Writeups and Case Studies
Reading how real incidents unfolded — and how practitioners approached authorized testing — is one of the most efficient ways to build intuition for this field. The resources here include public incident analyses, technical blog posts, and educational writeups.
Landmark ICS and OT Incidents
- Dragos: Analyzing the Threat to Electric Grid Operations — Technical analysis of the malware used in the 2016 Ukraine power grid attack, alongside other notable OT/ICS attacks including, but not limited to, STUXNET, Dragonfly, BLACKENERGY 2, and CRASHOVERRIDE. One of the few publicly documented cases of malware designed specifically to disrupt industrial control systems.
- Mandiant: APT44 / SANDWORM Threat Actor Overview — Mandiant's reporting on the threat actor behind multiple destructive ICS attacks, including the Ukraine grid incidents. Useful for understanding how nation-state actors approach ICS targeting.
- Kim Zetter: The Untold Story of the World's Most Dangerous Malware (Wired) — Narrative account of NotPetya, which caused over $10 billion in damage and disrupted industrial operations globally. Essential context for understanding real-world attack consequences.
Red Team and Penetration Testing Writeups
- SpecterOps Blog — Research blog from the team behind BloodHound, Ghostwriter, and other red team tools. Posts frequently cover Active Directory attack techniques, detection engineering, and adversary simulation methodology.
- harmj0y (Will Schroeder) Blog — Technical deep-dives on Active Directory, Kerberos abuse, and Windows post-exploitation. Widely referenced in red team training programs.
- Daniel Miessler: USecD — Practitioner writing covering security fundamentals, OSINT methodology, and security career development. Consistently high quality and beginner-accessible.
Physical Security Writeups
- Recurity Labs: Physical Security Assessment — European security firm with published physical security assessments and research. Covers tailgating, badge cloning, and sensor bypass.
- DEF CON Physical Security Village Talk Archives — Recorded talks from the Physical Security Village at DEF CON. Covers lockpicking, badge cloning, RFID attacks, and social engineering in physical contexts.
Vulnerability Research and CVE Analyses
- Claroty Team82 Research — Detailed write-ups of ICS and IoT vulnerabilities discovered by Claroty researchers. Well-documented with CVE references and remediation guidance.
- Project Zero Blog — Google's zero-day research blog. Technical depth is high; posts on browser, OS, and hypervisor vulnerabilities provide good models for thorough vulnerability documentation.
- CERT/CC Vulnerability Notes — CERT Coordination Center's public vulnerability database. Includes ICS-relevant entries and coordinated disclosure documentation.
Educational Blog Series
- PortSwigger Web Security Academy — Free, structured curriculum covering web application vulnerabilities with accompanying hands-on labs. One of the best free resources for building web security fundamentals.
- HackTricks — Community-maintained reference for penetration testing techniques. Broad coverage including Windows, Linux, web, and network attack patterns in an authorized testing context.
- The Hacker Recipes — Structured guides for Active Directory, web application, and network attack techniques. Focused on authorized testing methodology.
- SANS Whitepapers — Archive of practitioner-written white papers covering ICS security, threat hunting, incident response, and security architecture. Free to access.