PentesterLab is a hands-on training platform for advanced web hacking and security code review. 700 labs. 700 video walkthroughs. Built around real CVEs and real exploitation, not gamified challenges. Used worldwide, from some of the biggest banks to small specialised red teams. Founded and run by Louis Nyffenegger since December 2011.
In late 2011, after running an in-person training at Ruxcon, Louis Nyffenegger had a folder of exercises that worked. The choice was wait for the next conference, or put the content online so people could work through it on their own time. He picked the second option. PentesterLab launched in December 2011.
The platform grew from there. New exercises added regularly. Real vulnerabilities. No filler.
PentesterLab is built and operated by Louis Nyffenegger, a pentester, code reviewer and AppSec practitioner. For seven years he ran the platform alongside a full-time security job. In September 2018 he went full-time on PentesterLab. The platform has stayed mostly solo since, with a small number of employees over the years.
Louis is also the author of CVE Archeologist's Field Guide, a methodology book that dissects ten real-world vulnerabilities across five programming languages and seventeen years of CVE history. Each chapter walks through the code, the bug, the fix, and the lessons learned. The same methodology shapes how PentesterLab exercises are built.
This matters because the content is written by the person doing the work, not by an instructional designer adapting someone else's notes. Every exercise reflects how a real reviewer or pentester actually approaches a bug.
Gamification and certifications push people to finish things. PentesterLab is not optimised for finishing. It is optimised for the moment a learner figures out the exploit themselves. That moment is the entire point.
Manual exploitation, every time. Tools find what they were built to find. Writing the exploit yourself is what teaches you the bug class. Every lab requires you to do the work.
Real environments, not abstractions. No browser-based jumpbox. No VPN tunnel hiding the network layer. You run the exploit from your own machine against a real target. That is how the job actually works.
Depth compounds, breadth does not. Each exercise builds on the last. After fifty SQL injection labs you stop guessing and start seeing patterns. That is the skill that matters on a real assessment, not a list of completed challenges.
The aha moment is the product. When you spend two hours on a lab, get nowhere, and then suddenly see it, the platform did its job. Spoon-feeding the answer would be cheaper to build and faster to consume. It would also produce nothing.
Help when you actually need it. Every lab has a deep-dive video walkthrough explaining the bug, the exploit, and the fix. The videos are there as a fallback after you have tried, not as a shortcut. They exist because real learning sometimes needs a second perspective, not because the lab is meant to be skipped.
700 hands-on labs covering web hacking and security code review. 700 deep-dive video walkthroughs. 500+ real-world CVEs reproduced as exercises, from 2014 to 2025. Code review content across Java, Python, Go, and other languages and frameworks. Badge tracks for structured progress in areas like authentication, JWT, SAML, OAuth2, deserialization, SSRF, SSTI and more. Subtitles in eight languages.
For practitioners learning JWT, OAuth2, SAML, SSTI, deserialization or other web vulnerability classes in real depth. For AppSec teams upskilling on security code review across multiple languages. For pentesters and bug bounty hunters who want to practice on real CVEs, not synthetic challenges. For engineering and security teams that prefer manual mastery over tool-driven workflows.
If you want gamified CTF-style challenges, leaderboards, or a points-based progression, there are platforms built for that. PentesterLab is not one of them. If you are preparing for OSCP or a similar certification exam, the platform will help your fundamentals but is not exam-aligned. If you want guided, hand-held content that finishes itself, the no-spoiler model will frustrate you. That is by design.
PentesterLab Enterprise gives security teams shared access to the full library, with team progress reporting and centralised billing. Customers range from global banks to specialised security consultancies. The platform is the same one used by individual practitioners worldwide. There is no watered-down "enterprise edition." Same content, same depth, same approach.