This is a technical blog about getting to Pwn2Own.
The plan is called kernel.path. It runs five years and ends with a Pwn2Own attempt against Hyper-V Client in June 2031. Everything between here and there is the work, and the work is what this blog will document.
The plan
Two stages, each with a specific exit condition.
Stage one is the bridge to commercial offensive security. OSCP this November. CRTO in January. A home lab doing the work the posts describe. Nine technical posts along the way — this is post one. Eighteen targeted job applications when the credential stack and the public portfolio are both in place.
Stage two is the kernel and hypervisor track. Twelve months of Windows kernel internals foundations. Nine HEVD primitives covering the core Windows kernel exploit techniques — stack and pool overflows, use-after-free, type confusion, arbitrary write, integer overflows, NULL pointer dereferences, uninitialized memory, double-fetch. OSED in the middle. Then the pivot — Hyper-V internals, VMBus architecture, the published guest-to-host escape research. SEC760. A first CVE. OSEE.
Pwn2Own at the end.
The lab
The lab lives in my garage, and it is where the actual work happens: Windows kernel debugging, exploit primitive practice, and eventually Hyper-V research with nested virtualization running. As the work gets bigger, the lab gets bigger. Hardware and infrastructure writeups will come as they earn it.
The gap
I’m publishing this on day two of the plan. The lab is being assembled. The first OSCP machine hasn’t been rooted on the official platform yet. The first CVE is years away. Pwn2Own is half a decade away.
That gap — between what I’m claiming and what’s currently demonstrated — is real, and I’m not going to dress it up. The whole point of writing this in public is that the gap closes one post at a time, and you can watch it close.