Section 1: Introduction
10 Lessons
1. Welcome to the Training
2. Contrasting IT and OT
3. Attack Surface and Common Security Challenges
4. Evolution of Industrial Devices
5. Evolution of Industrial Communication
6. Default Credentials and Exposed Controllers
7. Framework for OT Resilience Testing and Risk Evaluation in Security Scenarios
8. Classification of Penetration Testing in this Training
9. Recap of IPv4 Addresses and Subnetting
10. Section 1 Summary and Community Q&A

Section 2: Offensive OSINT
6 Lessons
11. Welcome to Offensive OSINT
12. Default Credentials in Industrial Devices
13. Google Dorking for Finding Industrial Controllers and Human Machine Interfaces
14. Using Shodan, ICSRank and Ipinfo.io
15. Finding Vulnerabilities with CISA's ICS Advisories
16. Section 2 Summary and Community Q&A

Section 3: Setting Up Your Virtual Lab
8 Lessons
17. Welcome to Setting Up Your Virtual Lab
18. Understanding Virtualization and Virtual Machines
19. Installation of Oracle VirtualBox
20. Installing the Kali Linux VM and Running the Installation Script
21. Installing the Ubuntu Desktop VM
22. Running the Installation Script
23. Setting Up the Virtual Host-Only Network
24. Section 3 Summary and Community Q&A

Section 4: Introduction to Kali Linux and Penetration Testing Tools
12 Lessons
25. Welcome to Kali Linux Penetration Testing Tools
26. Netdiscover
27. Nmap Essentials
28. Snmp-Check for Device Enumeration
29. Dirb for Industrial Webserver Directory Traversal
30. Nmap Scripting Engine
31. Metasploit Framework
32. Exploit Database (Exploit-DB)
33. Wireshark
34. Other Tools for Industrial Penetration Testing
Section 4 Quiz
35. Section 4 Summary and Community Q&A

Section 5: Siemens Simatic S7 Controller Penetration Testing
26 Lessons
36. Welcome to Siemens Simatic S7 Controller Penetration Testing
37. Introduction to Programmable Logic Controllers
38. Introduction to Simatic S7 Controllers
39. S7Comm Protocol Stack
40. NSE Script s7-info
41. Siemens_scanner and CPU Command (ExploitDB) in Metasploit
42. SiemensScan Python Script
43. Dissecting S7Comm with Wireshark
44. OSINT Task Exposed S7 Devices on Shodan
45. OSINT Solution Exposed S7 Devices on Shodan
46. OSINT Task Google Dorks for S7 Webservers
47. OSINT Solution Google Dorks for S7 Webservers
48. OSINT Task Default Credentials for Siemens Devices
49. OSINT Solution Default Credentials for Siemens Devices
50. Pentesting a Real Siemens Simatic S7-1200 PLC
51. Pentesting a Real Siemens Simatic S7-1500 PLC
52. S7-1500 Penetration Testing Assignment
Section 5: Mid-Section Quiz
53. Hint Video Methodology and Steps for S7-1500 Penetration Testing
54. Step 1 Host Discovery
55. Step 2 Scanning for Open Ports
56. Step 3.1 + 3.2 Visiting the Webserver and NSE Script Scan
57. Step 4 ExploitDB CPU Command Module in Metasploit
58. Findings and Mitigation Strategies
59. Penetration Testing Report with ChatGPT
60. Section 5 Summary and Community Q&A

