Security Playbooks Index

Purpose

This index is the root entry point for the security-playbooks branch of the cybersecurity atlas.

Use it to: - navigate reusable offensive and defensive workflows - connect concept notes to repeatable procedures - turn theory into testable checklists - create a personal operator manual for security work

Use Reference Registry — Playbooks as the source of truth for references in this branch. Return to Cybersecurity Index for root navigation across branches.

Before this branch: - Foundations (Phase 0). - Whatever concept branch the playbook operationalizes (named in each playbook's Related notes).

First playbooks

Access control and auth

1. exploit-idor
2. inspect-session-handling
3. break-jwt-validation

Server-side and proxy-aware

4. investigate-ssrf
5. reverse-proxy-misconfig-checklist
6. test-client-ip-spoofing
7. trace-metadata-endpoint-reachability

Input and file handling

8. exploit-sqli
9. test-path-traversal
10. test-cors-behavior
11. inspect-file-upload-surface

Recon and scan engineering

12. run-scan-pipeline — offense
13. detect-external-scan-pipeline — defender mirror of #12, paired note-by-note
14. Scan Anomaly Detection and Fingerprint Analysis

Identity and Active Directory

15. detect-kerberoasting-and-as-rep-roasting — defender mirror for the Kerberoasting / AS-REP Roasting offense pair
16. detect-dcsync-and-ntdsdit-access — defender mirror for the DCSync / ntds.dit extraction endgame attack

Why playbooks matter

Concept notes teach: - what a vulnerability is - why it matters - what mitigation should look like

Playbooks teach: - how to test for it - what sequence to follow - what artifacts to observe - how to validate impact - how to move from suspicion to evidence

Cross-links to concept branches

Networking

• reverse-proxies
• client-ip-trust
• metadata-endpoints
• packet-analysis
• http-messages

Web security

• broken-access-control
• session-management
• sql-injection
• ssrf
• request-smuggling
• cors-misconfiguration
• file-upload-abuse
• path-traversal

API security

• Broken Object Level Authorization
• JWT Attacks
• API Rate Limiting

Detection engineering

• Network Telemetry Sources and Visibility
• IDS/IPS and Behavioral Detection Pipelines
• Zeek, Suricata, and NetFlow Analysis
• EDR Network Observability and Process Correlation

Identity and Active Directory

• Identity and Active Directory — full branch (10 atomic notes covering BloodHound, roasting attacks, DCSync, PtH, ticket forgery, Tier 0 administration, and krbtgt recovery)

Playbook template

Each playbook should prefer: - goal - assumptions - prerequisites - recon steps - exploit / test steps - validation clues - mitigation - logging / detection - related notes - commands / payloads - gotchas

Suggested future playbooks

• enumerate-admin-interfaces
• map-public-attack-surface
• test-rate-limit-bypass
• inspect-cache-behavior
• test-auth-recovery-flow

References

• Foundational: OWASP WSTG — https://owasp.org/www-project-web-security-testing-guide/latest/
• Testing / Lab: PortSwigger Web Security Academy — https://portswigger.net/web-security