THE SOLDIERS
CODE

We are cyber-soldiers. Not in the romantic sense of keyboard warriors fighting imaginary battles, but in the practical sense of operators who understand that every system is a battlefield, every network is contested territory, and every vulnerability is an open door.

This is not a Soldiers Code of philosophy. This is a tactical doctrine for offensive operations in the digital domain. We do not ask permission to understand systems. We do not apologize for knowing how they break. We do not accept that security through obscurity is anything other than security through incompetence.

The Soldiers Code is the operational framework for C.S.F. It defines how we think, how we operate, and how we share knowledge in an environment where information is the primary weapon and ignorance is the primary vulnerability.

The ability to attack is the foundation of the ability to defend. You cannot secure what you do not understand. You cannot defend against techniques you have never studied. The separation of "offensive" and "defensive" security is a bureaucratic fiction maintained by organizations that benefit from your ignorance.

We assert: The right to learn, practice, and share offensive security techniques without apology. Penetration testing, exploit development, social engineering, and network intrusion are not criminal skills — they are essential skills for anyone serious about security.

Every vulnerability disclosed, every exploit documented, every technique shared makes the entire ecosystem stronger. The vendors who complain about "irresponsible disclosure" are the same vendors who ignored the vulnerability for years until it became public. We do not work on their timeline.

The Offensive Operator's Creed:

• I will learn how systems break before I claim to know how they work.
• I will practice offensive techniques in authorized environments.
• I will share knowledge freely because the alternative is collective weakness.
• I will not gatekeep techniques to maintain artificial status.

There is a difference between authorization and permission. Permission is what you ask from authority. Authorization is what you establish through contracts, scope agreements, and legal frameworks.

We operate under authorization:

Authorized Targets:

• Systems you own or have explicit written permission to test
• Bug bounty programs with published scope
• Capture the Flag (CTF) environments and wargames
• Intentionally vulnerable training applications
• Research environments with proper ethical approval

Unauthorized Targets:

• Production systems you do not own
• Networks you have not been contracted to test
• Individuals' personal devices or accounts
• Critical infrastructure without explicit authorization
• Any system where "testing" is actually just unauthorized access

The line is clear. Cross it and you are not an operator — you are a liability to the community and a criminal under the law. We do not defend unauthorized access. We do not romanticize it. We do not tolerate it.

Offensive operations require discipline. The same tools that find vulnerabilities can cause damage. The same techniques that test defenses can disrupt services. The same knowledge that empowers can destroy.

Operational Rules of Engagement:

01 — Document Everything. Every scan, every exploit attempt, every command executed. If you cannot produce logs of your actions, you cannot defend your authorization. Documentation is your proof of legitimacy.

02 — Minimize Impact. Test in non-production environments when possible. Use non-destructive techniques first. Avoid denial-of-service unless explicitly authorized. Your goal is to find vulnerabilities, not to cause damage.

03 — Respect Scope. If the contract says "web application only," do not scan the internal network. If the bug bounty says "no social engineering," do not phish employees. Scope violations destroy trust and end careers.

04 — Disclose Responsibly. Give vendors reasonable time to patch (30-90 days is standard). Coordinate disclosure timelines. Publish details only after patches are available. The goal is to improve security, not to enable mass exploitation.

05 — Protect Your OPSEC. Use dedicated testing infrastructure. Separate your research identity from your personal identity. Assume everything you do is logged. Operate as if you will need to defend your actions in court — because you might.

Modern systems are not isolated fortresses. They are interconnected ecosystems with attack surfaces that span:

Technical Surfaces:

• Network Layer: Exposed services, misconfigurations, weak protocols
• Application Layer: Web apps, APIs, mobile apps, desktop software
• Infrastructure Layer: Cloud misconfigurations, container escapes, CI/CD pipelines
• Hardware Layer: Firmware vulnerabilities, side-channel attacks, physical access
• Supply Chain: Third-party dependencies, compromised libraries, vendor access

Human Surfaces:

• Social Engineering: Phishing, pretexting, elicitation, impersonation
• Insider Threats: Disgruntled employees, compromised credentials, privilege abuse
• OSINT: Public information weaponized for targeting and reconnaissance
• Physical Security: Tailgating, badge cloning, dumpster diving, facility access

We train across all surfaces. A network penetration tester who cannot social engineer is half an operator. A social engineer who cannot exploit a web app is incomplete. A hardware hacker who ignores the human element is missing the easiest vector.

The best operators are multi-domain. They understand that the weakest link is rarely the firewall — it is the person who configured it, the vendor who shipped it with default credentials, or the employee who clicked the phishing link.

A technique known by one operator is a single-use weapon. A technique shared with the community is a force multiplier. Every guide published, every tool released, every writeup documented makes the entire community more capable.

We share knowledge because:

• Defenders need to know what attackers know
• Researchers need to build on each other's work
• Students need real-world examples, not sanitized textbooks
• The security industry benefits from collective intelligence
• Hoarding knowledge to maintain status is a betrayal of the mission

What We Share:

• Detailed technical writeups with reproducible steps
• Exploit code and proof-of-concept demonstrations
• Tools, scripts, and automation frameworks
• Lessons learned from real engagements (sanitized for confidentiality)
• Training materials, guides, and educational content

What We Do Not Share:

• Client-specific data or confidential engagement details
• Personally identifiable information (PII) of targets
• Zero-day vulnerabilities before responsible disclosure
• Techniques designed solely for illegal activity
• Information that would enable mass harm without defensive value

The line between education and enablement is judgment. We trust operators to exercise it.

The threat landscape has evolved. The techniques that worked in 2020 are table stakes in 2026. The adversaries have adapted. So must we.

Current Threat Vectors:

AI-Augmented Attacks: LLMs generate perfect phishing emails. Deepfakes bypass video authentication. Automated vulnerability discovery outpaces human researchers. The attacker's toolkit is now artificially intelligent.

Supply Chain Compromise: Attacking the target directly is hard. Attacking their vendors, their build systems, their dependencies — that is the new normal. SolarWinds was not an anomaly. It was a preview.

Cloud Misconfigurations: The migration to cloud has created an explosion of attack surface. S3 buckets left open. IAM policies too permissive. Secrets in environment variables. The cloud is not secure by default.

Identity as the Perimeter: Network perimeters are dead. Identity is the new perimeter. MFA fatigue attacks, session hijacking, token theft — if you can compromise identity, you own the kingdom.

Cognitive Warfare: The battlefield is not just technical. It is psychological. Influence operations, disinformation campaigns, and algorithmic manipulation are active operations running against populations at scale.

We adapt or we fail. The operators who cling to 2015 techniques will be irrelevant. The operators who study current TTPs, who practice against modern defenses, who understand the adversary's playbook — they will survive.