Your Adversary
The SpecterOps Difference

SpecterOps aspires to set the cadence for the rest of the security industry and bring unique insight into the advanced threat actor tradecraft. Our team has deep experience built through helping hundreds of clients shut down attack paths, evaluate, and develop security operations programs, providing premier training courses to thousands of students in advanced adversary Tactics, Techniques, and Procedures (TTPs), and sponsoring numerous projects to help the industry as a whole.

Industry Experts

Our team consists of some of the most sought-after industry experts, bringing deep knowledge of adversary tradecraft and years of experience in attack path management and improving detection and response capabilities across both commercial and government sectors.

Community Contributions

You have likely found many of our team members speaking at industry conferences on the latest adversary tools and techniques, providing numerous research papers and posts, and developing some of the most widely used open-source tools in the industry.

Unsurpassed Transparency

Our team members are on the forefront of security research, and we are always willing to share our knowledge openly. The objective of every solution we offer is to provide our customers with capabilities to improve their own security operations, not only while we’re there, but even after we’re gone.

Upcoming Events

Join Us at Our Upcoming Talks & Trainings

We share our operational knowledge and lessons learned in the field with your team to hone their skill sets, their efficiency, and ultimately better secure your business.

How we can help

We Outfit Your Organization for Defense


Assessment Services


Assessment Services

Leveraging expertise built through years of experience and assessments across industries and hundreds of environments, our operators use our understanding of advanced Tactics, Techniques, and Procedures (TTPs) to effectively assess and improve your security posture and ability to respond to today’s sophisticated attacks.


Program Development


Program Development

Whether you are building new adversary detection and simulation teams or looking to mature existing competencies, we provide an effective approach focused on comprehensively integrating technical components into the overall security operations program, ensuring robust prevention, detection, and response capabilities.


Training Solutions


Training Solutions

The human component to any security program is critical. Building fundamental knowledge and perfecting the skills necessary to protect the enterprise through realistic training is essential to robust security programs. Our training courses and solutions equip participants with the skills to attack, defend, and harden their environments against advanced threat actors.


BloodHound Enterprise

BloodHound Enterprise

BloodHound Enterprise

From the creators of BloodHound, an Attack Path Management solution that continuously maps and quantifies Active Directory Attack Paths. Remove millions of Attack Paths within your existing architecture and eliminate the attacker’s easiest, most reliable, and most attractive target.

Our community commitment

We’re Sharing Our Tools Openly For Our Community

In the spotlight

Topics We’re Discussing


At the Edge of Tier Zero: The Curious Case of the RODC

The read-only Domain Controller (RODC) is a solution that Microsoft introduced for physical locations that don’t have adequate security to host a Domain Controller but still require directory services for resources in those locations. A branch office is the classic use case. While RODCs, by definition, are not part of the set of resources that can […]

18 min read | Jan 25
elad shamir

SCCM Site Takeover via Automatic Client Push Installation

tl;dr: Install hotfix KB15599094 and disable NTLM for client push installation. While reading SCCM Current Branch Unleashed and stepping through the site installation process, I found something interesting — the primary site server’s domain computer account is required to be a member of the local Administrators group on the site database server. During site installation, this account is […]

8 min read | Jan 12
Chris Thompson

Prioritization of the Detection Engineering Backlog

Written by Joshua Prager and Emily Leidy Introduction Strategically maturing a detection engineering function requires us to divide the overall function into smaller discrete problems. One such seemingly innocuous area of detection engineering is the technique backlog (a.k.a. the detection engineering backlog, attack technique backlog, or detection backlog). The concept of incorporating a backlog into the […]

16 min read | Oct 05
joshua prager

On Detection: Tactical to Functional

Part 7: Synonyms “Experience is forever in motion, ramifying and unpredictable. In order for us to know anything at all, that thing must have enduring properties. If all things flow, and one can never step into the same river twice — Heraclitus’s phrase is, I believe, a brilliant evocation of the core reality of the right hemisphere’s world — one […]

22 min read | Sep 29
Jared Atkinson

WMI Internals Part 3

Beyond COM In a previous blog post of mine — WMI Internals Part 2: Reversing a WMI Provider I walked through how the WMI architecture is foundationally built upon COM and in turn how WMI classes can end up invoking COM methods to perform actions. I used the PS_ScheduledTask WMI class as an example and how when […]

5 min read | Sep 12
Jonathan Johnson

On Detection: Tactical to Function

Part 6: What is a Procedure? Physical reality has structures at all levels of metric size from atoms to galaxies. Within the intermediate band of terrestrial sizes, the environment of animals and men is itself structured at various levels of size. At the level of kilometers, the earth is shaped by mountains and hills. At […]

15 min read | Sep 08
Jared Atkinson

Get your SOCKS on with gTunnel

Get Your SOCKS on with gTunnel tl;dr Steps to setup a wicked fast SOCKS proxy with a tool called gTunnel written by hotnops Foreword First and foremost, I would like to take a moment to commemorate my first ever blog post! See the confetti falling through the air, hear the raucous cheering and the whistles and whoops, […]

14 min read | Sep 07
Elliott Grey

Automating Azure Abuse Research — Part 2

0 min read | Aug 31
Andy Robbins

On Detection: Tactical to Functional

Part 5: Expanding the Operation Graph Welcome back to the On Detection: Tactical to Functional blog series. Previously we discussed operations and sequences of operations that I call operation paths. This article will explore the idea that there must be one operation path for any given technique or sub-technique, but there can be many. When […]

15 min read | Aug 18
Jared Atkinson

On Detection: Tactical to Functional

0 min read | Aug 18
Jared Atkinson