The SpecterOps Difference

SpecterOps aspires to set the cadence for the rest of the security industry and bring unique insight into advanced threat actor tradecraft. Our team has deep experience built through helping hundreds of clients shut down attack paths and evaluate and develop security operations programs, providing premier training courses to thousands of students in advanced adversary Tactics, Techniques, and Procedures (TTPs), and sponsoring numerous projects to help the industry as a whole.

Industry Experts

Our team consists of some of the most sought-after industry experts, bringing deep knowledge of adversary tradecraft and years of experience in attack path management and improving detection and response capabilities across both commercial and government sectors.

Community Contributions

You have likely found many of our team members speaking at industry conferences on the latest adversary tools and techniques, providing numerous research papers and posts, and developing some of the most widely used open-source tools in the industry.

Unsurpassed Transparency

Our team members are at the forefront of security research, and we are always willing to share our knowledge openly. The objective of every solution we offer is to provide our customers with capabilities to improve their own security operations, not only while we’re there, but even after we’re gone.

How we can help

We Outfit Your Organization for Defense


Assessment Services



Leveraging expertise built through years of experience and assessments across industries and hundreds of environments, our operators use our understanding of advanced Tactics, Techniques, and Procedures (TTPs) to effectively assess and improve your security posture and ability to respond to today’s sophisticated attacks.


Program Development



Whether you are building new adversary detection and simulation teams or looking to mature existing competencies, we provide an effective approach focused on comprehensively integrating technical components into the overall security operations program, ensuring robust prevention, detection, and response capabilities.


Training Solutions



The human component of any security program is critical. Building fundamental knowledge and perfecting the skills necessary to protect the enterprise through realistic training is essential to robust security programs. Our training courses and solutions equip participants with the skills to attack, defend, and harden their environments against advanced threat actors.


BloodHound Enterprise


From the creators of BloodHound, an Attack Path Management solution that continuously maps and quantifies Active Directory Attack Paths. Remove millions of Attack Paths within your existing architecture and eliminate the attacker’s easiest, most reliable, and most attractive target.

Our community commitment

We’re Sharing Our Tools Openly For Our Community

In the spotlight

Topics We’re Discussing


What is Tier Zero — Part 2

What is Tier Zero — Part 2 Round 2! This is Part 2 of our webinar and blog post series Defining the Undefined: What is Tier Zero. In Part 1, we gave an introduction to the topic and explained why the reader should care. We discussed Microsoft’s original list of Tier Zero Active Directory (AD) groups, and we defined […]

12 min read | Sep 14
Jonas Bülow Knudsen

Shadow Wizard Registry Gang: Structured Registry Querying

Why Do We Need New Tooling for Registry Collection? The Windows registry, an intricate database storing settings for both the operating system and the applications that run on it, is a treasure trove of valuable information. It is known. For this reason, countless offensive security tools have emerged to query the Windows registry, especially for […]

9 min read | Sep 05
Max Harley

Site Takeover via SCCM’s AdminService API

tl:dr: The SCCM AdminService API is vulnerable to NTLM relaying and can be abused for SCCM site takeover. Prior Work and Credit Before I get started, I’d like to acknowledge some of the work previously done that inspired researching SCCM. Chris Thompson previously covered multiple issues involving SCCM, including a site takeover primitive via MSSQL, and […]

8 min read | Aug 10
Garrett Foster

BloodHound Community Edition: A New Era

I’m proud to announce the availability of BloodHound Community Edition (BloodHound CE)! What you need to know: The free and open-source version of BloodHound is now known as BloodHound CE and will remain free and open-source forever under the Apache 2.0 License; BloodHound CE now shares a common code base and documentation with BloodHound Enterprise (BHE), and […]

5 min read | Aug 08
Andy Robbins

BloodHound Enterprise Learns Some New Tricks

Summary: The BloodHound code-convergence project brings some significant and long-desired feature enhancements to BloodHound Enterprise (BHE): Cypher search, including pre-built queries for AD and Azure; Built-in support for offline data collection (i.e., control systems or acquisition use cases); Expanded capabilities for pathfinding. BloodHound Enterprise customers will get access to these features on Monday, August 7, 2023, and […]

3 min read | Aug 03
Stephen Hinck

Your new best friend: Introducing BloodHound Community Edition

Summary SpecterOps is pleased to announce BloodHound Community Edition (CE) will be available in early access on August 8, 2023! In this blog: BloodHound is now BloodHound CE; new name, slightly different look, same purpose and capability. BloodHound CE has new features and is based on the BloodHound Enterprise (BHE) code base. As a result, BloodHound CE […]

5 min read | Aug 01
Stephen Hinck

On (Structured) Data

Introduction The offensive security industry is a curious one. On the one hand, we are ahead in various trends (or “thought leadership,” as some would have us term it) and are used to literally “moving fast and breaking things.” On the other hand, we’re far behind similar disciplines. One major area where offensive security has […]

9 min read | Jul 26
Will Schroeder

Performance, Diagnostics, and WMI

Windows offers tons of useful tools that administrators can leverage to perform their daily jobs. A lot of times, those tools are looked at from an offensive standpoint and use cases for them are discovered. Earlier this year I read a message from a co-worker Lee Christensen (@tifkin_) about Service Performance DLLs and upon further […]

9 min read | Jul 11
steven f

Sowing Chaos and Reaping Rewards in Confluence and Jira

Introduction Let me paint a picture for you. You’re on a red team operation, operating from your favorite C2, and have just landed on a user’s workstation. You decide to take a look at their DNS cache to get a list of internal resources the user has been browsing and as you look through the […]

10 min read | Jun 28
Craig Wright

What is Tier Zero — Part 1

What is Tier Zero — Part 1 Tier Zero is a crucial group of assets in Active Directory (AD) and Azure. Its purpose is to protect the most critical components by creating a security boundary and preventing a complete compromise. Defining Tier Zero for your environment is not a straightforward task. It involves examining various assets and their […]

13 min read | Jun 22
Jonas Bülow Knudsen