Building a C2 Framework in Go with Faan Rossouw

Project Development:
Transition from writing "bits of code" to building structured, maintainable projects, including version control, documentation, and other auxiliary considerations. 

Client-Server Applications:
Develop a fully functional client-server application, focusing on network programming and communication. Learn about basic API and backend communication patterns.

Network Programming Fundamentals:
Master core concepts like servers, listeners, connections, handlers, routers, and the differences between synchronous and asynchronous communication. 

Compositional Go Programming:
Learn the heart of Go programming—using structs, interfaces, constructor methods, and receiver methods to write clean, modular code. 

Design Patterns:
Get introduced to foundational design patterns like Factory and Adaptor, and learn how to apply them in real-world projects. 

Concurrency:
Learn how to use Go’s powerful concurrency system including: goroutines, channels, select statements, and mutexes.

Malware Development:
Learn the basics of malware development in Go by integrating numerous functions into our agent..

Deepen Core Protocol Knowledge:
Dive into HTTP/1.1, HTTP/2, and HTTP/3, Websockets, along with TLS versions, and gain confidence working with secure communication protocols. 

Data Serialization, Encryption, Encoding, and Handling:
Learn how to handle, transport, secure, and manage data between multiple nodes.

Authentication:
Implement authentication mechanisms to secure your applications.

You cannot defend against that which you don't understand.

Post-exploitation communication malware such as Command and Control (C2) frameworks and Remote Access Tools (RATs) are core components of modern threat campaigns, which often culminate in extortion attempts like ransomware attacks. By understanding how these applications are designed and how they behave on compromised systems, you will develop a much deeper insight into detection signals and patterns. The ability to detect the presence of C2 frameworks is a critical defensive capability, as it allows us to identify and stop attacks before they reach their destructive final stages.

Custom offensive security tooling is a legitimate + growing discipline

Tools like C2 frameworks aren't exclusive to threat actors - they're also essential for legitimate cyber offensive services like penetration testing and red teaming. Before modern EDR and NDR solutions, many firms could simply purchase and immediately use C2s "off the shelf". Since modern detection systems quickly flag these standard tools, security firms now typically either extensively modify existing software or develop and maintain their own proprietary C2 frameworks. This is an exciting and growing field within offensive cybersecurity, and this course offers a direct path into understanding and working with these essential tools.

You can use these same skills just about anywhere

Beyond the specifics of what we'll be creating,  the core development concepts and technical skills you'll gain from this course are directly applicable to virtually any security development project. Whether it's implementing client-server models more broadly, developing APIs, backend engineering, implementing encryption and authentication, using idiomatic Go design patterns, or mastering abstraction more broadly - these fundamental skills extend far beyond the specifics of developing a C2 framework. Think of this course as an engaging project that helps you build a robust technical foundation, developing capabilities you can then apply to almost any area of security engineering that interests you. The architectural principles and development practices you'll learn here will serve you well across the broader security landscape.

While AV/EDR evasion is indeed a crucial part of C2 agent development, this course primarily focuses on the more fundamental aspects - creation of the overall framework architecture, communication protocols and data flow, and basic offensive actions on the endpoint like command execution and shellcode injection.

The course is designed to give you a solid foundation in building the infrastructure of a C2 framework using Go, for those specifically interested in endpoint-based evasion techniques, I recommend checking out "Malware Development Academy" which specializes in those areas.

That said, the knowledge you gain in this course will provide the necessary foundation to later explore more advanced agent capabilities, including evasion techniques.

You don't need specific Go experience, but having some basic programming knowledge in any language is ideal. The fundamentals you should understand include:

What is a variable?
What are data types?
What is a declaration?
What is a function/method?
What are arguments/parameters?
What is a struct (or custom data types more broadly)?
What is a library/package/dependency?

It's not necessary to know how to build complete applications—that's precisely what we'll be learning together. You just need some basic comfort with programming syntax and basic concepts.

If you have no programming experience at all, don't worry! I'll provide a comprehensive guide with references and resources covering the minimum knowledge you'll need. Since the course launches in February 2026, you'll have plenty of time to prepare and get comfortable with these concepts beforehand.

You should have a basic understanding of networking protocols, especially HTTP. Key concepts include:

The client-server model
HTTP request and response cycle
TCP 3-way handshake
TLS handshake process
TCP vs UDP
Basic understanding of encryption, encoding, and authentication

As far as the OSI model goes, you don’t really need to know the entire model, but it is important that you are familiar with the networking layer, and it’s important that you have a clear understanding of the transport and application layers, and the difference between them. Many aspects of our application will touch on these layers, and I really recommend being very comfortable knowing what occurs where, and when we need to transition from one to the other.

As with programming prerequisites, I'll provide a detailed guide with resources covering these networking fundamentals. You don't need to be a networking expert, but familiarity with these concepts will help you get the most out of the course content as we build our C2 framework.

In general I feel strictly categorizing courses as beginner/intermediate/advanced is a little bit too low resolution. So allow me to add a few more conceptual pixels. I like to distinguish between a beginner, and an introductory course. This is a beginner's course, not an introductory course. Let me explain the distinction.

