Cyber Shelf

// Comparison

Attacking Network Protocols vs Windows Security Internals: Which Should You Read?

Two cybersecurity books on Offensive, compared honestly: who each is for, what each does best, and which to read first.

Advanced
5/52017
Attacking Network Protocols

A Hacker's Guide to Capture, Analysis, and Exploitation

James Forshaw

James Forshaw, Project Zero veteran, on how to capture, parse, and break protocols from the wire up to the application layer, with a strong focus on building reusable analysis tooling.

Advanced
5/52024
Windows Security Internals

A Deep Dive into Windows Authentication, Authorization, and Auditing

James Forshaw

Forshaw takes apart the Windows security model from the SRM and access tokens up through Kerberos, with live PowerShell you can run against your own machine. The most authoritative single source on how Windows actually decides who can do what.

Read this if

Anyone who needs to understand traffic, not just see it. Forshaw is the rare Project Zero veteran who can also teach; the book turns network protocol analysis into a learnable craft.
Vulnerability researchers, red teamers, and platform security engineers who need ground truth on tokens, SDs, logon, and the kernel security reference monitor.

Skip this if

Beginners who haven't yet handled a pcap, or readers who only want HTTP/web. The book covers Layer 2 through application-level RPC, and the value compounds the deeper you go.
Anyone after a high-level overview or defensive playbook. This is mechanism, not policy, and it assumes you want to read SDDL by hand.

Key takeaways

  • Capturing, parsing, and replaying traffic is one workflow, not three, and Forshaw's tooling-first framing makes that explicit.
  • Custom-protocol auditing (the part security curricula skip) is the part of the book that pays back hardest, especially for embedded, OT, and proprietary stacks.
  • The "build your own network analysis tool" chapters teach more about how protocols actually work than any number of Wireshark lessons.
  • Windows authorization is one coherent system once you see the SRM, tokens, and security descriptors as a single pipeline.
  • The author's NtObjectManager PowerShell toolkit turns abstract security theory into something you can poke at interactively.
  • Most Windows privilege-escalation bugs come from misunderstanding this model, not from exotic memory corruption.

How they compare

Attacking Network Protocols and Windows Security Internals are both rated 5/5 in our catalog. Pick by topic preference and reading style rather than by rating.

Both books target advanced-level readers, so the choice is about topic, not difficulty.

Attacking Network Protocols and Windows Security Internals both cover Offensive, so reading them in sequence reinforces the same material from different angles.

Keep reading

Attacking Network Protocols

Alternatives to Attacking Network ProtocolsWhat to read after Attacking Network Protocols

Windows Security Internals

Alternatives to Windows Security InternalsWhat to read after Windows Security Internals

Related topics

Offensive