Polleo Academy · N°02
Adversarial Engineering.
Red-team craft taught as an engineering discipline. The curriculum is organized in three layers: a universal core every student takes, a catalogue of technique domains, and applied-context modules that specialize the work to a vertical or reconstruct a real adversary campaign. The module list below is the catalogue view: each entry names the topic and the shape of the work without revealing the material itself.
Status. Curriculum authoring is complete and under review. The hands-on lab platform is in development; until it ships, modules are being refined against internal review and exemplar walkthroughs.
Layer 1 — Core Discipline
The universal core. Every student takes every module here, in order. Together they establish the discipline before students specialize.
- C1 · Adversarial Engineering Methodology
Frames red-team work as an engineering practice rather than performance. Introduces the through-line that the rest of the curriculum follows.
- C2 · Engagement Planning, Legal & Ethics
Scoping, authorization, rules of engagement, and the legal and ethical envelope offensive work has to operate inside. Includes the documents and conversations that get all of this right before any technical work begins.
- C3 · OSINT & External Reconnaissance
Builds a structured picture of a target from public sources. Emphasizes the discipline of separating signal from noise and translating findings into engagement-relevant hypotheses.
- C4 · C2 Infrastructure & Operational Security
Treats command-and-control and operator OPSEC as infrastructure problems with reliability, observability, and resilience requirements. Studies the trade-offs that separate sustainable operations from one-shot demonstrations.
- C5 · Social Engineering & Initial Access
The human side of access — pretext design, communication craft, and the judgment calls that distinguish responsible engagements from theatre. Built around what makes social engineering reproducible, not what makes it dramatic.
- C6 · Purple Team & Detection Engineering
Establishes the shared vocabulary between red and blue, and the practice of using offensive findings to improve defensive instrumentation. Students leave understanding why the most valuable red-team outcome is often a better detection.
- C7 · Red Team Reporting & Communication
Translates engagement work into artifacts the rest of the organization can act on. Covers the documents, the briefings, and the calibration that turns a finding into a decision.
- C8 · Capstone Exercise & Certification
A staged scenario that exercises the full discipline end-to-end under examiner observation. Anchors the four certification tracks with a common assessment instrument.
- C9 · Engagement Stewardship
The long-horizon role of running a program, not just an engagement — calibration over time, relationships with stakeholders, and the institutional health of an offensive function.
Layer 2 — Technique Domains
Modular deep-dives into specific capability areas. Students choose the domains relevant to their track and role; modules are designed to stack rather than compete.
- T1 · AD Reconnaissance & Enumeration
Understanding Active Directory as an attacker sees it. Builds the structured picture of a directory that downstream technique modules assume.
- T2 · Kerberos Attacks & Privilege Escalation
Kerberos as a protocol and as an attack surface. Studies the discipline of reasoning about ticket-based authentication and its failure modes.
- T3 · AD Certificate Services
PKI inside the directory — how certificate services interact with identity, and the patterns by which their configuration becomes consequential.
- T4 · Evasion & Credential Access
The interplay between operator behavior and defensive instrumentation. Frames evasion as an engineering trade-off rather than a checklist.
- T5 · Lateral Movement Techniques
Moving through an environment with intent — the choices about path, pace, and footprint that separate disciplined operations from blunt traversal.
- T6 · Cloud & Hybrid Identity (Entra ID)
Identity when the directory crosses on-prem and cloud boundaries. Treats hybrid identity as its own discipline rather than an extension of either side.
- T7 · Adversarial Machine Learning
Attacking and reasoning about ML systems as systems — their training data, their boundaries, and the failure modes that emerge from how they're built.
- T8 · LLM Attacks & Jailbreaking
Frames large language models as runtime components with their own attack surface. Studies the discipline of reasoning about prompt-driven behavior and its boundaries.
- T9 · RAG & Agentic Exploitation
Retrieval-augmented systems and tool-using agents as composite attack surfaces. Builds the habit of reasoning about untrusted content flowing into trusted reasoning.
- T10 · Software Supply Chain Attacks
The places where trust is delegated in modern software delivery, and the patterns by which that trust becomes consequential. Anchored in real-world classes of incident.
- T11 · MCP & Agentic System Security
The security surface of agent-tool protocols. Treats the boundary between an agent and its tools as a first-class security boundary that has to be engineered, not assumed.
- T12 · Agents as Supply Chain Amplifiers
How autonomous agents change the shape of supply chain risk — both as targets and as accelerants. Builds the framing students need to reason about composite risk.
- T13 · Persistence & Domain Dominance
The long-horizon side of an engagement — durability, re-entry, and the operator discipline that keeps long-running operations healthy.
Layer 3 — Applied Contexts: Verticals
Sector-specific contextualization of the core and technique layers. Each parent module establishes the vertical's attack surface; the sub-verticals deepen the work for distinct businesses inside it.
- V1 · Healthcare — Medical Device Exploitation
Connected medical devices as a contextual attack surface. Studies the engineering, regulatory, and clinical-safety constraints that shape how this work is done responsibly.
- V2 · Healthcare — Threat Landscape & Case Studies
The patterns of incident the healthcare sector has actually faced. Builds vertical-specific intuition by reasoning about disclosed events rather than abstract scenarios.
- V3 · Healthcare — AI Red Team Methodology & Compliance
Red-teaming AI systems inside healthcare's compliance envelope. Translates the technique-layer work into the documentation and decision posture this sector requires.
- V4 · Financial Services — Attack Surface
The shape of an attack surface across regulated financial institutions. Establishes the shared structure the three financial sub-verticals deepen.
