Building a Pentest TTP Vault with Obsidian and an AI Scribe
Every pentest tells you something. Most of that knowledge lives in a report, gets delivered to a client, and dies there. The next engagement starts from scratch.
I got tired of that. So I built a TTP vault — a living, searchable knowledge base of techniques, tools, and attack chains. Here’s the architecture.
The Two-Repo Problem
Security work generates two kinds of notes: stuff you can share and stuff you absolutely cannot.
Client hostnames, internal IP ranges, org-specific findings, screenshots of prod systems — that’s private, forever. But the underlying technique? NTLM coercion via a misconfigured print spooler is the same technique regardless of which client’s network you found it on. That knowledge should be portable.
The solution is two repos with a hard separation:
| What | Where |
|---|---|
| Raw notes, client context, work-in-progress | Private iCloud vault (Obsidian only, never public) |
| Sanitized techniques, public portfolio | GitHub repo (no client details, ever) |
The rule is simple: before anything leaves the private vault, you strip it of every client-specific detail. What remains is the technique, the tool syntax, and the context for why it works.
The Vault Structure
The Obsidian vault is organized by ATT&CK-adjacent phases:
ttps/recon/
ttps/coercion/
ttps/credential-access/
ttps/lateral-movement/
ttps/persistence/
tools/
playbooks/
_templates/
Templates matter. A TTP note without a consistent schema is just a text file. The template enforces: technique name, MITRE mapping, detection surface, tool syntax, references. Playbooks chain TTPs into full attack sequences.
Where the AI Comes In
The friction in knowledge management isn’t the ideas — it’s the transcription. After an engagement, you have notes, terminal history, and a head full of context that will be gone in a week.
I run OpenClaw as a self-hosted AI agent with shell access and file write permissions. When I say “document this TTP,” it takes my rough notes, formats them against the template, fills in the MITRE mapping, and writes the file directly to the vault. Obsidian picks it up immediately.
The AI also handles the sanitization step for the public repo — given a private note, it strips client context and produces a clean version ready for GitHub. I review before pushing, but the mechanical work is done.
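A pre-push check for the private-to-public boundary described above, as an added example that is neither the post's nor OpenClaw's code: it flags RFC 1918 addresses and any term from a client list you maintain, and confirms the template fields are present before a note is allowed into the public repo. The sample notes, the client terms and the field names are constructed assumptions.

```python
import re

# Template fields the post's schema requires (constructed names, not OpenClaw's).
REQUIRED_FIELDS = ("technique", "mitre", "detection", "syntax", "references")

# RFC 1918 IPv4 ranges: any match is client network context and never public.
PRIVATE_IP = re.compile(
    r"\b(?:10\.\d{1,3}\.\d{1,3}\.\d{1,3}"
    r"|172\.(?:1[6-9]|2\d|3[01])\.\d{1,3}\.\d{1,3}"
    r"|192\.168\.\d{1,3}\.\d{1,3})\b"
)

def find_leaks(text, client_terms):
    """Return (kind, value) findings that would violate client confidentiality."""
    findings = [("private_ip", m.group(0)) for m in PRIVATE_IP.finditer(text)]
    lowered = text.lower()
    for term in client_terms:  # hostnames, org names, ticket prefixes you maintain
        if term.lower() in lowered:
            findings.append(("client_term", term))
    return findings

def missing_fields(text):
    """Return required template fields absent from the note's 'key: value' lines."""
    present = {m.group(1).lower() for m in re.finditer(r"^([\w-]+):", text, re.M)}
    return [f for f in REQUIRED_FIELDS if f not in present]

def ready_to_publish(text, client_terms):
    """True only when the note is schema-complete and free of client residue."""
    return not find_leaks(text, client_terms) and not missing_fields(text)

# Constructed sample: the private-vault version, which must never be pushed.
PRIVATE_NOTE = """technique: NTLM coercion via print spooler
mitre: T1187
detection: unexpected outbound authentication from the print server
syntax: <coercion tool> <listener> <target>
references: <internal ticket>
Found on acme-dc01 (10.20.30.40) during the ACME engagement.
"""
# Constructed sample: the same note after the sanitization pass (last line replaced).
PUBLIC_NOTE = PRIVATE_NOTE.rsplit("\n", 2)[0] + "\nClient context removed.\n"
CLIENT_TERMS = ["acme"]  # constructed; in practice one list per client

if __name__ == "__main__":
    print("private leaks:", find_leaks(PRIVATE_NOTE, CLIENT_TERMS))
    print("public ready:", ready_to_publish(PUBLIC_NOTE, CLIENT_TERMS))
```

Wire it into a pre-commit hook on the public repo so a note that still carries an internal address or a client name fails the commit instead of reaching GitHub.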
The Daily Quiz
The vault is only useful if you actually retain what’s in it. I have a cron job that fires on weekdays and posts a technique question to a Discord channel. I answer it, and the AI grades and explains. Spaced repetition for pentest techniques.
It sounds gimmicky. It isn’t. The techniques you reach for under pressure are the ones you’ve rehearsed.
What This Actually Solves
The problem with pentest knowledge management isn’t that practitioners don’t know things — it’s that the knowledge is locked in their heads and in client-confidential reports. Neither of those scales.
A vault with a clean public/private separation lets you build a professional portfolio without ever violating client confidentiality. The public repo becomes a reference, a hiring signal, and a forcing function to actually document what you know.
The AI doesn’t replace the thinking. It eliminates the friction between the thinking and the file system.
Cyberforks builds security workflows that don’t suck. cyberforks.com