CNO Developer Track

The structured path to becoming a Computer Network Operations Tool Developer (H15A). This track covers Python, C, systems programming, reverse engineering, exploit development, and the formal training programs that shape the Navy's most technical cyber operators.

Primary NEC

H15A — Tool Developer

Related NECs

H12A/B (EA), H16A (ION), H14A (Vuln Research)

What Does a CNO Tool Developer Do?

CNO Tool Developers (H15A) build, maintain, and adapt software tools used in cyberspace operations. Unlike general software engineers, CNO developers write code in adversarial environments — tools must be stealthy, reliable, and purpose-built for specific operational requirements that no commercial product can satisfy.

The role sits at the intersection of software development, penetration testing, and operational planning. Developers work closely with Exploitation Analysts (H12A), ION Operators (H16A), and CNO Planners (H17A) to translate mission requirements into working capabilities.

Core Responsibilities
  • Develop and maintain custom offensive and defensive cyber tools
  • Research and weaponize vulnerabilities for authorized CNO use
  • Reverse engineer malware and target software
  • Integrate tools into operational frameworks (e.g., C2 infrastructure)
  • Write Python scripts for automation, recon, and exploitation
  • Develop low-level C/assembly implants and shellcode
  • Support both OCO and DCO missions with tailored capabilities

Learning Path

Work through these stages in order. Each builds on the last. Rushing to exploit development without solid programming fundamentals will slow you down significantly.

0
Prerequisites — Linux, Networking & Scripting Basics
Must-have foundation before any development work
Beginner
What to Know First
  • Linux command line — navigation, file permissions, process management
  • TCP/IP networking — OSI model, sockets, common protocols (HTTP, DNS, SMB)
  • Basic scripting — Bash is sufficient to start
  • How executables work — ELF/PE format basics
  • Git version control
Recommended Starting Resources
1
Python for Operators
The primary language for CNO tooling, automation, and rapid prototyping
Beginner → Intermediate
Why Python First

Python is the dominant language in CNO tool development for good reason: rapid prototyping, rich libraries for networking and cryptography, and first-class support in frameworks like Metasploit, Impacket, and Scapy. Nearly every red team and CNO shop expects Python fluency.

Key Libraries to Master
socket struct ctypes subprocess scapy pwntools impacket requests paramiko cryptography
Resources
Beginner
Automate the Boring Stuff with Python
Free online book — best Python intro
Beginner
Real Python
High-quality tutorials, many free
Beginner
Python Official Docs
Reference for stdlib modules
Intermediate
Scapy Documentation
Packet crafting & network analysis
Intermediate
pwntools Docs
CTF/exploit dev framework
Advanced
Impacket — SecureAuth
Network protocol implementations
Recommended Reading: Black Hat Python (Justin Seitz) and Violent Python (TJ O'Connor) are the two books most commonly referenced in CNO developer billets. Neither is free, but both are available through military library programs and are worth purchasing.
2
C Programming & Systems Internals
Required for implant development, shellcode, and understanding what Python is doing under the hood
Intermediate
Why C Is Non-Negotiable

Implants and shellcode must be small, portable, and often position-independent. C gives direct memory control, minimal runtime overhead, and compiles to native code. Understanding C also makes reverse engineering significantly easier — most targets compile to patterns that match C constructs.

Topics to Cover
  • Pointers, memory layout, stack vs. heap
  • Dynamic memory management (malloc/free)
  • File I/O and system calls
  • Sockets programming (Winsock / POSIX)
  • Position-independent code (PIC)
  • Compiling with GCC/Clang, using GDB
  • Windows API basics (for Windows implants)
Resources
Beginner
CS50x — Introduction to Computer Science
Harvard's free intro course. Best structured C intro available.
Beginner
Beej's Guide to C Programming
Free, comprehensive, no-fluff C reference.
Intermediate
Beej's Guide to Network Programming
Free guide to POSIX sockets in C. Essential.
Beginner
Learn-C.org
Interactive in-browser C exercises.
Intermediate
GDB Tutorial — RMS
Debugging C with GDB — essential skill.
Advanced
Windows API Guide — Microsoft
Win32 API reference for Windows implant dev.
3
x86/x64 Assembly & Reverse Engineering
Read and write assembly; understand what compiled code actually does
Intermediate → Advanced
Why Assembly Matters

Shellcode is raw assembly bytes. Reverse engineering is reading assembly output from a decompiler. Writing ROP chains requires understanding gadgets at the instruction level. You don't need to hand-write entire programs in assembly, but you must be able to read it fluently and write small stubs.