- V4a · Banking Sub-Vertical Deepening
The bank-specific contours of the financial vertical — what changes when the institution holds deposits and runs payment rails.
- V4b · Insurance Sub-Vertical Deepening
Insurance-specific contextualization — underwriting data, claims systems, and the risk surface a carrier sees that other financial institutions do not.
- V4c · Fintech-Charter Sub-Vertical Deepening
Fintech-charter institutions sit between regulated banking and software-velocity product work. The deepening reasons about the seams that position produces.
- V5 · Industrial Control Systems — Attack Surface
The shape of an attack surface across ICS-driven operations. Establishes the IT/OT seam that the four industrial sub-verticals deepen for their respective sectors.
- V5a · Electric Utility Sub-Vertical Deepening
Generation, transmission, and distribution as distinct contexts inside one industry. Reasoning about consequence at grid scale.
- V5b · Manufacturing Sub-Vertical Deepening
Discrete and process manufacturing as ICS contexts, and the operational consequences that shape responsible scoping inside a working plant.
- V5c · Water Utility Sub-Vertical Deepening
Treatment and distribution systems as a public-safety-critical ICS context. Establishes the operating constraints any responsible engagement in this sector inherits.
- V5d · Oil & Gas Pipeline Sub-Vertical Deepening
Pipeline operations as a distinct ICS context — geographically distributed, safety-instrumented, and operationally consequential at multiple time horizons.
- V6 · Government — Attack Surface
The shape of an attack surface across government environments, and the procurement, classification, and authority constraints that distinguish this work.
- V6a · Federal Civilian Sub-Vertical Deepening
The civilian-agency context — its compliance regime, its mission orientation, and the engagement disciplines that emerge from both.
- V6b · Defense Industrial Base Sub-Vertical Deepening
The DIB as a context where commercial software practice meets defense-grade authority structures. Reasoning about the seams that meeting produces.
- V7 · Transportation — Attack Surface
Transportation as a category of cyber-physical, safety-instrumented operations. Establishes the structure the four transportation sub-verticals deepen.
- V7a · Aviation Sub-Vertical Deepening
Aviation as a regulated, safety-critical context — the engagement disciplines that have to come with that.
- V7b · Maritime Sub-Vertical Deepening
Maritime operations span vessel, port, and supply-chain contexts. The deepening reasons about each as a distinct attack surface inside one industry.
- V7c · Rail Sub-Vertical Deepening
Rail as a long-running, safety-instrumented context with deeply mixed legacy and modern systems. Reasoning about what that mixture implies for responsible work.
- V7d · Surface Freight + Urban Transit Sub-Vertical Deepening
Freight and urban transit as adjacent but distinct transportation contexts, each with its own consequence shape and operational rhythm.
Layer 3 — Applied Contexts: APT Tracks
Each APT track reconstructs a real adversary campaign as a teaching instrument — what was attempted, what worked, and what the engineering and defensive lessons are. Tracks are paired across the §9.6 grid (mission-criticality × consequence-class) to expose the genre rather than to glorify the actor.
- A1 · Scattered Spider (UNC3944 / Octo Tempest)
An identity-centric, social-engineering-forward intrusion genre. Reconstructed as a teaching instrument for the help-desk-to-cloud-identity threat model.
- A2 · Volt Typhoon
A long-dwell, infrastructure-focused intrusion genre with strategic intent. Used to teach how to reason about access whose value is patience rather than action.
- A3 · Lazarus — Supply Chain Operations
Reconstructs a state-aligned actor's use of software supply chain as a means of access. Anchors the supply-chain teaching with a worked, attributed example.
- A4 · Cl0p — Mass-Exploit Campaigns Against Managed File Transfer
A criminal-operator genre that turns one vulnerability into an industry-wide event. Used to teach how to reason about consequence at population scale.
- A5 · Storm-0558 — Cloud Identity Platform Signing-Key Compromise
A cloud-native intrusion against an identity platform's signing trust. Teaches the discipline of reasoning about cryptographic trust roots inside multi-tenant infrastructure.
- A6 · TRITON / FROSTYGOOP — OT Physical-Impact Campaigns
Two OT-specific campaigns paired as a single track. Used to teach the difference between cyber-effect and physical-effect operations against control systems.
- A7 · Sandworm — Targeted Physical-Impact Against Mission-Required Infrastructure
Reconstructs a campaign genre that combines IT access with deliberate, targeted physical consequence. Anchors the highest-consequence quadrant of the APT track grid.
- A8 · IT-OT-Bleed Ransomware
The opportunistic-criminal genre where IT-side encryption bleeds into OT operations. Teaches the distinction between targeted and opportunistic consequence.
- A9 · Salt Typhoon — Targeted Telecom Compromise
A state-aligned campaign against mission-required telecom infrastructure. Used to teach how to reason about adversary access whose value is intelligence collection at carrier scale.
Certification Tracks
Four certification tracks sequence the layers differently for different roles. Each track shares the same C8 capstone instrument, calibrated to the track's emphasis.
- CAE-P · Practitioner
The default track for operators executing engagements. Anchored in the full core, with technique-domain selection driven by the operator's environment.
- CAE-B · Builder
For practitioners who develop tooling and infrastructure for offensive work. Emphasis on the engineering discipline behind reproducible operations.
- CAE-T · Tester
For practitioners whose primary output is verification — that controls work, that detections fire, that assumptions hold. Emphasis on the purple-team and detection-engineering layer.
- CAE-E · Engagement Stewardship
For practitioners running programs rather than individual engagements. Emphasis on the long-horizon C9 material and the institutional disciplines around offensive work.