.
Zero hardware required

04 Taught by Ken Gannon
3x Pwn2Own winner (2023–2025), Head of Vulnerability Research at MHL. Direct access to the researcher who built these exploit chains in competition.
Pwn2Own winner 2023–2025

05 1:1 Mentorship Sessions
Get direct video mentorship from MHL's vulnerability research team. Ask questions, get unstuck, and get feedback on your exploit development approach.
Direct researcher access

06 Lifetime Access + Certification
Course material is yours forever, auto-updated with new techniques. Certification exam included — unlimited attempts, no extra fees. Djini AI assistant when you get stuck.
Exam included

// Course Preview

Watch real exploit development.

The Road to Pwn2Own

The Pwn2Own journey and how this course builds the skills to compete at the world's top hacking competition.

Cloud Lab Environment Demo

Tour of the pre-configured virtual lab environments where you'll develop and test exploits on real Android device images.

// The 3-Phase Exploit Chain

8 bugs. 3 OS features. 11 links. Full device compromise.

Phase 1 — Initial Access

Path Traversal to Arbitrary File Writes

Discover path traversal vulnerabilities in Android application components. Chain them to achieve arbitrary file writes to controlled locations on the device filesystem.

Phase 2 — Persistence

Forced App Installation & Device Reboot

Leverage the file write primitive to force-install a malicious application package. Trigger a device reboot to activate the payload and establish persistence.

Phase 3 — Full Compromise

Device Takeover via Browser Interaction

Complete the chain through browser-based interaction to achieve full device compromise. Exfiltrate data, demonstrate impact, and document the entire chain end-to-end.

// AAH vs the Alternatives

The only course that teaches Pwn2Own-level exploit chains.

| Capability | MHL AAH | SANS SEC575 | Udemy |
|---|---|---|---|
| Real exploit chains | 11-link Samsung chain | Overview only | Not covered |
| Virtual labs | Pre-configured VMs | Physical device | Video-only |
| 1:1 Mentorship | Video sessions | | |
| Hands-on labs | 100% lab-based | Lecture-heavy | Video-only |
| Certification included | Exam included | GIAC extra ($900+) | |
| Price | €500 (33% off) | $8,000+ | $15–$200 |

* Based on publicly available curriculum information as of 2026. Competitor features subject to change.

// Full Course Syllabus

What you'll master — module by module.

6 modules. 11 chain links. From path traversal to full device compromise — every step hands-on in your virtual lab.

01 Introduction & Lab Setup
  • Course introduction with Ken Gannon (3x Pwn2Own winner)
  • The history of the Samsung Galaxy S8 Pwn2Own chain
  • Cloud lab environment setup — connecting to your pre-rooted device
  • Understanding the target: Samsung app components & attack surface
  • Exploit chain architecture: how 8 bugs + 3 OS features form 11 links
02 Phase 1 — Path Traversal & Arbitrary File Writes
  • Identifying path traversal vulnerabilities in Android application components
  • Code analysis & reverse engineering of vulnerable Samsung apps
  • Building the arbitrary file write primitive
  • Controlling file write destinations on the Android filesystem
  • Lab: Exploit the path traversal and achieve arbitrary file writes on your lab device
03 Phase 2 — Forced App Installation & Device Reboot
  • Leveraging file write primitives to force-install application packages
  • Crafting a malicious APK payload for persistence
  • Triggering a forced device reboot without user interaction
  • Establishing persistence after reboot via installed payload
  • Lab: Install your malicious package and persist across device reboot
04 Phase 3 — Full Device Compromise & Data Exfiltration
  • Combining Phase 1 & Phase 2 into a single exploit chain
  • Browser-based interaction to trigger the full chain
  • Achieving complete device compromise via a single user click
  • Exfiltrating sensitive data (photos, contacts) to attacker-controlled server
  • Lab: Execute the full compromise chain and exfiltrate data from the target device
05 Building Your Own Exploit Chain
  • Programming your own version of the complete bug chain
  • End-to-end chain testing, debugging & optimization
  • Impact demonstration & documentation for reports
  • Using Djini AI to accelerate vulnerability research
  • Lab: Replicate the Pwn2Own chain — compromise the device on your own
06 Certification & Mentorship
  • 1:1 mentorship video sessions with MHL's vulnerability research team
  • Certification exam preparation & walkthrough
  • Practical hands-on exam — unlimited attempts, no extra fees
  • Applying exploit chain techniques to new targets
  • Lifetime access to course updates as new techniques emerge
// Limited Time Offer

Get 33% off Advanced Android Hacking.

Advanced Android Hacking: Road to Pwn2Own

Taught by Ken Gannon · Pwn2Own winner 2023–2025

€500 (was €750)
Save €250 — 33% off
  • Full course: 11-link Samsung Galaxy S8 exploit chain
  • 90-day access to pre-configured virtual lab environments
  • 1:1 mentorship video sessions
  • AI bug-finding tools (Djini AI)
  • Certification exam included
  • Lifetime course access with updates
Code AAH-MAR-33
// Common Questions

Straight answers.

Do I need a physical Android device or Samsung hardware?
No. All labs run on pre-configured virtual Android environments that you access through your browser. There is no hardware to buy, no device to root, and no emulator to configure. You get 90 days of lab access included with the course.
What is the Samsung exploit chain I'll be building?
You will build a complete exploit chain against a Samsung Galaxy S8 that chains 8 distinct bugs and 3 OS features into an 11-link attack. The chain starts with path traversal vulnerabilities to achieve arbitrary file writes, escalates through forced app installation and device reboot, and culminates in full device compromise. These are the same techniques used in real Pwn2Own competitions.
Is there 1:1 mentorship included?
Yes. The course includes 1:1 mentorship video sessions with MHL's vulnerability research team. You can ask questions, get help when you are stuck on a specific chain link, and receive feedback on your exploit development approach. This is direct access to researchers who actively compete in Pwn2Own.
How does the promo code work?
Enter the promo code AAH-MAR-33 at checkout. The 33% discount (saving you €250) will be applied automatically. The code reduces the price from €750 to €500 and includes the full course, 90 days of lab access, and the certification exam.
How does this compare to SANS SEC575?
SANS SEC575 is a broad mobile security overview that costs $8,000+ before the optional GIAC certification ($900+). AAH goes significantly deeper on exploitation — you build a complete 11-link exploit chain against real hardware, learn Pwn2Own techniques from an actual winner, and get 1:1 mentorship. At €500, AAH delivers deeper exploitation training at a fraction of the cost, with the certification exam included.
Is there a free trial?
MHL offers free access to Android App Security and iOS App Security labs — full lab environments, real vulnerability targets. Try those first to see what the MHL lab experience feels like, then decide on the AAH course.
33% Off · Lifetime Access · Exam Included

Start building Pwn2Own-level exploit chains.

€500 instead of €750. Course, 90-day labs, certification exam, 1:1 mentorship — all included. Taught by Ken Gannon, 3x Pwn2Own winner. Use code AAH-MAR-33.