Risk and Vulnerability Assessment (RVA) Training

The Risk and Vulnerability Assessment (RVA) course gives students the tools they need to develop an in-depth analysis detailing a sample attack path that a cyber threat actor could take to compromise a given organization through its weaknesses. The attack paths are representative of Tactics, Techniques, and Procedures (TTPs) that CISA has observed being leveraged by malicious actors. Course content and infographics provide a high-level snapshot of five potential attack paths and break out the most successful techniques for each tactic that the RVAs have documented. Both the analysis and the resulting infographics map threat actor behavior to the MITRE ATT&CK® framework.

Role options for this course:

Assessment Lead

The Assessment Lead (AL) is responsible for the overall preparation, execution, and post-execution stages of a CISA Assessment. The lead is the primary point of contact for the assessment team and will coordinate all assessment activities with the organization point of contact. The AL will schedule all assessment activities and ensure that appropriate Subject Matter Experts are available, and that technical access is granted to operators. The AL is also responsible for ensuring all assessment artifacts are completed and delivered to the appropriate stakeholders at the conclusion of the assessment.


Operator

The Operator (OP) is primarily responsible for simulating and emulating potential adversaries’ exploitation or attack capabilities against an enterprise, using known Tactics, Techniques, and Procedures (TTPs) and tools to discover weaknesses in the enterprise’s cyber security defense. RVA operators are experienced penetration testers who can operate safely within a team and describe findings. RVA operators are responsible for ensuring that the penetration test is properly scoped for technical testing and that the rules of engagement are defined and adhered to. The OP is responsible for conducting all testing requirements per CISA standards and generating a detailed penetration testing report.

*As of April 2023, this course will satisfy the requirements for Operators seeking to conduct HVA assessments.


Operator candidates should be mid- to senior-level penetration testers. This course does not teach basic penetration testing, and students should come to the class with experience testing applications, networks, and cloud environments. At least one industry-recognized penetration testing certification is recommended.


To register for this course, please email your intent to