SEC565 · RED TEAM OPS · REV 1.0

THE RED TEAM BLUEPRINT

28 lab posters. Every phase of an adversary emulation, mapped like engineering schematics. Free. Printable. Yours to keep.

PDF · 8.8 MB · 30 pages · print-ready
28 Lab Posters · 05 Sections · 06 Day Course · Print-Ready

A preview of what you're getting.

Each poster breaks down one lab — workflows, tools, key commands, OPSEC notes. Pin them on your wall. Hand them to juniors. Use them as a reference when you've been staring at a krbtgt hash for six hours and forgot which direction a trust flows.

Five sections. One mission.

The posters follow the real shape of an engagement — intel in, dominance out.

§ 01 · Planning & Intel: Target research, threat actor profiles, TTP extraction, adversary emulation planning.
§ 02 · Initial Access: C2 infrastructure, listeners, pivoting, redirection, domain fronting.
§ 03 · Payloads & Execution: Stager crafting, AV/EDR evasion, NTLM capture, lateral movement, persistence.
§ 04 · Discovery: Active Directory enumeration, GPO abuse, trust mapping, policy recon.
§ 05 · Privilege & Domain: Kerberoasting, delegation abuse, trust hopping, golden tickets, closure.

I teach SEC565 for SANS. Every time a class wraps, a student asks if there's a cheat sheet for a lab — something they can pin up and actually use. So I made these.

They're not a replacement for the course. They're what you wish you had while you were taking it, and what you'll want on your wall after.

Share them, print them, hand them to your blue team so they know what's coming. Whatever works.

— JF MAES · SANS INSTRUCTOR · CEO, OFFENSIVE GUARDIAN

The posters map a course.
The course is SEC565.

Six days. Hands-on. You build an adversary emulation from threat intel all the way to domain compromise. Same labs, same tools, same fight — with an instructor in the room.

SEE UPCOMING RUNS
↗ sans.org · free cancellation on most runs
  • 28 hands-on labs: Every poster you just downloaded, done live in a cyber range.
  • End-to-end engagement: From consuming CTI reports to writing the final red team report.
  • Earn the GRTP Certification (GPEN / GXPN adjacent): Prepares you for the operator side of red team work, not just pentesting.
  • In-person or OnDemand: Conferences, online live, or self-paced — your schedule, your call.
SEC565 · Red Team Ops & Adversary Emulation
6 Days · Full hands-on cyber range
28 Labs · CTI → C2 → AD → domain
GIAC track · Operator-grade skill set

The posters are the map. SEC565 is the territory.

Runs sell out. Pick a date, lock in cancellation-friendly terms from SANS, and show up ready.

JF MAES
Red Team Operator · Instructor · Builder

SANS Certified Instructor for SEC565. CEO of Offensive Guardian. Spent years breaking into networks for a living before deciding other people should learn to do it properly too.

If your org needs a red team that does the work end to end — planning, emulation, reporting, debrief — that's what Offensive Guardian does. No fluff, no 400-page reports nobody reads. Just operators who've been in the trenches.