Our Services

We Help Build Best In-Class Security Operations

We are experts in developing and improving security operations capabilities, increasing our client’s readiness against adversary attacks. We leverage our deep experience and knowledge of adversary techniques to support our clients, all the way from point-in-time assessments improving specific defensive capabilities, to serving as the trusted advisor and partner driving improvements across the entire security operations program.

Who we are

Our Specialty is Understanding Adversary Tradecraft

Our experience across hundreds of government, defense industry, financial, and healthcare environments has taught us that the most vital component of a robust security posture is understanding how adversaries will operate against the organization’s enterprise environment. We build our services around that perspective, focused on analyzing and improving attack path detection capabilities and validating defensive efforts through attack simulation. We believe that technical capabilities have their place, but the human component to any security program is absolutely critical. Our objective is to train and arm our clients with the knowledge of how the effective use of the interlocking components of their security program provide a robust security posture and readiness against active directory attacks and other vulnerable system attacks.

Our assessments focus on adversary capabilities and techniques present in the “real world,” translating risk into actions an organization can achieve. Our advisory services are designed not to just help the organization install another technology, but to help improve attack path detection and response capabilities over time, keeping our clients informed of adversary capabilities and preventing effective operations of advanced threat actors.

What to Expect

“Assume Breach” Mindset

The question is not whether you will be breached, but when. We focus on helping effectively detect and eradicate the adversary before they can impact the organization.

Pioneering Industry Capabilities

Our team is at the cutting edge of developing and demystifying new attacks and techniques

Transparent Approaches

We are transparent in every service we execute; every engagement is a learning opportunity

Industry Experts

You can benchmark the caliber of our team members simply by listening to our talks, reading our content, or utilizing the tools we produce.

Tailored Execution

Every service is effectively built and best suited to the specifics of your environment

Actionable Deliverables

We strive for actionable results focused on improving organizational security

Our Services

Program Development

Whether you are building new adversary detection and simulation teams or looking to mature existing competencies, we provide an effective approach focused on comprehensively integrating technical components into the overall security operations program, ensuring robust prevention, detection, and response capabilities. SpecterOps team members bring extensive security experience from finance, healthcare, military, intelligence community, and federal programs. Leveraging lessons learned building and supporting teams across these diverse environments, we tailor our approach to your capability development and maturation needs. Save the wasted effort of months of ineffective trial and error by focusing your approach on building transparent, effective, and repeatable adversary simulation and assessment capabilities that measurably improve organizational security.

Developing Capabilities
Expert Support

It can be difficult to build out or grow a new adversary simulation and detection capability without prior experience. Whether you are trying to stand up an internal Penetration Testing, Red Team engagement, Purple Team, Threat Hunting, or Detection program, SpecterOps has the background to ensure your success. We work to ensure there are attainable goals and metrics and design a path to success. We strive to build a program that is owned and operated by you, not continually dependent on us, meeting your organization needs and avoiding common pitfalls plagued by many organizations.

ADVERSARY DETECTION PROGRAM DEVELOPMENT
Identify security gaps between current operational capabilities and strategic objectives, including staff skillsets, technical capabilities, and program support infrastructure. Develop and execute a strategic plan with a roadmap for bringing current detection capabilities to desired outcomes.
Evaluate internal adversary simulation and assessment capabilities against program objectives. Support capability development through skillset development, operational training, technical maturation, documentation and communications strategies.

Security Assessments

SpecterOps provides a third-party adversary focused perspective of your enterprise environments. Leveraging expertise built through years of experience and assessments across industries and hundreds of environments, our operators use our understanding of advanced Tactics, Techniques, and Procedures (TTPs) to effectively assess and improve your security posture and ability to respond to today’s sophisticated attacks.

Penetration Testing Services
Red Team Engagements
Purple Team Assessments
Maturity Assessments
Attack Path Assessments
Artificial Intelligence Red Team

The objective of our penetration tests is to assist the organization in understanding the full impact of a potential breach and evaluate how effective security controls work to protect the most critical assets. Our team of experts will work with you to design penetration testing engagements that will achieve the greatest impact on assessing your risk visibility into your environment. Our experience enables us to execute a methodology while also assuring penetration testing is cost-effective and timely.

The difference in our penetration testing service is that we focus on impact objective driven testing. Whether we are attempting to access sensitive information, breach security boundaries, or access management systems, you can be sure that our time is efficiently spent on comprehensively testing your organization’s capability to protect critical assets.

