Claude Code Skills·Claude Skills·The open SKILL.md registry for Claude

mahipal

715 Claude Code skills authored by mahipal.

updated 2026-05-23 · showing 1–60 of 715 by quality score

Average Pro QualityScore: 78.8/100


Conduct wireless network security assessments using Kismet to detect rogue access points, hidden SSIDs, weak
Parse Apache and Nginx access logs to detect SQL injection attempts, local file inclusion, directory traversal,
Acquire and analyze mobile device data using Cellebrite UFED and open-source tools to extract communications,
Implement automated incident response playbooks in Cortex XSOAR to orchestrate security workflows across SOC
Detect process injection techniques (T1055) including classic DLL injection, process hollowing, and APC injection
Leverages Splunk Enterprise Security and SPL (Search Processing Language) to investigate security incidents
Extract and catalog attack patterns from cyber threat intelligence reports into a structured STIX-based library
Hunt for adversary abuse of legitimate cloud services for C2, data staging, and exfiltration including abuse
Building a Threat Intelligence Platform (TIP) involves deploying and integrating multiple CTI tools into a unified
Zero-Knowledge Proofs (ZKPs) allow a prover to demonstrate knowledge of a secret (such as a password or private
Captures and analyzes network packet data using Wireshark and tshark to identify malicious traffic patterns,
Simulates SSL stripping attacks using sslstrip, Bettercap, and mitmproxy in authorized environments to test
Securing API Gateway endpoints with AWS WAF by configuring managed rule groups for OWASP Top 10 protection,
Analyzes structured and unstructured threat intelligence feeds to extract actionable indicators, adversary tactics,
Detect DNS-based data exfiltration by analyzing Zeek dns.log for high-entropy subdomains and anomalous query
Discover and inventory all privileged accounts across enterprise infrastructure including domain admins, local
Examine file system slack space, MFT entries, USN journal, and alternate data streams to recover hidden data
Develop and apply a multi-factor asset criticality scoring model to weight vulnerability prioritization based
Performs OAuth 2.0 scope minimization review to identify over-permissioned third-party application integrations,
Identifies and exploits SMB protocol vulnerabilities using Metasploit Framework during authorized penetration
Triage web application vulnerability findings from DAST/SAST scanners using OWASP risk rating methodology to
Deploy and query Arkime (formerly Moloch) for full packet capture network traffic analysis. Uses the Arkime API
Implements threat modeling using the MITRE ATT&CK framework to map adversary TTPs against organizational assets,
Analyze IP address reputation using the Shodan API to identify open ports, running services, known vulnerabilities,
Identifies and unpacks UPX-packed and other packed malware samples to expose the original executable code for
Hunt for MITRE ATT&CK T1098 account manipulation including shadow admin creation, SID history injection, group
Deploys and configures CrowdStrike Falcon EDR agents across enterprise endpoints to enable real-time threat
Detect process injection techniques (T1055) including CreateRemoteThread, process hollowing, and DLL injection
Analyze binary exploitation techniques including buffer overflows and ROP chains using pwntools Python library.
Configure IAM permission boundaries in AWS to delegate role creation to developers while enforcing maximum privilege
Performs runtime dynamic analysis of Android applications using Frida, Objection, and Android Debug Bridge to
Conduct a focused Active Directory penetration test to enumerate domain objects, discover attack paths with BloodHound,
Deobfuscates malicious JavaScript code used in web-based attacks, phishing pages, and dropper scripts by reversing
Parses API Gateway access logs (AWS API Gateway, Kong, Nginx) to detect BOLA/IDOR attacks, rate limit bypass,
MITRE ATT&CK is a globally-accessible knowledge base of adversary tactics, techniques, and procedures (TTPs)
Detect and exploit blind Server-Side Request Forgery vulnerabilities using out-of-band techniques, DNS interactions,
Executes structured recovery from a ransomware incident following NIST and CISA frameworks, including environment
Deploy and configure the Havoc C2 framework with teamserver, HTTPS listeners, redirectors, and Demon agents for
Integrate gitleaks and trufflehog into CI/CD pipelines to detect leaked secrets before deployment
Integrates Static Application Security Testing (SAST), Dynamic Application Security Testing (DAST), and Software
Identifying and exploiting OAuth 2.0 and OpenID Connect misconfigurations including redirect URI manipulation,
Auditing Terraform infrastructure-as-code for security misconfigurations using Checkov, tfsec, Terrascan, and
Implement API Security Posture Management to continuously discover, classify, and score APIs based on risk while
Detect and prevent API enumeration attacks including BOLA and IDOR exploitation by monitoring sequential identifier
Pod Security Standards (PSS) define three levels of security policies -- Privileged, Baseline, and Restricted
Implementing Zero Trust Network Access (ZTNA) in cloud environments by configuring identity-aware proxies, micro-segmentation,
Detect RDP brute force attacks by analyzing Windows Security Event Logs for failed authentication patterns (Event
Deploy and configure Rapid7 InsightVM Security Console and Scan Engines for authenticated and unauthenticated
Deploy Google BeyondCorp Enterprise zero trust access controls using Identity-Aware Proxy (IAP), context-aware
Implement GCP Binary Authorization to enforce deploy-time security controls that ensure only trusted, attested
Enrich malware file hashes using the VirusTotal API to retrieve detection rates, behavioral analysis, YARA matches,
Auditing Microsoft Entra ID (Azure Active Directory) configuration to identify risky authentication policies,
Implement NextDNS as a zero trust DNS filtering layer with encrypted resolution, threat intelligence blocking,
Red team engagement planning is the foundational phase that defines scope, objectives, rules of engagement (ROE),
Deploy and operate CAPEv2 sandbox for automated malware analysis with behavioral monitoring, payload extraction,
Deploy Breach and Attack Simulation tools to continuously validate security control effectiveness by safely emulating
Configure and execute agentless vulnerability scanning using network protocols, cloud snapshot analysis, and
Automate network traffic analysis using tshark and pyshark for protocol statistics, suspicious flow detection,
Performing security reviews of serverless functions across AWS Lambda, Azure Functions, and GCP Cloud Functions
Configure and deploy Palo Alto Networks next-generation firewalls with App-ID, User-ID, zone-based policies,