sunilgentyala
User
OmniRed: Multi-AI offensive security skills library for Claude, ChatGPT, Gemini & Microsoft Copilot — with unique MCP, LLM-pipeline, and AI-native attack categories. By Sunil Gentyala, Independent Researcher.
Indexed Skills (34)
kerberoasting
Kerberoasting expert methodology — request TGS tickets for SPN-registered service accounts, extract, and crack offline. Covers enumeration, targeted attacks, AS-REP roasting, and detection evasion.
pass-the-hash
Pass-the-Hash (PtH) and Pass-the-Ticket (PtT) attack methodology for Windows environments. Covers hash extraction, lateral movement, credential reuse, and over-pass-the-hash (PTK).
jailbreaking
Expert methodology for testing constitutional AI safeguards through roleplay personas, fictional framing, and behavioral boundary probing. For authorized red team assessments of LLM deployments.
model-extraction
Query-based model extraction and intellectual property theft methodology for authorized assessments. Covers functional extraction, architecture inference, and training data reconstruction.
prompt-injection
Expert methodology for testing direct and indirect prompt injection vulnerabilities in LLM-powered applications, agents, and pipelines. Covers payload construction, context manipulation, cross-agent propagation, and exfiltration triggers.
system-prompt-extraction
Methodology for recovering hidden system prompts from LLM-based products. Covers direct extraction, differential probing, and reconstruction from partial leaks. Relevant for competitive intelligence assessments and prompt confidentiality evaluations.
oauth
OAuth 2.0 attack methodology. Covers redirect_uri manipulation, state CSRF bypass, authorization code interception, implicit flow token theft, open redirect chaining, and PKCE bypass.
session-attacks
Session management attack methodology. Covers session fixation, CSRF, cookie theft, session prediction, concurrent session abuse, and logout bypass.
container-escape
Container escape methodology for Docker and Kubernetes. Covers privileged container breakout, mounted socket exploitation, capabilities abuse, cgroup v1 escape, and K8s node compromise.
iam-privesc
Cloud IAM privilege escalation methodology for AWS, Azure, and GCP. Covers misconfigured roles, policy enumeration, assume-role chaining, and escalation to admin/root equivalent access.
edr-evasion
EDR/AV evasion methodology for authorized red team operations. Covers process injection, AMSI bypass, ETW patching, LOLBins, reflective loading, and obfuscation techniques for testing endpoint detection coverage.
initial-access
Initial access methodology for authorized red team engagements. Covers phishing, payload delivery, drive-by compromise, supply chain entry points, and living-off-the-land initial access techniques.
embedding-attacks
Adversarial embedding manipulation techniques for attacking vector search, semantic similarity systems, and embedding-based security controls. Covers nearest-neighbour poisoning, semantic collision, and bypass of embedding-based filters.
rag-poisoning
Expert methodology for attacking Retrieval-Augmented Generation (RAG) pipelines through document poisoning, index corruption, adversarial queries, and retrieval manipulation. For authorized red team assessments of AI search and Q&A systems.
mcp-context-injection
Methodology for injecting malicious content into MCP tool return values and resource outputs to manipulate connected LLM agent behaviour. Covers cross-server propagation and multi-agent pipeline compromise.
mcp-rug-pull
Methodology for testing rug pull attacks against MCP servers — capability changes after initial attestation that the connected LLM cannot detect. Covers detection, reproduction, and impact assessment.
mcp-tool-poisoning
Expert methodology for testing Model Context Protocol tool poisoning vulnerabilities. Covers malicious tool description injection, cross-server propagation, and detection evasion. Developed alongside ContextGuard (ICCBI 2026) MCP security research.
osint
Open Source Intelligence expert methodology for pre-engagement reconnaissance. Covers target profiling, email harvesting, subdomain enumeration, technology fingerprinting, employee reconnaissance, and dark web monitoring.
subdomain-enum
Subdomain enumeration expert methodology combining passive, active, and permutation techniques. Includes subdomain takeover detection and live host filtering.
model-tampering
AI model supply chain attack methodology covering weight tampering, malicious fine-tuning backdoor insertion, plugin/extension hijacking, and model provenance verification bypass. For authorized assessments of AI deployment pipelines.
cvss4-scoring
CVSS v4.0 scoring guide for red team findings. Covers all metric groups (Base, Threat, Environmental, Supplemental), AI/LLM-specific scoring considerations, and OWASP LLM Top 10 to CVSS mapping.
report-writing
Red team and penetration test report writing methodology. Covers executive summary, technical findings format, CVSS4 scoring, remediation guidance, and evidence documentation standards.
graphql
GraphQL security testing methodology covering introspection abuse, IDOR via query manipulation, batching attacks, injection via arguments, and subscription abuse.
rce
Remote Code Execution methodology covering command injection, deserialization, file upload RCE, and code injection in web applications. Includes reverse shell payloads and post-exploitation pivoting.
sqli
SQL injection expert methodology covering UNION-based, blind (boolean/time), error-based, and second-order injection. Includes WAF bypass, out-of-band exfiltration, and post-exploitation DB pivoting.
ssrf
Server-Side Request Forgery expert methodology covering basic SSRF, blind SSRF, cloud metadata endpoint attacks, DNS rebinding, and protocol smuggling. Includes filter bypass and post-exploitation pivoting.
waf-bypass
Web Application Firewall bypass methodology applicable to all injection types. Covers encoding, obfuscation, chunked encoding, HTTP header manipulation, and protocol-level WAF bypass.
xss
Cross-Site Scripting expert methodology covering reflected, stored, DOM-based, and mutation XSS. Includes CSP bypass, filter evasion, and post-exploitation (session hijacking, keyloggers, BeEF integration).
dcsync
DCSync attack methodology — replicate AD credentials from Domain Controllers without touching LSASS. Covers privilege requirements, execution, and credential extraction for all domain accounts including krbtgt.
jwt
JWT (JSON Web Token) attack methodology. Covers algorithm confusion (RS256→HS256), none algorithm, weak secret cracking, kid injection, JKU header forgery, and claims manipulation.
s3-enum
AWS S3 and cloud storage enumeration methodology. Covers bucket discovery, access control testing, public data exposure, and cross-cloud (GCS, Azure Blob) equivalents.
idor
Insecure Direct Object Reference (IDOR) methodology. Covers horizontal and vertical privilege escalation, GUID bypass, mass assignment, and multi-step IDOR chains.
ssti
Server-Side Template Injection expert methodology. Detection across Jinja2, Twig, Freemarker, Velocity, Mako, Smarty. Exploitation path from SSTI to RCE and data exfiltration.
xxe
XML External Entity injection expert methodology. Covers classic XXE, blind OOB XXE, XXE via file upload, XXE to SSRF, and XXE in PDF/DOCX parsers.
Bio shown is the top-scored skill's repo description as a fallback — real GitHub bios land in a future update.