Research & Tradecraft

Leveraging Tailscale Keys

TL;DR: This post introduces red team operators to Tailscale concepts and tradecraft that can be leveraged...

By: Andrew Luke
Mar 12, 2026 • 15 min read

Emergent Architectural Leakage in Frontier Models: The Dual-Claude Phenomenon

TL;DR: A pleasant evening conversation last summer with Claude resulted in a possible disclosure of its...

By: Max Andreacchi
Mar 11, 2026 • 12 min read

The Nemesis 2.X Development Guide

TL;DR: Nemesis 2.X makes it easy to extend the platform – this guide walks through creating...

By: Will Schroeder, Lee Chagolla-Christensen
Mar 10, 2026 • 16 min read

Offensive DPAPI With Nemesis

TL;DR: Nemesis 2.2 automates the entire DPAPI decryption chain – from SYSTEM/user masterkeys through CNG keys...

By: Will Schroeder, Lee Chagolla-Christensen
Mar 4, 2026 • 16 min read

Nemesis 2.2

TL;DR: Nemesis 2.2 introduces a number of powerful new features focusing on large container processing, data...

By: Will Schroeder, Lee Chagolla-Christensen
Feb 25, 2026 • 22 min read

Mapping Deception Solutions With BloodHound OpenGraph – Configuration Manager

TL;DR: At SpecterOps, we look at Attack Path Management from multiple perspectives, including those of identifying...

By: Joshua Prager
Feb 19, 2026 • 20 min read

STOP THE CAP: Making Entra ID Conditional Access Make Sense Offline

TL;DR: Conditional Access is powerful but hard to reason about once policies start to overlap. CAPSlock...

By: Lee Robinson
Feb 17, 2026 • 18 min read

V8 Heap Archaeology: Finding Exploitation Artifacts in Chrome’s Memory

TL;DR: This post aims to introduce readers to the anatomy and detection of JavaScript memory corruption...

By: Liam D.
Feb 11, 2026 • 17 min read

Weaponizing Whitelists: An Azure Blob Storage Mythic C2 Profile

TL;DR: Mature enterprises lock down egress but often carve out broad exceptions for trusted cloud services....

By: Andrew Gomez, Allen DeMoura
Jan 30, 2026 • 10 min read