Cybersecurity, learned like a practitioner.
24 learning paths · 398 modules live · every lesson written by someone who has shipped the control or run the engagement. Free to start.
Active Directory Security · modules
Red-team and blue-team AD. Kerberos, BloodHound, defensive hardening.
Module 12 · DPAPI — Windows Data Protection API Attacks
Why this module exists. DPAPI is how Windows stores “secrets” — Wi-Fi passwords, browser-saved credentials, RDP credentials, OneDrive tokens, certificates. Attackers who understand DPAPI extract dozens of credentials per compromised host. Defenders who don’t understand it can’t tell which alert means “credential theft” vs “noise”. The DPAPI mental model Each Windows user has a master […]
Module 11 · Kerberos Delegation Abuse — Unconstrained, Constrained, RBCD
Why this module exists. Kerberos delegation is one of the most-misunderstood AD features and one of the most-abused. Three flavours, all dangerous when misconfigured: Unconstrained (legacy, terrifying), Constrained (better, still bad), and Resource-Based Constrained Delegation (the new one, with its own attack class). Every red team checks all three. Why delegation exists Tiered apps need […]
Module 10 · DCSync — Domain Replication Abuse
Why this module exists. DCSync is the technique that lets an attacker dump every credential in your domain — without ever touching a domain controller’s filesystem. It’s not an exploit; it’s a feature being abused. Most AD environments have multiple non-DC accounts that can DCSync, and most defenders don’t know who. The mechanic Active Directory […]
Module 9 · Pass-the-Hash & Pass-the-Ticket
Why this module exists. Pass-the-Hash was first published in 1997. Microsoft has shipped 28 years of mitigations and the technique still works on most enterprise networks. Understanding why it persists, and what actually stops it, is foundational to defending AD. NTLM in 30 seconds NTLM authentication doesn’t transmit the password. The client transmits the NT […]
Module 8 · AS-REP Roasting — The Quiet Cousin of Kerberoasting
Why this module exists. Every AD pentester checks Kerberoasting first. Most check AS-REP Roasting second. The astonishing thing is how often it works in 2026 — accounts with DONT_REQ_PREAUTH set, often “temporarily” by an admin in 2014 and never unset. One vulnerable account is enough to crack a domain user’s password offline. The bug, structurally […]
Module 7 · Hybrid AD & ADFS Attack Surface
Entra Connect crown jewel, ADFS Golden SAML, PHS attacks, on-prem ↔ cloud lateral movement, Tier 0 isolation.
Module 6 · Active Directory Certificate Services Attacks
Active Directory Certificate Services (ADCS) is how Windows issues certificates — for user authentication, computer authentication, web services, VPN, code signing. It’s also, since SpecterOps’s 2021 “Certified Pre-Owned” research, one of the fastest paths from user to Domain Admin. This module covers the attack classes (ESC1-ESC8+) and defences. ADCS primer Certification Authority (CA) — issues […]
Module 5 · Golden and Silver Tickets
Forged Kerberos tickets are the ultimate AD compromise. A Golden Ticket grants domain-wide impersonation for 10 years. A Silver Ticket grants service-specific impersonation without ever touching the DC. Understanding both is essential for any practitioner serious about AD. Kerberos ticket refresher Two ticket types in a Kerberos flow: TGT (Ticket Granting Ticket) — issued by […]
Module 4 · NTLM Relay Attacks
NTLM Relay is one of the most effective attacks against modern Windows environments — and it works even on fully-patched systems if defenders haven’t enabled specific hardening. This module covers how relay works, common exploit chains, and the defences that actually block it. How NTLM authentication works NTLM is a challenge-response protocol. Client sends NTLM_NEGOTIATE; […]
Module 3 · BloodHound for Attack Paths
Individual AD misconfigurations look innocuous on their own. A group with a few extra members. A computer with delegation enabled. A user with GenericWrite on a colleague’s account. In isolation, each is a “maybe low risk.” When graph-analysed together, they form attack paths — concrete, stepwise routes from any foothold to Domain Admin. BloodHound is […]
Practitioners who've
shipped the controls.
Every module is written by someone who has built the defence or run the engagement. No repackaged tutorials, no generic theory.
Why learn here
Practitioner-written.
Each lesson is authored by someone who has shipped the control or run the engagement in production.
Quiz after every module.
20+ questions with explanations. 70%+ to mark complete. Unlimited retries.
Progress tracked.
Completions, scores and streaks saved automatically. Resume exactly where you left off.
India-priced.
Start free. ₹499/mo for intermediate. ₹4,999/yr for advanced. No hidden fees, ever.