# Security Playbooks Index

## Purpose

This index is the root entry point for the security-playbooks branch of the cybersecurity vault. Use it to:

- navigate reusable offensive and defensive workflows
- connect concept notes to repeatable procedures
- turn theory into testable checklists
- build a personal operator manual for security work

Use Reference Registry — Playbooks as the source of truth for references in this branch. Return to Cybersecurity Index for root navigation across branches.

Before this branch:

- Foundations (Phase 0).
- Whatever concept branch the playbook operationalizes (named in each playbook's Related notes).

## First playbooks

### Access control and auth

1. exploit-idor
2. inspect-session-handling
3. break-jwt-validation

### Server-side and proxy-aware

4. investigate-ssrf
5. reverse-proxy-misconfig-checklist
6. test-client-ip-spoofing
7. trace-metadata-endpoint-reachability

### Input and file handling

8. exploit-sqli
9. test-path-traversal
10. test-cors-behavior
11. inspect-file-upload-surface

### Recon and scan engineering

12. run-scan-pipeline (offense)
13. detect-external-scan-pipeline (defender mirror of run-scan-pipeline, #12, paired note-by-note)
14. Scan Anomaly Detection and Fingerprint Analysis

### Identity and Active Directory

15. detect-kerberoasting-and-as-rep-roasting (defender mirror for the Kerberoasting / AS-REP Roasting offense pair)
16. detect-dcsync-and-ntdsdit-access (defender mirror for the DCSync / ntds.dit extraction endgame attack)

## Why playbooks matter

Concept notes teach:

- what a vulnerability is
- why it matters
- what mitigation should look like

Playbooks teach:

- how to test for it
- what sequence to follow
- what artifacts to observe
- how to validate impact
- how to move from suspicion to evidence

## Cross-links to concept branches

### Networking

- reverse-proxies
- client-ip-trust
- metadata-endpoints
- packet-analysis
- http-messages

### Web security

- broken-access-control
- session-management
- sql-injection
- ssrf
- request-smuggling
- cors-misconfiguration
- file-upload-abuse
- path-traversal

### API security

- Broken Object Level Authorization
- JWT Attacks
- API Rate Limiting

### Detection engineering

- Network Telemetry Sources and Visibility
- IDS/IPS and Behavioral Detection Pipelines
- Zeek, Suricata, and NetFlow Analysis
- EDR Network Observability and Process Correlation

### Identity and Active Directory

- Identity and Active Directory — full branch (10 atomic notes covering BloodHound, roasting attacks, DCSync, PtH, ticket forgery, Tier 0 administration, and krbtgt recovery)

## Playbook template

Each playbook should follow this section order, keeping the sections that apply:

- goal
- assumptions
- prerequisites
- recon steps
- exploit / test steps
- validation clues
- mitigation
- logging / detection
- related notes
- commands / payloads
- gotchas

## Suggested future playbooks

- enumerate-admin-interfaces
- map-public-attack-surface
- test-rate-limit-bypass
- inspect-cache-behavior
- test-auth-recovery-flow

## References

- Foundational: OWASP WSTG — https://owasp.org/www-project-web-security-testing-guide/latest/
- Testing / Lab: PortSwigger Web Security Academy — https://portswigger.net/web-security
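## Checking a note against the template

The playbook template above is only useful if notes actually follow it. The script below is an added example written for this index, not tooling that ships with the vault. It assumes each playbook is a Markdown note whose template sections appear as level-2 headings such as `## Goal` (the heading level and the section names are assumptions; adjust `HEADING_LEVEL` and `TEMPLATE_SECTIONS` to match your own notes). It reports sections that are missing and flags sections that appear out of the template order. The sample note at the bottom is constructed for the example.

```python
"""Lint a playbook note against the vault's section template.

Added example for the Security Playbooks Index; it is not tooling from the vault.
Assumptions: playbooks are Markdown notes, template sections are level-2 headings,
and heading wording may vary slightly ("Logging and detection" vs "Logging / detection").
"""
import re
from dataclasses import dataclass, field
from typing import List

HEADING_LEVEL = 2  # assumption: "## Goal", "## Assumptions", ...

# Section order from the "Playbook template" list on this page.
TEMPLATE_SECTIONS: List[str] = [
    "goal",
    "assumptions",
    "prerequisites",
    "recon steps",
    "exploit / test steps",
    "validation clues",
    "mitigation",
    "logging / detection",
    "related notes",
    "commands / payloads",
    "gotchas",
]

HEADING_RE = re.compile(r"^(#{1,6})\s+(.*?)\s*#*\s*$")


def normalise(title: str) -> str:
    """Lower-case a heading, treat the word 'and' as a separator, and collapse
    punctuation so 'Logging and detection' and 'logging / detection' compare equal."""
    title = re.sub(r"\band\b", "/", title.lower())
    return re.sub(r"[^a-z0-9]+", " ", title).strip()


def headings(note: str, level: int = HEADING_LEVEL) -> List[str]:
    """Return heading titles at the given level in document order, skipping
    fenced code blocks so '#' inside shell snippets is not mistaken for a heading."""
    found: List[str] = []
    in_fence = False
    for line in note.splitlines():
        if line.strip().startswith("```"):
            in_fence = not in_fence
            continue
        if in_fence:
            continue
        m = HEADING_RE.match(line)
        if m and len(m.group(1)) == level:
            found.append(m.group(2))
    return found


@dataclass
class LintResult:
    missing: List[str] = field(default_factory=list)   # template sections absent from the note
    in_order: bool = True                               # present sections follow template order
    extra: List[str] = field(default_factory=list)     # headings outside the template (allowed, but noted)


def lint_playbook(note: str) -> LintResult:
    """Compare the note's level-2 headings against TEMPLATE_SECTIONS."""
    present = [normalise(h) for h in headings(note)]
    wanted = [normalise(s) for s in TEMPLATE_SECTIONS]
    result = LintResult()
    result.missing = [s for s, w in zip(TEMPLATE_SECTIONS, wanted) if w not in present]
    # Order check: the template sections that are present must appear in template order.
    seen = [w for w in present if w in wanted]
    expected = [w for w in wanted if w in present]
    result.in_order = seen == expected
    result.extra = [h for h in headings(note) if normalise(h) not in wanted]
    return result


# Constructed sample note: "validation clues" is missing and "Mitigation"
# appears before "Exploit / test steps", so both checks should fire.
SAMPLE_NOTE = """# exploit-idor

## Goal
Confirm that object identifiers in requests are authorised server-side.

## Assumptions
Two test accounts with distinct resources.

## Prerequisites
Proxy configured, both sessions captured.

## Recon steps
Enumerate endpoints that take numeric or GUID identifiers.

## Mitigation
Enforce ownership checks on every object access.

## Exploit / test steps
Replay account A's request with account B's object id.

## Logging and detection
Alert on one session touching many distinct owners' objects.

## Related notes
broken-access-control

## Commands / payloads
Replay via the proxy's repeater with the victim id substituted.

## Gotchas
Some ids are opaque but still guessable.
"""

if __name__ == "__main__":
    r = lint_playbook(SAMPLE_NOTE)
    print("missing:", r.missing)        # ['validation clues']
    print("in order:", r.in_order)      # False
    print("extra headings:", r.extra)   # []
```

Run it over a whole vault by reading each `.md` file under the playbooks folder and printing the notes whose `missing` list is non-empty or whose `in_order` is false; the normalisation step keeps the check from nagging about harmless wording differences in headings.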