Hacker Tradecraft Volume 20 — Cheatsheet
Field-grade laminate-ready synthesis cards
1. About this cheatsheet
Each numbered card below is a self-contained one-pager. Print individual cards, laminate, carry. The cheatsheet is the synthesis of Vols 1-19 into field-grade reference artifacts — bullets per Vols 2/3/4/5 and the §8 “cheatsheet bullets” callouts in Vols 6-12 were authored with this volume as the explicit destination. Where a card asserts a load-bearing fact, the depth source is named in the card’s footer; consult the named volume for citations. Nothing here is legal advice — Vol 19 is the canonical legal reference and itself opens with that disclaimer. All cert / comp / pricing figures are early-2026; verify before relying.
| Use mode | What you do |
|---|---|
| Carry-into-engagement | Print Cards 3, 6, 8 (lifecycle, legal-line, disclosure). Three sheets cover scoping → ROE → out-of-scope → disclosure. |
| Bench reference | Pin Cards 2, 5, 7, 10 above the bench (hat spectrum, RF bands, certs, cross-tool map). |
| Mentoring / hiring conversations | Cards 2, 7, 11 (spectrum, cert ladder, starter kit). |
| Pre-engagement legal-readout | Card 6 (legal-line) is the laminate; read it back to the client at scope-signing. |
| Quick navigation | Card 9 maps any factual question to the volume that answers it. |
Density convention. Cards trade prose for tables and boxed ASCII. Prose paragraphs are ≤3 sentences anywhere in this volume. If a card looks empty it is because the table is the content.
2. Hat-spectrum card
╔════════════════════════════════════════════════════════════════════════╗
║ THE SEVEN HATS — ONE ROW EACH                                          ║
║ Read left-to-right. The hat is the paperwork.                          ║
╚════════════════════════════════════════════════════════════════════════╝
| Hat | Authorization stance | Engagement role | Legal exposure | “If you are X, your goal is Y” |
|---|---|---|---|---|
| White | Authorized — written scope, signed SOW, ROE in hand | Offense (pentest / red-team-as-service) | Legal inside scope; out-of-scope work is unauthorized access | Find vulns the client agreed to let you find, document them, report them, retest after fix |
| Black | Unauthorized — by definition | Offense for personal / financial / ideological / destructive ends | Felony in essentially every jurisdiction (CFAA / CMA / Directive 2013/40/EU) | Get in, get value out, get out without being caught — and accept the consequences if caught |
| Grey | Unauthorized — but constructive intent, disclose afterward | Offense → disclosure | Same statutory exposure as black; good intentions are not a legal defence | Find a vuln in the wild, prove it, disclose responsibly. Modern path: route the same work through a bug-bounty program for safe harbor |
| Green | Sanctioned-lab only — CTF, HackTheBox, owned-hardware lab | Learner; not yet operational | Legal as long as practice stays in sanctioned environments | Build skill via build → break → understand → write up. Avoid the “I’ll just try it on a real site” failure mode |
| Blue | Authorized by employment role | Defense — SOC / IR / threat hunting / detection engineering | Legal by definition; “hack-back” is the edge case (don’t) | Detect, triage, respond, hunt; make “once” rare and contained when it happens |
| Red | Authorized adversary emulation (modern usage) | Offense — adversary emulation, longer scope than pentest | Legal under written authorization; vigilante sense is illegal everywhere | Emulate a named threat actor against a named objective, exercise the defender, hand off the detection-gap list |
| Purple | Authorized — both sides on same payroll | Synthesis — red+blue collaboration, real-time | Legal by construction | Close the loop: red executes TTP → blue observes → detection-engineering fills gap → red revalidates |
┌─ AXIS 1 — Motivation / Legality ─┐   ┌─ AXIS 2 — Engagement role ─┐
│                                  │   │                            │
│  BLACK ── GREY   GREEN   WHITE   │   │   RED ←──→ BLUE  + PURPLE  │
│  ──────────────────────────────  │   │  (atk side) (def side)     │
│  unauthorized        authorized  │   │             (synthesis)    │
│  illegal                  legal  │   │                            │
└──────────────────────────────────┘   └────────────────────────────┘
The hat = ethical stance. The team color = role this week.
A white-hat can play red, blue, or purple on different engagements.
Load-bearing facts to memorize.
- The hat is the paperwork, not the gear. Same toolkit; the SOW determines color.
- Authorization is binary. No defense by intent, no defense by skill, no defense by “vulnerability was obvious.”
- “Red hat” has three senses (engagement-role / vigilante / Red Hat Inc.) — disambiguate from context.
- “Blue hat” has two live senses (defender / Microsoft BlueHat program) — disambiguate from context.
- “Purple is a verb.” A practice an organization does, not (mostly) a job title.
Source depth: Vol 1 §3-4, Vol 5 §6, Vols 6-12 §1 each.
3. Two-axis map card
The classic hats describe what side of the law an operator is on. The team colors describe what role an operator is playing in a structured exercise. The terms are routinely conflated; this card separates them.
══════════════════════════════════════════════════════════════════════
AXIS 1 — Ethical stance / Legality
(the original "hat" axis)

unauthorized ◄──────────────────────────────────────► authorized
 illegal                neutral                         legal
    │             │                 │                    │
    ▼             ▼                 ▼                    ▼
  BLACK ──────── GREY ─────────── GREEN ────────────── WHITE
(criminal) (unauth research)   (newcomer)         (auth pentest)
══════════════════════════════════════════════════════════════════════
AXIS 2 — Engagement role
(the "team color" axis)

        ┌──────────────────────────────────┐
        │      PURPLE = the synthesis      │
        │   (red+blue in feedback loop)    │
        │     ┌──────────────────────┐     │
        │ RED │  shared defenders'   │ BLUE│
        │ atk │  visibility window   │ def │
        │     └──────────────────────┘     │
        └──────────────────────────────────┘

"Red hat" = the team-color sense if context is engagement-role;
            the vigilante sense if context is motivation/legality.
