Federal Cyber Defense Skilling Academy – Vulnerability Assessment Analyst (VAA) Pathway
Learn the Skills of a Vulnerability Assessment Analyst
CISA’s Federal Cyber Defense Skilling Academy provides full-time federal employees an opportunity to focus on professional growth through an intense, full-time, three-month accelerated training program. Those interested in developing foundational cybersecurity skills are encouraged to apply.
The Vulnerability Assessment Analyst Session Is Now Closed
Continue to check back for future session dates!
The Federal Cyber Defense Skilling Academy - Vulnerability Assessment Analyst (VAA) Pathway
- What is the Vulnerability Assessment Analyst Pathway?
The Skilling Academy’s Vulnerability Assessment Analyst (VAA) Pathway helps full-time federal employees develop their cyber defense skills through training in the baseline knowledge, skills, and abilities of a vulnerability assessment analyst.
Vulnerability assessment analysts perform assessments of systems and networks within the network environment or enclave and identify where those systems and networks deviate from acceptable configurations, enclave policy, or local policy. Additionally, a vulnerability assessment analyst measures effectiveness of defense-in-depth architecture against known vulnerabilities.
The VAA Pathway provides students with the knowledge to detect weaknesses in networks and software and then take measures to correct and strengthen security within the system. The tools and techniques covered in this pathway enable students to perform a multitude of tasks, including:
- Applying Appropriate Tools for Penetration Testing
- Performing Social Engineering Tests and Reviewing Physical Security Where Appropriate
- Keeping Up to Date with Latest Testing and Hacking Methods
- Collecting Data and Deploying Testing Methodology
- Locating, Assessing, and Managing Vulnerabilities
Through the VAA Pathway, students begin to develop the skills required to engage in penetration testing and vulnerability management to prevent cyberattacks. It is important to note that these skills serve as a starting point, and additional practice and experience may be necessary for students to fully excel in this work role.
- Who Can Apply?
The Vulnerability Assessment Analyst (VAA) Pathway is an intermediate, fast-paced, three-month course. Applicants from all skill levels can apply; however, the Skilling Academy highly encourages applicants to have prior exposure to cybersecurity concepts and practices before participating.
Prospective VAA Pathway students may strongly benefit from a foundational understanding of the following:
- Basic Cybersecurity Analysis and Operations
- Systems Administration
- Intermediate Cyber Core Exposure
- Cyber Threat Modeling
- Python Programming Fundamentals
- Network Fundamentals and Operations
All full-time federal employees, in any job series and any grade or grade equivalent for non-General Schedule (GS) employees, are eligible to apply to CISA's Federal Cyber Defense Skilling Academy. Government contractors are not permitted to participate.
Each session has limited capacity. Applicants should commit to attend, participate, and complete the entire rigorous three-month session.
Participants must apply using a “.gov/.mil” email address.
Visit the National Initiative for Cybersecurity Careers and Studies (NICCS) website for comprehensive information on Vulnerability Assessment and Management.
- Participation Expectations
While in the Skilling Academy, students must abide by the requirements stated below, as agreed to in the Supervisor and Applicant Agreement and Approval Form. There are very limited exceptions to these requirements.
- The applicant is currently a full-time federal employee within the United States Government.
- The Skilling Academy will be the student's sole focus for the 40-hour, full-time work week during the entire three-month duration of the course.
- Students will refrain from conducting activities associated with their regular duty assignment, including, but not limited to, meetings, calls, and work deliverables.
- Depending on agency requirements, accepted students may be required to complete an SF-182 to receive approval from their organization to attend the Skilling Academy. Applicants should discuss the requirements of the Skilling Academy with their supervisor to ensure session requirements can be fulfilled. Applicants are responsible for working with their supervisor to confirm compliance with their home agency’s policies, to include any necessary timekeeping to ensure salary payments from their home agency are not interrupted.
- During the Skilling Academy’s instruction periods, students will be required to be on camera and in business casual attire for every class.
- Due to the rigorous and fast-paced cadence of the course, the Skilling Academy strongly advises students against taking scheduled leave during the course. If a student accrues eight unexcused absences or does not finish 20% of the labs in the Skilling Academy, they will be marked as incomplete and will not graduate from the program. Students may, however, apply to future sessions.
- Sick leave and emergency personal leave are permitted; however, it is the student’s responsibility to make up any missed class content as soon as possible.
- To ensure students do not fall behind, missed instruction days and lab work must be made up by accessing class recordings and self-study materials. Class recordings are available for two weeks after each session.
- If a student fails to complete the required work assigned in the allotted class time, the student agrees to complete the required work as soon as possible.