Tools to Learn
Ghidra IDA Free GDB + pwndbg radare2 objdump nasm pwndbg
Key Concepts
  • x86/x64 registers, calling conventions
  • Stack frames, prologue/epilogue patterns
  • ELF/PE binary structure
  • NASM syntax, linking, objdump analysis
  • Dynamic analysis with GDB/pwndbg
  • Static analysis with Ghidra
Resources
Intermediate
OpenSecurityTraining2 (OST2)
Free, deep technical courses on RE, assembly, exploit dev. Best free structured RE curriculum available.
Intermediate
Malware Unicorn Workshops
Free RE workshops from industry experts. Covers static/dynamic analysis.
Intermediate
pwn.college
Free, structured exploit dev education from ASU. Assembly, RE, and binary exploitation tracks.
Intermediate
NSA Ghidra
Free, open-source SRE framework from NSA. Industry standard for RE in government/military environments.
Beginner
x86 Assembly Guide — Virginia
Concise x86 assembly reference for beginners.
Advanced
Nightmare — Binary Exploitation
Free CTF-based binary exploitation course. Covers RE, heap exploitation, ROP chains.
4
Exploit Development
Turning vulnerabilities into working capabilities
Advanced
What This Stage Covers

Exploit development combines everything from prior stages: you need C to write shellcode, assembly to understand what it compiles to, and Python/pwntools to automate the delivery. This stage is where the H14A (Vulnerability Researcher) and H15A (Tool Developer) tracks converge.

Topics
  • Stack-based buffer overflows (x86 and x64)
  • Shellcode writing and encoding
  • Return-Oriented Programming (ROP)
  • Heap exploitation (use-after-free, heap spray)
  • Format string vulnerabilities
  • Bypassing mitigations (ASLR, DEP/NX, stack canaries)
  • Kernel exploitation basics
Resources
Intermediate
pwn.college — Binary Exploitation
Best free, structured exploit dev curriculum. Progress from basic BOF to kernel exploitation.
Intermediate
ROP Emporium
Dedicated ROP chain challenges. Each challenge isolates one ROP concept.
Intermediate
exploit.education
Downloadable vulnerable VMs (Phoenix, Nebula). Classic exploit dev practice environment.
Advanced
OSED — OffSec Exploit Developer
EXP-301 course leading to the OSED cert. Gold standard for exploit dev. Fundable via Navy COOL.
Intermediate
LiveOverflow — Binary Exploitation
Free YouTube series on binary exploitation fundamentals.
Advanced
How2Heap — shellphish
Hands-on heap exploitation tutorial repository. Each example is a runnable exploit.

Formal DoD Training Programs

ManTech
ACTP
Advanced Cyber Training Program
Government-contracted CNO developer pipeline

ManTech's ACTP is one of the primary DoD-contracted training pipelines for developing CNO operators and tool developers. The curriculum is purpose-built for military cyber personnel and is significantly more operationally focused than commercial courses.

What ACTP Covers
Python for Operators
Offensive Python scripting, socket programming, automation
C / Systems Programming
Memory management, POSIX sockets, implant fundamentals
Assembly Language
x86/x64 assembly, shellcode writing, disassembly
CNO Concepts
Access, persistence, C2, operational tradecraft
Tool Development
Building and adapting custom capabilities
OpSec & Infrastructure
Secure development, attribution avoidance
Access: ACTP enrollment is through your command's training office and requires CNO mission assignment. Coordinate with your chain of command and TYCOM training coordinator. Not available as a self-service request — mission eligibility is required.
ManTech ACTP Overview
NSA/CSS National Cryptologic School
NSA

NCS offers DoD-exclusive courses in signals exploitation, tool development, and advanced CNO techniques. Access requires command sponsorship and clearance.

Learn More
SANS FOR610 — Malware Analysis
SANS

GREM certification course. Covers static/dynamic malware analysis using professional RE tooling. Fundable via Navy COOL for eligible NECs.

Learn More
SANS SEC760 — Advanced Exploit Dev
SANS

Advanced kernel and software vulnerability exploitation. Leads toward GXPN certification. High-cost but COOL-fundable for CNO developer billets.

Learn More
OffSec EXP-301 (OSED)
Offensive Security

Windows exploit development course from OffSec. Covers ROP, DEP/ASLR bypass, and custom exploit writing. Navy COOL fundable. Credential widely recognized.