══════════════════════════════════════════════════════════════════════
The composition table — Axis 1 × Axis 2:
| | White-hat | Black-hat | Grey-hat | Green-hat |
|---|---|---|---|---|
| Red team role | Authorized adversary emulation (modal industry usage) | Not a thing — unauthorized = crime | Fringe disclosure-activist framing; still unauthorized | Inapplicable |
| Blue team role | The modal in-house defender / SOC consultant | Insider-threat framing | Almost never overlaps | Common entry path — many green-hats start in SOC |
| Purple team role | Modal in mature SecOps shops | N/A | N/A | Rare — requires operational maturity on both sides |
The single sentence that disambiguates the language. The hat is your ethical stance; the team color is your engagement role this week. A white-hat operator can play red on Monday, blue on Tuesday, and purple on Wednesday — the hat doesn’t change.
Source depth: Vol 5 §6, §8, Vol 1 §4.
4. Engagement-lifecycle card
The authorized-engagement lifecycle, end to end, for a white-hat / red-team practitioner. Every box is a phase; every callout is a gate the engagement must clear before proceeding.
┌──────────────────────────────────────────────────────────────────────┐
│                   AUTHORIZED-ENGAGEMENT LIFECYCLE                    │
└──────────────────────────────────────────────────────────────────────┘
┌─ SCOPING ──────┐      ┌─ AUTHORIZATION ─┐      ┌─ RECON ──────────┐
│ Define target  │  ─►  │ SOW signed      │  ─►  │ Passive recon    │
│ Define window  │      │ Scope final     │      │ (OSINT, DNS,     │
│ Define rules   │      │ ROE signed      │      │  cert transp.)   │
│                │      │ GOJL in pocket  │      │ Active recon     │
└────────────────┘      └─────────────────┘      │ (Nmap, banners)  │
                                                 └─────────┬────────┘
                                                           │
┌─ REPORT ──────┐      ┌─ POST-EX ────┐      ┌─ EXPLOIT / GAIN ─────┐
│ Findings doc  │  ◄─  │ Lateral move │  ◄─  │ Initial access       │
│ Risk ratings  │      │ Priv esc     │      │ Vuln chain → foothold│
│ Repro steps   │      │ Persistence  │      │ Stay in scope ←─ key │
│ Remediation   │      │ (red-team)   │      │ rule                 │
└───────┬───────┘      │ Objective    │      └──────────────────────┘
        │              └──────────────┘
        ▼
┌─ CLEANUP ─────┐      ┌─ RETEST ─────────┐
│ Remove tools  │  ─►  │ Verify fixes     │
│ Remove persist│      │ Re-exploit those │
│ (white-hat)   │      │ that aren't fixed│
└───────────────┘      └──────────────────┘
Authorization stack — must all be present before the first packet:
| Document | What it does | Who signs |
|---|---|---|
| SOW (Statement of Work) | Defines deliverables, dates, fees | Client-side executive with budget authority + consultancy principal |
| Scope document | Lists targets (CIDR ranges / FQDNs / facility addresses / app URLs); enumerates what is in and what is out | Client-side IT + legal; pentest lead |
| ROE (Rules of Engagement) | Permitted actions, prohibited actions, test windows, emergency contacts, deconfliction protocol | Client-side IT-ops + security; pentest lead |
| GOJL (“Get Out Of Jail Letter”) | Authorization letter the operator carries during physical-entry / red-team engagements; states the bearer has authority to be there | Client-side senior executive (often C-suite) |
Fillable engagement-data slots:
┌────────────────────────────────────────────────────────────────┐
│ CLIENT: ______________________ ENGAGEMENT ID: ____________     │
│ PRIMARY POC: ________________ PHONE: _____________________     │
│ ESCALATION POC: _____________ PHONE: _____________________     │
│ ENGAGEMENT WINDOW: ____________ to ____________                │
│ IN-SCOPE: __________________________________________________   │
│ OUT-OF-SCOPE: ______________________________________________   │
│ EMERGENCY-STOP SIGNAL: _____________________________________   │
│ REPORT DUE DATE: ___________ RETEST WINDOW: ______________     │
└────────────────────────────────────────────────────────────────┘
Red flags during engagement:
- Out-of-scope finding — stop, notify, document, do not pivot. (See Card 8.)
- Live-traffic risk — DoS-class technique against a target not pre-authorized for it.
- Client communication breakdown — POC unreachable >24h while engagement is hot.
- Scope drift — verbal authorization to test additional system without paperwork update. Get the paperwork first.
- Detection-evasion ambiguity — ROE doesn’t specify whether to evade EDR; assume not unless authorized.
Time-budget rule. ~50% of engagement time is reporting. Budget for it from day one. Cleanup is part of the engagement, not optional — persistence forgotten = access the consultant created without authorization.
Source depth: Vol 6 §4, Vol 11 §4, Vol 19 §4.
