The SpecterOps Difference

SpecterOps aspires to set the cadence for the rest of the cyber security industry and bring unique insight and training into advanced threat actor tradecraft. Our team has deep experience built through helping hundreds of clients shut down attack paths and evaluate and develop security operations programs, providing premier adversarial training courses to thousands of students in advanced adversary Tactics, Techniques, and Procedures (TTPs), and sponsoring numerous projects to help the security industry as a whole.

Industry Experts

Our security team consists of some of the most sought-after industry experts, bringing deep knowledge of adversary tradecraft and years of experience in attack path management and improving threat detection and response capabilities across both commercial and government sectors.

Community Contributions

You have likely found many of our team members speaking at industry conferences on the latest adversary tools and techniques, providing numerous research papers and posts, and developing some of the most widely used open-source tools in the industry.

Unsurpassed Transparency

Our team members are at the forefront of security research, and we are always willing to share our knowledge of attack path management, tradecraft analysis, and other adversary tactics. The objective of every solution we offer is to provide our customers with capabilities to improve their own security operations, not only while we’re there, but even after we’re gone.

SpecterOps Cyber Security Awareness
How we can help

We Outfit Your Organization for Defense


Security Assessment Services

Leveraging expertise built through years of cyber security training, experience and assessments across industries and hundreds of environments, our operators use our understanding of advanced adversary Tactics, Techniques, and Procedures (TTPs) to effectively assess and improve your security posture and ability to respond to today’s sophisticated attacks.


Program Development

Whether you are building new adversary tradecraft detection and simulation teams or looking to mature existing competencies, we provide an effective approach focused on comprehensively integrating technical components into the overall cyber security operations program, ensuring robust prevention, detection, attack path management, and response capabilities.


Adversary Training Solutions

The human component of any security program is critical. Building fundamental knowledge and perfecting the skills necessary to protect the enterprise through realistic adversary training is essential to robust security programs. Our cyber security training courses and solutions equip participants with the skills to attack, defend, and harden their environments against advanced threat actors.


BloodHound Enterprise

From the creators of BloodHound, an Attack Path Management solution that continuously maps and quantifies Active Directory Attack Paths. Remove millions of Attack Paths within your existing architecture and eliminate the attacker’s easiest, most reliable, and most attractive target.

Our Cyber Security Awareness Community

We’re Sharing Our Tools Openly For Our Community

In the spotlight

Security Topics We’re Discussing


I Will Make you Phishers of Men

PHISHING SCHOOL Convincing Targets to Click Your Links When it comes to phishing advice, the number one question I get from co-workers is “what campaigns are you using?”. People see my success, and wish to emulate it. Well, if a phish is what you wish, I would like you to meet my friend Ish: Who am I? […]

20 min read | Jun 25
Forrest Kasler

Mapping Snowflake’s Access Landscape

Attack Path Management Because Every Snowflake (Graph) is Unique Introduction On June 2nd, 2024, Snowflake released a joint statement with Crowdstrike and Mandiant addressing reports of “[an] ongoing investigation involving a targeted threat campaign against some Snowflake customer accounts.” A SpecterOps customer contacted me about their organization’s response to this campaign and mentioned that there seems […]

27 min read | Jun 13
Jared Atkinson

Lateral Movement with the .NET Profiler

The accompanying code for this blogpost can be found HERE. Intro I spend a lot of my free time modding Unity games. Since Unity is written in C#, the games are very easy to work with compared to those that compile to unmanaged code. This makes it a perfect hobby project to […]

7 min read | Jun 11
Daniel Mayer

Automating SCCM with Ludus: A Configuration Manager for Your Configuration Manager

TL;DR: Using Ludus as the backend, and with the help of Erik at Bad Sector Labs, I present a fully customizable SCCM deployment you can integrate into your home lab. Intro The past couple of years have been an exciting time in Microsoft Endpoint Configuration Manager (formerly System Center Configuration Manager [SCCM]) tradecraft. I’ve […]

12 min read | Jun 06
Zach Stein

Part 14: Sub-Operations

On Detection: Tactical to Functional When the Operation is not Enough Introduction A while back, I was working on deconstructing a standard variation of Token Theft and stumbled into a couple of interesting edge cases that my model still needed to account for. Below is the operation chain for one of the most common Token Impersonation […]

16 min read | Jun 05
Jared Atkinson

Behavior vs. Execution Modality

On Detection: Tactical to Functional Part 12 Introduction At Shmoocon 2015, Will Schroeder (Harmj0y) gave a talk titled “I Hunt Sys Admins,” describing how attackers can hunt (or find the location of) system administrators throughout the network. The talk is only 15 minutes long, so I highly recommend you watch it to understand the motivations […]

19 min read | May 21
Jared Atkinson

Plenty of Phish in the Sea

Phishing School How to Find the Right Phishing Targets A weapon is useless unless you have something to aim it at. When we weaponize social engineering, our targets are the humans who have the ability to give us access to the systems and data we want to compromise. In this post, we’ll explore ways to find […]

16 min read | May 15
Forrest Kasler

Manual LDAP Querying: Part 2

This post is a follow-up to my previous post on manual LDAP querying. I would highly recommend reading that post prior to reading this one if you are interested in some of the basics of searching LDAP. A few people asked why I chose dsquery and ldapsearch for the last blog. There are several options […]

19 min read | May 02
Hope Walker

ADCS Attack Paths in BloodHound — Part 2

In Part 1 of this series, we explained how we incorporated Active Directory Certificate Services (ADCS) objects into BloodHound and demonstrated how to effectively use BloodHound to identify attack paths including the ESC1 abuse technique. In this blog post, we will continue to explore more of the new edges we […]

12 min read | May 01
Jonas Bülow Knudsen

Nemesis 1.0.0

In August of last year, @tifkin_, @0xdab0, and I released Nemesis, our offensive data enrichment platform. After lots of feedback, operational testing, hundreds of commits, and another solid dev cycle, we’re proud to finally announce Nemesis’ 1.0.0 release. This post will detail several of the major changes we’re excited about, from host modeling, to a […]

9 min read | Apr 25
Will Schroeder