- If a student decides to withdraw from the session after the start date, a formal withdrawal form signed by the student’s supervisor will be required.
- To fully participate in the Skilling Academy, students must meet the following hardware and software requirements:
Minimum Configuration Requirements
- Personal or GFE laptop* or desktop computer with Windows 10 or newer
- Speakers or headset
- Camera
- Microphone
- Internet bandwidth: 10 Mbps
- CPU: 1.1 GHz, Dual Core
- RAM: 4.0 GB
- Browser: IE, Edge, Chrome, Firefox, Safari
- Apps: MS Teams
- Email: Access to federal government email account
*If you do not have a GFE laptop or desktop, you may be able to access your federal government email account and MS Teams account through another means. Contact your agency’s IT service desk for more information on accessing your federal email through non-GFE devices.
Recommended Configuration Requirements
- Internet bandwidth: 50+ Mbps
- CPU: 2.0 GHz, Quad Core or better
- RAM: 8.0+ GB
- Secondary monitor
- Sample Class Schedule
Below is a sample schedule of a typical day during the Skilling Academy. All students are required to join virtually Monday through Friday from 8 a.m. to 5 p.m. ET, excluding federal holidays. Students will not be able to maintain their alternative work schedule during the Skilling Academy. Students will return to their regular duty assignment during breaks unless the home agency has approved leave.
| Time | Event |
| --- | --- |
| 8:00 AM - 8:10 AM ET | Review daily agenda, answer any questions |
| 8:10 AM - 10:00 AM ET | Lectures |
| 10:00 AM - 12:00 PM ET | Lab time |
| 12:00 PM - 1:00 PM ET | Lunch break |
| 1:00 PM - 2:30 PM ET | Lectures |
| 2:30 PM - 4:50 PM ET | Lab time or self-study |
| 4:50 PM - 5:00 PM ET | Wrap up for the day |

*10-minute breaks will be given approximately every hour.
What Students Learn:
Vulnerability Assessment Analyst (VAA) Pathway coursework is mapped to the NICE Workforce Framework for Cybersecurity (NICE Framework) and provides valuable hands-on experience to practice VAA skills in a lab environment. As an added incentive, students receive CompTIA’s Penetration Testing (PenTest+) training and a voucher to take the certification exam. The VAA Pathway includes the following instructor-led modules:
- PEN101 - Intro to Pentesting
This module introduces students to the five phases of penetration testing. Students conduct reconnaissance, scanning, vulnerability assessment, and exploitation. After this evaluation, students are required to report on their findings. Students also explore the logistical implications of penetration testing and how to best conduct a successful penetration test within the guidelines provided.
- PEN300 - Open Web Security Application Project (OWASP) Top 10 Exploitation
Hackers routinely exploit web applications, especially as more services move to the cloud. This is despite the fact that companies can easily fix most vulnerabilities within web applications before releasing their code to the wild. This “Web Application Exploitation” module teaches students about the most common web vulnerabilities (OWASP Top 10) in modern web applications, why they often exist, and several methods to test for their existence.
- DEV300 - Hardening Personal Home Page (PHP) Web Apps
Web applications are routinely the source of many security vulnerabilities, especially as more and more move to the cloud. This is despite the fact that it is often simple to fix most web application vulnerabilities before the code is released into the wild. This module walks students through the list of the OWASP Top 10 vulnerabilities common in web application code and demonstrates various methods of secure coding to harden web applications. Specifically, this module focuses on examples A1 through A8 of the OWASP Top 10 list.
- PEN450 - Hacking and Web Exploitation
This module introduces students to the tools and techniques used in hacking and web exploitation, basic penetration testing techniques, basic web application attacks, defensive measures, and cryptographic techniques. At the conclusion of this course, students will understand the basic tools of offensive cybersecurity and which tools to use for each situation. Students will also understand basic defense measures and have practiced counteracting them.
- PEN500 - Pentesting and Network Exploitation
This module exposes students to all manner of reconnaissance, scanning, enumeration, exploitation, and pillaging for 802.3 networks. Additionally, the topics expose students to a variety of recon, discovery, scanning, enumeration, exploitation, post-exploitation, pillaging, covering one’s tracks, and persistence.
- PEN540 - Wireless Pentesting and Network Exploitation
This module introduces students to all manner of reconnaissance, scanning, enumeration, exploitation, and reporting for 802.11 networks. The lab topics expose students to a variety of survey, database creation, scripting, and attack methods that can be used to gain a foothold into a client’s network during a penetration test.
