Red Teamers know: we have to keep RTFM-ing, especially in the API-driven world. The APIs docs will give you far more access than you might imagine. 1/n

Look for the words “soon to be deprecated” and “not recommended,” especially if these API endpoints or authentication approaches were once defaults. 2/n

Look for default authorizations (roles, capabilities,...) - even when these seemingly aren’t being used, they may still be available. 3/n

Fingerprint what tool or library deployed the environment/cluster/application. Read its APIs and tutorials. The most popular tutorials create a kind of second/third/... set of default configuration. 4/n

If something you’ve seen, read and/or tried before isn’t working, RTFM and search the web: did the API change, is there a header required for what you’re doing that wasn’t needed before, is your authentication token still fresh? 5/n

Can you script your API calls so they freshen their own token/session/fingerprint inline with the request? 6/n

Is this easier with another tool or language/library? 7/n

Do you need to evade detection by limiting/paging/cursoring the output so your API calls look like standard tools? 8/n

Might two heads be better than one? (Or n+1 better than n?) Who can you ask about this? 9/n

Can you talk to anyone at the API provider or one if it’s most popular consumers? 10/n

Have you checked for blogs, conference talks, and not-yet-famous tools? Even if you can’t bring tools (limited network access, need to “live off the land” for stealth, can’t install an interpreter/compile for this platform), you can answer questions by reading tool source. 11/n

Is it time to script, so you can loop over more things/all the things, save intermediate results and search those later without having to make more API calls? 12/n

In these days of quick free cloud credit, as well as Vagrant, Ansible, Terraform, etc, can you test your API calls and scripts against your own sample platform before you try them against your red team client? 13/n

Can you construct or even test your API calls using an online tool, particularly one that’s built into the API’s documentation site? 14/n

Meta-post: Have you asked your community to collaborate with you on your blog post? @dinodaizovi @IanColdwater @bradgeesaman @3nc0d3r @dmay3r @faithanalog @cj_cullen @mrgcastle 0/n