This technical article provides a detailed overview of various techniques and tools that can be used to bypass firewalls, including examples and best practices for red teamers and pen testers.
Mastering advanced physical security bypass techniques is essential for any red teamer, providing a significant edge in testing and enhancing an organization’s overall security posture through a blend of technical skills, social engineering, and creative problem-solving.
Explore the power of OSINT in Red Teaming. Dive into techniques like social network profiling, dorking, and domain recon to bolster your social engineering skills.
Explore advanced physical security bypass techniques, including lock picking, key duplication, RFID exploitation, access control system bypass, and social engineering, for red teaming and pen testing.
This article explains Scenario-Based Testing (SBT) in detail, its benefits, tools and techniques used, and provides examples of how SBT can be used in Red Team Exercises to identify vulnerabilities and weaknesses in an organization’s security defenses.
This article provides an in-depth analysis of the vulnerabilities of Industrial Control Systems (ICS) and best practices for securing them against cyber-attacks, written for experienced security professionals. It covers lack of network segmentation, weak authentication, outdated software and firmware, lack of monitoring and logging, vulnerable remote access, and SCADA hacking tools.
This article explores a range of covert communication and exfiltration techniques for Red Team operations, including protocol-level channels, social media, and out-of-band exfiltration techniques.
This article provides an in-depth discussion of advanced red team exercises specifically focused on supply chain attacks, including reconnaissance, weaponization, delivery, exploitation, and post-exploitation phases, with technical details and real-world examples.
SharpSocks is a powerful .NET-based proxy tool for red teaming and network penetration testing that enables encrypted communications, protocol obfuscation, and access to internal resources, providing professional hackers with stealth and persistence in their engagements.
This article explores the world of red team exercises, discussing various types of exercises, tools and techniques used, real-world examples, and the five phases of a typical red team exercise.
This article explores techniques and best practices for physical security testing, including social engineering, physical bypass, lock picking, surveillance, and physical access control.
A working operator’s look at the layer 2 and layer 3 attacks that actually move an engagement forward: IPv6 shadow networks and mitm6/ntlmrelayx, NAC bypass against modern profiling-aware appliances, DTP and double-tagging VLAN hopping, and HSRP/VRRP gateway hijacking with Loki. Plus the 2024–2026 defender changes (Server 2025 EPA, LDAP channel binding) that have made some of these noisier.
A walk through the modern phishing campaign architecture from an operator’s seat. Domain warming, redirector tiers, ASN and geo cloaking, CAPTCHA gates to defeat sandbox click-time URL scanning, HTML smuggling via the Blob API, SVG smuggling, and homograph tricks. Plus the current state of the arms race in 2026 with AiTM kits like Tycoon and EvilProxy, and what defenders should actually focus on.
How a stack-based buffer overflow actually corrupts a stack frame, what the classic mitigations (ASLR, DEP/NX, stack canaries) do and how each gets bypassed, why modern Windows and Linux added more layers (CFG, CET shadow stacks, PIE, PAC), and the development workflow for writing a first exploit against an unhardened target. Aimed at operators who’ve used Metasploit but never written an exploit from scratch.
A working operator’s view of red teaming versus pen testing, the Unified Kill Chain as a practical mental model rather than a theoretical framework, how modern C2 infrastructure is actually built (and why domain fronting isn’t the answer anymore), purple teaming as collaborative tuning, deconfliction with the white cell, and the operator-side OPSEC habits that decide whether you finish the engagement quietly.
Beyond nmap -sC -sV: the TCP/IP behavior that shapes scan results, NSE for real enumeration, IDS-aware timing, packet-level evasion, and where RustScan and Masscan are actually faster.
Manual UNION-based exfiltration, error-based and blind SQLi, WAF evasion, out-of-band data theft over DNS and HTTP, second-order injection, and the sqlmap flags that matter on real engagements.
A deep-dive into XSS from an offensive perspective. Beyond alert(1) — cookie theft, weaponized BeEF hooks, blind XSS, and bypassing modern WAFs and CSPs.
An introduction to penetration testing for people getting into the field. The differences between VA, PT, and red teaming; PTES as a workflow; what actually goes into a good report; and the legal lines you can’t cross.
A guide for red team operators coming from Linux. Where Darwin differs from Linux at the userland and kernel level, how SIP and TCC change what root means, how to live off the land with JXA and AppleScript, and how to persist with launchd.
A specialized guide for Red Team operators on exfiltrating and migrating data from a target MySQL database to a local PostgreSQL instance. Learn how to use Docker for rapid infrastructure deployment, pgloader for automated schema conversion, and handle both live network migrations and offline dump analysis.
A guide to SSH multiplexing and master control sockets for red team work. Covers running concurrent sessions over a single TCP connection, reducing connection churn, and the risks of socket hijacking.
Master the art of flight without leaving a footprint. A comprehensive guide to disabling shell history, managing operational hygiene, and understanding the forensic limit of these techniques across Bash, Zsh, Fish, and PowerShell on Linux.
This article explores how Red Team members can use alternate data streams on Windows NTFS to hide data, with specific examples and cautionary considerations.
A comprehensive guide to mastering port scanning on both Linux and Windows, covering standard tools like Nmap, stealthy built-in techniques, and modern PowerShell-based enumeration.