NETWORK PENETRATION TESTING
Assess the effectiveness of enterprise environment defenses against advanced adversaries attempting to gain access to sensitive data and resources through internal or external attack vectors.
Assess the effectiveness of the application stack’s defenses against advanced adversaries attempting to gain access to sensitive data and resources through authenticated and unauthenticated attack paths.
Evaluate the defensive capabilities of complex, specialized, and cutting-edge technology stacks in securing critical assets and detecting advanced attacks.
All our penetration testing services are designed to provide an technically experienced, unbiased, third-party perspective of the security posture presented by in-scope systems.
Get Started

Defend Against
Advanced Attacks.

In the spotlight

Security Topics We’re Discussing

Active Directory

Getting Started with BHE — Part 1

Understanding Collection, Permissions, and Visibility of Your Environment TL;DR Attack Path visibility is dependent upon scope of collection; complete collection is dependent upon appropriate permissions. Your collection strategy benefits from tiering just like your domain(s). Introduction Welcome to my series on Getting Started with BloodHound Enterprise! This series comes after having had several discussions with […]

5 min read | Mar 12
Nathan Davis
Active Directory

Decrypting the Forest From the Trees

TL;DR: SCCM forest discovery accounts can be decrypted including accounts used for managing untrusted forests. If the site server is a managed client, service account credentials can be decrypted via the Administration Service API. Introduction While Duane Michael, Chris Thompson, and I were originally working on the Misconfiguration Manager project, one of the tasks I took […]

9 min read | Mar 06
garrett foster
Active Directory

Fueling the Fight Against Identity Attacks

When we founded SpecterOps, one of our core principles was to build a company which brought unique insight into high-capability adversary tradecraft, constantly innovating in research and tooling. We aspired to set the cadence of the cyber security industry through a commitment to benefit our entire security community. Today, I am thrilled to announce that […]

3 min read | Mar 05
David McGuire
Active Directory

Getting the Most Value Out of the OSCP: The PEN-200 Course

In this second post of a five-part series, I provide advice on how to best utilize the PEN-200 course material for a successful career in ethical hacking. Disclaimer: All opinions expressed in this article are solely my own. I have reviewed the content to ensure compliance with OffSec’s copyright policies and agreements. I have not been […]

14 min read | Mar 04
kieran croucher
Active Directory

Don’t Touch That Object! Finding SACL Tripwires During Red Team Ops

During red team operations, stealth is a critical component. We spend a great deal of time ensuring our payloads will evade any endpoint detection and response (EDR) solution, our traffic is obfuscated and hard to trace, and our commands will interact with a system in a way that limits the number of possible detection opportunities […]

16 min read | Feb 20
alexander demine
Active Directory

Getting the Most Value out of the OSCP: Pre-Course Prep

The first post in a five-part practical guide series on maximizing the professional, educational, and financial value of the OffSec certification pursuit for a successful career in offensive cybersecurity consulting Disclaimer: All opinions expressed in this article are solely my own. I have reviewed the content to ensure compliance with OffSec’s copyright policies and agreements. […]

18 min read | Feb 12
kieran croucher
Active Directory

Enhancements for BloodHound v7.0 Provide Fresh User Experience and Attack Path Risk Optimizations

TL;DR: Refreshed user interface with a new vertical navigation layout for improved user experience. General Availability of “Improved Analysis Algorithm” that provides more accurate risk scoring for findings across your environment. Enhancements to the Posture page, including a new “Attack Paths” metric and increased visibility into your Attack Path security posture. Release highlights focus on […]

5 min read | Feb 11
dev bhatt
Active Directory

Further Adventures With CMPivot — Client Coercion

Further Adventures With CMPivot — Client Coercion Perfectly Generated AI Depiction based on Title TL:DR CMPivot queries can be used to coerce SMB authentication from SCCM client hosts Introduction CMPivot is a component part of the Configuration Manager framework. With the rise in popularity for ConfigMgr as a target in red team operations, this post looks to cover a way […]

7 min read | Feb 03
diego lomellini
Active Directory

Insurance companies can reduce risk with Attack Path Management

TL;DR Insurance companies host large amounts of sensitive data (PII, PHI, etc.) and often have complex environments due to M&A and divestitures Most breaches start with human error Fortune 500 companies rely on Microsoft Active Directory as a backbone for Identity and Access Management Attackers target Active Directory to move laterally and escalate privilege An Attack […]

3 min read | Jan 23
kirsten gibson
Active Directory

Introducing BloodHound CLI

We created a new tool to help you install and manage BloodHound instances, BloodHound CLI! GitHub – SpecterOps/bloodhound-cli Written entirely in Go, this command-line tool can be cross-compiled to support Windows, macOS, and Linux, so you can use whichever operating system you like as your host system for BloodHound. You only need to have Docker […]

2 min read | Jan 17
Christopher Maddalena