We have seen a consistent set of patterns in attacker behaviors, and breach targets, over the last year. We often see where adversaries are repeat offenders - reusing the same recon techniques, and the same threat infrastructure (in new ways), to attack the same target again - if the target continues to play whack-a-mole treating hardening systems and investigating breaches as one-off events. This presentation will focus on the common patterns of compromise, and adversarial behavior in the early stages of the "kill-chain", leading up to the first attack. The goal for Red-teams & vuln-managers is to show how adversaries do recon and setup, to enable you to measure & manage your attack surface more realistically to how your adversaries will map it out. The goal for Blue-teams & IR is to show new patterns and pivots we see adversaries make, and what Internet security datasets you can use to pinpoint them.