Know Your Adversary
The SpecterOps Difference

SpecterOps aspires to set the cadence for the rest of the security industry and bring unique insight into advanced threat actor tradecraft. Our team has deep experience built through helping hundreds of clients shut down attack paths and evaluate and develop security operations programs, providing premier training courses to thousands of students in advanced adversary Tactics, Techniques, and Procedures (TTPs), and sponsoring numerous projects to help the industry as a whole.

Industry Experts

Our team consists of some of the most sought-after industry experts, bringing deep knowledge of adversary tradecraft and years of experience in attack path management and improving detection and response capabilities across both commercial and government sectors.

Community Contributions

You have likely found many of our team members speaking at industry conferences on the latest adversary tools and techniques, providing numerous research papers and posts, and developing some of the most widely used open-source tools in the industry.

Unsurpassed Transparency

Our team members are at the forefront of security research, and we are always willing to share our knowledge openly. The objective of every solution we offer is to provide our customers with capabilities to improve their own security operations, not only while we’re there, but even after we’re gone.

How we can help

We Outfit Your Organization for Defense

Evaluate

Assessment Services

Leveraging expertise built through years of experience and assessments across industries and hundreds of environments, our operators use our understanding of advanced Tactics, Techniques, and Procedures (TTPs) to effectively assess and improve your security posture and ability to respond to today’s sophisticated attacks.

Develop

Program Development

Whether you are building new adversary detection and simulation teams or looking to mature existing competencies, we provide an effective approach focused on comprehensively integrating technical components into the overall security operations program, ensuring robust prevention, detection, and response capabilities.

Equip

Training Solutions

The human component of any security program is critical. Building fundamental knowledge and perfecting the skills necessary to protect the enterprise through realistic training is essential to robust security programs. Our training courses and solutions equip participants with the skills to attack, defend, and harden their environments against advanced threat actors.

Secure

BloodHound Enterprise

From the creators of BloodHound, an Attack Path Management solution that continuously maps and quantifies Active Directory Attack Paths. Remove millions of Attack Paths within your existing architecture and eliminate the attacker’s easiest, most reliable, and most attractive target.

Our community commitment

We’re Sharing Our Tools Openly For Our Community

In the spotlight

Topics We’re Discussing

Blog

Prioritization of the Detection Engineering Backlog

Written by Joshua Prager and Emily Leidy Introduction Strategically maturing a detection engineering function requires us to divide the overall function into smaller discrete problems. One such seemingly innocuous area of detection engineering is the technique backlog (a.k.a. the detection engineering backlog, attack technique backlog, or detection backlog). The concept of incorporating a backlog into the […]

16 min read | Oct 05
Joshua Prager
Blog

On Detection: Tactical to Functional

Part 7: Synonyms “Experience is forever in motion, ramifying and unpredictable. In order for us to know anything at all, that thing must have enduring properties. If all things flow, and one can never step into the same river twice — Heraclitus’s phrase is, I believe, a brilliant evocation of the core reality of the right hemisphere’s world — one […]

22 min read | Sep 29
Jared Atkinson
Blog

WMI Internals Part 3

Beyond COM In a previous blog post of mine — WMI Internals Part 2: Reversing a WMI Provider I walked through how the WMI architecture is foundationally built upon COM and in turn how WMI classes can end up invoking COM methods to perform actions. I used the PS_ScheduledTask WMI class as an example and how when […]

5 min read | Sep 12
Jonathan Johnson
Blog

On Detection: Tactical to Function

Part 6: What is a Procedure? Physical reality has structures at all levels of metric size from atoms to galaxies. Within the intermediate band of terrestrial sizes, the environment of animals and men is itself structured at various levels of size. At the level of kilometers, the earth is shaped by mountains and hills. At […]

15 min read | Sep 08
Jared Atkinson
Blog

Get your SOCKS on with gTunnel

Get Your SOCKS on with gTunnel tl;dr Steps to setup a wicked fast SOCKS proxy with a tool called gTunnel written by hotnops Foreword First and foremost, I would like to take a moment to commemorate my first ever blog post! See the confetti falling through the air, hear the raucous cheering and the whistles and whoops, […]

14 min read | Sep 07
Elliott Grey
Blog

Automating Azure Abuse Research — Part 2

0 min read | Aug 31
Andy Robbins
Blog

On Detection: Tactical to Functional

Part 5: Expanding the Operation Graph Welcome back to the On Detection: Tactical to Functional blog series. Previously we discussed operations and sequences of operations that I call operation paths. This article will explore the idea that there must be one operation path for any given technique or sub-technique, but there can be many. When […]

15 min read | Aug 18
Jared Atkinson
Blog

On Detection: Tactical to Functional

0 min read | Aug 18
Jared Atkinson
Blog

On Detection: Tactical to Functional

Part 4: Compound Functions Introduction Welcome back to the On Detection: Tactical to Functional series (links to all posts are at the bottom of the post). Thus far, we’ve explored the OS Credential Dumping: LSASS Memory sub-technique, specifically mimikatz, as an example to understand how this sub-technique works. The first post focused on identifying the […]

11 min read | Aug 16
Jared Atkinson
Blog

On Detection: Tactical to Functional

Part 3: Expanding the Function Call Graph Introduction In the previous post in this series, I introduced the concept of operations and demonstrated how each operation has a function call graph that undergirds it. In that post, I purposely presented incomplete, relative to my knowledge, function call graphs because I wanted only to show the extent […]

15 min read | Aug 09
Jared Atkinson