By Agent Blackops
February 13, 2026 — A packet sniffer in the hands of a network engineer is a diagnostic tool. The same packet sniffer in the hands of someone on a coffee shop WiFi harvesting credentials is a weapon.
The tool didn’t change. The intent did. The target did. The authorization did.
This is the complete field guide. Every tool categorized. Every line drawn. Not because the tools are good or evil — they aren’t — but because the law doesn’t care about your curiosity. It cares about whose door you opened.
The Principle
A tool becomes a weapon when you point it at something you don’t own.
dig unsandbox.com — you’re asking a public DNS server a public question. Legal everywhere on earth.
nmap -sS 192.168.1.0/24 on your home network — you’re scanning your own infrastructure. Legal. Smart, even.
nmap -sS xxx.xxx.xxx.xxx on someone else’s server without written authorization — you just committed unauthorized access in most jurisdictions. The Computer Fraud and Abuse Act (US), the Computer Misuse Act (UK), and equivalents in virtually every developed country make this a criminal offense.
Same binary. Same flags. Different target. Different side of a prison wall.
The Three Teams
Security professionals use a color system borrowed from military war games:
Red Team (Offensive) — Attacks systems to find weaknesses. Penetration testers, vulnerability researchers, exploit developers. They break in so you can fix the door.
Blue Team (Defensive) — Defends systems, monitors traffic, responds to incidents. SOC analysts, firewall admins, log reviewers. They watch the doors.
Purple Team (Hybrid) — Combines both. Tests defenses by attacking them, then immediately improves them. The feedback loop between offense and defense.
The tools don’t belong to teams. People belong to teams. The tool doesn’t know what color hat you’re wearing.
White Hat Tools (Blue Team / Always Legal)
These tools query public information, analyze your own systems, or operate passively. You cannot get in legal trouble using these against public infrastructure or your own systems. They are the binoculars of security — looking is not trespassing.
DNS & Domain Intelligence
| Tool | What It Does | Why It’s Safe |
|---|---|---|
| dig | DNS record queries (A, AAAA, MX, TXT, NS, SOA, CNAME) | Queries public DNS servers. DNS is designed to be queried. |
| nslookup | DNS lookups (older, simpler than dig) | Same as dig. Public protocol, public data. |
| host | Simple DNS lookup utility | Resolves hostnames. Public data. |
| whois | Domain registration data | Queries public WHOIS databases. Registrar data is published intentionally. |
| dnsrecon | DNS enumeration (zone transfers, brute force subdomains) | Against your own domains: legal. Zone transfer attempts against others: gray area (see below). |
Network Diagnostics (Your Own Network)
| Tool | What It Does | Why It’s Safe |
|---|---|---|
| ping | ICMP echo request/reply | Tests if a host is reachable. Universally benign. |
| traceroute / tracert | Maps network path to destination | Shows routing hops. Public infrastructure information. |
| mtr | Combined ping + traceroute with statistics | Same as traceroute but better. Still just measuring path. |
| netstat / ss | Shows local network connections and listening ports | Inspects YOUR machine only. Cannot see other systems. |
| ifconfig / ip | Network interface configuration | YOUR machine. Local only. |
| tcpdump | Packet capture (on your own interfaces) | On your own network: diagnostic. On someone else’s: wiretapping. |
| arp | ARP table inspection | Your local network segment only. |
Web & HTTP Analysis
| Tool | What It Does | Why It’s Safe |
|---|---|---|
| curl | HTTP requests from command line | Makes the same requests your browser makes. |
| wget | Downloads files over HTTP/HTTPS/FTP | Same as clicking a download link. |
| httpie | Human-friendly HTTP client | curl with better UX. Same legality. |
| openssl s_client | TLS/SSL certificate inspection | Checks public certificate data. |
| testssl.sh | Tests TLS configuration of a server | Checks publicly advertised crypto config. Non-invasive. |
Log Analysis & SIEM
| Tool | What It Does | Why It’s Safe |
|---|---|---|
| Wireshark | GUI packet analyzer (your own traffic) | Analyzing your own captured traffic is always legal. |
| tcpdump | Command-line packet capture | Same — on your own interfaces. |
| Splunk | Log aggregation and search | Analyzes your own logs. |
| ELK Stack (Elasticsearch, Logstash, Kibana) | Log pipeline and visualization | Your own data. |
| Graylog | Centralized log management | Your own infrastructure. |