5. RF-band quick card
╔════════════════════════════════════════════════════════════════════════╗
║ THE SPECTRUM MAP — SECURITY-RELEVANT BANDS, ONE LINE EACH              ║
║ Receive ≈ generally legal. Transmit ≈ license/Part-15 only.            ║
╚════════════════════════════════════════════════════════════════════════╝
| Band | Frequency | Typical use | Typical tool | TX legality (US) |
|---|---|---|---|---|
| LF RFID | 125–134 kHz | EM4100 / HID Prox / Indala access cards | Proxmark3, Flipper Zero RFID | Inductive, very short range; unlicensed |
| AM broadcast | 530–1700 kHz | Commercial AM | RTL-SDR V4 (HF) | Licensed broadcaster only |
| HF amateur | 1.8–30 MHz | Amateur (160m–10m), SW broadcast | RTL-SDR V4 native HF | FCC Part 97 (amateur license) |
| NFC / HF RFID | 13.56 MHz | MIFARE / DESFire / FeliCa / payments / passports | Proxmark3, Flipper NFC, ACR122U | Inductive, very short range; unlicensed |
| FM broadcast | 88–108 MHz | Commercial FM | Any SDR (canonical first capture) | Licensed broadcaster only |
| VHF aviation | 108–137 MHz | ATC voice (AM), ACARS, VOR/ILS, ADS-B uplink | RTL-SDR — canonical aircraft tool | FAA/FCC licensed |
| VHF marine / AIS | 156–162 MHz | Marine VHF; AIS at 161.975 / 162.025 | RTL-SDR + rtl_ais | FCC Part 80 (license) |
| 2 m / 70 cm amateur | 144 / 420–450 MHz | Amateur VHF / UHF | RTL-SDR / HackRF | FCC Part 97 (license) |
| ISM 315 MHz | 315 MHz | TPMS (US), garage doors, key fobs | RTL-SDR, HackRF, Flipper sub-GHz | FCC Part 15 (low-power unlicensed) |
| ISM 433 MHz | 433.05–434.79 MHz | Garage doors, key fobs (EU+intl), sensors — the most populated sub-GHz band | RTL-SDR + rtl_433, Flipper | FCC Part 15 §15.231 / ETSI EN 300 220 |
| ISM 868 MHz | 863–870 MHz | LoRa EU, Z-Wave EU, smart-meter EU | HackRF, dedicated LoRa | ETSI EN 300 220 |
| ISM 915 MHz | 902–928 MHz | LoRa US, Z-Wave US, smart-meter US, 802.15.4 | HackRF | FCC Part 15.247 (FHSS) |
| GPS L1 | 1575.42 MHz | GPS civil signal | Active antenna + GPS receiver | Receive unrestricted; spoofing/jamming illegal (§ 333) |
| GSM legacy | 824–894 / 1800 / 1900 MHz | 2G (largely shut down in US) | gr-gsm, HackRF | Licensed cellular; interception barred by ECPA |
| LTE / 5G NR | 700 MHz – 3.5 GHz / 24–40 GHz | Cellular 4G/5G | Hard — specialty SDR / lab gear | Licensed cellular |
| ADS-B | 1090 MHz | Aircraft position broadcast (Mode-S) | RTL-SDR + dump1090 — canonical demo | Licensed transponder; RX unrestricted |
| 2.4 GHz ISM | 2400–2483.5 MHz | Wi-Fi 2.4 / BLE / Zigbee / drone control | Atheros / Realtek monitor-mode adapters, Ubertooth, HackRF (edge) | FCC Part 15 / ETSI |
| 5 GHz U-NII | 5150–5895 MHz | Wi-Fi 5/6 | 802.11 monitor-mode adapter | FCC Part 15.247 / §15.407 |
| 6 GHz Wi-Fi 6E/7 | 5925–7125 MHz | Wi-Fi 6E / 7 | 6E-capable adapter; HackRF cuts off at 6 GHz | FCC Part 15 (2020 expansion) |
Five facts that drive operator behavior:
- 433.92 MHz is the population center of sub-GHz consumer wireless. Any unknown-environment survey starts there.
- GPS L1 arrives at roughly −130 dBm, below the thermal noise floor; the signal is recovered only via CDMA correlation. A passive waterfall shows nothing usable; the receiver does the correlation.
- LoRa is CSS, not OOK/FSK — rtl_433 won’t decode it. Use gr-lora, rpitx-LoRa, or a dedicated LoRa gateway.
- 47 U.S.C. § 333 prohibits willful interference with licensed radio. Marriott was fined $600,000 (Oct 3, 2014) for jamming guest Wi-Fi hotspots.
- ECPA 18 U.S.C. § 2510 et seq. bars interception of cellular voice — receive-only ≠ legal for cellular.
Source depth: Vol 13 §3 + §6, Vol 14, Vol 15 §2, Vol 19 §6.
6. Legal-line card
╔════════════════════════════════════════════════════════════════════════╗
║ THE LEGAL LINE — CARRY THIS CARD                                       ║
║                                                                        ║
║ "Good intentions are not a legal defence."                             ║
║ The line is paperwork. The line is binary. When in doubt — don't.      ║
╚════════════════════════════════════════════════════════════════════════╝
United States — CFAA 18 U.S.C. § 1030.
| Subsection | What it criminalizes | Max penalty (first offense) |
|---|---|---|
| § 1030(a)(1) | Espionage — gathering national defense info | 10 yrs |
| § 1030(a)(2) | Access without authorization → obtain info from protected computer | 1 yr (misdemeanor); 5 yrs (felony if value > $5K / commercial gain / further crime) |
| § 1030(a)(3) | Access without authorization to nonpublic federal computer | 1 yr (misdemeanor) |
| § 1030(a)(4) | Access without authorization with intent to defraud + > $5K obtained | 5 yrs |
| § 1030(a)(5)(A) | Knowingly causing transmission that intentionally damages a computer | 10 yrs |
| § 1030(a)(5)(B) | Intentional access without authorization causing reckless damage | 5 yrs |
| § 1030(a)(5)(C) | Intentional access without authorization causing damage and loss | 1 yr |
| § 1030(a)(7) | Extortion via threat to damage / disclose / not repair | 5 yrs |
Penalty stacking is the geometry. CFAA + wire fraud (§ 1343) + conspiracy (§ 371) + aggravated identity theft (§ 1028A, mandatory 2-year consecutive) + money laundering (§ 1957) routinely sum to decades on indictment. The Swartz September 2012 superseding indictment was the canonical illustration; the Gonzalez 20-year sentence is the modal disposition for high-volume cases.
