Hacker Tradecraft · Volume 4

Hacker Tradecraft Volume 4 — History III: The Modern Era, 2000s–Present

Professionalization and the pentest industry, the disclosure wars and the 0-day market, Stuxnet and the APT vocabulary, Snowden and the cryptographic counter-reaction, the bug-bounty economy, ransomware-as-a-business and the initial-access-broker supply chain, and the toolchain democratization that put a 1990s pentest in a $200 backpack

Contents

Section | Topic
1 | About this volume
2 | Professionalization — pentest consulting becomes an industry
3 | The exploit market — full disclosure vs. coordinated disclosure vs. broker
4 | Nation-state hacking — Stuxnet, APT naming, and Snowden
5 | The bug-bounty economy
6 | Ransomware-as-a-business
7 | The tooling democratization — Kali, Metasploit, Hak5, SDR going cheap
8 | The conference and CTF circuit — how the field trains and credentials socially
9 | Where the hats stand today
10 | Cheatsheet updates
11 | Resources

1. About this volume

This volume closes the three-volume history cluster. Vol 2 covered the proto-hacking era from the late-1950s TMRC through phreaking, the AI Lab, and the Homebrew Computer Club. Vol 3 covered the 1980s–1990s — the BBS underground, the CFAA, the Morris Worm, the Mitnick saga, the founding of the EFF, the emergence of DEF CON and the first commercial security firms. Vol 4 picks up at the millennium and runs to 2026. Vol 5[1] traces the archaeology of the hat metaphor itself; the hat volumes (6–12) and the reference cluster (13–17) treat what each colour does in the present field.

The arc of this volume is what got built on the institutional skeleton Vol 3 left in place, and four developments dominate. First, hacking became a profession with formal credentialing and an industry — pentest consulting consolidated into recognizable firms with payrolls, the OSCP exam appeared, and “security researcher” stabilized as a job title with a salary range. Second, nation-state activity displaced lone-wolf and small-group acts as the load-bearing threat-actor type — Stuxnet (2010) crossed the digital-physical line under government direction; the Mandiant APT1 report (2013) made the previously-unspeakable “the Chinese military is doing this from a specific building in Shanghai” explicit and public; the Snowden disclosures (June 2013) exposed the US side of the same activity at industrial scale. Third, the criminal economy industrialized — ransomware ran the arc from the lone-PC AIDS Trojan (1989) through CryptoLocker’s asymmetric-crypto-plus-Bitcoin breakthrough (2013) to a multi-billion-dollar affiliate-and-initial-access-broker supply chain by the early 2020s, with state-actor adjacency (DPRK Lazarus, Russian-tolerated criminal groups) blurring the distinction between black-hat and grey-state-zone activity. Fourth, the open-source security toolchain matured to the point that a sixteen-year-old with a Raspberry Pi could replicate a 1990s-era pentest — Kali Linux, Metasploit, the Hak5 implant family, sub-twenty-dollar SDR, the Flipper Zero handheld. The first three developments are the threat picture the rest of the series operates inside. The fourth is the capability shift that lets a small actor — defensive or offensive — work at a scale that took a 1995 consulting firm.

The two preceding volumes’ framing carries forward. Black-hat and grey-zone figures are treated factually and historically from court records, indictments, government press releases, and established journalism — no glamorization, no operational walkthroughs. Where attribution is contested (Stuxnet to U.S.–Israel via “Operation Olympic Games”; specific APT groups to specific government agencies), the strength and source of the attribution claim are flagged in the footnotes rather than asserted as settled. The cast of public-record-confirmed names in this volume is large — Charlie Miller, Casey Ellis, Alex Rice, Mati Aharoni, HD Moore, Michael Ossmann, Aaron Swartz; the convicted ransomware operators of the late 2010s and early 2020s; the Mandiant analysts and the Snowden-disclosure journalists — and the citations carry the weight where claims are specific.

The cross-references back into Vol 3 are dense. Every CFAA discussion here builds on Vol 3 §4; every disclosure-norms thread is downstream of Phrack and 2600 (Vol 3 §6); every conference reference traces back to DEF CON 1 (Vol 3 §9.3); the criminal-economy thread starts from the 1980s BBS warez scene (Vol 3 §2.2) and the Russian organized-cybercrime baseline Vol 3 §9.4 closed on. The cross-references out of this series are also dense — Vol 4 is the volume where the named tools of the modern lineup first appear at scale, and the engineering depth on each tool lives in its respective deep dive rather than being re-derived here.

Year | Industry / threat-actor watershed | Tooling / cultural watershed
2000 | @stake formed from L0pht (Jan); Mosaic-to-Netscape era closing | Bugtraq full-disclosure norm in force
2003 | - | Metasploit Framework 1.0 (HD Moore, Oct)
2004 | First Mozilla bug bounty (Aug); Symantec acquires @stake; McAfee acquires Foundstone; Mandiant founded | BackTrack predecessor in development
2005 | RSA acquires Cyota; ZDI founded by TippingPoint | -
2006 | IBM acquires ISS ($1.3 B) | OSCP exam launched; BackTrack 1
2007 | - | Pwn2Own 1; Offensive Security incorporated
2008 | First Verizon DBIR; Aurora-precursor activity | -
2009 | “No More Free Bugs” at CanSecWest; Rapid7 acquires Metasploit | -
2010 | Stuxnet disclosed (June); Operation Olympic Games attribution | Hak5 USB Rubber Ducky; Google Chromium VRP
2011 | Facebook Whitehat; Bugcrowd founded; Aaron Swartz indicted | -
2012 | HackerOne founded; Bugcrowd launches | rtl-sdr released (Mar; $20 SDR); CTFtime founded
2013 | Mandiant APT1 report (Feb 19); Snowden disclosures (June); CryptoLocker (Sept); Synack founded | Kali Linux 1.0 (Mar 13); picoCTF 1
2014 | Operation Tovar; DoJ indicts 5 PLA officers | HackRF One released; Google Project Zero
2015 | OPM breach (APT29-aligned); Zerodium founded | USA FREEDOM Act
2016 | Bangladesh Bank ($81 M, Lazarus); DNC hack | Mirai botnet (Sept-Oct); Pegasus first publicly documented
2017 | WannaCry (May); NotPetya (June); Equifax breach | Shadow Brokers leaks EternalBlue
2018 | Mandiant ASUS Plead; DoJ indicts Park Jin Hyok | -
2019 | - | Apple Security Research Device program announced
2020 | SolarWinds discovered (Dec; APT29/SVR); DoJ indicts 6 GRU officers | Flipper Zero Kickstarter; OFAC ransomware advisory
2021 | Colonial Pipeline (May 7); Kaseya VSA (Jul 2); NSO Entity List | Executive Order 14028; JCDC stood up
2022 | Conti chat leak; Lapsus$ campaigns; Russia-Ukraine cyber operations | DoJ CFAA prosecutorial-guidance revision (May); OFAC sanctions Tornado Cash (Aug)
2023 | MOVEit mass-compromise (Cl0p); MGM / Caesars; Microsoft Storm-0558 | Google acquires Mandiant; Microsoft Storm naming taxonomy
2024 | Operation Cronos / LockBit (Feb 19); Change Healthcare (BlackCat) | CrowdStrike Falcon outage (Jul)
2025-26 | - (history-in-progress) | -

Table 4.0 — A 2000–2025 timeline strip anchoring the era this volume covers. Bold entries are events called out in detail in subsequent sections; lighter entries provide chronological context. The 2017 Lazarus/Sandworm year (WannaCry + NotPetya) and the 2021 critical-infrastructure year (Colonial + Kaseya) are the two clusters in which multiple watershed events stack within a single calendar window.


2. Professionalization — pentest consulting becomes an industry

By 1999 — the closing snapshot of Vol 3 — the security industry existed, with maybe a dozen named firms operating at national scale. By 2010 it was a multi-billion-dollar industry with several hundred firms, established service categories (pentest, incident response, vulnerability assessment, managed detection and response, threat intelligence), formal credentials (OSCP, GSEC, CISSP, OSCE, OSEP, and dozens of others), and a recognizable career ladder. The decade-and-change between those two snapshots is where pentest consulting consolidated into something a 2026 reader would recognize as the modern industry. Vol 18[2] treats the modern career picture at full depth; this section is the historical narrative.

2.1 The 2000–2004 consolidation wave

The first thing that happened, structurally, was an acquisition wave. The independent firms Vol 3 §9.2 catalogued at end-of-decade — ISS, Foundstone, @stake, iDefense, the early Bishop Fox precursors, Cigital, and several others — were almost all either acquired or merged into larger firms between 2000 and 2008. Five named transactions anchor the wave:

  • @stake’s formation from L0pht (January 2000). L0pht Heavy Industries — the Boston-area hacker collective whose Senate testimony in May 1998 (Vol 3 §9.2)[3] had effectively credentialed the underground in front of a federal-policy audience — was merged into Cambridge Technology Partners’ security arm in early 2000 to form @stake, Inc.[4] The merged firm took on most of the senior L0pht names as principals (Mudge / Peiter Zatko, Weld Pond / Chris Wysopal, Space Rogue / Cris Thomas, Kingpin / Joe Grand, Brian Oblivion, John Tan, Stefan Von Neumann) and positioned itself as the high-end pentest consultancy.
  • Foundstone → McAfee (October 2004). Foundstone, founded 1999 by Stuart McClure and George Kurtz (both formerly of Ernst & Young’s eSecurity practice), was acquired by McAfee for approximately $86 million in October 2004[5]. Foundstone’s vulnerability-scanning product (the FoundScore engine) became McAfee’s foundation for what would become its enterprise-pentest portfolio.
  • Symantec → @stake (September 2004). Symantec acquired @stake for approximately $49 million in October 2004[6]; the consultancy was absorbed into Symantec Global Services. Mudge and several other principals left the firm within twelve to eighteen months; the diaspora seeded a second generation of consultancies (notably Intrepidus Group, founded in 2007 by Aaron Higbee, formerly of @stake, and Bob Stratton; many others went in-house at Microsoft, Cisco, and the financial-services majors).
  • RSA → Cyota (December 2005). RSA Security acquired Cyota, an Israeli online-fraud-detection firm, for $145 million[7]; while not a pure-pentest deal, it was an early indicator that the fraud-prevention and identity-management slices of the security industry were consolidating onto the same platform as the perimeter-and-pentest slice, and prefigured EMC’s acquisition of RSA itself the following year ($2.1 billion, September 2006).
  • IBM → ISS (October 2006). IBM acquired Internet Security Systems (Atlanta; Christopher Klaus’s firm — see Vol 3 §9.2) for approximately $1.3 billion in October 2006[8]. The acquisition rolled ISS’s vulnerability-scanning and managed-security-services revenue into IBM Global Services and was, for many years, the largest acquisition in the consultancy-and-product side of the industry.

The pattern across the wave is that the boutique pentest firms of the late 1990s did not, by and large, scale to enterprise. They were absorbed into the larger software-and-services majors, where the cultural friction between former-hacker principals and corporate-governance structures produced predictable attrition. Most of the named L0pht / @stake / Foundstone principals are not, in 2026, at the firms that acquired them; they are at second- or third-generation firms they founded themselves (Mudge at Stripe, then Google ATAP, then Twitter security leadership, then DARPA’s Cyber Fast Track program, then a consulting practice; Kurtz at CrowdStrike, which he co-founded in 2011 — see §2.2; many others at IOActive, Bishop Fox, NCC Group, and a long list).

2.2 The second-generation consultancies

What rose to fill the boutique-pentest niche the 2000–2008 consolidation vacated was a second generation of consultancies, founded mostly between 2004 and 2012, with substantially different cultures from their predecessors — less L0pht-style underground-to-mainstream pipeline, more recruited-out-of-CS-programs-and-CTF-circuit pipeline (see §8 for the CTF role). The named firms of this second generation:

  • Rapid7 (founded 2000 by Alan Matthews, Tas Giakouminakis, and Chad Loder; pivoted to vulnerability management in 2005). Acquired Metasploit in October 2009 (HD Moore’s project; see §7) for an undisclosed sum; subsequently went public in July 2015[9]. Rapid7 in 2026 is the most prominent example of the “tool-and-consulting” hybrid that defined the second generation — Metasploit on the offensive side, InsightVM/InsightIDR on the defensive side, plus a consulting practice that markets the tools.
  • Bishop Fox (founded 2005, originally Stach & Liu; rebranded 2012). Founded by Vincent Liu and Erik Cabetas (and others); high-end pentest and red-team consultancy; one of the most-cited references for “where the senior pentesters now work.” Privately held; consistently ranked among the larger US pentest firms in 2026.
  • NCC Group (UK-rooted; consolidated from multiple acquisitions through the 2000s — Matasano Security in 2012, iSEC Partners in 2010, Intrepidus Group in 2012, several others). NCC’s roll-up strategy is the closest the industry has to a “Big Four-equivalent” of pentest specifically. Listed on the London Stock Exchange.
  • CrowdStrike (founded 2011 by George Kurtz, Dmitri Alperovitch, and Gregg Marston). Endpoint-protection product plus a managed-detection-and-response operation plus an incident-response consultancy. The 2010s’ answer to the L0pht-and-Foundstone consolidations of the 2000s — built specifically to scale, with the consulting practice subordinated to the product. Went public June 2019; market cap around $80–90 billion in 2026 (volatile through the July 2024 incident in which a faulty Falcon-sensor update bricked a substantial fraction of Windows installations globally, then partially recovered through the subsequent year).
  • Mandiant (founded 2004 by Kevin Mandia; acquired by FireEye December 2013 for $1 billion; spun back out as standalone Mandiant in October 2021; acquired by Google March 2022 for $5.4 billion). The IR-and-threat-intelligence reference firm of the post-Aurora era (see §4.2 on the APT1 report).
  • Trail of Bits (founded 2012 by Dan Guido, Alex Sotirov, and others). Smaller, research-heavy, with a notable line in symbolic-execution-and-formal-methods tooling alongside conventional pentest. Reference firm for crypto and protocol-analysis work in the 2020s.
  • NCC’s competitor list also includes Synopsys’ Software Integrity Group (formerly Cigital + Coverity + others, rolled up 2014–2017), Praetorian, Optiv, GuidePoint, Sentinel Labs (later SentinelOne), and dozens of regional and specialist shops.

Firm | Founded | Founders | Acquired by / status | Notes
@stake | Jan 2000 (from L0pht) | L0pht principals | Symantec, 2004 ($49M) | The L0pht-to-mainstream pipeline
Foundstone | 1999 | Stuart McClure, George Kurtz | McAfee, 2004 ($86M) | Kurtz later co-founded CrowdStrike
Cyota | 1999 | Various Israeli founders | RSA, 2005 ($145M) | Online-fraud / identity-management
Internet Security Systems (ISS) | 1994 | Christopher Klaus | IBM, 2006 ($1.3B) | The largest 2000s pentest-and-vuln-mgmt deal
Mandiant | 2004 | Kevin Mandia | FireEye 2013 ($1B); Google 2022 ($5.4B) | The APT-discourse reference firm
Rapid7 | 2000 | Matthews, Giakouminakis, Loder | IPO July 2015 (NASDAQ:RPD) | Acquired Metasploit 2009
Bishop Fox | 2005 (as Stach & Liu) | Vincent Liu, Erik Cabetas, others | Private | High-end pentest reference
CrowdStrike | 2011 | Kurtz, Alperovitch, Marston | IPO June 2019 (NASDAQ:CRWD) | EDR-plus-IR scale play
NCC Group | UK-rooted; consolidation 2010s | Various acquisitions | LSE-listed | Roll-up strategy; Matasano, iSEC, Intrepidus
Trail of Bits | 2012 | Dan Guido, Alex Sotirov, others | Private | Research-heavy; formal-methods slant
Synopsys Software Integrity Group | 2014–2017 (rolled up) | Cigital + Coverity + others | Part of Synopsys (NASDAQ:SNPS) | Application-security focus
Offensive Security | 2007 | Mati Aharoni + Devon Kearns | Acquired by Leeds Equity Partners October 2024; Ning Wang CEO | OSCP exam (rebranded OSCP+ Nov 2024 — see Vol 18), Kali Linux, BackTrack lineage

Table 4.1 — The named pentest-and-security consulting firms, with founding dates and acquisitions. The pattern: 1990s-founded firms acquired between 2004 and 2013; second-generation 2005–2012-founded firms either still independent or IPO’d; the third generation (founded post-2015) trends toward narrow specialization (cloud-native, application-security, ICS, automotive, embedded) rather than the broad pentest-shop model.

2.3 The OSCP exam and the credentialing question

The single most consequential credential in the modern pentest industry is the Offensive Security Certified Professional exam. The exam was created by Offensive Security — the company Mati Aharoni and Devon Kearns founded in 2007 to commercialize their volunteer work on the BackTrack Linux distribution (the predecessor to Kali Linux; see §7.1)[10]. OSCP launched in 2006, a year before the formal “Offensive Security” company name existed[11], and rapidly established itself as the de-facto baseline credential for working pentesters.

The OSCP exam’s significance is partly its structure and partly its timing. Structurally, the exam is a 24-hour hands-on practical: the candidate connects to a lab network, is given a set of target machines to compromise, and must achieve administrative-level shell access on a specified number of them (the passing threshold and machine count have varied over the years; the current 2026 form is approximately five machines in 24 hours, then 24 more hours to write the report). It does not test memorized terminology; it tests whether the candidate can actually break into things. The format set the standard for hands-on security credentialing — every subsequent practical exam (OSCE, OSEP, eCPPT, PNPT, CRTP, and many others) borrowed pieces of the structure. In timing, OSCP arrived at the precise moment the industry needed it. The 2006 timing meant that by 2010 — as the second-generation consultancies were hiring — there was a defensible, employer-recognized minimum-competency signal for entry-level pentest hires that hadn’t existed in 2000.

The flip side, articulated by every senior practitioner who’s been asked since: the OSCP is the floor, not the ceiling. It demonstrates that a candidate can run public exploits against intentionally vulnerable lab machines and document their work. It does not demonstrate that the candidate can develop novel exploits, do source-level vulnerability research, run a red-team engagement against a hardened environment, or write a coherent client-facing report on a real assessment. The post-OSCP career path — through the more advanced Offensive Security exams (OSCE, OSEP, OSEE) and the SANS GIAC family (GPEN, GXPN, GREM, GCIH, GSE) and the specific specializations (cloud, mobile, ICS, web) — is what fills in those gaps. Vol 18 walks the modern career ladder in detail.

The non-OSCP credential landscape in 2026 includes, roughly in industry-perception order for pentest specifically: OSCP (entry-to-mid), OSEP/OSCE/OSEE (advanced offensive), GPEN/GXPN (alternative to OSCP, more vendor-aligned), eCPPT/eWPTX (INE/eLearnSecurity; rising), PNPT (TCM Security), CRTP/CRTE (Red Team Professional, Pentester Academy), CISSP (managerial; not a hands-on cert — universally derided by working pentesters as such but widely required by corporate procurement), CEH (the EC-Council Certified Ethical Hacker — for many years considered the floor cert; in 2026 widely considered approximately useless by working pentesters but still required by federal-contracting language and DoD 8570). For DFIR / blue side specifically: GCFA, GCFE, GREM, GCIH, GCDA, CySA+. The credential market has more or less stabilized in 2026 at this approximate structure; the next decade’s change will probably be the rise of practical exams for cloud-native and AI-system-specific pentest (Vol 14 forward-references the Wi-Fi/BLE side; Vol 16 the BadUSB/HID side).

2.4 The consultancy vs. in-house decision

A subsidiary structural development of the era is the rise of in-house security teams at large organizations as an alternative to engaging external consultancies for everything. Pre-2005, even large enterprises typically ran perimeter security through a network-operations team and engaged outside consultancies for everything else. Post-2010, large enterprises typically run multi-hundred-person internal security organizations with red-team, blue-team, threat-intel, application-security, and detection-engineering functions internally; outside consultancies are engaged for specific assessments, scarce specializations (mobile, ICS, automotive), and the “fresh eyes” benefit of an outside team.

The engineering trade-offs between consultancy and in-house work are worth understanding at a working level — Vol 18 expands; here is the executive summary.

Consultancy career mode. Variety of engagements (a different target every two-to-four weeks); broader exposure to industries and technologies than any single in-house role would provide; more travel; pay typically higher at senior levels (because the firm’s billing rate supports it); less ability to follow a single problem through to remediation (you assess, write the report, hand off, and rotate); a culture norm of accumulating credentials and conference talks because they directly drive your firm’s salability. Best fit for early-to-mid career, for people who like variety, and for the personalities who want to build a strong external public profile (the conference circuit, the blog, the GitHub portfolio).

In-house career mode. Single deep target (your employer’s stack); the ability to follow a vulnerability from discovery through remediation through detection-engineering integration to verification; pay typically lower at the same nominal seniority but compensated by equity at fast-growing firms; less variety but more depth; the political-and-organizational skill of working with internal engineering teams becomes the dominant secondary skill (Vol 12, purple-hat, treats this at length); the culture norm is much less external-public-profile, more internal-reputation-with-product-teams. Best fit for late-mid-to-senior career, for people who like seeing a problem through, and for the personalities who’d rather make the company’s stack better than make their resume better.

There’s a recognizable career pattern of consultancy → in-house → back to consultancy or independent, with the in-house stint serving as the “I want to live with the consequences of my recommendations once” sabbatical. The reverse pattern — in-house first, then consultancy — exists but is much less common.

2.5 The first Verizon DBIR (2008)

One artifact worth flagging because it anchors the empirical literature of the modern field: in 2008, Verizon’s RISK Team published the first Verizon Data Breach Investigations Report (DBIR), an annual statistical analysis of breach data drawn initially from Verizon’s incident-response practice and subsequently from a partnership with the U.S. Secret Service and other contributors[12]. The DBIR is, in 2026, the canonical longitudinal data source on the actual distribution of breach causes, attack patterns, threat-actor types, and industry-vertical effects across the industry. Its taxonomic framework (the VERIS vocabulary — Vocabulary for Event Recording and Incident Sharing) and the annual statistical summaries are the empirical baseline against which any “what’s actually happening out there” question gets cross-checked. The DBIR’s first edition drew on approximately 500 cases handled by Verizon’s incident-response practice across 2004–2007 — small by today’s data-set standards, but unprecedented in 2008 as a pooled empirical baseline; the 2025 edition draws on tens of thousands of incidents annually (the methodological details have evolved considerably, so cross-year comparisons require care). For any factual claim in this volume about “ransomware now vs. 2010” or “the share of breaches caused by phishing,” the DBIR is the load-bearing source.


3. The exploit market — full disclosure vs. coordinated disclosure vs. broker

The question of what to do when you find a vulnerability is, at root, an economic and ethical question with technical infrastructure. The 2000s and 2010s saw three answers compete for legitimacy: full disclosure (publish the vulnerability and exploit immediately, the 1990s-and-earlier default), coordinated disclosure (report to the vendor, give them a specified window to patch, then publish), and broker (sell the vulnerability to a market participant — vendor bounty, third-party broker, or government). All three exist in 2026; the proportions have shifted dramatically.

3.1 The 1990s full-disclosure baseline

Through the 1990s, the dominant venue for vulnerability disclosure was the Bugtraq mailing list, founded in 1993 by Scott Chasin and managed for many years by Aleph One (Elias Levy, of “Smashing the Stack” fame — Vol 3 §6.2)[13]. Bugtraq’s editorial policy was full disclosure: post the vulnerability, post the proof-of-concept, let everyone — vendors and attackers alike — get the information at the same time. The rationale was that vendors who could keep an issue private indefinitely had no incentive to patch, and that defenders armed with the full information could at least take compensating action. The list was housed at SecurityFocus, which Aleph One sold to Symantec in 2002 for approximately $75 million; Symantec retired Bugtraq in 2021, ending the list after a 28-year run[14].

The full-disclosure norm produced predictable second-order effects. Vendors hated it (and said so loudly). Defenders had patch-or-mitigate fire-drills every time a substantial advisory dropped. Attackers operationalized the proof-of-concepts within hours of publication. The vulnerability churn of the late 1990s — Code Red (July 2001, Microsoft IIS), Nimda (September 2001), SQL Slammer (January 2003), Blaster (August 2003), all of them exploiting bugs that had been publicly disclosed weeks or months earlier — is the empirical record of full-disclosure-meets-slow-patching. The lesson of those worms was not, as is sometimes claimed, that full disclosure failed; it was that patching infrastructure was inadequate to the volume of work the disclosure pace generated, which is a different problem with a different fix.

3.2 The “responsible disclosure” rebranding and the coordinated-disclosure norm

In late 2001, in the immediate aftermath of Code Red and Nimda, Microsoft’s Scott Culp published an essay titled “It’s Time to End Information Anarchy”[15], arguing for what he called “responsible disclosure” — researchers should report vulnerabilities privately to vendors and give the vendor time to patch before publishing. The essay was a polemical document with a clear vendor self-interest, and the “responsible” framing was widely criticized as a PR move (the implication being that researchers who disclosed publicly were irresponsible). Within the research community, the term “responsible disclosure” never had universal uptake; “coordinated disclosure” emerged through the mid-2000s as the more neutral term and is the current standard vocabulary[16].

Coordinated disclosure as practiced in 2026 works approximately as follows. A researcher identifies a vulnerability and contacts the affected vendor through a documented channel (a security@ email, a HackerOne or Bugcrowd program, a vendor’s PSIRT). The vendor acknowledges receipt within a target window (24–72 hours is the cultural expectation; some vendors enforce shorter or longer SLAs). The vendor investigates, develops and tests a patch, and ships it through their release-management process. The researcher publishes the technical details — sometimes simultaneously with the vendor’s advisory, sometimes after a coordinated delay (the typical disclosure window is 90 days from initial report, a number Google’s Project Zero made the industry norm through its public policy; see [17]). The CVE-assignment process (MITRE / CNA programs) runs in parallel and pins a canonical identifier to the issue.

The structural tension in coordinated disclosure is that the vendor’s incentive is to delay the public disclosure as long as possible, and the researcher’s incentive (and the public’s interest) is to limit the window during which the vulnerability is privately known to the vendor and possibly to other parties but not to defenders generally. The 90-day window is the negotiated compromise: long enough that most vendors can ship a patch in good faith, short enough that vendors who slow-walk the response face public pressure. Project Zero, Google’s vulnerability-research team founded in July 2014 by Chris Evans, Ben Hawkes, and others, codified the 90-day policy publicly and applied it to its own external research; the policy has become a de-facto industry norm[18]. Project Zero has, on multiple occasions, allowed the disclosure window to expire and published technical detail on unpatched vulnerabilities — most controversially against Microsoft, Apple, and several smaller vendors — and the resulting friction has both hardened the 90-day expectation and exposed the residual political contest over disclosure timing.

The unstable case in coordinated disclosure is when the vendor doesn’t respond. A researcher reporting to a small vendor with no security@ contact, no documented PSIRT, and no bug-bounty program has, in practice, three options: (a) keep trying through informal channels (executive contacts, social-media call-outs), (b) escalate to a clearinghouse (CERT/CC, ICS-CERT, the relevant national CERT) for help reaching the vendor, or (c) eventually publish unilaterally. The third option recapitulates the full-disclosure era’s logic for cases where coordinated disclosure has structurally failed.
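The coordinated-disclosure lifecycle described above, including the unresponsive-vendor case, as an added example that is not part of this volume: a small Python tracker that, given the report date and what the vendor has done so far, returns the researcher's next step and the running deadline. The 90-day window and the 24–72 hour acknowledgement expectation come from the text; the 14-day point at which an unacknowledged report is escalated to a CERT clearinghouse and the optional extension field are assumptions chosen for this example, not a published policy.

```python
"""Coordinated-disclosure timeline tracker (added example; thresholds are parameters)."""
from dataclasses import dataclass
from datetime import date, timedelta
from enum import Enum
from typing import List, Optional, Tuple


class Action(Enum):
    WAIT_FOR_ACK = "inside the acknowledgement SLA; wait"
    CHASE_VENDOR = "no acknowledgement; retry through informal channels"
    ESCALATE_TO_CERT = "no acknowledgement; ask CERT/CC or a national CERT to reach the vendor"
    WAIT_FOR_PATCH = "acknowledged; wait for the patch inside the window"
    PUBLISH_WITH_ADVISORY = "patched; publish alongside the vendor advisory"
    PUBLISH_WINDOW_EXPIRED = "window expired without a patch; publish"


@dataclass
class DisclosureCase:
    """State of one report, as known to the researcher."""
    reported_on: date                       # initial report through the documented channel
    acknowledged_on: Optional[date] = None  # vendor receipt, if any
    patched_on: Optional[date] = None       # vendor fix shipped, if any
    escalated_on: Optional[date] = None     # clearinghouse asked to help, if any
    extension_days: int = 0                 # assumption: extra days the researcher has granted
    window_days: int = 90                   # modal norm: 90 days from initial report
    ack_sla_days: int = 3                   # 72-hour acknowledgement expectation
    chase_days: int = 14                    # assumption: escalate after two weeks of silence

    @property
    def deadline(self) -> date:
        """Date on which the researcher may publish regardless of patch status."""
        return self.reported_on + timedelta(days=self.window_days + self.extension_days)

    def days_remaining(self, today: date) -> int:
        return (self.deadline - today).days

    def next_action(self, today: date) -> Action:
        if today < self.reported_on:
            raise ValueError("today precedes the report date")
        # A shipped patch ends the private-knowledge window: publish in step with the advisory.
        if self.patched_on is not None and self.patched_on <= today:
            return Action.PUBLISH_WITH_ADVISORY
        # The window expiring is the researcher's only lever against a slow-walked fix.
        if today >= self.deadline:
            return Action.PUBLISH_WINDOW_EXPIRED
        if self.acknowledged_on is not None:
            return Action.WAIT_FOR_PATCH
        # Unacknowledged report: the unstable case. Escalate once, then keep informal
        # channels open while the clearinghouse works; the deadline still runs.
        silent_for = (today - self.reported_on).days
        if silent_for <= self.ack_sla_days:
            return Action.WAIT_FOR_ACK
        if silent_for <= self.chase_days or self.escalated_on is not None:
            return Action.CHASE_VENDOR
        return Action.ESCALATE_TO_CERT


def walkthrough(case: DisclosureCase, checkpoints: List[date]) -> List[Tuple[date, str, int]]:
    """Evaluate the case at each checkpoint: (date, action name, days left in window)."""
    return [(d, case.next_action(d).name, case.days_remaining(d)) for d in checkpoints]


if __name__ == "__main__":
    # Constructed sample: a report to a vendor that never answers.
    silent = DisclosureCase(reported_on=date(2026, 1, 5))
    checkpoints = [date(2026, 1, 7), date(2026, 1, 15), date(2026, 1, 25), date(2026, 4, 5)]
    for when, action, left in walkthrough(silent, checkpoints):
        print(f"{when}  {left:3d} days left  {action}")
```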

Approach | When researcher publishes | Vendor incentive | Researcher incentive | Defender position
Full disclosure (1990s baseline; some niche residents 2026) | Immediately, with PoC | Patch fast or face public exposure | Reputation; minimize private-knowledge window | Same information as attackers; can mitigate, but limited time
Responsible disclosure (Microsoft 2001 framing) | After vendor patches, no fixed deadline | Patch when convenient; deadline negotiable | “Responsible” reputation, but at vendor’s pace | Patches arrive when vendor ships; researchers can be slow-walked
Coordinated disclosure (90-day modal norm, 2026) | After fixed window (typically 90 days from initial report) | Patch within window or face public disclosure | Reputation + predictable timeline | Patches arrive within a known window; broad ecosystem patches together
Broker / bounty (commercial vendor programs; 2010+) | Vendor or platform decides; often never publicly | Pay for private receipt; control disclosure | Cash payout; no further obligation | Patches arrive when vendor ships; defenders see only the resulting advisory
Government / NSO / Zerodium broker | Often never publicly disclosed | N/A (vendor isn’t the buyer) | Substantial cash; exclusive sale; usually requires non-disclosure | Defenders generally don’t see the vulnerability until it’s burned in operational use

Table 4.2 — The four disclosure regimes in current use, with the incentive structures. Coordinated disclosure is the modal norm for most published research in 2026; bug bounties (see §5) are the dominant monetary channel for vulnerability monetization to the vendor itself; government and broker markets (§3.3) are the channel where the highest dollar values exchange hands but where the public disclosure record is most opaque.

3.3 The 0-day broker market industrializes

The third disclosure regime — selling the vulnerability rather than publishing it — was niche through the 1990s but industrialized sharply in the 2000s and 2010s. The named participants in 2026:

  • iDefense Vulnerability Contributor Program (founded 1999, acquired by VeriSign 2005). The first organized commercial vulnerability-purchase program. Researchers reported to iDefense, which paid a fee (typically $100–$10,000 in the early years) and shared the technical detail with iDefense customers (large enterprises subscribing to early vulnerability intelligence). iDefense was acquired by VeriSign in 2005 and eventually folded into Accenture’s security practice.
  • Zero Day Initiative (founded 2005 by 3Com’s TippingPoint; subsequently TippingPoint was acquired by HP and then by Trend Micro; ZDI now operates under Trend Micro). ZDI is the largest commercial vulnerability-purchase program in 2026, paying researchers for vulnerabilities and using the resulting intelligence to feed customer signatures and the Pwn2Own contest (founded 2007, the most-watched annual vulnerability-disclosure competition)19.
  • VUPEN Security (founded 2004 by Chaouki Bekrar in Montpellier, France). Originally a vulnerability-research firm with public disclosures; pivoted by the late 2000s to selling exclusively to government customers. Notable for the 2012 incident in which VUPEN publicly auctioned a Chrome exploit at Pwn2Own and refused to share the technical detail with Google (despite ZDI’s normal practice of forwarding to the vendor)20. VUPEN was effectively wound down in 2015 when Bekrar founded Zerodium.
  • Zerodium (founded 2015 by Chaouki Bekrar, ex-VUPEN). Government-and-defense customer base; publishes a price list for vulnerability acquisitions (the most-cited single document in the broker market: $2.5 million for a full chain Android remote-no-click; $2 million for iOS equivalent; lower for older platforms and partial chains; the price list has been periodically revised upward through the 2010s and 2020s)21. Zerodium does not publish a customer list; the operational presumption is that it sells to government agencies in NATO-aligned countries, but the firm has been deliberately opaque.
  • NSO Group (founded 2010 in Israel by Niv Carmi, Omri Lavie, and Shalev Hulio). Develops the Pegasus mobile-implant suite and sells to government customers. NSO has been at the center of multiple investigations into Pegasus’s use against journalists, dissidents, and political opposition figures across multiple countries22; the U.S. Commerce Department placed NSO on its Entity List in November 202123. The Pegasus Project (a journalism consortium led by Forbidden Stories and Amnesty International, reporting starting July 2021) documented Pegasus deployments in dozens of countries against thousands of targets. NSO is the most consequential 0-day-and-implant broker of the 2010s; the most politically contested; and the principal case study for the question of whether the commercial 0-day market should exist at all.
  • Crowdfense, Maltego, and a constellation of smaller firms operate at smaller scale. The market is opaque enough that estimating its total size is genuinely difficult; published academic studies put the total annual flow at low billions of dollars by 202424.

3.4 The “no more free bugs” inflection point

The cultural transition from full-disclosure-as-default to broker-or-bounty-as-default is most clearly marked by Charlie Miller’s “No More Free Bugs” talk at CanSecWest 200925. Miller (then at Independent Security Evaluators; subsequently at NSA, Twitter, Uber, and Cruise) argued that the research community had been giving vendors free vulnerability research for years, that the economic structure was unsustainable, and that researchers should stop reporting unpaid. The talk was deliberately provocative; the actual position Miller advanced was more nuanced (“I will continue to disclose, but I expect either payment or substantial vendor engagement”). The talk catalyzed the bug-bounty discussion (see §5 below) and is often pointed to as the cultural moment when the field collectively decided that somebody should pay for the research, even if the exact terms were still being negotiated.

The decade-and-a-half since “No More Free Bugs” has produced approximately the equilibrium the 2009 conversation pointed toward: vulnerabilities in commercial products are mostly disclosed through coordinated disclosure plus bug bounties (§5); vulnerabilities in defense-grade targets are mostly sold to brokers (§3.3); a residual full-disclosure community persists in academia and in independent research not aligned with either of the first two paths. Bruce Schneier’s commentary across the 2010s — particularly his 2012 “The Vulnerabilities Market and the Future of Security” essay26 — laid out the moral-and-policy frame; the actual market structure followed the economic gradient, not the moral argument.

Look-here cross-reference callout. The computer-hacking-implant family that emerges as the operational vehicle for the techniques discussed across this volume (and especially for the implant-and-HID-injection side of the broker market) is treated in full engineering detail in Vol 16 — Computer-hacking tradecraft, with the per-device walkthroughs in [the Ducky Script deep dive](../../Ducky Script/03-outputs/DuckyScript_Complete.html). The 0-day-into-implant pipeline that NSO Group and similar firms operate is the high-budget version; the open-source Hak5 family is the same idea at consumer cost.


4. Nation-state hacking — Stuxnet, APT naming, and Snowden

The single largest tectonic shift in this volume’s window is that nation-state activity displaced lone-wolf and small-group activity as the load-bearing threat-actor type. Through the late 1990s and into the early 2000s, the prevailing public-discourse model of “the hacker” was still substantially the 1990s underground figure of Vol 3 — an individual or small group, motivated variously by curiosity, ideology, or profit, operating with technical means within roughly an order of magnitude of what a working academic could replicate. By 2014 the prevailing model was the Advanced Persistent Threat — a state-resourced operation with tens to hundreds of personnel, multi-year campaign budgets, custom tooling unavailable on the open market, and the patience to maintain access against a target organization for years. Three events in the 2010–2013 window made the new model legible: Stuxnet’s disclosure in 2010, the Mandiant APT1 report in 2013, and the Snowden disclosures starting June 2013.

A Siemens SIMATIC S7-300 programmable logic controller — the precise hardware family Stuxnet was engineered to compromise. The S7-300 series uses the MPI (Multi-Point Interface) and Profibus protocols to communicate with engineering workstations running Siemens STEP 7 software; Stuxnet's payload masqueraded as a legitimate STEP 7 communication module to inject malicious ladder logic onto the PLC, modifying centrifuge motor speeds while reporting fake-normal telemetry back to the engineering workstation. The PLC pictured is a generic factory unit; the Natanz deployment used the S7-315-2 variant. Photo: File:S7300.JPG by Ulli1105. License: CC BY-SA 2.5 (https://creativecommons.org/licenses/by-sa/2.5). Via Wikimedia Commons (https://commons.wikimedia.org/wiki/File%3AS7300.JPG).

Figure 4.1 — Siemens SIMATIC S7-300 PLC, the target hardware family for Stuxnet’s industrial-control payload. File:S7300.JPG by Ulli1105. License: CC BY-SA 2.5 (https://creativecommons.org/licenses/by-sa/2.5). Via Wikimedia Commons (https://commons.wikimedia.org/wiki/File%3AS7300.JPG).

4.1 Stuxnet (discovered June 2010)

Stuxnet was first identified by Sergey Ulasen of the Belarusian antivirus firm VirusBlokAda on June 17, 2010, after a customer in Iran reported recurring system reboots on industrial systems27. The investigation that followed — primarily by Symantec, Kaspersky Lab, and a small group of researchers at ESET — published its substantive technical analysis through the second half of 2010, with the definitive treatment being Symantec’s “W32.Stuxnet Dossier” by Nicolas Falliere, Liam O Murchu, and Eric Chien, released in three revisions through November 2010 and February 201128. The dossier is, in 2026, the load-bearing engineering reference on Stuxnet; everything else in the secondary literature traces back to it.

What Stuxnet was, technically, can be stated compactly. It was a Windows worm whose payload targeted Siemens SIMATIC S7-300 (specifically the S7-315-2) and S7-400 programmable logic controllers running the Siemens STEP 7 engineering software, when those PLCs were attached to specific configurations of variable-frequency drives from two manufacturers (Vacon, Finland; Fararo Paya, Iran) operating at the frequency range used by gas centrifuges for uranium enrichment29. When all those conditions were met — the precise hardware, the precise drive configuration, the precise operational frequency band — Stuxnet injected modified ladder logic into the PLC that periodically varied the centrifuge motor speeds outside their normal operating envelope (briefly accelerating to 1410 Hz and decelerating to 2 Hz from a nominal 1064 Hz) while reporting fake-normal telemetry to the engineering workstation30. The effect, deployed against the Natanz fuel enrichment facility’s centrifuge cascades, was to physically destroy centrifuges over a multi-month campaign — exact loss estimates vary, but the IAEA’s safeguards reports and subsequent ISIS analyses put it in the range of approximately 1,000 centrifuges damaged or destroyed across 2009–201031.

The propagation side of Stuxnet was almost as remarkable as the payload. Iran’s Natanz facility was air-gapped from the public Internet; Stuxnet reached it via removable media (USB flash drives) and lateral propagation through the internal industrial-control network32. To accomplish this propagation it consumed an exceptional set of four previously unknown zero-day vulnerabilities in Microsoft Windows — a budget that, at then-prevailing 0-day prices in the broker market (§3.3), would have run into the millions of dollars and that no criminal or independent actor would have plausibly burned on a single operation:

Numeric callout — Stuxnet’s four Windows 0-days. The four vulnerabilities Stuxnet exploited in Microsoft Windows:

  1. LNK / shortcut file vulnerability — CVE-2010-2568 (MS10-046, patched August 2, 2010). A flaw in Windows Shell that allowed a maliciously-crafted .lnk shortcut file to execute arbitrary code when the file was simply viewed by Windows Explorer (no double-click required); used for initial USB-based propagation.
  2. Print Spooler vulnerability — CVE-2010-2729 (MS10-061, patched September 14, 2010). A flaw in the Windows Print Spooler service that allowed remote code execution via crafted print job submissions; used for network-share-based lateral propagation.
  3. Win32k.sys local privilege escalation — CVE-2010-2743 (MS10-073, patched October 12, 2010). Allowed elevation from a low-privilege user to SYSTEM via a flaw in the Windows kernel’s keyboard-layout handling.
  4. Task Scheduler local privilege escalation — CVE-2010-3338 (MS10-092, patched December 14, 2010). A second EoP path, allowing elevation via a CRC32-based integrity check on scheduled-task XML files that could be forged (CRC32 is not a cryptographic hash; the attacker modified the XML and recomputed the CRC32 to match, getting the modified task to execute under SYSTEM).

Stuxnet also exploited a previously-known but unpatched Siemens hard-coded password in the WinCC database (2WSXcder for user WinCCConnect — Siemens had been notified years earlier and had asked customers not to change it, citing software-compatibility concerns)33. Total 0-day budget: four Windows kernel-grade vulnerabilities, one industrial-control vendor-grade authentication failure. Cost-equivalent at 2010 broker prices: well into seven figures. No commercial criminal operation in the public record before or since has burned four Windows 0-days in a single payload. The 0-day budget alone was — and remains — the strongest single circumstantial evidence pointing the attribution to a state actor.
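To make the “CRC32 is not a cryptographic hash” point in item 4 concrete, here is an added example (not from the Symantec dossier or from any Stuxnet code): the weak checksum-based integrity check beside a keyed-MAC replacement. It goes a step beyond the page’s “recomputed the CRC32” wording by showing that even a stored checksum the writer cannot alter offers no protection, because four trailing bytes can steer CRC32 to any chosen value; the task file, key and function names are constructed for the demo.

```python
import hashlib
import hmac
import zlib

# Constructed stand-in for a scheduled-task definition (not a real Windows
# Task Scheduler file); the tampered copy asks for a higher run level.
ORIGINAL_TASK = (
    b"<Task><Exec><Command>C:\\tools\\backup.exe</Command></Exec>"
    b"<RunLevel>LeastPrivilege</RunLevel></Task>"
)
TAMPERED_TASK = ORIGINAL_TASK.replace(b"LeastPrivilege", b"HighestAvailable")


def crc32_check(task_xml: bytes, stored_crc: int) -> bool:
    """Weak check: an unkeyed CRC32 stored beside the file, compared on load."""
    return zlib.crc32(task_xml) == stored_crc


# Reflected CRC-32 table (polynomial 0xEDB88320), the same one zlib uses.
_TABLE = []
for n in range(256):
    c = n
    for _ in range(8):
        c = (c >> 1) ^ 0xEDB88320 if c & 1 else c >> 1
    _TABLE.append(c)
# The top byte of each table entry is unique, which is what lets the per-byte
# update be run backwards; the check documents that assumption.
_BY_TOP_BYTE = {entry >> 24: idx for idx, entry in enumerate(_TABLE)}
if len(_BY_TOP_BYTE) != 256:
    raise RuntimeError("CRC table top bytes are not distinct")


def forge_crc32_suffix(data: bytes, target_crc: int) -> bytes:
    """Return four bytes such that crc32(data + suffix) == target_crc.

    CRC32 is linear over GF(2): the 32-bit register can be driven to any value
    by choosing four trailing bytes, with no secret involved. That is why a
    CRC gives no integrity guarantee against a deliberate modification.
    """
    # zlib applies an initial 0xFFFFFFFF and a final xor; undo the final xor
    # to recover the raw shift register on both sides.
    reg = zlib.crc32(data) ^ 0xFFFFFFFF
    want = target_crc ^ 0xFFFFFFFF
    # Walk the desired final register backwards through four byte updates to
    # find which table index each appended byte must select. This depends only
    # on the target, not on the data.
    indices = [0] * 4
    for k in range(3, -1, -1):
        idx = _BY_TOP_BYTE[want >> 24]
        indices[k] = idx
        want = ((want ^ _TABLE[idx]) << 8) & 0xFFFFFFFF
    # Walk forwards from the real register, choosing each byte so the update
    # lands on the required index: idx == (reg ^ byte) & 0xFF.
    suffix = bytearray()
    for idx in indices:
        suffix.append((reg ^ idx) & 0xFF)
        reg = (reg >> 8) ^ _TABLE[idx]
    return bytes(suffix)


def hmac_tag(task_xml: bytes, key: bytes) -> bytes:
    """Hardened replacement: a keyed MAC that cannot be recomputed without the key."""
    return hmac.new(key, task_xml, hashlib.sha256).digest()


def hmac_check(task_xml: bytes, stored_tag: bytes, key: bytes) -> bool:
    return hmac.compare_digest(hmac_tag(task_xml, key), stored_tag)


def demo() -> dict:
    """Run both checks against the original and a checksum-forged tampered file."""
    stored_crc = zlib.crc32(ORIGINAL_TASK)  # what the verifier stored, read-only
    # Four bytes appended to the tampered file make its CRC32 equal the stored
    # one; where they sit in the file is irrelevant to the checksum argument.
    forged = TAMPERED_TASK + forge_crc32_suffix(TAMPERED_TASK, stored_crc)
    key = b"constructed-demo-key-not-a-real-secret"  # kept out of the writer's reach
    stored_tag = hmac_tag(ORIGINAL_TASK, key)
    return {
        "crc_accepts_original": crc32_check(ORIGINAL_TASK, stored_crc),
        "crc_accepts_forged": crc32_check(forged, stored_crc),
        "forged_still_elevated": b"HighestAvailable" in forged,
        "hmac_accepts_original": hmac_check(ORIGINAL_TASK, stored_tag, key),
        "hmac_rejects_forged": not hmac_check(forged, stored_tag, key),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

The same lesson applies to any unkeyed checksum or plain hash used as a tamper check: integrity against an active modifier needs a key (MAC) or a signature, not a digest the modifier can compute.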

                       Stuxnet 2009-2010 infection chain (simplified)
                       ──────────────────────────────────────────────

   Outside Natanz (presumed; not publicly confirmed)
   ┌────────────────────────────────────────────────────────────┐
   │  Supply-chain or insider delivery of infected USB stick    │
   │  to a Natanz contractor's engineering workstation.         │
   └────────────────────────┬──────────────────────────────────┘
                            │ USB physical-media transfer

   Inside Natanz (air-gapped industrial control network)
   ┌────────────────────────────────────────────────────────────┐
   │  ENGINEERING WORKSTATION (Windows, running STEP 7)         │
   │  Stuxnet auto-runs via:                                    │
   │   (1) LNK shortcut zero-day (CVE-2010-2568, MS10-046)      │
   │       triggered by Explorer viewing the USB contents       │
   │  → Privilege escalation via either:                        │
   │   (3) Win32k.sys 0-day (CVE-2010-2743, MS10-073)           │
   │   (4) Task Scheduler 0-day (CVE-2010-3338, MS10-092)       │
   │  → Process injection into services.exe; persistence        │
   │  → Dropper installs kernel rootkit; signed (stolen certs   │
   │     from Realtek + JMicron — Taiwanese semiconductor       │
   │     vendors)                                               │
   └────────────────────────┬──────────────────────────────────┘
                            │ Lateral propagation through ICS LAN

   ┌────────────────────────────────────────────────────────────┐
   │  PROPAGATION across air-gapped LAN via three channels:     │
   │                                                            │
   │   (a) Print Spooler 0-day (CVE-2010-2729, MS10-061)        │
   │       via network-share printer connections                │
   │   (b) SMB / NETBIOS / RPC lateral movement                 │
   │   (c) WinCC database access using Siemens hard-coded       │
   │       password (`2WSXcder` / user WinCCConnect)            │
   │                                                            │
   │  Stuxnet identifies hosts running Siemens SIMATIC          │
   │  STEP 7 engineering software targeting an S7-300 or S7-400 │
   │  PLC controlling a specific Vacon NX or Fararo Paya        │
   │  variable-frequency drive at 807-1210 Hz operating         │
   │  frequency — the centrifuge band.                          │
   └────────────────────────┬──────────────────────────────────┘
                            │ STEP 7 → PLC programming protocol

   ┌────────────────────────────────────────────────────────────┐
   │  PLC PAYLOAD (Siemens SIMATIC S7-315-2 in Natanz)          │
   │   • Hides the malicious ladder-logic blocks from the       │
   │     engineering workstation's monitoring view              │
   │   • Records ~21 seconds of legitimate sensor data;         │
   │     replays it to the workstation as fake-normal           │
   │     telemetry while the sabotage runs                      │
   │   • Sabotage cycle (~50 min every 27 days):                │
   │       - accelerate centrifuge motors to 1410 Hz            │
   │       - decelerate to 2 Hz                                 │
   │       - back to nominal 1064 Hz                            │
   │     repeated → mechanical destruction of rotor bearings    │
   │     and aluminum tubes                                     │
   └────────────────────────┬──────────────────────────────────┘


              ┌─────────────────────────────┐
              │  Approx. 1,000 centrifuges   │
              │  destroyed or damaged at     │
              │  Natanz across 2009-2010     │
              │  (ISIS estimate; out of      │
              │  ~8,700 installed)           │
              └─────────────────────────────┘

Figure 4.1a — Stuxnet’s infection chain, from supply-chain delivery to centrifuge destruction at Natanz. The diagram is schematic-grade; many engineering details (the specific signed-certificate exfiltration, the WinCC database structure, the precise ladder-logic injection technique, the man-in-the-middle on STEP 7 communications) are elided. Falliere, O Murchu, and Chien’s W32.Stuxnet Dossier (Symantec 2011, Sections 5–7) is the load-bearing source for the actual technical detail.

Attribution. Stuxnet was officially never claimed by any government. The publicly-available attribution evidence converged through 2010–2012 on the United States and Israel, with the program reportedly designated “Operation Olympic Games” within the U.S. intelligence community and developed, reportedly, with NSA and Israeli Unit 8200 collaboration34. The single most cited primary-source-grade attribution journalism is David Sanger’s June 1, 2012 New York Times front-page report and the subsequent book Confront and Conceal (2012)35, based on interviews with multiple unnamed Obama-administration sources; Kim Zetter’s Countdown to Zero Day (2014) is the longest-form technical-and-political treatment36; and Andy Greenberg’s Sandworm (2019) puts Stuxnet in the longer arc of cyber-physical operations including the subsequent Russian-attributed Ukrainian power-grid attacks (BlackEnergy 2015, Industroyer 2016, NotPetya 2017)37. The U.S. and Israeli governments have never confirmed the attribution; multiple U.S. officials have privately spoken to journalists, but no official admission exists. Strength of attribution claim: very high, but rests on secondary-source journalism rather than primary admission. This volume reports the consensus attribution but flags the residual ambiguity.

Why Stuxnet matters to the lineage of the craft. Three reasons. First, it was the first widely-known computer attack that produced a physical-world destructive effect on critical infrastructure — the digital-physical crossover that had been theorized since the 1990s (and that the 1997 Eligible Receiver exercise had demonstrated against simulated infrastructure) became operational reality. Second, it established the nation-state-grade 0-day budget as a recognizable signature — four Windows 0-days plus hardware-specific industrial-control payload, multi-year development, no profit motive — that defenders learned to recognize as a tell. Third, it made the air-gap-is-not-sufficient lesson concrete. The 2010 disclosures effectively ended the era when “this system is not on the Internet” was a meaningful security boast.

4.2 The Mandiant APT1 report (February 19, 2013)

If Stuxnet was the disclosed-but-officially-unattributed event that put state-grade computer attacks on the map, the Mandiant APT1 report was the publicly-attributed event that named names. On February 19, 2013, Mandiant — at the time a privately-held incident-response firm; subsequently acquired by FireEye in December 2013; subsequently spun out and acquired by Google in 2022 — published APT1: Exposing One of China’s Cyber Espionage Units38. The report, 76 pages, identified the People’s Liberation Army’s Unit 61398 (specifically, the 2nd Bureau of the PLA’s 3rd Department of the General Staff Department, headquartered at a specific building in the Pudong New Area of Shanghai) as the operational source of an espionage campaign against approximately 141 organizations in 20 industries since at least 2006, exfiltrating an estimated hundreds of terabytes of data. The report named individual operators by handle (UglyGorilla, DOTA, SuperHard), identified the specific building (Datong Road, Pudong; Mandiant published photographs), and laid out the technical infrastructure (command-and-control servers, custom malware families including BACKDOOR.WEBC2-AUSOV, GLOOXMAIL, and many others) in unprecedented public detail.

The significance of APT1 was less the underlying intelligence — much of which had been known privately within the IR community for years — than the public publication of state-level attribution at engineering specificity. Pre-2013, the convention had been to talk about “advanced persistent threats” in deliberately vague terms that left attribution to bilateral diplomatic channels. The APT1 report broke that convention; the U.S. Department of Justice followed up in May 2014 with criminal indictments against five named PLA officers in Unit 61398 on industrial-espionage charges39. The indictments were never expected to lead to convictions (the defendants were in China and protected from extradition), but they established the public-attribution-and-indictment pattern that the U.S. has subsequently used against Russian GRU and SVR officers (the 2018 GRU Mueller indictments; 2018 Sandworm/Ukraine; 2020 LockerGoga / GRU 74455 indictment), Iranian IRGC personnel (multiple), and DPRK Lazarus Group operators (the 2018 Park Jin Hyok indictment around WannaCry / Sony / Bangladesh Bank).

The APT-naming taxonomy. APT1 also established the numbered-APT naming convention that has become the dominant taxonomy for tracking state-aligned threat actors. Mandiant has assigned APT numbers from APT1 forward; CrowdStrike has its own “Bear / Panda / Kitten / Chollima / Spider” mascot-by-country convention (Bear = Russia, Panda = China, Kitten = Iran, Chollima = DPRK, Spider = criminal); Microsoft uses a “Storm” (criminal) and “[Element]-[Place]” (state) convention since 2023; Dragos uses “ELECTRUM / CRASHOVERRIDE / etc.” for ICS-focused groups; PWC, Trend Micro, ESET, and Kaspersky have their own families. The same threat actor often has half a dozen names across the various trackers, which can be confusing — the MITRE ATT&CK framework’s Groups page (https://attack.mitre.org/groups/) is the canonical cross-reference for “this Mandiant APT-number is the same actor as this CrowdStrike mascot name”40.

The reference list of state-level APT groups that are publicly documented at engineering depth in 2026 is large enough that this section treats only the most-cited; a fuller taxonomy lives in Vol 7 (the black-hat treatment, forthcoming) and in MITRE ATT&CK.

| APT-ID | Common name(s) | Attributed origin | Signature operations | Era |
|---|---|---|---|---|
| APT1 | Comment Crew, Byzantine Candor | PLA Unit 61398 (China; 2nd Bureau, 3rd Dept GSD) | Industrial espionage against US/Western firms; ~141 orgs / hundreds of TB | ~2006–2014; activity dropped after Mandiant report and PLA reorg into SSF in 2015 |
| APT28 | Fancy Bear, Sofacy, Pawn Storm | GRU Unit 26165 (Russia; military intelligence) | DNC 2016, TV5Monde 2015, WADA 2016, OPCW 2018; election-interference profile | ~2008–present |
| APT29 | Cozy Bear, The Dukes, NOBELIUM, Midnight Blizzard | SVR (Russia; foreign intelligence service) | DNC 2015–16 (alongside APT28); SolarWinds 2020; Microsoft 2024 | ~2008–present |
| APT30 | (Various) | Naikon group; China | Southeast Asian government/military targeting | ~2004–present |
| APT33 | Elfin, Refined Kitten, HOLMIUM | Iran (IRGC-aligned) | Oil & gas sector targeting; aerospace; Shamoon variants | ~2013–present |
| APT34 | OilRig, Helix Kitten, EUROPIUM | Iran (MOIS-aligned) | Middle East government targeting; financial sector | ~2014–present |
| APT38 | BeagleBoyz, Stardust Chollima | DPRK (RGB-aligned) | Bank heists (Bangladesh Bank $81M, 2016); SWIFT-network ops | ~2014–present |
| APT40 | Leviathan, MUDCARP, Bronze Mohawk, GADOLINIUM | China (MSS-aligned; Hainan State Security Department) | Maritime industries; healthcare; academia (publicly indicted July 2021) | ~2009–present |
| APT41 | Barium, Winnti, Wicked Panda | China (MSS-aligned; mixed contractor model) | Hybrid espionage + criminal monetization; 2020 DoJ indictment | ~2012–present |
| Lazarus Group | HIDDEN COBRA, Zinc, Diamond Sleet | DPRK (RGB-aligned) | Sony 2014, Bangladesh Bank 2016, WannaCry 2017, $1B+ cryptocurrency theft 2020s | ~2009–present |
| Sandworm | VOODOO BEAR, Telebots, ELECTRUM | GRU Unit 74455 (Russia) | Ukrainian power grid 2015/2016 (BlackEnergy / Industroyer); NotPetya 2017; Olympics 2018 | ~2009–present |
| Equation Group | Tilded Team | NSA (US; attributed via the 2016 Shadow Brokers leak and Kaspersky’s 2015 analysis) | Stuxnet’s authors; Flame, Duqu, Gauss families | ~2001–2016+ |

Table 4.3 — A representative subset of the publicly-documented state-aligned APT groups. The full taxonomy in MITRE ATT&CK’s Groups page is much larger (well over 100 named groups in 2026). The attribution column reports the consensus public attribution; strength of attribution varies — APT1’s identification of a specific PLA building is among the strongest, the Equation Group’s attribution to NSA via the Shadow Brokers leak is essentially confirmed, the Sandworm-to-GRU-74455 attribution is supported by the 2020 DoJ indictment with named defendants, while several others rest on circumstantial-evidence consensus rather than formal indictment. For the operational specifics of any group, MITRE ATT&CK’s group page is the canonical reference.

4.3 The Snowden disclosures (June 2013)

The third event in the 2010–2013 window that reshaped the public model of who-does-this-kind-of-work was the Snowden disclosures. Edward Snowden, an NSA contractor (then employed by Booz Allen Hamilton) working at the NSA Threat Operations Center facility in Hawaii, copied a substantial classified document trove from internal NSA systems through early 2013 and provided it to journalists Glenn Greenwald, Laura Poitras, and Barton Gellman in Hong Kong in late May / early June 2013. The first reports — The Guardian’s Verizon-metadata-court-order story on June 5, 2013, and The Guardian / Washington Post’s parallel PRISM disclosures on June 6, 2013 — opened a year-plus of rolling disclosures from the document trove41.

Edward Snowden in the Mira Hotel in Hong Kong, June 2013, during the interview with Glenn Greenwald that produced the first published video of him as the source of the leaks. The photograph was taken by Laura Poitras of Praxis Films and was first published in The Guardian on June 9, 2013, when Snowden's identity was first publicly disclosed. Photo: File:Edward Snowden-2.jpg by Laura Poitras / Praxis Films. License: CC BY 3.0 (https://creativecommons.org/licenses/by/3.0). Via Wikimedia Commons (https://commons.wikimedia.org/wiki/File%3AEdward%20Snowden-2.jpg).

Figure 4.2 — Edward Snowden in Hong Kong, June 2013. File:Edward Snowden-2.jpg by Laura Poitras / Praxis Films. License: CC BY 3.0 (https://creativecommons.org/licenses/by/3.0). Via Wikimedia Commons (https://commons.wikimedia.org/wiki/File%3AEdward%20Snowden-2.jpg).

The disclosures over the following two years documented, among other programs:

  • PRISM — NSA’s Section-702-authorized collection of communications from major US Internet companies (Google, Microsoft, Yahoo, Facebook, Apple, etc.); the companies’ cooperation was compelled by FISA Court orders. The June 6, 2013 Washington Post and Guardian stories included slides from an internal NSA briefing deck. Microsoft’s join date listed in the slides was September 11, 2007.
  • Section 215 metadata collection — NSA’s bulk-collection of telephony metadata from US telecommunications carriers under Section 215 of the USA PATRIOT Act, authorized by FISA Court orders. The Verizon order published June 5, 2013, was the first concrete documentation that the bulk-collection program existed (it had been long-rumored but always officially denied or non-answered).
  • XKEYSCORE — a search-and-analysis interface over NSA’s collected intercept data, described in slides leaked through 2013–2014 as allowing analysts to retrieve email content, browsing history, chat logs, and other content with minimal supervisory friction.
  • BULLRUN — NSA’s program to weaken cryptographic standards through partnerships with technology vendors and standards-body participation; the September 2013 NYT / Guardian / ProPublica report identified the Dual_EC_DRBG random-number generator (NIST SP 800-90A) as one of the standards involved.
  • The NSA TAO ANT catalog — published December 29, 2013 by Der Spiegel (the document trove being separate from the Snowden materials per the publication, though substantially overlapping in subject matter); described the implant catalogue of the NSA’s Tailored Access Operations unit, including hardware implants (COTTONMOUTH-I/II/III, FIREWALK, IRONCHEF) and software implants (DROPOUTJEEP for iPhone, GOPHERSET for SIM, MONKEYCALENDAR for SMS).

The disclosures’ effect on the field was substantial and asymmetric. For the practitioner community, the documents confirmed that NSA’s operational capability was substantially what the more paranoid researchers had assumed plus a margin — the precise programs, the precise vendor relationships, the precise standards-weakening. For the cryptography community, the BULLRUN disclosures triggered an aggressive review of cryptographic standards (Dual_EC_DRBG was removed from NIST SP 800-90A in 2014; several other primitives received fresh scrutiny). For the platform-vendor community, the disclosures motivated end-to-end encryption deployments that had been on the roadmap but unprioritized — most notably Apple’s iMessage end-to-end encryption (already deployed) and the subsequent iOS encryption-by-default; Google’s HTTPS-everywhere push; and Signal’s launch in 2014 as the dedicated end-to-end encrypted messenger (Moxie Marlinspike, who had founded Open Whisper Systems’ predecessor TextSecure in 2010, accelerated Signal’s development substantially in the wake of the disclosures, citing them publicly as motivation). For the legal and policy community, the disclosures produced the USA FREEDOM Act of June 2015, which formally ended bulk telephony-metadata collection under Section 215 (replacing it with a system requiring specific selectors and case-by-case FISA Court approval), and a string of subsequent litigation around Section 702 surveillance.

The disclosures also had a chilling effect on US security research, though the magnitude is debated. The pattern through the late 2010s was that US-citizen researchers became measurably more cautious about handling NSA-equity-adjacent material (vulnerabilities that might be in use by US intelligence operations); some senior researchers relocated outside the US; the Russia / Eastern Europe / Israel concentration of high-end vulnerability researchers became more pronounced (though the underlying economic gradient was the larger factor). Snowden himself remained in Russia from August 2013 onward, where he was granted asylum and subsequently Russian citizenship in September 2022.

The lineage from Snowden through to the modern post-Snowden privacy-and-cryptography work is direct. Signal is the cleanest example — the protocol that became the standard end-to-end encryption baseline for billions of users (WhatsApp uses Signal Protocol; Facebook Messenger adopted it; Skype briefly used it; many others) — but the same holds for the encryption-by-default normalization of iOS and Android and for the HTTPS-everywhere of the modern web. Every one of these existed in some form pre-2013, but the deployment-and-default-on aggressiveness across the industry post-2013 is directly downstream of the Snowden moment.


5. The bug-bounty economy

If §3 covered the moral and structural debate about what to do with vulnerabilities, this section covers what the industry actually built: a working market in which vendors pay researchers for vulnerabilities reported through structured programs. The bug-bounty economy as it stands in 2026 is the single largest formalized cash channel between independent researchers and vendors — paying out somewhere in the high hundreds of millions of dollars per year, summed across HackerOne, Bugcrowd, Synack, vendor self-managed programs, and the smaller platforms.

5.1 The pre-platform programs

The first organized bug bounty was Netscape’s, announced October 10, 1995 — about a year after Netscape Navigator’s commercial launch — and offering $1,000 (cash plus a Netscape t-shirt) for valid security bugs in Navigator 2.0 beta42. The program is the historical first; it ran for the Navigator betas and then went dormant when Netscape’s strategic situation deteriorated through the late 1990s.

The modern era opens with Mozilla’s Security Bug Bounty, announced August 2, 2004 by Mike Shaver of the Mozilla Foundation and funded initially by Mark Cuban and Mark Shuttleworth with $5,000 each (totaling the $10,000 seed). The initial maximum payout was $500 per critical vulnerability43; the program was the first bug-bounty program at sustained scale and is still operating in 2026, with substantially expanded payout tiers (the maximum for client-side critical vulnerabilities was $10,000 by 2015 and is higher in 2026). Mozilla’s program established the structural pattern: a published scope, a published payout table, a coordinated-disclosure expectation, a public credit listing for accepted reports.

Google’s Chromium Vulnerability Reward Program launched January 28, 2010, initially offering $500 per security bug in Chromium and Chrome [44]. Google’s program is, in 2026, one of the largest by total payout — well into eight figures per year across Chrome, Android, Google services, and the broader Google Vulnerability Reward Program. The Android Security Rewards specifically launched June 16, 2015 with the largest published payouts in the industry at that time (up to $30,000 for a complete-chain remote exploit; raised to $1 million by 2017 for a TrustZone or Verified Boot exploit; further raised since).

Facebook’s Whitehat Program launched July 29, 2011, offering a minimum $500 payout per valid report with no specified maximum [45]. Facebook’s program was the third major-vendor program and is notable for being the program Alex Rice built before founding HackerOne (see §5.2 immediately below).

5.2 The platforms — HackerOne and Bugcrowd

The bug-bounty economy industrialized when HackerOne and Bugcrowd launched as platform companies in 2012, both within roughly six months of each other, both addressing the same structural problem: most companies wanted to run bug-bounty programs but didn’t have the internal infrastructure (the triage team, the legal framework, the payment-and-1099 plumbing, the disclosure-management workflow) to do so cleanly.

HackerOne was founded in 2012 by Alex Rice (then Facebook’s product-security lead), Merijn Terheggen, Michiel Prins, and Jobert Abma [46]. The Dutch principals (Prins and Abma) had previously run Hack-Net, a Dutch-language hacking-tutorial site, and had been doing freelance security research; Rice brought the program-management expertise from Facebook. The company launched in San Francisco in 2012; raised initial Series A funding from Benchmark in 2014; subsequently raised through Series E by 2019 (Valor Equity Partners-led, $36 million). HackerOne in 2026 is the largest of the bounty platforms by both program count and payout volume, with several thousand active programs and cumulative payouts north of $300 million as of late 2024 (the most recent published figure).

Bugcrowd was founded in 2011 (incorporated; product launch 2012) by Casey Ellis, an Australian engineer with a security-consulting background [47]. The company launched in San Francisco in 2012 (concurrent with HackerOne) and has occupied the same market segment with somewhat different go-to-market emphasis (Bugcrowd historically more crowdsourced-pentest-as-a-service oriented; HackerOne historically more managed-program-as-a-service oriented; the segmentation has blurred since). Bugcrowd raised its Series E in 2020 ($30 million, Rally Ventures-led).

Synack was founded in 2013 by Jay Kaplan and Mark Kuhr (both NSA alumni) [48] and occupies a slightly distinct market position — a more vetted, smaller researcher pool (the “Synack Red Team,” screened and ID-verified researchers) running under more constrained scope agreements than the broad-public HackerOne or Bugcrowd programs. Synack pitches to government and high-regulated-industry customers; its researcher pool is in the low thousands, versus the open-registration pools of HackerOne and Bugcrowd, which are in the hundreds of thousands.

| Platform | Founded | Founders | HQ | Researcher pool model | Notable customers (public) |
|---|---|---|---|---|---|
| Mozilla self-managed | 2004 | Mike Shaver / Mozilla Foundation | (Mozilla-internal) | Open | Mozilla products only |
| Google self-managed | 2010 (Chromium) | Google Security Team | (Google-internal) | Open | All Google products + a broad VRP |
| HackerOne | 2012 | Alex Rice, Merijn Terheggen, Michiel Prins, Jobert Abma | San Francisco | Open + invite-only programs | DoD, Goldman Sachs, GitHub, Shopify, Uber, Spotify, hundreds more |
| Bugcrowd | 2011/2012 | Casey Ellis | San Francisco | Open + invite-only | Tesla, Indeed, Pinterest, Mastercard, hundreds more |
| Synack | 2013 | Jay Kaplan, Mark Kuhr | Redwood City, CA | Vetted-and-cleared red team | Federal government heavy; Fortune 500 financial |
| Apple Security Research Device program | 2019 | Apple Product Security | Cupertino | Invite-only researchers | Apple platforms only; specialized iOS dev devices |
| YesWeHack | 2013 | Manuel Dorne, Romain Lecoeuvre | Paris | Open | European concentration; broad scope |
| Intigriti | 2016 | Stijn Jans | Antwerp | Open | European concentration |
| Federacy / Open Bug Bounty / others | various | various | various | Mixed | Smaller programs, niche customers |

Table 4.4 — The bug-bounty platforms in 2026. HackerOne and Bugcrowd are the dominant platforms by program count and payout volume in the US market; YesWeHack and Intigriti hold equivalent positions in Europe; Synack occupies the high-vetted niche. The major-vendor self-managed programs (Mozilla, Google, Apple, Microsoft, Facebook/Meta) run alongside the platforms — many vendors run both their own program and a platform program, with different scopes and tiers.

5.3 The CFAA safe-harbor evolution

The bug-bounty programs created a structural problem that the CFAA (Vol 3 §4) had no clean answer for: the researcher’s activity, by hypothesis, is unauthorized access until the program’s terms of service authorize it. A researcher running an in-scope test against a vendor’s production system is, strictly, accessing that system. The Vol 3 §4 treatment of “without authorization or exceeds authorized access” suggests this is a CFAA violation; the only thing standing between the researcher and prosecution is the vendor’s contractual authorization, which exists for the duration of the bounty-program engagement.

The chilling effect on independent research was, through the mid-2010s, the most consistent complaint from the researcher side. The Aaron Swartz case — the prosecution of Aaron Swartz (the open-internet activist, RSS-spec co-author, Reddit founder) for downloading approximately 4 million articles from JSTOR via the MIT campus network in 2010–2011; he was charged with 13 federal counts, faced a theoretical maximum of 35 years and $1 million in fines, and died by suicide on January 11, 2013 amid the prosecution — became the high-profile pressure point [49]. The CFAA-reform discourse intensified through the mid-2010s without producing significant statutory changes; reform legislation in Congress (Aaron’s Law, introduced 2013 by Reps. Lofgren and Issa) did not pass.

What did happen, eventually, was that the Department of Justice published revised CFAA prosecutorial guidance in May 2022 [50]. The May 19, 2022 policy directed federal prosecutors to decline CFAA prosecutions where the only allegedly-unauthorized conduct was “good-faith security research” — defined as accessing a computer “solely for purposes of good-faith testing, investigation, and/or correction of a security flaw or vulnerability” where the activity was conducted “in a manner designed to avoid any harm to individuals or the public” and the information derived was “used primarily to promote the security or safety of the class of devices, machines, or online services to which the accessed computer belongs, or those who use such devices, machines, or online services.”

The 2022 DoJ policy is not a statutory amendment to the CFAA — the statute still reads as it did, and Van Buren (2021) is the most recent significant judicial gloss (Vol 3 §4.3). What the 2022 policy does is direct federal prosecutorial discretion: it tells prosecutors not to bring cases against good-faith researchers. The policy is revocable by a subsequent administration; it provides no civil-liability protection (researchers can still be sued by the vendor); and it does not bind state-level prosecutors who could still bring state computer-crime charges. The protection is real but limited. The owned-hardware-or-written-authorization line drawn in Vol 3 §4 is still the safe baseline; the DoJ policy is a softer second line that working researchers have learned to rely on but not to count on.

5.4 Apple’s Security Research Device program

One specific 2019 development worth flagging because it changed the iOS-research economy: Apple’s Security Research Device Program (announced December 2019; first devices shipped to participants in mid-2020) [51]. The program provides screened researchers with specially-configured iPhones running developer-fused firmware that allows attaching a debugger to system processes — a capability not available on retail iOS hardware. Acceptance is by application; the screened-researcher pool is in the low hundreds; participation requires a non-disclosure-and-coordinated-disclosure agreement with Apple. The program addressed Apple’s long-running tension between (a) its security posture preventing the kind of debugger-level research that improves the security of iOS for everyone, and (b) the vulnerabilities being found anyway by the broker market (NSO Pegasus iOS implants being the canonical case). The program is, in 2026, the closest the field has to a working model for “vendor-permitted research access to systems that would otherwise be off-limits.” It’s narrow (iOS-specific, screened-pool-only) and substantially under-imitated by other vendors; whether the pattern generalizes is one of the open questions of the 2026 field.


6. Ransomware-as-a-business

Ransomware in 2026 is a multi-billion-dollar criminal industry with a recognizable organizational chart, established supplier-and-affiliate relationships, dedicated money-laundering infrastructure, and state-actor adjacency. The arc from its 1989 origin to that state is one of the cleaner case studies in this volume of how a niche technical phenomenon professionalizes into an industry — and of how the same economic gradient that produced the bug-bounty platforms (§5) on the legal side produced the affiliate-and-initial-access-broker pyramid on the criminal side.

Danger callout — the legal posture around ransomware-as-a-service. The treatments in this section are entirely historical and factual, drawn from FBI / CISA / Treasury releases, DoJ indictments, and established journalism (principally Brian Krebs at Krebs on Security, the Bleeping Computer reporting line, and Andy Greenberg’s Sandworm). Engaging with ransomware operations on the offensive side — even as a “researcher” — sits squarely on the felony side of the CFAA (Vol 3 §4), the federal wire-fraud and extortion statutes (18 U.S.C. § 1343, § 1951), and the OFAC sanctions regime (which now lists multiple ransomware groups, making any payment to them a separate sanctions violation). Defensive engagement — running an in-house IR practice, working with FBI / CISA, doing post-event forensics under privileged authorization — sits cleanly on the white-hat side and is treated at depth in Vol 10 (blue hat) and Vol 11 (red hat). The line is the same line everywhere in this series: authorization, owned hardware, or sanctioned engagement. Nothing in this section is operational guidance for the offensive side; it is industry analysis of the offensive side from the defender’s perspective.

A ransomware-attack ransom-note screen — the visual signature of the genre. Generic illustrative screenshot; the user-facing pattern (full-screen lock-out, payment instructions in cryptocurrency, deadline countdown, threats of permanent decryption-key destruction) is consistent across CryptoLocker, Locky, WannaCry, Ryuk, REvil, Conti, LockBit, BlackCat / ALPHV, Royal, and the post-LockBit successors. The specific UI varies; the structural elements do not. Photo: File:Ransomware-pic.jpg by screenshot of Motormille2. License: Public domain. Via Wikimedia Commons (https://commons.wikimedia.org/wiki/File%3ARansomware-pic.jpg).

Figure 4.3 — A ransomware ransom-note screen. The structural signature of the genre. File:Ransomware-pic.jpg by screenshot of Motormille2. License: Public domain. Via Wikimedia Commons (https://commons.wikimedia.org/wiki/File%3ARansomware-pic.jpg).

6.1 The lineage: AIDS Trojan (1989) → CryptoLocker (2013) → industrial RaaS (2018+)

The first computer program in the public record that demanded ransom for restoration of access was the AIDS Trojan (also called the PC Cyborg trojan), distributed via floppy disk to attendees of the December 1989 WHO AIDS Conference by Dr. Joseph Popp, a Harvard-trained evolutionary biologist with what the subsequent legal proceedings characterized as significant mental-health complications [52]. The trojan counted system reboots, encrypted (weakly) file names after the 90th boot, and displayed a screen demanding $189 or $378 (depending on license type) be mailed to a post-office box in Panama, restoring decryption upon receipt. Popp was arrested in Britain in early 1990, extradited to the US, and found unfit to stand trial; he was released and subsequently active in evolutionary biology until his death in 2007. The AIDS Trojan is interesting historically but is not a meaningful operational ancestor of modern ransomware — the encryption was weak, the distribution mechanism (physical floppy) was not scalable, and there was no plausible profit model.

The mid-2000s saw a series of ransomware-precursor families using symmetric encryption with weak or recoverable keys (GPCoder 2005, Krotten 2006, Cryzip 2006, Archiveus 2006). The technical floor of these families was low; defenders could typically extract or compute the decryption key, and the criminals could not credibly extort because the key was extractable. The economics didn’t work.

The watershed was CryptoLocker, first observed September 5, 2013, distributed via the Gameover Zeus botnet and (later) malicious email attachments [53]. CryptoLocker’s technical innovations were the two that defined every subsequent profitable ransomware family:

  1. Asymmetric cryptography done correctly. CryptoLocker generated a unique 2048-bit RSA key pair per victim on a command-and-control server, sent only the public key to the victim, and used it to wrap a per-file AES symmetric key. The private RSA key never touched the victim’s machine; defenders could not recover it without breaking the server. The encryption was, for practical purposes, irreversible without the criminal’s cooperation.
  2. Bitcoin payment. CryptoLocker demanded payment in Bitcoin (and, briefly, also accepted MoneyPak prepaid cards). Bitcoin’s appearance in late 2008 / January 2009 had created the first practical pseudonymous-at-arm’s-length value-transfer rail; CryptoLocker was the first widely-deployed ransomware to use it. Subsequent ransomware families went Bitcoin-only and then increasingly Monero-only (the more privacy-focused cryptocurrency).

CryptoLocker ran from September 2013 through May 2014, when Operation Tovar (a multi-national takedown of the Gameover Zeus botnet, led by the FBI in cooperation with international law enforcement) disrupted its infrastructure [54]. Total extortion through CryptoLocker has been estimated at approximately $27 million across an estimated 250,000+ infections; the FBI’s Operation Tovar recovered the private-key database from the seized C2 servers and worked with Fox-IT and FireEye on the DecryptCryptoLocker site (decryptcryptolocker.com) to provide free key recovery to affected victims through 2014.
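The two-key design in (1) and the key-database recovery behind DecryptCryptoLocker, worked through as an added example in Go (not code from the page or from any ransomware family): a per-victim RSA key pair is generated server-side, a per-file AES-GCM key is wrapped with only the public half, and the file is recoverable only when the matching server-side private key is available. The type and function names, the `MatchesVictim` lookup helper, and the sample document contents are all constructed for this example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// VictimArtifacts is everything a forensic image of an affected host holds
// under the CryptoLocker-style design: the per-victim public key the C2 sent
// down, the RSA-OAEP-wrapped per-file AES key, the GCM nonce and the
// ciphertext. The matching private key is absent from the host by design.
type VictimArtifacts struct {
	VictimPublic *rsa.PublicKey
	WrappedKey   []byte
	Nonce        []byte
	Ciphertext   []byte
}

// GenerateVictimKeypair models the C2-side step: a fresh 2048-bit RSA key
// pair per victim. The private half lives only in the server's key database.
func GenerateVictimKeypair() (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, 2048)
}

// SealWithPublicKey models the host-side half of the design: a random 256-bit
// AES key per file, used once under AES-GCM, then wrapped with the victim's
// public key. Nothing that ran on the host can invert the wrap.
func SealWithPublicKey(pub *rsa.PublicKey, plaintext []byte) (*VictimArtifacts, error) {
	fileKey := make([]byte, 32)
	if _, err := rand.Read(fileKey); err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(fileKey)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, fileKey, nil)
	if err != nil {
		return nil, err
	}
	return &VictimArtifacts{
		VictimPublic: pub,
		WrappedKey:   wrapped,
		Nonce:        nonce,
		Ciphertext:   gcm.Seal(nil, nonce, plaintext, nil),
	}, nil
}

// MatchesVictim is the lookup a DecryptCryptoLocker-style service performs:
// does this private key from the seized database belong to this victim's
// public key? (Hypothetical helper modelled on the page's description.)
func MatchesVictim(priv *rsa.PrivateKey, a *VictimArtifacts) bool {
	return priv.PublicKey.Equal(a.VictimPublic)
}

// RecoverWithPrivateKey models the post-Tovar recovery path: unwrap the file
// key with the seized private key, then open the ciphertext. With any other
// private key the OAEP unwrap fails and nothing is recovered, which is the
// forensic reality when only the host image is available.
func RecoverWithPrivateKey(priv *rsa.PrivateKey, a *VictimArtifacts) ([]byte, error) {
	fileKey, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, a.WrappedKey, nil)
	if err != nil {
		return nil, fmt.Errorf("unwrap failed; private key does not match victim: %w", err)
	}
	block, err := aes.NewCipher(fileKey)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, a.Nonce, a.Ciphertext, nil)
}

func main() {
	serverKey, _ := GenerateVictimKeypair()
	// Constructed sample "file"; the contents stand in for an ordinary document.
	art, _ := SealWithPublicKey(&serverKey.PublicKey, []byte("constructed document contents"))

	// Host-only forensics: the analyst holds a key pair, just not the victim's.
	analystKey, _ := rsa.GenerateKey(rand.Reader, 2048)
	fmt.Println("analyst key matches victim:", MatchesVictim(analystKey, art))
	if _, err := RecoverWithPrivateKey(analystKey, art); err != nil {
		fmt.Println("host-only recovery:", err)
	}
	// Post-Tovar path: the seized per-victim private key recovers the file.
	pt, err := RecoverWithPrivateKey(serverKey, art)
	fmt.Printf("with seized key: %q (err=%v)\n", pt, err)
}
```

The contrast with the mid-2000s families is the absence of any function here that recovers the file from `VictimArtifacts` alone; in those families the symmetric key was part of what the host held.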

CryptoLocker’s success — both the criminal success of the original campaign and the public-and-press attention to it — produced an immediate fast-follower wave: CryptoWall (October 2013 onward; multiple variants; total extortion estimated $325 million+ by mid-2015 [55]), Locky (February 2016), TeslaCrypt (2015–2016; notable for the operators releasing the master key to Malwarebytes in May 2016), Cerber (2016, first ransomware-as-a-service operation at scale), Petya / NotPetya (NotPetya in June 2017 was attributed to Russian GRU Unit 74455 / Sandworm and was a destructive operation masquerading as ransomware, not a profit-motive operation; see [56]), WannaCry (May 12, 2017, attributed to DPRK Lazarus Group; the EternalBlue SMB exploit allowed worm-grade propagation that infected an estimated 200,000+ systems across 150+ countries within a week, with $4 billion-plus in estimated global damage [57]).

6.2 The RaaS / IAB pipeline (2018+)

By 2018, the criminal economy had organized into the ransomware-as-a-service (RaaS) plus initial-access-broker (IAB) pipeline that defines the modern ecosystem. The pipeline has four distinct roles, run by distinct criminal organizations, communicating via established underground forums (the Russian-language XSS / Exploit / RAMP forums most prominently), and operating with substantial division of labor.

                     The 2018-2026 ransomware criminal economy
                     ────────────────────────────────────────

   ┌────────────────────────────────────────────────────────────────┐
   │                                                                │
   │  INITIAL ACCESS BROKERS (IABs)                                 │
   │  ───────────────────────────                                   │
   │  - Buy / develop ways to get into target organizations:        │
   │     · Phishing campaigns + credential harvesting               │
   │     · Exploiting RDP / VPN / Citrix exposure                   │
   │     · Buying credentials from infostealer-malware-as-a-service │
   │       operators (Raccoon, Vidar, RedLine, Lumma)               │
   │     · Buying exposed RDP from Russian-market.cc and clones     │
   │  - Validate the access (it works; sufficient privilege)        │
   │  - Sell the access on XSS / Exploit / RAMP forums              │
   │     · Typical price: $500 to $50,000+ depending on target      │
   │       (revenue, sector, AD privileges)                         │
   │     · Buyer is typically a RaaS affiliate                      │
   │                                                                │
   └──────────────────────────────┬─────────────────────────────────┘
                                  │  access listing for
                                  │  Target Corp, AD admin,
                                  │  $25,000 in BTC

   ┌────────────────────────────────────────────────────────────────┐
   │                                                                │
   │  RANSOMWARE OPERATORS (the "RaaS" platform)                    │
   │  ─────────────────────────────────────────                     │
   │  - Develop and maintain the ransomware payload (the encryptor) │
   │  - Run the dark-web "leak site" used for double-extortion      │
   │  - Provide the negotiation chat infrastructure                 │
   │  - Operate the payment-and-decryption-key release system       │
   │  - Recruit and vet affiliates                                  │
   │  - Set the affiliate cut: typically 70-80% to affiliate,       │
   │    20-30% retained by operator                                 │
   │                                                                │
   │  Named operations 2018-2026:                                   │
   │   · GandCrab (2018-2019; retired claiming $2B extorted)        │
   │   · REvil/Sodinokibi (2019-2021; Kaseya VSA, JBS Foods)        │
   │   · Conti (2020-2022; Healthcare-sector campaign; leaked       │
   │     internal chats Feb 2022 in protest of Russia/Ukraine war)  │
   │   · LockBit (2019-2024; the most-prolific by victim count;     │
   │     taken down by Operation Cronos Feb 19, 2024)               │
   │   · BlackCat / ALPHV (2021-2024; Rust-based; Change Healthcare │
   │     attack Feb 2024)                                           │
   │   · Royal / Black Suit (2022-present)                          │
   │   · Hunters International (2023-present; Hive successor)       │
   │                                                                │
   └──────────────────────────────┬─────────────────────────────────┘
                                  │  affiliate is licensed
                                  │  to use the encryptor +
                                  │  the leak-site

   ┌────────────────────────────────────────────────────────────────┐
   │                                                                │
   │  AFFILIATES (the operators in the bilateral RaaS sense)        │
   │  ──────────────────────────────────────────────                │
   │  - Take the IAB-purchased access; pivot from initial foothold  │
   │  - Run reconnaissance inside the target environment            │
   │  - Identify and exfiltrate the most-sensitive data (the        │
   │    second pressure point alongside encryption)                 │
   │  - Reach the file servers, the backup systems, the AD          │
   │    domain-controller, the hypervisor layer                     │
   │  - Stage and deploy the encryptor across the environment       │
   │  - Negotiate ransom with the victim                            │
   │  - Pay operator's cut; pocket the rest                         │
   │                                                                │
   │  Affiliates are typically 1-5 person teams; some affiliates    │
   │  work across multiple RaaS operations simultaneously (the      │
   │  same crew may affiliate with both REvil and LockBit at        │
   │  different times); the affiliate pool is in the low hundreds   │
   │  for any given RaaS at any given time.                         │
   │                                                                │
   └──────────────────────────────┬─────────────────────────────────┘
                                  │  victim pays in BTC / XMR
                                  │  (or refuses; then leak)

   ┌────────────────────────────────────────────────────────────────┐
   │                                                                │
   │  CRYPTOCURRENCY LAUNDERING PIPELINE                            │
   │  ──────────────────────────────────                            │
   │  - Mixers / tumblers (Tornado Cash, ChipMixer, BestMixer.io)   │
   │  - Chain-hopping through privacy coins (Monero) and back       │
   │  - Cashout via cooperative exchanges (Russian, Eastern         │
   │    European, Hong Kong, Dubai counterparties)                  │
   │  - Cryptocurrency-to-fiat via OTC desks                        │
   │  - Eventual delivery to operator and affiliate "wages"         │
   │                                                                │
   │  OFAC sanctions enforcement against laundering infrastructure: │
   │   · Suex (Sept 2021; first OFAC sanction of a crypto exchange) │
   │   · Tornado Cash (Aug 2022; sanctioned as an entity)           │
   │   · Sinbad / Blender (2023; Hydra Market 2022)                 │
   │   · Hydra Market takedown (April 2022; Germany)                │
   │                                                                │
   └────────────────────────────────────────────────────────────────┘

Figure 4.4 — The ransomware criminal-economy structure, 2018-2026. The diagram is generic; specific operations have variations (some operators run their own initial access; some IABs run their own ransomware; some affiliates also moonlight as IABs). The four-tier structure with separate-organizations-per-tier is the modal pattern and is the structure FBI and CISA describe in their public guidance.

6.3 The named incidents

The history of the RaaS era is best told through its specific named incidents — each of which became a watershed in some specific way.

WannaCry — May 12, 2017. WannaCry was the most globally-disruptive ransomware event of the 2010s, infecting an estimated 200,000–300,000 systems across 150+ countries in approximately 4 days. The propagation was driven by the EternalBlue SMBv1 exploit (CVE-2017-0144 / MS17-010), an NSA-developed exploit that had been published by the Shadow Brokers in April 2017 as part of their fifth document dump. Microsoft had patched the underlying vulnerability in March 2017 (MS17-010), but enterprise patching cycles meant tens of thousands of systems remained vulnerable in May. The most-cited victim was the UK National Health Service, where approximately 80 NHS trust networks were affected and an estimated 19,000 medical appointments were cancelled. The propagation was halted on May 12 when Marcus Hutchins (handle: MalwareTech), then 22 years old, registered the kill-switch domain (iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com) that the malware was checking — the registration caused the malware to short-circuit before encrypting. Hutchins was arrested in August 2017 at DEF CON 25 on unrelated Kronos-banking-malware charges from 2014–2015, pled guilty in 2019, and was sentenced to time-served plus supervised release; he is in 2026 a working security researcher with Kryptos Logic. WannaCry was attributed to DPRK’s Lazarus Group in late 2017 by the UK NCSC, the US Department of Homeland Security, and Canada’s CSE; the September 2018 DoJ indictment of Park Jin Hyok [58] named a specific RGB officer as a Lazarus operative responsible for WannaCry, the Sony Pictures hack, and the Bangladesh Bank heist. Estimated global financial damage: $4 billion+.

NotPetya — June 27, 2017. NotPetya appeared one month later. The malware was distributed via a malicious update to M.E.Doc, a Ukrainian tax-accounting software package widely used in Ukrainian businesses; from there it spread laterally using EternalBlue (same exploit as WannaCry) plus Mimikatz-based credential harvesting. NotPetya was not actually ransomware — the encryption was irreversible, the payment infrastructure was minimal, and the “ransom note” was decorative. The operation was a destructive cyberweapon disguised as ransomware. The June 2017 timing aligned with the third anniversary of the 2014 Russian annexation of Crimea; the primary impact was on Ukrainian businesses (an estimated 80% of all systems in Ukraine were affected); secondary impact landed on global firms with Ukrainian operations (Maersk, Merck, Mondelez, FedEx/TNT, Reckitt Benckiser) with damages running to the tens of billions of dollars globally. NotPetya was attributed in February 2018 by the UK, US, and Five Eyes to the Russian GRU’s Sandworm unit (Unit 74455); the October 2020 DoJ indictment named six GRU officers [59]. NotPetya is the most-cited example of a state actor using ransomware-shaped tooling for non-financial purposes — the line between criminal ransomware and state-actor destructive operations is, on the technical surface, very thin. Estimated global financial damage: $10 billion+.

Colonial Pipeline — May 7, 2021. Colonial Pipeline, the largest fuel pipeline on the US East Coast (5,500 miles, supplying approximately 45% of East Coast fuel), was attacked on May 7, 2021 by the DarkSide RaaS group [60]. The initial access was via a single compromised VPN account whose password had been exposed in an unrelated breach and which lacked multi-factor authentication. The attackers exfiltrated approximately 100 GB of data and deployed the DarkSide encryptor against billing-and-IT systems; Colonial shut down the actual pipeline operations preemptively on May 7 to prevent the attack spreading to operational technology. The pipeline remained shut for six days. Colonial paid approximately $4.4 million in Bitcoin ransom on May 8; the FBI subsequently recovered approximately $2.3 million of that payment in June 2021 by obtaining the private key to the destination wallet (the technical specifics of the recovery were not publicly disclosed; the FBI affidavit cited the existence of a “private key” for the relevant wallet). Colonial Pipeline became the trigger event for substantial US federal-policy response: TSA pipeline-security directives, the May 12, 2021 Executive Order 14028 (“Improving the Nation’s Cybersecurity”) with software-supply-chain and SBOM requirements, and the establishment of the Joint Cyber Defense Collaborative (JCDC) at CISA. DarkSide announced its shutdown approximately a week after the Colonial event, citing law-enforcement pressure; the operators (and presumably much of the affiliate pool) regrouped as BlackMatter (mid-2021), which itself wound down in November 2021, with substantial continuity into BlackCat / ALPHV (late 2021).

Kaseya VSA — July 2, 2021. The REvil group exploited a zero-day vulnerability (CVE-2021-30116) in Kaseya VSA, a managed-service-provider remote-management tool, to push ransomware to approximately 60 MSP customers, which in turn pushed it to an estimated 1,500–2,000 of their downstream customers — a single-incident multi-tenant compromise [61]. REvil initially demanded $70 million for a universal decryption key; Kaseya eventually obtained the decryptor through “a trusted third party” (publicly unclear but reportedly via the FBI, which had access to the decryptor for some weeks before the public release on July 22). REvil’s infrastructure went offline two weeks after Kaseya, on July 13, in what was widely interpreted as Russian-government pressure following US-Russia diplomatic discussions about ransomware (the June 16, 2021 Biden-Putin Geneva summit had explicitly raised the issue). REvil partially reconstituted in September 2021; the FSB announced an REvil takedown operation in Russia in January 2022 (claiming 14 members arrested) which most Western analysts treated as a one-time goodwill gesture before the February 2022 invasion of Ukraine. REvil’s operational continuity is unclear in 2026.

Operation Cronos / LockBit — February 19, 2024. LockBit was the most prolific RaaS group by victim count from 2019 through early 2024 — by various counts, between 1,400 and 2,500 confirmed victim organizations across the period, more than any other single RaaS family. On February 19, 2024, the UK National Crime Agency, in cooperation with the FBI and Europol and law enforcement across 11 countries, executed Operation Cronos: seizure of LockBit’s infrastructure (the leak site, the affiliate panel, the data archives), publication of the seized infrastructure under NCA control with a defacement page on the LockBit leak site, indictment of two Russian nationals (Mikhail Vasiliev and Ruslan Magomedovich Astamirov), and release of a free decryptor for victims [62]. LockBit’s operators attempted to relaunch on a new infrastructure within a week, but the operational continuity was substantially impaired. Operation Cronos is the most successful RaaS takedown to date by the duration of disruption produced; whether the disruption persists is a 2024-and-forward question.

| Incident | Year | Operator / affiliate | Paid? | Outcome |
|---|---|---|---|---|
| AIDS Trojan | 1989 | Joseph Popp (lone-PC era) | ~No (poor distribution) | Popp arrested; found unfit to stand trial |
| CryptoLocker | Sept 2013 – May 2014 | Slavik / Bogachev (Gameover Zeus) | ~$27 M extorted | Operation Tovar takedown May 2014; FBI recovered key db |
| WannaCry | May 2017 | DPRK Lazarus Group | Minimal (~$140 K paid) | Kill-switch killed propagation; $4 B+ global damage; Park Jin Hyok indicted 2018 |
| NotPetya | June 2017 | Russian GRU Sandworm (74455) | N/A (not actually ransomware) | $10 B+ global damage; 6 GRU officers indicted Oct 2020 |
| Colonial Pipeline | May 7, 2021 | DarkSide RaaS / affiliate | $4.4 M paid; FBI recovered ~$2.3 M | EO 14028; TSA directives; DarkSide shutdown |
| Kaseya VSA | July 2, 2021 | REvil RaaS / affiliate | Not paid (decryptor obtained other route) | REvil infrastructure offline July 13; partial reconstitution; FSB arrest theatre Jan 2022 |
| JBS Foods | May 30, 2021 | REvil | $11 M paid | World’s largest meat processor; 5-day operations halt across North America + Australia |
| Change Healthcare | Feb 2024 | BlackCat / ALPHV | Reportedly $22 M paid | Largest US healthcare data breach; 100+ M people affected; UnitedHealth Group losses ~$2.5 B |
| LockBit (Operation Cronos) | Feb 19, 2024 | LockBit RaaS | (Takedown event) | UK NCA + FBI + Europol seizure; free decryptor; partial relaunch but impaired |

Table 4.5 — Major ransomware-and-ransomware-shaped incidents from 1989 to 2024. The pattern across the 2017–2024 window is approximately one watershed incident per year; the policy and law-enforcement response has accelerated correspondingly, with each incident producing some specific structural change (EternalBlue patching urgency; OFAC sanctions; FBI cryptocurrency-recovery capability; CISA JCDC; Operation Cronos).

6.4 The OFAC and Treasury enforcement layer

A specific development worth flagging because it changed the legal calculus of ransom payment: in September 2020, OFAC (the US Treasury’s Office of Foreign Assets Control) published an advisory clarifying that ransomware payments to sanctioned individuals or entities — including ransomware groups that had been designated, like Evil Corp (December 2019) — could themselves be sanctions violations63. The advisory was updated in September 2021 with stronger language. The practical effect was that paying ransom to a sanctioned group became a second, separate legal exposure for the victim organization (and its insurance carrier); cyber-insurance underwriting changed substantially through 2021–2022 as a result; and many victim organizations now conduct sanctions-compliance review before any payment decision. The OFAC sanctioning of Tornado Cash (August 8, 2022) — the Ethereum mixer used in significant ransomware laundering — extended this to the cryptocurrency-laundering infrastructure itself; sanctioning a protocol (rather than a person or entity) was a novel application of the sanctions authority and remains controversial. The Tornado Cash sanctions were partially lifted in March 2025 following litigation.

The OFAC layer is, in 2026, one of the load-bearing pressure points on the ransomware ecosystem; the criminal operators have responded by attempting to maintain operational separation from sanctioned individuals and groups (which is non-trivial when the same operators rebrand across multiple RaaS storefronts), and by increasing reliance on Monero (the privacy-coin alternative to Bitcoin) and on jurisdictional arbitrage to keep the laundering pipeline operational.


7. The tooling democratization — Kali, Metasploit, Hak5, SDR going cheap

If the threat picture (§§3–6) is the demand-side of the modern field, the toolchain is the supply-side — and the structural change in the supply-side across the volume’s window is that the cost-of-entry for capable security tooling has collapsed by approximately two orders of magnitude. A 1995-era pentest required a Sun workstation, specialized commercial tools (ISS Internet Scanner at thousands of dollars per seat, sniffers at five-figure list prices), and a fast academic-or-corporate network connection. A 2026 pentest can be run from a Raspberry Pi 5 with Kali Linux, Metasploit, and a $20 RTL-SDR dongle for the RF side — total budget under $200. The capability is not identical (high-end commercial tools still cover ground the free toolchain doesn’t), but it is genuinely overlapping. This section traces how that compression happened.

Kali Linux 2021.2 desktop running the Xfce desktop environment. Kali is the canonical pentest-distribution Linux build, maintained by Offensive Security; it ships with several hundred pre-configured security tools (Metasploit, Burp Suite, Wireshark, Nmap, John the Ripper, Aircrack-ng, sqlmap, and many more), boots from USB or runs in a VM, and is the de-facto starting point for any working pentester's day. The distribution has been in continuous release since March 2013, when it was forked from the older BackTrack project; prior to 2013, BackTrack (and before it, WHAX and Auditor Security Collection) occupied the same niche. Photo: File:Kali Linux 2021.2.png by Purpurreiher. License: GPL (http://www.gnu.org/licenses/gpl.html). Via Wikimedia Commons (https://commons.wikimedia.org/wiki/File%3AKali%20Linux%202021.2.png).

Figure 4.5 — Kali Linux 2021.2, Xfce desktop. File:Kali Linux 2021.2.png by Purpurreiher. License: GPL (http://www.gnu.org/licenses/gpl.html). Via Wikimedia Commons (https://commons.wikimedia.org/wiki/File%3AKali%20Linux%202021.2.png).

7.1 Kali Linux (March 2013) and the BackTrack lineage

The single-distribution starting point of the modern free pentest toolchain is Kali Linux, released March 13, 2013 by Mati Aharoni and Devon Kearns of Offensive Security (Vol 4 §2.3)64. Kali is a Debian-derived Linux distribution preconfigured with several hundred security tools, designed to boot from removable media (USB stick) or run in a virtual machine for portable pentest engagements. Kali in 2026 is on its rolling-release model, with monthly point releases, and is the canonical pentest distribution by an order of magnitude over its nearest competitor (Parrot Security OS, ~10% market share by Wireshark-pcap-public-survey methodology).

Kali’s lineage is several generations deep. The direct predecessor was BackTrack, released in 2006 from the merger of WHAX (Mati Aharoni’s distribution, itself a successor to Whoppix, a Knoppix-based pentest distribution Aharoni had released in 2004) and Auditor Security Collection (a German distribution maintained by Max Moser since 2005). BackTrack ran from 2006 (BackTrack 1) through 2012 (BackTrack 5 R3); the 2013 rebuild from BackTrack to Kali was driven by the architectural decision to move from a Slackware-and-Ubuntu hybrid base to a clean Debian base, which substantially simplified the package-and-dependency management. Kali 1.0 (March 13, 2013) carried over the BackTrack tool set in updated form; subsequent Kali releases (2.0 in August 2015, the rolling-release transition in January 2016, and the steady release cadence since) have evolved the distribution while keeping the canonical-pentest-distribution position.

The economic effect of Kali is that the assemble-your-own-toolchain step disappeared from the pentester’s setup time. Every commonly-used security tool (Metasploit, Burp Suite Community, Wireshark, Nmap, sqlmap, John the Ripper, Hashcat, Aircrack-ng, Hydra, Nikto, gobuster, ffuf, BloodHound, the AD-attack tooling, the cloud-pentest tooling, and many more) is preinstalled, preconfigured, and tested against the same kernel and library versions. A fresh installation is operational within minutes; a pentest engagement that would have taken two weeks of toolchain setup in 1998 takes an hour of Kali ISO download in 2026. Compounding this is that Kali is free — no license fees, no per-seat costs, no node-locked installation.

7.2 Metasploit (2003) — HD Moore and the modular exploit framework

The single most consequential offensive-tooling project of the 2000s is Metasploit, released by HD Moore (then with the security research firm Digital Defense) in October 2003 as a Perl-based framework for organizing exploit code, payloads, and post-exploitation modules65. The original framework was a substantial reorganization of what had previously been a chaotic mess of one-off exploit code shared on Bugtraq and similar venues; Metasploit imposed a consistent module structure, a clean exploit-payload separation, and a centralized configuration-and-target-selection interface.

Metasploit’s structural innovations were several. First, the modular architecture: an exploit module described how to deliver a payload to a vulnerable target, and a payload module described what to do once execution was achieved; the two were composed at run-time. This let researchers write exploits once and reuse payloads across them, and write payloads once and reuse them across exploits. Second, Meterpreter: a custom payload that ran in-memory on the compromised system and provided a rich post-exploitation environment (file operations, network pivoting, credential extraction, screenshot capture, keystroke logging) without writing tools to disk. Third, the port to Ruby (Metasploit 3.0, released 2007) which substantially expanded the contributor base. Fourth, the integration with Nmap for target discovery, with John the Ripper and Hashcat for credential cracking, with Mimikatz for Windows credential extraction, and with everything else in the pentest workflow.

In October 2009, Rapid7 acquired Metasploit and HD Moore became Rapid7’s Chief Security Officer66. The acquisition preserved the open-source Metasploit Framework while adding the commercial Metasploit Pro product on top. Moore left Rapid7 in 2016 and subsequently founded Rumble (network-asset-discovery; later runZero); Metasploit Framework remains an active open-source project maintained by Rapid7 with substantial community contribution. By module count, Metasploit Framework in 2026 carries on the order of 4,000+ exploit modules, 2,000+ auxiliary modules, and 1,500+ payload modules.

The cultural and operational significance of Metasploit is that it normalized exploitation as engineering discipline. Pre-Metasploit, running an exploit was a craft activity involving porting old C code to your target architecture, debugging the shellcode, and improvising. Post-Metasploit, running an exploit was a matter of selecting use exploit/..., setting RHOST and LHOST, and typing exploit — closer to invoking a debugger than to authoring an exploit. The exploit-authorship craft moved up one level (write new modules, not new exploits-from-scratch); the consumption of exploits became routine.

7.3 The Hak5 family — USB Rubber Ducky onward

The democratization on the physical-implant side was driven by Hak5, founded in 2005 by Darren Kitchen as a hacker-podcast operation and pivoted through the late 2000s into a hardware product business. The first product was the USB Rubber Ducky, released in 201067 — a small USB device shaped like a flash drive that registered to the host computer as a USB keyboard and typed pre-programmed keystrokes at machine speed. The HID-injection attack (“BadUSB” — although the BadUSB term in the formal sense was coined by Karsten Nohl in 2014 for the broader USB-firmware-rewriting attack class) had been understood as a concept since the early 2000s; the Rubber Ducky was the first widely-available physical implementation of it at consumer price points.
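The machine-speed typing described above is also the property a defender can key on: a scripted keystroke burst is both far faster and far more regular than anything a human produces. The following is an added example, not code from the article or from Hak5, showing an inter-keystroke timing heuristic run over constructed key-down events; the thresholds (MIN_BURST_KEYS, MAX_MEDIAN_INTERVAL_MS, MAX_JITTER_MS) and the sample event stream are assumptions chosen for illustration, not measured values.

```python
"""Inter-keystroke timing heuristic for keystroke-injection detection.

Added example (not from the article or from Hak5). A USB device that types a
pre-programmed script does so far faster and more regularly than a human, so a
window of inter-keystroke intervals separates the two. The events below are
constructed in code, not captured from real hardware.
"""
import random
from statistics import median

# Thresholds are assumptions for illustration; tune against real evdev data.
MIN_BURST_KEYS = 20             # keys needed in one burst before we judge it
MAX_MEDIAN_INTERVAL_MS = 25.0   # humans rarely sustain < ~25 ms between keys
MAX_JITTER_MS = 5.0             # scripted typing is also unusually regular


def intervals_ms(timestamps_ms):
    """Gaps between consecutive key-down timestamps, in milliseconds."""
    return [b - a for a, b in zip(timestamps_ms, timestamps_ms[1:])]


def classify_burst(timestamps_ms):
    """Return 'injection', 'human' or 'insufficient' for one burst of key-downs."""
    if len(timestamps_ms) < MIN_BURST_KEYS:
        return "insufficient"
    gaps = intervals_ms(timestamps_ms)
    med = median(gaps)
    jitter = median(abs(g - med) for g in gaps)   # median absolute deviation
    if med <= MAX_MEDIAN_INTERVAL_MS and jitter <= MAX_JITTER_MS:
        return "injection"
    return "human"


def split_into_bursts(events, idle_gap_ms=500.0):
    """Group (timestamp_ms, keycode) events into bursts separated by idle gaps."""
    bursts, current = [], []
    for ts, _keycode in events:
        if current and ts - current[-1] > idle_gap_ms:
            bursts.append(current)
            current = []
        current.append(ts)
    if current:
        bursts.append(current)
    return bursts


def scan(events):
    """Classify every burst in an event stream."""
    return [classify_burst(burst) for burst in split_into_bursts(events)]


def make_sample(seed=1):
    """Constructed stream: a human typing ~6-10 keys/s with jitter, then after a
    pause a scripted burst at ~10 ms per key with sub-millisecond jitter."""
    rng = random.Random(seed)
    events, t = [], 0.0
    for i in range(30):                      # human segment
        t += rng.uniform(90.0, 180.0)
        events.append((t, ord("a") + i % 26))  # keycode is a placeholder value
    t += 2000.0                              # idle gap: device plugged in here
    for i in range(60):                      # scripted segment
        t += 10.0 + rng.uniform(-0.3, 0.3)
        events.append((t, ord("a") + i % 26))
    return events


if __name__ == "__main__":
    print(scan(make_sample()))   # → ['human', 'injection']
```

On a real host the same classifier would be fed timestamps from the evdev input layer; the idle-gap split matters because a device that enumerates and immediately types produces one dense burst, which is exactly the shape the heuristic keys on. Binding which USB keyboards may enumerate at all complements this rather than replacing it, since a timing heuristic can only fire after the first keystrokes have already landed.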

The Rubber Ducky’s significance to the lineage of the craft is substantial enough that it has its own dedicated deep dive in this hub — see [the Ducky Script deep dive](../../Ducky Script/03-outputs/DuckyScript_Complete.html) for the per-device hardware walkthroughs and the language reference. The short version: the Rubber Ducky established a product category that subsequently expanded into the Bash Bunny (2017, a multi-payload USB device with active Linux-shell capability), the Key Croc (2020, a hardware keylogger with active payload capability that sits inline on a keyboard cable), the O.MG Cable family (separately developed by Mike Grover; a malicious USB cable that does everything the Rubber Ducky does plus Wi-Fi exfiltration plus active control, in a form-factor visually indistinguishable from a standard USB cable), and the Shark Jack / Plunder Bug / Packet Squirrel family on the network-side. The Hak5 line in 2026 is the standard reference for “physical-access keystroke-injection-and-implant tooling” at consumer price points (the Rubber Ducky in 2026 is approximately $80; the higher-capability units run $130–$200). The closest counterpart on the Wi-Fi side is the WiFi Pineapple, which is also Hak5 and which has its own dedicated deep dive — see [the WiFi Pineapple deep dive](../../WiFi Pineapple/03-outputs/WiFiPineapple_Complete.html).

The structural effect of the Hak5 line is that physical-implant tradecraft, which had previously required substantial custom-hardware development, became a $200 catalog purchase. A 2010-era physical-implant engagement required building or commissioning the hardware; a 2026 engagement uses Hak5 hardware off-the-shelf and focuses the work on payload development and delivery. The same compression that Kali achieved for software tooling, Hak5 achieved for physical-implant hardware.

7.4 RTL-SDR (2012) and the wideband-SDR-going-cheap moment

The single most consequential RF-tooling development in the volume’s window is the RTL-SDR repurposing of 2012. The story: Realtek’s RTL2832U was a mass-produced chipset for low-cost USB DVB-T (digital television) receivers, sold for around $20 retail through 2008–2011. In late 2010, Antti Palosaari discovered that the RTL2832U could be put into a mode where it streamed the raw I/Q samples from its tuner front-end over USB to the host, rather than performing the DVB-T demodulation in-chip; in March 2012, Eric Fry and the Osmocom project (the same group that maintained the GSM-modem-research tooling for the OpenBTS project) released rtl-sdr, a Linux driver and userspace library that turned the RTL2832U + R820T or R828D tuner combination into a usable wideband software-defined radio with approximately 24 MHz – 1.7 GHz tuning range and 3.2 MS/s of usable sample rate68.
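What “raw I/Q samples over USB” looks like on the host side, as an added example that is not code from the article or from the rtl-sdr project: the rtl_sdr command-line tool writes unsigned 8-bit samples, interleaved I then Q, with 127.5 as the zero level. The block below converts that byte layout into complex baseband samples and locates the strongest carrier with a naive DFT. The capture is synthesized in code (a single tone at a known offset from the tuner centre) and the sample rate is scaled down from the dongle’s 3.2 MS/s purely to keep the demonstration cheap; both are assumptions of the example.

```python
"""Decoding the rtl_sdr raw I/Q capture format and locating a carrier.

Added example, not code from the article or from the rtl-sdr project. Assumes
the on-disk layout rtl_sdr produces: unsigned 8-bit samples, interleaved I then
Q, zero level at 127.5. The capture is synthesized, not recorded from a dongle.
"""
import cmath
import math


def iq_bytes_to_complex(raw):
    """Convert interleaved uint8 I/Q bytes into complex samples in [-1, 1]."""
    if len(raw) % 2:
        raise ValueError("odd byte count: interleaved I/Q must come in pairs")
    return [complex((raw[i] - 127.5) / 127.5, (raw[i + 1] - 127.5) / 127.5)
            for i in range(0, len(raw), 2)]


def synth_capture(n, fs, tone_hz, amplitude=0.7, dc_offset=0.0):
    """Synthesize n samples of a complex tone tone_hz away from the tuner centre,
    encoded the way rtl_sdr would write them (constructed test input)."""
    out = bytearray()
    for k in range(n):
        s = amplitude * cmath.exp(2j * math.pi * tone_hz * k / fs)
        for v in (s.real + dc_offset, s.imag + dc_offset):
            v = max(-1.0, min(1.0, v))             # clip like a saturated ADC
            out.append(int(round(v * 127.5 + 127.5)))
    return bytes(out)


def power_spectrum(samples):
    """Naive O(n^2) DFT power spectrum; fine for a few hundred samples, not for
    a live 3.2 MS/s stream (use an FFT there)."""
    n = len(samples)
    spec = []
    for m in range(n):
        acc = sum(x * cmath.exp(-2j * math.pi * m * k / n)
                  for k, x in enumerate(samples))
        spec.append(abs(acc) ** 2 / n)
    return spec


def strongest_offset_hz(samples, fs):
    """Frequency offset of the strongest bin relative to the tuner centre, in Hz.
    Bins above n/2 are negative frequencies, as in any complex-baseband DFT."""
    spec = power_spectrum(samples)
    n = len(spec)
    peak = max(range(n), key=spec.__getitem__)
    if peak > n // 2:
        peak -= n
    return peak * fs / n


def demo():
    """Round-trip a synthetic -500 Hz tone through the byte format and back."""
    fs = 3200.0   # Hz; a real dongle runs 3.2e6 (scaled down, an assumption)
    n = 256       # 12.5 Hz bin width at this rate
    raw = synth_capture(n, fs, tone_hz=-500.0)
    return strongest_offset_hz(iq_bytes_to_complex(raw), fs)


if __name__ == "__main__":
    print(demo())   # → -500.0
```

Two things carry over to real captures: negative bins map to frequencies below the tuned centre, which is why the function folds bins above n/2, and most dongles show a spike at 0 Hz offset from the tuner’s own DC bias, so a centre-frequency peak should be checked before it is reported as a signal.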

A V3-revision RTL-SDR USB dongle (RTL2832U + R820T2 tuner, in this version with a metal enclosure and an SMA antenna connector). The RTL-SDR was the most consequential RF-tooling development of the 2010s: it took the previously-five-figure SDR hardware budget down to $20 retail, opened wideband-receive capability to the hobbyist and security-researcher community, and provided the technical platform that everything from ADS-B aircraft tracking to GSM IMSI sniffing to ham-radio digital-mode reception runs on. The TCXO-stabilized V3 variant pictured (the version most-cited as the de-facto-standard hardware in 2026) is a modest evolution over the original 2012 dongles. Photo: File:Rtl-sdr.jpg by Joeceads. License: CC BY-SA 4.0 (https://creativecommons.org/licenses/by-sa/4.0). Via Wikimedia Commons (https://commons.wikimedia.org/wiki/File%3ARtl-sdr.jpg).

Figure 4.6 — RTL-SDR V3 dongle. File:Rtl-sdr.jpg by Joeceads. License: CC BY-SA 4.0 (https://creativecommons.org/licenses/by-sa/4.0). Via Wikimedia Commons (https://commons.wikimedia.org/wiki/File%3ARtl-sdr.jpg).

The RTL-SDR’s significance is the same as Kali’s and the Rubber Ducky’s: a previously-expensive capability became a consumer-price-point catalog purchase. A 2010-era SDR setup required a USRP at $1,000–$5,000 or an Ettus B-series at similar prices; the RTL-SDR delivered a substantial fraction of the receive-only capability at 1% of the cost. The community that organized around the RTL-SDR — substantially built around the Osmocom project, the rtl-sdr.com blog (https://www.rtl-sdr.com, the de-facto news-and-tutorial hub since 2013), and the SDR# (SDRSharp) and GQRX user-interface projects — produced applications spanning every consumer and amateur-radio band: ADS-B aircraft tracking, AIS ship tracking, weather-satellite reception, ham-radio digital modes, FM/AM broadcast, NOAA weather radio, pager-message reception, and (controversially, in some jurisdictions) GSM IMSI sniffing. The RTL-SDR is, in 2026, the universal entry-level SDR; full engineering depth is in Vol 13 — RF I: SDR & sub-GHz and the RTL-SDR deep dive (link to CLAUDE.md placeholder until authored).

The corresponding transmit-capable platform is the HackRF One, designed by Michael Ossmann of Great Scott Gadgets and released in 2014 via Kickstarter funding69. HackRF is a half-duplex 1 MHz – 6 GHz SDR with 20 MS/s sample rate and integrated transmit capability; it brought transmit-capable wideband SDR to the $300 price point (vs. the USRP at ~$2,000+ for the equivalent capability at that time). HackRF is the canonical wideband-SDR-on-a-budget platform in 2026, with substantial community tooling (the PortaPack firmware projects, Mayhem firmware fork, GNU Radio Companion flowgraphs, the Universal Radio Hacker / URH GUI). Full engineering depth on HackRF is in [the HackRF One deep dive](../../HackRF One/03-outputs/HackRF_One_Complete.html); the Vol 1 cross-reference call-out is to that deep dive’s Vol 2 block-diagram treatment.

The Flipper Zero, released in 2020 by Pavel Zhovner and the Flipper team via Kickstarter, is a different category but the same democratization story — an integrated multi-radio handheld (sub-GHz CC1101 plus 125 kHz RFID plus 13.56 MHz NFC plus IR plus iButton plus BadUSB plus GPIO) at the $169 retail price point. The Flipper consolidated five or six separate single-function devices into one consumer-priced unit. Full engineering depth on the Flipper Zero is in [the Flipper Zero deep dive](../../Flipper Zero/03-outputs/Flipper_Zero_Complete.html).

The cumulative effect across Kali, Metasploit, the Hak5 line, the RTL-SDR / HackRF / Flipper progression, and the parallel developments in the Wi-Fi/BLE pentest-firmware space (ESP32 Marauder, Bruce, GhostESP — see [the ESP32 Marauder Firmware deep dive](../../ESP32 Marauder Firmware/03-outputs/ESP32_Marauder_Firmware_Complete.html)) is the capability compression this section’s introduction described. A 2026 high-school student with $500 of equipment and a working internet connection can replicate the operational toolset of a 1995 commercial pentest firm. The non-tooling parts of the craft (experience, judgment, scope-and-authorization discipline, report-writing) have not compressed — they require apprenticeship, mentorship, and time. But the tooling-side barrier-to-entry has collapsed, and the consequences for both the offensive and defensive sides of the field are substantial.

The forward-reference to Vol 16 — Computer-hacking tradecraft covers the implant family in the depth this section’s overview can’t; the per-device walkthroughs in the Ducky Script deep dive carry the device-specific detail. The RF side cross-references into Vols 13–15 of this series and into the per-tool deep dives in the same way.


8. The conference and CTF circuit — how the field trains and credentials socially

The institutional venues at which the modern security field organizes itself — at which practitioners meet, recruit, evaluate each other, exchange technique, and credential socially — are the conference circuit and the CTF circuit. Both have their roots in the late-1990s era covered in Vol 3 (DEF CON 1 in 1993; the first DEF CON CTF in 1996; Black Hat Briefings in 1997). Both have expanded by approximately two orders of magnitude in the volume’s window — DEF CON has gone from ~100 attendees in 1993 to over 30,000 by 202370; the CTF circuit has gone from “DEF CON CTF” as a single annual event to several hundred CTF events per year listed on CTFtime.org.

8.1 The conference ecosystem

DEF CON’s growth through the volume’s window is the cleanest single trajectory. From the ~100-person Las Vegas gathering at DEF CON 1 (June 9–11, 1993; the Sands Hotel — Vol 3 §9.3), DEF CON ran through approximately 1,000 attendees by DEF CON 5 (1997), 5,000 by DEF CON 10 (2002), 10,000 by DEF CON 15 (2007), 20,000 by DEF CON 20 (2012), and was at or above 30,000 from DEF CON 27 (2019) onward. The 2020 pandemic year was virtual (DEF CON Safe Mode); the in-person event resumed in 2021 at substantially reduced attendance and recovered to ~30,000 by 2023. The Caesars Forum / Flamingo / Harrah’s complex (since 2022) is the current venue.

DEF CON’s organizational character has evolved as the size has grown. The single-track talk programming of the 1990s gave way to multi-track programming in the early 2000s; the village ecosystem (the loosely-affiliated topical sub-conferences within DEF CON — Lock Picking Village, Social Engineering Village, Car Hacking Village, ICS Village, Aerospace Village, Hardware Hacking Village, Recon Village, Bio Hacking Village, Voting Village, AI Village, Red Team Village, Quantum Village, and many more) emerged in the 2010s and is now the dominant organizational pattern. The village structure is, in retrospect, the right architectural answer to a 30,000-person conference — you cannot organize a single conference at that scale, but you can host fifteen specialist mini-conferences under one umbrella.

Black Hat Briefings, founded by Jeff Moss in 1997 (Vol 3 §9.3), occupies the week before DEF CON in Las Vegas with a substantially more commercial / training / executive-briefing emphasis. Black Hat USA in 2026 is approximately 20,000–25,000 attendees. The Asia (Singapore, since 2014), Europe (London, since 2010), and Middle East-and-Africa (Riyadh, since 2023) regional editions extend the brand internationally. Black Hat sold to CMP Media in 2005, then UBM, now Informa; the talk-content review is run by an independent Review Board of senior practitioners (the same names who have, on average, multi-decade affiliations across the L0pht / @stake / Foundstone / Bishop Fox / Trail of Bits / Mandiant trajectory).

The BSides family of regional conferences started in 2009 with BSides Las Vegas, founded by Mike Dahn, Jack Daniel, Chris Nickerson, and others as the “Security B-Sides” — explicitly a free, community-organized, talks-rejected-from-other-conferences-welcome venue, named after the B-side of a 45 rpm record (the less-commercial track). BSides Las Vegas runs in parallel with Black Hat / DEF CON week and is, by 2026, the third leg of the “Hacker Summer Camp” Las Vegas-week tradition. The BSides format has been replicated across approximately 100+ cities globally; the BSides events are independently organized but share a loose brand-and-CFP-coordination through the Security BSides nonprofit. BSides San Francisco runs the week before RSA Conference; BSides Berlin, BSides London, BSides Singapore, BSides Tampa, BSides Manchester, and many others run at various points through the year. BSides is the most consequential regional / volunteer-organized / community-rooted conference layer in the field in 2026.

Other named conferences in the modern field: Shmoocon (DC, since 2005 — Bruce Potter et al.; community-organized; consistently fills its 2,000-seat cap), ToorCon (San Diego, since 1999), Hackers on Planet Earth (HOPE) (NYC, run by 2600 magazine since 1994; biannual), Source Boston (since 2008), CCC Congress (Chaos Communication Congress) (Hamburg, since 1984 — but extensively rebooted in the 2010s; ~17,000 attendees pre-pandemic), Hack.lu (Luxembourg, since 2005), NULLCON (Goa / Bangalore / Berlin, since 2010), Ekoparty (Buenos Aires, since 2001), NorthSec (Montreal, since 2013), OFFENSIVECON (Berlin, since 2018 — pure exploit-development focus), POC (Power of Community, Seoul, since 2006), Hack In The Box (Kuala Lumpur / Amsterdam / Dubai, since 2003). The conference circuit is, in aggregate, the load-bearing social infrastructure of the field — a working practitioner attends 3–8 conferences per year across the various scales, builds professional relationships across them, and refreshes technique through the talks.

8.2 The CTF circuit and CTF as pedagogy

The other half of the social-credentialing-and-training infrastructure is the Capture The Flag (CTF) circuit. CTFs are competitions where participants (individually or in teams of 4–10) solve security challenges across categories — typically web, binary exploitation, reverse engineering, cryptography, forensics, and “misc” — within a time-bounded event (most commonly 24–48 hours, though some run for a week). Each solved challenge produces a “flag” string that’s submitted for points; the team with the most points wins. The format has been remarkably stable since the late 1990s.

DEF CON CTF is the oldest continuously-running CTF and is, by reputation, the championship event of the calendar. It launched at DEF CON 4 in 1996, organized by Myles Connick; subsequently organized by Caezar (Sean Henneberger) and ddtek through the 2000s; by Legitimate Business Syndicate (LBS) from 2013 to 2017; by the Order of the Overflow (OOO) from 2018 to 2022; and by Nautilus Institute from 2023 onward. The event runs over three days at DEF CON, qualifies its ~12–16 finalist teams through a separate qualifier round each spring, and is the most-watched single CTF of the year. Teams that have reached DEF CON CTF Finals include Plaid Parliament of Pwning (PPP, Carnegie Mellon-affiliated), DEFKOR (Korea-based), Tea Deliverers (China-based), Samurai (Japan-affiliated), Shellphish (UC Santa Barbara-affiliated), HITCON CTF Team (Taiwan), and many others.

The CTFtime.org project (founded 2011 by Igor Bulatenko) aggregates CTF events across the calendar, tracks team rankings via a weighted-by-difficulty point system, and is the canonical reference for “what CTFs are running this weekend” and “how good is this team really.” CTFtime in 2026 lists several hundred CTFs per year (some online-only, some on-site at conferences) and tracks several thousand active teams globally.

picoCTF is the canonical educational-entry CTF. Founded in 2013 by Carnegie Mellon University’s CyLab71, picoCTF is an annual two-week CTF targeted at middle-school and high-school students with progressively-harder challenges across the standard categories. Approximately 18,000 students participated in picoCTF 2013; by picoCTF 2024 the number was over 100,000 globally. The picoCTF year-round practice archive (https://play.picoctf.org) is, in 2026, the most-used single learning resource for green-hat-on-ramp CTF practice; substantial fractions of the modern entry-level pentest workforce trace their first exposure to the field to picoCTF or a similar event.

CCDC — the Collegiate Cyber Defense Competition — is the dominant blue-team-focused CTF in the US college market72. Founded in 2005 at the University of Texas San Antonio, CCDC runs regional qualifying competitions (around ten regions) feeding into a national finals each spring. The format is different from offensive CTFs: each student team operates a (vulnerable) production network for two days, responding to attacks from a professional red team while continuing to service simulated business operations (changing user passwords, configuring DNS, running web applications) under a graded score. CCDC’s descendants include CyberPatriot (the high-school analog, run by the Air Force Association since 2009) and the NCL — National Cyber League (an intercollegiate skills league, since 2011). The “build-and-defend” format that CCDC pioneered is the dominant pattern for blue-team-focused CTF.

Other named CTF series: Google CTF (annual since 2017; high-difficulty individual format), Hack The Box (https://www.hackthebox.com; a persistent CTF-style platform with thousands of challenges and a substantial freemium business model; founded 2017), TryHackMe (similar; founded 2018; more pedagogical / beginner-friendly), HackTheBox Pro Labs (longer-form red-team scenarios), CTFd (the open-source CTF-platform framework most CTFs are run on), PicoGym (year-round picoCTF practice). The CTF-platform-and-content market in 2026 is substantial enough that “CTF” is a recognizable software category.

The pedagogical function of CTFs is that they produce calibrated practice at the actual skills the pentest profession uses. Reading academic security textbooks does not teach a candidate to break things; running CTFs does. The major employers in 2026 (Google, Microsoft, Apple, Amazon, the consultancies, the federal-government contractors) all evaluate candidate CTF performance as a hiring signal, in some cases formally (with CTF as a phase of the interview process) and in nearly all cases informally (with CTF reputation as a tiebreaker). The social-credentialing function of CTFs is that the CTF reputation is portable: a candidate who has placed at DEF CON CTF finals or who runs a respected team on CTFtime carries that credential into any job application across the field. The CTF circuit is, in this sense, the social-credentialing layer that the formal-credential layer (OSCP and its successors) doesn’t reach.

8.3 The pipeline from conference-and-CTF to working profession

The career pipeline this section describes is the dominant pipeline into the modern field. The pattern: a candidate gets first exposure through a picoCTF event in high school or early college; participates in a college CTF team (or a self-organized team if not in a CS program); develops technique through CTF practice on Hack The Box / TryHackMe; attends a regional BSides or Shmoocon to get exposure to the conference circuit; targets the OSCP exam (or equivalent practical) as the first formal credential; gets first job through some combination of CTF reputation, internship-via-conference-networking, and the formal credential. The pipeline produces a working pentester with two-to-five years of total elapsed time from first exposure to first paid engagement.

The pipeline is not the only way into the field. Many senior practitioners came up through different routes — through systems administration (the classical “I was the sysadmin and started looking at how things break” route, which dominated the 1990s), through software engineering (writing buggy code makes you better at finding it), through law enforcement (the FBI’s cyber division, the Secret Service’s electronic-crime task forces), through the military (US Cyber Command, NSA’s training pipelines, equivalent in other countries). The CTF-and-conference pipeline coexists with these older routes; in 2026 it is the most prominent on-ramp specifically for the offensive-research-and-pentest segment, but the blue-side / DFIR / detection-engineering segment continues to draw substantially from sysadmin and software-engineering backgrounds.


9. Where the hats stand today

The hat taxonomy that Vol 5 will trace archaeologically gets a quick disposition here — a mapping table of where each colour sits in the modern institutional landscape, with each entry’s full engineering treatment carried in its own dedicated volume.

| Hat | Modern home | Typical career path | Cert credentials | Where this series covers it |
|---|---|---|---|---|
| White | Pentest consultancy + in-house security teams + bug-bounty hunting full-time | CS degree or sysadmin → CTF → OSCP → consultancy → in-house or back to consultancy | OSCP (entry), GPEN/GXPN, OSCE/OSEP/OSEE (advanced), CISSP (managerial) | Vol 6 (the day-to-day), Vol 18 (career arc) |
| Black | Criminal economy (§6): RaaS operators, IABs, infostealer crews, BEC crews, carders, state-tolerated criminal groups in non-extradition jurisdictions | Various — substantial fraction enter via online forums and informal mentorship; substantial fraction adjacent to or alongside legitimate work | None (formal); reputation accrues via forum identity | Vol 7 (full criminal-economy treatment); Vol 19 (legal line) |
| Grey | Independent researchers operating outside formal bug-bounty programs; some academic; some “vigilante” patching crews; some unaffiliated researchers who reject coordinated disclosure | Often comes out of long-running white-hat career with growing frustration at vendor disclosure friction | None (formal); credibility via public research record | Vol 8 (full grey-hat treatment) |
| Green | Entry-level: CTF circuit + Hack The Box / TryHackMe + home lab + first OSCP attempt | High school / college → picoCTF → CTF team → first cert → first job | Pre-OSCP; CTF reputation more relevant than any cert | Vol 9 (the on-ramp) |
| Blue | SOC / DFIR / threat hunting / detection engineering at enterprise security operations centers + MSSPs (managed security service providers) + MDR (managed detection and response) vendors + IR consultancies | CS degree or sysadmin → SOC tier-1 → tier-2 → senior analyst → detection engineering or IR consulting | GCIH, GCFA, GCFE, GREM, GCDA, CySA+, BTL1/2 | Vol 10 (the defender’s craft) |
| Red | Red-team operations — distinct from pentest; long-engagement, goal-oriented, multi-week-to-multi-month adversarial simulation against hardened environments; structured under MITRE ATT&CK + the Red Team Operations Attack Lifecycle | Senior pentester → red-team specialization → red-team lead → red-team architecture | OSEP, CRTP / CRTE, CRTO, OSED, OSEE | Vol 11 (red-team distinct from pentest) |
| Purple | The integration practice that emerged from red-blue feedback loops; in-house at large security organizations; the function that takes red-team findings and operationalizes them into detection content for the blue team | Senior practitioner with red OR blue background → purple-team role | None hat-specific; cross-cutting fluency in both sides | Vol 12 (the integration role) |

Table 4.6 — The seven hats in their 2026 institutional homes. The career paths are modal, not exclusive; many practitioners cross between hats over a career (the blue-to-purple-to-red trajectory is particularly common). The credential lists are the most-recognized in 2026; the credential market evolves and the exact set will shift over the next decade. The series-coverage column points to where each hat gets its full treatment.

The mapping in Table 4.6 is the steady-state taxonomy the modern field operates with. It is not the taxonomy a 1990s-era practitioner would recognize — the blue / red / purple distinctions are post-2000 institutional inventions, the green hat as an entry-level designation is post-2010, and the grey hat’s meaning has shifted (in the 1990s grey-hat usually meant a black-hat-with-day-job; in 2026 it usually means a vigilante-or-outside-program researcher). Vol 5 traces the archeology; Vols 6–12 treat each hat at full depth.


10. Cheatsheet updates

The one-liners destined for Vol 20’s cheatsheet, distilled from this volume:

Dates worth memorizing.

  • 1995 (Oct 10) — First bug bounty: Netscape’s Navigator 2.0 beta program.
  • 2003 (Oct) — Metasploit Framework released by HD Moore.
  • 2004 (Aug 2) — Mozilla Security Bug Bounty announced.
  • 2004 (Oct) — Foundstone acquired by McAfee ($86 M); @stake acquired by Symantec ($49 M).
  • 2005 — Zero Day Initiative (ZDI) founded by 3Com TippingPoint.
  • 2006 — OSCP exam launched by Offensive Security (Mati Aharoni + Devon Kearns).
  • 2006 (Oct) — IBM acquires ISS ($1.3 B).
  • 2008 — First Verizon DBIR published.
  • 2009 (Mar) — Charlie Miller “No More Free Bugs” at CanSecWest.
  • 2009 (Oct) — Rapid7 acquires Metasploit.
  • 2010 (Jan) — Google Chromium Vulnerability Reward Program launched.
  • 2010 (June 17) — Stuxnet first identified by Sergey Ulasen / VirusBlokAda.
  • 2010 — Hak5 USB Rubber Ducky released.
  • 2010 (Sept 30) — Symantec’s W32.Stuxnet Dossier v1.0 (Falliere, O Murchu, Chien); revised through v1.4 (Feb 2011).
  • 2011 (Jul 29) — Facebook Whitehat Program launched.
  • 2012 (Mar) — Osmocom releases rtl-sdr; $20 wideband SDR.
  • 2012 — HackerOne founded (Alex Rice, Merijn Terheggen, Michiel Prins, Jobert Abma); Bugcrowd founded (Casey Ellis).
  • 2013 (Feb 19) — Mandiant APT1 report identifies PLA Unit 61398.
  • 2013 (Mar 13) — Kali Linux 1.0 released; BackTrack succeeded.
  • 2013 (June 5-6) — First Snowden disclosures: Verizon order, then PRISM.
  • 2013 (Sept 5) — CryptoLocker first observed.
  • 2013 (Oct) — Synack founded (Jay Kaplan, Mark Kuhr).
  • 2014 — Operation Tovar takes down CryptoLocker / Gameover Zeus.
  • 2014 (May 19) — DoJ announces the indictment of five PLA officers (Unit 61398; indictment filed May 1).
  • 2014 (July 15) — Google Project Zero founded.
  • 2014 — HackRF One released by Michael Ossmann; $300 wideband SDR-TX.
  • 2015 (July) — Zerodium founded by Chaouki Bekrar (ex-VUPEN).
  • 2015 (June) — USA FREEDOM Act ends bulk Section 215 metadata collection.
  • 2017 (May 12) — WannaCry; ~$4 B+ global damage; Lazarus / DPRK.
  • 2017 (June 27) — NotPetya; ~$10 B+ global damage; GRU / Sandworm.
  • 2018 (Sept) — DoJ indicts Park Jin Hyok (Lazarus).
  • 2019 (Dec) — Apple Security Research Device program announced.
  • 2020 (Oct 1) — OFAC advisory: ransomware payments to sanctioned persons may violate US sanctions law.
  • 2020 (Oct 15) — DoJ indicts six GRU officers (Sandworm).
  • 2020 (Dec) — SolarWinds compromise discovered (APT29 / SVR).
  • 2021 (May 7) — Colonial Pipeline attacked by DarkSide affiliate; $4.4 M paid; FBI recovered ~$2.3 M.
  • 2021 (May 12) — Executive Order 14028 issued.
  • 2021 (Jul 2) — Kaseya VSA supply-chain attack by REvil.
  • 2021 (Nov) — NSO Group placed on US Commerce Entity List.
  • 2022 (May) — DoJ revises CFAA prosecutorial guidance: security-research safe harbor.
  • 2022 (Aug) — OFAC sanctions Tornado Cash.
  • 2024 (Feb 19) — Operation Cronos: UK NCA + FBI + Europol seize LockBit infrastructure.
  • 2024 (Jul 19) — A faulty CrowdStrike Falcon-sensor content update crashes roughly 8.5 million Windows hosts into boot loops worldwide.

Industry skeleton, one paragraph.

The 2026 industry has a recognizable shape: the pentest consultancy layer (Rapid7, Bishop Fox, NCC Group, Trail of Bits, Mandiant/Google, dozens of regionals) supplies external assessment-and-research capacity; the in-house security organizations at large enterprises (hundreds of people each at the biggest names) supply continuous defensive engineering; the bug-bounty platforms (HackerOne, Bugcrowd, Synack, YesWeHack, Intigriti) supply the structured-disclosure economic channel between researchers and vendors; the broker market (ZDI, Zerodium, NSO and the smaller firms) supplies the channel where state and high-budget customers buy what the bounties can’t reach; the conference circuit (DEF CON / Black Hat / BSides / regional) supplies the training-and-credentialing-and-recruiting layer; the CTF circuit (DEF CON CTF / picoCTF / Hack The Box / TryHackMe / CTFtime) supplies the on-ramp. The credential ladder runs OSCP → OSCE/OSEP → senior practical → CISSP for management. The federal-government layer (CISA / NSA Cybersecurity Collaboration Center / FBI Cyber Division / US Cyber Command) sits adjacent to the commercial industry with substantial personnel rotation across the boundary.

Threat picture, one paragraph.

State-actor activity dominates the high-value-target threat landscape: Chinese (PLA SSF descendant + MSS-aligned operators including APT1/41 lineage), Russian (GRU’s Sandworm; SVR’s APT29; FSB-tolerated criminal groups), Iranian (IRGC + MOIS-aligned operators), and DPRK (RGB-aligned Lazarus family with cryptocurrency-theft profile). The criminal economy is industrialized into the IAB→affiliate→operator→launderer pipeline, with RaaS storefronts (LockBit-and-successors, BlackCat-and-successors, the current ones in 2026 are different but the structure is stable) running affiliate programs and the cryptocurrency-laundering rails routing payment through mixers and chain-hopping into cooperative jurisdictions. The defender-side response runs through CISA’s collaborative-engagement model, FBI’s cryptocurrency-recovery capability (proved out on Colonial Pipeline and improved since), OFAC sanctions enforcement against laundering infrastructure, and the public-attribution-and-indictment pattern that Mandiant APT1 established in 2013.

Toolchain summary, one paragraph.

Kali Linux + Metasploit Framework + Burp Suite + Wireshark + Nmap is the software baseline of any modern pentest; the Hak5 implant family (Rubber Ducky, Bash Bunny, Key Croc, O.MG cable) and the WiFi Pineapple are the physical-implant baseline; the RTL-SDR + HackRF One + Flipper Zero progression is the RF baseline. A $500 hardware budget plus a Raspberry Pi or modest laptop running Kali covers the operational toolset; the residual gap with high-end commercial tooling (Cobalt Strike for red-team operations at $5,950+/year, the various ICS / mobile / cloud-specialty tools) is a budget question rather than a capability question. The capability compression across the volume’s window is the structural feature that defines the modern field as different from its 1990s ancestors.


11. Resources

The footnotes below cite every factual claim in this volume. The principal book-length sources for the era:

  • Zetter 2014 (n. 36): Countdown to Zero Day. The technical-and-political treatment of Stuxnet.
  • Sanger 2012 (n. 35): Confront and Conceal. The Olympic Games / Stuxnet attribution journalism.
  • Greenberg 2019 (n. 37): Sandworm. The Russian GRU cyber-physical operations through NotPetya.
  • Perlroth 2021 (n. 73): This Is How They Tell Me the World Ends. The 0-day market’s longest-form treatment.
  • Harris 2014 (n. 74): @War: The Rise of the Military-Internet Complex. The US-government cyber-operations side.
  • Krebs 2014 (n. 75): Spam Nation. The Russian criminal-spam-and-pharma ecosystem that prefigured the IAB / RaaS economy.
  • Greenwald 2014 (n. 76): No Place to Hide. The Snowden disclosure journalist’s account.
  • Stoll 1989 (n. 77): The Cuckoo’s Egg. The 1986–87 LBL intrusion case; the bridge from the Vol 3 §5 era to the modern incident-response craft.

Primary-document repositories: the Mandiant APT1 report (https://www.mandiant.com/sites/default/files/2021-09/mandiant-apt1-report.pdf); the Symantec W32.Stuxnet Dossier (Falliere et al. 2011; widely mirrored); the MITRE ATT&CK Groups page (https://attack.mitre.org/groups/); the CISA Known Exploited Vulnerabilities catalog (https://www.cisa.gov/known-exploited-vulnerabilities-catalog); the Verizon DBIR annual series (https://www.verizon.com/business/resources/reports/dbir/); the CFAA at 18 U.S.C. § 1030 (https://www.law.cornell.edu/uscode/text/18/1030); the DoJ May 2022 CFAA prosecutorial-guidance memo (https://www.justice.gov/opa/press-release/file/1507126/download); the Phrack archive (http://phrack.org/issues/); the OFAC sanctions list (https://sanctionssearch.ofac.treas.gov); the HackerOne and Bugcrowd public program directories.


This is Volume 4 of the Hacker Tradecraft series, and the close of the three-volume history cluster. Next: Vol 5 — the archeology of the hat metaphor itself — picks up the cultural-vocabulary thread that the history volumes have mostly left implicit. From Vol 5 onward the series turns from history to per-hat treatment (Vols 6–12), the RF and computer-hacking reference cluster (Vols 13–17), and the careers / legal / cheatsheet / glossary close (Vols 18–21).

Footnotes

  1. See Vol 5 — The “hat” metaphor: origin, migration into infosec culture, and how the taxonomy evolved for the archeological treatment of the hat vocabulary. The metaphor postdates most of the historical events traced through Vols 2–4; tracing it as its own object is a separate exercise.

  2. See Vol 18 — Careers in security for the full career-arc treatment, including the consultancy-vs-in-house decision, the credential ladder, salary ranges in 2026, and the offensive-vs-defensive specialization choices.

  3. U.S. Senate Committee on Governmental Affairs hearing, “Weak Computer Security in Government: Is the Public at Risk?” May 19, 1998. Already cited in Vol 3 §9.2 (Vol 3 footnote l0pht-testimony carries the seven-name testifier roster and the “take down the Internet in 30 minutes” BGP-vulnerability quote in full).

  4. @stake, Inc. was formed in January 2000 from the merger of the L0pht Heavy Industries collective with Cambridge Technology Partners’ security practice. The merger was structured as @stake acquiring L0pht’s assets and bringing the principals on as employees. The firm’s first office was in Cambridge, Massachusetts, near MIT, where most of the L0pht principals were based. See Joel Brenner, America the Vulnerable (Penguin Press, 2011), Chapter 4, for a contemporaneous account.

  5. McAfee announced the acquisition of Foundstone on October 1, 2004 for approximately $86 million in cash. The press release is preserved in McAfee’s investor-relations archive and was widely reported in the trade press (eWeek, ComputerWorld, NetworkWorld). Foundstone had been founded in 1999 by Stuart McClure and George Kurtz, both formerly Ernst & Young’s eSecurity practice.

  6. Symantec announced the acquisition of @stake on September 16, 2004 for approximately $49 million. The transaction closed in October 2004. @stake was absorbed into Symantec Global Services and rebranded as Symantec Information Security Services within 12-18 months; most of the senior @stake / L0pht principals left within that window.

  7. RSA Security acquired Cyota, an Israeli online-fraud-detection firm, for approximately $145 million in December 2005. The transaction was a precursor to EMC’s subsequent acquisition of RSA itself in September 2006 for $2.1 billion. Cyota’s anti-fraud / anti-phishing technology became RSA’s Adaptive Authentication and FraudAction product lines.

  8. IBM announced the acquisition of Internet Security Systems on August 23, 2006 for approximately $1.3 billion in cash. The transaction closed in October 2006. ISS was absorbed into IBM Global Services as the foundation of IBM’s Managed Security Services practice; the X-Force threat-intelligence team continued operating under IBM and is now (2026) IBM X-Force Threat Intelligence.

  9. Rapid7, Inc. IPO’d on the Nasdaq Global Select Market on July 17, 2015 under the ticker RPD. The IPO raised approximately $103 million at $16/share; the share price closed up substantially on first-day trading. Rapid7’s S-1 registration statement (2015) is the primary source for the firm’s financial history and includes the October 2009 Metasploit acquisition disclosure.

  10. Offensive Security, LLC was incorporated in 2007 in Delaware by Mati Aharoni and Devon Kearns. The company commercialized the BackTrack distribution work Aharoni and Kearns had been doing on a volunteer basis since 2006; the first commercial product was the Pentesting with BackTrack (PWB) training course, of which the OSCP exam was the final assessment. The current corporate name is “OffSec Services Limited,” following the 2023 rebrand from Offensive Security to OffSec. Acquired by Leeds Equity Partners in October 2024 (private-equity ownership; Ning Wang serves as CEO); Mati Aharoni remains listed as founder. The OSCP certification was rebranded OSCP+ on November 1, 2024 with a 3-year expiration (see Vol 18 §3.2 for the canonical OSCP+ treatment).

  11. The OSCP exam launched in 2006 as part of the original Pentesting with BackTrack (PWB) course, predating the formal incorporation of Offensive Security by approximately one year. The 24-hour practical-exam format was novel at the time; the closest prior credentials were the SANS GIAC certifications (multiple-choice format), the CEH (also multiple-choice), and the CISSP (multiple-choice). The OSCP’s hands-on practical format established the precedent that subsequent practical-exam credentials borrowed.

  12. The first Verizon Data Breach Investigations Report was published in June 2008 by the Verizon Business RISK Team, with Wade Baker and Alex Hutton among the principal authors. The report drew on more than 500 forensic engagements handled by Verizon’s investigative-response practice over the four years 2004–2007. The 2010 edition added the US Secret Service as a contributing organization; subsequent editions have grown the partner base to 90+ organizations across multiple countries. Counting 2008 as the first, the 2026 DBIR is the 19th annual edition.

  13. Bugtraq mailing list. Founded by Scott Chasin on the NetSpace server in November 1993 as a vendor-independent vulnerability-disclosure mailing list. Aleph One (Elias Levy) took over moderation in May 1996. The list moved to SecurityFocus when Aleph One founded that firm in 1999; SecurityFocus was acquired by Symantec in August 2002 for $75 million. Bugtraq was retired by Symantec on January 15, 2021, after a 28-year run. Archive at https://seclists.org/bugtraq/.

  14. Symantec announced the retirement of the Bugtraq mailing list in a January 15, 2021 statement. The list’s final post was on January 15, 2021; the archives were preserved at the Sec Lists mirror at https://seclists.org/.

  15. Culp, Scott. “It’s Time to End Information Anarchy.” Microsoft TechNet, October 16, 2001. The essay argued that researchers publishing vulnerability proof-of-concept code “lacked responsibility” and was widely criticized by the research community for its self-serving framing. Culp was at the time the manager of Microsoft’s Security Response Center; the essay’s reception was hostile enough that Microsoft subsequently distanced itself from the “information anarchy” framing while keeping the underlying coordinated-disclosure ask. Original URL no longer live; archives accessible via Internet Archive.

  16. The Coordinated Vulnerability Disclosure (CVD) model is documented in CERT/CC’s Guide to Coordinated Vulnerability Disclosure (Allen D. Householder, Garret Wassermann, Art Manion, Christopher King; Software Engineering Institute, August 2017; CMU/SEI-2017-SR-022). The guide is the canonical reference for the modern coordinated-disclosure process and is at https://insights.sei.cmu.edu/library/the-cert-guide-to-coordinated-vulnerability-disclosure/.

  17. Project Zero’s vulnerability-disclosure policy is documented at https://googleprojectzero.blogspot.com/p/vulnerability-disclosure-policy.html. The 90-day disclosure window has been Project Zero’s default since 2014, originally with a 14-day grace period if a patch was imminent; the 2021 revision kept the 90-day deadline and added a 30-day patch-adoption period before technical details are published. Project Zero has applied the policy uniformly, including to Google’s own products.

  18. Google Project Zero was announced July 15, 2014, on the Google Security Blog by Chris Evans. The original team included Tavis Ormandy, Ben Hawkes, George Hotz (briefly), Ian Beer, Matt Tait, and several others. The team’s mission was vulnerability research with public disclosure on a fixed timeline. Hawkes succeeded Evans as team lead; the team has continued inside Google’s security organization, working alongside the Threat Analysis Group on in-the-wild exploitation.

  19. Zero Day Initiative, founded 2005 by 3Com’s TippingPoint subsidiary. TippingPoint passed to HP when HP acquired 3Com in 2010 (approximately $2.7 billion for 3Com as a whole); HP sold TippingPoint to Trend Micro in a deal announced October 2015 (approximately $300 million). ZDI now operates as a Trend Micro program. The Pwn2Own contest, first held at CanSecWest 2007, is ZDI’s annual vulnerability-acquisition competition with cash prizes; the 2024 Vancouver edition paid out approximately $1.1 million across the contest categories.

  20. VUPEN at Pwn2Own 2012 demonstrated a Chrome sandbox escape and full system compromise, then refused to share the technical details with Google (despite ZDI’s normal practice of forwarding to the vendor) on the grounds that VUPEN’s customers — i.e., government agencies — had purchased exclusive access to the exploit. The incident was extensively reported in the trade press at the time and is a frequently-cited example of the broker-market vs. coordinated-disclosure tension.

  21. Zerodium’s published price list (https://zerodium.com/program.html) lists payouts for various vulnerability classes. The most-cited single line item is the $2.5 million payout for a full-chain Android remote-code-execution exploit with no user interaction (“FCP RCE/LPE Chain”); the iOS equivalent is at $2.0 million. The list has been periodically revised upward. Zerodium operates substantially in the open about its prices but not about its customer base.

  22. NSO Group’s Pegasus mobile-implant suite was first publicly documented in detail by Citizen Lab (University of Toronto Munk School) in August 2016, in their report on the targeting of UAE dissident Ahmed Mansoor. Subsequent Citizen Lab reports have documented Pegasus deployments against journalists, dissidents, and political opposition figures in Mexico, Saudi Arabia, UAE, Bahrain, Morocco, India, Israel, El Salvador, Spain, Thailand, and others. The “Pegasus Project” journalism consortium (Forbidden Stories + Amnesty International + multiple publishing partners) released a series of reports starting July 18, 2021, based on a leaked list of approximately 50,000 phone numbers reportedly selected as targets by NSO customers.

  23. NSO Group was added to the US Department of Commerce Bureau of Industry and Security Entity List on November 3, 2021. The Entity List addition restricts US persons from exporting items to NSO without a license; the rationale cited NSO’s role in supplying surveillance tools used to target journalists, activists, and government officials.

  24. Stevens, Tim, and Charles Reis. “The Vulnerability Marketplace.” Crime Science 8:7 (2019). Provides a survey-based estimate of the commercial vulnerability market at low billions of dollars per year. Nicole Perlroth’s This Is How They Tell Me the World Ends (Bloomsbury 2021; n. 73) provides the long-form journalism on the same market. Both sources agree the market is opaque enough that precise estimates carry substantial uncertainty.

  25. Miller, Charlie. “No More Free Bugs.” CanSecWest 2009, Vancouver, March 2009. The talk was given jointly with Alex Sotirov and Dino Dai Zovi; the slogan “No More Free Bugs” was applied collectively but is most commonly attributed to Miller. The slides are widely mirrored; one preserved copy is at https://hackerinmate.com/talks/no-more-free-bugs/.

  26. Schneier, Bruce. “The Vulnerabilities Market and the Future of Security.” Schneier on Security, June 1, 2012. https://www.schneier.com/blog/archives/2012/06/the_vulnerabili.html. Schneier’s analysis of the market structure and its second-order effects on the security ecosystem; widely cited.

  27. Sergey Ulasen of VirusBlokAda (a Belarusian antivirus firm) is credited with the first identification of Stuxnet as a novel malware family on June 17, 2010, after a customer in Iran reported recurring system reboots on Siemens-based industrial control systems. Ulasen contacted Microsoft and various antivirus vendors; Symantec, Kaspersky, and ESET subsequently produced the first substantive analyses. The discovery account is in Kim Zetter’s Countdown to Zero Day (n. 36), chapter 1.

  28. Falliere, Nicolas, Liam O Murchu, and Eric Chien. W32.Stuxnet Dossier. Symantec Security Response, Version 1.0 (September 2010), Version 1.1 (October 2010), Version 1.4 (February 2011). The Symantec dossier is the load-bearing engineering reference on Stuxnet’s behavior; the analysis was conducted by reverse-engineering captured Stuxnet samples and is documented in the dossier at the level of specific functions, registry keys, file paths, and PLC ladder-logic modifications. The dossier is widely mirrored; one preserved copy is at https://docs.broadcom.com/doc/security-response-w32-stuxnet-dossier-11-en.

  29. The target-specificity analysis is in Falliere et al. 2011 §§5.2-5.4. The S7-315-2 and S7-417 PLC targeting is documented; the Vacon NX (Finland) and Fararo Paya (Iran) variable-frequency drives are named; the operating-frequency band targeted (807 Hz–1210 Hz, with sabotage at 1410 Hz and 2 Hz) is the band used by gas centrifuges for uranium enrichment (specifically the Pakistani-derived P-1 centrifuges that Iran’s Natanz facility used). The cumulative target-specificity is what makes the attribution-to-Iran’s-Natanz-program essentially unambiguous from the malware analysis alone.

  30. Falliere et al. 2011 §6 describes the PLC payload mechanics. The injected ladder logic ran a sabotage cycle that lasted approximately 50 minutes every 27 days, varying the centrifuge speeds outside the normal operating envelope while reporting fake-normal telemetry to the Siemens STEP 7 engineering workstation (so the operators saw normal readings while the centrifuges were actually being destroyed). The fake-telemetry mechanism is documented in detail; it was the most engineering-sophisticated piece of the payload.
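  The engineering lesson of the fake-telemetry mechanism in note 30 is that a monitor which trusts only PLC-reported values cannot see a payload that rewrites those values; an independent measurement that does not pass through the PLC can. The block below is an added example written for this volume, not code from the Symantec dossier or any Stuxnet sample: it runs a constructed, minute-by-minute drive trace through two monitors, one that reads only the reported frequency and one that cross-checks it against an out-of-band measurement (for instance a clamp meter or vibration sensor wired to a separate historian). The 807–1210 Hz band and the 1410 Hz / 2 Hz setpoints come from note 29; the sampling interval, the 25 Hz sensor tolerance, the frozen-report model and all trace values are assumptions made for the example.

```python
"""Out-of-band telemetry cross-check (added example; not from the dossier).

Models the monitoring gap that a fake-telemetry PLC payload exploits:
the PLC replays a normal-looking frequency to the engineering workstation
while the drive actually runs far outside its operating band.
"""
from dataclasses import dataclass

NORMAL_BAND_HZ = (807.0, 1210.0)   # operating band named in note 29
SABOTAGE_SETPOINTS_HZ = (1410.0, 2.0)  # the two sabotage frequencies in note 29
TOLERANCE_HZ = 25.0                # ASSUMPTION: max honest disagreement between sensors


@dataclass(frozen=True)
class Sample:
    t_min: int          # minutes since start of trace (ASSUMPTION: 1-minute sampling)
    reported_hz: float  # value the PLC reports to the STEP 7 workstation
    measured_hz: float  # independent measurement that bypasses the PLC


def in_band(hz: float, band=NORMAL_BAND_HZ) -> bool:
    lo, hi = band
    return lo <= hz <= hi


def hmi_only_alerts(samples) -> list:
    """What a monitor that trusts only the PLC-reported value can see."""
    return [s.t_min for s in samples if not in_band(s.reported_hz)]


def cross_check_alerts(samples, tol: float = TOLERANCE_HZ) -> list:
    """Flag each sample whose independent measurement is out of band, or
    whose reported and measured values disagree by more than tol Hz."""
    alerts = []
    for s in samples:
        if not in_band(s.measured_hz):
            alerts.append((s.t_min, "out_of_band"))
        elif abs(s.reported_hz - s.measured_hz) > tol:
            alerts.append((s.t_min, "divergence"))
    return alerts


def alert_windows(alerts) -> list:
    """Collapse consecutive per-minute alerts of one kind into
    (start_min, end_min, kind) windows so the duration is visible."""
    windows = []
    for t, kind in alerts:
        if windows and windows[-1][2] == kind and windows[-1][1] == t - 1:
            windows[-1] = (windows[-1][0], t, kind)
        else:
            windows.append((t, t, kind))
    return windows


def constructed_trace() -> list:
    """CONSTRUCTED trace: 10 min honest, 15 min overspeed at 1410 Hz with the
    report frozen at the last honest value, 10 min honest, 50 min near-stop at
    2 Hz with the same frozen report, 5 min honest. Values are illustrative."""
    trace = []
    t = 0

    def run(minutes: int, reported: float, measured: float) -> None:
        nonlocal t
        for _ in range(minutes):
            trace.append(Sample(t, reported, measured))
            t += 1

    run(10, 1064.0, 1064.0)
    run(15, 1064.0, SABOTAGE_SETPOINTS_HZ[0])  # overspeed, report replays normal
    run(10, 1064.0, 1064.0)
    run(50, 1064.0, SABOTAGE_SETPOINTS_HZ[1])  # near-stop, report still normal
    run(5, 1064.0, 1064.0)
    return trace


if __name__ == "__main__":
    trace = constructed_trace()
    print("HMI-only alerts:", hmi_only_alerts(trace))   # sees nothing
    for start, end, kind in alert_windows(cross_check_alerts(trace)):
        print(f"{kind}: minutes {start}-{end} ({end - start + 1} min)")
```

The HMI-only monitor returns an empty list for the whole trace; the cross-check reports a 15-minute and a 50-minute out-of-band window. The design point is that the second sensor path must not share a trust boundary with the PLC, otherwise the same payload can replay both.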

  31. Albright, David, Paul Brannan, and Christina Walrond. Did Stuxnet Take Out 1,000 Centrifuges at the Natanz Enrichment Plant? Institute for Science and International Security (ISIS), December 22, 2010. The ISIS analysis, based on IAEA safeguards inspection data, estimated approximately 1,000 of approximately 8,700 centrifuges were destroyed or damaged during the 2009-2010 Stuxnet operation. The exact figure is the subject of subsequent debate; lower estimates (e.g., 200-300) appear in some accounts; higher estimates (up to 2,000) appear in others. The 1,000 figure is the most-cited.

  32. Stuxnet’s propagation methods are documented in Falliere et al. 2011 §§7-9. The malware spread via removable USB drives (Channel 1, LNK vulnerability), via network shares (Channel 2, Print Spooler), via WinCC database connections (using the hard-coded Siemens password), and via SMB / RPC / scheduled tasks for lateral movement. The “air gap was reached via USB” pattern is the dominant attribution narrative; the specific path into Natanz is not publicly documented but is widely assumed to have involved a contractor or supply-chain compromise.

  33. The Siemens WinCC hard-coded password (2WSXcder for user WinCCConnect) had been documented years before Stuxnet’s deployment; Siemens had warned customers not to change it because it was hard-coded into multiple Siemens software components. Stuxnet used this password to access the WinCC database. Siemens issued an advisory in July 2010 (SIMATIC PCS 7 / WinCC: Vulnerability handling) after Stuxnet’s discovery, and the password has since been removed.

  34. Sanger, David E. “Obama Order Sped Up Wave of Cyberattacks Against Iran.” The New York Times, June 1, 2012. The first major journalism asserting the US-and-Israel attribution of Stuxnet and naming “Operation Olympic Games” as the US codename. Sanger’s reporting was based on interviews with multiple unnamed administration sources. The article was published as Sanger’s book Confront and Conceal was reaching final-stage publication; the book extends the account at length.

  35. Sanger, David E. Confront and Conceal: Obama’s Secret Wars and Surprising Use of American Power. Crown, 2012. ISBN 978-0-307-71802-5. Chapters on Stuxnet / Olympic Games and on the broader Obama-era cyberwar policy.

  36. Zetter, Kim. Countdown to Zero Day: Stuxnet and the Launch of the World’s First Digital Weapon. Crown, 2014. ISBN 978-0-7704-3617-9. The longest-form journalism on Stuxnet’s technical-and-political life; written by Zetter (then at Wired) on the basis of Symantec/Kaspersky/ESET source interviews and extensive document review. The single most engineering-grade book-length treatment of Stuxnet.

  37. Greenberg, Andy. Sandworm: A New Era of Cyberwar and the Hunt for the Kremlin’s Most Dangerous Hackers. Doubleday, 2019. ISBN 978-0-385-54440-5. The full Russian GRU Sandworm operation arc through NotPetya. The most-cited single source on the cyber-physical operations against Ukrainian critical infrastructure.

  38. Mandiant. APT1: Exposing One of China’s Cyber Espionage Units. Mandiant Threat Intelligence, February 19, 2013. 76 pages. The publication is preserved at https://www.mandiant.com/sites/default/files/2021-09/mandiant-apt1-report.pdf. The report’s authors are not named individually on the cover; Kevin Mandia (Mandiant CEO) is the masthead. The report’s identification of PLA Unit 61398 and the specific Pudong building is widely accepted; the precise organizational chart of the 2nd Bureau / 3rd Department / General Staff Department was confirmed independently by subsequent published analyses.

  39. United States v. Wang Dong et al., indictment filed May 1, 2014, Western District of Pennsylvania, announced May 19, 2014. The indictment named five PLA officers (Wang Dong, Sun Kailiang, Wen Xinyu, Huang Zhenyu, Gu Chunhui) on 31 counts including computer fraud, economic espionage, theft of trade secrets, and identity theft. The DoJ press release and the indictment are at https://www.justice.gov/opa/pr/us-charges-five-chinese-military-hackers-cyber-espionage-against-us-corporations-and-labor.

  40. MITRE ATT&CK Groups page: https://attack.mitre.org/groups/. The canonical cross-reference between vendor-specific group names and the underlying threat actors. The Groups page enumerates 100+ named groups in 2026, each with cross-references to vendor naming conventions (Mandiant APT-N, CrowdStrike mascot, Microsoft Storm/Element, ESET, Kaspersky, etc.).

  41. Greenwald, Glenn. “NSA collecting phone records of millions of Verizon customers daily.” The Guardian, June 5, 2013. The first published story from the Snowden documents. Followed June 6, 2013 by Glenn Greenwald and Ewen MacAskill’s “NSA Prism program taps in to user data of Apple, Google and others” (The Guardian) and Barton Gellman and Laura Poitras’s “U.S., British intelligence mining data from nine U.S. Internet companies in broad secret program” (The Washington Post). Snowden’s identity was publicly disclosed June 9, 2013 in The Guardian video interview by Greenwald and Poitras.

  42. Netscape Communications Corp. announced the Netscape Bugs Bounty on October 10, 1995, offering $1,000 (cash + Netscape t-shirt) for valid security bugs in Navigator 2.0 beta. The program is the first commercially-run bug-bounty program in the public record. Netscape’s announcement is preserved in various Internet-history archives.

  43. Mozilla’s Security Bug Bounty Program was announced August 2, 2004 by Mike Shaver of the Mozilla Foundation. Initial funding was $5,000 each from Linspire and Mark Shuttleworth (totaling the $10,000 seed). Initial maximum payout was $500 per critical vulnerability; the maximum has been raised periodically since. Program details at https://www.mozilla.org/en-US/security/bug-bounty/.

  44. Google Chromium Vulnerability Reward Program announced January 28, 2010 on the Chromium Blog. Initial base payout was $500 per security bug. The program subsequently expanded to include all of Google (Google Vulnerability Reward Program), Android (Android Security Rewards, 2015), and various special-rate categories for full-chain exploits. The Android Security Rewards top tier reached $1 million in November 2019 for a full-chain remote exploit with persistence and no user interaction.

  45. Facebook Whitehat Program announced July 29, 2011. Initial minimum payout was $500 per valid report; no specified maximum. The program was managed by Alex Rice (then Facebook product-security lead) before he co-founded HackerOne in 2012.

  46. HackerOne, Inc. was founded in 2012 in San Francisco. The founders were Alex Rice (Facebook), Merijn Terheggen, Michiel Prins, and Jobert Abma. The Prins-and-Abma duo had previously run Hack-Net (a Dutch-language hacking-tutorial site) and had been doing freelance security research. The firm’s founding history is at https://www.hackerone.com/company/about-us and is consistent with the founding accounts in the trade press.

  47. Bugcrowd, Inc. was incorporated in 2011 and launched its product in 2012 in San Francisco. Founder Casey Ellis, an Australian engineer with a security-consulting background at NSC Group. The firm’s founding history is at https://www.bugcrowd.com/about/.

  48. Synack, Inc. was founded in 2013 in Redwood City, California by Jay Kaplan and Mark Kuhr, both former NSA. The firm’s “Synack Red Team” vetted-researcher model differentiates it from the open-registration HackerOne and Bugcrowd. Funding history at https://www.synack.com/about/.

  49. For Aaron Swartz: the case file is United States v. Swartz, indictment filed July 14, 2011, District of Massachusetts. The principal book-length treatment is Justin Peters, The Idealist: Aaron Swartz and the Rise of Free Culture on the Internet (Scribner, 2016, ISBN 978-1-4767-6772-1). The Aaron’s Law reform legislation was introduced by Representatives Zoe Lofgren and Darrell Issa in June 2013; it did not pass. Swartz died by suicide on January 11, 2013 during the pendency of the case.

  50. U.S. Department of Justice, “Department of Justice Announces New Policy for Charging Cases under the Computer Fraud and Abuse Act,” press release May 19, 2022. The policy memo is at https://www.justice.gov/opa/press-release/file/1507126/download. The memo’s directive to decline prosecution of “good faith security research” is the principal substantive change.

  51. Apple Security Research Device Program announced December 19, 2019 on the Apple Security Bounty page. First devices began shipping to participants in mid-2020. Program details at https://security.apple.com/research-device/. Acceptance is by application and screened; the participant pool is in the low hundreds.

  52. For the AIDS Trojan (PC Cyborg): the case is documented in Joseph Popp’s trial record (England, 1990) and in subsequent academic treatments. Popp distributed approximately 20,000 floppy disks at the December 1989 WHO AIDS conference; the trojan counted reboots, encrypted file names after the 90th boot, and demanded $189 or $378 be mailed to PO Box 87-17-44, Panama. Popp was arrested in early 1990, found unfit to stand trial on mental-health grounds, and released. He returned to evolutionary biology research and died in 2007.

  53. For CryptoLocker: the canonical engineering treatment is the FireEye-Fox-IT analysis published August 2014, “Operation Tovar: The Latest Attempt to Eliminate Key Botnets.” CryptoLocker was first observed September 5, 2013, distributed via the Gameover Zeus botnet operated by Evgeniy Bogachev (handle: Slavik). Operation Tovar (a multi-national takedown of Gameover Zeus, led by FBI and including UK NCA, Europol, and several others) ran May-June 2014; FBI subsequently indicted Bogachev (still at large, $3 million FBI reward as of 2026). Krebs at https://krebsonsecurity.com/2014/06/operation-tovar-targets-gameover-zeus-botnet-cryptolocker-scourge/ is the contemporaneous reporting source.

  54. Operation Tovar: multi-national law-enforcement action May-June 2014 targeting Gameover Zeus and CryptoLocker. FBI announcement at https://www.fbi.gov/news/press-releases/us-leads-multi-national-action-against-gameover-zeus-botnet-and-cryptolocker-ransomware-charges-botnet-administrator.

  55. For CryptoWall: the FBI’s June 2015 estimate was $325 million in extortion through CryptoWall variants since October 2013, across an estimated several hundred thousand infections. CryptoWall ran in multiple variants through approximately 2016 before being superseded by newer ransomware families.

  56. NotPetya was attributed to Russian GRU Unit 74455 (Sandworm) by the UK, US, and other Five Eyes governments in joint statements in February 2018; further detail was added in the October 2020 DoJ indictment of six GRU officers. The attribution is supported by malware-code linkage to other Sandworm operations (BlackEnergy 2015, Industroyer 2016) and by signals-intelligence evidence cited in unclassified versions of the DoJ indictment.

  57. WannaCry attribution: UK NCSC and US DHS jointly attributed WannaCry to DPRK Lazarus Group in December 2017. The September 2018 DoJ indictment of Park Jin Hyok (see note 58) named a specific RGB officer as a Lazarus operative responsible for WannaCry, the 2014 Sony Pictures attack, the 2016 Bangladesh Bank heist, and other Lazarus operations.

  58. United States v. Park Jin Hyok, criminal complaint filed June 8, 2018 (under seal); unsealed and publicly announced September 6, 2018, Central District of California. The indictment names Park as an RGB operative working under the cover of Chosun Expo Joint Venture; charges include wire fraud, computer fraud, and conspiracy in connection with Sony Pictures (2014), Bangladesh Bank (2016), and WannaCry (2017). At https://www.justice.gov/opa/press-release/file/1092091/download.

  59. United States v. Yuriy Sergeyevich Andrienko et al., indictment filed October 15, 2020, Western District of Pennsylvania. Names six GRU Unit 74455 officers in connection with NotPetya (2017), the 2018 Olympic Destroyer attack, the 2017 French elections interference, and the 2015-2016 Ukrainian power-grid attacks. At https://www.justice.gov/opa/press-release/file/1328521/download.

  60. For Colonial Pipeline: the FBI’s June 7, 2021 announcement of the $2.3 million recovery (FBI press release) and the May 13, 2021 Colonial Pipeline CEO testimony to Congress are the principal primary sources. The initial-access vector (a single compromised VPN account password exposed in an unrelated breach, with no MFA) was disclosed in Colonial’s own statements. The May 12, 2021 Executive Order 14028 followed; the TSA pipeline-security directives followed July 20, 2021. Press release at https://www.fbi.gov/contact-us/field-offices/sanfrancisco/news/press-releases/department-of-justice-seizes-23-million-in-cryptocurrency-paid-to-the-ransomware-extortionists-darkside.

  61. For Kaseya VSA: REvil exploited CVE-2021-30116 (a SQL injection in Kaseya VSA’s REST API leading to authentication bypass) starting July 2, 2021. The MSP-and-downstream-customer compromise count is variously estimated at 50-60 MSPs and 1,500-2,000 downstream customers. REvil demanded $70 million for a universal decryptor; Kaseya obtained the decryptor “from a trusted third party” on July 21, 2021 (publicly understood to be FBI-mediated). REvil’s infrastructure went offline July 13, 2021. See Kaseya’s July 22 press release.

  62. Operation Cronos: UK NCA, FBI, Europol, and 11-country task force; February 19, 2024 seizure of LockBit infrastructure. NCA press release at https://www.nationalcrimeagency.gov.uk/news/nca-and-international-partners-take-down-lockbit-cybercrime-gang. The seizure included LockBit’s Tor leak site (which was defaced with NCA branding), the affiliate panel, source code, decryption keys, and victim data. Free decryptor released through No More Ransom (https://www.nomoreransom.org/). Two Russian nationals (Mikhail Vasiliev and Ruslan Astamirov) were indicted in connection with LockBit operations.

  63. OFAC advisory October 1, 2020: “Advisory on Potential Sanctions Risks for Facilitating Ransomware Payments.” The advisory clarifies that ransomware payments to sanctioned individuals or entities are sanctions violations. Updated September 21, 2021 with stronger language. At https://ofac.treasury.gov/media/912981/download.

  64. Kali Linux 1.0 was released March 13, 2013, replacing BackTrack as the canonical pentest Linux distribution. Mati Aharoni and Devon Kearns (both of Offensive Security) led the development. Kali is based on Debian (BackTrack had been based on a Slackware-Ubuntu hybrid). Kali 2.0 was released August 11, 2015; the rolling-release transition was January 21, 2016 with Kali 2016.1.

  65. Metasploit Framework 1.0 was released October 2003 by HD Moore. Initial language was Perl; ported to Ruby with Metasploit 3.0 in 2007. Rapid7 acquired Metasploit on October 21, 2009; HD Moore became Rapid7’s Chief Security Officer until 2016. The Metasploit Framework remains open-source (BSD-style license); Metasploit Pro is the commercial product.

  66. Rapid7’s acquisition of Metasploit was announced October 21, 2009. Terms were not disclosed publicly. HD Moore joined Rapid7 as Chief Security Officer; the Metasploit Framework continued as open-source under Rapid7’s stewardship. Moore left Rapid7 in 2016 and subsequently founded Rumble (subsequently renamed runZero) for network-asset discovery.

  67. Hak5 USB Rubber Ducky first released 2010 by Darren Kitchen of Hak5. The device registered to the host as a USB HID keyboard and typed pre-programmed keystrokes at machine speed via the DuckyScript language. The hardware has evolved through multiple revisions (the current generation is the Mark III Plus, with Bluetooth and other capabilities); the language has evolved correspondingly (DuckyScript 3.0 is the current). See the Ducky Script deep dive in this hub for full hardware and language detail.

  68. The rtl-sdr project history: Antti Palosaari documented the RTL2832U I/Q mode in late 2010 / early 2011; Steve Markgraf adapted the chipset’s Linux driver to expose the I/Q mode through a userspace library in early 2012; Eric Fry packaged the result as rtl-sdr (release March 2012). The Osmocom (Open Source Mobile Communications) project, which had been doing GSM-related software since 2008, hosted the rtl-sdr project. The rtl-sdr.com blog (founded 2013 by an Australian engineer using the handle “rtlsdrblog”) is the de-facto news-and-tutorial hub. See https://osmocom.org/projects/rtl-sdr/wiki/Rtl-sdr.

  69. HackRF One released 2014 by Michael Ossmann via Kickstarter. Full hardware specifications and history at the HackRF One deep dive in this hub. The Kickstarter campaign launched October 2013 and successfully funded; production units began shipping in 2014. HackRF is an open-hardware project; PCB design, schematics, firmware, and software are all open-source.

  70. DEF CON attendance figures: DEF CON 1 (1993) ~100 attendees; DEF CON 5 (1997) ~1,000; DEF CON 10 (2002) ~5,000; DEF CON 15 (2007) ~10,000; DEF CON 20 (2012) ~20,000; DEF CON 27 (2019), DEF CON 30 (2022), and DEF CON 31 (2023) reportedly over 30,000. DEF CON 28 (2020) was virtual (“Safe Mode”) due to the pandemic. Figures are from Jeff Moss interviews and conference-official press releases; the conference does not formally publish attendance figures for some years.

  71. picoCTF founded 2013 by Carnegie Mellon University’s CyLab and Plaid Parliament of Pwning (PPP, CMU’s CTF team). David Brumley (PPP faculty advisor; subsequently founded ForAllSecure) and the CyLab team are credited as principal architects. picoCTF 2013 had approximately 18,000 student participants; picoCTF 2024 (the most recent before this writing) had over 100,000 globally. Year-round practice at https://play.picoctf.org.

  72. For CCDC: National CCDC has been organized by the Center for Infrastructure Assurance and Security at the University of Texas at San Antonio since 2005. Approximately 10 regional qualifying competitions feed the spring national finals. CCDC’s “build-and-defend” format (students operate a vulnerable production network against a professional red team while servicing simulated business operations) is the template for collegiate blue-team competitions globally. https://www.nationalccdc.org/.

  73. Perlroth, Nicole. This Is How They Tell Me the World Ends: The Cyberweapons Arms Race. Bloomsbury, 2021. ISBN 978-1-63557-606-0. The longest-form journalism on the 0-day market, written by Perlroth (then of The New York Times) on the basis of interviews with broker-market participants, researchers, and government officials. The book’s title is a quote from a researcher Perlroth interviewed about the asymmetry of the offensive-defensive balance.

  74. Harris, Shane. @War: The Rise of the Military-Internet Complex. Eamon Dolan / Houghton Mifflin Harcourt, 2014. ISBN 978-0-544-25179-3. The US-government side of the early cyber-operations era, with detailed treatment of the NSA / Cyber Command organization and the contractor ecosystem.

  75. Krebs, Brian. Spam Nation: The Inside Story of Organized Cybercrime — from Global Epidemic to Your Front Door. Sourcebooks, 2014. ISBN 978-1-4022-9561-4. The Russian-spam-and-pharma criminal economy of the 2000s and early 2010s, written by Krebs on the basis of years of investigative reporting at his blog Krebs on Security (https://krebsonsecurity.com). The book is the foundational long-form treatment of the criminal-business-model layer that the later RaaS economy built on.

  76. Greenwald, Glenn. No Place to Hide: Edward Snowden, the NSA, and the U.S. Surveillance State. Metropolitan Books / Henry Holt, 2014. ISBN 978-1-62779-073-4. Greenwald’s first-person account of the Snowden disclosure logistics and editorial process.

  77. Stoll, Clifford. The Cuckoo’s Egg: Tracking a Spy Through the Maze of Computer Espionage. Doubleday, 1989. ISBN 978-0-385-24946-1. Already cited in Vol 3 as the canonical popular account of 1986-87 era computer-intrusion forensics, the Lawrence Berkeley Laboratory case, and the Hess / Chaos Computer Club / KGB threads. Stoll’s book is the late-1980s bridge between the Vol 3 §5 era and the modern incident-response craft documented in this volume.