Our Services

We Help Build Best In-Class Security Operations

Talk to an Expert Program Development Assessments

We are experts in developing and improving security operations capabilities, increasing our client’s readiness against adversary attacks. We leverage our deep experience and knowledge of adversary techniques to support our clients, all the way from point-in-time assessments improving specific defensive capabilities, to serving as the trusted advisor and partner driving improvements across the entire security operations program.

Who we are

Our Specialty is Understanding Adversary Tradecraft

Our experience across hundreds of government, defense industry, financial, and healthcare environments has taught us that the most vital component of a robust security posture is understanding how adversaries will operate against the organization’s enterprise environment. We build our services around that perspective, focused on analyzing and improving attack path detection capabilities and validating defensive efforts through attack simulation. We believe that technical capabilities have their place, but the human component to any security program is absolutely critical. Our objective is to train and arm our clients with the knowledge of how the effective use of the interlocking components of their security program provide a robust security posture and readiness against active directory attacks and other vulnerable system attacks.

Our assessments focus on adversary capabilities and techniques present in the “real world,” translating risk into actions an organization can achieve. Our advisory services are designed not to just help the organization install another technology, but to help improve attack path detection and response capabilities over time, keeping our clients informed of adversary capabilities and preventing effective operations of advanced threat actors.

What to Expect

“Assume Breach” Mindset

The question is not whether you will be breached, but when. We focus on helping effectively detect and eradicate the adversary before they can impact the organization.

Pioneering Industry Capabilities

Our team is at the cutting edge of developing and demystifying new attacks and techniques

Transparent Approaches

We are transparent in every service we execute; every engagement is a learning opportunity

Industry Experts

You can benchmark the caliber of our team members simply by listening to our talks, reading our content, or utilizing the tools we produce.

Tailored Execution

Every service is effectively built and best suited to the specifics of your environment

Actionable Deliverables

We strive for actionable results focused on improving organizational security

Our Services

Program Development

Whether you are building new adversary detection and simulation teams or looking to mature existing competencies, we provide an effective approach focused on comprehensively integrating technical components into the overall security operations program, ensuring robust prevention, detection, and response capabilities. SpecterOps team members bring extensive security experience from finance, healthcare, military, intelligence community, and federal programs. Leveraging lessons learned building and supporting teams across these diverse environments, we tailor our approach to your capability development and maturation needs. Save the wasted effort of months of ineffective trial and error by focusing your approach on building transparent, effective, and repeatable adversary simulation and assessment capabilities that measurably improve organizational security.

Developing Capabilities

Expert Support

It can be difficult to build out or grow a new adversary simulation and detection capability without prior experience. Whether you are trying to stand up an internal Penetration Testing, Red Team engagement, Purple Team, Threat Hunting, or Detection program, SpecterOps has the background to ensure your success. We work to ensure there are attainable goals and metrics and design a path to success. We strive to build a program that is owned and operated by you, not continually dependent on us, meeting your organization needs and avoiding common pitfalls plagued by many organizations.

ADVERSARY DETECTION PROGRAM DEVELOPMENT

Identify security gaps between current operational capabilities and strategic objectives, including staff skillsets, technical capabilities, and program support infrastructure. Develop and execute a strategic plan with a roadmap for bringing current detection capabilities to desired outcomes.

RED TEAM ENGAGEMENT PROGRAM DEVELOPMENT

Evaluate internal adversary simulation and assessment capabilities against program objectives. Support capability development through skillset development, operational training, technical maturation, documentation and communications strategies.

Security Assessments

SpecterOps provides a third-party adversary focused perspective of your enterprise environments. Leveraging expertise built through years of experience and assessments across industries and hundreds of environments, our operators use our understanding of advanced Tactics, Techniques, and Procedures (TTPs) to effectively assess and improve your security posture and ability to respond to today’s sophisticated attacks.

Penetration Testing Services

Red Team Engagements

Purple Team Assessments

Maturity Assessments

Attack Path Assessments

Artificial Intelligence Red Team

The objective of our penetration tests is to assist the organization in understanding the full impact of a potential breach and evaluate how effective security controls work to protect the most critical assets. Our team of experts will work with you to design penetration testing engagements that will achieve the greatest impact on assessing your risk visibility into your environment. Our experience enables us to execute a methodology while also assuring penetration testing is cost-effective and timely.

The difference in our penetration testing service is that we focus on impact objective driven testing. Whether we are attempting to access sensitive information, breach security boundaries, or access management systems, you can be sure that our time is efficiently spent on comprehensively testing your organization’s capability to protect critical assets.

NETWORK PENETRATION TESTING

Assess the effectiveness of enterprise environment defenses against advanced adversaries attempting to gain access to sensitive data and resources through internal or external attack vectors.

