Module 20 · Initial Access — Modern Techniques in 2026

Manish Garg
Manish Garg Associate of (ISC)² · RingSafe
May 14, 2026
3 min read
Read as
100% Free

No signup. No paywall. No catch. One of our 10 most-requested practitioner modules — published in full so anyone can learn for free. We earn through consulting, not by gating knowledge.

See all 10 free modules →

Why this module exists. Initial access — getting first execution in a target environment — has evolved as defences have improved. Spear-phishing still works but with refined techniques. Cloud-credential abuse is rising. This module covers the 2026 initial-access landscape and the operator’s modern toolkit.

The initial-access categories

  • Phishing: targeted email with malicious link or attachment.
  • Valid accounts: stolen / purchased credentials; password spray.
  • Exposed services: VPN, RDP, web-app vulnerabilities.
  • Supply chain: compromise a vendor; reach the target.
  • Drive-by compromise: malicious website; user visits and is compromised.
  • Removable media: USB drops, infected media.
Need a real pentest?

Get a VAPT scoping call

Senior practitioner-led VAPT — not a checklist run by juniors. CVSS-scored findings, free retest, attestation letter. India's SMBs and SaaS teams.

Book VAPT scoping call Replies in 4 working hrs · India-only · Senior consultants
← Previous · Module 19
Module 19 · Living-off-the-Land Binaries (LOLBins) Mastery
← Back to Academy Hub
Continue Learning

Other modules in this track

View all modules
Academy
Module 1 · Beginner

Red team vs pentest, engagement types, objectives, rules of engagement, and what a good red team…

Apr 22, 2026 · 4 min read
Academy
Module 2 · Intermediate

Phishing infrastructure, HTML smuggling, password spray, OAuth consent, and exposed-service exploitation.

Apr 22, 2026 · 5 min read
Academy
Module 3 · Advanced

Cobalt Strike, Sliver, Havoc, Mythic compared. Beacon anatomy, transports, malleable profiles, redirector architecture.

Apr 22, 2026 · 4 min read