Cybersecurity, learned like a practitioner.
24 learning paths · 398 modules live · every lesson written by someone who has shipped the control or run the engagement. Free to start.
Attacker Mindset — Active Directory · modules
Fragile-by-design AD, BloodHound graphs, ACL abuse, ADCS (ESC1-16), trusts, delegation, hybrid attacks — end-to-end AD compromise mindset.
Module 11 · The Implicit Trust of AD
Active Directory assumes a cooperative environment. Members trust each other. Domain controllers trust members. Trusts between domains are assumed friendly. Every “feature” — Kerberos delegation, ACL inheritance, group nesting — is a cooperation primitive. Each is exploitable when the cooperation assumption fails. The mindset: AD’s features are its attack surface. Each was designed for ease, not […]
Module 12 · Service Accounts Outlive Their Purpose
Service accounts get created. They stay forever. The original requester left in 2019. The service was decommissioned in 2021. The account remains, with the same permissions, the same password. Audit reveals: 30-50% of high-priv service accounts have no current owner. 20%+ haven’t had a password change in 5+ years. The mindset: service accounts need lifecycle. Ownership, […]
Module 13 · Permission Drift
User joins team A. Gets group memberships. Moves to team B. Gets new memberships. Old memberships rarely removed. Repeats over years. Result: senior engineers have memberships from every team they’ve been on. The set of effective permissions is unknowable without explicit query. The mindset: permissions need negative review (what should be removed) more than positive […]
Module 14 · Reading the Directory as a Graph
Microsoft Management Console shows AD as a tree. BloodHound shows it as a graph. The graph view changes everything. Nodes: users, groups, computers, GPOs, OUs. Edges: HasMember, AdminTo, GenericWrite, GenericAll, ForceChangePassword, etc. Attack paths emerge from graph structure. The mindset: think in graphs. Every node has incoming edges (who controls me) and outgoing edges (what […]
Module 15 · Why GPO Defaults Matter
GPOs have defaults. Defaults from when AD launched. “Not Defined” usually means “system default” — which may be insecure. Examples: NTLM still allowed. LM hash still stored on some configs. Anonymous SID enumeration enabled. Each is a backdoor that nobody actively turned on. The mindset: assume nothing is restricted unless explicitly restricted. Apply CIS or […]
Module 16 · The Time Aspect of Kerberos
Typical TGT lifetime: 10 hours. Forged Golden Ticket: any lifetime. Until krbtgt is rotated, the attacker maintains DA via forged tickets. Service ticket cache: residual access for hours after permission revocation. Cache flushing is rare; impact uncertain. The mindset: time-bound credentials need time-bound revocation, not just permission revocation.
Module 17 · Cross-Forest, Cross-Tenant Trust
M&A: company A acquires company B. Trust between forests established for “convenience.” Compromise of one becomes compromise of both. Hybrid AD + Entra: AD Connect bridges; compromise of either side reaches the other. Multi-tenant Entra: B2B guest accounts persist; compromise of guest tenant reaches host. The mindset: every trust relationship is a control merge. Document; […]
Module 18 · The Backup-Account Anti-Pattern
Every AD has a “break glass” account: backup_admin, recovery_account, etc. Reasoning: “what if everything else fails?” Reality: account exists with full rights, no MFA, password unchanged for years. Attackers find it. Use it. Backup-admin compromise = full domain compromise with no anomaly detection. The mindset: break-glass accounts must be specifically monitored. Any login = SOC […]
Module 19 · Why Passwords Persist 5+ Years
Service-account password rotation breaks services. Documentation incomplete. Owner unknown. Last person who knew has left. Result: passwords from 2018 still active. This is the structural reason Kerberoasting works at every internal pentest. The mindset: gMSA (Group Managed Service Account) where possible — Windows manages rotation. Where not possible, ≥25-char passwords (cracking is economically infeasible).
Module 20 · Defenders’ Worst Assumption
Defenders frequently believe their AD is too complex, too custom, too unique for attackers to navigate. Attackers run BloodHound in 90 minutes. Get a complete map. Find the shortest path to DA. The complexity defenders rely on is a 30-second query for the attacker. The mindset: assume the attacker maps AD better than you do. […]
Practitioners who've shipped the controls.
Every module is written by someone who has built the defence or run the engagement. No repackaged tutorials, no generic theory.
Why learn here
Practitioner-written.
Each lesson is authored by someone who has shipped the control or run the engagement in production.
Quiz after every module.
20+ questions with explanations. 70%+ to mark complete. Unlimited retries.
Progress tracked.
Completions, scores and streaks saved automatically. Resume exactly where you left off.
India-priced.
Start free. ₹499/mo for intermediate. ₹4,999/yr for advanced. No hidden fees, ever.