An introductory course assumes you have no prior exposure to cybersecurity concepts and serves as your first encounter with the field - i.e. it is an introduction.

A beginner's course (like this one) assumes you have some familiarity with the underlying concepts, even if only vaguely, and now desire to synthesize those separate ideas through practical application. You may not feel comfortable with the material yet, but you are ready to “take the next step”.

Yes, I'll provide two different resource guides before the course begins:

1. Essential Knowledge Guide: This covers concepts you should understand before the course starts. I won't be covering these topics during class and will assume you already have this foundation. If you don’t know these you’ll feel lost pretty quickly, so really they are, as the title suggests, essential.

2. Recommended Preparation Guide: This includes topics that, while not strictly required, are so foundational to the course material that familiarizing yourself with them beforehand would significantly enhance your learning experience. I will cover these concepts in class, but having prior exposure will help you get more out of our sessions.

Note that both guides will be bifurcated into both Programming and Networking sections, as well as providing references to free and paid references. I only ever recommend paid references if I completed it myself, and I really think it’s worth the money. But to reiterate - there will be NO requirement to use paid resources, the free ones will suffice.

Both guides will be made available well before the course starts to give you ample time to prepare at your own pace.

The course is heavily practical with approximately 25% lecture and 75% hands-on lab work. I'm a strong believer in learning by doing, so we'll be spending most of our time actively building the C2 framework.

That said, I never jump into practical exercises without proper context. The lectures are strategically placed to provide foundational concepts and explain both the “what” and "why" before we get to the “how”. I find this approach gives you both the practical skills and the deeper understanding needed to apply these concepts beyond the course.

The theoretical portions are kept concise and directly relevant to our upcoming hands-on work. You won't sit through long lectures - instead, we'll maintain a rhythm of brief theory followed by extended practical application.

We'll be coding most of the C2 framework, however in order to be able to cover the ground we intend to in 16 hours we will, from time-to-time, start a practical lab with templates where some boilerplate is provided. This will allow us to focus on implementing the essential logic, and not spend time writing repetitive stock logic.

Developing a 16-hour course like this requires careful balancing of breadth and depth. My aim is to provide enough detail for genuine understanding while covering sufficient ground to have a functioning C2 framework by the end. I've planned a balance between providing specific logic, and writing the rest ourselves, to ensure we meet both goals.

Also note that I will provide the complete final codebase/solution to all participants.

ABSO-FRIGGIN-LUTELY - you should only ever test the framework on machines that you either own yourself or have explicit permission to use. Nothing about a C2 framework is inherently illegal, but like many tools in cybersecurity, improper use can lead to serious legal consequences.

The same framework can be used legitimately for red team exercises or maliciously for unauthorized access. The difference comes down to permission and intent. Ensure common sense prevails at all times when working with these tools.

This course is designed to help you understand both offensive and defensive aspects of C2 frameworks, but the responsibility for ethical application of this knowledge rests with you.

As stated in the course description: "You cannot defend against that which you don't understand." By learning how C2 frameworks are designed and operate, defenders can develop more effective detection strategies focused on communication patterns, protocol anomalies, and behavioral indicators. This knowledge helps security teams identify compromises earlier in the attack chain, before destructive stages like ransomware deployment occur.

Further, the broader skills developed in this course—project creation, network programming, authentication, encryption, client-server architecture, idiomatic Go design etc—are all universally applicable and could just as easily be applied to projects with defensive goals in mind. Though we create an offensive tool, the core foundational skills we use are valuable across both offensive and defensive security domains.

Emphatic yes! I will dedicate an entire session at the end of the course to exploring ways you can continue this learning journey. This will include specific ideas, tips, references, resources, and methods for staying in touch with me as you develop further. This will also be available as a guide with extensive breadcrumb trails you can follow to journey as deep into this world as you desire.

I view this course as both self-contained and complete, while simultaneously planting a seed from which something awesome can grow for those who wish to continue. The course provides a solid foundation on its own, but for those with deeper interest, it creates numerous pathways for further exploration and development.

Go is an awesome choice for backend development, created by Google specifically for distributed systems and backend engineering. Taking a language-agnostic perspective, Go is simply the right tool for this specific job - it's fast, efficient, and specializes in exactly what we need to accomplish.

Go is low-level enough that we don't need to concern ourselves with higher-order abstractions like those present in OOP, while at the same time giving us a very effective garbage collector so we don't need to think about memory management. This balance makes it perfect for our course context.

Go also features a great package (dependency) management system and an excellent standard library which provides the vast majority of functions we need. This minimizes runtime dependency errors, eliminates the need for virtual environments, and reduces reliance on third-party libraries, overall leading to a more stable application and streamlined development process.

Go's syntax and concepts are remarkably simple and straightforward. The creators actually stated that one of their goals was that code written by beginners and experts would look very similar. This makes it ideal for a course where participants come with varying levels of programming experience.

Finally, Go has excellent cross-compilation built directly into the compiler. This means regardless of which OS you work on or want your agent to run on, it's very simple to compile with just a single command. This feature is particularly valuable when developing a C2 framework that might need to target multiple platforms.