Comprehensive Pentest Reference
Three-column reference combining a tooling catalog, a vulnerability-class checklist, and a per-service CVE matrix. The most concrete tooling reference in the index.
Reference notes on offensive security: methodologies, tooling, and per-service exploitation matrices. Hand-titled, cross-mapped to engagement phases, kept free of dated artifacts.
Looking up an acronym? Open the Glossary
Methodologies, frameworks, and red-team playbooks. The how-we-test layer.
Featured
PTES, the craft notes on engagement sequencing, and the web-application methodology variants — consolidated into one navigable reference.
Past the OWASP basics: chained exploitation, air-gapped lab setup for payload trials, and the operating notes for full-scope adversary simulation.
The recon catalog end-to-end: passive vs. active modes, subdomain discovery across CT logs and DNS, web-stack fingerprinting, and port-to-service mapping.
Per-server-class attack chains paired with the corresponding hardening — Apache, nginx, IIS, Tomcat, JBoss — and the decision tree from first 200 OK to authenticated context.
AD attack surface end-to-end: enumeration, Kerberos, ACL abuse, GPO weaponization, the Tier-0 chase — including the internal-engagement playbook from foothold to domain dominance.
Tunnel topologies, port-forwarding patterns, the handoff from web compromise to internal foothold, and a worked JBoss-to-domain case.
Reference
nmap scan templates by goal, transform-driven entity discovery in Maltego, and the timing-vs-stealth tradeoffs that decide when to use what.
Meterpreter, PowerShell, and the broader pentest toolkit catalog — recommended defaults per slot, with the Linux and Python operator notes that round out the kit.
Where automation earns its keep, where it misses by design, and the seams where a human reviewer must take over — paired against the manual techniques that resist tooling.
Background
Pretext design, channel selection, and the patterns specific to phishing privileged users — including the failure modes that turn a campaign into an internal incident on your side.
Senior-tester skill rubric, repo-archaeology techniques for security engineers, and the CTF tooling and infrastructure references that keep practice sharp.
OWASP-adjacent vulnerability classes — from XSS to business logic flaws.
Featured
The canonical vulnerability catalog: every class with at least one concrete proof-pattern. The single most-cited entry in the index.
Each vulnerability class presented as an attack/defense pair, with the briefing-level overview and the protocol/header/encoding points where weaknesses recur.
The full XSS landscape: reflected, stored, DOM, mutation. Sink-versus-source structuring, CSP/WAF bypass, hook-and-control patterns, and the conditions under which payloads become worm-like.
Server-side request forgery, XML external entity weaponization, and path-traversal cousins — vector enumeration, blind-channel exfiltration, parser-quirk routing.
Password-recovery logic flaws, JWT/CORS/TLS architecture issues, the working top-10 business-logic patterns, and how a real intrusion looks in logs vs. test traffic.
Reference
Stack-specific notes for Java and PHP — deserialization gadgets, expression-language injection, tainted-input flow — paired with SQLmap operator flags and the OWASP testing checklist.
Background
Per-platform attack surface and skills reference: Android permission model and APK static/dynamic attacks, iOS entitlement reasoning, macOS TCC and codesign.
Public-cloud security models and enterprise architecture patterns.
Reference
IAM modeling, cross-account boundaries, and the highest-leverage misconfigurations to look for first on AWS.
Cross-provider security concepts that survive cloud-vendor differences: identity, network, data, control plane vs. data plane.
Reference architecture patterns for security at enterprise scale, paired with the cross-industry view of which platform choices the field is moving toward.
Background
Python idioms specific to security work: subprocess discipline, robust HTTP, async scanners, and the regex patterns recurring in log triage.
Surfaces outside conventional IT: ICS/SCADA, IoT, automotive, wireless.
Reference
Wireless attack surface across WPA2/WPA3 and enterprise EAP variants, with the practical detection telltales for each technique.
Background
Where industrial control systems and IoT surface meet, where their threat models diverge, and the CSA-aligned reference for device, edge, network, cloud, and lifecycle.
Vehicle attack surface map: in-cabin networks, telematics gateway, software-update channel, supplier dependency graph.
Diamond model, kill chains, attribution, and threat modeling.
Featured
Open-source intelligence routes by entity type: people, organizations, infrastructure, code, leaks. The recon companion to engagement scoping.
Background
STRIDE, LINDDUN, attack-tree, and the Diamond model as a structured note-taking template — paired with the preventive and responsive control maps over the attack lifecycle.
How sustained adversaries operate end-to-end: initial-access patterns, tooling and TTP overlap, Windows persistence ranking, and the discovery/impact assessment workflow.
Adversary-simulation planning tree (objective, profile, infrastructure, evasion, deconfliction) and the source-rating discipline that keeps a threat-intel report honest about confidence.
Triage workflow for a suspicious email (header reasoning, detonation, URL pivot) and the investigative routes for transaction fraud across account, device, and payment dimensions.
Low-level attack surfaces — exploitation, fuzzing, and malware behavior.
Background
End-to-end memory-corruption pipeline: corruption classes, fuzzing-driven crash discovery, mitigation tradeoffs per stage, and the Windows internals that earn offensive relevance.
Quick-reference for disassemblers, debuggers, and the signatures to look for first — including an ARM reference for analysts moving from x86 and the modern browser as an attack surface.
Triage workflow, packer recognition, behavioral exploit profile, RAT family-behavior reference, and the template for documenting a sustained adversary group.
PDF as a delivery vehicle (structure, script extraction, parser quirks) and the Java-runtime exploit reference — historical and current patterns, with what each reveals about the deployed JRE.
Machine-learning security, blockchain, and data-layer threats.
Background
Vendor-neutral landscape map: model families, training pipelines, deployment patterns — plus which statistical/ML models fit which security-analytics problems and where they reliably fail.
Natural-language processing applied to security work: log clustering, phishing detection, report summarization, and where modern LLM-driven techniques fit (and don't).
Smart-contract, bridge, and consensus-layer threat classes — where the field's actual losses cluster, and the audit patterns that catch them.
Practitioner-level hashing reference: when collision resistance matters, when length-extension bites, and what to pick today.
Blue-team operations, the security-product landscape, and compliance posture.
Reference
Reference architecture for a working SIEM: ingestion, normalization, detection layer, response loop — with the cost and quality trade-offs at each junction.
TLS attack surface organized by ceremony stage: handshake, certificate path, cipher choice, record layer — with the deprecation and mitigation timeline.
DDoS attack-class taxonomy with the corresponding mitigation layers — anycast, scrubbing, app-layer rate logic.
Linux operator hardening, TCP/IP operational notes for detection engineers, AD defense from the defender's perspective, and data-center host hardening where physical access intersects vendor patches.
Background
What changes at the perimeter, the realities of office network hardening (BYOD, printers, guest segmentation), and database security beyond SQL injection — replication, backup, encryption-at-rest.
Cross-walk between common control frameworks, the reference architecture for an in-house risk-control platform, and the field-level orientation map of the discipline.
Methodology
Every entry is fingerprinted by SHA-256 against the source corpus, deduplicated, machine-extracted from diagrammatic form, and manually re-titled in neutral English. Where a topic has aged out (dated tooling, year-stamped surveys), it is removed rather than rebranded.
Entries are mapped to the engagement phase they support, so a tester reading a finding in our report can land on the exact reference that informed it.