// Comparison

Practical Social Engineering vs The Hacker Playbook 3: Which Should You Read?

Two cybersecurity books on Pentesting, compared honestly: who each is for, what each does best, and which to read first.

Intermediate
4/5
2022
Practical Social Engineering

A Primer for the Ethical Hacker

Joe Gray

Joe Gray's working manual for the social-engineering side of red team and threat intel: OSINT-driven recon, pretexting, phishing infrastructure, and the legal and ethical boundaries that separate professional work from criminal activity.

Intermediate
4/5
2018
The Hacker Playbook 3

Practical Guide to Penetration Testing — Red Team Edition

Peter Kim

Peter Kim's hands-on red-team field manual: assumed-breach scenarios, lateral movement, AV/EDR evasion, and the operational rhythm of a real engagement rather than a checklist of CVEs.

Read this if

Practical Social Engineering: Red teamers, fraud investigators, and threat-intel analysts who need to operationalize social engineering as a discipline rather than a stunt. Strongest for the OSINT-to-pretext pipeline — Gray shows how recon directly shapes what your call sounds like.
The Hacker Playbook 3: Junior-to-mid red teamers and pentesters moving past CTFs into corporate engagements who want a coherent narrative of how an op flows. The strongest part is the assumed-breach mindset — the assumption that you start from a foothold and have to make it count.

Skip this if

Practical Social Engineering: Readers wanting Mitnick-style war stories. Gray writes like a practitioner, not a memoirist; the book is procedural and careful, not dramatic. It is also light on adversarial deepfake and voice-clone tradecraft, which is where the field has moved since 2022.
The Hacker Playbook 3: Readers expecting 2024-current tradecraft. Cobalt Strike, Sliver, EDR-bypass research, and modern identity attacks (AAD, conditional access, OAuth abuse) have all moved on since 2018. Treat the techniques as concepts, not commands.

Key takeaways

  • Recon is the engagement: a pretext that doesn't survive contact with the target's reality is a recon failure, not a delivery failure.
  • Documentation, scoping, and consent are not bureaucratic overhead; they are what separate professional social engineering from the criminal kind.
  • OSINT and SE are the same workflow viewed from two sides — what you can find is what you can credibly claim to know.
  • Assumed breach is the right starting frame for almost any modern engagement; perimeter-to-DA scenarios are increasingly fiction.
  • The book's value is the workflow — recon, foothold, escalate, persist, exfil — not the specific tools used to demonstrate it.
  • Pair every chapter with a current blog source; the toolchain rotates faster than print can track.

How they compare

Practical Social Engineering and The Hacker Playbook 3 are both rated 4/5 in our catalog. Pick by topic preference and reading style rather than by rating.

Both books target intermediate-level readers, so the choice is about topic, not difficulty.

Practical Social Engineering and The Hacker Playbook 3 both cover Pentesting, so reading them in sequence reinforces the same material from different angles.
