Archwarden
Research In Progress

CPTS Pentest Methodology

Skills: Penetration Testing, Active Directory, Web App, Reporting, Methodology

A sci-fi navigation chart mapping the phases of a penetration test

The Problem with Most Methodology Resources

When you start studying for the CPTS or any serious penetration testing certification, you run into the same format everywhere: enumerate, exploit, post-exploit, lateral movement, privilege escalation. It’s a clean model. It makes sense as a mental framework for understanding how an engagement flows from start to finish.

The problem is that it doesn’t answer the question you’re actually asking in the moment.

When nmap finishes and you’re looking at port 445 open on a target, you don’t need a section on the enumeration phase — you need to know what commands to run against SMB right now. When you find a WordPress install, you need the wpscan flags, the default credential list, and the path to the theme editor. You don’t need to read through a five-stage lifecycle to find them.

Most methodology notes are written to explain the process. They don’t work well as a lookup reference under time pressure, which is exactly when you need them most.


What I Actually Needed

I realized this clearly during the CPTS exam. The notes I’d built while studying were organized around the curriculum structure — modules, phases, concepts. They were fine for learning. They were the wrong shape for working.

What I actually wanted was closer to a field manual than a textbook. See port 21 open → go to the FTP page. Find a Joomla install → go to the Joomla page. Pick up an NTLM hash → go to Hashcat and look up the mode. The reference should match the thing in front of you, not a phase in a model.

That meant organizing by service and tool rather than by attack stage.


What I Built

The methodology on this site is built around that idea. The structure has four sections:

Checklists — these are the closest thing to a traditional lifecycle format. They cover the major phases of a CPTS-style engagement in order: external recon, foothold, internal enumeration, lateral movement, privilege escalation, Active Directory attacks. Each is a checkbox list of techniques to work through. This is the “what stage am I at and what should I be doing” layer.

Host Services — organized by port number. If you see port 1433 open, you go to the MSSQL page. If you see 2049, you go to NFS. Each page covers enumeration, exploitation, and any privilege escalation vectors specific to that service. The mental model is: nmap shows you a number, that number takes you to a page.

Web Services — same idea but for what you find when you browse to port 80 or 443. See WordPress, go to the WordPress page. See a /manager/html path, go to Tomcat. The starting point is HTTP enumeration, and the pages branch from what you identify.

Tools — individual reference pages for the tools I use regularly: Nmap, NXC (NetExec), Hashcat, John, Impacket, BloodHound, and so on. When I need the right flag for a specific task, I want one place to look it up rather than a man page.
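The dispatch these four sections describe, an nmap result turning into a page to open, can be made mechanical. The script below is an added example and not code from the site itself: it parses nmap grepable output (-oG), keeps only open ports, and maps each one to a page name. The port-to-page table, the page names, the scan output (constructed) and the "no page yet" fallback are all assumptions for illustration; the fallback is there because, as the text says, a port with no matching page is exactly the gap that becomes the next page.

```python
import re
from dataclasses import dataclass

# Hypothetical port -> page table standing in for the site's Host Services
# pages. The names are assumptions, not copied from the site.
PORT_PAGES = {
    21: "Host Services/FTP",
    22: "Host Services/SSH",
    25: "Host Services/SMTP",
    53: "Host Services/DNS",
    111: "Host Services/RPC",
    139: "Host Services/SMB",
    445: "Host Services/SMB",
    1433: "Host Services/MSSQL",
    2049: "Host Services/NFS",
    3306: "Host Services/MySQL",
    3389: "Host Services/RDP",
    5985: "Host Services/WinRM",
}
# Anything that looks like HTTP branches into the Web Services section instead.
WEB_PAGE = "Web Services/HTTP enumeration"

# Constructed nmap -oG output (not a real scan). The Ports field uses nmap's
# port/state/proto/owner/service/rpcinfo/version/ layout, entries separated
# by ", " and the field terminated by a tab before "Ignored State".
SAMPLE_GNMAP = "\n".join([
    "# Nmap 7.94 scan initiated (constructed sample)",
    "Host: 10.10.10.5 ()\tStatus: Up",
    "Host: 10.10.10.5 ()\tPorts: 21/open/tcp//ftp//vsftpd 3.0.3/, "
    "80/open/tcp//http//Apache httpd 2.4.41/, "
    "445/open/tcp//microsoft-ds//Samba smbd 4.6.2/, "
    "2049/open/tcp//nfs//2-4 (RPC #100003)/\tIgnored State: closed (996)",
    "Host: 10.10.10.6 ()\tPorts: 443/open/tcp//ssl|http//nginx/, "
    "1433/open/tcp//ms-sql-s//Microsoft SQL Server 2019/, "
    "5432/open/tcp//postgresql//PostgreSQL DB 9.6/, "
    "8080/filtered/tcp//http-proxy///\tIgnored State: closed (996)",
    "# Nmap done",
])

HOST_PORTS = re.compile(r"^Host: (\S+) .*?\tPorts: (.*?)(?:\t|$)")


@dataclass(frozen=True)
class Lead:
    host: str
    port: int
    service: str
    page: str


def page_for(port, service):
    """Return the page to open for one open port (port wins over service name)."""
    if port in PORT_PAGES:
        return PORT_PAGES[port]
    if "http" in service:
        return WEB_PAGE
    # No page yet: the thing to write up after the engagement.
    return f"(no page yet: {service or port})"


def parse_gnmap(text):
    """Turn grepable nmap output into one Lead per open port."""
    leads = []
    for line in text.splitlines():
        m = HOST_PORTS.match(line)
        if not m:
            continue  # comments and Status-only lines carry no Ports field
        host, ports = m.groups()
        for entry in ports.split(", "):
            fields = entry.strip().split("/")
            if len(fields) < 7:
                continue  # malformed entry, skip rather than guess
            port, state, _proto, _owner, service, _rpc, _version = fields[:7]
            if state != "open":
                continue  # closed/filtered ports have no page to open
            leads.append(Lead(host, int(port), service, page_for(int(port), service)))
    return leads


def worklist(leads):
    """Group host:port targets by the page they point at, in scan order."""
    grouped = {}
    for lead in leads:
        grouped.setdefault(lead.page, []).append(f"{lead.host}:{lead.port}")
    return grouped


if __name__ == "__main__":
    for page, targets in worklist(parse_gnmap(SAMPLE_GNMAP)).items():
        print(f"{page:40s} {', '.join(targets)}")
```

Run against a real scan with `nmap -sV -oG scan.gnmap <targets>` and feed the file contents to `parse_gnmap`; the output is the same "number takes you to a page" lookup the section describes, but for every host at once, and any "(no page yet)" line is a page that still needs writing.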


Who This Is For

I don’t expect anyone to copy this and use it as their own methodology. That would mostly miss the point.

A large part of the value I got from building this came from the building itself — deciding how to organize things, figuring out which mental model to use for which kind of problem, understanding why a service-based lookup works better for me under pressure than a phase-based checklist. That process is where the learning happened. The site is the artifact, but the thinking that went into it is the part that actually stuck.

What I’m sharing it for is different. Methodology is a space where people tend to assume there’s one right answer — usually whatever structure the certification uses, or whatever the first resource they found was organized around. I wanted to show that there isn’t a one-size-fits-all methodology. The tool has to fit the person using it. My approach works for how my brain works during an engagement. It might not work for yours, and that’s fine.

If this gives someone a starting point for building their own, or shows them it’s worth thinking carefully about how they structure their notes rather than just copying someone else’s, that’s the outcome I’m after. Not replication — inspiration to do the same thing for yourself.


Where It Is Now

This is version one. It covers the CPTS curriculum fairly completely — all the major services from the attack paths I worked through, the AD techniques, the web exploitation basics. It’s exam-tested in the sense that I built most of it because I needed it for the exam, and the gaps I found became new pages.

It’s also deliberately not a secrets document. Everything here can be found in HTB Academy, in documentation, or in other people’s notes. The value isn’t in the information itself — it’s in the organization. Having the right commands one click away from an nmap result is the thing that matters.

It’ll keep growing. Boxes get added, engagements surface new techniques, and the pages get deeper. The goal is that it stays useful rather than complete.


