Exp-401 Advanced Windows Exploitation [best] Jun 2026

EXP-401: Advanced Windows Exploitation (AWE) is an expert-level, in-person OffSec course focused on modern Windows exploit development, leading to the OSEE certification. The intensive 72-hour exam covers advanced topics like user-mode mitigation bypasses, heap manipulation, and kernel-mode exploitation. For more details, visit

Without a memory leak, ASLR makes exploitation probabilistic (brute force), which is useless in a real engagement or the exam environment. You will learn to abuse: exp-401 advanced windows exploitation

Most people fail the GXPN (the exam tied to this course) the first time. Not because the questions are tricky, but because the lab time runs out. You spend 8 hours trying to get a ROP chain to align, only to realize your pivot was off by 8 bytes. You will learn to abuse: Most people fail

In userland, you want a cmd.exe . In kernel land, you want to steal the SYSTEM token. You will write shellcode that: In userland, you want a cmd

This article deconstructs the core curriculum, the mindset required, and the technical arsenal required to survive EXP-401.

Most students enter EXP-401 thinking they understand stack overflows. The first lesson humbles them. You cannot just overwrite EIP/RIP with a jmp esp anymore.

To survive, you need: