Configure SSL/TLS inspection on network security devices to decrypt, inspect, and re-encrypt HTTPS traffic for
Implements application whitelisting using Windows AppLocker to restrict unauthorized software execution on endpoints,
Investigates insider threat indicators including data exfiltration attempts, unauthorized access patterns, policy
Parse Windows PowerShell Script Block Logs (Event ID 4104) from EVTX files to detect obfuscated commands, encoded
Extract stored credentials from compromised endpoints using the LaZagne post-exploitation tool to recover passwords
Executes Atomic Red Team tests for MITRE ATT&CK technique validation using the atomic-operator Python framework.
Automate GoPhish phishing simulation campaigns using the Python gophish library. Creates email templates with
Detect Kerberos Golden Ticket forgery by analyzing Windows Event ID 4769 for RC4 encryption downgrades (0x17),
Builds a structured SOC incident response playbook for ransomware attacks covering detection, containment, eradication,
Proactively hunts for Advanced Persistent Threat (APT) activity within enterprise environments using hypothesis-driven
Automate AWS GuardDuty threat detection findings processing using EventBridge and Lambda to enable real-time
Establish SAML 2.0 identity federation between on-premises Active Directory and Azure AD (Microsoft Entra ID)
Performs entitlement review and access certification campaigns using SailPoint IdentityIQ including manager
Perform comprehensive ICS/OT asset discovery using Claroty xDome platform, leveraging passive monitoring, Claroty
Tests REST and GraphQL APIs for Broken Object Level Authorization (BOLA/IDOR) vulnerabilities where an authenticated
Build collaborative forensic incident timelines using Timesketch to ingest, normalize, and analyze multi-source
Simulates bandwidth throttling and network degradation attacks using tc, iperf3, and Scapy in authorized environments
Performs proactive threat hunting in Elastic Security SIEM using KQL/EQL queries, detection rules, and Timeline
Detect Cobalt Strike beacon network activity using default TLS certificate signatures (serial 8BB00EE), JA3/JA3S/JARM
Tests APIs for injection vulnerabilities including SQL injection, NoSQL injection, OS command injection, LDAP
Use the Malpedia platform and API to research malware family relationships, track variant evolution, link families
Simulates VLAN hopping attacks using switch spoofing and double tagging techniques in authorized environments
Conduct systematic reviews of privileged accounts to validate access rights, identify excessive permissions,
Detect DCSync attacks where adversaries abuse Active Directory replication privileges to extract password hashes
Detecting and exploiting Server-Side Template Injection (SSTI) vulnerabilities across Jinja2, Twig, Freemarker,
Map advanced persistent threat (APT) group tactics, techniques, and procedures (TTPs) to the MITRE ATT&CK framework
OpenCTI is an open-source platform for managing cyber threat intelligence knowledge, built on STIX 2.1 as its
Parse Windows Prefetch files to determine program execution history including run counts, timestamps, and referenced
Detect C2 beaconing patterns in network traffic using frequency analysis, jitter detection, and domain reputation
Parse and analyze email headers to trace the origin of phishing emails, verify sender authenticity, and identify
Hunt for DNS-based persistence mechanisms including DNS hijacking, dangling CNAME records, wildcard DNS abuse,
PCI DSS 4.0.1 establishes 12 requirements across 6 control objectives for organizations that store, process, or transmit cardholder data.
Build a vulnerability exception and risk acceptance tracking system with approval workflows, compensating controls
Integrate FIRST's Exploit Prediction Scoring System (EPSS) API to prioritize vulnerability remediation based
Execute and test the JWT none algorithm attack to bypass signature verification by manipulating the alg header
Detect and respond to Adversary-in-the-Middle (AiTM) phishing attacks that use reverse proxy kits like EvilProxy,
Perform systematic alert triage in Elastic Security SIEM to rapidly classify, prioritize, and investigate security
Campaign attribution analysis involves systematically evaluating evidence to determine which threat actor or
Hunt for adversary persistence via Windows Scheduled Tasks by analyzing task creation events, suspicious task
Implement Kubernetes network segmentation using Calico NetworkPolicy and GlobalNetworkPolicy for zero-trust pod-to-pod
Detect privilege escalation attempts including token manipulation, UAC bypass, unquoted service paths, kernel
Conduct systematic access reviews and certifications to ensure users have appropriate access rights aligned with
Plans and facilitates tabletop exercises simulating ransomware incidents to test organizational readiness, decision-making,
Tests WebSocket API implementations for security vulnerabilities including missing authentication on WebSocket
Hardens Linux endpoints using CIS Benchmark recommendations for Ubuntu, RHEL, and CentOS to reduce attack surface,
Detect Pass-the-Hash attacks by analyzing NTLM authentication patterns, identifying Type 3 logons with NTLM where
Proactively hunt for adversary abuse of legitimate system binaries (LOLBins) to execute malicious payloads while
Perform authorized initial access using EvilGinx3 adversary-in-the-middle phishing framework to capture session
Analyzes malware command-and-control (C2) communication protocols to understand beacon patterns, command structures,
STIX (Structured Threat Information eXpression) and TAXII (Trusted Automated eXchange of Intelligence Information)
Installs, configures, and tunes Snort 3 intrusion detection system to monitor network traffic for malicious
Perform security assessments of SCADA Human-Machine Interface (HMI) systems to identify vulnerabilities in web-based
Simulates ARP spoofing attacks in authorized lab or pentest environments using arpspoof, Ettercap, and Scapy
Intercepts and analyzes HTTP/HTTPS traffic from mobile applications using Burp Suite proxy to identify insecure
Builds a structured vulnerability scanning workflow using tools like Nessus, Qualys, and OpenVAS to discover,
Detects fileless malware and in-memory attacks that execute entirely in RAM without writing persistent files
Design and implement a comprehensive DevSecOps pipeline in GitLab CI/CD integrating SAST, DAST, container scanning,
Analyzes memory (RAM) dumps from compromised systems using the Volatility framework to identify malicious processes,
Build comprehensive threat actor profiles using open-source intelligence (OSINT) techniques to document adversary
Implements Mobile Application Management (MAM) policies to protect enterprise data on managed and unmanaged