The SpecterOps Difference

SpecterOps aspires to set the cadence for the rest of the security industry and bring unique insight into advanced threat actor tradecraft. Our team has deep experience built through helping hundreds of clients shut down attack paths and evaluate and develop security operations programs, providing premier training courses to thousands of students in advanced adversary Tactics, Techniques, and Procedures (TTPs), and sponsoring numerous projects to help the industry as a whole.

Industry Experts

Our team consists of some of the most sought-after industry experts, bringing deep knowledge of adversary tradecraft and years of experience in attack path management and improving detection and response capabilities across both commercial and government sectors.

Community Contributions

You have likely found many of our team members speaking at industry conferences on the latest adversary tools and techniques, providing numerous research papers and posts, and developing some of the most widely used open-source tools in the industry.

Unsurpassed Transparency

Our team members are on the forefront of security research, and we are always willing to share our knowledge openly. The objective of every solution we offer is to provide our customers with capabilities to improve their own security operations, not only while we’re there, but even after we’re gone.

How we can help

We Outfit Your Organization for Defense

Evaluate

Assessment Services

Leveraging expertise built through years of experience and assessments across industries and hundreds of environments, our operators use our understanding of advanced Tactics, Techniques, and Procedures (TTPs) to effectively assess and improve your security posture and ability to respond to today’s sophisticated attacks.

Develop

Program Development

Whether you are building new adversary detection and simulation teams or looking to mature existing competencies, we provide an effective approach focused on comprehensively integrating technical components into the overall security operations program, ensuring robust prevention, detection, and response capabilities.

Equip

Training Solutions

The human component of any security program is critical. Building fundamental knowledge and perfecting the skills necessary to protect the enterprise through realistic training is essential to a robust security program. Our training courses and solutions equip participants with the skills to attack, defend, and harden their environments against advanced threat actors.

Secure

BloodHound Enterprise

From the creators of BloodHound: an Attack Path Management solution that continuously maps and quantifies Active Directory Attack Paths. Remove millions of Attack Paths within your existing architecture and eliminate the attacker’s easiest, most reliable, and most attractive target.

Our community commitment

We’re Sharing Our Tools Openly For Our Community

In the spotlight

Topics We’re Discussing

Blog
Research
Solutions

On Detection: From Tactical to Functional

In his 1931 paper “A Non-Aristotelian System and Its Necessity for Rigour in Mathematics and Physics,” mathematician Alfred Korzybski introduced an idea that many today find helpful when dealing with complex systems. The idea is commonly referred to as “The map is not the territory,” and Korzybski lays it out according to the following points: […]

14 min read | Jun 01
Jared Atkinson

Beyond Procedures: Digging into the Function Call Stack

Within the cybersecurity industry, many of us have a natural inclination towards digging into technical concepts and understanding what is going on under the hood. Or, if you are like me, you develop this over time and realize many of the complexities and dependencies you had missed, resulting in a desire to dig in and […]

19 min read | May 24
nathan d.

FOSS BloodHound 4.3.1 release

We are excited to share the release of BloodHound version 4.3.1. We have accepted a lot of pull requests made by BloodHound users for bug fixes and cool improvements in this release. We are super grateful for the continued support and contributions from our dedicated community. Together, we are making BloodHound a better tool. Let’s jump […]

2 min read | May 23
Jonas Bülow Knudsen

Security Distilled: Building a First-Principles Approach to Understanding Security

By Nathan Davis. This body of work also appears in the form of a webinar, which can be accessed here. What is security? This is a question that struck me some time ago, and I realized that I didn’t have a concrete answer. For context, this question actually came about as a derivation of a separate issue […]

17 min read | May 19
nathan d.

From DA to EA with ESC5

There’s a new, practical way to escalate from Domain Admin to Enterprise Admin. You’ve heard of ESC1 and ESC8. But what about ESC5? ESC5 is also known as “Vulnerable PKI Object Access Control”. Will Schroeder and Lee Christensen’s whitepaper mentions three classes of objects when discussing ESC5: The CA server’s AD computer object (i.e., […]

8 min read | May 16
Andy Robbins

C2 and the Docker Dance: Mythic 3.0’s Marvelous Microservice Moves

— Title by ChatGPT for introducing Mythic 3.0. What is Mythic? Mythic is a plug-n-play command and control (C2) framework that heavily leverages Docker and a microservice architecture where new agents, communication channels, and modifications can happen on the fly. Some of the Mythic project’s main goals are to provide quality of life improvements to operators, improve […]

12 min read | May 10
Cody Thomas

Exploring Impersonation through the Named Pipe Filesystem Driver

Impersonation often happens natively in Windows; however, adversaries also use it to run code in the context of another user. Recently I was researching named pipe impersonation, which naturally led me to digging into the Win32 API ImpersonateNamedPipeClient. I had never really dug into how ImpersonateNamedPipeClient worked under the hood, so I wanted to do […]

9 min read | May 03
Jonathan Johnson

Introducing BloodHound 4.3 — Get Global Admin More Often

Discover new attack paths traversing Microsoft Graph and seven new Azure Resource Manager objects. Checking out BloodHound for the first time? Here are some handy resources: get the latest version of BloodHound on GitHub, read our official documentation, and come hang out with us in the BloodHound Slack. Major Contributions from BloodHound […]

12 min read | Apr 18
Andy Robbins

I’d TAP That Pass

Summary: Given that Temporary Access Passes (TAP) are enabled in the Azure AD tenant AND you have an authentication admin role in Azure AD, you can assign users a short-lived password called a Temporary Access Pass (TAP) that satisfies most multi-factor authentication requirements implemented in Azure AD conditional access without alerting the user or modifying their […]

21 min read | Mar 29
hotnops

Uncovering Windows Events

Not all manifest-based Event Tracing for Windows (ETW) providers that are exposed through Windows are ingested into telemetry sensors/EDRs. One provider that is commonly leveraged by vendors is the Threat-Intelligence ETW provider. Due to how often it is used, I wanted to map out how its events are being written within TelemetrySource. […]

6 min read | Mar 15
Jonathan Johnson