ADFS Security Hardening: Token Signing, Claim Rules, Golden SAML Defence (2026)

If your environment still runs Active Directory Federation Services (ADFS) — and most large enterprises that adopted federation between 2015 and 2020 still do — you are sitting on the single highest-value target in your identity stack. An attacker who extracts the ADFS token-signing certificate can mint SAML tokens for any user, including domain admins, with no further AD interaction and no Kerberos or NTLM tickets to detect. That class of attack is Golden SAML, and it’s exactly what hit SolarWinds-era victims in 2020. This is the practical ADFS security hardening guide for 2026: rotating signing certificates, auditing claim rules, enforcing Extranet Lockout, blocking the mimikatz / ADFSDump extraction path, and the migration path to Microsoft Entra ID for the eventual decommission. ...

May 24, 2026 · 20 min · 4216 words · CyberSecurity Elite Team

What Is a Honeypot in Cybersecurity? Types, Deployment, and Detection Use Cases (2026)

A honeypot is a security resource whose value lies entirely in being attacked. It looks like a legitimate target — a database, an admin account, a file share, a misconfigured cloud key — but in reality it has no legitimate users, no real data, and one job: when someone touches it, raise an alarm. The first interaction is the alarm, and that’s why honeypots routinely deliver detection in minutes for techniques that signature-based EDR misses entirely. This guide answers the question of what a computer honeypot is in 2026, walks through the practical taxonomy (low- vs high-interaction, production vs research), and shows the deployment patterns and SIEM integration that actually catch attackers rather than wasting blue-team time. ...

May 24, 2026 · 16 min · 3342 words · CyberSecurity Elite Team

Windows LAPS Implementation: Step-by-Step Enterprise Guide (2026)

If an attacker compromises a single endpoint in your environment and finds a reused local Administrator password, they own every other workstation that shares it. That single misconfiguration is how a phishing click on one helpdesk laptop becomes a 4,000-endpoint ransomware incident — and it’s exactly what Windows LAPS (Local Administrator Password Solution) was built to prevent. This is the complete step-by-step Windows LAPS implementation guide for enterprise environments in 2026: AD schema preparation, KDS root key generation, encrypted password storage, Group Policy reference, PowerShell administration, and the full DSRM password backup workflow for Domain Controllers. ...

May 20, 2026 · 23 min · 4805 words · CyberSecurity Elite Team

Windows 11 Enterprise Hardening Guide for 2026 (Complete Checklist)

A default-installed Windows 11 endpoint in 2026 has eight major attack surfaces enabled out of the box that should not be: NTLM authentication, LM/NTLMv1 fallback in many cases, unsigned-driver execution, LSASS access from non-protected processes, BitLocker without PIN, Office macros from internet sources, SmartScreen passable via mark-of-the-web bypass, and PowerShell without script-block logging. This Windows 11 enterprise hardening guide for 2026 is the consolidated 10-phase rollout that closes every one of those gaps — aligned with the CIS Microsoft Windows 11 Enterprise Benchmark, Microsoft’s Security Baselines, and the operational realities of running a multi-thousand-endpoint fleet under Intune, Group Policy, or both. ...

May 20, 2026 · 30 min · 6241 words · CyberSecurity Elite Team

Disable NTLM in Windows Safely: 2026 Step-by-Step Hardening Guide

NTLM has been on borrowed time for two decades, and Microsoft made it official: in late 2023 it formally announced that NTLM is deprecated, with Kerberos and the new Negotiate-based authentication taking over. Windows 11 24H2 and Windows Server 2025 ship with NTLMv1 fully removed, and Microsoft strongly recommends auditing and disabling NTLMv2 wherever Kerberos can take over. This guide walks through how to disable NTLM in Windows safely — auditing first, staging the rollout, and rolling back cleanly if something breaks. ...

May 19, 2026 · 17 min · 3544 words · CyberSecurity Elite Team

TJCTF 2026 Writeups: All 21 Challenges Solved

Platform: TJCTF 2026 (Thomas Jefferson CTF) · Difficulty: Easy → Hard · OS: Mixed: Linux, macOS ARM64, WebAssembly, Network captures · Tags: JWT crafting, SSRF via URL normalization, Zip Slip, RSA parity oracle, ECDSA timing/Minerva, invalid-curve attacks, Chebyshev matrix exponentiation, ReDoS as side channel, pickle exploitation, PCK parsing, polyglot files, RTP LSB steganography

TJCTF 2026 was the kind of multi-day event that rewards breadth — twenty-one challenges spread across web, reverse engineering, cryptography, forensics, and misc, with no single technique cracking more than two boxes. This writeup is the consolidated solve log: one paragraph of prompt + trick + solution per challenge, the actual flag, and the moments worth quoting verbatim. ...

May 17, 2026 · 14 min · 2881 words · CyberSecurity Elite Team

Midnight Sun 2026 riscal: RISC-V Binary With Flag in .rodata

Platform: Midnight Sun CTF 2026 Quals · Difficulty: Trivial · OS: RISC-V 64-bit Linux · Tags: strings(1), reading the rules

riscal is the kind of challenge that gets harder the more you respect the category label. “Reverse engineering” + “RISC-V” primes you to spin up a cross-disassembler, set up a qemu-user static binary, learn the RV64 calling convention, and start manually annotating decompilation. The intended solve is strings. ...

May 16, 2026 · 3 min · 438 words · CyberSecurity Elite Team

Midnight Sun 2026 empols: Auto-Solving 20 x86-64 ELFs with radare2

Platform: Midnight Sun CTF 2026 Quals · Difficulty: Hard · OS: Linux x86-64 · Tags: Templated binary RE, radare2 scripting, automated static analysis

empols is the kind of challenge that punishes you for trying to solve binaries by hand. The server hands you twenty fresh, randomly-generated x86-64 ELFs in one session and demands the validating input string for each — and you almost certainly cannot reverse-engineer twenty unique binaries fast enough to fit inside the session timeout. The intended path is to recognise that the binaries are generated from a small set of templates, then write a static-analysis engine that detects the template and extracts the answer from disassembly. ...

May 16, 2026 · 6 min · 1186 words · CyberSecurity Elite Team

THCON 2026 PNG3D: Hidden PNG Inside Two Emojis (weird_file.thc)

Platform: THCON 2026 (Toulouse Hacking Convention) · Difficulty: Medium · OS: Steganography · Tags: Frequency analysis, binary encoding, PNG carving, LSB steganography

PNG3D is the steganography challenge that rewards the simplest possible recon move — frequency analysis — and punishes anyone who tries fancy stego tools first. The challenge file is ~40 MB of UTF-8 text that looks like noise; the trick is to notice that two specific characters make up nearly all of it, in roughly equal numbers, and that’s a binary encoding screaming to be decoded. ...

May 16, 2026 · 5 min · 968 words · CyberSecurity Elite Team

THCON 2026 Rules: Flag Hidden on the CTF Platform's Own /info Page

Platform: THCON 2026 (Toulouse Hacking Convention) · Difficulty: Easy · OS: OSINT · Tags: Reading prompts literally, CTF platform recon

Most “find the hidden flag on a webpage” challenges teach you to look harder. This one teaches the opposite — that the most-obvious destination in the prompt is a decoy, and the answer is whatever a literal reading of the wording actually points at. The trick is recognising the misdirection before sinking thirty minutes into the wrong target. ...

May 16, 2026 · 3 min · 593 words · CyberSecurity Elite Team