APPLICATION PENETRATION TESTING

Assess the effectiveness of the application stack’s defenses against advanced adversaries attempting to gain access to sensitive data and resources through authenticated and unauthenticated attack paths.

SPECIALTY TECHNOLOGY PENETRATION TESTING

Evaluate the defensive capabilities of complex, specialized, and cutting-edge technology stacks in securing critical assets and detecting advanced attacks.

INDEPENDENT EXPERT PERSPECTIVE

All our penetration testing services are designed to provide an technically experienced, unbiased, third-party perspective of the security posture presented by in-scope systems.

Knowing what to expect from a red team engagement can be difficult since there are almost as many definitions of what “red teaming” means as there are companies that provide them. Our perspective of red teaming comes from our military backgrounds, rooted in the adversarial analysis mindset to train, and improve adversary simulation, detection and response capabilities.

The difference in our approach starts with focusing red team engagements first and foremost a training opportunity for detection and response capabilities. Whether using novel or well-known adversary Tactics, Techniques, and Procedures (TTPs), our objective is to provide a realistic understanding of the true risk posed by an attack by advanced threat actors. We pride ourselves on building meaningful exercise objectives that help the organization close gaps in adversary detection and investigation technology, processes, and staff training, and ensure our debrief provides the context needed to improve future response. We let you practice response against worst-case scenarios without the worst-case security risk.

RED TEAM ENGAGEMENT EXERCISE

Provide live-fire training scenarios through adversary simulation, improving detection and response capabilities and the organization’s readiness against attacks.

THREAT REPLICATIVE ASSESSMENT

Assess the effectiveness of enterprise incident response people, processes, and technology against an advanced adversary attempting to gain access to sensitive information or critical assets.

TRANSPARENCY

We work to demystify adversary TTPs, share tradecraft, and collaboratively work with defensive to build an understanding of how an adversary may operate against the environment.

EXPERIENCED EXECUTION

Built from experience in operating in hundreds of highly critical enterprises, we work to provide effective training conditions and realistic adversary simulations in production environments minimizing any impacts to the business.

Our Purple Team assessment services focus on validating and improving the effectiveness of security controls leveraging both our adversary simulation and detection expertise.

We have found that in Purple Team assessments, dynamic evaluation is the best way to evaluate the efficacy of security controls. This dynamic approach is especially important given that a preponderance of security controls are vendor supplied and thus the analytic itself is opaque. While dynamic evaluation with test cases is a standard for Purple Teaming as many know it, we believe that the “devil is in the details” with respect to test case selection to represent each behavior. Therefore, we leverage our research and adversary tradecraft knowledge to generate a set of test cases that provide a representative sample of the possible variations of each target behavior.

COLLABORATIVE APPROACH

We collaborate with the organization’s detection team to enhance their understanding of specific detection capabilities and promote effective adversary detection and validation testing. This involves deploying a diverse array of test cases for each technique, covering various attack path variations that may be encountered.

EVALUATE PREVENTATIVE AND DETECTIVE CONTROLS

In our Purple Team assessments, security controls can be split into two primary categories. Preventative controls are those that focus on blocking the execution of a behavior. Detective controls are those that identify when a behavior has occurred in the monitored space even when it cannot be addressed automatically. Our methodology is built to understand the scope of both types of controls.

LEAVE-BEHIND CAPABILITIES

Our Purple Team assessment fosters an educational environment, equipping client security staff with adversary tradecraft knowledge, demystifying attack paths and techniques, and sharing test case methodologies. This knowledge integration enables detection validation testing within internal security operations. Customers receive tactical and strategic recommendations, comprehensive technical details for independent penetration testing, and executive-level summary reports.

Gaining a realistic understanding of the effectiveness of your security operations program capabilities is a challenging problem. We have unique expertise in building adversary simulation and detection teams based on our roots leading U.S. Department of Defense teams, experience building internal capabilities for Fortune 500 corporations and the focus on training as a core component of our services. We bring experience learned from developing dozens of Red and Purple teams, both in what makes effective capabilities and lessons learned along with way.

SpecterOps provides a third-party, expert perspective of where the organization currently sits, with clear observations of security deficiencies and recommendations for correcting shortfalls. We evaluate capabilities to meet strategic objectives, repeatedly perform desired activities with organizational competence level, not just surviving based on the individual competence of a few key hard-working individuals. Our assessment team approach helps to establish a baseline understanding of the current security program, prioritize issues, and map out a roadmap for addressing capability gaps.

EVALUATE CAPABILITY MATURITY

Identify gaps in current adversary detection capabilities, including staff skill sets, technical capabilities and program support infrastructure.

MEET STRATEGIC OBJECTIVES

Develop a security roadmap to increase program maturity and meet overall organization expected outcomes.

