Part 7: Modern Threats and Operations
"A penetration test tells you what is vulnerable today. A red team engagement tells you whether your organization can survive a determined adversary tomorrow."
By this point in the book, your technical toolkit is deep. You can exploit systems, attack web applications, escalate privileges, pivot through networks, evade defenses, and test specialized domains from cloud to containers to AI. You have the skills to find vulnerabilities. Part 7 is about something broader: understanding how those skills operate within the larger security landscape, from the supply chains that underpin modern software to the full-spectrum red team operations that simulate advanced persistent threats.
This part also marks a shift in perspective. In earlier parts, we largely focused on individual techniques -- how to exploit a single vulnerability, how to escalate privileges on one system, how to test one application. Part 7 zooms out. Supply chain attacks exploit trust relationships across entire ecosystems. Red team operations simulate multi-week campaigns with the sophistication and patience of nation-state actors. Bug bounty hunting demands a unique combination of broad reconnaissance and deep technical skill, applied at scale across programs with varied scopes. And incident response asks the mirror-image question: given that an attacker used the techniques we have been teaching, how do you detect, contain, and investigate the compromise?
Understanding all four of these dimensions makes you not just a better hacker, but a better security professional. You will see the full lifecycle of security -- from the attacker's preparation through the defender's response -- and your perspective will be richer for it.
What You Will Learn
Chapter 34: Supply Chain Security examines what happens when the tools, libraries, and infrastructure you depend on become vectors of attack. The SolarWinds compromise, the Codecov breach, the Log4Shell vulnerability, the XZ Utils backdoor -- these incidents demonstrated that supply chain attacks can bypass every perimeter defense because they compromise the trusted software that sits inside the perimeter. You will learn the anatomy of software supply chain attacks, dependency confusion and typosquatting techniques that trick build systems into pulling malicious packages, CI/CD pipeline attacks that compromise software before it reaches production, code signing and integrity verification mechanisms and their limitations, third-party risk assessment methodologies, and emerging frameworks and artifacts such as SLSA and SBOMs that attempt to restore trust. In our ShopStack scenario, we demonstrate how a compromised npm dependency could give an attacker persistent access to every deployment of the application. Supply chain attacks are not just a threat to defend against -- they are a domain that offensive security professionals must understand in order to test for them effectively.
Chapter 35: Red Team Operations takes you from individual penetration testing to coordinated adversary simulation. Red teaming is not just "harder pentesting" -- it is a fundamentally different discipline with different objectives, different rules of engagement, and different success criteria. We cover the distinction between red teaming and penetration testing, red team planning and threat modeling, MITRE ATT&CK as an operational framework for adversary emulation, the design and execution of adversary simulation campaigns, physical security testing as a component of red team operations, and purple teaming -- the collaborative model where red and blue teams work together to improve detection and response. Against MedSecure, we design a complete red team campaign: initial access through a phishing campaign targeting the radiology department, lateral movement through the clinical network, privilege escalation to domain dominance, and simulated data exfiltration of patient records -- all while evading the security operations center and testing the incident response team's detection capabilities.
Chapter 36: Bug Bounty Hunting covers the freelance side of offensive security. Bug bounty programs have created a parallel ecosystem where independent researchers can legally test production systems for real organizations, get paid for their findings, and build reputations that open doors to full-time roles and consulting engagements. But bug bounty hunting is not just running automated scanners against a target -- it is a discipline that demands methodology, persistence, and the ability to find vulnerabilities that thousands of other hunters have missed. You will learn the bug bounty ecosystem and major platforms including HackerOne, Bugcrowd, and Intigriti, how to choose programs and read scope documents, a systematic methodology for bug bounty hunting, the art of writing effective bug reports that maximize acceptance and reward, advanced techniques used by experienced hunters, and strategies for building a sustainable bug bounty career. The ShopStack case study shows how to approach a typical web application bounty program, from initial reconnaissance through vulnerability discovery to report submission.
Chapter 37: Incident Response and Digital Forensics flips the script entirely. After spending the entire book learning to attack, this chapter asks: what does the defender see? How do they detect, contain, investigate, and recover from the attacks you have been performing? We cover incident response frameworks including NIST, SANS, and PICERL, digital forensics fundamentals and evidence handling, memory forensics with Volatility, disk and file system forensics, network forensics and log analysis, and malware analysis fundamentals. This is not a comprehensive incident response textbook -- that would require its own volume -- but it gives you enough understanding to know what artifacts your attacks leave behind, what investigators look for, and how the defensive side of the house operates. When we walk through the forensic investigation of the MedSecure red team engagement, you see your own attack chain from the other side, and the perspective is invaluable.
Key Themes
Trust is the ultimate attack surface. Supply chain attacks work because we trust our tools, our dependencies, our vendors, and our update mechanisms. Red team operations work because employees trust emails, badge readers, and internal systems. Understanding trust relationships -- where they exist, why they exist, and how they can be abused -- is the thread that connects every chapter in this part.
Operations require more than techniques. Running a red team campaign requires planning, coordination, communication, stealth, and judgment. Bug bounty hunting requires methodology, persistence, and report writing. Incident response requires process discipline and evidence handling. The technical skills from earlier parts are necessary but not sufficient for the operational demands of Part 7.
The attacker-defender feedback loop. Ethical hacking does not exist in a vacuum. Every vulnerability you find, every red team engagement you execute, every bug bounty report you submit feeds back into the defensive ecosystem. Chapter 37 makes this explicit by showing you the defender's perspective, but the feedback loop is present in every chapter. The point of everything we do is to make organizations more secure, and understanding the full lifecycle -- from attack to detection to response to remediation -- makes that mission more effective.
Realism demands breadth. Modern adversaries do not limit themselves to one technique or one domain. They combine social engineering with technical exploitation, leverage supply chain access for lateral movement, and adapt their approach based on the defenses they encounter. Parts 3 through 6 gave you the individual skills. Part 7 teaches you to combine them into operations that reflect how real adversaries actually behave.
How This Part Connects
Parts 3 through 6 built your technical skill set -- system exploitation, web attacks, post-exploitation, and specialized domain testing. Part 7 wraps those skills in operational context. The red team engagement against MedSecure draws on every preceding part: the reconnaissance from Part 2, the exploitation from Parts 3 and 4, the post-exploitation from Part 5, and the specialized domain attacks from Part 6. Supply chain attacks chain with the web application and cloud techniques you learned earlier. Bug bounty hunting applies your web and API testing skills in a different operational model.
Part 8 shifts from technical operations to professional practice: methodology standards, report writing, compliance frameworks, and career development. The operational skills from Part 7 are what you will be documenting in the reports from Part 8, justifying within the compliance frameworks, and building a career around. And Part 9's capstone projects will ask you to execute end-to-end engagements that combine the technical depth of Parts 3 through 6 with the operational maturity of Part 7 and the professional standards of Part 8.
The battlefield is wider than any single system. Let us see the full picture.