Build effective detection rules using Splunk Search Processing Language (SPL) correlation searches to identify
Testing web applications for clickjacking vulnerabilities by assessing frame embedding controls and crafting
Detects lateral movement techniques including Pass-the-Hash, PsExec, WMI execution, RDP pivoting, and SMB-based
Execute a wireless network penetration test to assess WiFi security by capturing handshakes, cracking WPA2/WPA3
Container escape is a critical attack technique where an adversary breaks out of container isolation to access
Performs purple team exercises by coordinating red team adversary emulation with blue team detection validation
Implementing AWS Config rules for continuous compliance monitoring of AWS resources, deploying managed and custom
Queries Azure Monitor activity logs and sign-in logs via azure-monitor-query to detect suspicious administrative
Detect malicious scheduled task creation and modification using Sysmon Event IDs 1 (Process Create for schtasks.exe),
Deploy XM Cyber's continuous exposure management platform to map attack paths, identify choke points, and prioritize
Implement MITRE ATT&CK coverage mapping to identify detection gaps, prioritize rule development, and measure
Exploit Kerberos Constrained Delegation misconfigurations in Active Directory to impersonate privileged users
Use OWASP Threat Dragon to create data flow diagrams, identify threats using STRIDE and LINDDUN methodologies,
Reverse engineers malicious Android APK files using JADX decompiler to analyze Java/Kotlin source code, identify
Extract and analyze Cobalt Strike beacon configuration from PE files and memory dumps to identify C2 infrastructure,
Secure Helm chart deployments by validating chart integrity, scanning templates for misconfigurations, and enforcing
Perform systematic SIEM false positive reduction through rule tuning, threshold adjustment, correlation refinement,
Identifying and exploiting Insecure Direct Object Reference vulnerabilities to access unauthorized resources
Detects defense evasion techniques used by adversaries in endpoint logs including log tampering, timestomping,
Detects and exploits ransomware kill switch mechanisms including mutex-based execution guards, domain-based
Extract, parse, and analyze Windows Event Logs (EVTX) using Chainsaw, Hayabusa, and EvtxECmd to detect lateral
Implementing AWS CloudTrail log analysis for security monitoring, threat detection, and forensic investigation
Detect data staging activity before exfiltration by monitoring for archive creation with 7-Zip/RAR, unusual temp
Deploys and configures Suricata IDS/IPS with Emerging Threats rulesets, EVE JSON logging, and custom rules for
Perform comprehensive Windows forensic artifact analysis using Eric Zimmerman's open-source EZ Tools suite including
Responds to security incidents in cloud environments (AWS, Azure, GCP) by performing identity-based containment,
Detect DCSync attacks by analyzing Windows Event ID 4662 for unauthorized DS-Replication-Get-Changes requests
Build an automated system to track adversary infrastructure using passive DNS, certificate transparency, WHOIS
Perform forensic analysis of SQLite databases to recover deleted records from freelists and WAL files, decode
Analyzes network traffic captures and flow data to identify adversary activity during security incidents, including
Detect and exploit NoSQL injection vulnerabilities in MongoDB, CouchDB, and other NoSQL databases to demonstrate
Develops comprehensive threat actor profiles for APT groups, criminal organizations, and hacktivist collectives
Parse Office 365 Unified Audit Logs via Microsoft Graph API to detect email forwarding rule creation, inbox delegation,
Detects ransomware encryption activity in real time using entropy analysis, file system I/O monitoring, and
Triage and prioritize vulnerabilities using CISA's Stakeholder-Specific Vulnerability Categorization (SSVC) decision
Tests authentication and authorization mechanisms in mobile application APIs to identify broken authentication,
Implements Delinea Secret Server for privileged access management (PAM) including secret vault configuration,
Deploy and configure an OpenTAXII server to share and consume STIX-formatted cyber threat intelligence using
AES (Advanced Encryption Standard) is a symmetric block cipher standardized by NIST (FIPS 197) used to protect
SPF, DKIM, and DMARC form the three pillars of email authentication. Together they prevent domain spoofing, validate
Implements security chaos engineering experiments that deliberately disable or degrade security controls to
GoPhish is an open-source phishing simulation framework used by security teams to conduct authorized phishing
MS17-010 (EternalBlue) is a critical vulnerability in Microsoft's SMBv1 implementation that allows remote code
Performs static analysis of Windows PE (Portable Executable) malware samples using PEStudio to examine file
Envelope encryption is a strategy where data is encrypted with a data encryption key (DEK), and the DEK itself
A Certificate Authority (CA) is the trust anchor in a PKI hierarchy, responsible for issuing, signing, and revoking
Detect insider threat behavioral indicators including unusual data access, off-hours activity, mass file downloads,
Deploys canary tokens and honeytokens (fake AWS credentials, DNS canaries, document beacons, database records)
Configures host-based intrusion detection systems (HIDS) to monitor endpoint file integrity, system calls, and
Build an automated pipeline to defang indicators of compromise (URLs, IPs, domains, emails) for safe sharing
Detect and prevent privilege escalation in Kubernetes pods by monitoring security contexts, capabilities, and
Deploy AI and NLP-powered detection systems to identify business email compromise attacks by analyzing writing
Configures pfSense firewall rules, NAT policies, VPN tunnels, and traffic shaping to enforce network segmentation,
Craft, send, sniff, and dissect network packets using Scapy for protocol analysis, network reconnaissance, and
Implementing device posture assessment as a zero trust access control by integrating endpoint health signals
Dark web monitoring involves systematically scanning Tor hidden services, underground forums, paste sites, and
Sign and verify container image provenance using Sigstore Cosign with keyless OIDC-based signing, attestations,
Performs rapid malware triage and classification using YARA rules to match file patterns, strings, byte sequences,
Investigate compromised Docker containers by analyzing images, layers, volumes, logs, and runtime artifacts to
Implement automated user provisioning and deprovisioning using SCIM 2.0 protocol with Okta as the identity provider.