IMPROVE SECURITY POSTURE

Increase the organization’s readiness against attack through effective use of robust adversary simulation and detection capabilities.

Our Active Directory (AD) and Azure Attack Path Assessments puts you back in control of your directory and eliminates the adversary’s favorite target for lateral movement. Attack Paths are chains of abusable privileges and user behaviors creating direct and indirect connections between users and assets. Traditional methods can’t patch these misconfigurations, as they aren’t vulnerabilities. Years pass, teams change, complexity increases, and Attack Paths explode in numbers. This is the fundamental problem behind most ransomware and breaches events today.

This technology-enabled testing service comprehensively maps AD and Azure Attack Paths and identifies remediation Choke Points to remove millions of paths with the fewest fixes. Powered by BloodHound Enterprise, each Attack Path is prioritized by impact to the organization and accompanied with step-by-step remediation guidance. Let us show you how an adversary sees your directory and show you how to take back control.

COMPREHENSIVELY MAP ACTIVE DIRECTORY ATTACK PATHS

Powered by BloodHound Enterprise, comprehensively map relationships and connections across Active Directory and Azure to identify lateral movement and privilege escalation Attack Paths. Use the advisory visibility and expertise derived from thousands of environments and billions of directory relationships.

RISK-BASED CHOKE POINT ANALYSIS

Exposing all the Attack Paths is just the first step. We’ll identify optimal remediations by:

Measuring the empirical exposure of each Attack Path
Pinpointing Choke Points to block the largest number of Attack Paths
Ranking remediation Choke Points by collective risk reduction

REAL-WORLD REMEDIATION GUIDANCE

Step-by-step guidance eliminates the guesswork of the specific configurations required to eliminate Attack Paths. Prioritize your teams and move fast.

SECURE CRITICAL ASSETS

Understand the risk to your Tier Zero and Privileged Access identities and resources in Active Directory or Azure. Implement and validate least privilege.

Our AI red team service exposes hidden safety and security threats across the entire lifecycle of artificial intelligence (AI) systems by applying our industry leading expertise. By leveraging an adversarial mindset, we assess AI systems during the design, development, deployment, and operations stages. We focus projects on model evaluations, supporting identity and infrastructure assessments, and production application testing through these stages. This comprehensive approach ensures that security principles are effectively applied to emerging technologies like machine learning, large language models, generative AI, and agentic workflows.

Our service decomposes AI systems into their individual components and holistically evaluates them for attack vectors and vulnerabilities both unique to artificial intelligence and traditional technologies. We focus on impact-driven objectives, helping clients protect what they care about most. By simulating advanced threat actors and employing both novel and well-known adversary tactics, SpecterOps provides insight and visibility on worst-case scenarios without incurring actual security risks, ultimately enhancing their overall security posture. Our deliverables provide clients with a realistic and clear understanding of potential attack vectors while providing actional approaches for resolution and defense against adversaries.

Design

We work to understand the system’s purpose and acceptable use to conduct threat modeling during the ideation phase to identify and anticipate potential attacks and vulnerabilities, providing crucial inputs for secure design and compensating security controls.

Development

Large language models and pipelines are evaluated during inference for safety, security, privacy, and alignment risks, assessing the complete model development workflow for issues such as supply chain risks, data poisoning, sensitive information disclosure, and other vulnerabilities from the OWASP Top 10 for LLM & Gen AI Project.

Deployment

Systems deployed and integrated into operational environments are assessed from the perspective of a compromised user, evaluating the security of cloud and compute providers, host operating systems, databases, and processing pipelines, including authentication, access, and authorization controls.

Operations

Traditional red team exercises are conducted against production AI systems to generate telemetry and create realistic adversary simulations, providing live-fire training scenarios that improve detection and response capabilities.

Get Started

Defend Against
Advanced Attacks.

Talk to an Expert

In the spotlight

Security Topics We’re Discussing

All Resources

Blog

OneLogin, Many Issues: How I Pivoted from a Trial Tenant to Compromising Customer Signing Keys

TL;DR OneLogin was found to have security vulnerabilities in its AD Connector service that exposed authentication credentials and enabled account impersonation. This research showed that attackers could access credentials and signing keys to generate valid JWT tokens, allowing user impersonation. Leaked AWS credentials allowed SpecterOps to register an unclaimed S3 bucket referenced in the OneLogin […]

Blog

Update: Dumping Entra Connect Sync Credentials

TL;DR Microsoft has recently changed how Entra Connect Sync authenticates to Entra ID. This blog post will discuss what has been changed and how to adjust attacker tradecraft. Recently, Microsoft changed the way the Entra Connect Connect Sync agent authenticates to Entra ID. These changes affect attacker tradecraft, as we can no longer export the […]

