Laws of the forest

The forest, huge and wild, a digital landscape formed by nature’s own processes and humanoid activities and neglect throughout decades. The forest does have human-made laws and inescapable natural law though.

Conventional pentesting covers the finding of most technical vulnerabilities. The limitations on such processes include time and budget constraints, a limited scope, every effort being made to make the tests as non-disruptive as possible, and having a heavy IT focus. Real adversaries do not follow such ethical codes and are mostly unrestricted in their actions.

That does not mean pentesting is useless. We recommend having done enough pentesting and security awareness training before considering red teaming, unless you think you are already the target of an APT adversary.

We are offering free services to NGO’s and activists. And free does not necessarily mean our services are of low value. On the contrary. Contact us in the Unseen University to discover how we could work together. You do not have to wear a pointy hat or grow a beard. We just use unserious seriousness (or was it serious unseriousness) to maintain our sanity when in paranoia mode.

Pentesting

• Introduction
• Who?
• Contracts and agreements
• Disclaimers
• Scoping
• Rules of engagement
• Target considerations
• Scheduling and scope creep
• Cloud pentesting policy restrictions

Raising security awareness

• Introduction
• Identify vulnerabilities
• Human-readable guides
• Fun experiential workshops
• Simulations

Red Teaming

• Introduction
• Crown jewels
• Teams and roles
• Adversary emulation
• Scope and objectives
• Rules of engagement
• Campaign planning
• Concept of operation
• Resource plan
• Operations plan
• Mission plan

Security operations

• Introduction
• Develop an incident response plan
• Set up an incident response team (SIRT)
• Communications are key
• Security operations center in a nutshell
• Set up a security operations team (SOC)
• Measuring team effectiveness

Bug bounty hunting

• Introduction
• State of the bug bounty hunting industry
• Major platforms
• Private programs
• Self-hosted program
• Why (not) use a Bug Bounty platform?
• Asset types to hunt in
• Scope, payouts, and response times

Writeups

• Introduction