Hacker Tradecraft · Volume 21
Hacker Tradecraft Volume 21 — Glossary and the Canonical Anchor Index
A-Z glossary of every term of art used in the series + the complete frozen anchor catalog + worked link-in example — the reference other Hack Tools deep dives bookmark into
Contents
1. About this volume
Vol 21 is the closing volume of the 21-volume series and serves two purposes simultaneously: an A-Z glossary of every term of art used across Vols 1-20, and the canonical anchor index — the complete machine-readable table of every stable vol{NN}-<heading-slug> anchor that other Hack Tools deep dives can deep-link into. Where every other volume contributes content, this volume contributes navigation: a Ctrl-F surface over the entire series, with a depth pointer attached to every term and every section.
The reader uses this volume two ways. As a glossary it answers “what does Hack Tools mean by X?” — find the term, get a 1-3 sentence definition, jump to the volume where it is treated at depth. As an anchor index it answers “where is the canonical treatment of Y, and what link form do I write from a sibling deep dive?” — find the section, copy the anchor, paste the link. The volume is built to be read non-sequentially; sequential reading is not the intended mode.
The link-in contract that makes the anchor index load-bearing: heading text in Vols 6-20 — the hat cluster, reference cluster, and synthesis cluster — is frozen append-only from the moment each volume is committed. The builder (_shared/build/build_single_html.py) auto-generates each H2’s HTML id attribute as vol{NN}-<slug-of-heading-text>, where the slug is the heading text lowercased, hyphenated, with leading section numbers stripped. Renaming a heading changes its slug; the inbound link silently 404s. The discipline is: add new sections rather than renaming old ones; when a heading must truly change, leave a > Moved to [§X.X](#new-anchor) redirect under the old heading so incoming traffic still lands somewhere. §3 is the registry of what is currently frozen; §4 is the worked example of how to consume it.
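As an added illustration of the anchor contract (this is example code written for this glossary, not the series' own _shared/build/build_single_html.py), the block below slugifies heading text the way the paragraph describes, builds the vol{NN}-<slug> index, follows a "Moved to" redirect left under a renamed heading, and flags an inbound link whose anchor no longer exists. The exact regexes, the redirect representation, and the sample headings and links are assumptions constructed for the example; the page states only that a slug is the heading text lowercased, hyphenated, with leading section numbers stripped.

```python
"""Anchor-contract checker for vol{NN}-<heading-slug> deep links.

Added example, not the series' builder.  The real builder's precise slug
rules are not shown beyond "lowercased, hyphenated, leading section numbers
stripped"; the regexes below are assumptions that reproduce that sentence.
"""
import re
from typing import Dict, List, Tuple

# Leading "3.2 ", "§3.2 ", "1. " or "4) " section prefixes (assumed forms).
# Note: a heading that starts with a bare number such as "802.11 basics"
# would also lose its leading token; the series' real rule may differ.
_SECTION_PREFIX = re.compile(r"^\s*§?\s*\d+(?:\.\d+)*[.)]?\s+")
# Every run of non-alphanumerics becomes one hyphen (assumption).
_NON_ALNUM = re.compile(r"[^a-z0-9]+")


def slugify_heading(heading: str) -> str:
    """Lowercase, drop the leading section number, hyphenate the rest."""
    text = _SECTION_PREFIX.sub("", heading).lower()
    return _NON_ALNUM.sub("-", text).strip("-")


def anchor_id(vol: int, heading: str) -> str:
    """The frozen link-target form: vol{NN}-<slug-of-heading-text>."""
    return f"vol{vol:02d}-{slugify_heading(heading)}"


def build_anchor_index(volumes: Dict[int, List[Tuple[str, str]]]) -> Dict[str, str]:
    """Map every anchor to the anchor it ultimately serves.

    volumes: {vol_number: [(heading_text, redirect_target_anchor_or_""), ...]}
    A renamed heading stays in place with a "> Moved to" redirect under it,
    so its old anchor remains in the index and points at the new anchor.
    """
    index: Dict[str, str] = {}
    for vol, headings in volumes.items():
        for heading, redirect in headings:
            aid = anchor_id(vol, heading)
            index[aid] = redirect if redirect else aid
    return index


def check_inbound_links(index: Dict[str, str], links: List[str]) -> Tuple[Dict[str, str], List[str]]:
    """Resolve each '#anchor' link through the index, following redirects.

    Returns (resolved {anchor: final_target}, broken [anchor, ...]).  A broken
    entry is exactly the "silent 404" a heading rename produces.
    """
    resolved: Dict[str, str] = {}
    broken: List[str] = []
    for link in links:
        anchor = link.lstrip("#")
        target = anchor
        seen = set()
        # Follow redirect chains; 'seen' guards against a redirect loop.
        while target in index and index[target] != target and target not in seen:
            seen.add(target)
            target = index[target]
        if target in index:
            resolved[anchor] = target
        else:
            broken.append(anchor)
    return resolved, broken


# Constructed sample headings; not the series' real tables of contents.
SAMPLE_VOLUMES = {
    6: [("1. Authorization is the paperwork", "")],
    13: [("4. Sub-GHz and the CC1101", "")],
    14: [
        # Old heading kept with a "> Moved to" redirect to the new section.
        ("3. Evil twin", anchor_id(14, "8. Evil-twin attack")),
        ("8. Evil-twin attack", ""),
    ],
}

# Constructed inbound links as a sibling deep dive might write them.
SAMPLE_LINKS = [
    "#vol06-authorization-is-the-paperwork",
    "#vol14-evil-twin",                 # old anchor; should resolve via redirect
    "#vol13-subghz-and-the-cc1101",     # mistyped slug: the silent 404
]


def run_check() -> Tuple[Dict[str, str], List[str]]:
    """Build the index from the sample volumes and check the sample links."""
    return check_inbound_links(build_anchor_index(SAMPLE_VOLUMES), SAMPLE_LINKS)


if __name__ == "__main__":
    ok, bad = run_check()
    for src, dst in ok.items():
        print(f"ok      #{src} -> #{dst}")
    for src in bad:
        print(f"BROKEN  #{src}")
```

Run it as a pre-commit step over a sibling deep dive's links and the mistyped anchor surfaces before it ships; the redirect case shows why leaving the old heading in place, rather than renaming it, keeps inbound traffic landing somewhere.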
Scope note on the glossary. The glossary draws from across the series but is not exhaustive in the strict lexicographic sense — a term appears here if it (a) is defined or used in a load-bearing way in at least one volume, and (b) is the kind of term a reader of a sibling deep dive might land on this glossary trying to look up. Where a term is treated at depth in a single volume, the “see” pointer goes there. Where a term spans multiple volumes (MITRE ATT&CK, authorization, BadUSB, Cobalt Strike, the CFAA), the pointer is to the primary-depth source and ancillary mentions are noted.
As of early 2026. Pricing, certification fees, compensation bands, vendor ownership, and personnel-current-role facts move; the qualifier applies to any specific number in the glossary or any “X is now at company Y” claim. Where a fact is anchored to a court case, statute citation, or named historical event, no qualifier is needed.
2. A-Z glossary
Each entry is Term — Definition (1-3 sentences). See pointer to the volume + section where the term is treated at depth. Multi-volume terms list the primary-depth pointer first.
A
═══════════════════════════════════ A ═══════════════════════════════════
Aaron Swartz — JSTOR-download case (2010-2011) at MIT; September 2012 superseding indictment stacked 13 federal counts (CFAA + wire fraud); died January 11, 2013; the case is the canonical illustration of CFAA stacked-charges geometry. See Vol 19 §2.6, Vol 3 §10.
ACR122U — Advanced Card Systems contactless NFC reader/writer (USB, libnfc-compatible) used as the entry-level HF NFC research reader in lab setups. See Vol 15 §6.
ADALM-PLUTO (PlutoSDR) — Analog Devices educational SDR (325 MHz – 3.8 GHz, 12-bit, 61.44 MS/s); software-modifiable to ~70 MHz – 6 GHz; ~$230. See Vol 13 §6.
ADC resolution — Bit depth of the analog-to-digital converter in an SDR receive chain; sets the dynamic range floor. RTL-SDR is 8-bit; HackRF is 8-bit; BladeRF and USRP are 12-bit. See Vol 13 §2.
ADS-B — Automatic Dependent Surveillance–Broadcast; aviation transponder broadcasts on 1090 MHz (and 978 MHz UAT in the US); receive-only is legal everywhere. See Vol 13 §3, Vol 19 §6.
Adversary emulation — Red-team mode in which the operator executes the named TTP sequence of a specific threat actor (e.g., APT29, FIN7) rather than improvising. See Vol 11 §4, Vol 12 §3.
AES — Advanced Encryption Standard; FIPS 197 (2001); 128/192/256-bit symmetric block cipher; the modern crypto baseline. Replaces DES and 3DES. Rolling-code remotes since ~2010 use AES-128 as the replay defense. See Vol 13 §4.
AID (NFC) — Application Identifier; the registered ID a smart-card application (payment, transit, access) advertises during SELECT APDU. See Vol 15 §4.
Aircrack-ng — Open-source 802.11 toolkit suite (airodump-ng, aireplay-ng, airmon-ng, aircrack-ng) for monitor-mode capture, deauth, handshake collection, and offline cracking. See Vol 14 §4.
Aireplay-ng — Aircrack-ng’s packet injection tool; deauthentication frame injection is the canonical use. See Vol 14 §4.
Airmon-ng — Aircrack-ng’s monitor-mode setup script; puts a wireless interface into monitor mode and kills conflicting processes. See Vol 14 §4.
Airodump-ng — Aircrack-ng’s 802.11 packet capture tool; collects beacon frames, probe requests, and EAPOL handshakes to pcap. See Vol 14 §4.
AiTM phishing — Adversary-in-the-Middle phishing; a reverse-proxy attack (Evilginx, Modlishka, Muraena) that relays victim credentials and the live MFA challenge to the real site, capturing the resulting session cookie. See Vol 17 §5.
Aliasing — DSP failure mode when sample rate is below 2× the highest input frequency (Nyquist); spectral content folds back into the alias zones, indistinguishable from real signal. Silent and ambiguous. See Vol 13 §2.
Alfa AWUS036ACH / AWUS036ACM / AWUS1900 — Alfa Network external USB Wi-Fi adapters; the AWUS036ACM (MT7612U) and AWUS1900 are the workhorse 802.11ac monitor-mode + injection adapters in Wi-Fi audit work. See Vol 14 §6.
AMSI — Antimalware Scan Interface; Windows API allowing AV to scan in-memory content (PowerShell, scripts, .NET assemblies) before execution. Red-team obfuscation routinely targets AMSI bypass. See Vol 11 §3.
Anti-BEC filters — Email-gateway features (impersonation detection, lookalike domain detection, display-name spoofing detection) targeting business-email-compromise rather than malware. See Vol 17 §7.
Anti-malware bypass — Generic term for the AV/EDR evasion subdiscipline; covers packer use, in-memory loading, AMSI bypass, ETW bypass, and direct syscalls. See Vol 11 §3.
Andrew Auernheimer (weev) — AT&T iPad email-leak case (2010); convicted under CFAA + identity-fraud statute; conviction vacated 2014 on venue grounds (Third Circuit, 748 F.3d 525) — not on jurisdictional or substantive grounds. See Vol 8 §7, Vol 19 §4.
APDU — Application Protocol Data Unit; ISO 7816 / 14443 command-response unit used by smart cards. SELECT, READ BINARY, GET RESPONSE are common. See Vol 15 §4.
AppLocker — Windows application-whitelisting feature; offensive interest is bypass techniques (signed-binary proxy execution, AppLocker rule audit). See Vol 11 §3.
APT (Advanced Persistent Threat) — Originally USAF coinage (2006) for state-sponsored intrusion campaigns; now broadly any persistent, well-resourced threat actor. Numbered tracking schemes (APT1-NN by Mandiant, FIN-NN, UNC-NNNN, plus per-vendor weather/animal names). See Vol 4 §4, Vol 11 §4.
Arkime — Open-source full-packet-capture and search system (formerly Moloch); used in defender SOCs for retrospective traffic search. See Vol 10 §3.
ARRL — American Radio Relay League; the US amateur-radio national society; canonical Part 97 / amateur-license reference. See Vol 13 §7, Vol 19 §6.
ASR / ASP — Attack Surface Reduction / Anti-Spam Policy (Microsoft Defender); ASR rules block common offensive behaviors (Office child-process spawning, credential dumping, etc.) by default. See Vol 10 §3.
Atomic Red Team — Red Canary’s open-source library of small, ATT&CK-mapped test cases; the canonical “fire one TTP, see if blue catches it” primitive used in purple-team work. See Vol 12 §3.
ATT&CK — MITRE ATT&CK; the public taxonomy of adversary tactics (high-level objectives), techniques (the how), and procedures (the specifics); ~14 tactics, ~200+ techniques as of early 2026. The lingua franca of detection engineering and adversary emulation. See Vol 11 §3, Vol 12 §3, Vol 10 §3.
Authorization — The written permission to perform offensive testing against specified systems. The canonical paperwork stack is SOW + Scope + ROE + GOJL, optionally rooted in a published bug-bounty safe-harbor. The hat is the paperwork. See Vol 19 §4, Vol 6 §1.
Authority (Cialdini) — Cialdini’s fourth principle of influence; humans defer to perceived authority figures. The most-exploited principle in social engineering. See Vol 17 §2.
AWS — Amazon Web Services; cloud platform; security certifications include AWS Certified Security – Specialty (AWS-SS). See Vol 18 §3.
AWOK Dual Touch V3 — AWOK Dynamics third-party Flipper module: dual ESP32-WROOM + resistive touch + GPS; runs ESP32 Marauder firmware as daily driver; mounted on tjscientist’s AWOKflip. See Vol 14 §6.
B
═══════════════════════════════════ B ═══════════════════════════════════
BadUSB — Karsten Nohl + Jakob Lell, Black Hat 2014; reprogramming a USB-stick’s controller firmware so the device re-enumerates as a different USB class (typically HID keyboard) and injects keystrokes. The principle behind the entire HID-injection / Ducky-Script family. See Vol 16 §2.
Badge cloning — Reading a building-access card (HID Prox / LF / Legacy MIFARE / HF) and writing a working duplicate; the canonical physical-entry → digital-access pivot. See Vol 15 §5, Vol 17 §6.
BAS (Breach and Attack Simulation) — Vendor-provided continuous-testing platforms (AttackIQ, SafeBreach, Cymulate, Picus, Mandiant Security Validation) that fire ATT&CK-mapped test cases and grade defender response. See Vol 12 §3.
Bash Bunny — Hak5 USB-stick-form-factor multi-payload device; ARM Cortex-A7 + 2-position payload selector + USB-A; runs Bash + DuckyScript; July 2017. See Vol 16 §5.
Beacon (Cobalt Strike) — Cobalt Strike’s primary post-exploitation agent; HTTP/HTTPS/DNS/SMB/named-pipe transport options; “malleable C2” configurable profile. The de facto red-team implant since ~2014. See Vol 11 §3.
BEC (Business Email Compromise) — Phishing/SE attack class targeting wire transfers, payroll changes, or invoice fraud via impersonation of executives, vendors, or HR. FBI IC3 2025: $3.04 billion in reported losses. See Vol 17 §5.
Bellingcat — Open-source intelligence collective founded by Eliot Higgins in July 2014; the canonical modern OSINT methodology lineage; investigative journalism via geolocation, image forensics, and public records. See Vol 17 §3.
Belmont Report / Menlo Report — Belmont (1979, US biomedical research ethics: respect for persons, beneficence, justice); Menlo (Dittrich + Kenneally, DHS S&T August 2012, the Belmont framework adapted for ICT research). See Vol 19 §7.
Bishop Fox “Tastic RFID Thief” — Long-range HID Prox reader-cloner project; the canonical demonstration that 125 kHz badges are readable from meters away with a beefed-up coil. See Vol 15 §5.
BladeRF 2.0 micro xA9 — Nuand SDR; 47 MHz – 6 GHz, 61.44 MS/s, 12-bit, FPGA-equipped; ~$700-800 depending on model. See Vol 13 §6.
BLE (Bluetooth Low Energy) — Bluetooth 4.0+ low-power variant; 2.4 GHz; advertising + connected + (5.0+) extended advertisements + coded PHY long-range. Attack surface: pairing observation, BLE-spam, BLE relay attacks. See Vol 14 §5.
BloodHound — Andy Robbins + Will Schroeder + Rohan Vazarkar (SpecterOps, 2016); Active Directory attack-path mapping via the Neo4j graph database; canonical AD-attack-path tool. SharpHound is the collector. See Vol 11 §3.
Blue hat (defender) — The modern primary sense: a defensive security practitioner — SOC analyst, incident responder, threat hunter, detection engineer. Authorized by employment role. See Vol 10 §1.
Blue hat (Microsoft BlueHat) — The Microsoft-program sense, since 2005; an invited security-researcher event; also gave its name to BlueHat IL (Tel Aviv, since 2017). Disambiguate from context. See Vol 10 §2.
Blue team — The defender team in a red-vs-blue exercise; routinely conflated with “blue hat (defender)” because in modern usage both meanings collapse to the same person. See Vol 10 §2.
Bluetooth Mesh — Bluetooth SIG mesh networking spec built on BLE; flooding-based topology; introduced 2017. Attack surface is provisioning-phase trust establishment. See Vol 14 §5.
Brute Ratel — Chetan Nayak’s commercial C2 framework (2020-); positioned as a Cobalt Strike alternative with stronger anti-EDR posture. See Vol 11 §3.
BSides (Security BSides) — Community-organized regional security conferences (BSides Las Vegas, London, Berlin, etc.); the lower-barrier speaker tier feeding DEF CON / Black Hat. See Vol 18 §7.
Budapest Convention — Council of Europe Convention on Cybercrime (2001, in force 2004); ~70 ratifying states (notably not Russia or China); the multilateral baseline for cybercrime law harmonization. See Vol 19 §3.
Bug bounty — Vulnerability-disclosure program with paid rewards; platforms (HackerOne, Bugcrowd, Intigriti) intermediate between researchers and companies; safe-harbor language converts the legal posture from grey to white inside scope. See Vol 8 §6, Vol 4 §5.
Burglary tools statutes — State-level laws criminalizing possession of tools designed for unauthorized entry (lock picks, badge cloners); applicability to security researchers varies by jurisdiction and intent. See Vol 15 §7, Vol 17 §6.
Burp Suite — PortSwigger’s web-app proxy + scanner; the canonical web pentest tool. Community + Professional + Enterprise tiers. See Vol 6 §3, Vol 18 §3.
Bus Pirate 6 — Dangerous Prototypes embedded-protocol Swiss-army knife: UART / I²C / SPI / JTAG / SWD / 1-Wire / smart-card / DDR5-SPD on 8 buffered I/O pins; BP6 REV2 uses RP2350B; the “follow-along logic analyzer” via 74LVC8T245 look-behind buffer. See comparison.md.
C
═══════════════════════════════════ C ═══════════════════════════════════
CALDERA — MITRE’s open-source adversary-emulation framework; ATT&CK-native operations; the canonical complement to Atomic Red Team for purple-team work. See Vol 12 §3, Vol 11 §3.
Capture-analyze-replay — The canonical RF tradecraft workflow: capture I/Q to disk, identify modulation and protocol structure in URH / Inspectrum / GNU Radio, replay with hackrf_transfer / Flipper firmware / SDR transmit. See Vol 13 §5.
Carbon Black — VMware (now Broadcom) endpoint product line; EDR-class; competes with CrowdStrike Falcon, Microsoft Defender for Endpoint, SentinelOne. See Vol 10 §3.
CC (Common Criteria) — ISO/IEC 15408 product-evaluation standard; assigns Evaluation Assurance Levels (EAL1-7); applicable to crypto modules, smart cards, network devices targeted for government procurement. See Vol 15 §3.
CC1101 — Texas Instruments sub-GHz transceiver IC (300-928 MHz); the radio inside Flipper Zero’s sub-GHz subsystem; also used by Hak5 Shark Jack daughter slots and various ESP32 add-ons. See Vol 13 §4.
CCDC — Collegiate Cyber Defense Competition; red-vs-blue collegiate event; the canonical blue-team training/recruiting circuit at US universities. See Vol 9 §4, Vol 10 §6.
CEH — Certified Ethical Hacker; EC-Council certification; broad multiple-choice format; one of the oldest “pen test” certs; HR-filter weight in many organizations. See Vol 18 §3.
CERT/CC — Computer Emergency Response Team Coordination Center at Carnegie Mellon SEI; founded after the Morris worm (1988); historically the canonical coordinated-disclosure mediator. See Vol 3 §5, Vol 19 §5.
CFAA — Computer Fraud and Abuse Act; 18 U.S.C. § 1030; Pub. L. 99-474 (1986); the foundational US federal anti-hacking statute; subsections (a)(1)-(a)(7) define seven prohibited categories. See Vol 19 §2, Vol 3 §4.
ChameleonUltra — RRG / ProxGrind contactless NFC emulator; 7-slot card emulation; popular for MIFARE Classic / DESFire research; Bluetooth + USB-C. See Vol 15 §6.
Cialdini’s principles — Robert Cialdini, Influence (1984; expanded 2021 with Unity); six (then seven) principles of influence — reciprocity, commitment/consistency, social proof, authority, liking, scarcity, +unity. The applied-psychology foundation of social engineering. See Vol 17 §2.
CIA Triad — Confidentiality / Integrity / Availability; the foundational security-property triplet taught in every introductory course. Predates the field’s broader vocabulary. See Vol 1 §2.
CISA — Cybersecurity and Infrastructure Security Agency; US federal agency under DHS; canonical coordinated-vulnerability-disclosure resource for US federal systems. See Vol 19 §5.
CISSP — Certified Information Systems Security Professional; (ISC)² certification; the canonical managerial/architect cert; requires 5 years of experience + endorsement. See Vol 18 §3.
CISO — Chief Information Security Officer; the executive-level defender role; in F100 organizations, comp lands $800k-$2.5M+ as of early 2026. See Vol 18 §6.
Clone (RFID) — Reading a card’s UID + sector content and writing it to a write-capable card (magic Chinese card for MIFARE; T5577 for LF) or emulator (Flipper, Chameleon, Proxmark). See Vol 15 §5.
Cloud C2 — Hak5’s fleet management web service for deployed implants (Pineapple, LAN Turtle, Bash Bunny, Key Croc); subscription. See Vol 16 §5, Ducky Script deep dive.
CMA (Computer Misuse Act 1990) — UK foundational anti-hacking statute; §§ 1/2/3/3ZA/3A. CyberUp Campaign (Dec 2025: Dan Jarvis government signal) lobbies for a security-research defense. See Vol 19 §3.
Cobalt Strike — Raphael Mudge’s commercial threat-emulation platform (acquired by HelpSystems / Fortra in 2020); Beacon agent + Aggressor Script + malleable C2; license ~$5,900/user/year. The single most-used red-team C2 of the past decade. See Vol 11 §3.
Cofense (formerly PhishMe) — Phishing-awareness platform founded 2008 by Rohyt Belani + Aaron Higbee; commercial launch 2011; rebranded 2018. See Vol 17 §7.
Cognitive load — Meta-principle in SE: putting the target under pressure (urgency, multitasking, decision fatigue) reduces their probability of catching the manipulation. See Vol 17 §2.
Combined workflow (RF + physical implant staging) — The discipline of staging an HID-implant payload that uses an RF-derived credential (badge clone) or that exfiltrates via an RF-capable implant (LAN Turtle + Pineapple). See Vol 16 §6.
Coordinated disclosure — Disclosure path in which the researcher notifies the vendor privately, agrees a disclosure window, and publishes after fix or window expiration. Synonym: “responsible disclosure” (the older, contested term). See Vol 19 §5.
CORE Group (TOOOL) — The CORE Group of TOOOL (The Open Organisation Of Lockpickers); Deviant Ollam et al.; the canonical physical-entry / lock-picking education community. See Vol 17 §6.
CRTO — Certified Red Team Operator; Zero-Point Security; practical red-team cert centered on Cobalt Strike Community Edition usage. See Vol 18 §3.
CrowdStrike Falcon — CrowdStrike’s flagship EDR/XDR platform; major outage July 19, 2024 (faulty channel-file deployment, ~8.5M Windows hosts BSOD). See Vol 10 §3.
Crypto-1 — Proprietary stream cipher used in MIFARE Classic; broken multiple times since 2008 (Garcia, Nohl, Plötz, Verdult); routine to crack in seconds with Proxmark or Chameleon. See Vol 15 §3.
CSRF — Cross-Site Request Forgery; web-app vulnerability class; the browser submits an attacker-crafted state-changing request on behalf of an authenticated victim. See Vol 6 §3.
CTF (Capture the Flag) — Competition format in which players solve security challenges (web, crypto, reverse-engineering, pwn, forensics, OSINT) to recover “flag” strings. CTFtime aggregates the global circuit. See Vol 9 §4, Vol 4 §8.
CTI (Cyber Threat Intelligence) — Discipline of producing actor-tracking, IoC, and TTP intelligence for defender consumption; MISP + STIX/TAXII are the canonical interchange formats. See Vol 10 §3.
CVE — Common Vulnerabilities and Exposures; MITRE-administered global ID scheme for vulnerabilities; CVE-YYYY-NNNNN; the canonical “first CVE” milestone in a portfolio. See Vol 18 §4.
CyberDefenders / Blue Team Labs Online (BTLO) — Defender-focused CTF / hands-on lab platforms; the blue-team analog to HackTheBox + TryHackMe. See Vol 9 §4, Vol 10 §6.
CyberUp Campaign — UK lobby (since 2019) for adding a security-research defense to the Computer Misuse Act 1990; gained government acknowledgment in December 2025 (Dan Jarvis signal). See Vol 19 §3.
CySA+ — CompTIA Cybersecurity Analyst+; intermediate defender cert; the canonical step between Security+ and the GIAC tier. See Vol 18 §3.
D
═══════════════════════════════════ D ═══════════════════════════════════
Deauthentication frame — 802.11 management frame; unencrypted in WPA2 (encrypted in WPA3 with PMF); aireplay-ng injects deauth to force handshake re-capture. See Vol 14 §2.
Defender (Microsoft) — Microsoft Defender for Endpoint (MDE); EDR/XDR product; integrated with Microsoft Sentinel SIEM. See Vol 10 §3.
DEF CON — Annual hacker conference in Las Vegas; founded 1993 by Jeff Moss (Dark Tangent); the canonical hacker-community gathering; Black Hat Briefings (1997) is the commercial sister event. See Vol 3 §9, Vol 4 §8.
Detection engineering — Sub-discipline of defender practice: writing, testing, tuning, and lifecycle-managing detection rules (Sigma, Splunk SPL, KQL, Suricata, YARA, custom). The 2020s defender career-track most strongly attached to the purple-team practice. See Vol 10 §3, Vol 12 §3.
DESFire / DESFire EV1/EV2/EV3 — NXP HF smart card family with full AES + 3DES + DES support and AID-based application multiplexing; the modern access-control HF baseline. See Vol 15 §3.
Deviant Ollam — Author + lockpicking instructor; member of TOOOL CORE Group; Practical Lock Picking (Syngress). See Vol 17 §6.
Digispark — ATtiny85-based USB development board commonly used as a low-cost HID-injection platform; predates Hak5 Rubber Ducky in the maker community. See Vol 16 §2.
Directive 2013/40/EU — EU cybercrime directive; Articles 3-7 set minimum penalties (2-/3-/5-year frames) for member-state implementation. See Vol 19 §3.
Disclosure (full / coordinated / sale-to-broker / sit-on-it) — The four canonical paths a researcher can take with a discovered vulnerability. See Vol 19 §5, Vol 4 §3.
DKIM — DomainKeys Identified Mail; RFC 6376; email-authentication standard; signs outbound mail with a domain-controlled key. See Vol 17 §7.
DMARC — Domain-based Message Authentication, Reporting and Conformance; RFC 7489; SPF + DKIM aggregation policy publishing. See Vol 17 §7.
DOJ CFAA Policy (May 19, 2022) — US Department of Justice prosecutorial-discretion update declaring “good-faith security research” generally not subject to CFAA prosecution; prosecutorial discretion only, not immunity; does not bind state law or civil liability. See Vol 19 §4.
Drop box — A pre-configured Linux box (typically Raspberry Pi 4 + Kali, or commercial PWN Plug) physically planted inside the target network for persistent access. See Vol 16 §4, Vol 11 §3.
Ducky Script — Hak5’s keystroke-injection payload language (DuckyScript 1.0 → 3.0); runs on USB Rubber Ducky, Bash Bunny, Key Croc, O.MG Cable. See Vol 16 §2, Ducky Script deep dive.
E
═══════════════════════════════════ E ═══════════════════════════════════
EAPOL — Extensible Authentication Protocol over LAN; IEEE 802.1X carrier; the four-frame WPA2 handshake is EAPOL; capturing the four-way handshake (or a single M2 frame) feeds the offline PMK crack. See Vol 14 §4.
EAR (Export Administration Regulations) — US Department of Commerce / BIS export-control framework; relevant for selling exploits or intrusion tooling internationally. The Wassenaar Arrangement’s “intrusion software” controls flow through EAR. See Vol 19 §3.
EC-Council — Issuer of CEH, CHFI, ECSA, LPT, and the practical CPENT cert; founded 2001. See Vol 18 §3.
ECPA 1986 — Electronic Communications Privacy Act; 18 U.S.C. §§ 2510-2522 (Wiretap Act), 2701-2712 (Stored Communications Act), 3121-3127 (Pen-Trap); the foundational US electronic-surveillance privacy statute. Cellular monitoring was added in 1986 amendments. See Vol 19 §6.
EDR (Endpoint Detection and Response) — Endpoint security software class that records process / file / network / registry telemetry on hosts, applies behavioral detections, and provides response capability (kill process, quarantine, isolate host). CrowdStrike Falcon, Microsoft Defender for Endpoint, SentinelOne, Carbon Black are representative. See Vol 10 §3.
EDR evasion — Sub-discipline of red-team operations: defeating telemetry collection (hooking ETW, unhooking NTDLL, direct syscalls, AMSI bypass) or behavioral detection (custom shellcode loaders, in-memory execution). Brute Ratel and Sliver are designed with stronger EDR-evasion postures than Cobalt Strike. See Vol 11 §3.
EFF (Electronic Frontier Foundation) — Founded 1990 by John Gilmore + John Perry Barlow + Mitch Kapor; digital-rights advocacy; Coders’ Rights Project provides legal resources for security researchers. See Vol 19 §5.
eJPT — eLearnSecurity Junior Penetration Tester; INE-acquired (formerly eLearnSecurity); practical entry-level pentest cert with a 48-hour lab + write-up. See Vol 18 §3.
EM4100 / EM4102 — Common 125 kHz LF RFID transponder ICs (EM Microelectronic); read-only; the de facto standard for legacy access-control fobs. See Vol 15 §2, Vol 15 §3.
Empire (PowerShell Empire) — Open-source post-exploitation framework; PowerShell + Python agents; Will Schroeder + Justin Warner + Matt Nelson original release at BSides Las Vegas 2015; archived by maintainers 2019; community fork BC-SECURITY actively maintained. See Vol 11 §3.
Engagement lifecycle — The structured red-team / pentest workflow: scoping → reconnaissance → exploitation → post-exploitation / lateral movement / objective → cleanup → reporting. The “engagement” is the contract-bounded operation. See Vol 11 §4, Vol 6 §4.
ETW (Event Tracing for Windows) — Windows kernel-level tracing facility; EDR products subscribe to ETW providers to observe process / network / file behavior. ETW patching is an EDR-evasion technique. See Vol 11 §3.
Evasion (EDR) — See EDR evasion.
Evil-twin attack — Rogue access point that mimics a legitimate SSID + BSSID (potentially deauthing real clients to force reconnection); the canonical Wi-Fi credential-harvest attack. PineAP is its productized form. See Vol 14 §3, WiFi Pineapple deep dive.
Evilginx — Kuba Gretzky; April 2017 initial release; Go-rewrite Evilginx2 in 2018; reverse-proxy phishing framework that relays the full authentication including MFA challenge, capturing the resulting session cookie. The canonical AiTM phishing tool. See Vol 17 §5.
Exfiltration — Stealing data out of a compromised environment; covert channels (DNS, HTTPS to attacker C2, allowed cloud-storage services), staging, and timing are the operational concerns. ATT&CK tactic TA0010. See Vol 11 §4.
Exploit broker — Commercial intermediary buying and selling 0-day exploits; Zerodium (Chaouki Bekrar), Crowdfense, Azimuth Security (acquired by L3Harris 2018), the various government-customer-only houses. Per-target prices range $10k for low-impact through $2.5M+ for full-chain mobile RCEs. See Vol 4 §3.
Exposed services attack — Reaching internet-facing services (RDP, SSH, web admin panels, exposed databases) lacking authentication or with weak / leaked credentials. Shodan and Censys map this surface. See Vol 7 §4.
External pentest — Engagement type: testing from outside the perimeter (internet-facing). Sister to internal pentest (assumed-breach starting point). See Vol 6 §4.
F
═══════════════════════════════════ F ═══════════════════════════════════
FCC Part 15 — Title 47 CFR Part 15; the US unlicensed-radio framework; covers the 2.4/5/5.8 GHz ISM bands, the 902-928 MHz / 433.05-434.79 MHz ISM bands, and most consumer wireless. §15.247 governs spread-spectrum at 2.4/5.8 GHz; §15.231 governs sub-GHz periodic devices. See Vol 13 §7, Vol 19 §6.
FCC Part 97 — Title 47 CFR Part 97; the US amateur-radio rules; covers operator privileges by license class, station ID requirements, encryption restrictions, and band plans. See Vol 13 §7, Vol 19 §6.
FCC §15.247 — Spread-spectrum and digital-modulation rules for the 902-928 MHz / 2.400-2.483 GHz / 5.725-5.850 GHz unlicensed bands; transmit-power limit 1 W; the rule the 2.4 GHz Wi-Fi PHY operates under. See Vol 13 §7.
FCC §15.231 — Sub-GHz periodic-transmitter rule; the rule under which most 315/433/868/915 MHz consumer remotes operate; field-strength limits set by frequency. See Vol 13 §7.
FCC §15.249 — Field-strength limits for general-purpose intentional radiators in the 902-928 MHz / 2.4 / 5.725-5.875 GHz bands. See Vol 13 §7.
FCC Marriott forfeiture (2014) — Marriott International accepted a $600,000 forfeiture (October 3, 2014) for de-authenticating guest Wi-Fi hotspots at the Gaylord Opryland Resort; the canonical 47 U.S.C. § 333 willful-interference enforcement precedent. See Vol 19 §6.
FIDO2 — Fast IDentity Online 2; WebAuthn + CTAP2; phishing-resistant authentication via origin-bound public-key credentials. The strongest defense against AiTM phishing. See Vol 17 §7.
FIN7 — Financially-motivated threat group (Mandiant tracking); active since ~2013; payment-card theft via spear-phishing campaigns; multiple arrests but persistent organization. See Vol 4 §4, Vol 7 §3.
Five Eyes — Intelligence-sharing alliance: US, UK, Canada, Australia, New Zealand; relevant background for cleared work in any of those nations. See Vol 18 §2.
Flipper Zero — Multi-tool RF/RFID/NFC/IR/BadUSB/GPIO front-end; STM32WB55 + CC1101 + sub-GHz + 125 kHz LF + 13.56 MHz HF NFC + IR TX/RX + GPIO + iButton. Owned by tjscientist (multiple units). See Vol 13 §6, Flipper Zero deep dive.
Florian Roth — Sigma rule co-creator with Thomas Patzke (Sigma initial release 2017); THOR APT scanner; YARA Forge; CTO at Nextron Systems as of early 2026. See Vol 10 §7.
FortiGate — Fortinet’s firewall + IPS appliance line; UTM-class device commonly in mid-market deployments. See Vol 10 §3.
Frans Rosén (STÖK) — Bug bounty content creator and educator; web-app focus; co-founded Detectify (acquired by Detectify alumni); high-visibility example of the public-content-creator-to-career arc. See Vol 9 §7.
Full disclosure — Disclosure path in which the researcher publishes the vulnerability publicly (typically with PoC) without prior vendor coordination, or after vendor non-response. The Full-Disclosure mailing list (1995-2010s) was the canonical venue. See Vol 19 §5, Vol 4 §3.
G
═══════════════════════════════════ G ═══════════════════════════════════
Garmin / Garmin breach (July 2020) — Ransomware incident attributed to WastedLocker (Evil Corp); navigation + flight-services outage for ~5 days; reported ransom of ~$10M. See Vol 7 §3.
Get-out-of-jail letter (GOJL) — Engagement-bounded written authorization, signed by the customer’s authorized signatory, that the tester carries on-person during physical / network operations; functions as proof of consent if challenged by site security or law enforcement. See Vol 19 §4.
Ghost ESP — Open-source ESP32 Wi-Fi pentest firmware fork; complements ESP32 Marauder in the AWOK module ecosystem. See ESP32 Marauder Firmware deep dive.
GIAC — Global Information Assurance Certification; SANS Institute’s certification arm; the ~30-cert ladder (GCFA, GCFE, GCIH, GCDA, GMON, GREM, GNFA, GPEN, GXPN, GWAPT, GCSA, GCIP, GICSP, GCTI, etc.) is the practitioner-rigor reference in the defender + offensive space. See Vol 18 §3, Vol 10 §3.
GitHub — Source-control hosting; the canonical portfolio surface; CVE-credited contributions, tool authorship, write-ups, and Sigma/YARA rules are read by interviewers. See Vol 18 §4.
GNU Radio — Open-source SDR signal-processing framework; GNU Radio Companion is its graphical flowgraph editor; the de facto research-grade SDR toolchain. See Vol 13 §5, HackRF One deep dive.
Gonzalez (Albert) — Lead actor of the TJX / Heartland Payment Systems breaches (2005-2008); 130+ million card numbers stolen; 20-year federal sentence (2010); the canonical financially-motivated black-hat case of the late 2000s. See Vol 7 §7, Vol 4 §2.
GoPhish — Jordan Wright, 2013; open-source phishing-campaign framework; the canonical authorized-engagement phishing-simulation tool. See Vol 17 §5.
GPS spoofing — Transmitting forged GPS L1/L2 signals to deceive a receiver about its location and / or time; researched extensively (UT Austin yacht spoofing 2013). Civil GPS lacks authentication; military M-code is authenticated. See Vol 13 §3.
Grand Idea Studio — Joe Grand’s company; hardware security research and CAD/PCB consulting; runs DEF CON Hardware Hacking Village. See Vol 8 §7.
Grey hat — Researcher operating outside formal authorization but not for financial gain; the canonical grey-hat act is unsolicited vulnerability disclosure to a vendor (or public posting). The legal posture is variable; the operational reality is that grey-hat work routinely converts to white through bug-bounty platforms and safe-harbor language. See Vol 8 §1, Vol 19 §4.
H
═══════════════════════════════════ H ═══════════════════════════════════
Hadnagy (Chris) — Founder of Social-Engineer LLC (~2010); author of Social Engineering: The Art of Human Hacking (Wiley 2010 / 2018 second edition, retitled); created the DEF CON Social Engineering Capture the Flag. See Vol 17 §1, Vol 17 §2.
Hak5 — Darren Kitchen, since ~2005; the canonical authorized-engagement HID-implant + Wi-Fi-audit-platform vendor; produces USB Rubber Ducky, Bash Bunny, Key Croc, O.MG Cable, WiFi Pineapple, Packet Squirrel, Shark Jack, LAN Turtle, Plunder Bug. See Vol 16 §5, Ducky Script deep dive, WiFi Pineapple deep dive.
HackerOne — Bug-bounty platform; founded 2012 by Jobert Abma + Michiel Prins + Alex Rice + Merijn Terheggen; the largest bug-bounty platform by program count and aggregate payouts; introduced standardized safe-harbor language. See Vol 4 §5, Vol 8 §6.
HackRF One — Michael Ossmann (Great Scott Gadgets); 1 MHz – 6 GHz half-duplex SDR, 20 MS/s, 8-bit; the canonical mid-range affordable transmit-capable SDR; ~$300. tjscientist owns the Clifford Heath modified variant + PortaPack H2+. See Vol 13 §6, HackRF One deep dive.
HackTheBox / TryHackMe — Online vulnerable-lab platforms; the canonical training environments for offensive practice; HTB rooms feed OSCP-style methodology, THM has structured learning paths. See Vol 9 §4, Vol 18 §4.
Hak5 Pineapple — See WiFi Pineapple.
Handshake (WPA2 four-way) — The four EAPOL frames exchanged between client and AP to derive the PTK from the PMK; capturable in monitor mode (deauth-triggered or passive); feeds the offline hashcat / aircrack-ng PMK crack. See Vol 14 §4.
Hashcat — High-performance GPU-accelerated password / hash cracker; the canonical PMK / NTLM / Kerberos / bcrypt / etc. cracker. See Vol 14 §4.
Hat (taxonomy) — Color-based metaphor for offensive / defensive posture and authorization; originates from Western cinema (good guys wore white hats); migrated to security via OS/2 zine “Hacker’s Handbook” (~1985) and DEF CON 1 (1993); the modern taxonomy is white / black / grey / green / blue / red / purple. See Vol 5 §1.
HCE (Host Card Emulation) — Android NFC mode in which the device emulates a contactless smart card via software (no secure element required); the foundation of phone-as-card payment / transit. See Vol 15 §4.
Heartbleed — CVE-2014-0160; OpenSSL TLS heartbeat memory-read vulnerability; April 7, 2014; the canonical “branded vulnerability” with logo + dedicated website that reframed disclosure communications. See Vol 4 §3.
HF RFID — High-frequency RFID; 13.56 MHz; ISO 14443 (A/B); the modern smart-card and NFC frequency. MIFARE, DESFire, Legic, iCLASS, FeliCa all operate here. See Vol 15 §2.
Hitag2 — NXP automotive-immobilizer transponder (LF, 125 kHz); proprietary stream cipher; broken by Verdult, Garcia, Balasch (USENIX Security 2012). See Vol 13 §4.
HID injection — Attack class in which a device presenting as a USB HID keyboard issues machine-speed keystrokes to a host; defeats most software-level USB allow-lists because HIDs are universally trusted. See Vol 16 §2.
HID Prox — HID Global’s 125 kHz LF proximity-card product line (HID 1326, HID 1346 ProxIII, etc.); the legacy access-control workhorse; trivially cloned with a Proxmark or Flipper. See Vol 15 §3.
hiQ Labs v. LinkedIn — Ninth Circuit (2019); reaffirmed in light of Van Buren (2022); held that scraping publicly accessible LinkedIn data does not constitute “access without authorization” under the CFAA. See Vol 19 §2.
Hutchins (Marcus / MalwareTech) — WannaCry kill-switch researcher (May 12, 2017); subsequently arrested at DEF CON 25 (August 2017) on unrelated charges relating to the Kronos banking trojan; pled guilty to two counts in 2019, sentenced to time served plus supervised release. See Vol 6 §7, Vol 8 §7.
I
═══════════════════════════════════ I ═══════════════════════════════════
Iceman firmware (Proxmark3) — Christian Herrmann’s Proxmark3 firmware fork (RfidResearchGroup / proxmark3); the canonical active-development Proxmark3 firmware as of early 2026; superset of the official firmware. See Vol 15 §6.
iCLASS / iCLASS SE / iCLASS Seos — HID Global’s HF (13.56 MHz) access-control product line; iCLASS (legacy) and iCLASS SE (modern, with Seos credentials) are common in enterprise deployments. See Vol 15 §3.
IC3 — FBI Internet Crime Complaint Center; the public-facing intake mechanism for US cybercrime reports; produces the annual IC3 report. 2025: $3.04 billion in reported BEC losses. See Vol 17 §5.
ICS (Industrial Control Systems) — Industrial protocols + PLCs + HMI / SCADA infrastructure; specialized pentest discipline; GIAC GICSP and GRID are the relevant certs. See Vol 18 §3.
IDS (Intrusion Detection System) / IPS (Intrusion Prevention System) — Network-traffic monitoring (IDS) or active-blocking (IPS) appliances; Snort + Suricata are the open-source canonical examples; commercial equivalents are integrated into FortiGate, Palo Alto, Cisco. See Vol 10 §3.
IMSI catcher — Cellular interception device (Stingray, KingFish, Hailstorm); forces nearby phones to associate with a rogue base station to harvest IMSI / IMEI / location and (with active modes) intercept communications. See Vol 13 §3, Rayhunter.
Impacket — Python library for working with Windows network protocols (SMB, MSRPC, Kerberos, NTLM); secretsdump.py, psexec.py, wmiexec.py, GetUserSPNs.py are canonical red-team tools. Originally Core Security (Argentina); now maintained by Fortra. See Vol 11 §3.
Indala — Motorola Indala 125 kHz LF access-control format; common in legacy commercial deployments; trivially cloned. See Vol 15 §3.
Initial Access Broker (IAB) — Criminal-economy specialist who breaches an organization and sells access (typically RDP, VPN, or domain-admin credentials) to ransomware operators; access prices $1,000-$50,000+ depending on org size and access depth. See Vol 7 §3.
InfoSec Exchange — Mastodon instance (infosec.exchange); the major federated alternative venue to X for security-practitioner discourse post-2022. See Vol 18 §7.
Inspectrum — Open-source SDR signal-inspection tool; FFT + waterfall + per-sample I/Q view; complements URH in the analyze phase. See Vol 13 §5.
Insider threat — Employee or contractor abusing legitimate access; one of the four-or-five canonical threat-actor categories alongside external attackers, organized crime, hacktivists, and nation-state. See Vol 10 §1.
Intercept (radio communications) — Receive-side capture of transmissions intended for someone else; legality varies dramatically by jurisdiction (US is comparatively permissive for receive-only outside cellular and certain protected categories under ECPA + 47 U.S.C. § 605). See Vol 19 §6.
Internal pentest — Engagement type: testing from inside the perimeter (assumed-breach starting point or planted device). Sister to external pentest. See Vol 6 §4, Vol 11 §4.
IR (Incident Response) — The defender discipline of responding to confirmed breaches; NIST SP 800-61r2 is the canonical US framework. Phases: preparation / detection-and-analysis / containment-eradication-recovery / post-incident-activity. See Vol 10 §4.
IR (Infrared) — 850 / 940 nm consumer remote-control protocols; line-of-sight; Flipper Zero and M5StickS3 carry IR TX + RX. See Flipper Zero deep dive.
ISC² — (ISC)² — International Information System Security Certification Consortium; issuer of CISSP, CCSP, SSCP, CSSLP; established 1989. See Vol 18 §3.
ISO 14443 — Contactless smart-card standard for 13.56 MHz HF RFID; 14443-A (MIFARE, NTAG) and 14443-B (passport, some payment) sub-variants; ~10 cm range. See Vol 15 §4.
ISO 15693 — Contactless vicinity-card standard at 13.56 MHz; ~1 m range; library books, livestock tagging, healthcare. See Vol 15 §2.
ISO 7816 — Contact smart-card standard (the chip in a credit card); APDU command-response framework reused over the air for 14443. See Vol 15 §4.
J
═══════════════════════════════════ J ═══════════════════════════════════
JA3 / JA4 fingerprinting — Methods for fingerprinting TLS clients (and now servers, MQTT, SSH) from observable handshake characteristics, allowing detection of malware-family C2 implants and unusual user-agent populations even inside encrypted traffic. See Vol 10 §3.
Jasager (KARMA + OpenWrt) — Robin Wood’s 2008 OpenWrt-based KARMA implementation that defined the modern rogue-AP form factor; the proximate ancestor of the WiFi Pineapple’s PineAP. See Vol 14 §3, WiFi Pineapple deep dive.
Jeff Moss (Dark Tangent) — Founded DEF CON (1993) and Black Hat Briefings (1997); both events foundational to the modern hacker conference circuit. See Vol 3 §9, Vol 5 §3.
Joe Grand (Kingpin) — L0pht alumnus (1990s); hardware-hacking instructor; runs Grand Idea Studio; DEF CON Hardware Hacking Village organizer. See Vol 8 §7.
John Lambert — Microsoft Threat Intelligence Center (MSTIC) founder; CTO of CISO organization + Security Fellow + Corporate VP at Microsoft as of early 2026. See Vol 10 §7.
JtR (John the Ripper) — Open-source password-cracker; older sibling to hashcat; still used for niche hash formats hashcat does not implement. See Vol 11 §3.
JTAG (Joint Test Action Group) — IEEE 1149.1; serial test interface ubiquitous on embedded processors; debug / boundary-scan / firmware extraction. Bus Pirate 6 + Black Magic Probe drive JTAG over SWD or the four-wire interface. See Vol 16 §3.
K
═══════════════════════════════════ K ═══════════════════════════════════
Kali Linux — Offensive Security’s Debian-derived pentest distribution; the canonical pentest live / lab OS; ships with the working set (nmap, Metasploit, Burp Community, sqlmap, Hydra, John, hashcat, Aircrack-ng, Wireshark, BloodHound, Impacket, Empire, etc.). See Vol 6 §3, Vol 11 §3.
Kamkar (Samy) — Samy Worm (MySpace XSS, 2005); RollJam (DEF CON 23, 2015) — the canonical sub-GHz rolling-code replay demonstration; researcher and content creator. See Vol 13 §4, Vol 4 §6.
KARMA — Dino Dai Zovi + Shane Macaulay rogue-AP attack technique (2004-2005); listens for client probe-requests, responds claiming to be every probed SSID, harvests associations. The foundational principle behind every modern rogue-AP platform. See Vol 14 §3.
Karsten Nohl — SRLabs founder; long history of RFID + cellular + payment-system research; co-broke MIFARE Classic Crypto-1 (2008), BadUSB (with Jakob Lell, Black Hat 2014). See Vol 16 §2, Vol 15 §3.
KAPE (Kroll Artifact Parser and Extractor) — Eric Zimmerman’s open-source forensic-collection and parsing tool; canonical Windows triage tool. See Vol 10 §3.
KeeLoq — Microchip rolling-code remote-keyless-entry IC family; broken by Bogdanov et al. (Eurocrypt 2007); subsequently augmented (and largely replaced) by AES-128 variants. See Vol 13 §4.
Kevin Mitnick — Ghost in the Wires (2011); Condor; convicted under federal hacking statutes (1995-2000); founded Mitnick Security Consulting; Chief Hacking Officer at KnowBe4 (2011-2023); the canonical reformed-black-to-white-hat trajectory of the field’s mass-public-awareness era. See Vol 3 §6, Vol 17 §2.
Key Croc — Hak5 in-line USB keylogger (2020); ARM Cortex-A7; passes through to host, captures keystrokes to internal storage, supports payload triggering on captured keystrokes. See Vol 16 §3, Vol 16 §5.
KEPServerEX — PTC’s industrial OPC server; common in ICS / OT environments; relevant for OT-pentest scope. See Vol 18 §3.
KnowBe4 — Founded August 2010 by Stu Sjouwerman; Kevin Mitnick joined as Chief Hacking Officer 2011-2023; the largest dedicated security-awareness-training platform. See Vol 17 §7.
KQL (Kusto Query Language) — Microsoft Sentinel’s SIEM query language; used heavily in detection engineering on the Microsoft stack. See Vol 10 §3.
L
═══════════════════════════════════ L ═══════════════════════════════════
L0pht / L0pht Heavy Industries — 1990s Boston hacker collective (Mudge, Weld Pond, Dildog, Joe Grand, Brian Oblivion, Space Rogue, Stefan, Silicosis); congressional testimony May 1998 (“we could take down the internet in 30 minutes”); the canonical late-’90s grey-hat-collective-to-mainstream-credibility arc. See Vol 8 §7, Vol 3 §7.
L3Harris — Defense-industrial contractor; acquired Azimuth Security (Australia) in 2018; relevant for exploit-broker and mobile-exploitation tier. See Vol 18 §2.
LAN Turtle — Hak5 USB-Ethernet-form-factor implant; ARM Linux; OpenVPN reverse-shell / SSH callback / DNS spoof / autossh framework; July 2014. See Vol 16 §4, Vol 16 §5.
Lazarus Group — North Korea-attributed APT (also Hidden Cobra, APT38, Bluenoroff for the financially-motivated sub-cluster); Sony Pictures intrusion (2014), Bangladesh Bank SWIFT theft (2016), WannaCry (2017), multiple cryptocurrency exchange thefts. See Vol 4 §4, Vol 7 §7.
LEGIC — Kaba LEGIC HF (13.56 MHz) access-control product line; Swiss origin; common in European enterprise deployments. See Vol 15 §3.
Legal terms — See CFAA, ECPA, CMA, GDPR, Wassenaar, Budapest Convention, Van Buren, hiQ, Auernheimer, Aaron Swartz.
Lesley Carhart (hacks4pancakes) — Director of Incident Response for North America at Dragos (industrial / OT IR); long-running practitioner-advocate via blog and conference talks. See Vol 10 §7.
LF RFID — Low-frequency RFID; 125 / 134 kHz; EM4100 / EM4102 / Hitag2 / HID Prox / Indala / T5577; near-field-coupled ~10 cm range; the legacy access-control frequency. See Vol 15 §2.
libnfc — Open-source NFC library; backs many community NFC tools; works with ACR122U + PN532 + ChameleonUltra. See Vol 15 §4.
link_crossrefs.py — tools/link_crossrefs.py — the canonical Hack Tools cross-reference resolver; auto-detects orphaned and unresolved cross-volume / cross-deep-dive links and either reports (--check) or repairs (default) them. Used by the pre-commit hook + manually after multi-volume edits. See §4.
LimeSDR Mini 2.0 — Lime Microsystems SDR; 10 MHz – 3.5 GHz, 30.72 MS/s, 12-bit, FPGA-equipped; ~$250-300; the budget mid-range SDR. See Vol 13 §6.
Liking (Cialdini) — Cialdini’s fifth principle of influence; humans more readily comply with requests from people they like (or share affinity with). See Vol 17 §2.
LiveOverflow — Pseudonymous YouTuber (Fabian Faessler); long-running technical security content channel; canonical example of the self-taught content-creator-to-career arc. See Vol 9 §7.
LockBit — Ransomware-as-a-Service operation; one of the highest-volume RaaS programs of the early 2020s; disrupted in Operation Cronos (February 2024) by NCA + FBI + Europol joint action. See Vol 7 §3.
LoRaWAN — Sub-GHz long-range low-power WAN protocol; 868 MHz (EU), 915 MHz (US); AES-128 session-key authenticated. See Vol 13 §4.
M
═══════════════════════════════════ M ═══════════════════════════════════
MAC randomization — Modern OS feature (iOS 8+, Android 8+, Windows 10+) that uses random MAC addresses in probe-requests and (configurably) per-SSID associations; defeats classic naive tracking. Bypassed by attacker-controlled SSID associations and various OS-specific leaks. See Vol 14 §2.
Maltego — Paterva, 2007; Roelof Temmingh; visual link-analysis OSINT tool; “transforms” map entities (people, domains, IPs) to related entities. Community + Pro tiers. See Vol 17 §3.
MANA toolkit — Sensepost’s improved KARMA implementation (2014); selective-replies and other refinements over the original Jasager rogue-AP model. See Vol 14 §3.
Mandiant — Founded 2004 by Kevin Mandia; acquired by FireEye 2013; spun back out and acquired by Google 2022; the canonical incident-response + threat-intelligence firm. APT1 report (2013) was a watershed for public APT attribution. See Vol 4 §4, Vol 18 §2.
MD5 — Message Digest 5; RFC 1321 (1992); broken cryptographic hash (collisions trivial since 2004, chosen-prefix attacks 2007); occasionally still encountered as legacy fingerprint format. See Vol 4 §3.
Menlo Report — Dittrich + Kenneally, US Department of Homeland Security S&T, August 2012; the Belmont Report’s biomedical-research ethics framework (respect for persons, beneficence, justice) adapted for ICT-research ethics. See Vol 19 §7.
Metasploit — H.D. Moore, 2003; Ruby-based exploitation framework; acquired by Rapid7 2009; Community + Pro tiers; the canonical entry-level exploitation framework. See Vol 6 §3, Vol 11 §3.
MFCUK / MFOC — mfcuk and mfoc — open-source MIFARE Classic crackers (Crypto-1 dark-side attack and offline nested attack respectively); historical tools, mostly subsumed by Proxmark + Chameleon firmware-integrated attacks. See Vol 15 §3.
MIFARE Classic — NXP HF 13.56 MHz product line; Crypto-1 stream cipher (proprietary, broken multiple times since 2008); the dominant legacy HF transit-and-access-control card; trivially cloned with Proxmark or Chameleon. See Vol 15 §3.
MIFARE DESFire — NXP HF DESFire EV1 / EV2 / EV3; AES-128 + 3DES + DES support; AID-based application multiplexing; the modern access-control HF baseline. See Vol 15 §3.
MIFARE Plus — NXP HF transition product (between Classic and DESFire); AES + Crypto-1 backwards-compatibility mode; intended migration target for legacy MIFARE Classic deployments. See Vol 15 §3.
MIFARE Ultralight — NXP HF low-cost ticketing variant; no proprietary crypto on early variants (C variant adds 3DES); used for transit single-use and small-stored-value applications. See Vol 15 §3.
Mimikatz — Benjamin Delpy (gentilkiwi), 2011; Windows credential dumper; extracts plaintext passwords, hashes, and Kerberos tickets from LSASS memory; ubiquitously detected by EDR but still the canonical AD-credential-theft tool. See Vol 11 §3.
MISP — Malware Information Sharing Platform; open-source threat-intelligence-sharing platform; STIX / TAXII interchange; the defender-side canonical IoC-sharing tool. See Vol 10 §3.
Mitnick (Kevin) — See Kevin Mitnick.
MITM (Man-in-the-Middle) — Generic class of attack in which the attacker positions between two endpoints and observes / modifies traffic; reverse-proxy phishing (Evilginx), rogue APs (PineAP), ARP spoofing on a LAN, BGP hijack at the WAN level are all variants. AiTM (Adversary-in-the-Middle) is the modern preferred term for the phishing-specific case. See Vol 17 §5.
MITRE ATT&CK — See ATT&CK.
Modlishka — Polish researcher Piotr Duszyński’s reverse-proxy phishing framework (2018); contemporary with Evilginx2. See Vol 17 §5.
Moloch — See Arkime.
Morris (Robert Tappan) — Author of the Morris Worm (November 2, 1988); first person convicted under the CFAA (1990); his 928 F.2d 504 (2d Cir. 1991) conviction is the canonical “intent attaches to access not damage” precedent. Now a professor at MIT. See Vol 3 §5, Vol 19 §2.
Morris Worm — November 2, 1988; ~6,000 of the ~60,000 then-internet hosts disrupted; the watershed event that catalyzed CERT/CC’s founding (November 1988); led directly to the Morris CFAA prosecution. See Vol 3 §5.
MTTD (Mean Time to Detect) — Defender metric: median time between initial compromise and defender detection; M-Trends 2011 reported 416 days global median; M-Trends 2024 reports 10 days global median (compressed substantially through the 2010s). See Vol 10 §4.
Mudge (Peiter Zatko) — L0pht alumnus; co-author L0phtcrack; DARPA cyber-program-manager (Cyber Fast Track, 2010-2013); Stripe security; Twitter CSO (2020-2022, blew the whistle on data-handling practices). See Vol 8 §7, Vol 11 §7.
Muraena — Open-source reverse-proxy phishing framework; Python-based; contemporary with Evilginx2 + Modlishka. See Vol 17 §5.
Mythic — Cody Thomas’s open-source post-exploitation C2 framework; multi-agent multi-language; emphasis on instrumentation and extensibility. See Vol 11 §3.
N
═══════════════════════════════════ N ═══════════════════════════════════
Nation-state — Threat-actor category encompassing intelligence agencies + sponsored offensive groups; APT taxonomy (Mandiant, CrowdStrike weather-and-animal, Microsoft typhoon-and-spiders, government-numeric) tracks them. See Vol 4 §4.
NDEF (NFC Data Exchange Format) — Standardized record format for NFC tags + cards; URL records, vCard records, BT pairing handover; the format a smartphone reads from an NTAG-tagged sticker. See Vol 15 §4.
Network sniffing — Passive capture of network traffic (on a SPAN port, on monitor-mode wireless, via ARP-spoofed LAN); Wireshark + tcpdump are the canonical tools. See Vol 10 §3.
Nextron Systems — Florian Roth’s company; commercial THOR scanner + Sigma + Aurora EDR; defender-side enterprise tooling. See Vol 10 §3, Vol 10 §7.
NFC — Near Field Communication; 13.56 MHz HF subset; ISO 14443 + ISO 18092; Type 1/2/3/4 tag definitions; modern phones + payment cards + transit. See Vol 15 §4.
NIST SP 800-53 — National Institute of Standards and Technology Special Publication 800-53; the canonical US federal control catalog; ~1000 controls organized by family; the structural basis for FedRAMP, FISMA, and most regulated-industry compliance schemas. See Vol 18 §3.
NIST SP 800-61r2 — NIST Computer Security Incident Handling Guide; the canonical US IR-process framework (preparation / detection-and-analysis / containment-eradication-recovery / post-incident). See Vol 10 §4.
NIST SP 800-115 — NIST Technical Guide to Information Security Testing and Assessment; the canonical US federal pentest-methodology reference. See Vol 6 §4.
Nmap — Gordon “Fyodor” Lyon, 1997; the canonical network-mapper + port-scanner + service-fingerprinter; Nmap Scripting Engine (NSE) extends to limited vulnerability assessment. See Vol 6 §3.
NSE (Nmap Scripting Engine) — Lua extension framework inside Nmap; ~600 published scripts cover service-version-detection, default-credential-checking, and light vulnerability assessment. See Vol 6 §3.
NSO Group — Israeli commercial-spyware vendor; Pegasus mobile-implant product; the canonical example of the unaccountable-commercial-offensive-tool tier. US Commerce Department Entity List addition (November 2021). See Vol 4 §3, Vol 19 §7.
NTAG — NXP NFC tag IC family (NTAG203, NTAG213, NTAG215, NTAG216); Type 2 tag; the canonical “URL-on-sticker” tag silicon. See Vol 15 §3.
NTLM — Windows challenge-response authentication protocol (NTLMv1 + NTLMv2); offline-crackable from captured hashes; legacy but widely still present. See Vol 11 §3.
Nuclei — ProjectDiscovery’s YAML-template-driven vulnerability scanner; rapidly extensible; modern alternative to legacy scanner architectures. See Vol 6 §3.
Nyan Box — Aspirational Hack Tools entry (Nyan Devices): ESP32-WROOM-32U + triple NRF24L01+ + 0.96″ OLED + 2500 mAh; covers drone Remote-ID + hidden-camera detection. See comparison.md.
Nyquist (Nyquist-Shannon) — Sampling theorem: faithful reconstruction of a bandlimited signal requires sampling at greater than 2× the highest frequency. Violating Nyquist produces silent aliasing. See Vol 13 §2.
O
═══════════════════════════════════ O ═══════════════════════════════════
OAuth (OAuth 2.0 / OIDC) — Authorization framework + OpenID Connect identity layer; the modern SSO + delegated-authorization standard; phishing campaigns abuse OAuth consent-grant flows (“illicit consent grant” attacks) to obtain persistent tokens without credentials. See Vol 17 §5.
OffSec (Offensive Security) — Issuer of OSCP, OSEP, OSWE, OSED, OSWP, OSDA, OSMR, OSEE; produces Kali Linux; the most-cited practical-cert provider in the offensive space. See Vol 18 §3.
O.MG Cable — Mischief Gadgets / Hak5 weaponized USB-A or USB-C charging cable; embedded ESP32-S3-class implant with web-based payload management; the canonical modern “innocuous-looking-cable-but-actually-HID-keyboard” implant. See Vol 16 §3, Vol 16 §5.
Operation Cronos — February 2024 international law-enforcement action (NCA + FBI + Europol + 11 other nations) against the LockBit ransomware operation; seized infrastructure + decryption tools + identified affiliates. See Vol 7 §3.
Operation Tovar — June 2014 international takedown of the Gameover ZeuS botnet + Cryptolocker; FBI + Europol + multiple national agencies + private partners. See Vol 7 §3.
OPSEC — Operational Security; the discipline of avoiding leaks that compromise operations or attribute attackers; relevant on both sides (attacker and defender). See Vol 11 §4, Vol 17 §3.
OSCE / OSCE3 — OffSec Certified Expert 3 — composite cert requiring OSEP + OSWE + OSED; the OffSec apex outside OSEE. See Vol 18 §3.
OSCP — Offensive Security Certified Professional; 24-hour practical lab exam + 24-hour report; the canonical practical pentest cert and the most-recognized entry-tier offensive credential. See Vol 18 §3, Vol 6 §6.
OSED — Offensive Security Exploit Developer; OffSec Windows-exploit-development cert (EXP-301); intermediate-tier; covers stack-based + heap-based + ASLR/DEP-bypass exploitation. See Vol 18 §3.
OSEE — Offensive Security Exploitation Expert; OffSec advanced Windows-exploit-development cert (EXP-401); the apex OffSec course; in-person delivery historically. See Vol 18 §3.
OSEP — Offensive Security Experienced Penetration Tester; OffSec evasion + AD + Windows cert (PEN-300); intermediate-tier; pairs naturally with OSCP. See Vol 18 §3.
OSINT (Open-Source Intelligence) — Collection from publicly-available sources; the modern OSINT discipline includes public records, social media, technical footprint (DNS, certificates, BGP, breach data), human network (LinkedIn, conference circuit), and geolocation. Bellingcat is the canonical modern methodology lineage. See Vol 17 §3.
OT (Operational Technology) — Industrial environments — PLCs, SCADA, DCS, building-management systems; the IT/OT convergence is the modern attack-surface story. See Vol 18 §3.
OWASP — Open Web Application Security Project; the canonical web-app security community + standards body; OWASP Top 10 + ASVS + ZAP scanner. See Vol 6 §3.
OWASP ZAP — See ZAP.
P
═══════════════════════════════════ P ═══════════════════════════════════
P4wnP1 — Marcus Mengs’ Raspberry Pi Zero W BadUSB + HID-injection + USB-OTG framework; predates and overlaps with Bash Bunny’s design. See Vol 16 §2.
Packet Squirrel — Hak5 in-line Ethernet-MITM implant; ARM Linux; passive capture + scripted active actions; March 2018. See Vol 16 §4, Vol 16 §5.
Pandoc — John MacFarlane’s open-source document converter; markdown → HTML pipeline used by the Hack Tools deep-dive builder. See §4.
Park Jin Hyok — DPRK Lazarus Group operative; September 6, 2018 US DOJ indictment (Sony Pictures + Bangladesh Bank + WannaCry); Korea Expo (Chosun Expo Joint Venture) named as the cover front-company; the first US criminal indictment naming a DPRK intelligence operative. See Vol 7 §7, Vol 4 §4.
Patch Tuesday — Microsoft’s second-Tuesday-of-the-month security-update cadence (since October 2003); the canonical defensive-disclosure rhythm; also drives the offensive “Exploit Wednesday” rhythm. See Vol 19 §5.
Pentesting — Penetration testing; structured authorized testing of an organization’s systems to identify exploitable weaknesses; modern variants include web-app, network (internal + external), wireless, physical, social-engineering, cloud, ICS/OT, mobile. See Vol 6 §1, Vol 4 §2.
Phishing — Email-or-message-based credential-theft / payload-delivery attack; bulk (low-quality high-volume), spear (targeted), whaling (executive-targeted); the canonical initial-access vector reported in DBIR 2025 (16% of breaches). See Vol 17 §5.
PineAP — Hak5 WiFi Pineapple’s productized rogue-AP / KARMA / Evil-Twin / recon engine; the structural successor of Robin Wood’s Jasager and Sensepost’s MANA. See WiFi Pineapple deep dive, Vol 14 §3.
PMK (Pairwise Master Key) — WPA2 / WPA3 derived shared secret per-session-per-client; PMK = PBKDF2(passphrase, SSID, 4096, 256) for PSK networks; the crack target in offline WPA2 attacks. See Vol 14 §4.
PMKID — Single-frame PMK identifier captured from the first EAPOL frame from the AP (M1); broken by Steube of Hashcat (August 2018); allows offline PMK crack without observing a full four-way handshake. See Vol 14 §4.
PortaPack — ShareBrained / Furrtek HackRF One companion board adding LCD, navigation, battery, audio, real-time spectrum + waterfall + multiple tx/rx modes via Mayhem firmware. The H2+ variant (2026) is the current generation tjscientist owns on porta. See Vol 13 §6, HackRF One deep dive.
PortaRF — OpenSourceSDRLab’s commercial handheld SDR — Clifford Heath modified HackRF silicon + integrated display + keyboard + battery; aspirational Hack Tools entry. See OpenSourceSDRLab PortaRF deep dive.
Pretexting — Social-engineering technique of constructing and inhabiting a cover identity (IT support, vendor, executive, auditor); the prerequisite skill underneath every non-bulk phishing / vishing operation. See Vol 17 §4.
Project Zero (Google) — Google’s 0-day-research team founded 2014; 90-day-disclosure-policy popularizer; researcher roster includes Tavis Ormandy, James Forshaw, Ian Beer, Natalie Silvanovich. See Vol 18 §2, Vol 8 §7.
Proxmark3 RDV4 — RFID Research Group lab-grade RFID / NFC research tool; LF + HF; both Iceman and official firmware lines. Aspirational Hack Tools entry. See Vol 15 §6.
Purple team — Integrated offensive-defensive exercise mode (atomic-test loops, exercise scenarios, BAS-driven continuous testing, detection-engineering feedback). “Purple” is a verb (the practice of integrating red and blue) rather than a fixed team designation. See Vol 12 §1, Vol 12 §4.
Pwn2Own — Annual exploit-development competition; runs at CanSecWest (Vancouver) since 2007, Tokyo since 2008, Toronto since 2019; ZDI (Trend Micro) runs the modern incarnation. Prizes range from $50k to $500k+ per category. See Vol 6 §3.
Q
═══════════════════════════════════ Q ═══════════════════════════════════
Quishing — QR-code phishing; emerging delivery channel (mid-2020s) since QR codes route through phone OS (less email-gateway intermediation) and the rendered URL is less visible to the user pre-tap. See Vol 17 §5.
R
═══════════════════════════════════ R ═══════════════════════════════════
RaaS (Ransomware-as-a-Service) — Criminal-economy operating model: operators provide ransomware platform + payment infrastructure + (often) leak-site; affiliates conduct intrusions and run encryption; revenue split typically 70/30 to 80/20 affiliate-favored. LockBit, ALPHV/BlackCat, Cl0p, Hive, Conti are canonical examples. See Vol 7 §3.
Ransomware — Malware that encrypts victim files and / or threatens data publication unless ransom is paid. Modern double-extortion model (encrypt + exfil-and-threaten-leak) since ~2019. See Vol 7 §3, Vol 4 §4.
Raphael Mudge — Author of Cobalt Strike (released 2012); sold his company Strategic Cyber LLC to HelpSystems (now Fortra) in 2020; the canonical commercial-red-team-platform founder of the modern era. See Vol 11 §3, Vol 11 §7.
Rayhunter — Electronic Frontier Foundation’s open-source IMSI-catcher / Stingray-detector firmware running on Verizon Orbic Speed RC400L hotspots. Aspirational Hack Tools entry. See Vol 13 §3.
Reciprocity (Cialdini) — Cialdini’s first principle of influence; humans return favors. The basis of many low-touch SE moves (free coffee → request a moment of your time). See Vol 17 §2.
Recon-ng — Tim Tomes’s Python-based OSINT reconnaissance framework; modular-workflow design; complementary to theHarvester + Maltego. See Vol 17 §3.
Red team — Offensive team in red-vs-blue; modern “red team” implies long-engagement objective-based operations (vs. point-in-time pentest); adversary-emulation discipline is the canonical modern frame. See Vol 11 §1.
Replay attack — Recording and re-transmitting an RF transmission to spoof the original sender; defeated by rolling-code + AES + nonce-bound protocols, succeeds against fixed-code remotes and many legacy RFID. See Vol 13 §4.
Reproducibility (build) — In the deep-dive build context: every consolidated HTML is regenerable from 02-inputs/volume_sources/vol*.md via _shared/build/build_single_html.py; outputs are append-only via Git; anchors are append-only by discipline. See §4.
Responsible disclosure — The older (contested, somewhat-deprecated) term for coordinated disclosure; “responsible” carries normative weight that the researcher community has pushed back on. Dan Kaminsky’s 2008 DNS-vulnerability coordinated disclosure is the canonical exemplar. See Vol 19 §5.
REvil (Sodinokibi) — Russian ransomware-as-a-service operation; active 2019-2022; Kaseya VSA supply-chain attack July 2021; servers seized + members arrested January 2022 (Russian FSB action, before the war disrupted such cooperation). See Vol 7 §3.
RF (Radio Frequency) — Generic term for radio-band signals (~3 kHz - 300 GHz); RF tradecraft in this series covers ~30 kHz - 7 GHz (the practically-accessible range with consumer-tier gear). See Vol 13 §3.
RFID — Radio Frequency Identification; passive (powered by reader-field) tag and active reader; LF (125-134 kHz), HF (13.56 MHz), UHF (860-960 MHz) are the practical bands. See Vol 15 §1, Vol 15 §2.
ROE (Rules of Engagement) — Written constraints on a sanctioned engagement: in-scope and out-of-scope hosts, test-window times, prohibited-actions list (DoS, social-engineering, production-data-touch), notification requirements, communication channels. See Vol 19 §4.
Rogue access point — Generic class: an AP placed in or near a target environment to harvest associations / credentials / probe-requests; KARMA-derivative platforms (WiFi Pineapple, ESP32 Marauder) productize this. See Vol 14 §3.
Rolling code — RF remote-control protocol family in which each transmission carries an incrementing counter, validated by the receiver to a sliding window; defeats simple replay. Broken in KeeLoq (2007), bypassed by Kamkar’s RollJam jamming attack (DEF CON 23, 2015). See Vol 13 §4.
RollJam — Samy Kamkar’s DEF CON 23 (2015) rolling-code RF replay attack via simultaneous-jam-and-capture; the canonical demonstration that rolling-code protocols are not replay-immune at the practical attack level. See Vol 13 §4.
RTL-SDR — Realtek RTL2832U DVB-T USB dongle repurposed as a wide-band software-defined receiver (~24 MHz - 1.7 GHz, 8-bit, 2.4 MS/s stable); the $30 universal receive-side SDR; the Blog V4 is the canonical 2026 unit. See Vol 13 §6.
rtl_433 — Open-source RTL-SDR-based decoder for hundreds of consumer 315/433/868/915 MHz protocols (weather stations, TPMS, door sensors); a canonical receive-side SDR demo. See Vol 13 §5.
Ruckus Game Over — Third-party Flipper module (Ruckus): ESP32-S3 + OLED + joystick + microSD + CC1101/NRF24 daughter slot. Owned by tjscientist on game-over-host. See Vol 14 §6.
═══════════════════════════════════ S ═══════════════════════════════════
Safe harbor — Bug-bounty program clause publicly committing the program owner to not pursue legal action against good-faith researchers operating inside scope. HackerOne’s Disclose.io initiative standardized the language; the legal posture is statement-not-contract until activated by participation. See Vol 8 §6, Vol 19 §4.
SAML — Security Assertion Markup Language; XML-based SSO standard; predates OAuth/OIDC; common in enterprise federation. Attack surface: XML-signature wrapping, golden-SAML attacks, federated-trust abuse. See Vol 11 §3.
SANS — SANS Institute; founded 1989 by Alan Paller; the largest commercial training-and-certification provider in security; courses cost ~$8,500 per course as of early 2026; GIAC is its cert arm. See Vol 18 §3.
Sarah Edwards — SANS FOR518 (Mac and iOS Forensic Analysis and Incident Response) author / instructor since 2014; APOLLO Apple Pattern of Life Lazy Output’er tool; Head of DFIR at IsMyPhoneHacked as of early 2026. See Vol 10 §7.
Scarcity (Cialdini) — Cialdini’s sixth principle of influence; humans value things that appear limited in availability or time. The “this opportunity expires in 24 hours” lever. See Vol 17 §2.
Schroeder (Will) — SpecterOps co-founder; co-author BloodHound + Empire (with Justin Warner and Matt Nelson); the AD-attack-path methodology lineage. See Vol 11 §3, Vol 11 §7.
SDR (Software-Defined Radio) — Radio in which signal-processing chain is software (running on CPU / DSP / FPGA) rather than fixed silicon; receive-only ($30 RTL-SDR) through transmit-capable ($300 HackRF) through professional-grade ($1000+ USRP). See Vol 13 §2, Vol 13 §6.
SE (Social Engineering) — The discipline of manipulating people into performing actions or disclosing information; the canonical applied-Cialdini-and-Kahneman discipline; encompasses pretexting, phishing, vishing, smishing, physical entry, tailgating. See Vol 17 §1.
SET (Social Engineer Toolkit) — Dave Kennedy / TrustedSec, 2011; open-source Python SE-attack toolkit; harvester / spear-phishing / website-cloning / wireless-AP modules. See Vol 17 §5.
ShareBrained / Furrtek — Producers of the PortaPack H1 / H2 / H2+ HackRF companion boards. See HackRF One deep dive.
Shark Jack — Hak5 portable Ethernet-attack implant; ARM Linux + USB-A + Ethernet; July 2020. See Vol 16 §5.
SharpHound — BloodHound’s C# collector for Active Directory; enumerates users, groups, computers, sessions, ACLs to produce JSON for BloodHound graph import. See Vol 11 §3.
Sherlock — Open-source OSINT tool (Sherlock Project); given a username, queries hundreds of sites for matching profiles. See Vol 17 §3.
Shodan — John Matherly, 2009; internet-connected-device search engine; canonical reconnaissance tool for exposed services + ICS + IoT. See Vol 17 §3.
SIEM (Security Information and Event Management) — Log aggregation + search + correlation + alerting platform; Splunk (acquired by Cisco for $28B in 2024), Microsoft Sentinel, Elastic Security, Chronicle/Google, IBM QRadar are representative. See Vol 10 §3.
Sigma rules — Florian Roth + Thomas Patzke, 2017; vendor-neutral YAML detection-rule format; converts to Splunk SPL / KQL / Elastic / many others; the canonical detection-engineering interchange format. See Vol 10 §3.
Skid (script kiddie) — Pejorative for someone running tools without underlying understanding; historically applied liberally, contemporarily reduced as the toolchain has commoditized for everyone. See Vol 9 §1.
Sliver — BishopFox open-source Go-based C2 framework; positioned as a Cobalt Strike alternative with stronger anti-EDR posture; released 2019. See Vol 11 §3.
Smishing — SMS-based phishing; bypasses corporate email gateway controls; common pretexts include package delivery, bank fraud alert, government tax communication. See Vol 17 §5.
Snort — Sourcefire (now Cisco) network IDS; the canonical open-source IDS; supplanted in many deployments by Suricata for performance. See Vol 10 §3.
SOAR (Security Orchestration, Automation, and Response) — Workflow-automation layer for SOC operations; Tines, Splunk SOAR (ex-Phantom), Microsoft Sentinel Logic Apps are representative. Addresses alert-fatigue and response-consistency. See Vol 10 §3.
Social proof (Cialdini) — Cialdini’s third principle of influence; humans look to others’ behavior for guidance, especially under uncertainty. “Everyone else has approved this.” See Vol 17 §2.
SOC (Security Operations Center) — Operating team running SIEM + EDR + IR; tier-1 (initial triage) / tier-2 (investigation) / tier-3 (threat hunting, escalation, complex IR) is the canonical staffing pattern. See Vol 10 §4, Vol 18 §6.
SOW (Statement of Work) — Contractually-binding scope-and-deliverables document; the foundation of every commercial pentest engagement; SOW + Scope + ROE + GOJL is the canonical authorization stack. See Vol 19 §4.
Spear phishing — Targeted phishing; the attacker has researched the target and crafts a believable-to-this-individual pretext; routinely the initial-access vector in targeted intrusions. See Vol 17 §5.
SpecterOps — David McGuire + Will Schroeder + Andy Robbins (~2017); red-team consultancy + BloodHound Enterprise + GhostPack tooling lineage; adversary-emulation focus. See Vol 11 §3.
SpiderFoot — Steve Micallef, ~2012-2013; OSINT automation framework; acquired by Intel 471 November 2022. See Vol 17 §3.
SPF (Sender Policy Framework) — RFC 7208; email-authentication standard; DNS-published list of authorized sending IPs per domain. See Vol 17 §7.
Splunk — Splunk Inc.; SIEM market leader; acquired by Cisco for ~$28 billion (closed March 2024); SPL (Search Processing Language) is its query syntax. See Vol 10 §3.
SQL injection — Web-app vulnerability class; attacker-controlled input concatenated into SQL queries; one of the OWASP Top 10 perennials despite being known since 1998. sqlmap is the canonical exploitation tool. See Vol 6 §3.
SSID — Service Set Identifier; Wi-Fi network name; advertised in beacon frames, requested in probe-request frames. The KARMA attack exploits probe-request behavior. See Vol 14 §2.
STIX / TAXII — Structured Threat Information Expression (STIX) data format + Trusted Automated Exchange of Intelligence Information (TAXII) transport; the canonical CTI interchange standards. See Vol 10 §3.
Stingray — See IMSI catcher.
STÖK — See Frans Rosén.
Stuxnet — June 2010; first publicly-documented offensive cyberweapon targeting industrial control systems (Natanz Iranian uranium enrichment); attributed to US-Israeli “Olympic Games” program. The watershed for understanding nation-state offensive capability. See Vol 4 §4.
Sub-GHz — Radio frequencies below 1 GHz; in the security context primarily the 315/433/868/915 MHz ISM bands; consumer remotes, RKE, garage doors, weather stations, LoRa, Z-Wave operate here. See Vol 13 §4.
Sullivan / Uber 2022 — Joseph Sullivan (Uber CSO) convicted October 2022 of obstruction of justice + misprision of a felony for concealing a 2016 data breach from FTC investigators; sentenced May 2023 to three years probation. The canonical cautionary case for security-leadership-disclosure-failure liability. See Vol 19 §7.
Suricata — OISF open-source network IDS / IPS; modern successor in many deployments to Snort; multi-threaded; Lua-extensible. See Vol 10 §3.
SWG (Secure Web Gateway) — Inline web-traffic-filtering security product; HTTPS-inspecting; common in enterprise. See Vol 10 §3.
═══════════════════════════════════ T ═══════════════════════════════════
T5577 — Atmel (now Microchip) writable LF 125 kHz RFID transponder IC; commonly used to clone HID Prox / EM4100 / Indala by writing a duplicate UID. See Vol 15 §3.
Tailgating — Physical-entry technique: following an authorized person through an access-controlled door, exploiting social pressure to not challenge or close the door. The canonical non-credential physical attack. See Vol 17 §6.
Tamper-evident — Physical-security property: any manipulation of a device leaves visible / measurable evidence; tamper-evident bag-seals, tamper-evident screws, RFID-tagged seal containers. The defender posture against pre-shipment supply-chain compromise. See Vol 16 §7.
Tavis Ormandy — Google Project Zero senior researcher; long-running prolific 0-day-discovery track record across AV/EDR products, browser engines, JavaScript runtimes. See Vol 8 §7.
TCP RST — TCP reset segment; defensive use: terminate observed-malicious TCP connections from a sensor-inline IPS or response tool (Snort/Suricata inline mode). See Vol 10 §3.
Telephony fraud / phreaking — Phone-system manipulation; the 1960s-1980s pre-internet hacker substrate; Captain Crunch (John Draper) + 2600 Hz tone + blue boxes. See Vol 2 §3, Vol 3 §3.
theHarvester — Christian Martorella; open-source OSINT email + subdomain + employee-name reconnaissance tool; canonical entry-tier OSINT discovery. See Vol 17 §3.
THC Hydra — Online network-service password-cracking tool; supports ~50 protocols (SSH, FTP, HTTP, RDP, SMB, MySQL, etc.). See Vol 11 §3.
Threat intel — See CTI.
Threat hunting — Hypothesis-driven proactive search for compromise inside the environment, independent of detection-rule alerts. SOC tier-3 / specialist function. See Vol 10 §4.
TOOOL (The Open Organisation Of Lockpickers) — International lockpicking education community; The CORE Group (Deviant Ollam et al.) runs the canonical DEF CON / BSides / regional teaching presence. See Vol 17 §6.
Tornado Cash — Cryptocurrency mixer (Ethereum); August 2022 US OFAC sanctioning (designation reversed by Fifth Circuit August 2024); the canonical sanctioned-mixer case. See Vol 7 §3.
TPMS — Tire Pressure Monitoring System; mandated by US TREAD Act 2007; transmits per-tire sensor IDs on 315 MHz (US) / 433 MHz (EU). Rouf et al. USENIX 2010 demonstrated tracking-by-sensor-ID and spoofing. See Vol 13 §3, Vol 13 §4.
TryHackMe — See HackTheBox / TryHackMe.
TTP (Tactic, Technique, Procedure) — MITRE ATT&CK’s three-layer descriptive vocabulary for adversary behavior; the lingua franca of detection engineering and adversary emulation. See Vol 11 §3, Vol 12 §3.
═══════════════════════════════════ U ═══════════════════════════════════
Ubertooth One — Michael Ossmann (Great Scott Gadgets); open-source Bluetooth BR/EDR + BLE-classic-mode capture board (~2010); historical reference platform for BLE research, partly superseded by software-defined approaches and integrated ESP32 BLE-sniffer tooling. See Vol 14 §6.
UEFI — Unified Extensible Firmware Interface; replacement for legacy BIOS; UEFI-firmware-implant research (LoJax, MosaicRegressor, BlackLotus) is a high-end persistence-research subfield. See Vol 16 §4.
UHF RFID — Ultra-High-Frequency RFID; 860-960 MHz; EPC Class 1 Generation 2; passive long-read-range (meters); supply-chain and retail rather than access-control. See Vol 15 §2.
Unauthorized access — The conduct CFAA § 1030(a)(2) prohibits — accessing a protected computer without authorization or in excess of authorization; Van Buren v. United States (2021) narrowed the “exceeds authorized access” prong to access of areas the user is not entitled to access (gates-up-or-down). The “without authorization” prong remains broad. See Vol 19 §2.
URH (Universal Radio Hacker) — Johannes Pohl, USENIX WOOT 2018; open-source signal-analysis tool with bit-level decoding / protocol-inference assistance; the canonical capture-analyze SDR centerpiece for protocol reverse engineering. See Vol 13 §5.
URL rewriting — Email gateway security feature: replace links in inbound mail with sandbox-proxied versions that detonate / scan the destination at click time. See Vol 17 §7.
USB Rubber Ducky — Hak5’s original HID-injection platform (Mark V, 2010; subsequent generations through Mark IV plus DuckyScript 3.0 hardware ~2022); the “BadUSB-as-a-product” canonical implement; the namesake of Ducky Script. See Vol 16 §2, Ducky Script deep dive.
USRP B205mini-i — Ettus Research / NI USRP; 70 MHz – 6 GHz, 56 MHz instantaneous, 12-bit; the canonical professional-tier SDR; ~$1,500. See Vol 13 §6.
═══════════════════════════════════ V ═══════════════════════════════════
Van Buren v. United States — 593 U.S. 374 (2021); No. 19-783; 141 S. Ct. 1648; 6-3 Barrett majority (joined by Breyer, Sotomayor, Kagan, Gorsuch, Kavanaugh); Thomas dissent (joined by Roberts, Alito); held that the CFAA’s “exceeds authorized access” prong does not cover misuse-of-otherwise-permitted access (“gates-up-or-down” rule); did NOT narrow the “without authorization” prong. See Vol 19 §2.
VECTR — SCYTHE’s open-source purple-team-exercise-tracking platform; structured logging of red-team actions + blue-team detection responses for retrospective analysis. See Vol 12 §3.
Velociraptor — Rapid7-now-Microsoft open-source DFIR / endpoint-visibility tool; the canonical free DFIR-collection platform. See Vol 10 §3.
Verizon DBIR — Verizon Data Breach Investigations Report; annual since 2008; the canonical public breach-statistics dataset; DBIR 2025 reported phishing-initiated as 16% of all breaches and 21% trained / 5% untrained report-rates. See Vol 17 §2.
VirusTotal — Google-owned malware-sample + URL-scanning aggregator (acquired 2012); ~70 AV-vendor integration; community + premium tiers. See Vol 10 §3.
Vishing — Voice-call-based phishing; emerging variant: AI voice-cloning for executive-impersonation; 2024-2025 BEC cases routinely include voice-call components. See Vol 17 §5.
VPN — Virtual Private Network; encrypted tunnel; consumer VPNs primarily for circumvention / privacy, enterprise VPNs for remote-access; VPN-appliance vulnerabilities (Pulse Secure, Fortinet, Cisco ASA, Citrix NetScaler) are persistent ransomware initial-access vectors. See Vol 7 §3.
═══════════════════════════════════ W ═══════════════════════════════════
WannaCry — May 12, 2017; ransomware worm using EternalBlue (NSA-developed SMB exploit leaked by Shadow Brokers); spread to ~230,000 systems in 150 countries; kill-switch domain registered by Marcus Hutchins (MalwareTech) halted spread. Attributed to DPRK Lazarus Group. See Vol 7 §3, Vol 6 §7.
WarGames (1983) — John Badham film; first mass-cultural depiction of “hacker”; popularized “war dialing”; appears in retrospective accounts as inspiration for an entire cohort entering the field. See Vol 5 §3.
Wardriving — Surveying Wi-Fi networks by mobile reception (literally driving with a Wi-Fi-equipped laptop / phone); coined ~2001 by Pete Shipley; WiGLE.net aggregates submitted observations. See Vol 14 §2.
Wassenaar Arrangement — 1996 multilateral export-control framework; 2013 “intrusion software” controls revision created chilling effects on legitimate security research; subsequent 2017 narrowing. See Vol 19 §3.
WIDS (Wireless IDS) — Defender-side passive Wi-Fi monitoring tool; identifies rogue APs, deauth-flood attacks, KARMA-style probe-response abuse. Kismet is the canonical open-source WIDS. See Vol 10 §3, Vol 14 §2.
WiFi Pineapple — Hak5’s purpose-built wireless-auditing platform (since 2008); modified-OpenWrt base; PineAP rogue-AP / KARMA / evil-twin engine; modules + Campaigns + Cloud C2; Mark VII / Mark VII + AC Tactical / Pager / Enterprise are the current 2026 model line. See WiFi Pineapple deep dive, Vol 14 §3.
Wireshark — Gerald Combs (originally Ethereal, 1998; renamed Wireshark 2006); the canonical packet-capture-and-analysis tool; the GUI complement to tcpdump. See Vol 10 §3, Vol 6 §3.
Without authorization (CFAA) — One of the two CFAA mental-state predicates (the other is “exceeds authorized access”); covers access where the user has no permission at all (vs. the narrower “exceeds” prong, post-Van Buren); the broader of the two prongs. See Vol 19 §2.
WPA / WPA2 / WPA3 — Wi-Fi Protected Access generations; WPA (TKIP, 2003) → WPA2 (AES-CCMP, 2004) → WPA3 (SAE / Dragonfly handshake, 2018). WPA2-PSK is the canonical handshake-capture-and-crack target. See Vol 14 §4.
WPS (Wi-Fi Protected Setup) — 2006 simplified-pairing protocol; broken by Stefan Viehböck (December 2011) for online PIN-brute-force; routers commonly ship with WPS enabled by default despite the documented weakness. See Vol 14 §2.
═══════════════════════════════════ X ═══════════════════════════════════
XDR (Extended Detection and Response) — Marketing-tier-up from EDR; correlates endpoint + email + network + cloud telemetry inside a single vendor stack. The marketing distinction from EDR is often thin. See Vol 10 §3.
XKEYSCORE — NSA mass-surveillance program disclosed by Edward Snowden (Guardian, 2013); searchable database of internet-traffic-metadata-and-content. Historical context, not an operationally-relevant tool for practitioners. See Vol 4 §4.
XSS (Cross-Site Scripting) — Web-app vulnerability class; attacker-controlled content rendered as executable script in victim browser context; stored / reflected / DOM-based variants. OWASP Top 10 perennial. See Vol 6 §3.
═══════════════════════════════════ Y ═══════════════════════════════════
YARA — Victor Manuel Alvarez (VirusTotal), 2007; pattern-matching rule language for malware identification / classification; ubiquitous in defender + threat-intel + IR workflows. See Vol 10 §3.
YARA Forge — Florian Roth / Nextron community-curated YARA-rule aggregator; combines reputation-weighted public rule sources into a single deployable bundle. See Vol 10 §3.
YubiKey — Yubico hardware security key product line; FIDO2 / WebAuthn / U2F / OTP / PIV / OpenPGP; the canonical phishing-resistant MFA token. See Vol 17 §7.
═══════════════════════════════════ Z ═══════════════════════════════════
ZAP (OWASP ZAP) — Zed Attack Proxy; OWASP-stewarded open-source web-app proxy + scanner; Burp’s free / OSS competitor. See Vol 6 §3.
Zeek — Vern Paxson (Lawrence Berkeley Lab); originally Bro (1995), renamed Zeek 2018; the canonical network-traffic-analysis framework; protocol-decoder library + scripting language; defender-side instrumentation. See Vol 10 §3.
Zerodium — Chaouki Bekrar’s exploit-acquisition broker (founded 2015); per-target prices range $50k for low-impact to $2.5M+ for full-chain mobile RCE; primarily government-customer-facing. See Vol 4 §3.
Z-Wave — Sub-GHz mesh home-automation protocol (Silicon Labs; ~900 MHz region per-country); S2 security framework added in 2017 with AES-128 + PKE pairing. See Vol 13 §4.
3. The canonical anchor index
Every H2 across Vols 6-19 — the hat cluster, reference cluster, and synthesis cluster — appears here with its frozen vol{NN}-<slug> anchor and a short descriptor. Sibling Hack Tools deep dives write HackerTradecraft_Complete.html#<anchor> to link in. Vols 20 (the cheatsheet) and 21 (this volume) are not generally inbound-linked from external deep dives and are omitted from the catalog.
Heading text in these volumes is FROZEN APPEND-ONLY. Renaming any of these H2 headings silently breaks every inbound link. Add new sections rather than renaming old ones; if a heading must change, leave a > Moved to [§X.X](#new-anchor) redirect stub under the old heading so the inbound link still lands somewhere informative. The discipline is the contract.
Quick stats. 14 volumes × 9 H2s typical = 126 frozen anchors total as of 2026-05-16. The per-volume tables follow.
Vol 6 — The white hat: authorized professional
| Anchor | Full link | Covers |
|---|---|---|
| vol06-a-day-in-the-life | HackerTradecraft_Complete.html#vol06-a-day-in-the-life | Three composites: consultancy pentester / in-house red teamer / bug-bounty researcher |
| vol06-callouts-and-cross-references | HackerTradecraft_Complete.html#vol06-callouts-and-cross-references | Vol 6 callouts and cross-references to sibling volumes |
| vol06-definition-and-boundary | HackerTradecraft_Complete.html#vol06-definition-and-boundary | White-hat as authorized professional; the paperwork stack is the hat |
| vol06-famous-figures | HackerTradecraft_Complete.html#vol06-famous-figures | Moussouris, Kaminsky, HD Moore, Charlie Miller, Hutchins — five white-hat profiles |
| vol06-how-they-get-hired | HackerTradecraft_Complete.html#vol06-how-they-get-hired | Cert ladder (OSCP / OSEP / CRTO / SANS GIAC / CEH-as-HR-filter); first-job pathways |
| vol06-methods-and-tradecraft-the-engagement-lifecycle | HackerTradecraft_Complete.html#vol06-methods-and-tradecraft-the-engagement-lifecycle | Scoping → recon → exploitation → post-ex → cleanup; the canonical engagement workflow |
| vol06-origin-and-how-the-term-is-actually-used | HackerTradecraft_Complete.html#vol06-origin-and-how-the-term-is-actually-used | Western-cinema origin; 1990s commercial adoption; modern usage in 2026 |
| vol06-resources | HackerTradecraft_Complete.html#vol06-resources | Vol 6 footnotes and external resources |
| vol06-tools-of-the-trade | HackerTradecraft_Complete.html#vol06-tools-of-the-trade | Kali / Burp / Metasploit / Nmap / Nuclei / Wireshark / BloodHound / Cobalt Strike / OWASP ZAP — the working set |
Vol 7 — The black hat: criminal practitioner
| Anchor | Full link | Covers |
|---|---|---|
| vol07-a-day-in-the-life-reconstructed-from-court-records | HackerTradecraft_Complete.html#vol07-a-day-in-the-life-reconstructed-from-court-records | A day in the life — reconstructed from court records |
| vol07-callouts-and-cross-references | HackerTradecraft_Complete.html#vol07-callouts-and-cross-references | Vol 7 callouts and cross-references (incl. mandatory danger callout) |
| vol07-definition-and-boundary | HackerTradecraft_Complete.html#vol07-definition-and-boundary | Black-hat as criminal practitioner; the legal-line treatment |
| vol07-famous-figures | HackerTradecraft_Complete.html#vol07-famous-figures | Gonzalez, Butler, Bogachev, Park Jin Hyok, Yakubets — five black-hat profiles |
| vol07-methods-and-tradecraft-the-intrusion-lifecycle-as-crime | HackerTradecraft_Complete.html#vol07-methods-and-tradecraft-the-intrusion-lifecycle-as-crime | Intrusion-lifecycle-as-crime — recon → initial access → escalation → exfil → ransom |
| vol07-origin-and-how-the-term-is-actually-used | HackerTradecraft_Complete.html#vol07-origin-and-how-the-term-is-actually-used | Black-hat term origin; threat-actor categories; APT vs criminal-economy distinction |
| vol07-resources | HackerTradecraft_Complete.html#vol07-resources | Vol 7 footnotes and external resources |
| vol07-the-criminal-economy | HackerTradecraft_Complete.html#vol07-the-criminal-economy | IAB → RaaS → affiliate → launderer — the criminal-economy pipeline; pricing tiers |
| vol07-tools-of-the-trade | HackerTradecraft_Complete.html#vol07-tools-of-the-trade | Criminal-economy toolchain — initial-access brokers, malware-as-a-service, ransomware platforms |
Vol 8 — The grey hat: outside the rules but not for profit
| Anchor | Full link | Covers |
|---|---|---|
| vol08-a-day-in-the-life-the-independent-researcher | HackerTradecraft_Complete.html#vol08-a-day-in-the-life-the-independent-researcher | A day in the life — the independent researcher |
| vol08-callouts-and-cross-references | HackerTradecraft_Complete.html#vol08-callouts-and-cross-references | Vol 8 callouts and cross-references |
| vol08-definition-and-boundary | HackerTradecraft_Complete.html#vol08-definition-and-boundary | Grey-hat as outside-the-rules-but-not-for-profit; the legal posture |
| vol08-famous-figures | HackerTradecraft_Complete.html#vol08-famous-figures | L0pht collective, Bunnie Huang, Mark Dowd, weev, Tavis Ormandy — five grey-hat profiles |
| vol08-how-they-get-hired-the-grey-to-white-conversion-pathway | HackerTradecraft_Complete.html#vol08-how-they-get-hired-the-grey-to-white-conversion-pathway | The grey-to-white conversion pathway via bug bounty + safe harbor |
| vol08-methods-and-tradecraft-the-disclosure-decision-point | HackerTradecraft_Complete.html#vol08-methods-and-tradecraft-the-disclosure-decision-point | The disclosure decision — the canonical grey-hat tradecraft moment |
| vol08-origin-and-how-the-term-is-actually-used | HackerTradecraft_Complete.html#vol08-origin-and-how-the-term-is-actually-used | Grey-hat term origin; 1990s L0pht / Cult of the Dead Cow lineage |
| vol08-resources | HackerTradecraft_Complete.html#vol08-resources | Vol 8 footnotes and external resources |
| vol08-tools-of-the-trade | HackerTradecraft_Complete.html#vol08-tools-of-the-trade | Independent-researcher working set; tooling overlaps with white-hat |
Vol 9 — The green hat: the learner
| Anchor | Full link | Covers |
|---|---|---|
| vol09-a-day-in-the-life | HackerTradecraft_Complete.html#vol09-a-day-in-the-life | Three composite green-hat day-in-the-life sketches |
| vol09-callouts-and-cross-references | HackerTradecraft_Complete.html#vol09-callouts-and-cross-references | Vol 9 callouts and cross-references |
| vol09-definition-and-boundary | HackerTradecraft_Complete.html#vol09-definition-and-boundary | Green-hat as the learner; the on-ramp into the field |
| vol09-famous-figures-five-self-taught-arcs | HackerTradecraft_Complete.html#vol09-famous-figures-five-self-taught-arcs | Five self-taught arcs — Hammond, STÖK, NahamSec, InsiderPhD, LiveOverflow |
| vol09-how-they-get-hired-entry-level-reality | HackerTradecraft_Complete.html#vol09-how-they-get-hired-entry-level-reality | Entry-level reality — SOC tier-1 / junior pentest / IT-pivot pathways; US 2026 compensation bands |
| vol09-methods-and-tradecraft-the-lab-loop | HackerTradecraft_Complete.html#vol09-methods-and-tradecraft-the-lab-loop | The lab loop — HackTheBox / TryHackMe / CTF / homelab |
| vol09-origin-and-how-the-term-is-actually-used | HackerTradecraft_Complete.html#vol09-origin-and-how-the-term-is-actually-used | Green-hat term origin and modern usage |
| vol09-resources | HackerTradecraft_Complete.html#vol09-resources | Vol 9 footnotes and external resources |
| vol09-tools-of-the-trade-the-learners-starter-kit | HackerTradecraft_Complete.html#vol09-tools-of-the-trade-the-learners-starter-kit | The learner’s starter kit — beginner-tier toolchain and lab-platform onboarding |
Vol 10 — The blue hat: the defender
| Anchor | Full link | Covers |
|---|---|---|
| vol10-a-day-in-the-life | HackerTradecraft_Complete.html#vol10-a-day-in-the-life | Three composites — SOC tier-1 / DFIR specialist / detection engineer |
| vol10-callouts-and-cross-references | HackerTradecraft_Complete.html#vol10-callouts-and-cross-references | Vol 10 callouts (asymmetric-disadvantage / no-hack-back); cross-references |
| vol10-definition-and-boundary | HackerTradecraft_Complete.html#vol10-definition-and-boundary | Blue-hat as defender (primary modern sense); the two-live-meanings disambiguation |
| vol10-famous-figures | HackerTradecraft_Complete.html#vol10-famous-figures | Krebs, Lambert, Sarah Edwards, Florian Roth, Lesley Carhart — five defender profiles |
| vol10-how-they-get-hired | HackerTradecraft_Complete.html#vol10-how-they-get-hired | Defender cert ladder (Security+ / CySA+ / SANS GIAC family / CISSP); 5 specialization paths |
| vol10-methods-and-tradecraft-the-detect-triage-respond-hunt-loop | HackerTradecraft_Complete.html#vol10-methods-and-tradecraft-the-detect-triage-respond-hunt-loop | The four-phase loop with detection-engineering feedback as centerpiece |
| vol10-origin-and-how-the-term-is-actually-used | HackerTradecraft_Complete.html#vol10-origin-and-how-the-term-is-actually-used | Military red-team/blue-team lineage; Microsoft BlueHat 2005; the 2026 collision |
| vol10-resources | HackerTradecraft_Complete.html#vol10-resources | Vol 10 footnotes and external resources |
| vol10-tools-of-the-trade | HackerTradecraft_Complete.html#vol10-tools-of-the-trade | Defender toolchain — SIEM / EDR / network monitoring / threat-intel / detection-engineering / IR / RF-defensive |
Vol 11 — The red hat: sanctioned aggressor
| Anchor | Full link | Covers |
|---|---|---|
| vol11-a-day-in-the-life | HackerTradecraft_Complete.html#vol11-a-day-in-the-life | Three composites — opening day / mid-engagement / report-out |
| vol11-callouts-and-cross-references | HackerTradecraft_Complete.html#vol11-callouts-and-cross-references | Vol 11 callouts and cross-references |
| vol11-definition-and-boundary | HackerTradecraft_Complete.html#vol11-definition-and-boundary | Red-hat as sanctioned aggressor; distinct from pentest by objective-based long engagement |
| vol11-famous-figures | HackerTradecraft_Complete.html#vol11-famous-figures | Mudge, Schroeder, Owens, Williams, Nayak — five red-team profiles |
| vol11-how-they-get-hired | HackerTradecraft_Complete.html#vol11-how-they-get-hired | Red-team cert ladder (CRTO / CRTL / OSEP / SANS); typical career trajectory from pentester |
| vol11-methods-and-tradecraft-the-engagement-lifecycle | HackerTradecraft_Complete.html#vol11-methods-and-tradecraft-the-engagement-lifecycle | The red-team engagement lifecycle — recon → initial → escalation → lateral → objective → exfil → reporting |
| vol11-origin-and-how-the-term-is-actually-used | HackerTradecraft_Complete.html#vol11-origin-and-how-the-term-is-actually-used | Military red-team lineage; adversary-emulation discipline; modern usage |
| vol11-resources | HackerTradecraft_Complete.html#vol11-resources | Vol 11 footnotes and external resources |
| vol11-tools-of-the-trade | HackerTradecraft_Complete.html#vol11-tools-of-the-trade | C2 frameworks (Cobalt Strike / Sliver / Mythic / Brute Ratel / Havoc); ATT&CK; physical-entry staging |
Vol 12 — The purple hat: red-blue integration
| Anchor | Full link | Covers |
|---|---|---|
vol12-a-day-in-the-life | HackerTradecraft_Complete.html#vol12-a-day-in-the-life | Day-in-the-life composites for purple-team practitioner |
vol12-callouts-and-cross-references | HackerTradecraft_Complete.html#vol12-callouts-and-cross-references | Vol 12 callouts and cross-references |
vol12-definition-and-boundary | HackerTradecraft_Complete.html#vol12-definition-and-boundary | Purple-as-verb (the practice) vs purple-as-noun (the team); integration discipline |
vol12-famous-figures | HackerTradecraft_Complete.html#vol12-famous-figures | Van Buggenhout, Bohannon, Peacock, Smith+Haag, Henderson — five purple-team profiles |
vol12-how-they-get-hired | HackerTradecraft_Complete.html#vol12-how-they-get-hired | Purple-team cert path (SANS SEC599 / GIAC GDAT); typical from-red or from-blue trajectory |
vol12-methods-and-tradecraft-the-purple-team-exercise-loop | HackerTradecraft_Complete.html#vol12-methods-and-tradecraft-the-purple-team-exercise-loop | The exercise loop — atomic / scenario / BAS / continuous purple |
vol12-origin-and-how-the-term-is-actually-used | HackerTradecraft_Complete.html#vol12-origin-and-how-the-term-is-actually-used | Purple-team origin; SANS SEC599 (2016); the 2020s mainstreaming |
vol12-resources | HackerTradecraft_Complete.html#vol12-resources | Vol 12 footnotes and external resources |
vol12-tools-of-the-trade | HackerTradecraft_Complete.html#vol12-tools-of-the-trade | Atomic Red Team / CALDERA / VECTR / BAS platforms (AttackIQ / SafeBreach / Cymulate / Picus) |
Vol 13 — RF tradecraft I: SDR and sub-GHz
| Anchor | Full link | Covers |
|---|---|---|
vol13-about-this-volume | HackerTradecraft_Complete.html#vol13-about-this-volume | Vol 13 framing — engineer-grade RF tradecraft I; the reference cluster opens |
vol13-cross-reference-index | HackerTradecraft_Complete.html#vol13-cross-reference-index | Vol 13 cross-reference index — inbound/outbound links and frozen H2 anchors |
vol13-legal-and-regulatory | HackerTradecraft_Complete.html#vol13-legal-and-regulatory | Receive-vs-transmit; FCC Parts 15 (§15.231 / §15.247 / §15.249) and 97; ECPA + 47 USC § 605; CFAA replay overlay |
vol13-resources | HackerTradecraft_Complete.html#vol13-resources | Vol 13 footnotes and external resources |
vol13-sdr-fundamentals | HackerTradecraft_Complete.html#vol13-sdr-fundamentals | I/Q theory, sample rate vs bandwidth, the canonical SDR receive chain, the four numbers |
vol13-sub-ghz-in-practice | HackerTradecraft_Complete.html#vol13-sub-ghz-in-practice | Sub-GHz attack surface — 315/433/868/915 MHz ISM, three-branch protocol taxonomy, replay-defeats table |
vol13-the-capture-analyze-replay-workflow | HackerTradecraft_Complete.html#vol13-the-capture-analyze-replay-workflow | Capture-analyze-replay — rtl_sdr / hackrf_transfer / URH / Inspectrum / GNU Radio / rtl_433 |
vol13-the-gear-sdr-hardware-comparison | HackerTradecraft_Complete.html#vol13-the-gear-sdr-hardware-comparison | 9-row SDR hardware comparison — RTL-SDR / HackRF / PortaPack / PortaRF / Flipper / Pluto / BladeRF / LimeSDR / USRP |
vol13-the-rf-spectrum-map | HackerTradecraft_Complete.html#vol13-the-rf-spectrum-map | 26-row spectrum table — LF RFID 125 kHz through Wi-Fi 6E 7 GHz, with regulatory class and capture-difficulty |
Vol 14 — RF tradecraft II: Wi-Fi and BLE
| Anchor | Full link | Covers |
|---|---|---|
vol14-about-this-volume | HackerTradecraft_Complete.html#vol14-about-this-volume | Vol 14 framing — RF tradecraft II; Wi-Fi and BLE |
vol14-ble-the-protocol-and-the-attack-surface | HackerTradecraft_Complete.html#vol14-ble-the-protocol-and-the-attack-surface | BLE — protocol stack, advertising/connected/extended, pairing observation, BLE-spam, BLE-relay |
vol14-cross-reference-index | HackerTradecraft_Complete.html#vol14-cross-reference-index | Vol 14 cross-reference index — inbound/outbound links and frozen H2 anchors |
vol14-legal-and-regulatory | HackerTradecraft_Complete.html#vol14-legal-and-regulatory | Vol 14 legal-and-regulatory — Part 15 + Part 90 + ECPA + CFAA for active Wi-Fi attacks |
vol14-resources | HackerTradecraft_Complete.html#vol14-resources | Vol 14 footnotes and external resources |
vol14-the-802.11-attack-surface | HackerTradecraft_Complete.html#vol14-the-802.11-attack-surface | The 802.11 attack surface — management/control/data frames, deauth, MAC randomization, WPS |
vol14-the-gear-wi-fi-and-ble-platform-comparison | HackerTradecraft_Complete.html#vol14-the-gear-wi-fi-and-ble-platform-comparison | Wi-Fi and BLE platform comparison — Alfa AWUS family, ESP32 Marauder modules, WiFi Pineapple, Ubertooth |
vol14-the-handshake-capture-and-offline-crack-pipeline | HackerTradecraft_Complete.html#vol14-the-handshake-capture-and-offline-crack-pipeline | Handshake capture and offline crack — Aircrack-ng suite, EAPOL, PMK, PMKID, hashcat |
vol14-the-rogue-ap-family-techniques-and-lineage | HackerTradecraft_Complete.html#vol14-the-rogue-ap-family-techniques-and-lineage | Rogue-AP family lineage — KARMA → Jasager → MANA → PineAP |
Vol 15 — RF tradecraft III: RFID, NFC, and access control
| Anchor | Full link | Covers |
|---|---|---|
vol15-about-this-volume | HackerTradecraft_Complete.html#vol15-about-this-volume | Vol 15 framing — RF tradecraft III; RFID, NFC, and access control |
vol15-access-control-attacks-capability-level-catalog | HackerTradecraft_Complete.html#vol15-access-control-attacks-capability-level-catalog | Access-control attacks catalog — by capability level: passive read → clone → emulate → relay |
vol15-cross-reference-index | HackerTradecraft_Complete.html#vol15-cross-reference-index | Vol 15 cross-reference index — inbound/outbound links and frozen H2 anchors |
vol15-legal-and-regulatory | HackerTradecraft_Complete.html#vol15-legal-and-regulatory | Vol 15 legal-and-regulatory — RFID-specific regulatory frame, burglary-tools statutes |
vol15-lf-vs-hf-rfid-the-physics-and-the-operational-differences | HackerTradecraft_Complete.html#vol15-lf-vs-hf-rfid-the-physics-and-the-operational-differences | LF (125 kHz) vs HF (13.56 MHz) RFID — physics, range, attack-surface differences |
vol15-nfc-the-protocol-stack-and-the-attack-surface | HackerTradecraft_Complete.html#vol15-nfc-the-protocol-stack-and-the-attack-surface | NFC protocol stack — ISO 14443/15693/18092, NDEF, APDU, HCE; the modern smartphone-NFC attack surface |
vol15-resources | HackerTradecraft_Complete.html#vol15-resources | Vol 15 footnotes and external resources |
vol15-the-card-families-reference-catalog | HackerTradecraft_Complete.html#vol15-the-card-families-reference-catalog | Card families catalog — EM4100/4102, HID Prox, Indala, Hitag2, MIFARE Classic/Plus/DESFire/Ultralight, iCLASS, NTAG, LEGIC |
vol15-the-gear-rfid-and-nfc-hardware-comparison | HackerTradecraft_Complete.html#vol15-the-gear-rfid-and-nfc-hardware-comparison | RFID/NFC hardware comparison — ACR122U / PN532 / ChameleonUltra / Proxmark3 RDV4 / Flipper Zero |
Vol 16 — Computer-hacking tradecraft
| Anchor | Full link | Covers |
|---|---|---|
vol16-about-this-volume | HackerTradecraft_Complete.html#vol16-about-this-volume | Vol 16 framing — computer-hacking tradecraft (BadUSB / keyloggers / network implants / Hak5 family) |
vol16-combined-workflows-rf-plus-physical-implant-staging | HackerTradecraft_Complete.html#vol16-combined-workflows-rf-plus-physical-implant-staging | Combined workflows — RF + physical implant staging (badge clone → drop box; Pineapple staging) |
vol16-cross-reference-index | HackerTradecraft_Complete.html#vol16-cross-reference-index | Vol 16 cross-reference index — inbound/outbound links and frozen H2 anchors |
vol16-defense-and-detection | HackerTradecraft_Complete.html#vol16-defense-and-detection | Defense and detection — USB filtering, in-band keystroke-injection detection, tamper-evident enclosures |
vol16-hid-injection-and-badusb-the-keystroke-injection-principle | HackerTradecraft_Complete.html#vol16-hid-injection-and-badusb-the-keystroke-injection-principle | HID injection and BadUSB — Nohl + Lell Black Hat 2014; the keystroke-injection principle |
vol16-keyloggers-hardware-versus-software | HackerTradecraft_Complete.html#vol16-keyloggers-hardware-versus-software | Keyloggers — hardware (in-line, Key Croc) vs software; detection and defense |
vol16-network-implants-drop-boxes-and-persistence-devices | HackerTradecraft_Complete.html#vol16-network-implants-drop-boxes-and-persistence-devices | Network implants — LAN Turtle, Packet Squirrel, Shark Jack, drop boxes (Raspberry Pi + Kali) |
vol16-resources | HackerTradecraft_Complete.html#vol16-resources | Vol 16 footnotes and external resources |
vol16-the-hak5-implant-family-mapped-catalog | HackerTradecraft_Complete.html#vol16-the-hak5-implant-family-mapped-catalog | The Hak5 implant family — Rubber Ducky, Bash Bunny, Key Croc, O.MG Cable, LAN Turtle, Packet Squirrel, Shark Jack, Plunder Bug |
Vol 17 — Social engineering tradecraft
| Anchor | Full link | Covers |
|---|---|---|
vol17-about-this-volume | HackerTradecraft_Complete.html#vol17-about-this-volume | Vol 17 framing — social engineering tradecraft; the applied end of a deep academic literature |
vol17-cross-reference-index | HackerTradecraft_Complete.html#vol17-cross-reference-index | Vol 17 cross-reference index — inbound/outbound links and frozen H2 anchors |
vol17-defense-awareness-programs-technical-controls-the-human-firewall-reality | HackerTradecraft_Complete.html#vol17-defense-awareness-programs-technical-controls-the-human-firewall-reality | Defense — awareness programs (KnowBe4 / Cofense) + technical controls (SPF/DKIM/DMARC/FIDO2) + human-firewall reality |
vol17-osint-the-reconnaissance-phase | HackerTradecraft_Complete.html#vol17-osint-the-reconnaissance-phase | OSINT reconnaissance — public records / social media / technical footprint / breach data / Bellingcat methodology |
vol17-phishing-vishing-smishing-the-delivery-channels | HackerTradecraft_Complete.html#vol17-phishing-vishing-smishing-the-delivery-channels | Phishing / vishing / smishing — the three delivery channels; AiTM via Evilginx + Modlishka + Muraena |
vol17-physical-entry-tailgating-badge-clone-the-se-physical-chain | HackerTradecraft_Complete.html#vol17-physical-entry-tailgating-badge-clone-the-se-physical-chain | Physical entry — tailgating + badge clone; the SE-physical chain through TOOOL |
vol17-pretexting-building-and-running-a-cover | HackerTradecraft_Complete.html#vol17-pretexting-building-and-running-a-cover | Pretexting — building and running a cover; pretext families (authority/familiarity/urgency) |
vol17-resources | HackerTradecraft_Complete.html#vol17-resources | Vol 17 footnotes and external resources |
vol17-the-psychology-principles-se-exploits | HackerTradecraft_Complete.html#vol17-the-psychology-principles-se-exploits | Cialdini’s six (reciprocity/commitment/social-proof/authority/liking/scarcity) + Unity 7th + urgency/cognitive-load meta |
Vol 18 — Careers
| Anchor | Full link | Covers |
|---|---|---|
vol18-about-this-volume | HackerTradecraft_Complete.html#vol18-about-this-volume | Vol 18 framing — careers synthesis cluster opens; pulling together per-hat §6 sections |
vol18-building-a-reputation-the-long-form-play | HackerTradecraft_Complete.html#vol18-building-a-reputation-the-long-form-play | Reputation — conference talks (BSides → DEF CON → specialty) + blog + tool authorship + bug-bounty visibility |
vol18-certs-decoded-the-full-landscape | HackerTradecraft_Complete.html#vol18-certs-decoded-the-full-landscape | Cert landscape — Security+ / OffSec ladder / SANS GIAC / red-team specialty / cloud / managerial tier |
vol18-leveling-and-compensation-reality-us-2026 | HackerTradecraft_Complete.html#vol18-leveling-and-compensation-reality-us-2026 | Leveling and US 2026 compensation reality — ~30+ role/level bands; geographic + clearance premiums |
vol18-resources | HackerTradecraft_Complete.html#vol18-resources | Vol 18 footnotes and external resources |
vol18-the-interview | HackerTradecraft_Complete.html#vol18-the-interview | Interview — recruiter screen / technical screen / practical exam / scenario / system-design / behavioral / red-flags |
vol18-the-path-map-green-hat-to-destination | HackerTradecraft_Complete.html#vol18-the-path-map-green-hat-to-destination | The path map — entry points → mid-career branches → senior destinations |
vol18-the-paths-career-destinations-and-trade-offs | HackerTradecraft_Complete.html#vol18-the-paths-career-destinations-and-trade-offs | Eight career destinations — consulting / in-house / bug bounty / research / govt-defense / vendor / education / training |
vol18-the-portfolio-and-home-lab | HackerTradecraft_Complete.html#vol18-the-portfolio-and-home-lab | Portfolio — home lab / CTF writeups / CVE pipeline / open-source contributions / talks / bug-bounty reputation |
Vol 19 — The legal line and ethics
| Anchor | Full link | Covers |
|---|---|---|
vol19-about-this-volume | HackerTradecraft_Complete.html#vol19-about-this-volume | Vol 19 framing — the canonical legal reference; 30+ inbound references from every cluster |
vol19-authorization-in-practice | HackerTradecraft_Complete.html#vol19-authorization-in-practice | SOW + Scope + ROE + GOJL + bug-bounty safe-harbor; DOJ May 2022 CFAA charging policy |
vol19-cfaa-in-depth | HackerTradecraft_Complete.html#vol19-cfaa-in-depth | CFAA 18 USC § 1030 — seven subsections, protected-computer reach, Van Buren 2021, mens rea, penalty structure, Swartz |
vol19-cross-reference-index | HackerTradecraft_Complete.html#vol19-cross-reference-index | Vol 19 cross-reference index — 30+ inbound references catalogued |
vol19-disclosure-ethics | HackerTradecraft_Complete.html#vol19-disclosure-ethics | Four disclosure paths (full / coordinated / sale-to-broker / sit-on-it); disclosure-decision-tree |
vol19-ethical-frameworks | HackerTradecraft_Complete.html#vol19-ethical-frameworks | Professional codes (ISC²/EC-Council/ISACA/SANS/OffSec); Belmont/Menlo Report; bug-bounty community norms; the personal ethical line |
vol19-international-equivalents | HackerTradecraft_Complete.html#vol19-international-equivalents | UK CMA / EU 2013/40/EU / Canada s.342.1 / Australia Cybercrime Act / German StGB §§ 202a-c / Japan / Budapest Convention |
vol19-resources | HackerTradecraft_Complete.html#vol19-resources | Vol 19 footnotes and external resources |
vol19-rf-specific-law | HackerTradecraft_Complete.html#vol19-rf-specific-law | RF-specific law — ECPA + 47 USC § 605 + FCC Parts 15/90/95/97 + § 333 willful-interference (Marriott) |
4. How to link into this deep dive — worked example
Other Hack Tools deep dives (HackRF One, Flipper Zero, WiFi Pineapple, Proxmark3, RTL-SDR, Ducky Script, the per-tool inventories) routinely link into this series for the canonical treatment of a term, a piece of legal frame, a hat-taxonomy boundary, or a hiring discussion. This section is the practical guide for those sibling-deep-dive authors.
4.1 The canonical link form
The consolidated deliverable lives at:
Hack Tools/Hacker Tradecraft/03-outputs/HackerTradecraft_Complete.html
Every H2 section in Vols 6-19 carries an auto-generated stable ID of the form vol{NN}-<slug> where <slug> is the heading text lowercased, hyphenated, with leading section numbers stripped. The canonical link form is:
HackerTradecraft_Complete.html#vol{NN}-<heading-slug>
For example, the H2 heading “Authorization in practice” in Vol 19 renders as:
<h2 id="vol19-authorization-in-practice">Authorization in practice</h2>
…and is linked as HackerTradecraft_Complete.html#vol19-authorization-in-practice. The complete frozen-anchor catalog is §3 above.
4.2 Relative paths from sibling deep dives
A sibling deep dive at Hack Tools/<Tool>/03-outputs/<Tool>_Complete.html reaches this one via two ../ steps (out of 03-outputs/, out of the tool directory) plus the path back in. Spaces in directory names must be URL-encoded as %20:
../Hacker%20Tradecraft/03-outputs/HackerTradecraft_Complete.html#vol13-the-rf-spectrum-map
The most common patterns in markdown:
For the CFAA treatment, see
[Hacker Tradecraft Vol 19 §2](../Hacker%20Tradecraft/03-outputs/HackerTradecraft_Complete.html#vol19-cfaa-in-depth).
For the SDR fundamentals + spectrum map, see
[Hacker Tradecraft Vol 13](../Hacker%20Tradecraft/03-outputs/HackerTradecraft_Complete.html#vol13-sdr-fundamentals)
and the [spectrum map](../Hacker%20Tradecraft/03-outputs/HackerTradecraft_Complete.html#vol13-the-rf-spectrum-map).
The white-hat / black-hat / grey-hat boundaries are defined in
[Vol 6](../Hacker%20Tradecraft/03-outputs/HackerTradecraft_Complete.html#vol06-definition-and-boundary),
[Vol 7](../Hacker%20Tradecraft/03-outputs/HackerTradecraft_Complete.html#vol07-definition-and-boundary),
and [Vol 8](../Hacker%20Tradecraft/03-outputs/HackerTradecraft_Complete.html#vol08-definition-and-boundary).
4.3 The stability guarantee
The anchor catalog in §3 is the frozen-append-only contract. The implications:
- Heading text in Vols 6-19 will not be renamed. Once published, the H2 heading text — and therefore the auto-generated anchor — is the contract.
- New H2 headings are added freely. Appending is permitted because it does not change any existing anchor; the anchor catalog is regenerated and grows.
- If a heading absolutely must change (because it became misleading, not just because someone preferred a different phrasing), the discipline is to leave the old heading in place as a redirect stub rather than rename it:
  ## Old heading text
  > Moved to [§X.X New heading text](#new-anchor-slug).
  …so inbound traffic still lands somewhere informative.
- `tools/link_crossrefs.py` is the verification. Running `python3 tools/link_crossrefs.py --check` from the Hack Tools repository root scans every markdown source for cross-deep-dive `Complete.html#vol{NN}-<slug>` references and reports any that no longer resolve in the rendered HTML. The pre-commit hook runs it automatically; manual invocation is the recommended check after editing any cross-referencing volume.
4.4 Worked round-trip example
Suppose an author of the WiFi Pineapple deep dive wants to point at the rogue-AP family lineage treatment in Vol 14 §3. The full procedure:
- Look up the anchor in §3: find the row for the Rogue-AP family heading under “Vol 14 — RF tradecraft II”. The anchor is `vol14-the-rogue-ap-family-techniques-and-lineage`.
- Construct the relative path. WiFi Pineapple’s deliverable is at `Hack Tools/WiFi Pineapple/03-outputs/WiFiPineapple_Complete.html`; Hacker Tradecraft’s is at `Hack Tools/Hacker Tradecraft/03-outputs/HackerTradecraft_Complete.html`. The relative path is `../Hacker%20Tradecraft/03-outputs/HackerTradecraft_Complete.html`.
- Write the link:
  The Pineapple's PineAP engine descends from the KARMA → Jasager → MANA → PineAP lineage; see the [Hacker Tradecraft Vol 14 §3 treatment](../Hacker%20Tradecraft/03-outputs/HackerTradecraft_Complete.html#vol14-the-rogue-ap-family-techniques-and-lineage) for the protocol-level walk-through.
- Rebuild and verify. Rebuild the WiFi Pineapple deliverable from its source markdown (`bash WiFi\ Pineapple/02-inputs/volume_sources/build/rebuild_complete.sh` or equivalent). Open the deliverable in a browser, click the link, and confirm it lands on the right H2 heading in the Hacker Tradecraft deliverable.
- Run the cross-reference checker before committing: `python3 tools/link_crossrefs.py --check`, which scans every markdown source in the repo for `Complete.html#vol{NN}-<slug>` references and reports any that don’t resolve.
4.5 Anti-patterns to avoid
- Don’t link to footnote anchors (`#vol19-fn7`). Footnote numbers are not stable across re-builds; they renumber if any footnote is added or removed earlier in the volume.
- Don’t link to in-table-cell anchors or code-block anchors. Only the H2 heading anchors carry the stability guarantee.
- Don’t write absolute paths or `file://` URIs. The repository must be portable across machines; relative paths from `03-outputs/` are the only correct form.
- Don’t omit the `%20` URL-encoding for spaces in “Hacker Tradecraft”, “WiFi Pineapple”, “Bus Pirate 6”, or other multi-word tool directories. Bare spaces in markdown links work in some renderers and silently break in others; the URL-encoded form works universally.
- Don’t deep-link to H3 anchors. They are auto-generated but not formally frozen by the discipline above; H3 headings inside a section are more often refactored. The H2 level is the contract surface.
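An added example, not code from the series or its tools (the page does not reproduce `build_single_html.py` or `link_crossrefs.py`), that models the §4.1-§4.5 contract end to end: `slugify_heading` derives the `vol{NN}-<slug>` id from H2 text by the rule §4.1 states (the exact character-collapsing rule the builder uses is an assumption, chosen so that catalog slugs such as `vol14-the-802.11-attack-surface` come out right); `relative_link` builds the `%20`-encoded relative link, deriving the `../` depth from the two deliverable paths with `posixpath.relpath` rather than hard-coding it (resolved against the linking file's own directory, that is the two steps up §4.2 describes); and `check_crossrefs` plays the role of the `--check` pass, scanning constructed sibling markdown for `Complete.html#vol{NN}-<slug>` links and reporting the §4.5 anti-patterns together with anchors that no longer resolve. The sample headings, markdown and sibling file names are constructed for the demonstration.

```python
"""Model of the §4 anchor contract (added example; not the series' own
build_single_html.py or link_crossrefs.py, whose code is not on the page).
Slug rule, link form and anti-pattern checks follow §4.1-§4.5; the sample
headings and sibling markdown below are constructed for the demonstration."""
import posixpath
import re
from urllib.parse import quote

SERIES_HTML = "Hack Tools/Hacker Tradecraft/03-outputs/HackerTradecraft_Complete.html"


def slugify_heading(vol: int, heading: str) -> str:
    """vol{NN}-<slug>: leading section number stripped, lowercased, hyphenated.
    Assumption: runs of anything but letters, digits and dots collapse to one
    hyphen (the catalog keeps the dot in vol14-the-802.11-attack-surface)."""
    text = re.sub(r"^\s*\d+(?:\.\d+)*\.?\s+", "", heading)  # "3.2 Foo" -> "Foo"
    slug = re.sub(r"[^a-z0-9.]+", "-", text.lower()).strip("-.")
    return f"vol{vol:02d}-{slug}"


def relative_link(from_deliverable: str, anchor: str) -> str:
    """Link a sibling deliverable writes to a series H2 anchor.
    The ../ depth is derived from the two paths: a browser resolves it against
    the linking file's own directory, so from
    Hack Tools/<Tool>/03-outputs/<Tool>_Complete.html that is the two steps up
    (03-outputs/, then the tool directory) of §4.2. quote() turns spaces in
    directory names into %20 and leaves '/' alone."""
    rel = posixpath.relpath(SERIES_HTML, start=posixpath.dirname(from_deliverable))
    return f"{quote(rel)}#{anchor}"


def render_heading(vol: int, level: int, heading: str) -> str:
    """What the builder side emits: the id is auto-generated from the text."""
    return f'<h{level} id="{slugify_heading(vol, heading)}">{heading}</h{level}>'


ID_RE = re.compile(r'<h([23])\s+id="([^"]+)"')
LINK_RE = re.compile(r"\]\(([^)]*Complete\.html)#([^)]+)\)")


def heading_ids(rendered_html: str) -> dict:
    """Heading level -> set of ids present in the rendered deliverable."""
    ids = {2: set(), 3: set()}
    for level, anchor in ID_RE.findall(rendered_html):
        ids[int(level)].add(anchor)
    return ids


def check_crossrefs(markdown: str, ids: dict) -> list:
    """(anchor, problems) for every Complete.html#... link breaking §4.3/§4.5."""
    findings = []
    for path, anchor in LINK_RE.findall(markdown):
        problems = []
        if path.startswith("/") or path.startswith("file://"):
            problems.append("absolute path: write it relative to 03-outputs/")
        if " " in path:
            problems.append("bare space in path: URL-encode as %20")
        if re.fullmatch(r"vol\d{2}-fn\d+", anchor):
            problems.append("footnote anchor: renumbers on rebuild")
        elif anchor in ids[3]:
            problems.append("H3 anchor: not frozen, only H2 ids are the contract")
        elif anchor not in ids[2]:
            problems.append("does not resolve to any H2 id in the rendered HTML")
        if problems:
            findings.append((anchor, problems))
    return findings


# Constructed stand-ins for two series volumes' headings (not the real TOC).
SAMPLE_HEADINGS = [
    (14, 2, "2. The 802.11 attack surface"),
    (14, 2, "3. The rogue-AP family: techniques and lineage"),
    (14, 3, "3.1 KARMA"),
    (19, 2, "2. CFAA in depth"),
]
SAMPLE_RENDERED_HTML = "\n".join(render_heading(*h) for h in SAMPLE_HEADINGS)

PINEAPPLE_HTML = "Hack Tools/WiFi Pineapple/03-outputs/WiFiPineapple_Complete.html"
GOOD_LINK = relative_link(PINEAPPLE_HTML, "vol14-the-rogue-ap-family-techniques-and-lineage")
SERIES_REL = GOOD_LINK.split("#")[0]  # "../../Hacker%20Tradecraft/03-outputs/...html"

# Constructed sibling markdown: one correct link, then five §4.5 anti-patterns.
SAMPLE_MARKDOWN = f"""\
See the [Vol 14 §3 treatment]({GOOD_LINK}).
[renamed heading]({SERIES_REL}#vol14-rogue-ap-attacks)
[footnote]({SERIES_REL}#vol19-fn7)
[H3 link]({SERIES_REL}#vol14-karma)
[bare spaces](../../Hacker Tradecraft/03-outputs/HackerTradecraft_Complete.html#vol19-cfaa-in-depth)
[absolute](file:///home/me/Hack%20Tools/Hacker%20Tradecraft/03-outputs/HackerTradecraft_Complete.html#vol19-cfaa-in-depth)
"""


def run_check() -> list:
    """Run the checker over the constructed inputs; the correct link yields none."""
    return check_crossrefs(SAMPLE_MARKDOWN, heading_ids(SAMPLE_RENDERED_HTML))


if __name__ == "__main__":
    for anchor, problems in run_check():
        print(f"{anchor}: {'; '.join(problems)}")
```

Running the file prints one line per offending link (five for the constructed markdown) and nothing for the correct one; the same `check_crossrefs` call can be pointed at real source files and a real rendered deliverable by substituting their contents for the two constructed strings.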
5. Volume-by-volume summary
A one-paragraph navigation aid for readers who want the meta-view of the entire series. For depth, jump to the volume linked at the head of each paragraph; for the canonical anchor catalog inside each, see §3.
Vol 1 — Overview
The series prologue: what “tradecraft” means in the engineer-grade sense used throughout, who the intended reader is, the decision graph (a quick “I want to learn about X → read Vol Y” map), the hat spectrum at a glance, and the cross-cutting reading orders (chronological vs hat-cluster vs reference-cluster vs synthesis-cluster). Read first; the rest of the series assumes the framing established here.
Vol 2 — History I: 1950s-1970s
Proto-hacking and the pre-internet substrate: phreaking and the AT&T monopoly era; MIT TMRC and the early MIT-AI-Lab hacker culture; the hacker ethic as formalized by Levy; Homebrew Computer Club and the homebrew-PC genesis; the cultural pump that fed the field’s first generation. Establishes the lineage that later volumes reference when discussing why specific people / institutions matter (the L0pht traces back here, as does Mitnick, as does much of the original DEF CON cohort).
Vol 3 — History II: 1980s-1990s
Golden age and criminalization. BBS culture and the 414s (the 1983 Milwaukee group’s intrusions that triggered House hearings); the criminalization wave (CFAA 1986; the Morris Worm 1988 and CERT/CC’s founding); Kevin Mitnick’s 1995 arrest as the field’s mass-media debut; the rise of the hacker zines (2600, Phrack); DEF CON’s 1993 founding (Jeff Moss / Dark Tangent) and the conference-circuit’s birth; Aaron Swartz’s JSTOR-download case (2010-2013) as the modern criminalization arc’s terminal moment. Heavy structural reading for Vols 6-12 (the hat cluster, which uses the history as scaffolding).
Vol 4 — History III: 2000s-now
Modern era. The pentest industry’s emergence; the bug-bounty economy (HackerOne 2012; the safe-harbor standardization that converted grey-to-white); the nation-state cyberweapon era (Stuxnet 2010 as the watershed; APT naming and the Mandiant 2013 APT1 report; Snowden’s 2013 disclosures); ransomware-as-a-business and the criminal-economy maturation (REvil, LockBit, Operation Cronos); the conference + CTF circuit as the field’s social credentialing layer; the modern public-figure ecosystem.
Vol 5 — The “hat” metaphor
The cultural-history volume centered on the hat metaphor itself: Western-cinema origins (1900s-1940s good-guy / bad-guy color convention); migration into infosec via the 1980s-1990s zine + BBS culture; DEF CON’s 1993 founding and Black Hat 1997’s spinoff as the moment “black hat” / “white hat” entered industry usage at scale; the taxonomy’s expansion (grey, green, the team-color cluster blue/red/purple); the two-axis problem of authorization-and-intent that the taxonomy approximates. The reader-orientation volume for the seven-volume hat cluster that follows.
Vol 6 — White hat
The authorized professional. Definition (authorized + lawful + accountable); the paperwork-is-the-hat principle; toolchain (Kali, Burp, Metasploit, Nmap, BloodHound, Cobalt Strike under license); engagement lifecycle (scoping → recon → exploitation → post-ex → cleanup); three day-in-the-life composites (consultancy pentester, in-house red-teamer, bug-bounty researcher); cert ladder (OSCP / OSEP / SANS GIAC / CRTO); five famous-figures profiles (Moussouris, Kaminsky, HD Moore, Charlie Miller, Hutchins). The hat cluster’s longest volume and the lineage for Vols 11 (red) and 18 (careers).
Vol 7 — Black hat
The criminal practitioner. Definition + the legal-line treatment (cross-ref to Vol 19); origin and modern usage; criminal-economy toolchain (initial-access brokers, malware-as-a-service, ransomware platforms); intrusion-lifecycle-as-crime; a day in the life reconstructed from court records; the criminal-economy pipeline (IAB → RaaS → affiliate → launderer with pricing tiers); five profiles (Gonzalez, Butler, Bogachev, Park Jin Hyok, Yakubets); mandatory danger callout. Black-hat content is sourced strictly from public record; no operational how-to-commit-a-crime detail.
Vol 8 — Grey hat
Outside the rules but not for profit. The most-legally-precarious hat; researcher-disclosure-without-authorization as the canonical grey-hat act; the legal posture varies dramatically by jurisdiction; the grey-to-white conversion pathway via bug-bounty + safe-harbor (HackerOne’s standardization); five profiles (L0pht collective, Bunnie Huang, Mark Dowd, weev, Tavis Ormandy). The L0pht’s 1998 Senate testimony is the canonical late-’90s grey-hat-to-mainstream-credibility moment.
Vol 9 — Green hat
The learner. Definition and the on-ramp framing; the learner’s starter kit (HackTheBox / TryHackMe / homelab + a beginner-tier RF starter-kit progression RTL-SDR → Flipper → HackRF → Proxmark3); the lab loop; entry-level reality (SOC tier-1 / junior pentest / IT-pivot pathways with US 2026 compensation bands); five self-taught arcs (Hammond, STÖK, NahamSec, InsiderPhD, LiveOverflow). The volume that the modal “how do I break in?” question routes to.
Vol 10 — Blue hat
The defender. Two-meanings disambiguation up front (defender as primary modern sense; Microsoft BlueHat as the secondary historical sense); seven-layer defender toolchain (SIEM + EDR + network monitoring + threat-intel + detection-engineering + IR + RF-defensive); detect-triage-respond-hunt loop with detection-engineering feedback as centerpiece; three day-in-the-life composites (SOC tier-1, DFIR specialist, detection engineer); defender cert ladder (Security+ / CySA+ / SANS GIAC family / CISSP); five profiles (Krebs, Lambert, Sarah Edwards, Florian Roth, Lesley Carhart). The asymmetric-disadvantage callout is the volume’s structural anchor.
Vol 11 — Red hat
Sanctioned aggressor. Distinct from pentest by objective-based long engagement; military red-team lineage; adversary-emulation discipline; C2 framework working-set (Cobalt Strike / Sliver / Mythic / Brute Ratel / Havoc); the engagement lifecycle at depth; physical-entry / RF+HID staging layer as the bridge to the Hack Tools hub; five profiles (Mudge, Schroeder, Owens, Williams, Nayak). The volume that links most heavily out to sibling deep dives (HackRF / Flipper / Proxmark / Ducky Script / WiFi Pineapple).
Vol 12 — Purple hat
Red-blue integration. Purple-as-verb-not-noun framing; SANS SEC599 (2016) as the discipline’s structural birth; Atomic Red Team / CALDERA / VECTR / BAS platforms (AttackIQ / SafeBreach / Cymulate / Picus); the exercise loop (atomic / scenario / BAS / continuous-purple); five profiles (Van Buggenhout, Bohannon, Peacock, Smith+Haag, Henderson). The volume that closes the hat cluster and feeds Vol 18 careers on detection-engineering as a destination career track.
Vol 13 — RF tradecraft I: SDR and sub-GHz
The reference-cluster opener. I/Q theory + Nyquist + the canonical SDR receive chain at schematic depth (the four numbers that bound capability — sample rate, instantaneous bandwidth, ADC resolution, frequency coverage); the 26-row RF spectrum map (LF RFID 125 kHz through Wi-Fi 6E 7 GHz, with regulatory class and capture-difficulty); sub-GHz attack surface (315/433/868/915 MHz ISM, three-branch protocol taxonomy, replay-defeats table covering KeeLoq / AES-128 / Hitag2 / LoRaWAN / Z-Wave S2); capture-analyze-replay workflow (rtl_sdr / hackrf_transfer / URH / Inspectrum / GNU Radio / rtl_433); 9-row SDR hardware comparison; FCC Parts 15 + 97 + ECPA + 47 USC § 605 + CFAA replay overlay. The volume the HackRF, RTL-SDR, Flipper Zero, and PortaRF deep dives all link into.
Vol 14 — RF tradecraft II: Wi-Fi and BLE
The 802.11 attack surface (management/control/data frames, deauth, MAC randomization, WPS); the rogue-AP family lineage (KARMA → Jasager → MANA → PineAP); the handshake-capture-and-offline-crack pipeline (Aircrack-ng suite, EAPOL, PMK, PMKID, hashcat); BLE protocol and attack surface (advertising/connected/extended, pairing observation, BLE-spam, BLE-relay); Wi-Fi + BLE platform comparison (Alfa AWUS family, ESP32 Marauder modules, WiFi Pineapple, Ubertooth). The volume the WiFi Pineapple deep dive and ESP32 Marauder Firmware deep dive both link into.
Vol 15 — RF tradecraft III: RFID, NFC, and access control
LF (125 kHz) vs HF (13.56 MHz) physics + operational differences; card-families catalog (EM4100/4102, HID Prox, Indala, Hitag2, MIFARE Classic/Plus/DESFire/Ultralight, iCLASS / iCLASS SE / iCLASS Seos, NTAG, LEGIC); the NFC protocol stack (ISO 14443/15693/18092, NDEF, APDU, HCE); access-control attacks by capability level (passive read → clone → emulate → relay); 6-row RFID/NFC hardware comparison (ACR122U / PN532 / ChameleonUltra / Proxmark3 RDV4 / Flipper Zero); burglary-tools-statutes overlay. The volume the Proxmark3 RDV4 and Flipper Zero deep dives both link into.
Vol 16 — Computer-hacking tradecraft
HID injection and BadUSB (Nohl + Lell, Black Hat 2014, the keystroke-injection principle); keyloggers — hardware (in-line, Key Croc) vs software, with detection and defense; network implants (LAN Turtle, Packet Squirrel, Shark Jack) and drop boxes (Raspberry Pi + Kali, commercial PWN Plug); the Hak5 implant family fully mapped (Rubber Ducky / Bash Bunny / Key Croc / O.MG Cable / LAN Turtle / Packet Squirrel / Shark Jack / Plunder Bug with release dates and form factors); combined workflows (RF + physical implant staging — badge clone → drop box; Pineapple staging); defense + detection (USB filtering, in-band keystroke-injection detection, tamper-evident enclosures). The volume the Ducky Script deep dive links into.
Vol 17 — Social engineering tradecraft
The applied end of a deep academic literature. Cialdini’s six (+ Unity 7th + urgency / cognitive-load meta-layer); OSINT reconnaissance (Bellingcat lineage; Maltego / SpiderFoot / Recon-ng / theHarvester / Sherlock / HIBP / Shodan / Censys); pretexting (building and running a cover; the cover-construction four-layer checklist); phishing / vishing / smishing delivery channels (the six-phase campaign lifecycle; AiTM via Evilginx + Modlishka + Muraena trinity); physical-entry / tailgating / badge-clone chain (TOOOL / Deviant Ollam); defense (KnowBe4 / Cofense awareness programs + SPF/DKIM/DMARC/FIDO2 technical controls + the human-firewall reality with DBIR 2025 statistics). The reference-cluster’s social-engineering bookend.
Vol 18 — Careers
The synthesis-cluster opener. Eight career destinations walked (consulting / in-house / bug bounty / research / government-defense / vendor / education / training); cert landscape (Security+ / OffSec ladder / SANS GIAC family / red-team specialty / cloud / managerial tier — ~36 certs catalogued); portfolio and home-lab (CTF writeups / CVE pipeline / open-source contributions / talks / bug-bounty reputation); the interview at depth (recruiter screen / technical screen / practical exam / scenario / system-design / behavioral / red-flags); leveling and US 2026 compensation reality (~30+ role/level bands; geographic + clearance premiums); reputation as the long-form play (conference talks + blog + tool authorship + bug-bounty visibility + practitioner social-media discipline); the path map (entry-points → mid-career branches → senior destinations). The volume that pulls together the per-hat §6 “how they get hired” sections into a single synthesis map.
Vol 19 — The legal line and ethics
The most-cross-referenced single volume in the series. CFAA 18 USC § 1030 at depth (seven subsections, protected-computer reach, Van Buren v. United States 2021 narrowing of “exceeds authorized access”, mens rea, penalty structure, Swartz stacked-charges geometry); international equivalents (UK CMA 1990 + EU Directive 2013/40/EU + Canada s.342.1 + Australia Cybercrime Act 2001 + German StGB §§ 202a-c + Japan Act 128/1999 + Budapest Convention); authorization in practice (SOW + Scope + ROE + GOJL + bug-bounty safe-harbor; DOJ May 2022 charging policy; common scope-failure modes); disclosure ethics (the four canonical paths + disclosure-decision tree); RF-specific law (ECPA + 47 USC § 605 + FCC Parts 15/90/95/97 + § 333 willful-interference with the Marriott $600k forfeiture precedent); ethical frameworks (ISC² / EC-Council / ISACA / SANS / OffSec codes + Belmont/Menlo Report + bug-bounty community norms + the personal ethical line). The connective legal tissue every other volume references.
Vol 20 — Cheatsheet
The laminate-ready quick-reference card. Compressed cheatsheets pulled from each of Vols 6-19: the per-hat working-toolchain bullets, the engagement-lifecycle phases, the CFAA + international-equivalents at-a-glance, the authorization-stack checklist, the disclosure-decision flowchart, the RF spectrum + legal class, the SE Cialdini-principles + delivery-channels table, the careers cert-ladder summary. Designed to be readable as a single-volume reference at engagement time; depth lookups route back to the appropriate full volume.
Vol 21 — Glossary and the canonical anchor index
This volume. The A-Z glossary of every term of art used in the series (~250 entries through Z); the canonical anchor index (§3) of every frozen H2 across Vols 6-19; the worked link-in example (§4) for sibling-deep-dive authors; this volume-by-volume summary (§5); the resources pointers (§6). The reader uses this volume non-sequentially: as a glossary it answers “what does Hack Tools mean by X?”; as an anchor index it answers “where is the canonical treatment of Y, and what link form do I write from a sibling deep dive?”.
6. Resources
Pointers to project-level cross-cutting documents and to every sibling deep dive that cross-references this series.
6.1 Project-wide references
- Deep-dive protocol: ../../_shared/deep_dive_protocol.md — the canonical workflow for producing a Hack Tools deep-dive series (volume-source markdown → consolidated HTML via _shared/build/build_single_html.py; figure/photo policy via Photo Helper; scroll-spy + Start Here registration).
- Cross-tool comparison: ../../_shared/comparison.md — the prose-form “which tool wins for which job” decision matrix across every owned + aspirational tool in the Hack Tools collection.
- Sortable capability matrix: ../../_shared/capability_matrix.html — the interactive sortable version of the comparison; 16-axis scored matrix, weights panel for per-decision tuning.
- Legal / ethics baseline: ../../_shared/legal_ethics.md — the lab-discipline rules that apply to every tool (own hardware or written authorization, regional RF rules, etc.). Vol 19 is its engineer-grade depth treatment.
- Top-level project context: ../../CLAUDE.md — the Hack Tools project hub overview.
6.2 Sibling Hack Tools deep dives this series cross-references
The reference cluster (Vols 13-17) deliberately does not re-derive material that the sibling tool deep dives already cover at depth; it links to them. The reverse traffic — sibling deep dives linking into this series via the §3 anchor catalog — is the load-bearing protocol pattern.
- HackRF One deep dive — the wideband SDR transmit + receive companion to Vol 13.
- Flipper Zero deep dive — the multi-tool RF / RFID / NFC / IR / BadUSB / GPIO front-end; cross-references with Vols 13 (sub-GHz), 15 (RFID/NFC), 16 (HID injection).
- WiFi Pineapple deep dive — Hak5’s wireless-auditing platform; the operational companion to Vol 14 (Wi-Fi/BLE) and Vol 17 (SE delivery via rogue AP / captive portal).
- ESP32 Marauder Firmware deep dive — JustCallMeKoko’s open-source Wi-Fi/BLE pentest firmware; the firmware-side companion to Vol 14.
- OpenSourceSDRLab PortaRF deep dive — handheld SDR; cross-references with Vol 13.
- Ducky Script deep dive — Hak5 keystroke-injection payload language and the four owned device families (USB Rubber Ducky, Bash Bunny, Key Croc, O.MG Cable); the language-and-implant companion to Vol 16.
- HackTools sibling deep dives not yet linked from this series, but candidates for future link-in: M5Stack Cardputer ADV, M5Stack Cardputer Zero, M5Stick S3, Nyan Box, Wired Hatters Banshee, Bus Pirate 6, Clockwork PicoCalc, Clockwork uConsole — each carries its own per-tool legal + tradecraft framing that may benefit from a back-anchor to Vol 19 / Vol 16 / Vol 17 as their own deep-dive authoring progresses.
6.3 Build pipeline
The consolidated deliverable HackerTradecraft_Complete.html is regenerated by:
bash "Hacker Tradecraft/02-inputs/volume_sources/build/rebuild_complete.sh"
The script invokes _shared/build/build_single_html.py to concatenate the per-volume markdown sources, render via pandoc, inject the scroll-spy sidebar, and write the consolidated HTML. After any volume-source edit, rebuild + open in a browser to verify; the pre-commit hook runs the validators (tools/validate_all.py) before allowing a commit.
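The two checks the build pipeline above depends on, an anchor catalog generated from H2 text and a validator for inbound links against it, as an added example. This is not the project's build_single_html.py or tools/validate_all.py: the slug rule it applies (lowercase, leading section number stripped, non-alphanumeric runs collapsed to a single hyphen), the `> Moved to` redirect form it parses, the two miniature volume sources, the inbound links and the previous-build anchor list are all constructed here and are assumptions about how the real builder behaves.

```python
"""Anchor-contract checks for an append-only heading set.

Added example, not the project's own build or validator script. The slug
rule, the redirect form and every sample input below are assumptions.
"""
import re
from typing import Dict, Iterable, List, Tuple

# Constructed stand-in for two volume-source markdown files.
VOLUME_SOURCES: Dict[int, str] = {
    16: (
        "# Vol 16 — Computer hacking and implants\n"
        "## 1. HID injection and BadUSB\n"
        "Body text.\n"
        "## 2. Network implants and drop boxes\n"
        "Body text.\n"
    ),
    19: (
        "# Vol 19 — The legal line and ethics\n"
        "## 1. CFAA 18 USC § 1030\n"
        "Body text.\n"
        "## 2. Authorization in practice\n"
        "> Moved to [§2.1](#vol19-authorization-in-practice-sow-scope-roe)\n"
        "## 2.1 Authorization in practice: SOW, Scope, ROE\n"
        "Body text.\n"
    ),
}

# Constructed inbound links as a sibling deep dive might write them.
INBOUND_LINKS = [
    "#vol16-hid-injection-and-badusb",    # valid frozen anchor
    "#vol19-authorization-in-practice",   # lands on a Moved-to stub: update it
    "#vol16-hid-injection-and-bad-usb",   # typo: would 404 silently in a browser
]

# Constructed anchor list from a hypothetical previous build.
PREVIOUS_BUILD_ANCHORS = [
    "vol16-hid-injection-and-badusb",
    "vol16-usb-filtering-and-detection",  # heading removed without a redirect
]

SECTION_NUMBER = re.compile(r"^\s*\d+(?:\.\d+)*\.?\s+")          # "1. ", "2.1 "
MOVED_TO = re.compile(r"^>\s*Moved to \[[^\]]*\]\(#([^)\s]+)\)")  # "> Moved to [§X](#anchor)"


def slugify(heading: str) -> str:
    """Lowercase, drop the leading section number, collapse non-alphanumerics to '-'."""
    text = SECTION_NUMBER.sub("", heading).lower()
    return re.sub(r"[^a-z0-9]+", "-", text).strip("-")


def build_catalog(sources: Dict[int, str]) -> Tuple[Dict[str, str], Dict[str, str]]:
    """Return (anchor -> heading text, stub anchor -> redirect target) for every H2."""
    catalog: Dict[str, str] = {}
    redirects: Dict[str, str] = {}
    for vol, markdown in sources.items():
        current = None  # anchor of the H2 whose body we are currently inside
        for line in markdown.splitlines():
            if line.startswith("## "):
                heading = line[3:].strip()
                current = f"vol{vol:02d}-{slugify(heading)}"
                catalog[current] = heading
            elif current and (m := MOVED_TO.match(line)):
                redirects[current] = m.group(1)
    return catalog, redirects


def check_links(links: Iterable[str], catalog: Dict[str, str],
                redirects: Dict[str, str]) -> List[Tuple[str, str]]:
    """Classify each '#anchor' link as ok, stale (hits a Moved-to stub) or broken."""
    results = []
    for link in links:
        anchor = link.lstrip("#")
        if anchor in redirects and redirects[anchor] in catalog:
            results.append((link, f"stale -> #{redirects[anchor]}"))
        elif anchor in catalog:
            results.append((link, "ok"))
        else:
            results.append((link, "broken"))
    return results


def check_append_only(previous_anchors: Iterable[str], catalog: Dict[str, str]) -> List[str]:
    """Anchors present in the last build that vanished from this one.

    Under the freeze discipline an old heading stays in place with a redirect
    stub beneath it, so it remains in the catalog; anything missing here is a
    renamed or deleted heading, i.e. a contract violation.
    """
    return sorted(a for a in previous_anchors if a not in catalog)


def main() -> None:
    catalog, redirects = build_catalog(VOLUME_SOURCES)
    for link, status in check_links(INBOUND_LINKS, catalog, redirects):
        print(f"{status:55} {link}")
    for lost in check_append_only(PREVIOUS_BUILD_ANCHORS, catalog):
        print(f"append-only contract violated: {lost} vanished without a redirect stub")


if __name__ == "__main__":
    main()
```

Run as a pre-commit step, `stale` tells a sibling author which link to repoint before the stub is ever dropped, `broken` surfaces the silent 404 at commit time instead of in a browser, and `check_append_only` (fed the anchor list saved from the previous build) is the mechanical form of the freeze discipline: any anchor that disappears without its heading staying behind as a redirect stub fails the commit.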
6.4 External primary sources
The series cites publicly-available primary sources throughout each volume’s ## Resources footnote section. The headline external resources that recur most across the series:
- EFF (Electronic Frontier Foundation) — https://eff.org — digital-rights advocacy; Coders’ Rights Project for legal research; recurring reference in Vols 3/8/19.
- DEF CON — https://defcon.org — annual hacker conference (Las Vegas, founded 1993); recurring reference across Vols 3/4/5/6/9/18.
- MITRE ATT&CK — https://attack.mitre.org — public taxonomy of adversary tactics + techniques + procedures; recurring reference across Vols 10/11/12.
- NIST Computer Security Resource Center — https://csrc.nist.gov — SP 800-53 / 800-61 / 800-115 are the canonical US federal frameworks; recurring reference in Vols 6/10/18/19.
- CISA (Cybersecurity and Infrastructure Security Agency) — https://cisa.gov — US federal coordinated-disclosure resource; reference in Vol 19.
- HackerOne and Bugcrowd disclose.io — https://disclose.io — bug-bounty safe-harbor standardization; reference in Vols 8/19.
- Phrack magazine (1985-present) — http://phrack.org — historical hacker e-zine; reference in Vols 3/8.
- 2600: The Hacker Quarterly — https://2600.com — historical hacker zine; reference in Vols 3/8.
6.5 Acknowledgments
This deep dive draws on the published record (court documents, researcher publications, vendor documentation, journalism) and the public conference + zine corpus. Every load-bearing factual claim is footnoted in the source volume; this volume’s §3 anchor catalog and §5 summary are the navigation surface over that depth. The 21-volume series totals ~2.5 MB of source markdown and ~4 MB of consolidated HTML as of 2026-05-16 — the largest single deliverable in the Hack Tools project.
The 21-volume Hacker Tradecraft series is complete. Vol 1 framed the territory; Vols 2-5 walked the history and hat-metaphor lineage; Vols 6-12 authored each hat at engineer-grade depth; Vols 13-17 constructed the reference cluster (SDR + Wi-Fi/BLE + RFID/NFC + computer-hacking + social engineering); Vols 18-21 closed with the synthesis cluster (careers + legal + cheatsheet + this anchor-index volume). The 126 frozen H2 anchors catalogued in §3 above are the contract the rest of the Hack Tools project links into. The series is append-only from here.