Logan Goins is an Operator on the SpecterOps Adversary Simulation team serving as a Consultant, where he executes and leads Adversary Simulation exercises for SpecterOps clients. His published research focuses on Active Directory and operationalizing offensive security capability, and he is the author of a variety of offensive identity-driven tools including SOAPy, SharpSuccessor, and others.
A summary of his security research, capability/tradecraft development, community contributions, and certifications can be found below:
- Experience:
  - Consultant, Adversary Simulation at SpecterOps (May 2026 - Present)
  - Associate Consultant, Adversary Simulation at SpecterOps (May 2025 to May 2026)
  - Offensive Security Consultant Co-op at IBM X-Force Red (January 2025 to May 2025)
  - Offensive Security Consultant Intern at IBM X-Force Red (May 2024 to August 2024)
- Education:
  - Bachelor's in Cybersecurity, UT San Antonio (In progress)
- Tooling Development:
  - BadTakeover, Beacon Object File (BOF) for Using the BadSuccessor Technique for Account Takeover (Sep 2025)
  - SharpSuccessor, .NET Proof of Concept (POC) for fully weaponizing Yuval Gordon’s (@YuG0rd) BadSuccessor attack from Akamai. (May 2025)
  - Stifle, a .NET post-exploitation utility to exploit strong explicit certificate mappings (ESC14) for account takeover in Active Directory environments. (Feb 2025)
  - Krueger, Proof of Concept (PoC) .NET tool for remotely disabling EDR with weaponized WDAC to enable lateral movement. (Dec 2024)
  - Cable, .NET post-exploitation toolkit for Active Directory reconnaissance and exploitation. (Nov 2024)
  - SOAPy, Proof of Concept (PoC) Python tool for conducting offensive interaction with Active Directory Web Services (ADWS) from Linux hosts. (Aug 2024)
- Major Blogs:
  - Wait, Why is my WebClient Started? - SCCM Hierarchy Takeover via NTLM Relay to LDAP (Jan 2026)
  - The (Near) Return of the King: Account Takeover Using the BadSuccessor Technique (Oct 2025)
  - Operating Outside the Box: NTLM Relaying Low-Privilege HTTP Auth to LDAP (Aug 2025)
  - Make Sure to Use SOAP(y) – An Operators Guide to Stealthy AD Collection Using ADWS (July 2025)
  - Attacking and Defending Configuration Manager - An Attackers Easy Win (April 2025)
  - SOAPy: Stealthy enumeration of Active Directory environments through ADWS (Feb 2025)
  - Using Offensive .NET to Enumerate and Exploit Active Directory Environments (Oct 2024)
  - NTLM Relaying to LDAP - The Hail Mary of Network Compromise (July 2024)
  - Active Directory Certificate Services (AD CS) - A Beautifully Vulnerable and Mis-configurable Mess (May 2024)
- Certifications:
  - Adversary Tactics: Identity Driven Offensive Tradecraft (IDOT)
  - Attacking and Defending Azure & M365
  - Certified Red Team Operator (CRTO)
  - Offensive Security Certified Professional (OSCP)
  - CompTIA Cybersecurity Analyst+ ce (CySA+) - April 2023 to April 2026
  - CompTIA Security+ ce - April 2023 to April 2026