ACTP CNO Programmer Course

Intense, Hands-on Training

A Computer Network Operations (CNO) programmer develops technologies to defend, attack and exploit computer networks. This requires a deep understanding of operating systems and software internals, combined with advanced skills in C, assembly, networking, and reverse engineering. It also requires specialized knowledge and experience that can’t be gained through conventional education or programming work.
Cyberwar is constantly changing. Learn the skills and tools you’ll need to engage on the front line.

Course Description

The CNO Programmer course is the premier offering of our Advanced Cyber Training Program (ACTP). It is an intense, hands-on course focused on developing experienced systems programmers into CNO professionals on the Windows platform. The course comprises ten classes and three “Crucible labs” for a total of 47 days of training. Each class builds on the material presented in the weeks before. The class format emphasizes lab work over lectures.

Certified Advanced Cyber Programmer

A student who completes the entire course with an 80% test average will be accredited as a ManTech Certified Advanced Cyber Programmer (CACP) – the foremost and most comprehensive CNO developer certification in the industry. Our graduates go on to do cutting-edge work as Intrusion Engineers, Reverse Engineers, and Cyber Warfare Developers.


Students should have a Bachelor’s degree in Computer Science or Computer Engineering, or equivalent experience. Strong C programming ability is required; individuals with limited experience in C should not enroll in this course. Experience in Windows programming and x86 assembly is also suggested. Success in the course requires an intense desire and capacity to learn. The course becomes progressively more difficult, so personal motivation is critical.
At this time, enrollment is limited to ManTech employees and government employees.


The instructors are an elite group of cyber professionals chosen for their technical knowledge, industry experience, and teaching skills. They understand the real-world challenges facing CNO programmers because they perform the work professionally every day.

Training Facility

Our state-of-the-art training facility, located in Hanover, MD, offers an integrated sound system, dual projectors, and elevated seating to ensure that every student has an unobstructed view of the screen and can clearly hear the instructors. Each student is assigned a developer workstation with dual monitors – no need to bring your own laptop.
The course may also be scheduled at other locations in the U.S. for classes of eight or more students.

Class Size

We keep class sizes small to ensure students receive individual attention. The typical class size is twelve to fourteen students, with a maximum of eighteen. Classes of more than ten students have an assistant instructor to provide additional support during the entire class.


Each class features one or more quizzes and a final exam. An average exam score of 80% is a passing grade. Quiz scores do not contribute to the final grade. The labs are ungraded.
Students who complete all 10 graded classes with an 80% average or better are recognized as ManTech Certified Advanced Cyber Programmers (CACPs) and receive certification. Students who do not receive a certifying grade will receive certificates of attendance.

Class Descriptions

Python (3 Days)

The Python class is an introduction to the Python programming language with an emphasis on tools and techniques that are useful for CNO tasks such as test development and vulnerability research. The class concludes with an extensive lab in which students use Python to solve a real-world forensics problem.

Networks (5 Days)

The Networks class is a practical exploration of IPv4 and IPv6 networks and sockets programming. Students use Wireshark to inspect and analyze network traffic. Python is used to write client/server applications, and to develop tools for creating and modifying packets at the Ethernet and IP layers. Concepts studied include routing, network address translation, proxies, and packet filters. Protocols include Ethernet, IP, UDP, TCP, and HTTP.

Assembly (3 Days)

The Assembly class covers the x86 (IA-32) and x86-64 (AMD64) assembly languages. Students learn to read, write, and debug assembly code. Topics include registers, flags, types, operators, memory addressing, the stack, Windows calling conventions, and string processing instructions. The class introduces the Visual Studio development environment and the WinDbg debugger.

Software Reverse Engineering (5 Days)

The Software Reverse Engineering class introduces tools and techniques for analyzing x86 and x86-64 executable files. Students use IDA Pro, WinDbg, and other tools to perform both static and dynamic reverse engineering. Students learn how to identify data types, structures, function prototypes, imports, exports, and other constructs, and how to create IDA Pro definitions to document what they’ve found. Students analyze disassembled functions and manually produce equivalent C code. Students also use WinDbg to analyze running programs, using techniques such as break on access, conditional breakpoints, and tracing. The class concludes with the analysis and exploitation of a famous real-world vulnerability.