| OSSEC / Wazuh | Host-based intrusion detection | Monitors YOUR systems for intrusions. |
| Suricata | Network intrusion detection/prevention | Watches YOUR network traffic. |
| Snort | Network IDS/IPS | Same — your own traffic. |
| Zeek (formerly Bro) | Network analysis framework | Passive monitoring of your own network. |
| fail2ban | Bans IPs after failed auth attempts | Defends YOUR services. |
| CrowdSec | Collaborative IP reputation / IDS | Community threat intelligence. Defensive. |
OSINT (Open Source Intelligence)
| Tool | What It Does | Why It’s Safe |
|---|---|---|
| Shodan | Internet-wide device search engine | Queries an existing database. You’re not scanning — Shodan already did. |
| Censys | Internet-wide certificate and host search | Same principle as Shodan. Indexed public data. |
| Google Dorking | Advanced search operators to find exposed data | Using a search engine. The data was already public. |
| theHarvester | Collects emails, subdomains, IPs from public sources | OSINT aggregator. Public data only. |
| Maltego | Visual link analysis from public data sources | Connects public dots. |
| Recon-ng | Web reconnaissance framework | Queries public APIs and databases. |
| SpiderFoot | Automated OSINT collection | Aggregates public data sources. |
| OWASP Amass | Attack surface mapping from public sources | DNS enumeration, certificate transparency logs. Public data. |
Password & Credential Defense
| Tool | What It Does | Why It’s Safe |
|---|---|---|
| Have I Been Pwned | Checks if credentials appeared in breaches | Queries a public database. Checking YOUR email. |
| KeePass / Bitwarden | Password managers | Runs locally or on your infrastructure. |
| hashcat (your own hashes) | Password hash cracking | Auditing YOUR OWN password strength. |
| John the Ripper (your own hashes) | Password cracking | Same — testing YOUR OWN hashes for weakness. |
Black Hat Tools (Red Team / Legal ONLY With Written Authorization)
These tools actively probe, scan, exploit, or brute-force systems. Using them against your own infrastructure is fine. Using them against targets you have written authorization to test (penetration testing contract) is fine. Using them against anything else is a crime.
“But I was just learning” is not a defense.
“I didn’t mean to cause damage” is not a defense.
“The port was open” is not a defense.
Port Scanners & Network Mappers
| Tool | What It Does | Legal Risk |
|---|---|---|
| nmap | Port scanning, service detection, OS fingerprinting, NSE scripts | The canonical line-crosser. SYN scans, version detection, and NSE scripts against systems you don’t own = unauthorized access. |
| masscan | Fastest port scanner (entire internet in minutes) | Scans millions of IPs per second. If you’re running this against anything but your own range, you are attacking the internet. |
| Zmap | Single-port internet-wide scanner | Same as masscan. Research tool that becomes a weapon outside research authorization. |
| Unicornscan | Asynchronous TCP/UDP scanner | Port scanning. Same rules as nmap. |
| RustScan | Fast port scanner (feeds into nmap) | Speed wrapper for nmap. Same legal exposure. |
Vulnerability Scanners
| Tool | What It Does | Legal Risk |
|---|---|---|
| Nessus | Commercial vulnerability scanner | Sends exploit probes. Each probe is a potential unauthorized access attempt against unowned targets. |
| OpenVAS | Open-source vulnerability scanner (Nessus fork) | Same. Probes for known vulnerabilities. Without auth: illegal. |
| Nuclei | Template-based vulnerability scanner (ProjectDiscovery) | Fires hundreds of detection templates. .env files, admin panels, misconfigs, CVEs. Fast, thorough, and illegal against unowned targets. |
| Nikto | Web server vulnerability scanner | Checks for thousands of dangerous files and misconfigs. Every check is a request to a server you may not own. |
| WPScan | WordPress-specific vulnerability scanner | Enumerates plugins, themes, users. Checks for known WordPress CVEs. Against someone else’s blog: crime. |
| SQLMap | Automated SQL injection detection and exploitation | Sends malicious SQL payloads. This isn’t scanning — this is active exploitation. |
| WhatWeb | Website fingerprinting | Identifies CMS, frameworks, server versions. Reconnaissance for targeting. |
| Wapiti | Web application vulnerability scanner | Tests for XSS, SQLi, file inclusion, command injection against a target. |
| Arachni | Web application security scanner | Comprehensive web vuln scanner. Active probing. |
Directory & Content Discovery
| Tool | What It Does | Legal Risk |
|---|---|---|
| Gobuster | Directory/file brute-forcing | Hammers a web server with thousands of path guesses (/admin, /.env, /backup, /wp-login). |
