Visualizations

Interactive Pyramid of Pain by David Bianco. Click each layer to explore attacker evasion cost, defensive ROI, detection methods, and real-world ATT&CK-mapped examples from hash values up to TTPs.

Interactive 12-month APT campaign timeline showing how hash values, infrastructure, artifacts, and tools rotate constantly while TTPs remain unchanged. Click each layer to see the operational context behind each rotation frequency.

Interactive six-stage intelligence lifecycle. Step through direction, collection, processing, analysis, dissemination, and feedback at tactical, operational, and strategic cycle speeds, with real examples at each stage.

Interactive diagram of SaltStack's master-minion architecture. Explore the ZeroMQ pub-sub topology, event bus, pillar distribution, and how jobs flow from the Salt Master to managed nodes.

Step-by-step diagram of a SaltStack configuration management exercise. Traces state application from top.sls through pillar rendering to minion execution, showing each phase of a highstate run.

Visualizing the manual resolution of API addresses. Demonstrates how malware parses the Export Directory, walks the AddressOfNames, and retrieves function addresses without using GetProcAddress.

Interactive viewer for the Portable Executable (PE) file format structures. Explore the DOS Header, NT Headers, and Optional Header fields used by the Windows Loader.

Interactive simulation of a Direct Kernel Object Manipulation (DKOM) attack against Windows Protected Processes (PPL). Steps through loading a driver, locating the EPROCESS structure, and patching the protection bit.

Interactive visualization of command-and-control infrastructure topology. Toggle cloud redirectors and domain fronting to see how traffic is routed and disguised between implant and team server.

Interactive visualization of C2 beacon timing patterns and sleep obfuscation techniques. Compare how jitter affects beacon regularity and how sleep masks hide implants from memory scanners between check-ins.

Interactive flowchart of the Command and Control OODA loop. Steps through initial infection, C2 callback, command retrieval, and action on objectives, with detail on what happens inside each phase.

Interactive map of Windows process memory regions. Explore private, image-backed, and mapped memory regions, protection flags, and the anomalies that memory forensics tools hunt for when detecting injected code.

Interactive walkthrough of a BITSAdmin-based attack chain. Shows how the Windows BITS service is abused for payload delivery, persistence, and defense evasion using a signed Microsoft binary.

Interactive reference of Living Off the Land Binaries and Scripts categories. Browse built-in Windows tools abused for execution, persistence, lateral movement, and defense evasion, organized by ATT&CK tactic.

Interactive playground for exploring PowerShell obfuscation and execution techniques. Demonstrates common encoding and evasion patterns used in living-off-the-land attacks.

Interactive visualization of WMI-based lateral movement. Traces how an attacker uses WMI to execute commands on a remote host, the protocols involved, and the forensic artifacts left behind.

Interactive visualization of Windows thread synchronization primitives. Explore how mutexes, events, semaphores, and critical sections coordinate concurrent execution and where deadlocks can occur.

Interactive visualization of the Win32 message queue and event loop. Trace how window messages flow from hardware input through the OS queue to the application's WndProc callback.

Interactive diagram of Windows security privilege levels. Explore the boundaries between user mode, kernel mode, hypervisor, and firmware, and how each layer restricts access from below.

Interactive demonstration of a grammar-based log parser for credential stealer output. Shows how formal grammars extract structured data from stealer logs across different malware families.

Interactive visualization of Go runtime internals. Explore goroutine stacks, interface representations, slice and map headers, and how the garbage collector traces object graphs — essential context for reverse engineering Go binaries.

Interactive mapping of the Chomsky formal language hierarchy to security contexts. Explore how regular expressions, context-free grammars, and Turing-complete models apply to protocol analysis, malware detection, and parsing.

Interactive finite automaton simulator. Build and step through DFA and NFA state machines, trace input strings, and see how finite automata underpin regex engines and network protocol parsers.

Interactive Venn diagram of the Chomsky formal language hierarchy. Visualizes the containment relationships between regular, context-free, context-sensitive, and recursively enumerable languages with security-relevant examples at each level.

Interactive pushdown automaton simulator. Step through context-free grammar recognition using a stack-based machine, and see how PDAs recognize languages that finite automata cannot, such as balanced brackets and nested structures.

Interactive visualization showing how different detection layers work together to identify threats. Explore the architecture, data flow, and evasion techniques used in modern malware detection systems.

Interactive visualization of Windows virtual memory states, allocation patterns, and protection mechanisms. Essential for understanding memory-based malware techniques.

Interactive comparison of DNS-over-HTTPS and DNS-over-TLS. Visualizes how each protocol encrypts DNS queries, the trust models involved, and the security and privacy tradeoffs between them.

Interactive visualization of DNS tunneling for data exfiltration and C2. Shows how data is encoded into DNS queries and responses to bypass network controls that block direct connections.

Interactive demonstration of Internationalized Domain Name homograph attacks. Shows how visually identical Unicode characters are used to register deceptive domains and how browsers and DNS resolvers detect them.

Interactive step-by-step demonstration of how DNS queries are resolved from client to authoritative nameserver. Perfect for understanding network security analysis fundamentals.

Interactive demonstration of how sample size affects the reliability of benchmark measurements. See how the Law of Large Numbers applies to system performance testing.

Interactive visualization of Lagrange interpolation showing how polynomials pass through given points using basis polynomials and mathematical interpolation

Interactive visualization showing how API calls flow from user applications through system layers to the Windows kernel. Essential for understanding malware evasion techniques.

Interactive visualization of the Hill cipher encryption and decryption process using matrix operations