The Van Buren narrowing. Van Buren v. United States 593 U.S. 374 (2021), No. 19-783, 141 S. Ct. 1648 — 6-3 (Barrett majority joined by Breyer, Sotomayor, Kagan, Gorsuch, Kavanaugh; Thomas dissent joined by Roberts, Alito). Gates-up-or-down: “exceeds authorized access” applies only when an operator accesses files / folders / databases the system rules say they can’t, not to misuse of files they were permitted to access. Critical: Van Buren narrowed the “exceeds authorized access” prong; the “without authorization” prong remains broad. Most grey-hat exposure is still under the “without authorization” prong, which Van Buren did not touch.
DOJ May 19, 2022 charging policy narrowed federal prosecutorial discretion: “good-faith security research” is defined and presumptively not charged. Not a defense, not immunity: it is internal DOJ guidance, doesn’t bind state prosecutors, doesn’t affect § 1030(g) civil liability (uncapped).
International equivalents.
| Jurisdiction | Statute | Max penalty (basic offense) |
|---|---|---|
| UK | Computer Misuse Act 1990, § 1/2/3/3ZA/3A | 12 mos summary / 2-10 yrs indictment; § 1 = 2 yrs; § 3A = 2 yrs |
| EU | Directive 2013/40/EU, Articles 3-7 | 2 / 3 / 5 yr minimums per offense class |
| Canada | Criminal Code s. 342.1 | 10 yrs (indictment) |
| Australia | Cybercrime Act 2001, Part 10.7 | 10 yrs |
| Germany | StGB §§ 202a / 202b / 202c | 3 yrs (§ 202a) / 2 yrs (§ 202b) / 1 yr (§ 202c — “Hackerparagraph”; BVerfG 2 BvR 2233/07 (2009) requires specific intent) |
| Japan | Act 128/1999 (eff. Feb 13 2000) | 3 yrs / ¥1M |
| Russia / China | Broad statutes; jurisdictional reach matters | Variable |
| Multilateral | Budapest Convention (~70 ratifying states; not Russia or China) | Sets baseline |
Authorization checklist (Card 4 has the lifecycle context):
- SOW signed by client executive with budget authority
- Scope document final, listing in-scope and out-of-scope targets
- ROE signed, permitted actions enumerated, deconfliction defined
- GOJL in operator’s pocket for physical-entry / red-team work
- Bug-bounty work: published program scope + explicit safe-harbor language
Out-of-scope discovery protocol — the four-step:
1. STOP — halt the current action immediately
2. NOTIFY — call the client POC; document the time
3. DOCUMENT — record the discovery; do not pivot
4. DISCLOSE — finding goes into the report as out-of-scope observation
RF-specific quick reference.
- Receive is generally legal in the US (47 U.S.C. § 605 has narrow disclosure restrictions). Transmit requires license or Part 15-compliant device.
- ECPA § 2510 bars interception of cellular voice — even passive receive.
- 47 U.S.C. § 333 bars willful interference. Marriott $600K (Oct 3 2014) is the precedent.
- Replay against systems you don’t own → CFAA + state law overlap, regardless of how the captured packet got into your possession.
International / cross-border — your jurisdiction is not the only one that applies. Engaging a UK target from US soil exposes the operator to both CMA and CFAA. The Budapest Convention’s MLAT framework makes cross-border evidence-sharing routine.
The single load-bearing rule. No paperwork → no engagement. The line is binary. Owning the hardware is not authorization. Believing the target’s security is bad is not authorization. “I was just looking” is not authorization. When in doubt: don’t. Consult an attorney (EFF Coders’ Rights Project, Open Rights Group UK, CCC legal-aid Germany are starting points).
Source depth: Vol 19 §2-7. This card is not legal advice — Vol 19 itself isn’t either.
7. Cert-ladder card
╔════════════════════════════════════════════════════════════════════════╗
║ THE CERT LADDER — APPROXIMATE COSTS AS OF EARLY 2026                   ║
║ The certs open the door. The portfolio decides what's behind it.       ║
╚════════════════════════════════════════════════════════════════════════╝
Tier 1 — Entry / HR filter. Required by procurement, not by practitioners.
| Cert | Provider | ~Cost | Format | Signal | When useful |
|---|---|---|---|---|---|
| Security+ | CompTIA | $390 | MC + perf-based | Foundational; DoD 8140 baseline | Entry HR filter; required for cleared roles |
| CySA+ | CompTIA | $404 | MC + perf-based | SOC-focused | SOC tier-1 / tier-2 HR pass |
| PenTest+ | CompTIA | $404 | MC + perf-based | Pentest-adjacent | Entry pentest HR pass |
| CEH | EC-Council | $1,200 | MC (+ optional practical) | Low with practitioners; high for DoD 8140 procurement | Federal-contractor procurement; resume bullet |
| eJPT | INE | $200 | 48-hr practical | Rising (practitioner-respected) | First hands-on cert; cheap practical signal |
Tier 2 — Practitioner / hands-on. What the field actually respects.