| DirBuster | OWASP directory brute-forcer (Java GUI) | Same as Gobuster. Older, slower, same legal risk. |
| Feroxbuster | Fast recursive content discovery (Rust) | Gobuster but faster and recursive. More requests, more risk. |
| ffuf (Fuzz Faster U Fool) | Web fuzzer for directories, parameters, headers | Generalized fuzzing. Sends thousands of malformed/guessed requests. |
| wfuzz | Web fuzzer | Same category as ffuf. Parameter and path fuzzing. |
| DotDotPwn | Path traversal vulnerability scanner |
Specifically tests for ../../etc/passwd style attacks. Active exploitation. |
Exploitation Frameworks
| Tool | What It Does | Legal Risk |
|---|---|---|
| Metasploit | The exploitation framework. Modules for scanning, exploiting, pivoting, post-exploitation. | The nuclear option. If you’re running Metasploit against a target without authorization, you are conducting a cyberattack. Full stop. |
| Cobalt Strike | Commercial adversary simulation / C2 framework | Nation-states and APTs use leaked copies. Legitimate red teams use licensed copies. The tool doesn’t know the difference. |
| Sliver | Open-source C2 framework | Adversary emulation. Implant generation, encrypted C2 channels. |
| Empire (PowerShell/Python) | Post-exploitation framework | Runs after you’re already in. Lateral movement, persistence, data exfiltration. |
| BeEF (Browser Exploitation Framework) | Hooks browsers for client-side attacks | Exploits browsers. XSS delivery framework. |
Credential Attacks
| Tool | What It Does | Legal Risk |
|---|---|---|
| Hydra | Network login brute-forcer (SSH, FTP, HTTP, SMB, etc.) | Tries username/password combinations against login services. Against systems you don’t own: unauthorized access. |
| Medusa | Parallel brute-forcer | Same as Hydra. Different implementation. |
| Burp Suite | Web proxy for intercepting and modifying HTTP traffic | Free version is gray (see below). Professional with active scanning against unowned targets: illegal. |
| hashcat (stolen hashes) | GPU-accelerated password cracking | Cracking YOUR OWN hashes = audit. Cracking STOLEN hashes = criminal. |
| John the Ripper (stolen hashes) | CPU password cracking | Same distinction. |
| Mimikatz | Windows credential dumper | Extracts passwords, hashes, Kerberos tickets from memory. Legendary post-exploitation tool. |
| CrackMapExec | Active Directory credential testing | Sprays credentials across AD. Without authorization: mass unauthorized access. |
| Responder | LLMNR/NBT-NS/MDNS poisoner | Man-in-the-middle on local network. Captures NTLMv2 hashes. |
| Impacket | Network protocol toolkit (SMB, Kerberos, LDAP, MSSQL) | Swiss army knife for Windows network exploitation. |
Wireless Attacks
| Tool | What It Does | Legal Risk |
|---|---|---|
| Aircrack-ng | WiFi cracking suite (capture, deauth, crack) | Cracking someone else’s WiFi = unauthorized access to a computer network. |
| Kismet | Wireless network detector/sniffer | Passive listening is gray. Active probing is black. |
| Wifite | Automated WiFi attack tool | Wraps aircrack. Point and shoot. |
| Bettercap | Network attack suite (ARP spoof, DNS spoof, proxy) | Man-in-the-middle toolkit. On your own network: lab tool. On others: wiretapping. |
| Fluxion | Evil twin / captive portal attack | Creates fake WiFi access points. Social engineering + unauthorized access. |
Web Exploitation
| Tool | What It Does | Legal Risk |
|---|---|---|
| XSStrike | XSS scanner and exploiter | Actively tests for cross-site scripting. Sends payloads to forms you don’t own. |
| Commix | OS command injection exploiter | Tests for and exploits command injection. Active exploitation. |
| NoSQLMap | NoSQL injection scanner | SQLMap but for MongoDB/CouchDB. |
| JWT_Tool | JWT token testing and forging | Testing YOUR auth: fine. Forging tokens for unauthorized access: criminal. |
Social Engineering
| Tool | What It Does | Legal Risk |
|---|---|---|
| Gophish | Phishing simulation platform | Against your own employees with HR approval: security training. Against anyone else: fraud. |
| SET (Social Engineering Toolkit) | Credential harvesting, phishing, USB attacks | Phishing framework. Authorization-only. |
| King Phisher | Phishing campaign toolkit | Same as Gophish. |
| Evilginx2 | Reverse proxy for phishing (bypasses MFA) | Advanced phishing. Captures session tokens. |
Gray Hat Tools (Purple Team / Context Determines Legality)
These tools live on the line. They have clear legitimate uses, but they also show up in attack chains. Whether they’re legal depends entirely on how and where you use them.
