Your Adversary
The SpecterOps Difference

SpecterOps aspires to set the cadence for the rest of the security industry and bring unique insight into the advanced threat actor tradecraft. Our team has deep experience built through helping hundreds of clients shut down attack paths, evaluate, and develop security operations programs, providing premier training courses to thousands of students in advanced adversary Tactics, Techniques, and Procedures (TTPs), and sponsoring numerous projects to help the industry as a whole.

Industry Experts

Our team consists of some of the most sought-after industry experts, bringing deep knowledge of adversary tradecraft and years of experience in attack path management and improving detection and response capabilities across both commercial and government sectors.

Community Contributions

You have likely found many of our team members speaking at industry conferences on the latest adversary tools and techniques, providing numerous research papers and posts, and developing some of the most widely used open-source tools in the industry.

Unsurpassed Transparency

Our team members are on the forefront of security research, and we are always willing to share our knowledge openly. The objective of every solution we offer is to provide our customers with capabilities to improve their own security operations, not only while we’re there, but even after we’re gone.

Upcoming Events

Join Us at Our Upcoming Talks & Trainings

We share our operational knowledge and lessons learned in the field with your team to hone their skill sets, their efficiency, and ultimately better secure your business.

How we can help

We Outfit Your Organization for Defense


Assessment Services


Assessment Services

Leveraging expertise built through years of experience and assessments across industries and hundreds of environments, our operators use our understanding of advanced Tactics, Techniques, and Procedures (TTPs) to effectively assess and improve your security posture and ability to respond to today’s sophisticated attacks.


Program Development


Program Development

Whether you are building new adversary detection and simulation teams or looking to mature existing competencies, we provide an effective approach focused on comprehensively integrating technical components into the overall security operations program, ensuring robust prevention, detection, and response capabilities.


Training Solutions


Training Solutions

The human component to any security program is critical. Building fundamental knowledge and perfecting the skills necessary to protect the enterprise through realistic training is essential to robust security programs. Our training courses and solutions equip participants with the skills to attack, defend, and harden their environments against advanced threat actors.


BloodHound Enterprise

BloodHound Enterprise

BloodHound Enterprise

From the creators of BloodHound, an Attack Path Management solution that continuously maps and quantifies Active Directory Attack Paths. Remove millions of Attack Paths within your existing architecture and eliminate the attacker’s easiest, most reliable, and most attractive target.

Our community commitment

We’re Sharing Our Tools Openly For Our Community

In the spotlight

Topics We’re Discussing


I’d TAP That Pass

Summary: Given that: Temporary Access Passes (TAP) are enabled in the Azure AD tenantAND You have an authentication admin role in Azure AD You can assign users a short lived password called a Temporary Access Pass (TAP) that satisfies most multi-factor authentication requirements implemented in Azure AD conditional access without alerting the user or modifying their […]

21 min read | Mar 29

Abusing Azure App Service Managed Identity Assignments

Intro Azure App Service is a Platform-as-a-Service product that promises to improve web application deployment, hosting, availability, and security. Web Apps hosted by Azure App Service are organized into Azure App Service Plans, which are Virtual Machines that the Web Apps in that plan all run on. The individual Web Apps are isolated from one […]

10 min read | Feb 15
Andy Robbins

Telemetry Layering

Introduction Creating detections can be challenging. There often isn’t a “simple” way to detect something, and once we see an event that seems to correlate with the activity we are looking for, it is easy to become fixated. We create that detection and move on. However, what if other telemetry sources had helped provide a […]

9 min read | Feb 10
Jonathan Johnson

Ghostwriter v3.2 Release

SpecterOps has released Ghostwriter v3.2 with some significant enhancements we think you’ll like. We overhauled how you interact with operation logs and added support for tagging clients, projects, reports, findings, evidence files, domains, servers, operation logs, and log entries. Tagging Tags will help you organize and customize your projects. At the most basic level, a tag […]

3 min read | Feb 08
Christopher Maddalena

At the Edge of Tier Zero: The Curious Case of the RODC

The read-only Domain Controller (RODC) is a solution that Microsoft introduced for physical locations that don’t have adequate security to host a Domain Controller but still require directory services for resources in those locations. A branch office is the classic use case. While RODCs, by definition, are not part of the set of resources that can […]

18 min read | Jan 25
elad shamir

The Defender’s Guide to Windows Services

It’s dangerous to find malicious services alone! Take this! Authors: Luke Paine & Jonathan Johnson Introduction This is the second installment of the Defender’s Guide series. In keeping with the theme, we are discussing Windows Services, the underlying technology, common attack vectors, and methods of securing/monitoring them. Services are an important part of the Windows operating system, […]

11 min read | Jan 18
Jonathan Johnson

SCCM Site Takeover via Automatic Client Push Installation

tl;dr: Install hotfix KB15599094 and disable NTLM for client push installation. While reading SCCM Current Branch Unleashed and stepping through the site installation process, I found something interesting — the primary site server’s domain computer account is required to be a member of the local Administrators group on the site database server. During site installation, this account is […]

8 min read | Jan 12
Chris Thompson

Passwordless Persistence and Privilege Escalation in Azure

Adversaries are always looking for stealthy means of maintaining long-term and stealthy persistence and privilege in a target environment. Certificate-Based Authentication (CBA) is an extremely attractive persistence option in Azure for three big reasons: With control of a root CA trusted by AzureAD, the adversary can impersonate any user without knowing their password — including Global Admins. Configuring CBA […]

15 min read | Dec 21
Andy Robbins

Stalking inside of your Chromium Browser

Revisiting Remote Debugging Okay, you got your favorite agent running on the target machine. You did a process listing, but nothing interesting popped out. You searched through every possible thing, even the trash bins to find a clue of where exactly the user hid their secrets that could get you to the user’s Azure portal. Well, […]

7 min read | Dec 01
kai huang

Uncovering Window Security Events

Part 1: TelemetrySource Data is the foundation by which defense is built upon. This data can come from various telemetry sources — native logging, Endpoint Detection and Response (EDR) tools, network logging, etc. The data from these sources give us insight into activity happening with a given machine — user’s logging in, processes being created, incoming network traffic, etc. […]

7 min read | Nov 14
Jonathan Johnson