| Cert | Provider | ~Cost | Format | Signal | When useful |
|---|---|---|---|---|---|
| OSCP / OSCP+ | Offensive Security | ~$1,749 (standard PEN-200 bundle) | 24-hr practical + report | High — industry baseline | Entry-to-mid pentest hires; canonical hands-on. Rebranded OSCP+ Nov 1, 2024 with 3-year expiration; pre-Nov-1 OSCP grandfathered lifetime. See Vol 18 §3.2. |
| PNPT | TCM Security | $399–$599 | 5-day practical, AD-focused | Rising | Accessible OSCP alternative; AD-focused |
| CRTO | Zero-Point Security | $500 | Practical lab | High in red-team circles | Mid-to-senior red-team operator |
| CRTP | Altered Security | $300 | Practical lab | Mid-high (AD-specialization) | Mid-level AD red-team |
| OSDA (SOC-200) | OffSec | $1,999 | Practical + report | Rising (defender track) | Defender-track practical |
Tier 3 — Specialized / senior. Earned after demonstrated work.
| Cert | Provider | ~Cost | Signal | Role |
|---|---|---|---|---|
| OSEP (PEN-300) | OffSec | $2,499 | High | Senior offensive / evasion |
| OSWE (WEB-300) | OffSec | $2,499 | High | Senior web-app |
| OSED (EXP-301) | OffSec | $2,499 | High | Senior exploit-dev |
| OSEE (EXP-401) | OffSec | Varies (on-site) | Elite (small holder pool) | Windows kernel exploit-dev |
| CRTL | Zero-Point Security | $1,200 | High | Senior red-team lead |
| CRTE | Altered Security | $500 | High | Senior AD red-team |
| GPEN / GXPN / GWAPT | SANS GIAC | ~$8,000+ each (course bundle) | High enterprise/gov | Enterprise pentest / advanced exploit / web |
| GCIH | SANS GIAC | ~$8,000+ | High (canonical IR) | Mid-senior IR |
| GCFA / GREM | SANS GIAC | ~$8,000+ each | High (DFIR / malware) | Senior DFIR / malware analyst |
| GCDA / GDAT | SANS GIAC | ~$8,000+ each | Rising (DE / purple) | Detection-engineering / purple-team |
| MAD ATT&CK | MAD20 | $499/yr (sub) | Mid (ATT&CK fluency) | ATT&CK-framework practical |
Tier 4 — Managerial / governance. Procurement gold; practitioner skepticism.
| Cert | Provider | ~Cost | Signal | Role |
|---|---|---|---|---|
| CISSP | (ISC)² | $749 + maintenance | High (managerial) | Manager / architect / CISO |
| CISM | ISACA | $760 | High (managerial) | Security manager / CISO |
| CISA | ISACA | $760 | High (audit) | Audit / compliance |
| CCSP | (ISC)² | $599 | High (cloud-architect) | Vendor-agnostic cloud architect |
Cloud-specialist add-ons — AWS Security Specialty ($300), Microsoft SC-100 ($165), Google PCSE ($200). High in cloud-aligned roles.
Reading the ladder.
- Entry-into-the-field: Security+ → eJPT → OSCP is the canonical 12-18 month progression.
- Pentest career: OSCP floor → CRTO / OSEP → senior. The portfolio (CVEs, CTFs, conference talks) is the differentiator above the floor.
- Defender career: Security+ → CySA+ → GCIH → GCFA. SANS GIAC is the canonical defender ladder; course bundles are expensive but employer-paid is the norm.
- Red-team career: pentest experience (3-5 yrs) → CRTO → CRTL. Entry-level direct-to-red-team is rare.
- Purple-team career: come from red or blue first; SANS GDAT + MAD as the ATT&CK fluency credential.
- Managerial pivot: CISSP at the 5-10 year mark; CISM for the security-program-management track.
The pricing qualifier. All figures are early-2026. SANS bundles have trended up consistently 5 yrs running. OffSec restructured PEN-200 pricing multiple times. CompTIA vouchers are routinely discounted via academic / bulk / promotional channels. Verify against the issuing organization’s current site before any budget decision.
Source depth: Vol 18 §3. Per-hat cert ladders: Vols 6/8-12 §6 each.
8. Disclosure-decision card
╔════════════════════════════════════════════════════════════════════════╗
║ YOU FOUND A VULN. WHAT NOW?                                            ║
║ The decision tree below covers the modal cases.                        ║
╚════════════════════════════════════════════════════════════════════════╝
                                   ┌─────────────────────────┐
                                   │     YOU FOUND A VULN    │
                                   └────────────┬────────────┘
                                                │
                           ┌────────────────────▼────────────────────┐
                           │ Q1: Authorized engagement / bug bounty? │
                           └────────────────────┬────────────────────┘
                                                │
             ┌──────────────────────────────────┤
            YES                                NO
             │                                  │
             ▼                                  ▼
    ┌─────────────────┐              ┌──────────────────────┐
    │ Follow the ROE  │              │ Q2: VDP / coordinated│
    │ Report to client│              │ disclosure published │
    │ Patch + retest  │              │ by vendor?           │
    └─────────────────┘              └──────────┬───────────┘
                                                │
             ┌──────────────────────────────────┤
            YES                                NO
             │                                  │
             ▼                                  ▼
  ┌─────────────────────┐          ┌────────────────────────┐
  │ Submit via VDP      │          │ Q3: Identifiable PSIRT │
  │ (HackerOne /        │          │ contact / security@?   │
  │ Bugcrowd / vendor)  │          └────────────┬───────────┘
  │ 90-day default      │                       │
  │ deadline            │                       │
  └─────────────────────┘                       │
             ┌──────────────────────────────────┤
            YES                                NO
             │                                  │
             ▼                                  ▼
    ┌──────────────────┐             ┌─────────────────────┐
    │ Notify privately │             │ CERT/CC as          │
    │ Set deadline     │             │ intermediary —      │
    │ (90-day default) │             │ kb.cert.org/vuls    │
    │ Plan release     │             └──────────┬──────────┘
    └────────┬─────────┘                        │
             │                                  │
             └──────────────────────────────────┤
                                                │
                                ┌───────────────▼───────────────┐
                                │ Q4: Vendor responds + patches │
                                │ within deadline?              │
                                └───────────────┬───────────────┘
                                                │
             ┌──────────────────────────────────┤
            YES                                NO
             │                                  │
