Know Your Adversary

The SpecterOps Difference

SpecterOps aspires to set the cadence for the rest of the cyber security industry and bring unique insight and training into advanced threat actor tradecraft. Our team has deep experience built through helping hundreds of clients shut down attack paths and evaluate and develop security operations programs, providing premier adversarial training courses to thousands of students in advanced adversary Tactics, Techniques, and Procedures (TTPs), and sponsoring numerous projects to help the security industry as a whole.

Industry Experts

Our security team consists of some of the most sought-after industry experts, bringing deep knowledge of adversary tradecraft and years of experience in attack path management and improving threat detection and response capabilities across both commercial and government sectors.

Community Contributions

You have likely found many of our team members speaking at industry conferences on the latest adversary tools and techniques, providing numerous research papers and posts, and developing some of the most widely used open-source tools in the industry.

Unsurpassed Transparency

Our team members are at the forefront of security research, and we are always willing to share our knowledge of attack path management, tradecraft analysis, and other adversary tactics. The objective of every solution we offer is to provide our customers with capabilities to improve their own security operations, not only while we’re there, but even after we’re gone.

How we can help

We Outfit Your Organization for Defense

Evaluate

Security Assessment Services

Leveraging expertise built through years of cyber security training, experience and assessments across industries and hundreds of environments, our operators use our understanding of advanced adversary Tactics, Techniques, and Procedures (TTPs) to effectively assess and improve your security posture and ability to respond to today’s sophisticated attacks.

Develop

Program Development

Whether you are building new adversary tradecraft detection and simulation teams or looking to mature existing competencies, we provide an effective approach focused on comprehensively integrating technical components into the overall cyber security operations program, ensuring robust prevention, detection, attack path management, and response capabilities.

Equip

Adversary Training Solutions

The human component of any security program is critical. Building fundamental knowledge and perfecting the skills necessary to protect the enterprise through realistic adversary training is essential to robust security programs. Our cyber security training courses and solutions equip participants with the skills to attack, defend, and harden their environments against advanced threat actors.

Secure

BloodHound Enterprise

From the creators of BloodHound, an Attack Path Management solution that continuously maps and quantifies Active Directory Attack Paths. Remove millions of Attack Paths within your existing architecture and eliminate the attacker’s easiest, most reliable, and most attractive target.

Our Cyber Security Awareness Community

We’re Sharing Our Tools Openly For Our Community

In the spotlight

Security Topics We’re Discussing

Active Directory

Closing the Gaps: How Attack Path Management Improves Vulnerability Management Programs

In conversation: Pete McKernan & Luke Luckett. As organizations seek to wrap their arms around potential cybersecurity exposures, CIOs and CISOs are increasingly pushing their vulnerability management teams to widen scope. With such a focus, the growing concept of continuous threat exposure management (CTEM) aims to prioritize whatever most threatens the enterprise, whether or not such […]

5 min read | Oct 02
Luke Luckett
Active Directory

Ghostwriter v4.3: SSO, JSON Fields, and Reporting with BloodHound

Ghostwriter v4.3 is available now, and it enhances features introduced in previous versions of v4 in some exciting ways! In particular, this article will dive into how you can integrate a tool like BloodHound Community Edition (BHCE) with Ghostwriter v4.3. First, we would be remiss if we did not mention the refreshed single sign-on (SSO) feature. […]

6 min read | Sep 23
Christopher Maddalena
Active Directory

ADCS Attack Paths in BloodHound — Part 3

In Part 1 of this series, we explained how we incorporated Active Directory Certificate Services (ADCS) objects into BloodHound and demonstrated how to effectively use BloodHound to identify attack paths, including the ESC1 domain escalation technique. Part 2 covered the Golden Certificates and the ESC3 techniques. In this blog post, […]

21 min read | Sep 11
Jonas Bülow Knudsen
Active Directory

Mythic 3.3 — Out of Beta

Mythic 3.3 was released in a Beta six weeks ago, and since then there has been a bunch of feedback, not just about new Mythic 3.3 features but about the framework overall. Now that Mythic is exiting Beta and going to a full release, I wanted to take a moment and highlight […]

8 min read | Aug 28
Cody Thomas
Active Directory

Ghostwriter ❤ Tool Integration

Incorporating new components into existing systems is such a pain, this process has been labeled “Integration Hell”. To ease tool integration, Ghostwriter v3.0.0 shipped with a GraphQL API. This API allows outside entities to easily query and manipulate Ghostwriter’s data. In this blogpost, we’ll use our Operation Log Generator to demonstrate the capabilities of this API. […]

4 min read | Aug 27
Alexander Sou
Active Directory

Life at SpecterOps: The Red Team Dream

TL;DR We are hiring consultants at various levels. The job posting can be found under the Consultant opening here: https://specterops.io/careers/#careers Introduction Hey there! I’m Duane Michael, a Managing Consultant and red teamer at SpecterOps. Over the past four years, I’ve had a front-row seat to the company’s incredible journey. In that time, we’ve grown by […]

8 min read | Aug 21
Duane Michael
Active Directory

Teach a Man to Phish

PHISHING SCHOOL A Decade of Distilled Phishing Wisdom I decided to give away all of my phishing secrets for free. I realized at some point that I have been giving away phishing secrets for years, but only to select individuals, and only one at a time. That method of knowledge dissemination is terribly inefficient! So here […]

4 min read | Aug 21
Forrest Kasler
Active Directory

Sleeping With the Phishes

Hiding C2 With Stealthy Callback Channels Write a custom command and control (C2) implant — Check ✅ Test it on your system — Check ✅ Test it in a lab against your client’s endpoint detection and response (EDR) product — Check ✅ Convince a target to download the payload — Check ✅ Get your hard […]

11 min read | Aug 14
Forrest Kasler
Active Directory

BloodHound Operator — Dog Whispering Reloaded

It’s summer 2024 and we are back! Actually, we are SO back, so I decided that this required a little blog post. If you like BloodHound & PowerShell, and if you want to automate all the BloodHound things, this post is written for you. In the last part, I’ll be sharing a […]

19 min read | Aug 06
sadprocessor
Active Directory

Hybrid Attack Paths, New Views and your favorite dog learns an old trick

Introducing Hybrid Attack Paths Death from Above: An Attack Path from Azure to Active Directory With BloodHound When we introduced Azure Attack Paths into BloodHound, they were added as a completely separate sub-graph. At no point did Active Directory (AD) and Azure connect within a BloodHound dataset. Ever since adding Azure (honestly, even before that), we’ve […]

5 min read | Aug 02
Justin Kohler