Run a Private AI That Reads Your Documents, Locally, With No Internet Required

The way RAG works is easier to understand if you stop thinking about AI memory. Think about a dictionary instead. You do not memorize every definition before you need one. Look up the word when you need it. RAG does the same thing with your files — chunks them, embeds them into a vector database, and pulls back only what matches your question. The model never sees the whole library. ...

April 22, 2026 · Mario Martinez Jr.

Build a Local AI Pentesting Assistant on Kali Linux with Ollama and MCP

Topics: Ollama, MCP, Python, Kali Linux, Responsible Scope

The tool does not determine whether you are a professional. Scope does. Before any script runs, before any model generates a command, you need written authorization for every target you plan to touch. That is not a disclaimer to skip past. Every piece of tooling in this article enforces that principle because I have watched what happens when it gets ignored. A few years ago a student ran a scan against a host that was not in the lab scope. I did not give a zero and move on. That student wrote the apology email. Not me, the student wrote it, disclosed exactly what ran and what the scan returned, and waited to hear what the victim decided to do about it. Outside a classroom, unauthorized access carries consequences the victim controls, not the teacher. That framing changes how seriously students take scope documents. ...

April 19, 2026 · Mario Martinez Jr.

TryHackMe: x86 Assembly Crash Course

Author: Mario Martinez Jr. (ku5e / Gary7) | TryHackMe USA Rank #76 | Top 1%
Difficulty: Easy
Topics: x86 Assembly, Opcodes, MOV/LEA/NOP, Arithmetic Instructions, Logical Instructions, Flags, Conditionals, Branching, Stack Operations, Function Calls
Link: x86 Assembly Crash Course on TryHackMe

Answers are redacted within the narrative to allow you to complete the tasks on your own, but a full table of answers is available at the end of this walkthrough.

Assembly is the lowest level of human-readable language and the highest level a compiled binary can be reliably decompiled to. When you open a malware sample in Ghidra or x64dbg, you are reading assembly. There is no layer above it. This room covers the instructions you will see on every analysis: MOV, LEA, NOP, ADD, SUB, XOR, CMP, TEST, JMP, PUSH, POP, and CALL. Complete the x86 Architecture Overview room first if you have not already. ...

April 13, 2026 · Mario Martinez Jr.

TryHackMe: x86 Architecture Overview

Author: Mario Martinez Jr. (ku5e / Gary7) | TryHackMe USA Rank #76 | Top 1%
Difficulty: Easy
Topics: CPU Architecture, x86 Registers, Memory Layout, Stack Analysis, Malware Analysis Fundamentals
Link: x86 Architecture Overview on TryHackMe

Answers are redacted within the narrative to allow you to complete the tasks on your own, but a full table of answers is available at the end of this walkthrough.

This room gives you the mental model that makes malware analysis readable. Before you open a binary in Ghidra or step through a sample in x64dbg, you need to know what the CPU is actually doing with its registers and memory. The room covers Von Neumann architecture, x86 registers from EAX down to the segment registers, the four-section memory layout, and the stack. It takes about an hour. If you plan to do any serious reverse engineering, that hour is not optional. ...

April 12, 2026 · Mario Martinez Jr.

TryHackMe - Threat Modelling Walkthrough

Author: Mario Martinez Jr. (ku5e / Gary7) | TryHackMe USA Rank #76 | Top 1%
Difficulty: Easy
Topics: Threat Modelling, MITRE ATT&CK, DREAD, STRIDE, PASTA
Link: Threat Modelling on TryHackMe

Answers are redacted within the narrative to allow you to complete the tasks on your own, but a full table of answers is available at the end of this walkthrough.

This room walks through four threat modeling frameworks used by security teams to identify, categorize, and prioritize risks. You apply each framework to realistic organizational scenarios, including a financial services company and an e-commerce payment processor. ...

March 15, 2026 · Mario Martinez Jr.

TryHackMe: Threat Intel & Containment

Author: Mario Martinez Jr. (ku5e / Gary7) | TryHackMe USA Top 1%
Difficulty: Easy
Topics: Threat Intelligence, Containment Strategies, Incident Response, Wireshark

Answers are redacted within the narrative to allow you to complete the tasks on your own, but a full table of answers is available at the end of this walkthrough.

This room is a lecture-heavy introduction to threat intelligence creation and containment strategies within the incident response cycle. Most tasks pair reading with a single comprehension question. The practical at the end drops a packet capture on the desktop and asks you to pull three specific values from the traffic. Wireshark filtering gets you there fast. ...

March 15, 2026 · Mario Martinez Jr.

TryHackMe: Tardigrade

Author: Mario Martinez Jr. (ku5e / Gary7) | TryHackMe USA Top 1%
Difficulty: Easy
Topics: Persistence Mechanisms, Backdoors, Incident Response, Linux Forensics

Answers are redacted within the narrative to allow you to complete the tasks on your own, but a full table of answers is available at the end of this walkthrough.

A server is already compromised. The attacker believes they cleared out. Your job is finding what they left behind before the machine goes back to production. The IR team has isolated the machine and handed you credentials for an account with root privileges. Five backdoors are planted somewhere on the system. Finding them requires knowing what a clean Linux install looks like. Anything that doesn’t match is a lead. ...

March 15, 2026 · Mario Martinez Jr.

TryHackMe: Preparation

Author: Mario Martinez Jr. (ku5e / Gary7) | TryHackMe USA Rank #76 | Top 1%
Difficulty: Easy
Topics: Incident Response, CSIRT, Digital Forensics, Log Management, Windows Event Logs

Answers are redacted within the narrative to allow you to complete the tasks on your own, but a full table of answers is available at the end of this walkthrough.

This room covers the Preparation phase of the incident response lifecycle, the foundation that determines whether a team can respond to a breach effectively or scramble in the dark. You take the role of an incident responder building out the people, processes, and technology required to detect and contain adversarial activity before the next room moves into identification and scoping. ...

March 15, 2026 · Mario Martinez Jr.

TryHackMe: Identification & Scoping

Author: Mario Martinez Jr. (ku5e / Gary7) | TryHackMe USA Top 1%
Difficulty: Easy
Topics: Incident Response, Security Alerts, Asset Inventory, IoC Management

Answers are redacted within the narrative to allow you to complete the tasks on your own, but a full table of answers is available at the end of this walkthrough.

This room positions you as an incident responder at SwiftSpend Financial (SSF), a fictional organization facing a potential security compromise. You work through a series of support tickets in Outlook, cross-reference an Asset Inventory, and populate a Spreadsheet of Doom (SoD) with indicators of compromise. The room frames itself around identification, scoping, and the feedback loop between the two. In practice, it functions as an email reading exercise where you extract IoCs from ticket exchanges and map them to organizational assets. ...

March 15, 2026 · Mario Martinez Jr.

TryHackMe: Eradication and Remediation

Author: Mario Martinez Jr. (ku5e / Gary7) | TryHackMe USA Top 1%
Difficulty: Medium
Topics: Incident Response, Eradication, Remediation, MITRE ATT&CK, Jenkins, Cyber Kill Chain

Answers are redacted within the narrative to allow you to complete the tasks on your own, but a full table of answers is available at the end of this walkthrough.

This is the fourth room in the Live IR Module, picking up after Preparation, Identification and Scoping, and Threat Intel and Containment. By this point the scope is set and the bad guys are identified. The job now is to remove them cleanly, patch what let them in, and bring systems back online without handing the attacker a warning signal in the process. The room tests your sleuthing ability as much as your IR theory — and the MITRE ATT&CK Framework proves its worth again. ...

March 15, 2026 · Mario Martinez Jr.