Claude Code Skills·Claude Skills·The open SKILL.md registry for Claude

mahipal

715 Claude Code skills authored by mahipal.

updated 2026-05-23 · showing 301–360 of 715 by quality score

Average Pro QualityScore: 78.8/100


Systematically assessing REST and GraphQL API endpoints against the OWASP API Security Top 10 risks using automated
Correlates security events in IBM QRadar SIEM using AQL (Ariel Query Language), custom rules, building blocks,
Configures Windows Group Policy Objects (GPO) to prevent ransomware execution and limit its spread. Implements
Recover deleted files from disk images and storage media using PhotoRec's file signature-based carving engine
Implement Just-In-Time (JIT) access provisioning to eliminate standing privileges by granting temporary, time-bound
Hunt for Volume Shadow Copy deletion activity that indicates ransomware preparation or anti-forensics by monitoring
Analyzes Windows Security, System, and Sysmon event logs in Splunk to detect authentication attacks, privilege
Execute HTTP Parameter Pollution attacks to bypass input validation, WAF rules, and security controls by injecting
Responds to phishing incidents by analyzing reported emails, extracting indicators, assessing credential compromise,
Analyze memory dumps using Volatility3 plugins to detect injected code, rootkits, credential theft, and malware
Configure Google Workspace advanced phishing and malware protection settings including pre-delivery scanning,
Perform forensic acquisition and analysis of cloud storage services including Google Drive, OneDrive, Dropbox,
Detects early-stage ransomware indicators in network traffic before encryption begins, including initial access
Reverse engineers iOS applications using Frida dynamic instrumentation to understand internal logic, extract
Test JWT implementations for critical vulnerabilities including algorithm confusion, none algorithm bypass, kid
Reverse engineer Rust-compiled malware using IDA Pro and Ghidra with techniques for handling non-null-terminated
Detect cyber attacks targeting OT historian servers (OSIsoft PI, Ignition, Wonderware) that sit at the IT/OT
The Common Vulnerability Scoring System (CVSS) is the industry standard framework maintained by FIRST (Forum
Investigate supply chain attack artifacts including trojanized software updates, compromised build pipelines,
Implement API abuse detection using token bucket, sliding window, and adaptive rate limiting algorithms to prevent
Simulates man-in-the-middle attacks using Ettercap, mitmproxy, and Bettercap in authorized environments to intercept,
Conducts external reconnaissance using Open Source Intelligence (OSINT) techniques to map an organization's
Detect malicious email forwarding rules created by adversaries to maintain persistent access to email communications
Implementing Microsoft Defender for Cloud to enable cloud security posture management, workload protection across
Performing authorized privilege escalation assessments in AWS environments to identify IAM misconfigurations
Conduct authorized physical penetration testing using tailgating, badge cloning, lock bypassing, and rogue device
Detect unusual API call patterns in AWS CloudTrail logs using boto3, statistical baselining, and behavioral analysis
Implements passwordless authentication using Microsoft Entra ID with FIDO2 security keys, Windows Hello for
Analyze Windows LNK shortcut files and Jump List artifacts to establish evidence of file access, program execution,
Detect adversary lateral movement across networks using Splunk SPL queries against Windows authentication logs,
Use Sysinternals Autoruns to systematically identify and analyze malware persistence mechanisms across registry
Nikto is an open-source web server and web application scanner that tests against over 7,000 potentially dangerous
Detect unauthorized SaaS and cloud service usage (shadow IT) by analyzing proxy logs, DNS query logs, and netflow
Executes authorized attack simulations against Active Directory environments to identify misconfigurations,
Conduct forensic investigations in cloud environments by collecting and analyzing logs, snapshots, and metadata
Exploit the Zerologon vulnerability (CVE-2020-1472) in the Netlogon Remote Protocol to achieve domain controller
Develop and implement OT-specific incident response playbooks aligned with SANS PICERL framework, IEC 62443,
Execute a phased DMARC rollout from p=none monitoring through p=quarantine to p=reject enforcement, ensuring
Perform Kerberoasting attacks using Impacket's GetUserSPNs to extract and crack Kerberos TGS tickets for Active
Deploys and configures Zeek (formerly Bro) network security monitor to passively analyze network traffic, generate
Hunt for supply chain compromise indicators including trojanized software updates, compromised dependencies,
Configure Microsoft Entra ID (Azure AD) Conditional Access policies for zero trust access control. Covers signal-based
Enumerate and audit Active Directory forest trust relationships using impacket for SID filtering analysis, trust
Email sandboxing detonates suspicious attachments and URLs in isolated environments to detect zero-day malware
Crafts and injects custom network packets using Scapy, hping3, and Nemesis during authorized security assessments
Tests API authentication mechanisms for weaknesses including broken token validation, missing authentication
Detecting and exploiting SQL injection vulnerabilities using sqlmap to extract database contents during authorized
Configures Microsoft Defender for Endpoint (MDE) advanced protection settings including attack surface reduction
Enforce Kubernetes network segmentation using Calico CNI network policies and global network policies to control
Hardware Security Modules (HSMs) are tamper-resistant physical devices that safeguard cryptographic keys and
Exploits JWT algorithm confusion vulnerabilities where the server's token verification library accepts the
Monitor Certificate Transparency logs using crt.sh and Certstream to detect phishing domains, lookalike certificates,
Deploys deception technology including honeypots, honeytokens, and decoy systems to detect attackers who have
Detect unauthorized modifications to running containers by monitoring for binary execution drift, file system
Extracts indicators of compromise (IOCs) from malware samples including file hashes, network indicators (IPs,
Parses and analyzes the Windows Amcache.hve registry hive to extract evidence of program execution, application
Traces ransomware cryptocurrency payment flows using blockchain analysis tools such as Chainalysis Reactor,
Exploit the noPac vulnerability chain (CVE-2021-42278 sAMAccountName spoofing and CVE-2021-42287 KDC PAC confusion)
Detect T1547.001 startup folder persistence by monitoring Windows startup directories for suspicious file creation,
Detect LSASS credential dumping, SAM database extraction, and NTDS.dit theft using Sysmon Event ID 10, Windows