Hacker Tradecraft · Volume 1
Hacker Tradecraft Volume 1 — Overview, the Hat Spectrum, and How to Read This Series
What 'tradecraft' means here, the seven hats at a glance, the two-axis problem, the decision graph, and how this series threads back into the rest of the Hack Tools hub
1. About this volume — and this series
This is Volume 1 of Hacker Tradecraft — a roughly 21-volume engineer-grade deep dive on hacking itself: its history, its culture, the seven “hat” colors the industry uses to talk about motivation and legality, and a dedicated technical reference cluster covering the tradecraft itself (heavily RF-weighted, with shorter treatments of computer-side implants and social engineering). It sits alongside the device-specific deep dives that make up the rest of this Hack Tools hub — Flipper Zero, HackRF One, WiFi Pineapple, Proxmark3, Ducky Script, and the rest — but its job is different. Those volumes answer “how does this specific board work and what can I do with it?” This one answers “what is the craft this board sits inside of, who practices it, where did it come from, and what is the boundary line on the other side of which it stops being craft and becomes a crime?”
The series is structured in three phases that the reader is free to mix at will: history (Vols 2–4, the three eras of hacking from 1950s phone-phreaking to the 2020s ransomware industry, plus Vol 5 on the “hat” metaphor itself), the seven hats (Vols 6–12, one volume each for white, black, grey, green, blue, red, purple), and a reference cluster (Vols 13–17, the actual RF / computer / social-engineering tradecraft, with cross-links into the device deep dives), closing with careers (Vol 18), the legal line (Vol 19), a laminate-ready cheatsheet (Vol 20), and a glossary plus the canonical anchor index (Vol 21). The intended reader is a working engineer who already knows what a USRP and a deauth frame are — not a beginner who needs the term “WPA handshake” defined. Vol 1’s job is to make the structure legible: what the series is, where each volume fits, and which one to read first.
2. What “tradecraft” means here
The word tradecraft is borrowed from the intelligence world, where it means the practical, learned, daily craft of operating — not the toolkit alone, not the manual, not the doctrine, but the lived combination of all three plus the judgment that connects them. A case officer’s tradecraft includes the cover identity, the brush pass, the dead drop, the surveillance-detection route, and — equally — the gut sense for when to abort. The toolkit is necessary but radically insufficient: a brush pass executed by someone with no tradecraft looks exactly like one person bumping into another, and is exactly as useful.
That framing fits the hacker world unreasonably well, which is why the term has crossed over. A hacker’s tools are the radios, the laptops, the implants, the scripts and exploits and frameworks — the things this hub’s other deep dives cover at depth. A hacker’s tradecraft is what determines whether those tools accomplish anything. Tradecraft is the methodology — the kill chain[^1], the recon-before-engagement reflex, the cleanup discipline. It’s the routine — the rhythm of a real engagement, what the day actually looks like for a white-hat consultant versus a SOC analyst versus a red-teamer. It’s the judgment — the call about whether the noisier exploit is worth the detection risk, when to break out of a constrained shell versus pivot, whether to file a bug report or wait. And it’s the posture — knowing where the legal line is in your jurisdiction, what your written authorization covers and doesn’t, what you do when the engagement uncovers something the client didn’t expect.
This series describes that craft. The volume map is therefore organized around people and choices and daily reality, not a tool list. Vol 6 on white-hat work isn’t “tools the white hats use”; it’s who a white hat is, how a real engagement is structured, how people actually get hired into the role, what the daily rhythm looks like, and which famous figures shaped the craft — with the tooling woven in (Burp, the Nessus and ZAP family, the OWASP web stack, Metasploit, the SDR and HID tools where relevant) and cross-linked into the dedicated reference cluster for the deep technical detail. The seven hat volumes share that template (per the design spec). The reference cluster (Vols 13–17) is where the tooling itself gets the engineer-grade treatment, but even there the framing is “what is the technique, when does a practitioner reach for it, what’s the limit” — not a vendor-catalogue read of the device datasheet.
The corollary, which the rest of this volume keeps coming back to: a list of hacking tools is not a deep dive on hacking. The tools matter, but they are the periphery of the craft, not its center. A reader who finishes this series should be able to walk past a bench full of unfamiliar gear and form a useful guess about what the operator is trying to accomplish, in what role, against what kind of target, under what legal posture — because the craft is recognizable across tools, eras, and hats. That is the working definition of tradecraft used throughout the series.
3. The hat spectrum at a glance
The “hat” taxonomy is industry shorthand for motivation and legality — what a hacker is trying to do, and on which side of the law they’re doing it. It’s not the only axis (see §4 — engagement-role colors are a separate axis that the term unfortunately reuses), but it’s the one most people mean when they say “what color hat is that?” The seven colors below are the modern industry set; this series gives each one a full volume.
| Hat | One-line definition | Vol | The legal line |
|---|---|---|---|
| White | Authorized security researcher / penetration tester. Hacks with permission — written scope, signed contract, defined targets. The default model for paid security work. | Vol 6 | Legal when scope and authorization are in writing. Out-of-scope work, even if benign, can still be unauthorized access. |
| Black | Unauthorized intrusion for personal, financial, ideological, or destructive ends. The criminal end of the spectrum — fraud, extortion, espionage, sabotage. | Vol 7 | Illegal in essentially every jurisdiction. CFAA in the US[^2]; Computer Misuse Act in the UK[^3]; equivalents nearly everywhere. |
| Grey | Operates without authorization, but not for criminal gain — independent vulnerability research, “I found this and disclosed it” cases, full-disclosure activists. Intent is constructive; the legal status is still unauthorized. | Vol 8 | Almost always illegal as conducted, even where intent is defensible. Coordinated-disclosure programs (CVD, bug-bounty platforms) are the legalized path to the same work. |
| Green | The newcomer / on-ramp. Learning the craft — CTFs, HackTheBox, training labs, the first cert. Definitionally not yet operational at scale. | Vol 9 | Legal as long as practice stays in sanctioned environments (lab, CTF, bug-bounty scope). The mistake mode is “I’ll just try it on a real site” — that crosses immediately into grey/black. |
| Blue | The defender. SOC analyst, incident responder, threat hunter, detection engineer. The engagement-role “blue team.” (Also a separate Microsoft-event sense — the vendor-invited internal red team — that is a different meaning of the same word.) | Vol 10 | Legal by definition — defends infrastructure they’re employed to defend. The edge case is active defense / “hack-back,” which is legally fraught. |
| Red | Two senses: (a) the engagement-role “red team” — authorized adversary emulation against a real org with full-spectrum scope; (b) the vigilante / aggressor framing — unauthorized offensive action ostensibly against bad actors. The industry mostly means (a); the term originally meant (b). | Vol 11 | (a) Legal under authorization. (b) Illegal essentially everywhere — vigilantism is unauthorized access regardless of who the victim is. |
| Purple | The synthesis of red and blue — collaborative red-and-blue working together to improve detections in real time, rather than a periodic adversarial assessment. A practice more than a role. | Vol 12 | Legal — the work is internal to the organization, with both sides authorized. |
Volume links in the Vol column resolve once the corresponding volume is authored (Phase 2).
This is the centerpiece reference table for the entire series. Every hat volume returns to its row above and unpacks the one-liner; Vol 5 is where the metaphor itself gets archeologically dug into (Western-film origin, migration into infosec discourse, the Black Hat / DEF CON inflection points, and the messy fact that the taxonomy has never been fully stable).
The seven colors are not equally well-defined. White, black, and grey are the classic three and the most stable; everyone in the industry agrees roughly what they mean. Green is well-defined as “newcomer” but the boundary with white is fuzzy — there’s no certification ceremony. The team colors (blue, red, purple) are the most actively contested terminology, because the word team drags in an organizational framing the hat metaphor was never built to carry. §4 unpacks that conflation.
4. The two axes — motivation/legality vs. engagement role
The “hat” terminology has been overloaded onto a problem it was never designed for. The classic hats (white, black, grey) describe motivation and legality — what is this person trying to do, and on which side of the law are they doing it? The team colors (red, blue, purple) describe engagement role in a structured exercise — during this specific assessment, who is the simulated attacker, who is the defender, and are they collaborating? These are different axes and they don’t compose cleanly.
The team-color framing is borrowed from military exercises and from cybersecurity-exercise practice that hardened in the 2000s. “Red team” originally meant the war-game adversary; “blue team” meant the home force. The synthesis “purple team” was coined later (mid-2010s onward) to describe an explicit collaboration mode rather than a separate role[^4]. None of these were ever ethical-stance descriptors — a red-teamer is authorized, by construction, or the engagement is a crime. Yet because the industry reused the word hat, the terms are routinely smushed together: people will refer to “a red-hat hacker” meaning either a red-team operator (authorized) or a vigilante (unauthorized), and the listener has to disambiguate from context.
This series treats the two axes separately:
```text
AXIS 1 — Motivation / Legality
(the original "hat" axis)

  unauthorized                              authorized
  illegal                 neutral                legal
  ◄──────────────────┼────────────────────────►
  BLACK ── GREY          GREEN                 WHITE
  (criminal) (unauth     (new-                 (auth
              research)   comer)                pentest)

AXIS 2 — Engagement role
(the "team color" axis)

  ┌───────────────────────────────┐
  │      PURPLE = synthesis       │
  │        ┌────────────┐         │
  │  RED   │   shared   │  BLUE   │
  │  atk   │ defenders' │  def    │
  │  side  │ visibility │  side   │
  │        └────────────┘         │
  └───────────────────────────────┘

"Red hat" = the team-color sense if context is engagement role;
            the vigilante sense if context is motivation/legality.
The industry uses both; you have to read the context.
```
The two axes compose like this:
| | White-hat (auth) | Black-hat (unauth/criminal) | Grey-hat (unauth/constructive) | Green-hat (newcomer) |
|---|---|---|---|---|
| Red team role | Authorized adversary emulation — the dominant industry usage of “red team.” | Not a thing — a red-team engagement without authorization is just a crime. | Conceivable in fringe disclosure-activist framing, but legally still unauthorized. | Inapplicable — newcomers don’t operate red-team engagements. |
| Blue team role | The default for in-house defenders and SOC consultants. | The “insider threat” frame — black operator inside a blue role. | Almost never overlaps. | Common entry path — many green-hats start in SOC/blue work. |
| Purple team role | Both white-hat red and white-hat blue collaborating; the dominant mode in mature SecOps shops. | N/A. | N/A. | Rarely — purple-team work assumes both sides are at operational maturity. |
The hat volumes in this series use the motivation/legality framing as their primary spine — that’s what most readers mean by “what kind of hacker is this?” The team-color discipline (red as adversary emulation, blue as defense, purple as collaboration) gets its full treatment inside the corresponding hat volumes (Vols 10–12), with explicit callouts to the fact that the words have two meanings and the reader has to disambiguate from context every time.
The summary the rest of the series builds on:
| Axis | What it answers | This series’ primary frame |
|---|---|---|
| Motivation / Legality | Is the operator authorized? Are they working for, against, or around the law? What is their intent? | The seven hat volumes (6–12) use this axis as their spine — definition, origin, legal line. |
| Engagement role | During a specific exercise, what role is this person playing — attacker, defender, both? | Treated inside Vols 10 (blue), 11 (red), 12 (purple). The hat volumes carry the role discipline; the role is not a hat in its own right. |
5. How this series is organized
Three phases, then four supporting volumes (career, legal, cheatsheet, glossary). Each phase is independently useful — a reader interested only in the history of phreaking can read Vols 2–5 and stop; a reader hired into a green-hat junior role can read Vol 9 and Vol 18 and stop; an engineer building a wardrive rig can read Vols 13–14 and the linked device deep dives and stop. The volumes are nodes in a graph, not chapters in a book.
The volume map below mirrors the canonical one in this project’s CLAUDE.md exactly:
| Vol | Topic | Phase |
|---|---|---|
| 1 | Overview — what tradecraft means, how to read the series, the decision graph | (this volume) |
| 2 | History I — proto-hacking, 1950s–70s (phreaking, MIT/TMRC, hacker ethic, Homebrew Computer Club) | Phase 1 — History |
| 3 | History II — golden age & criminalization, 1980s–90s (BBS, 414s, CFAA, Morris worm, Mitnick, Phrack/2600) | Phase 1 — History |
| 4 | History III — modern era, 2000s–now (pentest industry, APTs, bug-bounty economy, ransomware-as-a-business) | Phase 1 — History |
| 5 | The “hat” metaphor — origin, migration into infosec culture, Black Hat/DEF CON, how the taxonomy evolved | Phase 1 — History |
| 6 | White hat | Phase 2 — Hats |
| 7 | Black hat | Phase 2 — Hats |
| 8 | Grey hat | Phase 2 — Hats |
| 9 | Green hat | Phase 2 — Hats |
| 10 | Blue hat | Phase 2 — Hats |
| 11 | Red hat | Phase 2 — Hats |
| 12 | Purple hat | Phase 2 — Hats |
| 13 | RF tradecraft I — SDR & sub-GHz | Phase 3 — Reference |
| 14 | RF tradecraft II — Wi-Fi & BLE | Phase 3 — Reference |
| 15 | RF tradecraft III — RFID, NFC & access control | Phase 3 — Reference |
| 16 | Computer-hacking tradecraft (keyloggers, BadUSB, the Hak5 implant family) | Phase 3 — Reference |
| 17 | Social engineering tradecraft (pretexting, OSINT, phishing, physical entry) | Phase 3 — Reference |
| 18 | Careers — how the ethical hats get hired | Phase 3 — Reference |
| 19 | The legal line & ethics | Phase 3 — Reference |
| 20 | Cheatsheet — laminate-ready | Phase 3 — Reference |
| 21 | Glossary & canonical anchor index | Phase 3 — Reference |
The phases are pedagogical, not gated. A reader is free to skip to the hat volumes without the history, or read the reference cluster first and circle back. The Vol 21 anchor index makes any individual section addressable by stable URL fragment for cross-deep-dive linking — see §7 below for the link form and the README’s Anchor convention section for the underlying rule.
The woven-plus-reference tooling model. This is worth explaining because the series uses it heavily. Each hat volume (6–12) carries its own contextualized tool detail — what tools that hat actually reaches for, framed inside the hat’s daily routine and intent. The same Wi-Fi capture rig that the white-hat consultant uses in an authorized engagement (Vol 6) shows up again in the grey-hat researcher’s home lab (Vol 8) and again in the black-hat criminal’s wardrive setup (Vol 7), but each time framed by why this hat reaches for it and what changes about the operation under that intent. The deep technical detail — what’s actually inside an SX1276, why CC1101’s CRC has gotchas, how the WiFi Pineapple’s PineAP suite works at the 802.11 protocol layer — lives in the reference cluster (Vols 13–17), and the hat volumes cross-link in with [see Vol 14 on the Wi-Fi attack surface](vol14.md#the-802-11-attack-surface)-style anchors rather than re-deriving. The anchor is the slugified heading text (lowercase, spaces become hyphens, certain punctuation stripped) — not a section number. The author writes the bare slug without a volume prefix; the builder prepends vol{NN}- at render time, so the above example renders as #vol14-the-802-11-attack-surface in the consolidated HTML. That keeps the hat volumes readable as the story of that hat without bloating, and keeps the reference cluster authoritative as the engineering manual of the technique without the narrative drag.
The corollary discipline: the reference-cluster headings (Vols 13–17) and the hat-volume headings (Vols 6–12) are frozen once committed — they generate the vol{NN}-<slug> anchors that other Hack Tools deep dives bookmark into, and renaming a heading silently breaks those incoming links. The anchor is derived from the H2 heading text by pandoc’s slug rule (lowercase, spaces become hyphens, certain punctuation is stripped or preserved). Authors write the bare slug — the builder prepends vol{NN}- at render time. See 02-inputs/volume_sources/README.md (Anchor convention) for the full rule. Vol 1 (this volume) is the overview and pre-dates Phase 2, so its headings aren’t yet on the frozen list — but they should still be authored carefully because they end up in the canonical anchor index in Vol 21.
6. The decision graph — “I want to learn about X → read Vol Y”
What are you trying to do?
- Understand the field (history) → Vols 2–4, plus Vol 5 (hat-metaphor origin).
- Know what each kind of hacker actually does → Vols 6–12 (one each for white, black, grey, green, blue, red, purple).
- Technical reference on the craft itself → Vols 13–17, plus the linked device deep dives in the hub:
  - SDR & sub-GHz → Vol 13 → HackRF One, PortaRF, RTL-SDR, Flipper sub-GHz
  - Wi-Fi & BLE → Vol 14 → WiFi Pineapple, Marauder, AWOK, Nyan Box, Ruckus Game Over
  - RFID / NFC → Vol 15 → Proxmark3, Flipper
  - Computer + SE side → Vols 16–17
- Get a job / change role in the industry → Vol 18, plus Vol 9 (green) and Vol 6 (white) for the on-ramp path.
- Legal line → Vol 19, plus every hat volume’s §1 legal-line callout.
A handful of specific use-cases worth calling out, because they cross more than one phase:
- “I want to understand how the industry actually got to where it is.” Read the history cluster end-to-end: Vol 2 → 3 → 4 → 5. About four hours of reading.
- “I just got hired into a SOC role, what is this craft I’m now part of?” Vol 10 (blue) is the spine. Vol 18 (careers) supports it. Vol 19 (legal line) is the boundary. Skim Vols 2–4 (history) for context. Skip the RF cluster unless your SOC handles wireless. About a working day’s reading.
- “I’m assembling a wireless audit kit and want to know what each piece is for.” Vols 13 + 14 + 15 are the spine. Each section cross-links into the device deep dives (HackRF One, Flipper Zero, WiFi Pineapple, Proxmark3, etc.) — read those for the engineering depth. Vol 8 (grey) and Vol 6 (white) are the framing for why you want this kit. About a weekend.
- “I’m doing a vulnerability disclosure and want to know the legal landscape.” Vol 19 is the spine, Vol 8 (grey hat) is the cultural history of disclosure norms, Vol 18’s bug-bounty section covers the platform-legalized path. About an evening.
- “I want to write the post-mortem of an actual breach my org just had.” Vol 7 (black hat) for the actor framing, Vol 10 (blue) for the defender framing, Vol 12 (purple) for what the post-mortem retrospective should look like, Vol 4 (modern history) for industry-wide context. About a day.
A separate axis: depth. Some readers want the survey, others want the engineering manual. §9 gives reading paths by time budget.
7. Where this sits in the Hack Tools hub
This series is the connective tissue over the device-specific deep dives in this hub. The map below shows which existing deep dives this series cross-links into — these are the targets of the [see X Vol N §Y]-style references throughout Vols 6–17. Every link uses the device’s consolidated <Tool>_Complete.html as its target (the entire deep dive collapsed to one HTML), with a stable anchor of the form #vol{NN}-<heading-slug> per the project’s anchor convention[^5].
| Device deep dive | What it covers | Linked from |
|---|---|---|
| HackRF One | Wideband SDR transmit + receive (1 MHz – 6 GHz); the host-side SDR workflow; PortaPack H2+ companion | Vol 13 (SDR fundamentals), Vols 6/7/8 (the radio everyone reaches for) |
| RTL-SDR | $30 receive-only SDR; the entry-point dongle, the universal recon hardware (deep dive: not yet authored — links to CLAUDE.md placeholder) | Vol 13 (SDR receive), Vol 9 (green-hat on-ramp into RF) |
| Flipper Zero | Sub-GHz / RFID / NFC / IR / BadUSB / GPIO front-end | Vols 13, 15 (RFID/NFC), Vol 16 (BadUSB), Vols 6/7/8/9 (the swiss-army knife) |
| Proxmark3 RDV4 | Lab-grade RFID/NFC research platform (deep dive: not yet authored — links to CLAUDE.md placeholder) | Vol 15 (LF + HF RFID, MIFARE, access control), Vols 6/7/8 (the access-control side) |
| WiFi Pineapple | Hak5’s purpose-built Wi-Fi audit platform — PineAP, rogue-AP, four current models | Vol 14 (Wi-Fi tradecraft), Vols 6/7/8 (the rogue-AP technique), Vol 19 (highest-posture tool) |
| ESP32 Marauder Firmware | Open-source Wi-Fi/BLE pentest firmware (runs on AWOK, Flipper devboard, dedicated boards) | Vol 14 (Wi-Fi/BLE attacks), Vols 8/9 (the open-source side of the field) |
| Nyan Box | Education-first multi-radio handheld (ESP32 + 3× NRF24L01+ + drone RemoteID + camera detection) | Vol 14 (multi-radio sniffing), Vol 9 (education-first design) |
| AWOK Dual Touch V3 | Dual-ESP32 Flipper module with GPS — wardriving and recon | Vol 14 (wardriving), Vols 6/8 (the recon side) |
| Ruckus Game Over | ESP32-S3 multi-radio Flipper module (CC1101 / NRF24 daughter slot) | Vol 14 (multi-radio handheld), Vol 13 (sub-GHz) |
| OpenSourceSDRLab PortaRF | HackRF-class handheld SDR with integrated PortaPack-class display | Vol 13 (handheld SDR), Vol 11 (red-team field kit) |
| Ducky Script | Hak5’s keystroke-injection language + the Rubber Ducky / Bash Bunny / Key Croc / O.MG family | Vol 16 (BadUSB / HID injection — the core of computer-hacking tradecraft), Vols 6/7/11 (physical-access workflows), Vol 19 (highest-posture tool alongside Pineapple) |
| Rayhunter | EFF’s open-source IMSI catcher / Stingray detector firmware (Orbic Speed RC400L) (deep dive: not yet authored — links to CLAUDE.md placeholder) | Vol 10 (blue-hat defensive RF), Vol 13 (cellular awareness) |
The convention is that this series cross-links out to those device deep dives (using the relative paths above) and exposes stable anchors so those deep dives can link back in — Vol 21 will be the canonical anchor index for the inbound direction.
Example link forms used throughout Vols 6–17:
[see Vol 13 on SDR fundamentals](vol13.md#sdr-fundamentals)
[see the HackRF One Volume 2 block diagram](../../HackRF One/03-outputs/HackRF_One_Complete.html#vol02-the-block-diagram)
The builder rewrites vol13.md#sdr-fundamentals references inside this series to internal #vol13-sdr-fundamentals anchors in the consolidated HTML — the vol13- prefix is added by the builder, not the author. Cross-deep-dive references stay external — they point at the other deep dive’s consolidated HTML at the matching anchor (which already includes the vol{NN}- prefix from that deep dive’s own build).
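A small Python illustration of the anchor convention described in §5 and in the link forms above (added here; it is not the project’s builder). It assumes the simplified slug rule this page states, lowercase with runs of spaces and punctuation collapsed to single hyphens, which matches the page’s own 802.11 example but is not a full implementation of pandoc’s rule; the function names and the sample links are constructed. The last function shows why frozen headings matter: a renamed heading surfaces as a dangling internal anchor.

```python
"""Anchor generation and link rewriting for the vol{NN}-<slug> convention.

Added illustration, not the project's builder. Assumptions (not from the page):
the function names, the sample markdown below, and the simplified slug rule
(the page's own example maps "The 802.11 attack surface" to
"the-802-11-attack-surface", so periods are treated like spaces here).
"""
import re

# Constructed sample showing the two link forms the page uses:
# intra-series (volNN.md#slug) and cross-deep-dive (already-built HTML + anchor).
SAMPLE_MD = (
    "[see Vol 13 on SDR fundamentals](vol13.md#sdr-fundamentals) and "
    "[see Vol 14 on the Wi-Fi attack surface](vol14.md#the-802-11-attack-surface); "
    "[see the HackRF One Volume 2 block diagram]"
    "(../../HackRF One/03-outputs/HackRF_One_Complete.html#vol02-the-block-diagram)"
)

# Any run of characters that is not a lowercase letter or digit becomes one hyphen.
_NON_SLUG = re.compile(r"[^a-z0-9]+")


def slugify(heading: str) -> str:
    """Bare slug the author writes: lowercase, spaces/punctuation runs -> '-'."""
    return _NON_SLUG.sub("-", heading.lower()).strip("-")


def anchor_id(vol: int, heading: str) -> str:
    """Full HTML id the builder emits: vol{NN}- prefix plus the bare slug."""
    return f"vol{vol:02d}-{slugify(heading)}"


# Matches the target part of an intra-series link: "](vol13.md#sdr-fundamentals)".
_INTRA_LINK = re.compile(r"\]\(vol(\d{2})\.md#([^)#\s]+)\)")


def rewrite_links(markdown: str) -> str:
    """Rewrite volNN.md#slug targets to internal #volNN-slug anchors.

    Cross-deep-dive links (relative paths to another deep dive's consolidated
    HTML) do not match the pattern and are left untouched, as the page describes.
    """
    return _INTRA_LINK.sub(lambda m: f"](#vol{m.group(1)}-{m.group(2)})", markdown)


# Matches internal targets after rewriting: "](#vol13-sdr-fundamentals)".
_INTERNAL_TARGET = re.compile(r"\]\(#(vol\d{2}-[^)\s]+)\)")


def dangling_anchors(rewritten_md: str, known_ids: set[str]) -> list[str]:
    """Internal targets that no committed heading generates.

    `known_ids` is the set of ids produced from the frozen headings; a heading
    that was renamed after links were written shows up in the returned list.
    """
    targets = set(_INTERNAL_TARGET.findall(rewritten_md))
    return sorted(targets - known_ids)


if __name__ == "__main__":
    rewritten = rewrite_links(SAMPLE_MD)
    print(rewritten)
    frozen = {anchor_id(13, "SDR fundamentals")}  # Vol 14 heading deliberately missing
    print("dangling:", dangling_anchors(rewritten, frozen))
```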

Vol 5 traces how the hat metaphor migrated into infosec culture; DEF CON and the sibling Black Hat conference (both Moss-founded) are the inflection points where the terminology took its modern shape — see Vol 5 for the full archeology.
8. The one-paragraph posture warning
This series describes capability and history. It does not provide operational how-to for unauthorized acts. The legal line for nearly every technique discussed in this series sits at authorization: in the United States the Computer Fraud and Abuse Act criminalizes accessing a computer “without authorization” or “exceeding authorized access”[^2]; the UK Computer Misuse Act, the EU Cybercrime Convention[^6], and equivalents in every developed jurisdiction draw broadly the same line. Owning the hardware is not authorization. Believing the target’s security is bad is not authorization. “I was just looking” is not authorization. Authorization is, in practical terms, a written, signed, scoped engagement letter, a bug-bounty program’s published scope page, your own owned hardware and your own network, or a sanctioned lab environment. Everything in this series — every tool described, every technique catalogued, every famous figure profiled — sits on one side of that line or the other, and which side determines whether the work is craft or crime. Vol 19 draws the line in legal detail with cross-references into the Hack Tools legal/ethics baseline; every hat volume’s §1 restates the line for that specific hat; the WiFi Pineapple and Ducky Script deep dives carry their own posture sections because those tools are the most legally consequential in this hub. Read Vol 19 before any of the technique sections in Vols 13–17, and read the legal line in any specific hat volume before that hat’s tooling section. The line is not advisory — it is the difference between a career and an indictment.
9. How to read this series — depth indices
The volumes are nodes in a graph, but readers come with a finite time budget. The paths below are the recommended reading orders by time available:
| Time budget | Reading path | What you walk away knowing |
|---|---|---|
| One hour | Vol 1 (this volume) → Vol 5 (the hat metaphor) → Vol 20 (cheatsheet) | The shape of the field, why the terminology is the way it is, the laminate-ready reference card. |
| An afternoon (~4 h) | Add the history cluster (Vols 2–4) | The lineage of the field — how 1950s phreakers became 2020s ransomware crews and ethical pentest consultancies. |
| A working day (~8 h) | Add the hat the reader most identifies with (one of Vols 6–12) plus Vol 19 (legal line) | Deep understanding of one role plus the boundary line. The most common path for a reader picking up the series. |
| A weekend (~16 h) | Add the relevant reference cluster volumes (13–15 for RF; 16 for computer-side; 17 for SE) and the linked device deep dives | Engineer-grade depth on the tradecraft in the reader’s area, with the hardware framing already in place from the device deep dives. |
| Read in full | Vol 1 → 2 → 3 → 4 → 5 → 6 → 7 → 8 → 9 → 10 → 11 → 12 → 13 → 14 → 15 → 16 → 17 → 18 → 19 → 20 → 21 | The complete picture. Reasonable target over a few months for a working engineer reading in evenings. |
A handful of focused depth indices for specific intents:
- For a hat-specific deep dive: read its volume (Vols 6–12) plus Vol 19 (legal line). The hat volume’s §1 will restate the legal line in that hat’s context; Vol 19 expands it.
- For RF tradecraft specifically: dive into Vols 13–15 and follow the cross-links into the relevant hardware deep dives (HackRF One, Flipper Zero, WiFi Pineapple, Proxmark3, RTL-SDR, PortaRF, ESP32 Marauder Firmware, AWOK, Nyan Box, Ruckus Game Over, Rayhunter). Each section in Vols 13–15 has a “see the Vol N of <device>” cross-link to the engineering-depth treatment.
- For computer-side tradecraft: Vol 16 plus the Ducky Script deep dive plus Vol 7 (black hat — the threat-actor framing) plus Vol 10 (blue hat — the defender framing).
- For social engineering tradecraft: Vol 17. SE is the lightest-coverage cluster in this series — it gets one volume rather than three — because it overlaps less with the RF-and-device focus of the rest of the hub. The volume is self-contained.
- For career path / hiring: Vol 18, Vol 9 (green hat — the on-ramp), and Vol 6 (white hat — the dominant ethical-hire role).
- For the canonical anchor index (when linking into this series from another deep dive): Vol 21. That’s the authoritative table of every vol{NN}-<slug> link target the series exposes.
The series rewards re-reading: once a reader has the framing from Vols 1, 5, and 19, the hat volumes become much more useful, and the cross-link structure starts paying off.
10. Resources
Foundational reading. Steven Levy’s Hackers: Heroes of the Computer Revolution (1984)[^7] is the canonical popular history of the early hacker era — the MIT Tech Model Railroad Club, Homebrew Computer Club, the original hacker ethic. It is the source most history-of-hacking treatments lean on, and Vol 2 of this series leans on it explicitly. Bruce Sterling’s The Hacker Crackdown (1992)[^8] covers the late-1980s / early-1990s criminalization era and the Operation Sundevil raids; Vol 3 leans on it. Andy Greenberg’s Sandworm (2019)[^9] and Kim Zetter’s Countdown to Zero Day (2014)[^10] are the closest analogs for the modern-era treatment in Vol 4.
The infrastructure of the hacker culture.
- The Electronic Frontier Foundation (https://eff.org) — digital civil-liberties advocacy, legal defense for security researchers, the canonical legal-position publisher on disclosure and the CFAA. Founded 1990 by Mitch Kapor, John Perry Barlow, and John Gilmore[^11].
- DEF CON (https://defcon.org) — the largest annual hacker conference. Founded 1993 by Jeff Moss in Las Vegas[^12]. Vol 5 treats the conference (and its sibling Black Hat) as inflection points in how the field organized itself.
- Black Hat Briefings (https://blackhat.com) — the corporate-aligned security conference, also founded by Moss (1997)[^13]. The professionalized counterpart to DEF CON.
- 2600: The Hacker Quarterly (https://2600.com) — the foundational hacker magazine, published continuously since 1984[^14]. The cultural artifact most representative of the grey-and-white hat reading public.
- Phrack (http://phrack.org) — the foundational hacker e-zine, published since 1985[^15]. The technical counterpart to 2600 — the home of seminal articles like Aleph One’s “Smashing the Stack for Fun and Profit” (1996).
Series infrastructure.
- The Hack Tools deep-dive protocol (../../../_shared/deep_dive_protocol.md) — the project-wide protocol this series follows. Volume conventions, the visual-density requirement, the build pipeline.
- This series’ design spec (../../../docs/superpowers/specs/2026-05-14-hacker-tradecraft-design.md) — the brainstormed structure that produced the 21-volume map.
- The Hack Tools legal/ethics baseline (../../../_shared/legal_ethics.md) — the cross-tool legal posture rules. Vol 19 expands on these; every hat volume’s §1 restates the relevant subset.
- The Hack Tools comparison matrix (../../../_shared/comparison.md) — the cross-tool decision matrix. The reference cluster (Vols 13–17) cross-links into it heavily.
This is Volume 1 of a ~21-volume series. Next: Vol 2 traces the proto-hacking era — phone phreaking from the 1950s blue boxes through Captain Crunch, the MIT Tech Model Railroad Club and the origin of the hacker ethic, the Homebrew Computer Club, and the 1970s ARPANET research-lab culture out of which the modern field grew.
Footnotes

[^1]: The “kill chain” model — recon → weaponization → delivery → exploitation → installation → command-and-control → actions-on-objectives — was formalized by Lockheed Martin researchers Eric Hutchins, Michael Cloppert, and Rohan Amin in their 2011 paper Intelligence-Driven Computer Network Defense Informed by Analysis of Adversary Campaigns and Intrusion Kill Chains. It is the dominant framing in modern defensive doctrine; the MITRE ATT&CK framework (2013–present) is the granular taxonomy underneath the kill-chain abstraction. Vol 10 (blue hat) and Vol 4 (modern history) treat both in depth.

[^2]: The Computer Fraud and Abuse Act, 18 U.S.C. § 1030, enacted 1986 with significant amendments through 2008. The act criminalizes “access without authorization” and “exceeding authorized access” — terms whose interpretation has shifted considerably over time, most recently in Van Buren v. United States, 593 U.S. ___ (2021), which narrowed the “exceeds authorized access” prong. Vol 19 covers the act’s structure and current interpretation in detail.

[^3]: The UK Computer Misuse Act 1990, amended 2006 and 2015. Criminalizes “unauthorised access” (§1), unauthorised access with intent to commit further offences (§2), and unauthorised acts impairing operation of a computer (§3). Functionally analogous to CFAA §1030(a)(2) and (a)(5).

[^4]: The term “purple team” appears in published security literature from the mid-2010s onward as the synthesis of red and blue. The genealogy of the term is contested; see Vol 12 for a detailed treatment.

[^5]: The anchor convention is documented in Hacker Tradecraft/02-inputs/volume_sources/README.md — the build pipeline auto-generates every section’s HTML id as vol{NN}-<heading-slug>, where the slug is the lowercase-hyphenated form of the heading text. Reference-cluster (13–17) and hat-volume (6–12) headings are frozen append-only once committed; this volume is the overview and is not on the frozen list, but downstream readers may still bookmark its anchors.

[^6]: The Convention on Cybercrime of the Council of Europe (the Budapest Convention), opened for signature 2001. As of 2024 it has 68 state parties including non-Council-of-Europe signatories such as the United States, Canada, Japan, and Australia. Establishes broadly harmonized criminalization of unauthorized access (Article 2), data interference (Article 4), and related acts.

[^7]: Levy, Steven. Hackers: Heroes of the Computer Revolution. Doubleday, 1984. 25th-anniversary edition O’Reilly Media, 2010. The canonical popular history of the MIT-AI-Lab / Tech Model Railroad Club / Homebrew Computer Club era. Articulated the six-point “hacker ethic” that became the lodestar of subsequent hacker culture.
-
Sterling, Bruce. The Hacker Crackdown: Law and Disorder on the Electronic Frontier. Bantam Books, 1992. Freely available via Project Gutenberg at https://www.gutenberg.org/ebooks/101. Covers the 1990 Operation Sundevil raids, the prosecution of Craig Neidorf over the E911 document, and the founding of the EFF. ↩
-
Greenberg, Andy. Sandworm: A New Era of Cyberwar and the Hunt for the Kremlin’s Most Dangerous Hackers. Doubleday, 2019. The authoritative reported history of the Russian GRU’s Unit 74455, including the NotPetya attack of 2017 — the most economically damaging cyberattack on record. ↩
-
Zetter, Kim. Countdown to Zero Day: Stuxnet and the Launch of the World’s First Digital Weapon. Crown, 2014. The reconstruction of the Stuxnet operation against Iranian uranium-enrichment infrastructure (discovered 2010) and the first sustained mainstream account of nation-state digital sabotage. ↩
-
Electronic Frontier Foundation, founded 1990. Per the EFF’s own founding history (https://eff.org/about/history): “EFF was founded in July of 1990 in response to a basic threat to speech and privacy” — the U.S. Secret Service’s Operation Sundevil raids and the prosecution of Steve Jackson Games. Founders: Mitch Kapor (Lotus founder), John Perry Barlow (Grateful Dead lyricist and essayist), John Gilmore (Sun Microsystems engineer). ↩
-
DEF CON, founded 1993 by Jeff Moss (online handle: The Dark Tangent) in Las Vegas. Per DEF CON’s own history page (https://defcon.org/html/links/dc-about.html), DEF CON 1 ran in 1993 with approximately 100 attendees; by 2023 (DEF CON 31) attendance exceeded 30,000. The conference is the largest sustained gathering of the hacker community. ↩
-
Black Hat Briefings, founded 1997 by Jeff Moss as the corporate-aligned counterpart to DEF CON. Acquired by CMP Media in 2005, subsequently UBM and now Informa. Held annually in Las Vegas (the week before DEF CON), with additional regional events in Asia, Europe, and the Middle East. ↩
-
2600: The Hacker Quarterly, founded 1984 by Eric Corley (online handle: Emmanuel Goldstein). Continuously published since. The name derives from the 2600 Hz tone Captain Crunch used to seize phone-network trunks — see Vol 2 for the phreaking history. The magazine has been continuously published in print since 1984, an unusual longevity for any independent publication, let alone one in a fast-moving technical field. ↩
-
Phrack (a portmanteau of “phreak” and “hack”), founded 1985 by Taran King and Knight Lightning. Published in irregular volumes (the gaps between issues run from months to years); seminal articles include “Smashing the Stack for Fun and Profit” by Aleph One in issue 49 (1996), which formalized the buffer-overflow exploitation technique that defined the late-1990s and 2000s exploitation era. Vol 3 of this series treats Phrack as a primary historical source. ↩
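As an added example (not the series’ own build pipeline), the Python below derives a section id under the vol{NN}-<heading-slug> convention from footnote 5 and checks the append-only rule for frozen volumes, so a renamed heading in a reference-cluster or hat volume is caught before it breaks bookmarked anchors. How the real pipeline treats punctuation and non-ASCII heading text is not stated on the page, so the normalisation in heading_slug, the FROZEN_VOLUMES range and the check_append_only helper are assumptions, and the headings in the sample are constructed.

```python
import re
import unicodedata

# Assumption from footnote 5: hat volumes (6-12) and the reference cluster
# (13-17) have frozen, append-only anchors once committed.
FROZEN_VOLUMES = range(6, 18)


def heading_slug(heading: str) -> str:
    """Lowercase-hyphenated form of a heading (assumed normalisation rules)."""
    # Fold accents to ASCII and drop anything non-ASCII (em-dashes, curly
    # quotes, section signs), then keep only letters, digits and separators.
    text = unicodedata.normalize("NFKD", heading).encode("ascii", "ignore").decode()
    text = re.sub(r"[^a-z0-9\s-]", "", text.lower())
    # Collapse runs of whitespace or hyphens into a single hyphen.
    return re.sub(r"[\s-]+", "-", text).strip("-")


def anchor_id(volume: int, heading: str) -> str:
    """HTML id for one section, e.g. vol01-about-this-volume-and-this-series."""
    return f"vol{volume:02d}-{heading_slug(heading)}"


def check_append_only(volume: int, committed_ids, new_headings) -> list:
    """Return the committed anchors that the new heading set would drop.

    For a frozen volume an empty list means the edit is allowed: headings may
    be added, but every committed id must still be generated. Non-frozen
    volumes (this overview is one) always pass.
    """
    if volume not in FROZEN_VOLUMES:
        return []
    new_ids = {anchor_id(volume, h) for h in new_headings}
    return sorted(set(committed_ids) - new_ids)


if __name__ == "__main__":
    # Constructed sample: a frozen reference-cluster volume whose first
    # heading was renamed, which would break any bookmarked link to it.
    committed = ["vol13-scope", "vol13-replay-and-rolling-codes"]
    dropped = check_append_only(
        13, committed, ["Scope and reading order", "Replay and rolling codes"]
    )
    print("dropped anchors:", dropped)  # ['vol13-scope']
```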