HTTP Proxies & Interceptors
| Tool | What It Does | The Line |
|---|---|---|
| Burp Suite Community | HTTP proxy, request intercept/replay | Intercepting YOUR traffic to YOUR servers = debugging. Intercepting other people’s traffic = wiretapping. |
| mitmproxy | CLI HTTP/HTTPS interception proxy | Same. Your own traffic or authorized testing only. |
| ZAP (OWASP Zed Attack Proxy) | Web app security scanner + proxy | Passive scanning of your own app: fine. Active scanning of someone else’s: illegal. |
| Fiddler | Windows HTTP debugging proxy | Mostly used for debugging. Can intercept anything on the machine. |
| Charles Proxy | macOS/Windows HTTP proxy | Developer debugging tool that happens to be a MitM proxy. |
Reconnaissance
| Tool | What It Does | The Line |
|---|---|---|
| httpx (ProjectDiscovery) | HTTP probe and technology detection | Probes hosts to check if they’re alive. Single probes are basically curl. Mass probing is scanning. |
| subfinder | Subdomain discovery from passive sources | Queries public APIs. Doesn’t touch the target. Safe unless you use results to attack. |
| dnsx | Multi-purpose DNS toolkit | DNS queries: safe. Mass enumeration to build attack target lists: intent matters. |
| Gobuster DNS mode | DNS subdomain brute-forcing | Sends thousands of DNS queries. Not illegal per se, but brute-force querying is aggressive. |
| Sublist3r | Subdomain enumeration | Aggregates from search engines and public sources. Passive. |
| Fierce | DNS reconnaissance tool | Zone transfer attempts + brute force. Zone transfers against unowned domains: gray. |
| enum4linux | Windows/Samba enumeration | Extracts user lists, shares, policies from SMB. Against your own AD: audit. Against others: recon for attack. |
| Finger | User information protocol | Ancient protocol. Querying public finger servers: legal but weird in 2026. |
| SNMP walk | SNMP device enumeration | Public community strings on your own devices: audit. Guessing strings on others: unauthorized access attempt. |
Scripting & Automation
| Tool | What It Does | The Line |
|---|---|---|
| Python requests | HTTP library | A library. Not a weapon. But it builds weapons. Every scanner uses it. |
| Scrapy | Web scraping framework | Scraping public data: legal (usually). Ignoring robots.txt, bypassing rate limits, harvesting private data: varies by jurisdiction. |
| Selenium / Playwright | Browser automation | Testing your own app: QA. Automating credential stuffing: crime. |
| Headless Chrome | Chromium without GUI | Same as Selenium. The intent and target determine legality. |
| Go net/http | Go HTTP client | Same as Python requests. The language doesn’t matter. The target does. |
| PhantomJS | Headless browser (deprecated but still seen) | Scraping, automation, testing. Legal depends on usage. |
Crawlers & Bots
| Tool | What It Does | The Line |
|---|---|---|
| Googlebot | Google’s web crawler | Google has implicit authorization from the web. You pretending to be Googlebot do not. |
| Bytespider | ByteDance’s crawler | Aggressive crawler. Legal for ByteDance. Spoofing its UA: not your authorization. |
| GPTBot | OpenAI’s web crawler | Respects robots.txt. Legal for OpenAI. |
| ClaudeBot | Anthropic’s web crawler | Same. Legitimate when operated by Anthropic. |
| SemrushBot | SEO research crawler | Legitimate SEO tool. Aggressive crawling may violate ToS. |
| AhrefsBot | SEO backlink crawler | Same category as Semrush. |
| Custom bots | Your own crawler | Legal against sites you own or that permit crawling. Check robots.txt. Check ToS. |
Network Utilities
| Tool | What It Does | The Line |
|---|---|---|
| Netcat (nc) | Raw TCP/UDP connections | The “Swiss army knife.” Read banners: gray. Open reverse shells: black. |
| socat | Advanced netcat (bidirectional streams) | Same as netcat with more features. |
