DCSync Attack: Dumping AD Credentials with Mimikatz

What Is a DCSync Attack? DCSync is a credential dumping technique that abuses Active Directory’s replication mechanism. Instead of running code on a Domain Controller, an attacker with the right privileges impersonates a Domain Controller and requests password data directly from another DC using the MS-DRSR (Directory Replication Service Remote Protocol). The result: you get NTLM hashes, Kerberos keys, and plaintext passwords (in some configurations) for any account in the domain — including krbtgt and Domain Admins — without ever touching LSASS on a DC. ...

July 14, 2026 · 7 min · Red Team Guide

Pass-the-Hash vs Pass-the-Ticket: Complete Guide

Active Directory credential attacks come in two flavors that confuse people constantly: Pass-the-Hash (PtH) and Pass-the-Ticket (PtT). Both let you authenticate as another user without knowing their plaintext password. But they work on completely different protocols, hit different defenses, and fail in different ways. This guide covers how each attack actually works under the hood, when to reach for one vs the other, how defenders detect them, and how red teamers stay ahead of detection. ...

July 10, 2026 · 9 min · Red Team Guide

NetExec (CrackMapExec) Complete Guide 2026

CrackMapExec is dead. Long live NetExec. If you’ve been in offensive security for more than a few years, CrackMapExec (CME) was probably one of the first tools you learned. It became the go-to for Active Directory enumeration, credential testing, and lateral movement — packed into a single framework with clean output and a protocol-agnostic design. In 2023, the original author archived the project. The community forked it and kept building under a new name: NetExec (nxc). Same DNA, actively maintained, and compatible with everything CME could do. ...

July 7, 2026 · 11 min · Red Team Guide

Kerberoasting Attack: How It Works and How to Exploit It

Kerberoasting is one of the most reliable privilege escalation techniques in Active Directory environments. It’s quiet, requires no special privileges to execute, and often yields domain admin within hours — because organizations routinely set weak passwords on service accounts and never rotate them. This guide covers everything: how Kerberos works, why the attack is possible, what you need to execute it, and how defenders detect it. What Is Kerberoasting? Kerberoasting targets service accounts in Active Directory that have a Service Principal Name (SPN) set. Any authenticated domain user can request a Kerberos Ticket Granting Service (TGS) ticket for any SPN — and those tickets are encrypted with the service account’s NTLM hash. ...

July 3, 2026 · 8 min · Red Team Guide

BloodHound Complete Guide: AD Attack Path Mapping

BloodHound is the closest thing to a cheat code for Active Directory pentesting. Feed it your domain data and it draws a map of every path from regular user to Domain Admin — paths that would take you days to find manually. This guide covers everything: installation, data collection with SharpHound, running Cypher queries, and using the attack paths you find to actually escalate privileges. What BloodHound Does (and Why It Matters) Active Directory environments are complex. Thousands of users, hundreds of groups, nested permissions, ACL misconfigurations, Kerberos delegation settings — no human can reason about all of it manually. ...

June 30, 2026 · 10 min · Red Team Guide

Best Cybersecurity Books for Red Teamers 2026

Reading shapes how you think. Tools change every year — the mindset behind using them doesn’t. The best red teamers I’ve seen aren’t just tool runners. They understand why attacks work, and that understanding comes from deep reading, not just lab time. This is the list I’d hand someone serious about red teaming in 2026. Not everything published. Not what looks impressive on a shelf. What actually moves the needle. ...

June 26, 2026 · 7 min · Red Team Guide
CCSP Certified Cloud Security Professional Review 2026

CCSP Review 2026: Is It Worth It for Red Teamers?

The CCSP — Certified Cloud Security Professional — is ISC2’s answer to the question nobody asked out loud but everyone in enterprise security eventually faces: what actually separates the people who architect cloud security from the ones who just configure it? Short answer: about 150 exam questions, five years of experience, and $599. This is a practitioner’s review. I’ll tell you what the cert actually covers, how hard the exam is, whether it’s worth your time, and — critically — whether it makes sense for red teamers specifically. Spoiler: it depends on where you’re headed. ...

June 23, 2026 · 8 min · Red Team Guide
AZ-500 Microsoft Azure Security Engineer Review 2026

AZ-500 Review 2026: Is Microsoft Azure Security Engineer Worth It?

If you’ve been working through the cloud security track — AWS pentesting, IAM escalation, S3 misconfigs — the natural next question is: do you validate those skills with a cert? For Azure specifically, the AZ-500: Microsoft Azure Security Engineer Associate is the answer. This review breaks down whether it’s worth your time and money in 2026. What Is the AZ-500? The AZ-500 is Microsoft’s vendor cert for Azure security. It covers: ...

June 19, 2026 · 5 min · Red Team Guide
AWS Certified Security Specialty Review 2026: Is SCS-C02 Worth It?

AWS Certified Security Specialty Review 2026: Is SCS-C02 Worth It?

The cloud is where the money is. It’s also where most of the misconfiguration lives, the IAM sprawl runs unchecked, and the attack surface has grown faster than most organizations can track. If you’re doing offensive or defensive cloud security work in 2026, the AWS Certified Security Specialty (SCS-C02) is one of the few certifications that actually reflects what the job looks like. This is a full honest review — what the exam covers, how hard it is, what it costs, and whether it belongs in your cert stack. ...

June 16, 2026 · 10 min · Red Team Guide
GCP Pentesting Guide 2026: Attacking Google Cloud

GCP Pentesting Guide 2026: Attacking Google Cloud

Google Cloud is no longer just AWS’s little sibling. It’s the backbone of YouTube, Google Workspace, and thousands of Fortune 500 environments. In 2026, GCP powers a significant chunk of enterprise infrastructure — and most red teams still don’t know how to attack it properly. This guide fixes that. We’ll walk through a complete GCP attack chain: from passive recon through persistence, using real commands against real services. If you’ve done our AWS pentesting guide or Azure pentesting guide , this follows the same structure — but GCP has its own quirks that’ll trip you up if you treat it like AWS. ...

June 9, 2026 · 11 min · Red Team Guide