Our Services

We Help Build Best-in-Class Security Operations

We are experts in developing and improving security operations capabilities, increasing our clients’ readiness against adversary attacks. We leverage our deep experience and knowledge of adversary techniques to support our clients, from point-in-time assessments that improve specific defensive capabilities to serving as the trusted advisor and partner driving improvements across the entire security operations program.

Who we are

Our Specialty is Understanding Adversary Tradecraft

Our experience across hundreds of government, defense industry, financial, and healthcare environments has taught us that the most vital component of a robust security posture is understanding how adversaries will operate against the organization’s enterprise environment. We build our services around that perspective, focused on analyzing and improving attack path detection capabilities and validating defensive efforts through attack simulation. We believe that technical capabilities have their place, but the human component of any security program is absolutely critical. Our objective is to train and arm our clients with the knowledge of how the effective use of the interlocking components of their security program provides a robust security posture and readiness against Active Directory attacks and attacks on other vulnerable systems.

Our assessments focus on adversary capabilities and techniques present in the “real world,” translating risk into actions an organization can achieve. Our advisory services are designed not just to help the organization install another technology, but to help improve attack path detection and response capabilities over time, keeping our clients informed of adversary capabilities and preventing effective operations by advanced threat actors.

What to Expect

“Assume Breach” Mindset

The question is not whether you will be breached, but when. We focus on helping effectively detect and eradicate the adversary before they can impact the organization.

Pioneering Industry Capabilities

Our team is at the cutting edge of developing and demystifying new attacks and techniques.

Transparent Approaches

We are transparent in every service we execute; every engagement is a learning opportunity.

Industry Experts

You can benchmark the caliber of our team members simply by listening to our talks, reading our content, or utilizing the tools we produce.

Tailored Execution

Every service is purpose-built for the specifics of your environment.

Actionable Deliverables

We strive for actionable results focused on improving organizational security.

Our Services

Program Development

Whether you are building new adversary detection and simulation teams or looking to mature existing competencies, we provide an effective approach focused on comprehensively integrating technical components into the overall security operations program, ensuring robust prevention, detection, and response capabilities. SpecterOps team members bring extensive security experience from finance, healthcare, military, intelligence community, and federal programs. Leveraging lessons learned building and supporting teams across these diverse environments, we tailor our approach to your capability development and maturation needs. Save the wasted effort of months of ineffective trial and error by focusing your approach on building transparent, effective, and repeatable adversary simulation and assessment capabilities that measurably improve organizational security.

Developing Capabilities
Expert Support

It can be difficult to build out or grow a new adversary simulation and detection capability without prior experience. Whether you are trying to stand up an internal Penetration Testing, Red Team engagement, Purple Team, Threat Hunting, or Detection program, SpecterOps has the background to ensure your success. We work with you to set attainable goals and metrics and design a path to success. We strive to build a program that is owned and operated by you, not continually dependent on us, that meets your organization’s needs and avoids the common pitfalls that plague many organizations.

ADVERSARY DETECTION PROGRAM DEVELOPMENT
Identify security gaps between current operational capabilities and strategic objectives, including staff skillsets, technical capabilities, and program support infrastructure. Develop and execute a strategic plan with a roadmap for bringing current detection capabilities to desired outcomes.
Evaluate internal adversary simulation and assessment capabilities against program objectives. Support capability development through skillset development, operational training, technical maturation, documentation and communications strategies.

Security Assessments

SpecterOps provides a third-party, adversary-focused perspective of your enterprise environments. Leveraging expertise built through years of experience and assessments across industries and hundreds of environments, our operators use our understanding of advanced Tactics, Techniques, and Procedures (TTPs) to effectively assess and improve your security posture and your ability to respond to today’s sophisticated attacks.

Penetration Testing Services
Red Team Engagements
Purple Team Assessments
Maturity Assessments
Attack Path Assessments
Artificial Intelligence Red Team

The objective of our penetration tests is to help the organization understand the full impact of a potential breach and evaluate how effectively security controls protect the most critical assets. Our team of experts will work with you to design penetration testing engagements that give you the greatest improvement in visibility into the risk present in your environment. Our experience enables us to execute our methodology while also ensuring that penetration testing is cost-effective and timely.

The difference in our penetration testing service is our focus on impact- and objective-driven testing. Whether we are attempting to access sensitive information, breach security boundaries, or access management systems, you can be sure that our time is spent efficiently on comprehensively testing your organization’s capability to protect critical assets.