Section 6: MQTT Penetration Testing
23 Lessons
61. Welcome to MQTT Penetration Testing
62. Smart Factories
63. IIoT Communication with MQTT
64. Industrial Edge Devices Simatic IOT20xx and RevPi
65. Moxie
66. Mosquitto Client
67. NSE Script mqtt-subscribe
68. Dissecting MQTT with Wireshark
69. OSINT Task Exposed MQTT Brokers on Shodan
70. OSINT Solution Finding Exposed MQTT Brokers on Shodan
71. Pentesting a Real Siemens Simatic IOT2000 Industrial MQTT Broker
72. Smart Factory IIoT Penetration Testing Assignment
Section 6: Mid-Section Quiz
73. Hint Video Methodology and Steps for IIoT Penetration Testing (No Spoilers)
74. Step 1 Host Discovery
75. Step 2 Scanning for Open Ports
76. Step 3 Service Detection and NSE Script Scan
77. Step 4.1 MQTT Detection and Listening with Moxie
78. Step 4.2 MQTT Listening with mosquitto_sub
79. Step 5 Flooding/DoS-ing the MQTT Broker
80. Findings and Mitigation Strategies
81. Penetration Testing Report with ChatGPT
82. Section 6 Summary and Community Q&A

Section 7: Rockwell Allen Bradley Controller Penetration Testing
21 Lessons
83. Welcome to Rockwell Allen Bradley Controller Penetration Testing
84. Introduction to Rockwell Allen Bradley 1756-L61B LOGIX5561 Controller
85. EnIP & CIP Protocol Stack
86. EnIP & CIP Exploit Modules in Metasploit
87. NSE Script enip-info
88. Dissecting EnIP & CIP with Wireshark
89. OSINT Rockwell Allen Bradley Default Credentials
90. OSINT Task Exposed Rockwell Allen Bradley Controllers on Shodan
91. OSINT Solution Finding Exposed Rockwell Allen Bradley Controllers on Shodan
92. Penetration Testing Assignment
Section 7: Mid-Section Quiz
93. Hint Video Methodology and Steps for EnIP/CIP Penetration Testing (No Spoilers)
94. Step 1 Host Discovery
95. Step 2 Scanning for Open Ports
96. Step 3.1 Directory Traversal of the PLC Webserver
97. Step 3.2 Service Detection and NSE Script Scan
98. Step 4.1 Metasploit Module 1
99. Step 4.2 Metasploit Module 2
100. Findings and Mitigation Strategies
101. Penetration Testing Report with ChatGPT
102. Section 7 Summary and Community Q&A

Section 8: Fuel Station Controller Penetration Testing
19 Lessons
103. Welcome to Fuel Station Controller Penetration Testing
104. Introduction to Veeder Root TLS-350 Automated Tank Gauge (ATG) Controller
105. Configuration of the ATG with Function Codes using the Telnet Console
106. NSE Script atg-info
107. Metasploit Module atg_client
108. Dissecting ATG Communication with Wireshark
109. OSINT Task Exposed ATG Controllers on Shodan
110. OSINT Solution Exposed ATG Controllers on Shodan
111. Penetration Testing Assignment
Section 8: Mid-Section Quiz
112. Hint Video Methodology and Steps for ATG Penetration Testing (No Spoilers)
113. Step 1 Host Discovery
114. Step 2 Scanning for Open Ports
115. Step 3 NSE Script Scan
116. Step 4 Information Disclosure
117. Step 5 Setting Tampering
118. Findings and Mitigation Strategies
119. Penetration Testing Report with ChatGPT
120. Section 8 Summary and Community Q&A

Section 9: Human Machine Interface Penetration Testing
22 Lessons
121. Welcome to Human Machine Interface Penetration Testing
122. Introduction to Human Machine Interfaces
123. HMI Panel Devices, Remote Access and HMI Screen Design
124. NSE Scripts vnc-brute, vnc-info, vnc-title
125. Introduction to Metasploit Modules vnc_none_auth and vnc_login
126. Hydra
127. Vncviewer
128. Exposed HMI on Shodan
129. Pentesting a Real Siemens Simatic HMI KTP 400 Panel
130. Penetration Testing Assignment 1
Section 9: Mid-Section Quiz
131. Hint Video 1 Methodology and Steps for HMI Penetration Testing (No Spoilers)
132. Step 1.1 Combined Discovery
133. Step 1.2 NSE Script Scan
134. Step 1.3 Accessing the HMI
135. Penetration Testing Assignment 2
136. Hint Video 2 Methodology and Steps for HMI Penetration Testing (No Spoilers)
137. Step 2.1 NSE Script Scan
138. Step 2.2 Brute-Force Attack with Hydra and Access to the HMI
139. Findings and Mitigation Strategies
140. Penetration Testing Report with ChatGPT
141. Section 9 Summary and Community Q&A