Core Crucible (1 Day)

In the Core Crucible, students work in teams to analyze and exploit a botnet. They must use the skills and knowledge attained from the preceding classes to observe the botnet network traffic, reverse engineer the protocol it uses, and develop tools for communicating with botnet nodes. Successful communication with the botnet yields additional CNO challenges to complete and score points in a Capture-the-Flag (CTF) style event.

Windows Systems Programming (4 Days)

The Windows Systems Programming class introduces Windows development tools and the Win32 API. Students write 32- and 64-bit C programs and dynamic libraries that use APIs for file I/O, registry access, memory management, Structured Exception Handling, thread operations, asynchronous I/O, IPC mechanisms, and more.

Windows Internals (4 Days)

Windows Internals moves beyond the Win32 API introduced in the previous class to describe the advanced Windows operating system concepts used to implement it. The class begins by introducing the underlying executive system services, and then proceeds to describe other major elements of Windows in detail. Topics include: handle manipulation, process and thread manipulation, security construct manipulation, and memory manipulation.

CNO User Mode Development (5 Days)

Building on the material from the preceding classes, the CNO User Mode Development class provides instruction on fundamental techniques and best practices for CNO tool development. Lab work includes: writing position-independent code packages that can import symbols from system DLLs, injecting payload code into another process, safely hooking functions, and writing a self-deleting executable. Additional topics discussed include: CNO network communications, Windows File Protection, stealth techniques, and Windows security features. The final test includes extensive lab work.

Vulnerability Research and Exploitation (5 Days)

Students in the Vulnerability Research and Exploitation class learn how to analyze and exploit vulnerabilities in software. Several types of software vulnerabilities are discussed as well as techniques for discovering them. Students use the reverse engineering and advanced debugging techniques learned from previous classes to analyze exceptional conditions to determine if and how the target may be exploited. They craft payloads to exploit stack and heap buffer overflows. Lab work includes: target enumeration, continuity of execution, return-to-libc, ROP chains, and mitigations for SafeSEH, NX, and ASLR.

User Mode Crucible (2 Days)

In the User Mode Crucible, students work in teams to analyze and exploit a vulnerable network service. The training from the previous classes will enable them to reverse engineer the target binary and develop a CNO tool to copy files of interest from a remote target running that service. The CNO tool must operate in the presence of a Personal Security Product (PSP).

Kernel Internals (3 Days)

The Kernel Internals class expands on the user mode content to introduce students to the Windows kernel architecture and fundamentals of driver development. The class discusses the details of kernel components such as the Memory Manager, I/O Manager, Scheduler, and Object Manager. Emphasis is given to kernel functionality and data structures frequently exploited by CNO tools. Lab work includes: writing a simple driver, remote kernel debugging with WinDbg, process hiding, function hooking, and modifying kernel security constructs.

CNO Kernel Mode Development (5 Days)

The CNO Kernel Mode Development class builds on the previous class to introduce techniques useful for Windows Kernel CNO. Lab work includes: analyzing crash dumps, reverse engineering kernel code, IO processing, manipulating user mode process attributes, hooking kernel functions, injecting code into user processes, logging keystrokes, hiding objects from user mode processes, and exploiting a vulnerability in a kernel driver. The final test involves extensive lab work.

Kernel Mode Crucible (2 Days)

In the Kernel Mode Crucible, students work in teams to extend their User Mode Crucible tool to evade a more aggressive PSP. They must employ advanced CNO techniques to gain access to a privileged system process and the data it holds in a password database.

Registration and Info

Francis Foley, ACTP Administrator
Direct Dial: (443) 820-2195
Fax: (410) 712-4055

See the course schedule.