- DEV550 - Python for Pentesters
This module is an intermediate level course designed for pentesters who want to use Python to build specialized tools. This challenging course exposes students to target scanning, enumeration, exploit development, web application attacks, and persistence mechanisms through Python scripting. Upon successful completion of this module, students will have built an arsenal of more than 20 penetration testing tools.
- CompTIA PenTest+ Course and Certification
The CompTIA PenTest+ training module helps students develop the skills necessary for effective penetration testing. This module covers planning, information gathering, attacks and exploits, reporting tools, and code analysis. Participants should have intermediate knowledge of information security concepts and practical experience securing various computing environments.
- PEN550 - Advanced Pentest Bootcamp
This module is an advanced level course designed for pentesters who want to develop competency in scripting and building their own tools. This module provides students with a strong foundation in the Python scripting language at the intermediate level while taking the student much deeper into advanced techniques for penetration testing. Students learn how to look at a variety of technical situations and build specialized tools to solve problems. During the module, students create a variety of scripts and tools, including scanners, exploits, web application attack tools, and more.
- PEN600 - Advanced Web Application Exploitation
Web applications are the source of many security vulnerabilities. Because of this, many web developers try to lock down the security of their web applications. However, not all of them do it correctly or completely, leaving certain avenues of attack still open. This module explores how to search for, find, and exploit these hard-to-find vulnerabilities. At the end of this course, students will understand the shortcomings of incomplete fixes to these vulnerabilities. Students will also understand how these vulnerabilities might manifest themselves and how to modify their attack strategy to compensate.
- MAL400 - Fundamentals of Malware Analysis
This module is an introductory course that exposes students to theoretical knowledge and hands-on techniques for analyzing malware. Students learn how to identify and analyze software that causes harm to users, computers, and networks as part of an overall cyber defense and incident response plan. Understanding how malware works and what it was designed to do is crucial to thwarting future attacks.
- CYBRScore Final Assessment - Vulnerability Assessment Analyst
The CYBRScore® Vulnerability Assessment Analyst assessments are designed to assess an individual’s knowledge, skills, and abilities related to performing assessments of systems and networks within the network environment or enclave and identifying where those systems/networks deviate from acceptable configurations, enclave policy, or local policy.
- King of the Hill Capture the Flag (CTF)
In this CTF scenario, students use the skill sets of both the red team and blue team to react to a simulated environment. The goal is for the student to compromise the system(s) in the environment and plant their team flag. Students need to think both offensively and defensively to strike the appropriate balance to win the CTF. This CTF ensures that students think of security and how compromises will impact the job of defending the system.
Upcoming Sessions
Information about upcoming courses and schedules will be announced in FY25.
How to Apply
Apply for the Skilling Academy in two simple steps:
- Complete the application package – The application package consists of a Federal Resume, Statement of Interest and Supervisor and Applicant Agreement Form.
- Submit the completed application package – Submit your application package through your federal government email address.
Please review the FAQs before applying
Frequently Asked Questions
Have questions? Learn everything you need to know and more about the Federal Cyber Defense Skilling Academy by reading the FAQs below.
Contact Us
Need more information?
Contact the Skilling Academy Team by emailing SkillingAcademy@cisa.dhs.gov. Emails are typically responded to within three business days.
Federal Cyber Defense Skilling Academy Privacy Act Statement
Authority: 5 U.S.C. § 301, 44 U.S.C. § 3101, and 6 U.S.C. § 652(c)(11) authorize the collection of this information.
Purpose: The information gathered will be used to establish the federal applicant's eligibility for the Federal Cyber Defense Skilling Academy, and if selected to participate in the program, create a Cyberworld Institute (CWI) and COMTECH Corp. account, contact students about opportunities for cyber security training, and provide information about the classes offered by the Skilling Academy.
Routine Uses: Information collected may be disclosed as generally permitted under 5 U.S.C. § 552a(b) of the Privacy Act of 1974, as amended. This includes using the information as necessary and authorized by the routine uses published in DHS/ALL-003 Department of Homeland Security General Training Records, November 25, 2008, 73 FR 71656 and DHS/ALL-004 General Information Technology Access Account Records System (GITAARS), November 27, 2012, 77 FR 70792. If accepted into the program, names and email addresses will be disclosed to Cyberworld Institute (CWI) and COMTECH Corp. to allow access to the learning content.
Disclosure: Providing this information is voluntary. However, failure to provide this information may prevent CISA from deciding applicant eligibility, creating a Cyberworld Institute (CWI) and COMTECH Corp. account if selected to participate in the program and contacting you in the event there are queries about your request or registration.