Q: I am a beginner. Which training should I start with?
Your best option is the flagship Zero Day Engineering training. It covers all the bases with non-trivial details, and is specifically created for beginners. If you're looking at mini-classes for starters, try the "Hacking Open Source Fuzzers for Smarter Bughunting" on-demand mini-class, or anything else that looks interesting in the VULNDEV 102 series. It is suitable for all levels, with deep dives and advanced bits that you can revisit later as you progress.
Q: I employ an intern specialized in %SUBJECT%. Should I send him/her to a mini-class or to a full training?
Probably both. Conceptually, the main difference between full trainings and mini-classes is that full trainings are designed to establish a firm systematical foundation in a particular subject, while aiming to be both deep and comprehensive; while mini-classes are designed to augment existing knowledge base with ultra-narrow deep dives on an extremely specialized topic. So depending on your intern's level, you may want to send him/her to the full training first and then develop it with mini-classes, or the other way around.
Q: Can I trust you?
It's up to you! Training is not my main business and I don't strictly need your money, so I will not be running after you proving myself and convincing you to book. I am a participant in Pwn2Own competitions, which is documented both on the organizer's blog and in the competitions livestream recording. I have a personal Wikipedia page. My Twitter handle @alisaesage has a verified badge. My training courses have reviews from security researchers that you probably heard of. Website payments are handled by a well established e-commerce company that offers many layers of fraud protection nowadays (though honestly, I prefer Bitcoin!). If that's not enough, then you probably should attend a training on critical thinking and risk management, not on zero day engineering and vulnerability research. And then again, do you really need any trust to learn from someone the knowledge that is trivially falsifiable? Critical thinking right here.
Q: What is the content overlap between the different trainings that you offer?
There is virtually no overlap in quality content. All my training courses are very optimized for their respective purposes, meaning that the content of each training is developed specifically. Obviously, some common slides would be reused, such as abstract models or operating system fundamentals. There may be a small (under 10%) content overlap between training courses in the same subject line (for example, between the Hypervisor Vulnerability Research and Advanced Hypervisor Exploitation courses, that both cover hypervisors and virtualization). The overlapped content would be such topics that are shared and essential between the both training courses - for example, the Hypervisor Threat Model, or certain important vulnerability case studies. Between mini-classes and full trainings the content overlap may be upto 30-50% on the miniclass side (or around 2 hours' worth of). This is a feature. Note that, a training or a mini-class is not only content. In practice, a huge deal of valuable information is contained in the details that are narrated by an experienced instructor, but not fixed in the training content deliverables. Because of that, each training session even of the same training course is different, and de-facto perceived content overlap (if any) should really be negligible in all cases. To put it simply, you are not only welcome to take multiple trainings - they were specifically designed to be taken progressively by returning students.
Q: I hear that it's not possible to do a quality online training.
Bullshit. All my trainings are optimized for online experience, it works perfectly and my students have been learning enough so far to grab some big bounties and present at big conferences with that knowledge.
Q: What is a self-paced training? (Or an on-demand mini-class)
A self-paced training is a recording of a live/online training. It offers exactly the same content as live/online training, with the added bonus that you can self-schedule your study over extended or split periods of time. However, for self-paced students the instructor would be available for questions and feedback over email and not instantly as during a live training. Actually, a self-paced training is a really sweet deal, because it lets you attend the training twice at a great price point (first in recording, and then attend the live/online training on the same subject within a year).
Q: What is the value of a training certificate from a small brand?
Zero Day Engineering LLC offers simple training completion certificates for all the full (2-day or 4-day) trainings. You can put it out on your CV to impress a prospective employer. The insight is that nowadays everyone has a BS degree, plays CTF games and hunts for bug bounties. So if that's your main self-presentation points in your CV, you are not standing out of a big crowd of contenders. On the other hand, many CEOs in the security industry have heard about me and respect my work, so a training certificate awarded by Zero Day Engineering LLC would give you an instant advantage over the competition. At the very least, your prospective employer will apreciate the smarts that it takes to discover a top-value training system which is neither broadly advertised nor introduced at entry-level industry events. To take the employment advantage point even further, you can try to get an extended type of certificate (Training Achievement certificate) that not just proves attendance, but also proves (to some extent) your success at integrating the training knowledge.
