Nmap
TCP/UDP scan, OS/service fingerprinting, NSE scripts, timing, firewall evasion.
Before starting, we run a 1-minute tech check β microphone, ambient noise, connection. If your setup isn't good enough, the test is fully refunded.
TCP/UDP scan, OS/service fingerprinting, NSE scripts, timing, firewall evasion.
Before starting, we run a 1-minute tech check β microphone, ambient noise, connection. If your setup isn't good enough, the test is fully refunded.
Prove in 15 minutes that you actually know Nmap: stealth scans, NSE scripting, firewall evasion, and large-scale network strategies.
The Plume Nmap badge is a 15-minute AI-driven oral exam that tests whether you can truly use Nmap in professional audit and penetration testing contexts. The examiner covers advanced fundamentals: the differences between -sS, -sT, -sU and -sA, building a structured scan strategy across a /16 in production, using the NSE engine (http-enum, vuln, smb-os-discovery, ssl-heartbleed...), timing templates from T0 to T5, and firewall/IDS evasion via packet fragmentation, decoys, or source-port manipulation. The AI doesn't ask you to recite a man page. It pushes you to reason, justify your choices, and articulate the limits of your approaches under real-world constraints.
Unlike a paper certification or a self-declared LinkedIn skill, the Plume badge is built on a recorded oral evaluated by Claude Opus, which reads the full transcript and produces a 0-100 score, a proficiency level (Novice, Proficient, Advanced, Expert) and a detailed feedback report. Any recruiter or client who receives your badge can listen to the audio, check the score, and read the breakdown. It's verifiable evidence, not a self-assessment.
This badge is for pentesters, network auditors, security engineers, and cybersecurity students who want to give their Nmap skills an objective, shareable credential β on a resume, a LinkedIn profile, or a client proposal. Whether you're preparing for a Red Team engagement, a compliance audit, or your first offensive security role, the Nmap badge turns your expertise into something concrete and measurable.
Here are the concrete dimensions the AI examines during the 15-minute oral.
Design a structured discovery and enumeration strategy across large networks (/16 and beyond): sequencing phases (ping sweep, port scan, service scan), choosing the right timing template, and managing network load to avoid disrupting production services.
Understand the differences between -sS (SYN stealth), -sT (connect), -sU (UDP), -sA (ACK), -sN/-sF/-sX (stealthy scans) and know when to pick each one based on legal scope, network topology, and detection risk.
Use NSE script categories (default, safe, intrusive, vuln, auth, discovery) and key scripts like http-enum, smb-os-discovery, ssl-heartbleed, or vulners. Ability to modify or write a Lua script to meet a specific engagement requirement.
Interpret Nmap's OS detection (-O) and service version results (-sV), understand probability scores, and identify false positives or ambiguities caused by non-standard devices, load balancers, or hardened hosts.
Apply evasion techniques including packet fragmentation (-f), decoys (-D), source-port manipulation (--source-port), and T0/T1 timing. Understand their real-world impact on stealth versus scan duration, and know where they fall short against behavioral detection systems.
Connect Nmap with Metasploit (db_nmap), Nessus, or OpenVAS, and plug it into CI/CD pipelines for continuous scanning. Export to XML or grepable format to feed downstream analysis tools and automated reporting workflows.
Identify when Nmap isn't the right fit and make a technically sound case for alternatives: masscan for internet-scale speed, Zmap for research-grade scanning, or Rustscan for fast enumeration on constrained target sets.
Parse Nmap output (open/filtered/closed ports, state reasons, service banners) and draw actionable conclusions for an audit or pentest engagement, with communication that works for both a technical peer and a non-technical client.
Final scoring is performed by Claude (Anthropic), which reads back the full transcript and applies this weighted criteria grid.
Precise knowledge of Nmap's options, flags, and behaviors: scan types, timing templates, NSE, OS and service detection. The candidate must justify their choices with solid technical reasoning, not vague approximations.
Ability to build a scan strategy adapted to a real-world context: scope, network constraints, risk of disruption, legal authorizations. Graded on the reasoning process, not just the commands mentioned.
Depth of NSE usage: knowledge of script categories, ability to select relevant scripts for a given scenario, and ideally hands-on experience writing or modifying Lua scripts to address custom engagement needs.
Understanding of firewall and IDS bypass techniques with Nmap, and critically, awareness of where they break down: when a decoy or T0 timing is no longer effective against modern behavioral detection engines.
Quality of spoken delivery: structured answers, precise technical vocabulary, ability to explain a complex concept (e.g., SYN stealth vs connect scan) in a way that is both accurate and accessible.
A Plume session takes about 20 minutes, from tech check to badge delivery.
The AI checks your mic quality and ambient noise level. There's no screen sharing and no code to type: the Nmap oral is entirely conversational. You confirm you're ready, and the clock starts.
The AI asks you to introduce yourself briefly and describe your most recent or most significant Nmap use: an internal audit, a Red Team engagement, a CTF, or a dedicated lab. This calibrates the depth of the questions that follow.
