The SpecterOps Difference

SpecterOps aspires to set the cadence for the rest of the cyber security industry and bring unique insight and training into advanced threat actor tradecraft. Our team has deep experience built through helping hundreds of clients shut down attack paths and evaluate and develop security operations programs, providing premier adversarial training courses to thousands of students in advanced adversary Tactics, Techniques, and Procedures (TTPs), and sponsoring numerous projects to help the security industry as a whole.

Industry Experts

Our security team consists of some of the most sought-after industry experts, bringing deep knowledge of adversary tradecraft and years of experience in attack path management and improving threat detection and response capabilities across both commercial and government sectors.

Community Contributions

You have likely found many of our team members speaking at industry conferences on the latest adversary tools and techniques, providing numerous research papers and posts, and developing some of the most widely used open-source tools in the industry.

Unsurpassed Transparency

Our team members are on the forefront of security research, and we are always willing to share our knowledge of attack path management, tradecraft analysis, and other adversary tactics. The objective of every solution we offer is to provide our customers with capabilities to improve their own security operations, not only while we’re there, but even after we’re gone.

SpecterOps Cyber Security Awareness
How we can help

We Outfit Your Organization for Defense


Security Assessment Services

Leveraging expertise built through years of cyber security training, experience and assessments across industries and hundreds of environments, our operators use our understanding of advanced adversary Tactics, Techniques, and Procedures (TTPs) to effectively assess and improve your security posture and ability to respond to today’s sophisticated attacks.


Program Development

Whether you are building new adversary tradecraft detection and simulation teams or looking to mature existing competencies, we provide an effective approach focused on comprehensively integrating technical components into the overall cyber security operations program, ensuring robust prevention, detection, attack path management, and response capabilities.


Adversary Training Solutions

The human component of any security program is critical. Building fundamental knowledge and perfecting the skills necessary to protect the enterprise through realistic adversary training is essential to robust security programs. Our cyber security training courses and solutions equip participants with the skills to attack, defend, and harden their environments against advanced threat actors.


BloodHound Enterprise

From the creators of BloodHound, an Attack Path Management solution that continuously maps and quantifies Active Directory Attack Paths. Remove millions of Attack Paths within your existing architecture and eliminate the attacker’s easiest, most reliable, and most attractive target.

Our Cyber Security Awareness Community

We’re Sharing Our Tools Openly For Our Community

In the spotlight

Security Topics We’re Discussing


Plenty of Phish in the Sea

Phishing School: How to Find the Right Phishing Targets. A weapon is useless unless you have something to aim it at. When we weaponize social engineering, our targets are the humans who have the ability to give us access to the systems and data we want to compromise. In this post, we’ll explore ways to find […]

16 min read | May 15
Forrest Kasler

Manual LDAP Querying: Part 2

This post is a follow-up to my previous post on manual LDAP querying. I would highly recommend reading that post prior to reading this one if you are interested in some of the basics of searching LDAP. A few people asked why I chose dsquery and ldapsearch for the last blog. There are several options […]

19 min read | May 02
Hope Walker

ADCS Attack Paths in BloodHound — Part 2

In Part 1 of this series, we explained how we incorporated Active Directory Certificate Services (ADCS) objects into BloodHound and demonstrated how to effectively use BloodHound to identify attack paths including the ESC1 abuse technique. In this blog post, we will continue to explore more of the new edges we […]

12 min read | May 01
Jonas Bülow Knudsen

Nemesis 1.0.0

In August of last year, @tifkin_, @0xdab0, and I released Nemesis, our offensive data enrichment platform. After lots of feedback, operational testing, hundreds of commits, and another solid dev cycle, we’re proud to finally announce Nemesis’ 1.0.0 release. This post will detail several of the major changes we’re excited about, from host modeling, to a […]

9 min read | Apr 25
Will Schroeder

LSA Whisperer

Thank you to SpecterOps for supporting this research, to Elad for helping draft this blog, and to Sarah, Daniel, and Adam for proofreading and editing! Crossposted on GitHub. What follows is the culmination of two years of research with funding by SpecterOps and contributions from many of my coworkers. Special thanks are needed to Elad, Lee, […]

34 min read | Apr 17
Evan McBroom

Rooting out Risky SCCM Configs with Misconfiguration Manager

tl;dr: I wrote a script to identify every TAKEOVER and ELEVATE attack in Misconfiguration Manager. Ever since Garrett Foster, Duane Michael, and I released Misconfiguration Manager at SO-CON last month, we’ve had tons of great conversations with people interested in finding and fixing configurations that leave an SCCM environment vulnerable to attack, including those that […]

3 min read | Apr 11
Chris Thompson

Ghostwriter v4.1: The Custom Fields Update

Let’s dive into what makes this so exciting! There’s so much to cover that we won’t be offended if you want to look at the CHANGELOG for a quick synopsis. Introducing Customizable Fields: Over the years, we’ve had many requests for database adjustments to make it easier for Ghostwriter to fit different workflows and team […]

6 min read | Apr 05
Christopher Maddalena

Getting Intune with Bugs and Tokens: A Journey Through EPM

Written by Zach Stein & Duane Michael. SpecterOps Hackathon: Back in January, SpecterOps held our annual hackathon event, loosely based on Atlassian’s “FedEx Day” (now called “ShipIt Day”). The gist of the event was a bunch of hackers hanging out for a few days and presenting their results. At the event’s start, Specters broke into teams […]

18 min read | Apr 02
Zach Stein

Pwned by the Mail Carrier

How MS Exchange on-premises compromises Active Directory and what organizations can do to prevent that. At SpecterOps, we recommend our customers establish a security boundary around their most critical assets (i.e., Tier Zero) of Active Directory (AD). We help them find and remediate the attack paths that cross this security boundary with BloodHound Enterprise. One of […]

27 min read | Mar 20
Jonas Bülow Knudsen

Summoning RAGnarok With Your Nemesis

I Hope I’m Not Too Late: With the explosion of large language model (LLM) use, everyone is rushing to apply LLMs to their specific industry and it’s the same for information security. While LLMs have a huge range of applications in the security domain, we’re going to focus on one specific use case: answering questions about […]

15 min read | Mar 13
Will Schroeder