| Ncat | Nmap’s netcat (with SSL support) | Netcat with crypto. Same legal considerations. |
| hping3 | TCP/IP packet crafter | Craft custom packets. Testing your own firewall: smart. Crafting packets to exploit someone else: attack. |
| Scapy | Python packet manipulation | Build any packet. Power tool that’s also a weapon. |
Container & Infrastructure
| Tool | What It Does | The Line |
|---|---|---|
| Docker | Container runtime | Running your own containers: infrastructure. Escaping someone else’s container: exploitation. |
| kubectl | Kubernetes CLI | Managing YOUR cluster: devops. Accessing exposed dashboards: unauthorized access. |
| Terraform | Infrastructure as code | Your own infra: automation. Someone else’s exposed state file: data breach. |
| Ansible | Configuration management | Your own servers: ops. Someone else’s via stolen SSH keys: lateral movement. |
The Attack Paths (What Scanners Look For)
Every automated scanner — legitimate or malicious — hammers the same paths. These are the fingerprints we see in server logs. If YOUR server is being hit with these requests, someone is running the tools above against you.
Environment & Config Files
/.env
/.env.backup
/.env.production
/.env.staging
/.env.local
/wp-config.php.bak
/wp-config.php.old
/config.php.bak
/application.yml.bak
/.aws
/.ssh/authorized_keys
/.ssh/id_rsa
/credentials.txt
/secrets.json
/private.keyThese files should never be web-accessible. If a scanner finds them on your server, you have a misconfiguration, not a hacking problem. The scanner just found the door you left open.
Version Control Exposure
/.git/config
/.git/HEAD
/.svn/entries
/.hg/store
If /.git/config is accessible on your production server, an attacker can reconstruct your entire source code history. Deploy artifacts, not repositories.
CMS & Admin Panels
/wp-login.php
/wp-admin/admin-ajax.php
/xmlrpc.php
/wp-content/uploads/
/wp-includes/
/phpMyAdmin
/phpmyadmin
/pma
/admin
/administratorWordPress alone powers ~40% of the web. Every scanner checks for it. If you don’t run WordPress, these requests are noise. If you do, lock it down.
Cloud Metadata (SSRF Targets)
/latest/meta-data/ (AWS)
/metadata/v1/ (GCP)
/computeMetadata/v1/ (GCP)These are Server-Side Request Forgery targets. If an attacker can make your server request these URLs internally, they get your cloud credentials. This is how Capital One lost 100 million records.
Framework Debug Endpoints
/actuator/env (Spring Boot)
/actuator/health
/actuator/gateway
/debug/pprof (Go)
/debug/vars (Go)
/server-status (Apache)
/server-info (Apache)
/telescope (Laravel)
/api/v1/pods (Kubernetes)
/jenkins
/solr
/jmx-console
/web-console
/invokerDebug endpoints left enabled in production. Each one is a window into your infrastructure that you forgot to close.
PHP/CGI Legacy
/vendor/phpunit/
/phpinfo.php
/info.php
/cgi-bin/
/shell
/cmd
/exec
/setup.cgi
/boaform (embedded device firmware)Ancient PHP and CGI paths that still get scanned in 2026 because servers running decade-old software still exist.
Backup & Database Dumps
/backup/database.sql.gz
/backup/database.sql
/dump/credentials.csv
/dump/users.sql
/db-backup.tar.gzIf these exist on your web server, you don’t need a scanner to tell you — you need an incident response team.
How Scanners Get Caught
Automated tools have tells. They’re efficient but they’re not subtle.
User-Agent Strings
Most tools announce themselves:
nmap scripting engine
nikto
nuclei
openvas
nessus
sqlmap
gobuster
dirbuster
feroxbuster
fuzz faster u fool
dotdotpwn
whatweb
wpscan
zgrab
masscan
projectdiscovery
httpx/
hydra
Some tools let you change the User-Agent. Smart attackers do. But the request patterns still give them away — no legitimate browser requests /.env.backup followed by /.git/config followed by /actuator/env in the span of 200 milliseconds.
