Detect Golden Ticket attacks in Active Directory by analyzing Kerberos TGT anomalies including mismatched encryption
Parses Kubernetes API server audit logs (JSON lines) to detect exec-into-pod, secret access, RBAC modifications,
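An added worked example for the Kubernetes audit-log entry above (example code written for this page, not from the original catalog or from any Kubernetes project). It parses audit events in the audit.k8s.io/v1 JSON-lines format and labels three behaviours the entry names: exec into a pod (a `create` on the `pods/exec` subresource), reads of Secrets, and writes to RBAC objects. The sample events, usernames and namespaces are constructed for illustration; the field names follow the real audit Event schema.

```python
import json
from collections import Counter

# Constructed sample audit events (JSON lines) modelled on the audit.k8s.io/v1
# Event schema. Users, namespaces and object names are made up for this example.
_EVENTS = [
    {"kind": "Event", "apiVersion": "audit.k8s.io/v1", "stage": "ResponseComplete",
     "verb": "create", "user": {"username": "dev-alice"},
     "objectRef": {"resource": "pods", "subresource": "exec", "namespace": "prod", "name": "api-7c9f"},
     "responseStatus": {"code": 101}, "requestReceivedTimestamp": "2024-05-01T10:00:00.000000Z"},
    # RequestReceived stage of the same request as the next event: must not be double counted
    {"kind": "Event", "apiVersion": "audit.k8s.io/v1", "stage": "RequestReceived",
     "verb": "get", "user": {"username": "system:serviceaccount:ci:builder"},
     "objectRef": {"resource": "secrets", "namespace": "kube-system", "name": "db-creds"},
     "requestReceivedTimestamp": "2024-05-01T10:01:00.000000Z"},
    {"kind": "Event", "apiVersion": "audit.k8s.io/v1", "stage": "ResponseComplete",
     "verb": "get", "user": {"username": "system:serviceaccount:ci:builder"},
     "objectRef": {"resource": "secrets", "namespace": "kube-system", "name": "db-creds"},
     "responseStatus": {"code": 200}, "requestReceivedTimestamp": "2024-05-01T10:01:00.000000Z"},
    {"kind": "Event", "apiVersion": "audit.k8s.io/v1", "stage": "ResponseComplete",
     "verb": "create", "user": {"username": "dev-alice"},
     "objectRef": {"resource": "clusterrolebindings", "apiGroup": "rbac.authorization.k8s.io", "name": "alice-admin"},
     "responseStatus": {"code": 201}, "requestReceivedTimestamp": "2024-05-01T10:02:00.000000Z"},
    {"kind": "Event", "apiVersion": "audit.k8s.io/v1", "stage": "ResponseComplete",
     "verb": "list", "user": {"username": "system:kube-controller-manager"},
     "objectRef": {"resource": "pods", "namespace": "prod"},
     "responseStatus": {"code": 200}, "requestReceivedTimestamp": "2024-05-01T10:03:00.000000Z"},
    # A denied RBAC write (403): still worth surfacing, flagged as denied
    {"kind": "Event", "apiVersion": "audit.k8s.io/v1", "stage": "ResponseComplete",
     "verb": "delete", "user": {"username": "dev-bob"},
     "objectRef": {"resource": "rolebindings", "apiGroup": "rbac.authorization.k8s.io", "namespace": "dev", "name": "viewer"},
     "responseStatus": {"code": 403}, "requestReceivedTimestamp": "2024-05-01T10:04:00.000000Z"},
]
SAMPLE_AUDIT_LOG = "\n".join(json.dumps(e) for e in _EVENTS) + "\nnot json at all\n"

RBAC_RESOURCES = {"roles", "rolebindings", "clusterroles", "clusterrolebindings"}
WRITE_VERBS = {"create", "update", "patch", "delete", "deletecollection"}
EXEC_SUBRESOURCES = {"exec", "attach"}  # kubectl exec/attach issue a POST, i.e. verb "create"


def classify(event):
    """Return a rule name for one audit event, or None if it is not interesting."""
    # Only the final stage carries the response code; earlier stages would duplicate hits.
    if event.get("stage") != "ResponseComplete":
        return None
    ref = event.get("objectRef") or {}
    verb = event.get("verb")
    resource = ref.get("resource")
    if resource == "pods" and ref.get("subresource") in EXEC_SUBRESOURCES and verb == "create":
        return "exec_into_pod"
    if resource == "secrets" and verb in {"get", "list", "watch"}:
        return "secret_access"
    if ref.get("apiGroup") == "rbac.authorization.k8s.io" and resource in RBAC_RESOURCES and verb in WRITE_VERBS:
        return "rbac_modification"
    return None


def detect_audit_lines(lines):
    """Run classify() over JSON lines and return a list of finding dicts in log order."""
    findings = []
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        try:
            event = json.loads(raw)
        except json.JSONDecodeError:
            continue  # skip non-JSON noise rather than abort the whole file
        rule = classify(event)
        if rule is None:
            continue
        ref = event.get("objectRef") or {}
        code = (event.get("responseStatus") or {}).get("code")
        findings.append({
            "rule": rule,
            "user": (event.get("user") or {}).get("username"),
            "verb": event.get("verb"),
            "target": f"{ref.get('namespace', '-')}/{ref.get('resource')}/{ref.get('name', '-')}",
            "code": code,
            "denied": code == 403,
            "time": event.get("requestReceivedTimestamp"),
        })
    return findings


def summarize(findings):
    """Count findings per (user, rule) so repeated secret reads by one principal stand out."""
    return Counter((f["user"], f["rule"]) for f in findings)


if __name__ == "__main__":
    for f in detect_audit_lines(SAMPLE_AUDIT_LOG.splitlines()):
        print(f)
    print(summarize(detect_audit_lines(SAMPLE_AUDIT_LOG.splitlines())))
```

Filtering on `stage == "ResponseComplete"` matters in practice: with the default audit policy a single request can emit RequestReceived, ResponseStarted and ResponseComplete events, and counting all of them inflates secret-read volumes. Allow-listing system principals (controller manager, scheduler, known operators) for `secret_access` is the usual next tuning step.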
Implements SIEM detection use cases by designing correlation rules, threshold alerts, and behavioral analytics
Implements security controls at the API gateway layer including authentication enforcement, rate limiting, request
Automate phishing incident response using Splunk SOAR REST API to create containers, add artifacts, and trigger
Identifying and exploiting SSRF vulnerabilities to access internal services, cloud metadata, and restricted network
Monitor for brand impersonation attacks across domains, social media, mobile apps, and dark web channels to detect
Configure microsegmentation policies to enforce least-privilege workload-to-workload access using tools like
Detect container escape attempts in real-time using Falco runtime security rules that monitor syscalls, file
Detects anomalous authentication patterns using UEBA analytics, statistical baselines, and machine learning
Integrate Hardware Security Modules (HSMs) using PKCS#11 interface for cryptographic key management, signing
Build network traffic baselines from NetFlow/IPFIX data using Python pandas for statistical analysis, z-score
Detect MITRE ATT&CK T1547.001 registry Run key persistence by analyzing Sysmon Event ID 13 logs and registry
Enumerate subdomains of target domains using ProjectDiscovery's Subfinder passive reconnaissance tool to map
Detect lateral movement in network traffic using Zeek (formerly Bro) log analysis. Parses conn.log, smb_mapping.log,
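An added worked example for the Zeek entry above (written for this page; not code from the original catalog or from the Zeek project). It parses the tab-separated conn.log and smb_mapping.log formats by their `#fields` header, then flags internal hosts that complete sessions to several other internal hosts on remote-administration ports and hosts that map administrative shares. The log contents, addresses, port list and the three-host threshold are constructed assumptions for illustration.

```python
import ipaddress
from collections import defaultdict

# Constructed Zeek logs in the standard TSV layout. Addresses, UIDs and
# timestamps are made up for this example, not taken from a real capture.
def _tsv(rows):
    return "\n".join("\t".join(str(c) for c in row) for row in rows) + "\n"

CONN_LOG = _tsv([
    ["#separator \\x09"], ["#path", "conn"],
    ["#fields", "ts", "uid", "id.orig_h", "id.orig_p", "id.resp_h", "id.resp_p", "proto", "service", "conn_state"],
    ["#types", "time", "string", "addr", "port", "addr", "port", "enum", "string", "string"],
    [1714557600.1, "CAb1", "10.0.1.25", 49211, "10.0.2.10", 445, "tcp", "smb", "SF"],
    [1714557601.2, "CAb2", "10.0.1.25", 49212, "10.0.2.11", 445, "tcp", "smb", "SF"],
    [1714557602.3, "CAb3", "10.0.1.25", 49213, "10.0.2.12", 3389, "tcp", "ssl", "SF"],
    [1714557603.4, "CAb4", "10.0.1.25", 49214, "10.0.2.13", 5985, "tcp", "http", "SF"],
    [1714557604.5, "CAb5", "10.0.1.25", 49215, "10.0.2.14", 445, "tcp", "-", "S0"],   # unanswered SYN
    [1714557605.6, "CAb6", "10.0.1.25", 49216, "10.0.2.10", 80, "tcp", "http", "SF"],  # not an admin port
    [1714557606.7, "CAb7", "10.0.1.40", 50001, "10.0.2.10", 445, "tcp", "smb", "SF"],  # one target: normal
    [1714557607.8, "CAb8", "10.0.1.40", 50002, "93.184.216.34", 443, "tcp", "ssl", "SF"],  # external
    [1714557608.9, "CAb9", "10.0.1.25", 50003, "10.0.2.1", 53, "udp", "dns", "SF"],
])

SMB_MAPPING_LOG = _tsv([
    ["#separator \\x09"], ["#path", "smb_mapping"],
    ["#fields", "ts", "uid", "id.orig_h", "id.orig_p", "id.resp_h", "id.resp_p", "path", "service", "native_file_system", "share_type"],
    ["#types", "time", "string", "addr", "port", "addr", "port", "string", "string", "string", "string"],
    [1714557600.2, "CAb1", "10.0.1.25", 49211, "10.0.2.10", 445, r"\\10.0.2.10\ADMIN$", "-", "NTFS", "DISK"],
    [1714557601.3, "CAb2", "10.0.1.25", 49212, "10.0.2.11", 445, r"\\10.0.2.11\IPC$", "-", "-", "PIPE"],
    [1714557606.8, "CAb7", "10.0.1.40", 50001, "10.0.2.10", 445, r"\\10.0.2.10\Finance", "-", "NTFS", "DISK"],
])

# Ports commonly used for remote administration; the set is an assumption, tune it per environment.
ADMIN_PORTS = {445: "smb", 3389: "rdp", 5985: "winrm", 5986: "winrm", 135: "msrpc", 22: "ssh"}
ADMIN_SHARES = {"ADMIN$", "C$"}  # IPC$ is left out: far too common to be a signal on its own


def parse_zeek_log(text):
    """Yield one dict per record of a Zeek TSV log, keyed by its #fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#fields\t"):
            fields = line.split("\t")[1:]
            continue
        if not line or line.startswith("#"):
            continue
        if fields is None:
            raise ValueError("record encountered before #fields header")
        yield dict(zip(fields, line.split("\t")))


def _internal(ip):
    return ipaddress.ip_address(ip).is_private


def admin_protocol_fanout(conn_text, min_hosts=3):
    """Internal sources with completed sessions to >= min_hosts distinct internal hosts on admin ports."""
    fanout = defaultdict(set)
    for rec in parse_zeek_log(conn_text):
        if rec["proto"] != "tcp":
            continue
        port = int(rec["id.resp_p"])
        if port not in ADMIN_PORTS:
            continue
        src, dst = rec["id.orig_h"], rec["id.resp_h"]
        if not (_internal(src) and _internal(dst)):
            continue
        # S0 (no reply) and REJ (refused) are scan signals, not usable sessions; handled separately
        if rec["conn_state"] in {"S0", "REJ"}:
            continue
        fanout[src].add((dst, port, ADMIN_PORTS[port]))
    return {src: sorted(t) for src, t in fanout.items() if len({d for d, _, _ in t}) >= min_hosts}


def admin_share_mappings(smb_text):
    """Map each client to the (server, share) pairs where it mounted an administrative share."""
    hits = defaultdict(set)
    for rec in parse_zeek_log(smb_text):
        share = rec["path"].rstrip("\\").rsplit("\\", 1)[-1].upper()
        if share in ADMIN_SHARES:
            hits[rec["id.orig_h"]].add((rec["id.resp_h"], share))
    return {src: sorted(s) for src, s in hits.items()}


def lateral_movement_report(conn_text, smb_text, min_hosts=3):
    """Combine both signals per source host, with a reasons list for the analyst."""
    fanout = admin_protocol_fanout(conn_text, min_hosts)
    shares = admin_share_mappings(smb_text)
    report = {}
    for src in sorted(set(fanout) | set(shares)):
        reasons = []
        if src in fanout:
            reasons.append(f"admin-port sessions to {len({d for d, _, _ in fanout[src]})} internal hosts")
        if src in shares:
            reasons.append("mapped administrative share(s)")
        report[src] = {"admin_targets": fanout.get(src, []), "admin_shares": shares.get(src, []), "reasons": reasons}
    return report


if __name__ == "__main__":
    for host, detail in lateral_movement_report(CONN_LOG, SMB_MAPPING_LOG).items():
        print(host, detail)
```

Correlating the two logs through the source host (or the shared `uid`) is what separates a helpdesk jump box from a compromised workstation: a single SMB session to one file server is routine, while four hosts over SMB, RDP and WinRM plus an ADMIN$ mount from a user workstation in a few seconds is the pattern worth paging on.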
Identifying and exploiting Cross-Origin Resource Sharing misconfigurations that allow unauthorized cross-domain
Maps observed adversary behaviors, security alerts, and detection rules to MITRE ATT&CK techniques and sub-techniques
Build automated threat intelligence enrichment pipelines in Splunk Enterprise Security using lookup tables, modular
Detect domain fronting C2 traffic by analyzing SNI vs HTTP Host header mismatches in proxy logs and TLS certificate
Performs memory forensics analysis using Volatility 3 to extract evidence of malware execution, process injection,
Detect and test for OWASP API3:2023 Broken Object Property Level Authorization vulnerabilities including excessive
BloodHound is a graph-based Active Directory reconnaissance tool that uses graph theory to reveal hidden and
Uses Postman to perform structured API security testing by building collections that test for OWASP API Security
Extract and analyze Windows Registry hives to uncover user activity, installed software, autostart entries, and
Extract cached credentials, password hashes, Kerberos tickets, and authentication tokens from memory dumps using
Configuring Google Cloud Identity-Aware Proxy (IAP) to enforce per-request identity verification for Compute
Executes authorized phishing simulation campaigns to assess an organization's susceptibility to email-based
Detect and prevent ARP spoofing attacks using ARPWatch, Dynamic ARP Inspection, Wireshark analysis, and custom
Detect Kerberoasting attacks by monitoring for anomalous Kerberos TGS requests targeting service accounts with
Analyze advanced persistent threat (APT) group techniques using MITRE ATT&CK Navigator to create layered heatmaps
Conduct red team operations using the Covenant C2 framework for authorized adversary simulation, including listener
Detect compromised O365 and Google Workspace email accounts by analyzing inbox rule creation, suspicious sign-in
Detect anomalies in DNP3 (Distributed Network Protocol 3) communications used in SCADA systems by monitoring
Deploy and configure Velociraptor for scalable endpoint forensic artifact collection during incident response
Parse NetFlow v9 and IPFIX records to detect volumetric anomalies, port scanning, data exfiltration, and C2 beaconing
Plan and execute a comprehensive red team engagement covering reconnaissance through post-exploitation using
Systematically hunt for adversary persistence mechanisms across Windows endpoints including registry, services,
Detect PowerShell Empire framework artifacts in Windows event logs by identifying Base64 encoded launcher patterns,
Tests APIs for mass assignment (auto-binding) vulnerabilities where clients can modify object properties they
Conduct a sector-specific threat landscape assessment by analyzing threat actor targeting patterns, common attack
Deploy SailPoint IdentityNow or IdentityIQ for identity governance and administration. Covers identity lifecycle
Deploy DefectDojo as a centralized vulnerability management dashboard with scanner integrations, deduplication,
Identifying and validating cross-site scripting vulnerabilities using Burp Suite's scanner, intruder, and repeater
Detecting and exploiting HTTP request smuggling vulnerabilities caused by Content-Length and Transfer-Encoding
Deploys canary files, honeypot shares, and decoy systems to detect ransomware activity at the earliest possible
Performs runtime mobile security exploration of iOS applications using Objection, a Frida-powered toolkit that
Performs Linux memory acquisition using LiME (Linux Memory Extractor) kernel module and analysis with Volatility
Investigates phishing email incidents from initial user report through header analysis, URL/attachment detonation,
Spearphishing simulation is a targeted social engineering attack vector used by red teams to gain initial access.
Executes comprehensive red team exercises that simulate real-world adversary operations against an organization's
Identify, collect, and analyze ransomware attack artifacts to determine the variant, initial access vector, encryption
Hardens Windows endpoints using CIS (Center for Internet Security) Benchmark recommendations to reduce attack
Detect command injection attacks against Modbus TCP/RTU protocol in ICS environments by monitoring for unauthorized
Integrate AFL++ coverage-guided fuzz testing into CI/CD pipelines to discover memory corruption, input handling,
Detecting misconfigured Azure Storage accounts including publicly accessible blob containers, missing encryption
Write custom Semgrep SAST rules in YAML to detect application-specific vulnerabilities, enforce coding standards,
Deploy CyberArk Privileged Access Management to discover, vault, rotate, and monitor privileged credentials across
MISP (Malware Information Sharing Platform) is an open-source threat intelligence platform for gathering, sharing,
Implements cloud workload protection using boto3 and google-cloud APIs for runtime security monitoring, process
Deploys canary files (honeytokens) across file systems to detect ransomware encryption activity in real time.