Blog

Chatting with Your Attack Paths: An MCP for BloodHound

TL;DR In an effort to learn about Model Context Protocol servers, I created a MCP server that allows Claude Desktop to access and analyze data contained with a running instance of BloodHound Community Edition. This MCP is recommended to be used with Lab or Example data. Future releases will have Local LLM support. Introduction During […]

Blog

Tokenization Confusion

TL;DR Tokenization Confusion: We look at the new Prompt Guard 2 model from Meta, how “confusing” Unigram tokenization can lead to misclassification of malicious prompts, and why building up our ML knowledge will lead to better findings when assessing LLM API’s. Recently, upon getting ready to board a flight across the Atlantic, I was deciding […]

Blog

Getting the Most Value Out of the OSCP: After the Exam

TL;DR In the final post of this series, I’ll discuss what to do after your latest exam attempt to get the most value out of your OSCP journey. Introduction Throughout this series, I’ve shared practical advice for PEN-200: Penetration Testing with Kali Linux students seeking to maximize the professional, educational, and financial value of pursuing […]

Blog

Revisiting COM Hijacking

TL;DR: This post shows how COM hijacking can serve as a reliable persistence method while also enabling execution within commonly used applications across an environment. Overview Persistence is one of the most important steps in any red team engagement. Without persistence, all it takes is a reboot, a user logout, or some unexpected disruption, and […]

Blog

Understanding & Mitigating BadSuccessor

TL;DR: BadSuccessor is a new AD attack primitive that abuses dMSAs, allowing an attacker who can modify or create a dMSA to escalate privileges and take over the forest. The DACL-based parts of the attack have relatively straightforward mitigations. Recently Yuval Gordon at Akamai released the blog post BadSuccessor: Abusing dMSA to Escalate Privileges in […]

Blog

(Why) IAM demands an #AttackGraph First Approach

TL;DR: Don’t start with access lists—start with attacker movement. Your new baseline: “Be the best at predicting how an attacker would reach identities that control critical assets.”. Lead with an Attack Graph First approach. Add context and clear narrative to attack paths. Expose real risk and prioritize the most impactful fixes. Quick What Is; An […]

Blog

Running From Complacency: Getting Off Your InfoSec Hamster Wheels

TL;DR Breaking free from InfoSec complacency: We discuss how security leaders can align their security strategy with business goals, evaluate metrics critically, and collaborate with peers instead of running aimlessly on their information security hamster wheels. The past months have been your typical Information Security chaos with a bit of extra political flair. A rapidly […]

Blog

Getting the Most Value Out of the OSCP: The Exam

TL;DR A practical guide to maximizing the short- and long-term benefits of your upcoming OSCP exam attempt(s). Introduction In the last post in this series, I discussed a few proactive steps students should take throughout the PEN-200: Penetration Testing with Kali Linux labs as part of their efforts to earn the Offensive Security Certified Professional […]

Newsroom

SpecterOps Privilege Zones enables security teams to define logical access boundaries

Announcement

SpecterOps Launches Privilege Zones in BloodHound Enterprise to Protect Mission-Critical Assets from Identity Compromise

Announcement

SpecterOps Expands Executive Team Following $75M Series B, Adding New CFO, CRO and CMO to Accelerate Growth in Identity Risk Management

Our Services

We Help Build Best In-Class Security Operations

Who we are

Our Specialty is Understanding Adversary Tradecraft

What to Expect

“Assume Breach” Mindset

Pioneering Industry Capabilities

Transparent Approaches

Industry Experts

Tailored Execution

Actionable Deliverables

Our Services

Program Development

ADVERSARY DETECTION PROGRAM DEVELOPMENT

RED TEAM ENGAGEMENT PROGRAM DEVELOPMENT

Security Assessments

NETWORK PENETRATION TESTING

APPLICATION PENETRATION TESTING

SPECIALTY TECHNOLOGY PENETRATION TESTING

INDEPENDENT EXPERT PERSPECTIVE

RED TEAM ENGAGEMENT EXERCISE

THREAT REPLICATIVE ASSESSMENT

TRANSPARENCY

EXPERIENCED EXECUTION

COLLABORATIVE APPROACH

EVALUATE PREVENTATIVE AND DETECTIVE CONTROLS

LEAVE-BEHIND CAPABILITIES

EVALUATE CAPABILITY MATURITY

MEET STRATEGIC OBJECTIVES

IMPROVE SECURITY POSTURE

COMPREHENSIVELY MAP ACTIVE DIRECTORY ATTACK PATHS

RISK-BASED CHOKE POINT ANALYSIS

REAL-WORLD REMEDIATION GUIDANCE

SECURE CRITICAL ASSETS

Design

Development

Deployment

Operations

Get Started

Defend Against Advanced Attacks.

In the spotlight

Security Topics We’re Discussing

Sign Up For Updates From SpecterOps

Defend Against
Advanced Attacks.