Skip to content

outflank Security tooling (oST)

OST is a set of private offensive security tools created by the red teaming specialists of Outflank available for use by vetted red teams.

Learn About the Powerful Tools That Are Part of The Outflank Toolkit.

ouflank from s4applications

OST is a powerful toolbox made by red teamers for red teams.

Outflank Security Tooling (OST) is an essential toolkit for anyone involved in Red teaming, Penetration testing, or Vulnerability assessment. Developed by the experts at Outflank, OST includes a comprehensive suite of tools designed to help you identify and exploit vulnerabilities in your organisation’s systems and networks.

With OST, they bundle their internal tools for red teaming, adversary simulation or advanced penetration testing services. The toolkit provides shortcuts for hard stages like initial access, EDR evasion and OPSEC-safe lateral movement. OST includes techniques that have not yet been published or weaponised by other red teams.

The toolset is under continuous development and there are currently 10 tools available. These tools allow you to simulate similar techniques to what some APTs and Organized Crime Groups apply but are not available in public tools. OST tools are explicitly developed to bypass defensive measures and detection tools.

There are tools for every phase of the attack chain that help with initial compromise, command and control (C2), lateral traversal and clean-up.

Download an Outflank Security Tooling summary PDF.

Outflank Security Tooling

OST tools allow you to simulate similar techniques to what some APTs and Organised Crime Groups apply but are not available in public tools. OST tools are explicitly developed to help enable a skilled operator bypass defensive measures and detection tools.

The tools are categorised along the phases of a typical attack kill chain, In Phase, Through Phase and Out Phase:

In Phase

Office Intrusion Pack

The Office Intrusion Pack generates VBA macros based on various templates and settings. Currently it generates a .txt file with VBA code. The main use case is generating malicious macros to be used in maldocs for initial access or persistence (e.g. by backdooring normal.dotm).

Payload Generator  

Payload generator is a binary payload builder/transformer focused on OPSEC safety, operational traceability, and anti-forensics. It can generate various highly evasive malware artifacts for use in achieving initial access, gaining persistence, escalating privileges, or completing lateral movements during red team engagements. 

Offering the latest offensive R&D to help bypassing AV and EDR products, such as direct system calls, techniques to blend in with TI ETW, ROP gadgets, sleep masking, stack spoofing and much more.

Stego Loader

Stego loader allows the operator to embed a payload into an image file using Least Significant Bit Steganography. After the payload is embedded into the image, the image is still valid and viewable.

Through Phase

Stage 1

Stage 1 is Outflank’s custom Command-and-Control framework with focus on OPSEC and ‘Stage 1’ functionality.

Stage 1 is a light C2 framework that is aiming to be as OPSEC-safe as possible. Stage 1 uses features such as direct system calls and sleep masking to stay under the radar of AV and EDR for your initial access and local reconnaissance activities. I


SCMUseKerberos is a tool to change the Service Control Manager (SCM) APIs to use Kerberos for local authentication and to spawn an elevated beacon using a privileged (administrator) Kerberos token. 


Sharpfuscator, a custom .net obfuscator that helps bolster the evasiveness of C# executables, including open source C# tools.  

ShapFuscator is designed for AV/EDR static signature evasion. By analyzing the assembly with tools such as dnspy it is relatively easy to identify the encryption keys, the assembly features or the original tool.


Credential Pack

Credential Pack is a collection of tools that can be used with any Command and Control framework with BOF support and allows the red team operators to extract (dump) and obtain credentials.

Out Phase

Hidden Desktop 

Get a short demo of Hidden Desktop, one of the many tools in Fortra’s Outflank Security Tooling (OST), an elite toolset developed by and made for advanced red teams.

Hidden Desktop is an OPSEC safe implementation of hidden Virtual Network Computing (hVNC), which allows red teamers to create a second desktop on a targeted system that remains invisible to the user. 

Fake Ransom

FakeRansom is a tool developed and used to support in the out phase of a ransomware attack simulation. It is fake, yet real-life-like ransomware. It hijacks the screen and shows a full screen ransom notice combined with ongoing file listings of files of that computer.

It creates the sense of urgency and a stress factor that is often overlooked in a simulation.

Kernelkatz and KernelTool

a short demo of Kernelkatz and KernelTool, two of the many tools in Fortra’s Outflank Security Tooling (OST), an elite toolset developed and made for advanced red teams. Kernelkatz leverages a vulnerable driver to read LSASS memory and dump hashes, using a fresh driver that is not blocked by Device Guard so it can bypass LSA protections. KernelTool can then be used to remove process protections and modify callbacks.

Cobalt Strike UDRLs in 60 Seconds

Outflank Security Tool (OST) users can now leverage the power of User Defined Reflective Loaders (UDRLs) without writing C code or setting up a dev environment. 

Node in 60 secs

Outflank Security Tool (OST) provides .node payload generation, including Function Forwarding. Great for persistency in favorite Electron apps, such as Teams, Slack, VS Code.

Stage 1 Automation in 60 Seconds 

Outflank Security Tooling comes with its own C2 framework called Stage 1. Stage 1 is an OPSEC-focused C2 framework that provides red team operators with a lot of flexibility. One example is shown in this video: By leveraging the power of Python for automating tasks in Stage 1, and using the built in Jupyter Notebooks interface, red team operators can automate all kinds of tasks quickly and easily.

Download the Outflank OST Modules Technical Overview

Outflank Security Tooling is a set of private offensive security tools created by the red teaming specialists of Outflank. Download this 12 page high-level technical overview of the tools provided in OST.

Learn about the powerful tools that are part of the Outflank toolkit.

Integrations with other Fortra solutions

OST was developed to work in tandem with Fortra’s advanced adversary simulation tool, Cobalt Strike and automated penetration testing solution, Core Impact.

With OST, you can automate tedious and time-consuming tasks, such as password cracking, network reconnaissance, and post-exploitation, so you can focus on more complex and high-value activities. OST is constantly being updated to ensure they have the latest techniques and methods used by cybercriminals and other threat actors. By using OST, you can identify and remediate vulnerabilities before they can be exploited by attackers.

Outflank Security Tooling (OST) webinar - Introduction and Demo.

Let us know if you want to receive an invitation to the OST webinar to get your very own introduction and demonstration of the power of Outflank Security Tooling. Fill out the form below.

What to do next

Interested in a quote, or the opportunity to talk through your requirements further?

As a Fortra partner, S4 Applications will work with your business to help you understand what Outflank can offer to evaluate your attack surface, priorities, and goals and develop a roadmap to deploy the right solution for your needs.

World Map
World Map