NETWORK PENETRATION TESTING
Assess the effectiveness of enterprise environment defenses against advanced adversaries attempting to gain access to sensitive data and resources through internal or external attack vectors.
Assess the effectiveness of the application stack’s defenses against advanced adversaries attempting to gain access to sensitive data and resources through authenticated and unauthenticated attack paths.
Evaluate the defensive capabilities of complex, specialized, and cutting-edge technology stacks in securing critical assets and detecting advanced attacks.
All our penetration testing services are designed to provide a technically experienced, unbiased, third-party perspective of the security posture presented by in-scope systems.

Defend Against Advanced Attacks.

In the spotlight

Security Topics We’re Discussing

Blog

This One Weird Trick: Multi-Prompt LLM Jailbreaks (Safeguards Hate It!)

TL;DR: Using multiple prompts within the context of a conversation with an LLM can lead to safeguard bypasses. How can we safely evaluate AI systems at scale to determine their susceptibility to multi-prompt attacks? The AI tools that we use on a daily basis are becoming more sophisticated in terms of safeguards. The fine folks […]

12 min read | Sep 05
Max Andreacchi
Blog

BloodHound Operator: The Six Degrees Of Master Yoda

A Technical Dive Into BloodHound OpenGraph With BloodHound Operator & Master Yoda… TL;DR: The latest version of BloodHound introduces BloodHound OpenGraph. This new feature allows for ingestion of any type of custom data into BloodHound. This post describes the OpenGraph functionality and demonstrates the new PowerShell cmdlets added to the BloodHound Operator module to work […]

16 min read | Sep 04
SadProcessor
Blog

Dough No! Revisiting Cookie Theft

TL;DR Chromium-based browsers have shifted from using the user’s Data Protection API (DPAPI) master key and started using Application Bound encryption primitives to protect cookie values. Threat actors can still steal a user’s cookies via custom extensions, enabling the remote debugging port, calling the DecryptData COM function, or recreating the Application Bound decryption process […]

14 min read | Aug 27
Andrew Gomez
Blog

Operating Outside the Box: NTLM Relaying Low-Privilege HTTP Auth to LDAP

TL;DR When operating out of a ceded access or phishing payload with no credential material, you can use low-privilege HTTP authentication from the current user context to perform a proxied relay to LDAP, then execute tooling through the SOCKS5 proxy to complete LDAP-related objectives completely off-host. Introduction Typically, when operating using command and control […]

12 min read | Aug 22
Logan Goins
Blog

Transforming Red Team Ops with Mythic’s Hidden Gems: Browser Scripting

TL;DR Mythic’s browser scripting provides tons of flexibility that operators can tailor to their unique needs to best analyze the data provided to them, beyond raw text output. Developers can further enable the operator experience by ensuring the agents are designed around using structured data in message responses. Command and control (C2) frameworks have become […]

29 min read | Aug 21
Alexander K. DeMine
Blog

ARM-ed and Dangerous: Dylib Injection on macOS

Modern Dylib Injection Techniques for AArch64 macOS TL;DR This post details how I extended the Mythic Poseidon agent to support ARM64 Dylib injection on Apple Silicon. The method leverages Mach APIs to enumerate processor sets, obtain task ports, and inject ARM64 shellcode that loads dynamic libraries (i.e., Dylibs) into non-hardened macOS processes. Full technical details […]

23 min read | Aug 21
West Shepherd
Blog

Will WebClient Start

TL;DR WebClient is a common targeted service for NTLM relay attacks. In this post we will cover if it is possible to start the service remotely as a low privileged user. This will also dive into what is happening when the service is started and the associated protocols and technologies used. “Can you enable the […]

30 min read | Aug 19
Steven Flores
Blog

Pantheon Introduction: A Guide and Script Collection for Mythic Eventing

TL;DR Mythic Eventing automates repetitive tasks during red team operations (RTO). This blog documents the eventing system and provides a collection of starter YAML scripts for reconnaissance and other common tasks. These can be modified to execute specific commands or Beacon object files (BOFs) based on your needs. The repository for these scripts is located […]

8 min read | Aug 15
Gavin Kramer
Blog

Juicing ntds.dit Files to the Last Drop

TL;DR Several new Active Directory offline attack capabilities have recently been added to the DSInternals PowerShell module. These enhancements include the Golden dMSA Attack, full support for Local Administrator Password Solution (LAPS), and the ability to extract trust passwords and BitLocker recovery keys. And thanks to some changes made under the hood, large ntds.dit files (100K+ users) process much faster and […]

10 min read | Aug 14
Michael Grafnetter
Blog

Going for Broke(ring) – Offensive Walkthrough for Nested App Authentication

TL;DR: Microsoft uses nested app authentication (NAA) for many applications. Access and refresh tokens for select applications, such as administrator portals, can be exchanged for tokens to other applications with a brokered request to authentication endpoints. Introduction Starting in October 2024, Microsoft made NAA generally available with the goal to “[provide] better security and greater […]

18 min read | Aug 13
Hope Walker