             ▼                                  ▼
 ┌───────────────────────┐        ┌───────────────────────────┐
 │ Coordinated public    │        │ Q5: Critical infra /      │
 │ disclosure post-patch │        │ life-safety?              │
 └───────────────────────┘        └─────────────┬─────────────┘
                                                │
             ┌──────────────────────────────────┤
            YES                                NO
             │                                  │
             ▼                                  ▼
 ┌───────────────────────┐         ┌─────────────────────────┐
 │ Notify CISA / NCSC /  │         │ Consider full disclosure│
 │ sector-ISAC first;    │         │ (Bugtraq lineage) — or  │
 │ extend deadline       │         │ withhold (legitimate    │
 └───────────────────────┘         │ choice)                 │
                                   └─────────────────────────┘
The four canonical paths:
| Path | What you do | When it’s right | When it’s wrong |
|---|---|---|---|
| Coordinated | Notify vendor privately; agree on disclosure date; publish post-patch | Modal path; default unless vendor is unresponsive | Vendor consistently unresponsive; bug actively exploited in wild |
| Full disclosure | Publish details (Bugtraq lineage) without vendor coordination | Vendor unresponsive 90+ days; public safety case for forcing patch | When vendor is responsive; when no PoC pressure to fix is needed |
| Sale to broker | Sell to ZDI / Zerodium / vendor program | Legal pathway for commercial researcher | NSO / sovereign-customer brokers — ethically contested; map to your personal line |
| Sit on it | Don’t disclose; archive privately | Personal data-protection cases; thesis-period research | When bug is actively exploited; when you’ve signaled disclosure publicly |
The 90-day default. Google Project Zero (founded July 2014) established the 90-day deadline + 14-day grace period for imminent patch norm. Modern bug-bounty programs (HackerOne, Bugcrowd, Intigriti, YesWeHack) inherit it.
Bug-bounty safe-harbor language — the load-bearing legal layer:
- Published program scope must enumerate in-scope targets and prohibited actions.
- Explicit safe-harbor clause confirming the program is the operator’s authorization.
- “Good faith” research definition matching the DOJ May 2022 framework.
- Caveat: safe-harbor is between researcher and vendor — does not bind third parties, does not affect ECPA-class violations.
Vendor-unresponsive failure-mode — the 6-step:
1. Resubmit through alternate channel (security@ → CISO → exec → CEO)
2. Document every contact attempt with timestamp + medium
3. Engage CERT/CC as intermediary if vendor is unreachable for 60+ days
4. Notify CISA (or national CERT) if critical-infra / life-safety
5. Set hard public-disclosure deadline; communicate it
6. Engage counsel (EFF Coders' Rights Project) before publishing
“Good intentions are not a legal defence.” Grey-hat exposure is identical to black-hat exposure under the CFAA “without authorization” prong. Van Buren narrowed only “exceeds authorized access.” The 2022 DoJ charging policy provides discretion, not immunity. The disclosure tree above is for people who have already done the technical work — the legal exposure was incurred at the moment of unauthorized access, not at the moment of disclosure.
Source depth: Vol 8 §4, Vol 19 §5, Vol 4 §3.
9. Which volume answers X — index card
A practitioner’s question → the volume + section that answers it. Top entries by question density; the complete machine-readable anchor catalog is Vol 21 §3.
| Question | Volume | Section |
|---|---|---|
| What does CFAA § 1030(a)(2) actually say? | Vol 19 | CFAA in depth |
| What did Van Buren narrow? What did it not narrow? | Vol 19 | CFAA in depth §2.3 |
| What’s the difference between SOW / scope / ROE / GOJL? | Vol 19 | Authorization in practice |
| How do I run the disclosure-decision tree? | Vol 19 | Disclosure ethics §5.2 |
| What’s the receive-vs-transmit rule for RF? | Vol 19 | RF-specific law |
| What is the engagement lifecycle for a white-hat? | Vol 6 | Methods and tradecraft |
| What does the black-hat criminal economy look like? | Vol 7 | The criminal economy |
| What’s the grey-hat disclosure decision point? | Vol 8 | Methods and tradecraft |
| What’s the canonical green-hat learning loop? | Vol 9 | §3 (RF starter kit) + §4 (learning platforms) |
| Where does the defender start? (SOC stack) | Vol 10 | Tools of the trade |
| Red-team vs pentest — what’s the difference? | Vol 11 | Methods and tradecraft |
| What is a purple team, actually? | Vol 12 | §1 + Methods and tradecraft |
| What does the SDR receive chain look like? | Vol 13 | SDR fundamentals |
| Which SDR should I buy? | Vol 13 | The gear |
| What’s the rogue-AP family of techniques? | Vol 14 | The rogue-AP family |
| How do I capture and crack a WPA2 handshake? | Vol 14 | Handshake-capture pipeline |
| How do I clone an HID Prox card? | Vol 15 | Access-control attacks |
| LF vs HF RFID — what’s the physics? | Vol 15 | LF vs HF RFID |
| What’s the Hak5 implant family? | Vol 16 | The Hak5 implant family |
| BadUSB / HID injection — how does it work? | Vol 16 | HID injection |
| What are Cialdini’s six (seven) principles? | Vol 17 | The psychology |
| What’s the AiTM phishing setup (Evilginx)? | Vol 17 | Phishing, vishing, smishing |
| Career paths — what are my options? | Vol 18 | The paths |
| What cert should I take next? | Vol 18 | Certs decoded |
| What’s the comp band for SOC tier-1? | Vol 18 | Leveling and compensation |
| How do I build a portfolio / home lab? | Vol 18 | The portfolio and home lab |
| Where did “white hat” / “black hat” come from? | Vol 5 | Western trope + Migration into computing |
| Why is the metaphor still useful (or not)? | Vol 5 | Criticisms of the metaphor |
| What’s the two-axis problem? | Vol 5 | Two-axis problem |
| How did phreaking start? | Vol 2 | The phone network |
| What was the Morris worm? | Vol 3 | Morris worm |
| What’s the ransomware-as-a-business model? | Vol 4 | Ransomware-as-a-business |
| What’s the full anchor index for cross-deep-dive links? | Vol 21 | Canonical anchor index |
The decision graph in compact form:
| What are you trying to do? | Read |
|---|---|
| Understand the field | Vols 1, 5, 20 |
| Read the history of how we got here | Vols 2, 3, 4 |
| Learn one specific hat | Vol 6/7/8/9/10/11/12 |
| Reference the technique | Vols 13-17 + linked tool deep dives |
| Career / hiring / cert decisions | Vols 18, 9 (green), 6 (white) |
| Legal line | Vol 19 + every hat's §1 callout |
| Cross-deep-dive anchor lookup | Vol 21 |
Source depth: Vol 1 §6, Vol 21.
