How HTB scaled high-quality training for hundreds of consultants

Disclaimer: These are real results from a Hack The Box customer who wishes to remain anonymous.

A global leader in software security, IP integration, and quality testing with more than $5 billion in annual revenue came to Hack The Box (HTB) after looking for a solution to fit their cybersecurity upskilling needs.

With a large team consisting of hundreds of consultants that serve thousands of clients per quarter, we wondered: 

How could they upskill teams in a way that empowers each consultant to deliver the distinctive cybersecurity services and products the company is renowned for?

Scaling state-of-the-art skills (without sacrificing consultant productivity) 

Every cybersecurity team grapples with the challenge of keeping skills sharp against an evolving threat landscape, making it a mission-critical priority. 

Coupled with the need for quick onboarding and streamlined processes, it can pose a challenge for many consultancy firms. 

Our contact, a Senior Consultant at the company who is in charge of the Hack The Box (HTB) deployment, explained: “We wanted to accelerate the rate at which consultants were ready to serve clients, without sacrificing the quality of our service or reducing the billable hours of other employees.”

Given these goals, scaling high-quality training for hundreds of consultants who specialized in a slew of disciplines was difficult for three key reasons: 

  1. In addition to developing internal guidance and documentation (e.g., playbooks for technical offerings, standard operating procedures, and contracts), subject matter experts were also hand-crafting technical content to train other consultants and new hires.

  2. Keeping up with the latest cybersecurity news, vulnerabilities, and exploits, and then converting cutting-edge knowledge into practical training content for hundreds of consultants in different specialties (and at different skill levels) was extremely time-consuming for subject matter experts.

  3. Tracking the completion of training and then mapping it to a consultant’s ready-to-deliver skills on real engagements was a complex process. With services broadly covering the software and development lifecycle (SDLC) and a range of different offerings—plus hundreds of consultants to train—it was hard to measure and report progress. 

Ultimately, consultants were being overutilized on activities that did not directly contribute to the delivery of services. To get consultants client-ready at a rapid pace without sacrificing the quality of training, the program needed to: 

  • Give employees the technical know-how to think out of the box and deliver a service of “exceptional quality” to clients. 

  • Ensure that they knew how to integrate testing processes and internal methodologies during real engagements for specific offerings. 

This is where Hack The Box’s (HTB) Enterprise Platform came in to help streamline the upskilling program.

Unifying multiple technical disciplines under a single system

Get me any consultant who isn’t ready to deliver services, and within a year, you won’t even recognize them. This is what I’ve told management. It’s how much I trust the platform and the integrity of the content. 

Senior Consultant and Training Coordinator.

Within many consulting teams, a junior consultant should be able to deliver technical services under the supervision of a manager. 

A manager, on the other hand, needs great client management skills and a firm grasp of internal processes—in addition to technical know-how on a specific service. 

HTB Academy’s cybersecurity courses made this vision a possibility by providing upskilling programs that the firm can trust and integrate with its internal systems. 

“We get learners started on the HTB Academy. It teaches them how to approach targets and more importantly builds the mindset of a tester—which requires a shift in how individuals approach problem-solving and quality assurance. Then, our learning management system helps them master how we tackle specific services and our processes.” 

Senior Consultant and Training Coordinator.

For example, if a consultant is preparing to provide Web API testing services to clients, they can log into the company’s internal learning management system (LMS) and complete the assigned HTB Academy Web API training modules. 

After training on HTB Academy, practical skills are further developed with HTB’s Professional Labs and are then assessed through a mock engagement within a customized Lab. 

Finally, the consultant marks their training as complete and continues the rest of the training path on the LMS, which guides them on their company’s internal process and unique methodology. This ensures they can safely deliver testing services to a client. 

Our contact highlighted how the HTB Academy teaches new hires to follow safe testing approaches and best practices (like staying in scope and not testing systems that are off limits). This is critical to avoid damaging client infrastructure during tests on live production environments and minimizes legal risks. 

“When a consultant has completed an Academy module on a subject, I know they’re job-ready. Based on the training provided by the HTB platform, I trust they’re capable of technically delivering a specific security service to a client. From there, and depending on their skill level, consultants will advance to training on any one of HTB’s Enterprise Labs.”

Senior Consultant and Training Coordinator.

Tailoring practical training to business (and consultant) needs 

The next key step for many consultancy firms is a program that bridges the gap between knowledge and practical skills. 

