Advanced Penetration Testing & Red Team.

Chain patterns we see in production

• Info disclosure → deserialization → RCE. Stack trace leaks Java framework version; ysoserial CommonsCollections1 against the exposed RMI/JMX endpoint; shell as the app-server user.
• SSRF → cloud IAM compromise. Web app fetches user-supplied URL; fetch http://169.254.169.254/latest/meta-data/iam/security-credentials/; assume the role; pivot via aws sts assume-role across trust relationships.
• LDAP injection → AD enumeration → Kerberoast. Login form passes (uid=*) unfiltered into LDAP filter; enumerate users; spray weak passwords; Kerberoast surviving service accounts.
• Subdomain takeover → cookie scope abuse. Dangling CNAME to a deprovisioned SaaS; register the SaaS resource; set cookies under the parent domain; session-fixation against authenticated users.
• Cache poisoning → stored XSS → admin takeover. Unkeyed header reflected into cached response; poison the admin-panel HTML; admin browser executes payload; privilege escalation via admin-only IDOR.

Lab discipline for payload development

• Hypervisor pinning. ESXi or Proxmox host, no internet-facing management. VLAN tagging at the switch, not the VM. Never trust VM-level isolation alone.
• Three-tier topology. Build network (internet), staging network (mirrors target tech stack), payload network (air-gapped, all outbound dropped at the gateway).
• Snapshot before every run. Power off, snapshot, power on. Revert after each test cycle. Snapshots are cheap; not having one is expensive.
• Out-of-band C2 only. Lab payloads use lab callback hosts only. Production C2 infrastructure never touches lab payloads — separate certs, separate domains, separate VPS.

Red team operating model

• Objectives in writing. "Reach the SAP database" or "demonstrate access to the wire-transfer system" — never "find vulnerabilities".
• White cell. Trusted client contact who knows the engagement is live, available 24/7 for deconfliction. Phone + Signal, not email.
• Evasion budget. Tolerated IOC count agreed upfront. EDR alerts above the budget = pause and reassess, not escalate.
• After-action. Joint replay with the blue team. Walk every step, every alert that fired, every alert that should have fired. The engagement's value is in this session, not in the PDF.