No multiple choice. No videos. You write the exploit — the judge proves it worked.
Three steps, no multiple choice.
Write the exploit
Pick a concept on the roadmap, read a scenario tied to a real CVE/CWE, and write shell commands in the in-browser editor.
We boot a real target
The judge spins up a deliberately vulnerable Docker container and your attacker box on an isolated, no-egress network.
The judge proves it
Your steps run verbatim against ordered oracle stages — recon, exploit, exfil — streaming a stage-by-stage verdict with partial credit.
A curriculum that maps to the real world.
Every problem is built around a real CVE or CWE and a deliberately vulnerable target you actually break into.
Web vulnerabilities
SQLi · XSS · SSRF
Linux privesc
SUID · sudo · cron
Cryptography
hashing · protocols
Forensics & triage
PCAPs · logs · memory
Request an invite.
PwnPath is in invite-only beta while we harden the sandbox. Drop your email and we'll send a magic link when a seat opens.
magic-link or GitHub · we never ask for a password