The core of the exam. The AI works through scan types (SYN vs UDP vs ACK), the NSE engine, large-network scanning strategies, evasion techniques (fragmentation, decoys, source-port), toolchain integration, and alternatives to Nmap. It follows up on your answers to probe for gaps or dig deeper into what you know.
The AI presents a concrete scenario: for example, mapping a /16 in production without triggering SOC alerts, or deciding between Nmap and masscan for an internet-scale engagement. You argue your approach in real time, including trade-offs and risks.
The session ends automatically. Claude Opus reads the full transcript and generates your score (0-100), your Nmap proficiency level, and a personalized feedback report. Your badge with its shareable URL is delivered as soon as the analysis is complete.
Your score out of 100 translates into a level a recruiter can grasp at a glance.
You know the basic Nmap commands (nmap -sV, nmap -A) and can run a simple scan against a single target. You struggle to explain the difference between a SYN scan and a connect scan, and NSE is largely unexplored territory. You use Nmap as a black box without really understanding what's happening at the network layer.
You have a solid grip on the main TCP scan types and use common options (-p, -T4, -O, -sV, --script). You've run scripts from the default or safe NSE categories and know how to export to XML. You can scan a reasonably sized network but still lack a systematic strategy for large perimeters or heavily filtered environments.
You build scan strategies tailored to the context: timing, phased discovery, UDP port scanning, basic evasion (fragmentation, T1). You use NSE deliberately with vuln, auth, or discovery scripts, and you integrate Nmap into workflows alongside tools like Metasploit or Nessus. You interpret ambiguous results and know when to reach for alternatives like masscan or Rustscan.
You run optimized scanning campaigns across /8 ranges or internet-facing scopes, write or adapt NSE scripts in Lua, and master advanced evasion techniques (decoys, TTL manipulation, source-port) while understanding exactly where they fail against modern behavioral IDS. You plug Nmap into CI/CD pipelines for continuous scanning and can train others or write detailed audit procedures.
No degree or years of experience required to take the badge. Here are the profiles it makes the most sense for.
Nmap is your primary reconnaissance tool. The badge lets you prove your technical depth when applying for roles or submitting proposals, going far beyond a line on a resume or a LinkedIn endorsement.
You use Nmap for asset inventory, unauthorized service detection, and compliance checks. The badge validates your ability to use it methodically and safely in production environments, not just in a lab.
You're preparing for your first security role and don't yet have significant professional experience. The Nmap badge gives you a concrete, verifiable technical credential to put in front of recruiters who need more than a degree.
Your clients want assurance before handing over an audit scope. A badge with a score, audio, and feedback report makes your proposal credible and signals the methodological rigor clients expect from a trusted partner.
You've built up Nmap skills through years of network administration and want to formalize that knowledge as you move into a security role. The badge gives you an objective measurement of where you stand and a clear signal to hiring managers.
Where and how your Nmap badge will help you day to day.
You're applying for a junior or mid-level pentester role. Your Nmap badge with a score of 78/100 and an Advanced level lets the technical hiring manager verify your skills before the first interview, setting you apart from candidates who only have theoretical certifications.
You're responding to an RFP for a network security audit. You include your Nmap badge in the proposal: the client can listen to the oral, see the score, and read the feedback report. It's tangible evidence of your skill level, not just a list of certification logos.
After five years in systems administration, you want to prove your Nmap skills are real and applicable in an offensive security context. The badge gives you an objective positioning (e.g., Proficient) and precise feedback on what you need to deepen next.
You add your Nmap badge URL to your LinkedIn profile. Recruiters and managers who click see a numerical score, a proficiency level, and can listen to the oral. It's infinitely more credible than a skill endorsement or a self-declared competency.
A CISO wants to benchmark the Nmap depth of their Red Team before investing in training. Each team member takes the badge, and the aggregated results highlight collective gaps: IDS evasion, advanced NSE usage, pipeline integration, giving the CISO a data-driven training roadmap.
You're preparing for the OSCP or eJPT and want to validate your Nmap fundamentals before tackling more complex topics. The Plume oral gives you targeted feedback on blind spots β UDP scanning, specific NSE scripts, large-network strategy β so you know exactly where to focus your prep.
A few minutes to check you have everything you need.
At the end of your session you don't just get a score β here's everything that awaits you.
You get a precise score and a proficiency level (Novice, Proficient, Advanced, or Expert) that objectively reflects your real Nmap mastery, from TCP/UDP scan types to advanced evasion techniques.
Claude Opus generates a detailed breakdown of your performance: strengths in NSE usage or scan strategy, areas to improve in evasion or toolchain integration, and concrete recommendations to reach the next level.
Your oral recording stays private and under your control. You decide whether to share it with a recruiter or client as raw proof of your Nmap competence in action, not just a number on a page.
Your Nmap badge gets a permanent URL you can drop on your resume, LinkedIn profile, or client proposal. Anyone who clicks sees your score, your level, and can read the detailed feedback report.
Discover related skills you can validate with Plume.
A 15-min oral exam with an AI, a shareable badge for your recruiters.
Choose this badge Β· β¬19.99