Tools & Techniques
Practical tooling, repeatable methods.

Wolfe Defense Labs builds and refines tools the way we design defenses: grounded in real tradecraft, respectful of small-team constraints, and tested in messy environments. This includes scripts, lab environments, automation, and techniques that support our offensive research and defensive engineering.

Internal & open-source tooling | Cloud & endpoint aware | Built for real operators

This page describes categories of tools and methods—not a full catalog. Many assets are private by design and surfaced through engagements.

Categories

What lives in our toolkit

We maintain a mix of homegrown utilities, orchestrations around open-source tools, and lab environments that let us safely experiment with offensive and defensive ideas.

Recon & mapping

Attack surface & exposure discovery

Tools focused on understanding how an organization really appears from the outside:

  • Domain, DNS, and certificate enumeration pipelines
  • External service & portal discovery tied to identity providers
  • Context-aware asset tagging for later risk analysis

Cloud & identity

Tenant survey & abuse modeling

Scripts and queries to map the shape of M365, Entra ID, Google Workspace, and key SaaS:

  • Role, group, and app registration enumeration
  • Conditional Access and policy state snapshots
  • Checks for common misconfigurations & risky patterns

Endpoint & internal

Hardening & lateral movement analysis

Windows- and Linux-focused utilities to understand internal reality:

  • Baseline vs. actual configuration drift analysis
  • Credential & local admin exposure checks
  • Network path & segmentation validation helpers

Techniques

How we use tools, not just which ones

Tools matter less than the methods behind them. We care about how results are interpreted, verified, and turned into actionable changes.

Repeatable pipelines

From ad hoc commands to structured flows

We convert repeated steps into pipelines that can be reused across clients:

  • Standardized recon & mapping sequences
  • Reusable queries for cloud and identity analysis
  • Scripts with clear, documented inputs & outputs

Experimentation

Safe abuse in controlled environments

Many techniques are validated in lab tenants and internal ranges:

  • Reproducing abuse paths before simulating them in real environments
  • Testing defender visibility and control coverage
  • Refining playbooks based on what actually shows up in logs

Operator-first

Tools that respect the person at the keyboard

We avoid fragile, “black box” automation. Instead:

  • Utilities that show their work and support manual override
  • Human-readable output that can be pasted into tickets & reports
  • Options for deeper analysis without forcing a single workflow

Examples

Representative tools & technique families

The specifics change as platforms and threats evolve, but these families give a sense of how we approach tooling in the lab.

Attack surface

Org-oriented scouting

A combination of commodity tools and custom logic to tie external signals back to real business units, providers, and identity systems.

  • Lightweight automation around well-known scanners
  • Normalization of results into consistent data models
  • Visualizations that support executive storytelling

Cloud / SaaS

Tenant x-ray passes

Semi-automated “x-ray” views of cloud and SaaS tenants to quickly spot outlier patterns:

  • High-privilege role usage and exception accounts
  • Risky OAuth permissions and trusted app lists
  • Legacy protocol usage and long-lived tokens

Defense checks

“Can we see it?” utilities

Tools designed not to exploit, but to verify detection and response coverage:

  • Safe actions that should generate known alerts or logs
  • Baseline checks for IR prerequisites (logging, retention, access)
  • Quick scripts to validate detections after tuning changes

Applied output

How tools & techniques show up in engagements

The value isn’t that we have tools—it’s how they accelerate and deepen the work we do in solutions, services, and readiness programs.

Faster, richer assessments

Attack surface, cloud, and internal posture assessments benefit from pre-built pipelines, letting us spend more time on interpretation and less on manual collection.

Realistic adversarial testing

Tools let us quickly test and reproduce abuse paths uncovered in research without improvising under time pressure during an engagement.

Better documentation & artifacts

Structured outputs feed directly into sample reports, remediation backlogs, and client internal documentation, reducing copy-paste errors and drift.

Training & knowledge transfer

Techniques and scripts often become the basis for training sessions, internal runbooks, or co-developed tooling with client teams.

Interested in lab-grade tools for real environments?

We use this toolkit to drive our services and solutions, and selectively collaborate with clients on customizations where it makes sense.
