Skip to content
View warpedatom's full-sized avatar

Block or report warpedatom

Block user

Prevent this user from interacting with your repositories and sending you notifications. Learn more about blocking users.

You must be logged in to block users.

Maximum 250 characters. Please don’t include any personal information such as legal names or email addresses. Markdown is supported. This note will only be visible to you.
Report abuse

Contact GitHub support about this user’s behavior. Learn more about reporting abuse.

Report abuse
warpedatom/README.md

Velkris banner

Velkris | Offensive Security & Adversary Simulation

Enterprise Penetration Testing • Active Directory Security • Adversary Emulation • Detection Validation

Red Team MITRE ATT&CK OffsetInspect LinkedIn

Intrā. Manē. Age.
Get in. Stay in. Act.


About

I am an offensive security practitioner focused on enterprise penetration testing, Active Directory attack paths, adversary simulation, and detection-informed tradecraft.

My work emphasizes controlled execution, repeatable methodology, evidence preservation, and clear technical reporting. Offensive security should do more than demonstrate that access is possible. It should identify meaningful attack paths, measure defensive visibility, and produce recommendations that materially reduce organizational risk.

My approach draws from the behaviors and operational patterns of mature criminal and state-sponsored adversaries while remaining bounded by authorization, defined objectives, and rules of engagement.

Focus Areas

  • Active Directory enumeration, exploitation, and privilege escalation
  • Kerberos abuse and identity-based attack paths
  • Credential access and lateral movement
  • MITRE ATT&CK-aligned adversary emulation
  • State-sponsored adversary tradecraft analysis
  • Offensive tooling and workflow automation
  • Windows telemetry and detection validation
  • Evidence collection and remediation-focused reporting

Operator Principles

Intrā. Manē. Age.
Gain access. Maintain operational influence. Accomplish the authorized objective.

Mission Before Technique

A vulnerability, shell, credential, or privileged account is not necessarily the objective. Techniques are selected according to the mission, the target environment, and the agreed rules of engagement.

The value of an operation is measured by whether it answers a meaningful security question—not by the number of tools executed or systems compromised.

Emulate Behaviors, Not Reputation

Adversary emulation should reproduce relevant behaviors, decision patterns, and attack sequences without attempting to imitate recklessness or cause uncontrolled impact.

State-sponsored and advanced adversaries are studied for their:

  • Operational sequencing
  • Identity and access tradecraft
  • Persistence strategies
  • Command-and-control patterns
  • Collection priorities
  • Defensive evasion techniques
  • Target selection and mission focus

The objective is to test whether the organization can recognize and interrupt those behaviors under controlled conditions.

Assume Visibility, Then Validate It

Operate under the assumption that defensive controls and telemetry exist.

For each meaningful action, determine:

  • Whether the behavior was prevented
  • Whether telemetry was generated
  • Whether an alert was created
  • Whether the alert contained sufficient context
  • Whether defenders could investigate and respond
  • Whether the activity could be correlated across systems

Absence of an alert is a finding. An alert without actionable context may also be a finding.

Preserve Optionality

Avoid unnecessary disruption, irreversible actions, and premature escalation.

A disciplined operator maintains multiple paths forward, minimizes avoidable exposure, and selects techniques proportionate to the objective. Access should be expanded deliberately rather than indiscriminately.

Evidence Over Assumption

Every material conclusion should be supported by reproducible evidence.

Evidence should establish:

  • What action was performed
  • When it occurred
  • Which system, identity, or control was involved
  • What access or impact was demonstrated
  • What telemetry or alerting resulted
  • How the attack path could be reproduced
  • What remediation would break or reduce the path

Access Is Not the Finish Line

Initial access demonstrates entry. Persistence demonstrates resilience. Objective completion demonstrates risk.

A complete operation evaluates whether an adversary could:

  1. Get in — establish an initial foothold
  2. Stay in — maintain access and continue operating
  3. Act — achieve the authorized operational objective

The ultimate outcome should be measurable security improvement.

Authorization Is Absolute

All activity must remain within the approved scope, rules of engagement, and legal authority.

Operational realism never overrides:

  • Safety
  • Scope boundaries
  • Data-handling requirements
  • Client constraints
  • Stop conditions
  • Professional judgment

Assessment Outcomes

A useful assessment should determine:

  • Which attack paths present meaningful business risk
  • Whether controls prevented, detected, or missed adversary behavior
  • What telemetry and alerts were generated
  • Whether alerts were timely and actionable
  • Whether identities, privileges, or trust relationships could be chained
  • Whether access could be maintained after initial compromise
  • Whether critical business objectives could be reached
  • Which changes would materially reduce the likelihood or impact of compromise

Featured Project

A self-contained PowerShell module for mapping byte offsets and detection boundaries back to precise source-code context across scripts, binaries, and embedded byte sequences.

Capabilities include:

  • Performing streaming hexadecimal and ASCII inspection without loading entire files into memory
  • Accurately mapping UTF-8 and UTF-16 byte offsets to characters and source lines
  • Identifying detection boundaries through AMSI and Microsoft Defender providers
  • Validating boundary stability through repeated scans and prefix-search analysis
  • Producing human-readable, PowerShell object, JSON, and CSV output
  • Providing deterministic cleanup and provider-aware error handling without bundled third-party binaries

Current Research

  • Active Directory compromise paths
  • Kerberos authentication and ticket abuse
  • Active Directory Certificate Services
  • ACL, delegation, and trust abuse
  • Cross-domain and cross-forest attack paths
  • Lateral movement and remote execution
  • Credential access and password auditing
  • State-sponsored adversary behaviors
  • MITRE ATT&CK technique mapping
  • Command-and-control architecture
  • PowerShell, Python, Bash, C#, and C
  • Windows telemetry and detection validation
  • Repeatable penetration testing methodology
  • Evidence-driven technical reporting

Technical Stack

Offensive Security

Kali LinuxWindows Active DirectoryBloodHoundNetExec ImpacketRubeusMimikatzResponder HashcatNmapNucleiHTTPXBurp Suite

Development and Automation

PowerShellPythonBashC#C GitGitHub Actionspipxvenv

Adversary Emulation and Detection

MITRE ATT&CKWindows Event LogsSysmonSigma
Telemetry AnalysisDetection ValidationThreat-Informed Testing

Documentation and Reporting

MarkdownObsidianEvidence Tracking
Attack-Path DocumentationReporting TemplatesRemediation Guidance


Certifications and Training

Certification / Training Status
CompTIA Security+ Completed
TCM Security PJPT Completed
TCM Security PNPT Completed
Altered Security CRTP Completed
Zero-Point Security CRTO In Progress

Current Development Path

Active Directory Security → Enterprise Penetration Testing → Red Team Operations → Threat-Informed Adversary Emulation → Detection-Aware Tradecraft → Advanced Tooling


Connect

LinkedIn  •  OffsetInspect  •  Email


Intrā. Manē. Age.

© 2026 Velkris | Authorized Offensive Security Research

All testing is performed under explicit authorization in approved professional, isolated, or lab-controlled environments for security research, professional development, and defensive improvement.

Pinned Loading

  1. OffsetInspect OffsetInspect Public

    PowerShell module for mapping byte offsets to source context and locating AMSI or Microsoft Defender detection boundaries in text and binary files.

    PowerShell 34 5