FORGE
Vol. 08 · Offensive Security Field Manual · June 2026
Alex Rivera
Cover Story · Red Team

The operator's field manual for breaking in — and locking down.

A curated command center for penetration testing, red team operations, and system hardening. Every platform free, every tool battle-tested, every technique authorized-use only.

Cybersecurity operations
Live · Updated June 18, 2026
Elite operations desk — inside a modern engagement.
280+ · Free training paths · Updated weekly
21 · Curated tools · Battle-tested
04 · Operational playbooks · Real scenarios
124k · Active operators · Worldwide
Featured this week
Web · AppSec
PortSwigger Academy: 200+ labs that made bug bounty serious.
★★★★★ · Completely free
Active Directory
BloodHound maps the attack path you didn't know was there.
Used in 87% of enterprise assessments
Defense · Hardening
CIS Benchmarks + Lynis: break it, then prove you can fix it.
Level 1 & Level 2 profiles
Department 01 · Academy

Training Academy

Hand-picked, 100% free platforms used by professional pentesters and red team operators worldwide.

Department 02 · The Arsenal

Tools of the trade

Battle-tested tools used daily by professional red teams — with install notes, usage, and pro tips inside each detail sheet.

All tools are open-source or have generous free tiers. Always verify install instructions on the official repos.

Department 03 · Forge & Shield

Break it, then build it back stronger

Knowing how to break systems makes you exceptional at hardening them. Production-grade checklists and tooling used by top security teams.

Defense

Why pentesters must master hardening

Every finding in a report should ship with a clear remediation path. Clients expect you to exploit and advise on defense.

Core principles
  • Least privilege & zero trust
  • Defense in depth
  • Reduce attack surface
  • Continuous monitoring & auditing

Linux Server Hardening

Ubuntu / RHEL
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
MaxAuthTries 3
Full checklist + Lynis commands
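
An added example (not FORGE's own code) that audits sshd_config text against the four directives listed above, applying sshd's first-value-wins rule and flagging Match blocks that weaken a global setting. It assumes upstream OpenSSH defaults for absent keywords and does not follow Include files; the function names and the sample config are constructed for illustration.

```python
REQUIRED = {"permitrootlogin": "no", "passwordauthentication": "no",
            "pubkeyauthentication": "yes", "maxauthtries": "3"}
# Upstream OpenSSH defaults, applied when a keyword is absent
# (assumption: the distribution has not changed them).
DEFAULTS = {"permitrootlogin": "prohibit-password", "passwordauthentication": "yes",
            "pubkeyauthentication": "yes", "maxauthtries": "6"}


def compliant(key, value):
    if key == "maxauthtries":  # anything at or below the checklist limit passes
        return value.isdigit() and int(value) <= int(REQUIRED[key])
    return value == REQUIRED[key]  # arguments are case-sensitive in sshd_config


def audit(config_text):
    """Return sorted (scope, keyword, value) tuples that miss the checklist."""
    seen, scope = {}, "global"
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.replace("=", " ", 1).split()  # "Key value" or "Key=value"
        if len(parts) < 2:
            continue
        key, value = parts[0].lower(), parts[1]  # keywords are case-insensitive
        if key == "match":  # later lines apply only to this Match block
            scope = "match " + " ".join(parts[1:])
        elif key in REQUIRED:
            seen.setdefault((scope, key), value)  # first value obtained wins
    for key in REQUIRED:
        seen.setdefault(("global", key), DEFAULTS[key])
    return sorted((s, k, v) for (s, k), v in seen.items() if not compliant(k, v))


# Constructed sample, not taken from a real host.
SAMPLE = """\
PermitRootLogin no
passwordauthentication yes
PasswordAuthentication no
MaxAuthTries=3
Match User deploy
    PermitRootLogin yes
"""

if __name__ == "__main__":
    for scope, key, value in audit(SAMPLE):
        print(f"FAIL [{scope}] {key} = {value}")
```

On a live host, `sshd -T` prints the effective configuration with Include files and defaults already resolved, which makes it the better input for a real audit.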

Windows Hardening

Server / WS

Apply CIS / DISA STIG baselines via Group Policy or LGPO, then layer Defender ASR, BitLocker, and Credential Guard.

# Enable ASR rules (Defender)
Set-MpPreference -AttackSurfaceReductionRules_Ids …
Full Windows checklist + tools

Recommended hardening & auditing tools

Lynis

Open-source Linux/Unix auditing. Run: lynis audit system

cisofy.com →

Wazuh

Free XDR / SIEM + vulnerability detection & compliance.

wazuh.com →

CIS Benchmarks

Gold-standard configuration guides for 100+ technologies.

cisecurity.org →

Ubuntu USG

Automated CIS & STIG hardening for Ubuntu.

ubuntu.com →

ScoutSuite

Multi-cloud posture assessment (AWS, Azure, GCP).

GitHub →
Department 04 · Methodology

The engagement, phase by phase

A structured, battle-tested methodology with Arsenal tools mapped to each phase. This is how mature operators approach authorized assessments.

01

Reconnaissance & OSINT

Passive and active information gathering. Never skip this — poor recon leads to noisy or failed engagements.

theHarvester · Amass / Subfinder · Nmap (light) · Shodan / Censys · LinkedIn / OSINT
Goal: a complete external + internal footprint before touching anything noisy.
02

Initial Access & Delivery

Gaining the first foothold. This phase carries the highest risk of detection.

Gophish / custom phishing · External vuln exploitation · Password spraying · Responder (internal)
Pro tip: always plan multiple vectors. Document everything for the report.
03

Execution, Persistence & Privilege Escalation

Establishing reliable access and escalating privileges. Favour living-off-the-land where possible.

Metasploit / Sliver · Evil-WinRM · Certipy + Rubeus · BloodHound + CrackMapExec
04

Lateral Movement & Domain Dominance

Moving through the environment and achieving domain-level objectives (usually DA or equivalent).

CrackMapExec / netexec · Impacket suite · Rubeus + Certipy · BloodHound path analysis
Critical: map attack paths early. Many engagements are won or lost here.
05

Collection, Exfiltration & Impact

Achieving the objectives (data access, ransomware simulation) while maintaining OPSEC.

Impacket + custom scripts · Sliver / Covenant C2 · Encrypted exfil
06

Cleanup, Reporting & Lessons Learned

The most important phase for the client. Professional red teams spend significant time here.

  • Remove all implants, scheduled tasks, and persistence
  • Document findings with evidence and reproduction steps
  • Provide prioritized remediation (not just "patch this")
  • Debrief with the blue team — purple team value
Department 05 · Scenarios

Red team playbooks

Scenario-based operational playbooks — structured approaches used in real authorized engagements.

Core scenarios · more coming

Assumed Breach — Internal Network

A common starting point for mature engagements.

Phase 1 · Initial foothold
Phishing or compromised credential · Responder / LLMNR poisoning · external vuln if in scope

Phase 2 · Situational awareness
BloodHound (SharpHound) · CrackMapExec / netexec · Certipy find

Phase 3 · Privesc & lateral
Rubeus + Certipy · Impacket secretsdump · Sliver / Evil-WinRM

High success rate · EDR considerations

External Web Application Assessment

Focused external testing with a bug-bounty mindset.

Recon & discovery
theHarvester + Amass/Subfinder · PortSwigger methodology · Nmap + ffuf/Gobuster

Vulnerability hunting
Burp Suite + OWASP ZAP · SQLMap · business-logic flaws

Exploitation & impact
Chaining vulns · account takeover · data exfil simulation

PortSwigger focus · High report quality

Ransomware Simulation Path

Demonstrate impact safely, without real destruction.

Access & spread
Establish foothold · map shares & backups · stage simulation payload

Impact (simulated)
Benign canary "encryption" · backup-reachability test · blast-radius mapping

Reporting
Recovery-time insight · detection gaps · resilience recommendations

Safe / non-destructive · Executive impact

Post-Exploitation & Lateral Movement

What to do after initial access in Windows/AD environments.

Credential harvesting
secretsdump.py + Rubeus · SafetyKatz · LSASS techniques

Lateral movement
CrackMapExec / netexec · Impacket (psexec, wmiexec) · Evil-WinRM

Persistence & evasion
Scheduled tasks/services · LOLBins · Sliver / Covenant implants

Core red team skill · Windows / AD focus
Department 06 · Practice Range

Free sandbox labs

Hands-on vulnerable environments you can run locally or in-browser for safe practice. Essential for skill development.

OWASP Juice Shop · Web

OWASP Juice Shop

Modern vulnerable web app with 100+ challenges. Great for web pentesting and secure-coding practice.

Docker · in-browser demo · Visit →
DVWA · PHP / SQL

Damn Vulnerable Web App

Classic PHP/MySQL vulnerable app. Excellent for learning SQLi, XSS, CSRF and the basics.

Docker · XAMPP · GitHub →
Metasploitable · Linux VM

Metasploitable 2 / 3

Intentionally vulnerable Linux VM. Perfect for Metasploit, enumeration, and post-exploitation.

VulnHub · Rapid7 · VulnHub →
WebGoat · Java

WebGoat

OWASP project for learning web application security through guided lessons and challenges.

Docker available · Site →
VulnHub · VM Library

VulnHub Collection

A huge library of community vulnerable VMs. Great for realistic full-scope practice.

VirtualBox / VMware · Browse →
PortSwigger labs · In-browser

PortSwigger Academy Labs

Hundreds of free interactive web-security labs, right in the browser. No setup required.

Free · no install · Start →
Department 07 · Tradecraft

OPSEC & tradecraft

Operational security separates professionals from operators who get burned. Habits, mindset, and practical techniques used by experienced red teams.

Pre-Engagement

  • Infrastructure attribution (no personal domains or payment methods)
  • C2 profiles & redirector chains
  • Implant diversity & realistic user-agents
  • Secure team comms (Signal, self-hosted)
  • Tool updates & signature-evasion testing

During Engagement

  • Prefer living-off-the-land (LOLBins)
  • Time activity to normal user behavior
  • Rotate C2 on long engagements
  • Monitor blue-team activity and adjust
  • Minimal noisy actions early; clean as you go

Post-Engagement

  • Systematic removal of all persistence
  • Artifact cleanup (logs, files, tasks)
  • Secure data destruction after reporting
  • Internal lessons-learned debrief
  • Update playbooks and tool configs

Common OPSEC failures that get teams caught

  • Reusing infrastructure across unrelated engagements
  • Obvious artifacts (default implant names, file paths)
  • Using personal accounts or emails during testing
  • Ignoring time zones and working hours
  • Overly aggressive or noisy techniques early
  • Poor C2 hygiene (same profile for months)
  • Not cleaning up scheduled tasks / services
  • Sharing screenshots with metadata intact
Department 08 · The Kit Bag

Resources & templates

Professional-grade templates and assets used by experienced operators. Download, customize, and use in real engagements.

Rules of Engagement template

Comprehensive RoE covering scope, authorized techniques, out-of-scope items, communication protocols, and legal protections.

Linux + Windows hardening checklist

Production-ready checklist aligned with CIS Benchmarks Level 1 & 2. Includes commands and verification steps.

Red team OPSEC checklist

Pre-engagement, during, and post-engagement OPSEC. Covers C2, implants, exfil, and operational security.

Engagement report template

Professional structure for red team and pentest reports: executive summary, findings, risk ratings, remediation.

Purple teaming guide

How to run effective purple-team exercises: detection mapping, debrief structure, and improvement tracking.

Zero tolerance

Ethics & legal responsibility

FORGE exists to advance authorized security testing only. Every resource here assumes you have explicit written permission.

Always get authorization
Never test systems without a signed Rules of Engagement or bug-bounty scope agreement.
Responsible disclosure
Report vulnerabilities through proper channels. Never exploit for personal gain or publish without coordination.
Stay within scope
Respect time windows, data-handling rules, and out-of-scope targets. When in doubt — stop and ask.

FORGE and its contributors are not responsible for misuse of any information or tools presented. This publication is strictly for educational and professional authorized use.