Q: How do you get a Training Achievement certificate?
By default, all attendees of full trainings are awarded a simple Training Completion certificate. It proves that the student has attended the training, and nothing else. In addition, students with Advanced package seats in live trainings can aim for a Training Achievement certificate that grants them a CV-friendly distinction. Training Achievement certificates offer two levels of distinction. You get a "plus" on your certificate grade (such as C0DE3+, more on the "C0DEz" later), if you were actively engaged in the live training, completed most assignments, and asked relevant questions, suggesting that you're keeping up with the study well. Thus, from the perspective of an external observer, a "plus" certificate is a simple indicator that the student didn't just sit through the training consuming content, but actually learned something, and demonstrated a good grasp of the training subject. Next level of distinction is given with a "plus plus" certificate, on which your grade would look like this: C0DE3++. This distinction is given if the student was able to show that s/he has successfully internalized the knowledge given at the training. As a student, you ask for this kind of certificate by sending us an email with some proof of independent achievement: such as a zero day bug found, a non-trivial research article published or a tool designed based on what you have learned from the training. Both "plus" and "plus plus" certificates are currently awarded at the instructor's discretion, there is no formal assessment whatsoever, that may change in the future.
Q: Why don't you offer your trainings at security conferences?
There is a number of reasons why Zero Day Engineering trainings are not offered at security conferences. One reason is that conferences offer a revenue share model that doesn't really favor (or even respect, in many cases) the training creator and instructor. For example, some conferences may take upto 80% of your training ticket payment while leaving a meager 20% for the creator. This is not fair. On the other hand, because my trainings are already quite successful and trusted, I don't need the extra value that a conference brand can lend - such as credibility, organizing ticket sales, handling payments, reaching new potential attendees, providing physical space and feeding attendees, and promotion. Thus, most conference training deals simply don't make sense to me. Another reason is travel costs - meaning costs in a broad sense, and not just air fare and hotel room reservation. For example, there is a lot of time wasted in transit and on travel visa procedures, which I prefer to keep on hands for my technical research projects. All Zero Day Engineering trainings are optimized for online classes, so an in-person presentation is not strictly necessary. With all that said, I don't mind conference-hosted training in principle, so if you are a conference representative, feel free to get in touch.
Q: I am from the United States. Are you able to work with me?
No problem. I decided not to block out any attendees by nationality or citizenship, or by any other attributes, for now.
Q: I am from the United States. Is there a chance that you'll offer a public training in my time zone?
Currently all my online trainings are held in the time slot 09-17 UTC, that was chosen as a universal time to cover most of the world's time zones, with some inevitable trade-offs. I certainly hope to offer dedicated public trainings for US time zones, but it's not planned soon. Usually my students from the US would skip the first hours of the class, and catch up later in recordings. If that is unacceptable, a self-paced training would be your best option for now.
Q: Is there any hope for an in-person training this year?
Q: We need a custom training on a topic that is not listed on your website. Can you develop it for us?
Probably not. However, if you believe that your offer/idea is really very important for the future of humanity, email us.
Q: Can we have you for a private training at our place? Also, can you customize the trainng content for us?
Yes, it's possible in theory. For a private training the minimal group size is 10 persons. In-person training at your place will also come with a 10% surcharge to cover extra time losses and other indirect costs related to travels. Please note that training is not my main job, and my yearly capacity is limited to a handful of public and private trainings. I'd say that booking of private trainings should be done on at least a 6-month notice. For private trainings some minor customization would be included in the price, anything beyond that would be charged at my hourly consulting rates.
Q: What are the other payment methods mentioned on your website?
For all new attendees booking as individuals, website checkout is the preferred payment method. For returning students, corporate bookings (if your company pays for you) and private trainings, I can offer a direct wire transfer method or a Bitcoin payment option. That would be a better rate due to excluded merchant fees.
Q: Is the training ticket purchase refundable?
Website purchases are non-refundable due to merchant fees being non-refundable on their side. Payments by other methods are refundable for up to one week before the event.