01
AI Voice-Cloned Phishing
AI-Assisted Phishing · TrustedSec
Cloned the client's CIO's voice and called their help desk. The agent ran zero identity verification and emailed network domain admin credentials to a non-client address. The engagement worked so well that I built the AI-assisted social engineering methodology and service offering for my employer at the time directly off the back of it. This is the kind of attack your help desk is going to start seeing — if it isn't already.
AI & Social Eng.
02
Email Security Bypass — Major North American Bank
Red Team Infrastructure · 2021–2022
Built phishing infrastructure that defeated the bank's enterprise email security sandbox and put live payloads in user inboxes without a single flag. The setup: CIS-hardened delivery hosts, segmented firewalling that kept the vendor's inspection traffic out, and Apache mod_rewrite rules that quietly routed the vendor's ASNs and crawlers to a benign decoy while real users got the payload. Most phishing engagements lose at the email gateway. This one didn't.
Infrastructure
03
Custom C2 Infrastructure — Major U.S. Financial Institution, Fortune's Top 20
Internal Red Team Build
Built and deployed the C2 infrastructure that anchored a successful red team engagement against the institution. Custom traffic profiles tuned to their expected egress, layered redirector chains, hardened back-end nodes. I was shadowing the engagement at the time, and the infrastructure I stood up is what carried the breach through. Internally celebrated as one of the more memorable wins of the year.
Red Team
04
Domain Compromise via SCCM — Enterprise Client
Internal Penetration Test · TrustedSec
Pulled NAA credentials out of the client's SCCM deployment — a gap they thought they'd closed in prior engagements. From the NAA creds, I got onto a server holding cached domain admin credential material, and from there to full domain compromise. The client was visibly surprised when I walked them through it. SCCM is one of those systems most defenders assume is locked down. Most aren't.
AD Exploitation
05
Inheritance to Domain Admin — Enterprise Client
Internal Penetration Test · TrustedSec
Found an obscure security group with way too many permissions, granted via inheritance every prior assessment had missed. Used a low-priv account to add a rogue user into Domain Admins. The detection workflow caught it and fired an alert — but the snowball was already rolling, and I had every existing DA's NT hash before they could finish triaging. The client recognized the work directly during the engagement. Detection isn't worth much if your response window is slower than the attacker's escalation path.
AD Exploitation
06
Help Desk Pretexting — Major North American Bank
Social Engineering Engagement
Called the help desk pretending to be a Director of Finance. Talked through their verification questions and got the agent to reset credentials for the impersonated user. That single phone call gave the engagement its initial foothold and unlocked everything that came after. The bank revised help-desk verification procedures across their entire IT support organization as a direct result.
Social Eng.
07
CISO Impersonation — Major Multinational Bank, Fortune 500
Social Engineering · TrustedSec
Cold-called the help desk impersonating the bank's CISO. No prior credential foothold — just enough OSINT to target the right identity and a pretext strong enough to carry the call. Worked through the stack of identity verification the agent put in front of me, got the CISO's credentials reset, and had them sent to an address I controlled. Logged in as the CISO from there. If your verification process can be defeated by a confident voice and the right OSINT, it's not a verification process.
Social Eng.
08
75%+ Phishing Compromise — Mid-Market Enterprise
Phishing Assessment · Optiv
Targeted phishing assessment against a defined user list. Caught more than three-quarters of them — well past where industry averages sit. The client's response was to politely ask that I not phish them again. I took that as the most honest review I'd received that year.
Phishing
09
Sock Puppet Methodology — Internal Capability
Red Team Tradecraft
Wrote the team's methodology for building and maintaining sock puppet identities at nation-state-level fidelity — backstopping, infrastructure hygiene, behavioral consistency, longevity, compartmentalization. My boss was impressed enough that he made every red team member start their own. The OSINT and social engineering work that followed was meaningfully better for it.
Methodology
Confidentiality: All work was performed under contract through prior employers — TrustedSec, BMO Harris, Optiv, JPMorgan Chase. Client names, dates, target systems, and identifying technical specifics are out. References available under NDA on request — reach out if you want to talk to someone who can vouch for the work directly.
What's not here: Routine assessments, defensive engagements, and the bulk of vulnerability work that didn't have a story attached. The ones above are the engagements I remember. Reach out if you want to talk about a similar one against your own environment.
Contact

Want this kind of work on your environment?

Tell me what you want tested — internal AD, your help desk, your AI product, your cloud posture. 15 minutes is enough to figure out if there's an engagement worth scoping.