Consultants build hands-on skills by practicing on corporate-level networks, common misconfigurations, and enterprise-specific system vulnerabilities via HTB’s virtual Labs and Machines. 

This comprehensive approach means hundreds of consultants—who offer a range of specialist cybersecurity testing and security services—develop the “muscle memory” necessary to deliver extremely high-quality services to clients. 

We ensured the client’s consultants weren’t just script kiddies following a checklist of attacks. The near real-world environment provided by HTB ensures testers can think outside the box.

Director of Training & Enablement.

HTB Labs have been customized to map the consultancy’s core services. Skills tagging, customizable Lab, and API features are all available on the Enterprise platform. These features help ensure that training: 

  1. Measures a consultant’s individual skill level while highlighting areas of improvement. 

  2. Aligns with the goals of the company. 

  3. Adapts to the needs of consultants within a specific discipline. 

As well as enabling a scalable workflow, HTB’s Enterprise upskilling platform allows a flexible approach in which consultants can request to train on specific disciplines or areas of interest. 

If a consultant is interested in vulnerability assessments, for example, the admin can direct them to a customized lab they’ve built dedicated to that practice.

The labs are challenging enough to engage learners to solve the problem presented while not being so challenging that only a minority of folks can complete the challenge. In short, the challenges are in the Goldilocks zone of being ‘just right.’

Director of Training & Enablement.

Measuring skills development to plan for client engagements 

For a consultancy firm that values streamlined processes, the HTB platform API is an exciting feature. The API makes it easier to incorporate HTB training into existing internal systems and processes.

Teams are able to use this feature to:

  • Accelerate the onboarding of new hires. 

  • Learn what consultants are actively upskilling on.

  • Help teams efficiently identify and hand-pick consultants with the requisite skills for upcoming projects. 

“For example, a senior leader will ask me if there’s an ideal consultant available for an upcoming web application engagement with a client. I can refer to HTB training data to see a consultant’s activity (the number of Machines and Challenges they’ve completed that are mapped to a specific skill) in our customized Lab for web application pentesting.”

With this particular client, even staff outside of the consultancy team showed a keen interest in learning new skills on the HTB platform. The team is now running weekly sessions on Hack The Box and aims to keep employees engaged and motivated to continuously upskill. 

From the operational level all the way up to management, the impact and value of HTB for consultancy firms has been clear. 

“We’ve increased the pool of consultants that are available for testing and providing services to clients. Consultants no longer need to spend time constantly updating internal content, setting up complicated practice environments, or creating new material from scratch. It’s a win-win.” 

Director of Training & Enablement.

In less than a year, the new upskilling program has: 

  • Decreased the overutilization hours consultants spent creating and maintaining training content.

  • Helped the consultancy to onboard a team of new consultants with an enriched, high-quality upskilling experience.

  • Contributed to the upskilling of dozens of teams in Web/API testing. 

  • Achieved a high satisfaction rate amongst consultants—80% of consultants who upskilled with HTB confirmed the training to be helpful in advancing their skills and knowledge.

  • Resulted in more than 2000 flag captures and more than 600 Machines being compromised on the HTB platform.

About HTB

Loved by an infosec community of more than 2 million members, HTB is helping security leaders across the globe equip their teams with the skills and expertise needed to proactively secure and protect their organizations.

Whether you’re sharpening specific techniques, training up junior staff, or looking to recruit skilled cybersecurity talent, Hack The Box has a solution to fit your needs. Measure, assess, and proactively close your organization’s cybersecurity skills gap with a single platform focused on improving cyber workforce upskilling and development.

Author bio: Hassan Ud-deen (hassassin), Content Marketing Manager, Hack The Box

Hassan Ud-deen is the Content Marketing Manager at Hack The Box. Combining thought leadership and SEO to fuel demand generation is his jam. Hassan’s also fascinated by cybersecurity, enjoys interviewing tech professionals, and when the mood strikes him occasionally tinkers within a Linux terminal in a dark room with his (HTB) hoodie on. #noob. Feel free to connect with him on LinkedIn.

 

Author bio: Fiona Leake (fileake), Content Writer, Hack The Box

Fiona Leake is a Content Writer at Hack The Box. Digging deep into how people think to create meaningful content that solves problems is what gets her out of bed in the morning. Fiona loves simplifying technical topics and enjoys occasionally trying her hand at only the most beginner-friendly HTB Machines. Feel free to connect with her on LinkedIn.