Section 10: Modbus Controller Penetration Testing
25 Lessons
142. Welcome to Modbus Controller Penetration Testing
143. Introduction to Modicon Industrial Controllers and Modbus
144. Modbus TCP Protocol Stack
145. NSE Scripts modicon-info, modbus-discover
146. Metasploit Modbus Modules detect, banner_grabbing, findunitid, modicon_command
147. Memory of an Industrial Controller
148. Modbus Commandline Interface
149. Dissecting Modbus Communication with Wireshark
150. OSINT Task Exposed Modbus Controllers on Shodan
151. OSINT Solution Exposed Modbus Controllers on Shodan
152. OSINT Task Google Dorks for Exposed Schneider Electric Webservers
153. OSINT Solution Google Dorks for Exposed Schneider Electric Webservers
154. OSINT Task Default Credentials for Schneider Electric Devices
155. OSINT Solution Default Credentials for Schneider Electric Devices
156. Pentesting a Real Schneider Electric Modicon M221 PLC
157. Penetration Testing Assignment
Section 10: Mid-Section Quiz
158. Hint Video Methodology and Steps for Modbus Penetration Testing (No Spoilers)
159. Step 1 Combined Discovery
160. Step 2 Enumeration with Metasploit
161. Step 3 Memory Access
162. Step 4 Memory Manipulation
163. Findings and Mitigation Strategies
164. Penetration Testing Report with ChatGPT
165. Section 10 Summary and Community Q&A

Section 11: IEC-104 Substation Penetration Testing
16 Lessons
166. Welcome to IEC-104 Substation Penetration Testing
167. Introduction to IEC-104
168. IEC-104 Protocol Stack Frames, ASDUs and Commands
169. NSE Script iec-identify
170. Metasploit Module iec104
171. Dissecting IEC-104 Communication with Wireshark
172. Penetration Testing Assignment
Section 11: Mid-Section Quiz
173. Hint Video Methodology and Steps for IEC-104 Penetration Testing (No Spoilers)
174. Step 1 Combined Discovery
175. Step 2 Exposed Webservices and NSE Script Scan
176. Step 3 Dumping the ASDU
177. Step 4 Manipulating Information Objects
178. Findings and Mitigation Strategies
179. Penetration Testing Report with ChatGPT
180. Section 11 Summary and Community Q&A

Section 12: OT Network Security Assessment
9 Lessons
181. Welcome to OT Network Security Assessment
182. Introduction to Historically Evolved Shop Floors, OT Networks, and VPN Access
183. Asset Inventory
184. Security Assessment Assignment
Section 12: Mid-Section Quiz
185. Hint Video
186. OT Network Assessment Host Discovery, Asset Inventory Matching
187. Findings and Mitigation Strategies
188. Section 12 Summary and Community Q&A

Section 13: Understanding Security Challenges
7 Lessons
189. Welcome to Understanding Security Challenges
190. Common Security Challenges
191. Flat OT Network Architecture
192. Internet Access Gateways
193. Adversary Maturity Levels in IEC/ISA 62443
194. Understanding Attacks with the MITRE ICS ATT&CK Framework
195. Section 13 Summary and Community Q&A

Section 14: Mitigation and Protection
7 Lessons
196. Welcome to Mitigation and Protection
197. Defense in Depth
198. System Hardening of a Siemens Simatic PLC
199. System Hardening of a Siemens Simatic HMI
200. Secure OT Network Design with Segmentation and DMZ
201. Securing Remote Access Services
202. Section 14 Summary and Community Q&A