10. Cross-tool quick reference card
╔════════════════════════════════════════════════════════════════════════╗
║ THE HACK TOOLS HUB — DEVICES + WHEN TO REACH FOR EACH                  ║
║ Each row links to the device's full deep dive in this hub.             ║
╚════════════════════════════════════════════════════════════════════════╝
| Tool deep dive | Band / capability | When to reach for it |
|---|---|---|
| HackRF One | 1 MHz – 6 GHz wideband SDR transmit + receive; 20 MS/s; 8-bit; ~$300 | RF capture and replay at engineer depth; portable RF research bench; sub-GHz through 5 GHz Wi-Fi (edge) |
| OpenSourceSDRLab PortaRF | HackRF-class handheld with integrated display + keyboard + battery | The “HackRF as a handheld” use case; tjscientist’s porta already combines HackRF + PortaPack H2+ as the separate-board alternative |
| RTL-SDR | 500 kHz – 1.766 GHz receive-only; 2.4 MS/s; ~$30 | The entry SDR; ADS-B, FM, AIS, sub-GHz receive, rtl_433 decoder |
| Flipper Zero | Sub-GHz (300–928 MHz CC1101) + LF/HF RFID + NFC + IR + BadUSB + GPIO | Multi-tool front-end; field-friendly form factor; everyday-carry RF/RFID/NFC swiss-army knife |
| Proxmark3 RDV4 | LF (125 kHz) + HF (13.56 MHz) RFID; lab-grade with antennas | Serious RFID/NFC work — MIFARE Classic / DESFire / iCLASS / HID Prox; the access-control research bench |
| WiFi Pineapple | Hak5 purpose-built Wi-Fi auditing — PineAP / rogue-AP / KARMA / evil-twin / Cloud C2 | Wi-Fi auditing engagements; the rogue-AP toolkit; highest legal-posture device alongside Ducky Script |
| ESP32 Marauder Firmware | Open-source Wi-Fi / BLE pentest firmware (runs on AWOK Dual Touch V3, Flipper devboard, Marauder hardware) | Open-source Pineapple-adjacent alternative; ESP32-based; cheap; modify the firmware |
| Ducky Script | Hak5 keystroke-injection language; Rubber Ducky / Bash Bunny / Key Croc / O.MG family | BadUSB / HID injection; physical-entry payload staging; highest legal-posture alongside WiFi Pineapple |
| AWOK Dual Touch V3 | Dual ESP32-WROOM + resistive touch + GPS; Flipper module | Wardriving with GPS; ESP32-based Wi-Fi audit; mounted on tjscientist’s AWOKflip |
| Ruckus Game Over | ESP32-S3 + OLED + joystick + CC1101/NRF24 daughter slot | Multi-radio handheld (Wi-Fi + BLE + sub-GHz + 2.4 NRF24); mounted on tjscientist’s game-over-host |
| Nyan Box | ESP32 + 3× NRF24L01+ + OLED; education-first | Triple-NRF24 parallel-channel sniffing; drone RemoteID; hidden-camera detection (features unique in the lineup) |
| Rayhunter | EFF IMSI-catcher detector on Verizon Orbic RC400L | Defensive RF — passive IMSI-catcher / Stingray detection; no overlap with the rest of the lineup |
| Bus Pirate 6 | UART / I²C / SPI / JTAG / SWD / 1-Wire / smart-card / DDR5-SPD on 8 buffered I/O pins | Embedded-protocol Swiss-army knife; the “follow-along logic analyzer” via 74LVC8T245 look-behind buffer |
| M5Stack Cardputer ADV | ESP32-S3 handheld + QWERTY + 1.14” IPS + IR + Grove + EXT bus + Cap LoRa-1262 option | Field handheld for ESP32-S3 work; Cardputer ADV is the platform reference |
| Clockwork PicoCalc | RP2040/RP2350 handheld + QWERTY + 320×320 IPS | RP2040/2350 development platform; pico-sdk apps |
| GL-iNet GL-BE3600 | Beryl AX Pro Wi-Fi 7 travel router | Networking half of the travel kit; portable OpenWrt platform |
Capability-quick-pick by question:
| “I need to…” | Reach for |
|---|---|
| Capture a sub-GHz signal of unknown origin | RTL-SDR (receive) → HackRF (capture + replay) |
| Clone an HID Prox card | Flipper Zero (field) or Proxmark3 (lab) |
| Audit a Wi-Fi network | WiFi Pineapple (purpose-built) or AWOK + Marauder firmware (DIY) |
| Drop a BadUSB payload | O.MG Cable (covert) or Bash Bunny (capability) or Rubber Ducky (price) |
| Capture WPA2 handshakes | WiFi Pineapple, or any Atheros/Realtek 802.11 monitor-mode adapter |
| Find rogue base stations | Rayhunter (defensive IMSI-catcher detection) |
| Decode a custom 433 MHz remote | RTL-SDR + URH + rtl_433 |
| Probe a UART/JTAG header on a board | Bus Pirate 6 |
| Sniff drone RemoteID | Nyan Box (triple-NRF24) |
| Build a portable RF research bench | HackRF One + PortaPack H2+ (current setup) or PortaRF (integrated alternative) |
Higher-resolution: _shared/capability_matrix.html — 16 scored axes, 50+ capability detail cells, weights panel for per-decision tuning.
