Offensive Security
& Adversary Simulation
Understanding attacker behaviour to strengthen detection, triage, and incident response in SOC environments.
Why Offensive Knowledge
Makes Better Defenders
Understanding attacker techniques isn't about hacking — it's about closing the gap between what attackers know and what defenders see.
Know What Attackers See
SOC analysts who understand attack paths and reconnaissance techniques catch threats before they escalate — because they're watching the same signals attackers rely on.
Faster Alert Triage
Recognising attack patterns in SIEM telemetry reduces mean time to detect and respond. Offensive experience turns ambiguous alerts into clear, actionable intelligence.
Precision Response
Offensive knowledge removes guesswork from containment decisions. When you know how an attacker thinks and moves, you can anticipate and cut off their next step.
Attack Simulations
Each simulation is documented from both the attack execution and the SOC detection perspective — in a controlled lab environment.
Scenario
Targeted a local lab SSH service with a wordlist attack to simulate credential stuffing from a threat actor attempting initial access via compromised credentials.
Attack Execution
Ran Hydra with a 10,000-word common password list against SSH on a test VM. Generated 847 failed login attempts over 4 minutes before triggering account lockout thresholds.
Detection Signals
- SIEM alert fired: >10 failed authentications from a single IP within 60 seconds
- auth.log showed rapid sequential failures — same username, incrementing timestamps
- Source IP outside trusted IP range with no prior access history in baseline
Investigation Steps
- 1Confirmed source IP is external with zero prior activity in environment logs
- 2Checked for any successful logins post-attack window on the targeted account
- 3Reviewed whether account holds service permissions or privileged sudo access
- 4Correlated with firewall and VPN logs to identify potential lateral movement
SOC Response Actions
- Temporary IP block applied via perimeter firewall rule — logged and ticketed
- Account suspended pending investigation and credential hygiene review
- Escalated to Tier 2 analyst for full investigation scope assessment
- Asset owner and IT team notified per incident response playbook
Outcome
Attack fully contained. No successful authentication recorded. Source IP added to blocklist. Playbook updated with refined threshold tuning recommendations.
Scenario
Simulated a spear-phishing campaign targeting a finance persona with a crafted email directing to a cloned internal login page designed to harvest credentials in a controlled lab environment.
Attack Execution
Crafted a convincing email mimicking an internal IT access request. Hosted a cloned login page on a test domain. Tracked click-through and credential submission. No real credentials were used — test environment only.
Detection Signals
- Email gateway flagged sender domain mismatch and SPF/DKIM alignment failure
- Proxy logs showed user navigating to unrecognised external domain not in whitelist
- SIEM alerted: successful login from new geographic location (different country, same account, within 10 minutes of phish delivery)
Investigation Steps
- 1Reviewed email headers for spoofing indicators, domain registration age, and routing anomalies
- 2Pulled proxy logs to confirm suspicious domain access timeline and scope
- 3Checked authentication logs for impossible travel anomaly and concurrent session conflicts
- 4Reviewed recent file access and outbound email activity for the compromised account
SOC Response Actions
- Forced immediate password reset on the potentially compromised account
- Revoked all active sessions and OAuth tokens associated with the account
- Blocked phishing domain across DNS filter, proxy, and email gateway
- Notified affected user and initiated targeted phishing awareness follow-up
Outcome
Credential exposure fully contained. No data accessed post-simulated compromise. Phishing domain blocked across all enforcement points. Detection rules tuned for impossible travel.
Scenario
Tested a deliberately vulnerable web application for SQL injection in the login form to understand exactly what WAF and application logs would surface, and how to triage the associated alerts from a SOC perspective.
Attack Execution
Intercepted login request via Burp Suite Proxy. Modified the username field to inject a classic `' OR '1'='1` payload. Successfully bypassed authentication on the unprotected test application. Tested multiple payload variants for completeness.
