T-ALC · Engagement Methodology

The Total Adversarial
Lifecycle

A published methodology for full-spectrum adversarial assessment, remediation, and ongoing posture. Twelve phases, color-coded by category, sequenced by dependency rather than by convention. Click the wheel or expand any phase to read deeper — every level discloses more.

Barr Cyber LLC Kalispell, MT
// 00 — Premise

The T-ALC is the published methodology Barr Cyber operates from. It is a structural lifecycle: phases describe the work; tooling lives in a separate section because tools change and the lifecycle doesn't.

Phases are sequenced by dependency, not by ritual — a phase appears in its position because the prior phase's exit criteria are its entry conditions. Where vectors are parallel (network, physical, wireless, social all serve initial access), the page says so. The lifecycle is a wheel because the firm-client relationship is cyclical: phase 11 (Ongoing Posture) loops back to phase 00 (re-scoping) when the next engagement opens. A single engagement is a traversal of the wheel; the relationship is a return to it.

Engagements run in two modes that change what telemetry the operator can observe: open (the client's defenders know the engagement is happening and the operator can compare offensive activity against defender-side telemetry post-engagement) and blind (the defenders are not informed; the operator's record stands alone until the engagement closes). The methodology accommodates both; the difference matters most in phases 02, 07, and 08, where defender-side correlation is part of the value.

// 01 — The Wheel
12 PHASES
Scope & Closure
Reconnaissance
Initial Access
Post-Exploitation
Defender-Facing
// 02 — Phase Detail
Select a phase on the wheel to open its detail ▲
// 03 — Tooling Surface

Tooling lives in its own section because tools evolve, the lifecycle doesn't. Hardware platforms, software frameworks, and engagement-specific tooling are listed below by category. Configurations, chained tradecraft, and engagement-specific tool deployments are disclosed under NDA during scoping.

PLATFORM
Operating Systems & Base Distros
  • Kali Linux — primary offensive distribution
  • Fedora — operator workstation
  • ParrotOS — alternative offensive platform
  • Windows 10/11 — for AD-targeted tooling and native testing
  • BackTrack — legacy reference (predecessor to Kali, retained for historical artifact analysis)
Serves phases: all
OFFENSIVE
Reconnaissance & OSINT
  • Maltego — link analysis and relationship mapping
  • theHarvester — email, subdomain, and host harvesting
  • Recon-ng — modular OSINT framework
  • Amass / Sublist3r — subdomain enumeration
  • Shodan / Censys — internet-exposed device search
  • crt.sh — certificate transparency log search
  • HaveIBeenPwned — breach-data correlation
Serves phases: 01
OFFENSIVE
Active Enumeration & Scanning
  • Nmap — service discovery and version enumeration
  • Masscan — high-rate port scanning at scale
  • Nessus / OpenVAS — vulnerability scanning
  • Nikto — web server scanning
  • Gobuster / Feroxbuster — directory and content discovery
  • Burp Suite — web application proxy and testing
Serves phases: 02
OFFENSIVE
Network Exploitation
  • Metasploit Framework — exploitation and post-exploitation
  • sqlmap — automated SQL injection
  • Hydra / Medusa — network authentication brute force
  • CrackMapExec / NetExec — network execution across SMB/WinRM/MSSQL
  • Impacket — Python classes for network protocols (psexec, secretsdump, GetUserSPNs, etc.)
  • Responder — LLMNR/NBT-NS poisoning
Serves phases: 03 (network vector)
OFFENSIVE
Physical Engagement Hardware
  • Hak5 Bash Bunny — multi-vector USB attack platform
  • Hak5 USB Rubber Ducky — keystroke injection
  • Hak5 LAN Turtle — covert LAN access
  • Hak5 O.MG Cable — HID injection cable
  • Proxmark3 — RFID/NFC analysis and cloning
  • Flipper Zero — multi-protocol RF/NFC/IR multitool
  • Lock pick set, badge analysis kit, drop-device staging
Serves phases: 03 (physical vector). Engagement-specific scoping under counsel review.
OFFENSIVE
Wireless & RF
  • Hak5 Wi-Fi Pineapple Mk7 — Wi-Fi auditing, rogue-AP, evil-twin assessment
  • HackRF One — software-defined radio (1 MHz – 6 GHz)
  • Aircrack-ng suite — Wi-Fi capture, injection, and key recovery
  • Kismet — wireless network detection and sniffing
  • Ubertooth One — Bluetooth analysis
  • Flipper Zero — Sub-GHz, NFC, RFID, infrared
Serves phases: 03 (wireless vector). Requires written RF perimeter authorization.
OFFENSIVE
Social Engineering
  • Gophish — open-source phishing campaign framework
  • SET (Social Engineering Toolkit) — multi-vector social engineering
  • Evilginx2 — MITM phishing for session capture (incl. MFA bypass)
  • BeEF (Browser Exploitation Framework) — browser hooking and exploitation for post-click pivot
  • King Phisher — phishing campaign management
Serves phases: 03 (social vector). Requires explicit human-layer testing authorization in ROE.
OFFENSIVE
Post-Exploitation & C2
  • Sliver — open-source command-and-control framework
  • Metasploit Meterpreter — payload management
  • PowerShell Empire / Starkiller — PowerShell post-exploitation
  • Covenant — .NET C2 framework
  • Custom C2 infrastructure for engagement-specific blend posture
Serves phases: 04
OFFENSIVE
Credential Access & Identity
  • Mimikatz — Windows credential extraction (LSASS, tickets, hashes)
  • Rubeus — Kerberos ticket manipulation (Kerberoasting, AS-REP roasting, S4U)
  • BloodHound / SharpHound — Active Directory attack-path mapping
  • Hashcat / John the Ripper — offline password and hash cracking
  • secretsdump.py (Impacket) — NTDS.dit and SAM extraction
Serves phases: 05
OFFENSIVE
Lateral Movement & Pivoting
  • Impacket (psexec, smbexec, wmiexec, dcomexec)
  • CrackMapExec / NetExec — credential spraying and execution across hosts
  • Chisel / Ligolo-ng — pivot and tunneling
  • SOCKS proxy infrastructure for segmented-network traversal
  • Cloud-native lateral movement tooling (Pacu for AWS, ROADtools for Entra ID)
Serves phases: 06, 07
ANALYSIS
Reverse Engineering & Binary Analysis
  • Ghidra — NSA-developed reverse engineering suite
  • radare2 / Cutter — open-source RE framework
  • x64dbg — Windows debugger
  • Frida — dynamic instrumentation
  • IDA Free — disassembler (commercial Pro available as engagement scope warrants)
Serves phases: 02, 04, 08 (artifact analysis)
CLOSURE
Forensics & Evidence Preservation
  • Autopsy / The Sleuth Kit — disk forensics
  • Volatility — memory forensics
  • KAPE (Kroll Artifact Parser/Extractor) — triage collection
  • FTK Imager — disk imaging and preview
  • Wireshark — network capture analysis
  • Sysinternals Suite — Windows live forensics
  • ForensicGSuite — Barr Cyber's cloud-platform admin-export forensics module
Serves phases: 08, 09
DEFENSIVE
Endpoint Hardening & Defensive Tooling
  • BarrCyber_EndpointHardening — firm's own idempotent hardening module (PowerShell)
  • Microsoft Sysmon — endpoint telemetry instrumentation
  • Microsoft Defender for Endpoint — managed endpoint protection
  • CIS Benchmarks — hardening baselines
  • Omniscient — Barr Cyber's data-driven endpoint configuration platform
Serves phases: 10, 11
FRAMEWORK
Compliance & Reporting Frameworks
  • MITRE ATT&CK — adversarial behavior mapping
  • PCI DSS v4.0 — command-level evidence mapping
  • NIST CSF — capability and control mapping
  • ISO 27001 — control alignment for audit prep
  • CIS Controls — prioritized control set
Serves phases: 09
// 04 — Changelog
Document History