Source depth: Vol 1 §7. Sortable matrix: _shared/capability_matrix.html. Cross-tool prose: _shared/comparison.md.
11. Starter-kit card
╔══════════════════════════════════════════════════════════════════════════╗
║ "IF YOU'RE STARTING TOMORROW, DO THIS" ║
║ The minimum viable green-hat kit, learning path, and portfolio. ║
╚══════════════════════════════════════════════════════════════════════════╝
Hardware — the green-hat RF starter kit (~$330 floor):
| Order | Tool | Cost | What it teaches |
|---|---|---|---|
| 1 | RTL-SDR Blog V4 | $30 | Receive-only SDR; FM, ADS-B, AIS, sub-GHz decode; canonical first capture |
| 2 | Flipper Zero | $170 | Sub-GHz capture/replay; LF + HF RFID; NFC; IR; the field-friendly form factor |
| 3 | HackRF One | $300–340 | Wideband TX+RX; the SDR career bench |
| 4 | Proxmark3 RDV4 | $400 | Lab-grade RFID/NFC; MIFARE, DESFire, iCLASS, HID Prox |
Total ~$900 over 12-24 months; first $200 covers the first 6 months of learning.
Computer / lab — the minimum software setup:
- Kali Linux (USB or VM) — Metasploit + Burp Suite + Wireshark + Nmap baseline
- A second box for the defender side — Wazuh / Velociraptor / Sysmon home-lab instrumentation
- A vulnerable-target stack — DVWA, HackTheBox VPN, TryHackMe rooms
- An AD home lab — 1 DC + 1 client; misconfigure intentionally to practice escalation
- A cheap router for Wi-Fi practice (test against your own networks only)
Learning path — the 24-month progression:
| Month 0-3 | Month 3-6 | Month 6-12 | Month 12-18 | Month 18-24 |
|---|---|---|---|---|
| TryHackMe guided paths + easy boxes; picoCTF + first beginner writeup published | HackTheBox Starting Point + Security+ exam; blog + GitHub portfolio | PortSwigger Web Academy + first CVE attempt; eJPT or PNPT | OSCP prep (PEN-200 + Try Harder mindset) | OSCP exam + first bug bounty + first conference CFP submission |
The learning loop — the discipline that compounds:
build ───► break ───► understand ───► write up ───► (back to build)
- build — this step (homelab, CTF box, owned hardware) is the legal-safe foundation
- break — this step is the technique
- understand — this step is what separates the practitioner from the script-user
- write up — this step compounds into a career
Portfolio — what hiring managers actually look at:
| Element | Why it matters | Bare-minimum quantity |
|---|---|---|
| CTF writeups | Shows you can explain technique, not just execute | 5-10 published |
| GitHub | Shows you can ship code; pinned repos are read | 3+ pinned projects |
| First CVE | Shows you can find a real bug + responsibly disclose | 1, ideally |
| Conference talk | Shows you can teach (BSides is the lowest-barrier first stop) | 1 BSides talk |
| Bug bounty profile | Shows you can find real vulns in real software | Some reputation on HackerOne / Bugcrowd |
| Sigma rules / detections | Defender-track equivalent of the CVE | Several published |
First-job targets:
| Role | Cert floor | Comp band (US, early 2026) | Common pre-job path |
|---|---|---|---|
| SOC tier-1 | Security+ | $55-75k | Bootcamp / IT support / self-taught + Security+ |
| IT-to-security | Security+ + CySA+ | $70-90k | 2-3 yrs sysadmin → security pivot |
| Junior pentest | OSCP (or PNPT) | $70-95k | Portfolio + CTF history + OSCP |
| AppSec dev | (any web cert) | $90-130k | 2-3 yrs dev experience + secure-coding interest |
| DFIR junior | Security+ + CHFI | $65-85k | SOC tier-1 → tier-2 → DFIR |
The non-linear path is the modal path. The field absorbs IT support, sysadmins, developers, RF engineers, network engineers, military, self-taught — every entry point ends up at the same mid-career destination. Entry point matters less than sustained work. The single load-bearing decision is to start writing publicly about the work you’re doing; everything else compounds from there.
The first 90-day program — concrete actions:
| Days | Actions |
|---|---|
| 1-7 | Set up Kali VM. Complete TryHackMe "Intro to Cyber Security." |
| 8-30 | Work through TryHackMe paths daily. Start a writeup blog. |
| 31-60 | Move to HackTheBox Starting Point. Buy the RTL-SDR. |
| 61-90 | Schedule Security+ exam. Start picoCTF challenges. Publish first writeup. Open a GitHub. Post your first technical thread on Mastodon / Bluesky / X. |
Source depth: Vol 9 §3-4, Vol 18 §3-6.
This is Volume 20 of the Hacker Tradecraft series. Next: Vol 21 — Glossary and canonical anchor index — closes the series with the A-Z glossary and the cross-deep-dive anchor catalog that other Hack Tools deep dives use to link into this one.