Learn More

Target Certifications for This Track

OSCP — Offensive Security Certified Professional
Intermediate

The baseline offensive credential. Required or strongly recommended for most CNO operator billets. Hands-on 24-hour exam. Navy COOL fundable.

Offensive Security Details
OSED — Offensive Security Exploit Developer
Advanced

The gold-standard exploit development credential. EXP-301 covers ROP, DEP/ASLR bypass, and Windows exploit writing. Navy COOL fundable.

Offensive Security Details
GREM — GIAC Reverse Engineering Malware
Advanced

Validates malware analysis and RE skills. Directly maps to H14A/H15A work roles. Proctored open-book exam. COOL fundable.

GIAC/SANS Details
GXPN — GIAC Exploit Researcher & Advanced Penetration Tester
Advanced

Advanced exploitation and custom tooling credential. Validates Python/C-based exploit writing skills. High ceiling — marks you as a serious developer.

GIAC/SANS Details
OSEP — Offensive Security Experienced Penetration Tester
Advanced

PEN-300 covers advanced evasion, custom C2, and bypassing modern defenses. Directly relevant to implant/tool development tradecraft.

Offensive Security Details
CASP+ / CompTIA Advanced Security Practitioner
Intermediate

DoD 8140 IAT Level III credential. Lower technical ceiling than GIAC/OffSec but required for some billets and COOL-fundable.

CompTIA Details

Tool Development Resource Library

Advanced
How2Heap — Heap Exploitation Techniques

Repository of runnable heap exploitation examples demonstrating real-world techniques (fastbin dup, …

5h
Advanced
Impacket — Network Protocol Implementations

Python library implementing dozens of network protocols (SMB, DCE/RPC, Kerberos, LDAP, etc.). Founda…

2h
Advanced
Nightmare — Binary Exploitation Course

Free, CTF-based binary exploitation curriculum covering RE, format strings, stack/heap exploitation,…

10h
Advanced
Windows API Reference — Microsoft

Official Win32 API documentation. Required for developing Windows implants, injectors, and persisten…

1h
Beginner
Automate the Boring Stuff with Python

Free online book by Al Sweigart. The most recommended beginner Python resource. Covers practical scr…

10h
Beginner
Beej's Guide to C Programming

Free, no-nonsense C programming reference. Covers the entire language including pointers, memory, st…

8h
Beginner
CS50x — Introduction to Computer Science (Harvard)

Free Harvard course that teaches C as its primary language. Covers memory management, data structure…

20h
Beginner
Learn-C.org — Interactive C Tutorial

Browser-based interactive C exercises. Good supplement to Beej for practicing syntax and concepts wi…

3h
Beginner
Python Official Documentation

The authoritative Python 3 reference. Essential for understanding stdlib modules like socket, struct…

1h
Beginner
Real Python — Tutorials & Courses

High-quality Python tutorials covering everything from basics to advanced topics like async programm…

5h
Intermediate
Beej's Guide to Network Programming

Free guide to POSIX socket programming in C. Covers TCP/UDP sockets, client-server architecture, and…

5h
Intermediate
Malware Unicorn — Free RE Workshops

Free hands-on malware analysis and reverse engineering workshops from industry experts. Includes sta…

8h
Intermediate
NSA Ghidra — Software Reverse Engineering Tool

Free, open-source SRE framework developed and released by the NSA. Industry standard for reverse eng…

2h
Intermediate
OpenSecurityTraining2 (OST2)

Free, deeply technical courses covering architecture, assembly, RE, malware analysis, and exploit de…

20h
Intermediate
ROP Emporium

Dedicated Return-Oriented Programming challenges. Each challenge isolates a specific ROP concept (re…

5h
Intermediate
Scapy — Packet Manipulation Library

Python library for crafting, sending, sniffing, and dissecting network packets at a low level. Core …

2h
Intermediate
exploit.education — Vulnerable VM Practice

Downloadable vulnerable Linux VMs (Phoenix, Nebula, Protostar) for exploit development practice. Cla…

8h
Intermediate
pwn.college — Binary Exploitation

Free, structured exploit development education from ASU. Covers assembly, RE, stack overflows, forma…

15h
Intermediate
pwntools — CTF & Exploit Dev Framework

Python library for writing binary exploits. Provides utilities for network I/O, ELF parsing, shellco…

2h
Assess Your Skills

Rate your current proficiency across CNO developer skill domains.

Take Assessment
Certification Funding

OSCP, OSED, GREM, and GXPN are all Navy COOL fundable.

Navy COOL
NEC Paths

Understand how H15A relates to H12A, H14A, and H16A NECs.

View NEC Paths