The methodology document is versioned because it changes. Each refinement is captured before the public page is updated.

— Added phase 00 (Scope & Authorization) as the explicit entry to the lifecycle. The legal-authorization layer was previously implicit; making it explicit aligns with the doctrine's "every boundary owned" principle.

— Renamed phase 03 to Initial Access, with network, physical, wireless, and social explicitly framed as parallel vectors within one phase rather than sequential steps.

— Consolidated foothold and persistence into phase 04. In adversarial reality the operator establishes durability immediately after access; the lifecycle now reflects that.

— Reordered so persistence precedes objective action (phases 04 then 07) — matching how adversaries actually operate.

— Separated tooling into its own surface that can evolve without disturbing the lifecycle.

— Multi-level progressive disclosure added so the reader controls depth.

— Fourth-level operator-grade prose expansions added to every detail card across all twelve phases. Each expansion holds the engagement's actual operating discipline at the depth a technical peer or hostile examiner would require: ground specificity in place of rhetorical phrasing, named mechanisms in place of category labels, structural framing in place of enumeration. The expansions commit the firm publicly to the practices it operates by — anti-lock-in artifact licensing, retraction discipline on findings, manual verification against automated output, contemporaneous chain-of-custody, per-vector authorization, harm-avoidance in objective demonstration.

Refinements following external adversarial peer review (June 2026). Three substantive gaps closed: multi-vector de-confliction added to Phase 03 dependencies, specifying the engagement command channel, contingency rules, and break-glass coordination required for simultaneous multi-vector engagements; instrumented logging specified in Phase 04 implant placement, resolving the operator-agility-vs-compliance-completeness conflict by making artifact logging tooling-driven rather than hand-typed during operations; blind-mode break-glass protocol added to Phase 04 dependencies, naming the Phase 00 escalation contact as the explicit disambiguation channel when foothold loss cannot be distinguished from defender interdiction and instituting the no-push-against-ambiguity rule. Phase 02 service-discovery language refined to make the automated-triage-then-manual-verification workflow explicit. Retractions accepted on the methodology document are themselves part of the methodology — the document applies the same evidentiary discipline to itself that it applies to engagement findings.

v0.1 and v0.2 of the T-ALC existed internally during initial firm formation and are retained in the firm's engineering record. v0.3 is the first version published publicly. Subsequent refinements will be noted here as they land, driven by what engagements teach. Substantial restructurings will produce a major version bump (v1.0) gated on documented per-phase execution against the current bar.