Detection Signals
- WAF logs showed SQLI_MATCH alert with the raw payload visible in request body
- Web server access logs: unusually high 200 responses to /login from single IP in short window
- Application logs recorded successful auth event with no corresponding valid credential match
Investigation Steps
- 1Correlated WAF SQLI_MATCH alert with web server access logs to confirm exploit execution
- 2Extracted and reviewed the raw request log to confirm malicious payload content
- 3Identified the affected endpoint and assessed scope of potential data exposure risk
- 4Reviewed outbound connection logs for data exfiltration attempts post-exploitation
SOC Response Actions
- Blocked source IP immediately via WAF rule — applied emergency signature update
- Raised P2 incident ticket with application development team for urgent review
- Recommended parameterised query implementation as permanent remediation
- Audited application for additional unprotected endpoints with similar vulnerability patterns
Outcome
Exploit contained to isolated test environment. Application team notified with full evidence package. WAF ruleset updated with targeted signature. Vulnerability patched within defined SLA.
How I Use Offensive Knowledge
in a SOC Role
Offensive experience isn't about attacking — it's about thinking like an attacker to defend more effectively.
Faster Alert Triage
I recognise attack patterns in SIEM alerts quickly because I have executed them in controlled environments. This reduces triage time significantly and improves first-response accuracy.
Better False Positive Identification
Understanding what real attack telemetry looks like means I can confidently dismiss noise without unnecessary escalation — reducing analyst fatigue and improving signal quality.
Stronger Incident Response Decisions
When investigating an active incident, I can anticipate the attacker's next move. Containment decisions are made with context, not guesswork — improving response speed and precision.
More Effective Threat Hunting
Offensive knowledge enables me to write precise detection rules and hunt for TTPs that automated tools miss — closing detection gaps before they become incidents.
MITRE ATT&CK
Techniques Covered
Techniques mapped from hands-on simulation work in controlled lab environments.
Brute Force
Credential AccessAdversaries systematically guess credentials to gain unauthorised access to accounts. Typically targets SSH, RDP, web applications, or email portals.
Detection focus: Authentication log volume anomalies, rapid sequential failures, source IP reputation analysis in SIEM.
Phishing
Initial AccessMalicious messages are crafted to harvest credentials or deliver payloads. Spear-phishing targets specific individuals using contextual social engineering.
Detection focus: Email header analysis, SPF/DKIM failures, impossible travel alerts, and proxy log anomalies post-click.
Command Injection
ExecutionAttacker-controlled commands are executed through vulnerable application endpoints or interpreters, enabling arbitrary code execution on the target system.
Detection focus: WAF alert correlation, web access log anomalies, unexpected outbound connections from web-tier hosts.
Tools Used
in These Simulations
All tools were used in isolated, controlled lab environments for educational and detection-improvement purposes.
Burp Suite
Web application security testing and proxy interception
Hydra
Network login brute-force testing tool
Nmap
Network discovery and port scanning
Wireshark
Packet capture and network traffic analysis
Metasploit
Exploit framework for controlled vulnerability testing
Security Onion
Network security monitoring and intrusion detection
Case Study:
Brute Force Attack Response
A walkthrough of how this attack was detected, investigated, and contained from a SOC analyst perspective — from alert to closure.
SIEM rule fired: >10 failed SSH authentications from a single external IP within 60 seconds. Severity classified as Medium. Alert assigned to analyst queue via ITSM integration.
Pulled auth.log entries confirming 847 failed attempts in 4 minutes. IP geolocation returned Eastern Europe. No prior activity in the environment. Account targeted has sudo access — elevated priority.
Determined this is an active, ongoing brute force attempt — not a false positive. No successful authentication recorded yet. Immediate containment actioned; Tier 2 escalation deferred pending outcome.
Firewall rule added to block source IP at perimeter. Account temporarily locked to prevent any residual access attempts. Asset owner notified per comms protocol. Incident ticket created and documented in ITSM.
No successful authentication recorded throughout the incident. Incident closed after 24-hour monitoring period with no recurrence. Threshold alerting rule updated to reduce future false positive rate. Playbook updated.
All simulations performed in isolated lab environments for detection and response improvement.
The purpose of this work is to build better defensive instincts — not to demonstrate offensive capability for its own sake.