

Operating C2 for Red Team Operations: Pivoting & Beacon Object Files
Who this workshop is for
Security practitioners who want hands-on time driving a C2, not another tool demo
Pentesters and red teamers who want a structured grounding in C2 tradecraft and the OPSEC thinking behind it
Blue teamers, detection engineers, and defenders who want to see how operators move, so they can catch them
No prior C2 experience needed. We start from standing up the server and build up to live pivoting, so beginners and experienced operators both have room to work.
What's included
Live, hands-on sessions in a dedicated lab range, where you operate a real C2
Live hands-on throughout: land your first agent, then pivot deeper across the range
Certificate of participation with CEP Credits
Recording included: a full session recording for everyone who registers
A dedicated detection walkthrough: how the blue team catches what you ran
Closing Q&A with the instructors on screen
A place in a focused, small cohort working the same range together
Red teams are expected to emulate real adversaries. But operating a C2 framework end-to-end, standing up the server, landing your first agent, keeping your footprint small, and pivoting deeper, is a skill set most practitioners never get structured time to build.
Spraying tools across a network isn't tradecraft. Modern defenders see noisy operators coming.
Sleep and jitter. In-process execution. Beacon Object Files. SOCKS pivoting. These aren't advanced extras. They're the everyday mechanics of operating with OPSEC in mind. And for most people, the only place to pick them up is mid-engagement, where there's no room to experiment.
Not because people don't care. Because a realistic, safe range time is hard to come by.
This workshop closes that gap.
In one focused session, you'll stand up an open-source C2, drive it through the full kill chain (foothold, post-ex, BOFs, pivot), and learn to think about OPSEC at every step, the way an operator does on a live engagement.
What makes this workshop different
It's built around live operation in a lab range, not a slide deck and a Q&A
You run the full chain yourself (first agent, post-ex comms, BOF execution, lateral movement), the way a real op unfolds
A dedicated detection segment shows how the blue team catches what you ran, so you leave understanding both sides of the engagement
What you'll learn
A focused, hands-on grounding in how red teams operate command and control, and the OPSEC thinking that separates good ops from noisy ones.
The foundations of C2
What C2 is, why red teams rely on it, and the core architecture: team server, listeners, redirectors
How to stand up an open-source C2 and generate, then deploy, an agent into the range
How to land your first agent and run clean post-exploitation comms
How to operate with OPSEC in mind
How sleep, jitter, and timing shape an agent's traffic and reduce noise
Why in-process execution beats spawning new processes for OPSEC
What Beacon Object Files are, how to load and run pre-built BOFs, and where they sit in a post-ex workflow
How to move through the network
How to use a single foothold to reach internal hosts
SOCKS proxying and port forwarding to work across network segments
How to move laterally through the range the way an operator does, and how each move looks to a defender
🗓 Workshop Agenda (14:00 – 18:00)
14:00–14:15 | 15m | Setup & Ground Rules: objectives, lab access, rules of engagement and scope
14:15–15:00 | 45m | C2 Fundamentals & Server Setup: what C2 is and why; team server, listeners, redirectors; generating and deploying your first agent into the range
15:00–15:10 | 10m | Checkpoint: Everyone Lands an Agent: a sync point so the whole room has a live agent before going deeper
15:10–15:55 | 45m | Agent Operation & OPSEC: post-ex comms, sleep/jitter, and the operator's decision loop, what each action costs and the quieter alternative
15:55–16:10 | 15m | Break
16:10–16:50 | 40m | Beacon Object Files & In-Process Execution: what BOFs are, why in-process beats spawning a process, loading and running pre-built BOFs
16:50–17:35 | 45m | Pivoting & Lateral Movement: foothold to internal hosts, SOCKS proxying and port forwarding, moving across segments
17:35–18:00 | 25m | Detection, Hardening & Wrap-up: how the blue team catches each step, defensive takeaways, Q&A, teardown
Learn directly from operators who run this work
Ariz Soriano, Senior Content Engineer at TryHackMe
A cohort, not just a course
You're not watching from the back row of a webinar. Everyone works the same lab range, so you can compare approaches, talk through OPSEC calls, and see how other practitioners handle the same foothold.
The format is intentional: you'll work in groups of three throughout the session, operating alongside other practitioners and getting unstuck quickly when an agent doesn't land or a pivot won't hold.