I once spent 20 minutes on a red team engagement searching for a Mimikatz command I had definitely written down somewhere.

It was in a Microsoft Teams chat. From myself. To myself. Sent 8 months ago.

That was the moment I realized my “system” was actually just chaos with extra steps. I had notes in Notion, screenshots in Downloads, bookmarks in Chrome, and half-remembered commands floating in my head like lost packets.

So I built something dumber, stricter, and way more useful.


Why Obsidian?

Because it is just markdown files on disk. No cloud. No subscription. No loading spinner when you are on a client network that blocks half the internet.

I can grep it. I can sync it with Git. I can open it on a Kali VM without installing Electron apps. And when I inevitably break something, I can fix it with sed.

The plugins are nice. The graph view is pretty. But the real win is this: your notes are plain text that you actually own.


My Vault: The Honest Tour

Here is what it actually looks like:

  00 - Inbox/            ← chaos goes here first
  10 - Engagements/      ← active ops, CTFs, client work
  20 - Knowledge Base/   ← the permanent stuff
  30 - Resources/        ← cheatsheets, configs, wordlists
  40 - Personal/         ← books, journal, mental health
  50 - Alter Ego/        ← bug bounty, side projects
  90 - Meta/             ← templates, old garbage

The numbers force order. The names force honesty. 50 - Alter Ego exists because I do not want my bug bounty recon notes mixed with my day job red team ops. Different legal contexts, different mental modes, same tired brain.

The real workflow:

  1. During an engagement, everything lives in 10. Raw commands, screenshots, client-specific findings, random observations at 3 AM.
  2. After the engagement, I spend 30 minutes deciding: does any of this deserve to live forever?
  3. If yes, it gets rewritten into a clean Technique Note in 20 and linked from a cheatsheet in 30.
  4. If no, it stays in 10 or gets deleted. Most of it gets deleted.

This is the part nobody talks about. A knowledge base is not a hoard. It is a curation.


The 3 Note Types (And When I Break My Own Rules)

I forced myself into three buckets because without constraints, I will write Windows Stuff v3 FINAL ACTUAL.md and hate myself later.

1. Technique Note

One concept. One note. The source of truth.

My Pass the Hash note has:

  • What it actually is (2 sentences, no fluff)
  • Prerequisites (credentials, NTLM hash, local admin)
  • Execution (Mimikatz, Impacket, Cobalt Strike — each in its own subsection)
  • Detection / OPSEC (because I am not a barbarian)
  • Related links (Pass the Ticket, Overpass the Hash, KRBTGT)

It is not pretty. It is scannable. I can find the exact command in 5 seconds at 2 AM while a client watches my screen.

2. Cheatsheet Note

Fast. Ugly. Linked back to the technique note.

My Windows Post-Exploitation Quick Reference is just commands with one-line context. No theory. No explanation. It lives on my second monitor during engagements.

If a cheatsheet starts getting large, that is a signal. Either the technique note is incomplete, or I am trying to make a cheatsheet do the job of a technique note.

3. Draft Note

Rough capture. Copied from Twitter. Pasted from a PDF. Barely English.

I mark these so I know not to trust them:

  ---
  type: draft
  status: inbox
  ---

Drafts are fine. Drafts pretending to be permanent notes are how you end up running a command from a half-finished note and wondering why it does not work.

When I break the rules: Sometimes I write a Pass the Hash - From Linux note because the Linux workflow is genuinely different enough to deserve its own space. But I ask myself first: “Am I splitting this because it is different, or because I am too lazy to scroll?” Most of the time, it is laziness. I add a Variants section instead.


The Rule That Actually Matters

One concept gets one main note.

This sounds obvious until you realize you have:

  • Pass The Hash.md in your Kerberos folder
  • 02-Pass the Hash.md in your User Impersonation folder
  • PTH quick ref.md in your cheatsheets
  • And a Teams message to yourself with the exact same command

I have been there. I have done that. I have deleted the duplicates and kept the one in 20 - Knowledge Base/Active Directory/04-User Impersonation/02-Pass the Hash.md because that is where it actually belongs.

The test is simple: if you search for a concept and get 4 results, your system is broken.


Retrieval > Capture

Anyone can dump text. The skill is finding it 6 months later when you are stressed, sleep-deprived, and a client is watching.

Real example:

I named a note SQL Injection - MySQL Error Based instead of Web Stuff or SQLi payloads. Six months later, during a web app pentest, I needed the exact payload for extracting the database version through error-based injection. I typed error based in Obsidian search. Found it in 3 seconds. Copied the payload. It worked on the first try.

That is the difference between naming notes for search and naming notes for your ego.

Tag philosophy: I use maybe 10 tags total. Platform (windows, linux), theme (persistence, lateral-movement), and sometimes an ATT&CK ID (t1003.001). I do not tag things security or cyber or notes. Those tags mean nothing. They are noise.


What I Screwed Up (So You Don’t Have To)

My vault is not Instagram-perfect. I have a 25 - General IT & Networking folder that became a black hole for everything I did not know where to put. I have duplicate stubs for techniques I wrote twice because I forgot the first one existed. I have a file named h5.md and I genuinely do not remember what it is. I am afraid to open it.

The point is not perfection. The point is having a system simple enough that you can clean it up in an afternoon when it drifts.

What I would do differently if I started today:

  1. Start with cheatsheets, not encyclopedias. Write what you actually use on engagements. Do not try to build a Wikipedia for hackers on day one. You will burn out and stop.
  2. Name notes for your 2 AM self. Not your current self who understands the context. Your future self who is panicking and needs the answer in 5 seconds.
  3. Delete more. I used to keep everything “just in case.” Now I delete aggressively. If I have not touched a draft in 3 months, it was not important. The good stuff sticks around because I use it.
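A small audit script that applies two of these rules mechanically: the one-concept-one-note rule from the previous section (it flags notes whose names collapse to the same concept, such as Pass The Hash.md and 02-Pass the Hash.md) and item 3's three-month cutoff for notes carrying the type: draft frontmatter shown earlier. This is an added example, not part of the original post or any Obsidian vault; the numeric-prefix pattern, the 90-day cutoff and using file mtime as "last touched" are my assumptions.

```python
"""Vault audit: flag notes that break the one-concept-one-note rule and
drafts (frontmatter ``type: draft``) untouched for more than 90 days.
Added example; assumes simple ``key: value`` frontmatter and numeric
filename prefixes such as ``02-``.
"""
import os
import re
import time
from collections import defaultdict

FRONTMATTER_RE = re.compile(r"\A---\n(.*?)\n---(?:\n|\Z)", re.S)
PREFIX_RE = re.compile(r"^\d+[-_ ]*")  # assumed prefix convention, e.g. "02-"

def parse_frontmatter(text):
    """Return the flat key: value pairs of a YAML frontmatter block (no nesting)."""
    match = FRONTMATTER_RE.match(text)
    if not match:
        return {}
    fields = {}
    for line in match.group(1).splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    return fields

def concept_key(filename):
    """Normalise a note name so 'Pass The Hash.md' and '02-Pass the Hash.md' collide.
    Deliberately simple: abbreviations like 'PTH quick ref' are not aliased."""
    stem = os.path.splitext(os.path.basename(filename))[0]
    stem = PREFIX_RE.sub("", stem)
    return re.sub(r"[^a-z0-9]+", " ", stem.lower()).strip()

def audit_vault(root, now=None, stale_days=90):
    """Walk the vault; return duplicate concepts and stale drafts (paths relative to root)."""
    now = time.time() if now is None else now
    by_concept = defaultdict(list)
    stale_drafts = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if not name.endswith(".md"):
                continue
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            by_concept[concept_key(name)].append(rel)
            with open(path, encoding="utf-8") as fh:
                meta = parse_frontmatter(fh.read())
            age_days = (now - os.path.getmtime(path)) / 86400  # mtime as "last touched"
            if meta.get("type") == "draft" and age_days > stale_days:
                stale_drafts.append(rel)
    duplicates = {k: sorted(v) for k, v in by_concept.items() if len(v) > 1}
    return {"duplicates": duplicates, "stale_drafts": sorted(stale_drafts)}
```

Run it as `audit_vault("/path/to/vault")` during the monthly review; a non-empty `duplicates` map is the "4 results for one concept" failure, and `stale_drafts` is the delete list.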

If You Are Starting From Zero

This is my system. It works for me because I built it around how my brain actually functions. Your brain is different. Your workflow is different. Your job is different.

Do not copy my folder structure exactly. Do not copy anyone’s. Steal the ideas that make sense. Throw out the ones that do not. Break the rules on day one. The only wrong way to take notes is to spend more time organizing than doing the actual work.

Try something. Use it for two weeks. If it sucks, change it. If it works, keep it. Adapt until it feels invisible.

That said, here are the principles that survived my own chaos:

  1. Flat first. Three to five top-level folders. You can always split later. If you start with 20 nested folders, you will spend more time organizing than learning.
  2. One concept, one note. Add variants inside the same note before creating another file.
  3. Review monthly. 30 minutes. Move drafts. Delete garbage. Fix filenames. It compounds faster than you think.
  4. Optimize for retrieval, not capture. The best note is the one you can find when you need it. Not the most complete note. The most findable note.

Closing

I still have 40 browser tabs open. I still screenshot things and forget about them. I still have that h5.md file lurking in my vault like a ghost.

But when I am on an engagement and I need to know exactly how to abuse WMI for persistence, or how to bypass SSL pinning on a Flutter app, or what the exact Mimikatz syntax is for dumping LSASS — I know where to look. And I find it in seconds.

That is the whole game. Not being the smartest person in the room. Being the person who actually wrote things down properly.

“The quieter you become, the more you can hear.”

“Also, name your files properly or you will hate yourself later.”

— Me, at 3 AM, probably