CTI & Threat Intelligence
7 guides
Full tradecraft reference: evidence labeling, source reliability, confidence tiering, attribution methodology, infrastructure pivoting, detection candidate mapping.
Applying kill chain analysis to real adversary behavior; evidence labeling at each stage with worked examples.
End-to-end workflow: actor assessment → TTP extraction → detection candidate → hunting hypothesis → backlog item.
Structured analytic judgment: words of estimative probability, source critique, and bias mitigation in CTI production.
Moving beyond the matrix: technique selection, sub-technique context, Navigator usage, and detection hypothesis construction.
Tool-to-technique mapping reference: which adversary tools map to which ATT&CK techniques and why.
Scoping, collection, analysis, delivery, and feedback loop for a structured client-facing CTI engagement.
Detection & SOC
2 guides
Alert triage, escalation criteria, SIEM query patterns, and analyst workflow for Tier 1 analysts.
Behavioral detection: data staging, exfiltration patterns, access anomaly queries, and Sigma rule construction.
Network Reconnaissance
8 guides
Scan types, timing templates, OS detection, and output formats.
Banner grabbing, version detection flags, and service fingerprinting.
Fragmentation, decoy scans, timing evasion, and source routing.
NSE categories, writing scripts, vuln detection, and automation.
Shodan search operators, filters, API usage, and OSINT pivoting from exposed services.
OSINT automation: module configuration, scan profiles, and result analysis.
Subdomain enumeration, ASN mapping, and infrastructure graphing with Amass.
PCAP-based hunting: protocol anomalies, C2 traffic patterns, beaconing detection, and display filters.
Web Application Security
3 guides
Spider, active scan, passive scan, authentication handling, and report generation.
Intercepting proxies, intruder brute-force, repeater, and login form attacking.
Tamper scripts, WAF bypass, blind injection techniques, and database enumeration.
Password Attacks
9 guides
Protocol modules (SSH, FTP, HTTP, SMB), wordlist selection, rate limiting, and success detection.
Hash identification, wordlist + rule attacks, incremental mode, and format specification.
Target-aware wordlist generation using personal data, leet transforms, and pattern rules.
RDP brute-force with Crowbar: target specification, threading, and credential handling.
SSH login scanner module, wordlist configuration, and session handling.
hashcat + John workflows for DOC/DOCX/PPT/XLSX with real samples.
PDF hash extraction (pdf2john) and cracking with rule-based attacks.
zip2john, hashcat modes, and practical wordlist strategies for encrypted archives.
IP camera stream brute-forcing with the RTSP-brute-force tool.
Exploitation & Metasploit
4 guides
Architecture, db_nmap integration, workspace management, and module selection fundamentals.
Scanner, sniffer, and fuzzer auxiliaries: configuration, RHOSTS, THREADS, and output handling.
Exploit + payload selection, target configuration, check command, and post-exploitation.
AI-assisted recon and exploitation walkthrough against a Metasploitable lab.
AI-Driven Pentesting
2 guides
Autonomous PT with Cursor AI + MCP servers: recon → exploitation → reporting workflow.
Prompt injection, indirect injection, goal hijacking, and exfiltration techniques against real LLM agent architectures.
Malware Analysis
5 guides
LIEF-based import triage, risk classification workflow, and JSON output integration.
Binary string extraction, IOC identification, entropy filtering, and structured output.
Packer identification with DIE, unpac.me integration, and de4dot deobfuscation workflow.
APK static analysis: manifest review, permission analysis, DEX inspection, and IOC extraction.
Full APK assessment workflow: static triage → dynamic analysis → YARA → ATT&CK mapping → report.
Cloud, Kubernetes & Active Directory
6 guides
GCP attack path: service account privilege escalation, metadata server abuse, and CloudTrail detection.
End-to-end cloud PT on the vulnerable-cloud-lab: initial access → lateral movement → exfil.
Log collection, audit policy, Fluent Bit pipelines, and detection rule integration for K8s.
NTLM relay to ADCS, ESC8 exploitation, certificate request, and Pass-the-Certificate.
Step-by-step AD domain setup with GPO misconfigurations, Kerberoasting targets, and AS-REP roasting.
CVSS-BTE scoring, environmental modifier impact, CISA KEV integration, and prioritization workflow.