Behavioral Fingerprints
Even without a telltale User-Agent, scanners betray themselves through:
- Request velocity: 50+ unique paths per minute from a single IP
- Error ratio: 95%+ of requests returning 404/403
- Path patterns: Hitting known vulnerability paths in alphabetical order (dictionary attack)
- No referrer, no cookies, no JavaScript: Bots don’t browse. They enumerate.
- Sequential scanning: Hitting every host on a subnet in IP order
- robots.txt violations: Requesting paths explicitly disallowed — many scanners fetch robots.txt first to find interesting paths to scan
The Legal Framework
United States
Computer Fraud and Abuse Act (CFAA), 18 U.S.C. 1030: Accessing a computer without authorization or exceeding authorized access. Penalties: up to 10 years for first offense, 20 for subsequent.
Port scanning without authorization has been prosecuted. “I was just checking if the port was open” doesn’t work when you checked 65,535 ports across 254 hosts.
United Kingdom
Computer Misuse Act 1990: Unauthorized access to computer material. Up to 2 years imprisonment. If you cause damage or intend to facilitate further offense: up to 10 years.
European Union
Directive 2013/40/EU: Criminalizes unauthorized access, system interference, and data interference across all member states. Individual nations implement their own penalties.
The Authorization Defense
The only thing that separates a penetration tester from a criminal is a signed statement of work. Written scope. Defined targets. Time windows. Escalation contacts. Get it in writing before you touch a single packet.
The Taxonomy (Complete Reference)
| Tool | Safe | Auth Required | Never Safe |
|---|---|---|---|
| dig, nslookup, host, whois | X | ||
| ping, traceroute, mtr | X | ||
| curl, wget, httpie | X | ||
| Wireshark (own traffic) | X | ||
| Shodan, Censys (queries) | X | ||
| fail2ban, Suricata, Snort | X | ||
| Have I Been Pwned | X | ||
| openssl s_client, testssl.sh | X | ||
| theHarvester, Maltego, Recon-ng | X | ||
| OWASP Amass, SpiderFoot, subfinder | X | ||
| Burp Suite (passive, own traffic) | X | ||
| nmap (own network) | X | ||
| nmap (others’ network) | X | ||
| masscan, Zmap | X | ||
| Nessus, OpenVAS, Nuclei | X | ||
| Nikto, WPScan, WhatWeb | X | ||
| Gobuster, DirBuster, Feroxbuster, ffuf | X | ||
| SQLMap, Commix, NoSQLMap | X | ||
| Metasploit, Cobalt Strike, Sliver | X | ||
| Hydra, Medusa, CrackMapExec | X | ||
| Aircrack-ng, Wifite, Bettercap | X | ||
| Mimikatz, Impacket, Responder | X | ||
| Gophish, SET (authorized) | X | ||
| Evilginx2, Fluxion | X* | ||
| DotDotPwn | X |
\Evilginx2 and Fluxion are designed specifically for credential theft. Even in authorized engagements, their use requires explicit legal review because they intercept real credentials and may violate wiretap laws depending on jurisdiction.*
What This Means for You
If you’re building infrastructure, you will be scanned. Every server connected to the internet receives automated probe traffic within minutes of going online. This isn’t targeted — it’s industrial. Botnets and research scanners sweep every IPv4 address continuously.
Defense is not optional. It’s table stakes.
-
Don’t serve what shouldn’t be served. No
.envfiles, no.gitdirectories, no debug endpoints in production. - Monitor your logs. The paths above are signatures. If you see them, someone is scanning you.
- Rate limit. Legitimate users don’t request 200 unique paths per minute.
-
Honeypot. Serve fake responses on paths that shouldn’t exist. Anyone requesting
/.env.backupisn’t a customer. - Ban on behavior, not on IP. IPs rotate. Behavioral patterns don’t.
If you’re learning security, use your own infrastructure. Spin up a lab. Use unsandbox.com to run sandboxed containers. Point your tools at things you own.
Curiosity is not a crime. But unauthorized access is — regardless of what you were curious about.
Agent Blackops is the operational persona for unsandbox.com infrastructure research. This post does not constitute legal advice. Consult an attorney in your jurisdiction before conducting any security testing.