Detects lateral movement techniques including Pass-the-Hash, PsExec, WMI execution, RDP pivoting, and SMB-based
Builds an automated malware submission and analysis pipeline that collects suspicious files from endpoints and
Detect network reconnaissance and port scanning using Suricata and Snort IDS signatures, threshold-based detection
Implement MITRE ATT&CK coverage mapping to identify detection gaps, prioritize rule development, and measure
Implementing zero trust access controls for SaaS applications using CASB, SSPM, conditional access policies, — from mahipal
Uses Postman to perform structured API security testing by building collections that test for OWASP API Security
Detect MITRE ATT&CK T1547.001 registry Run key persistence by analyzing Sysmon Event ID 13 logs and registry
Tests APIs for mass assignment (auto-binding) vulnerabilities where clients can modify object properties they
Conducts comprehensive network penetration tests against authorized target environments by performing host discovery,
Bypasses SSL/TLS certificate pinning implementations in Android and iOS applications to enable traffic interception
Envelope encryption is a strategy where data is encrypted with a data encryption key (DEK), and the DEK itself
Build a vulnerability exception and risk acceptance tracking system with approval workflows, compensating controls
Kerberoasting is a post-exploitation technique that targets service accounts in Active Directory by requesting
Build automated threat intelligence enrichment pipelines in Splunk Enterprise Security using lookup tables, modular
MS17-010 (EternalBlue) is a critical vulnerability in Microsoft's SMBv1 implementation that allows remote code
Systematically assessing REST and GraphQL API endpoints against the OWASP API Security Top 10 risks using automated
Exploit Kerberos Constrained Delegation misconfigurations in Active Directory to impersonate privileged users
Systematically hunt for adversary persistence mechanisms across Windows endpoints including registry, services,
Extracts indicators of compromise (IOCs) from malware samples including file hashes, network indicators (IPs,
Implementing Microsoft Defender for Cloud to enable cloud security posture management, workload protection across
Analyzes firmware images for embedded malware, backdoors, and unauthorized modifications targeting routers,
Run MISP, curate feeds, and auto-generate detections for Wazuh, Sigma, and Suricata.
GoPhish is an open-source phishing simulation framework used by security teams to conduct authorized phishing
Implements security chaos engineering experiments that deliberately disable or degrade security controls to
Scan Model Context Protocol servers and tool metadata for poisoning, SSRF, and unauthenticated exposure.
Maps observed adversary behaviors, security alerts, and detection rules to MITRE ATT&CK techniques and sub-techniques
Identifying and exploiting insecure deserialization vulnerabilities in Java, PHP, Python, and .NET applications
Analyze Microsoft Outlook PST and OST files for email forensic evidence including message content, headers, attachments,
Implement Zero Trust Network Access using Zscaler Private Access (ZPA) to replace traditional VPN with identity-based,
Analyze the threat landscape using MISP (Malware Information Sharing Platform) by querying event statistics,
Hardens Windows endpoints using CIS (Center for Internet Security) Benchmark recommendations to reduce attack
Investigate Active Directory compromise by analyzing authentication logs, replication metadata, Group Policy
Perform comprehensive security posture assessment of AWS accounts using ScoutSuite to enumerate resources, identify
The Common Vulnerability Scoring System (CVSS) is the industry standard framework maintained by FIRST (Forum
Enrich malware file hashes using the VirusTotal API to retrieve detection rates, behavioral analysis, YARA matches,
Hunt for malicious PowerShell activity by analyzing Script Block Logging (Event 4104), Module Logging (Event
Detect and prevent ARP spoofing attacks using ARPWatch, Dynamic ARP Inspection, Wireshark analysis, and custom
Build and configure a resilient command-and-control infrastructure using BishopFox's Sliver C2 framework with
Auditing HTTP security headers including CSP, HSTS, X-Frame-Options, and cookie attributes to identify missing
Simulates VLAN hopping attacks using switch spoofing and double tagging techniques in authorized environments
Builds SOC performance metrics and KPI tracking dashboards measuring Mean Time to Detect (MTTD), Mean Time to
Exploit the Zerologon vulnerability (CVE-2020-1472) in the Netlogon Remote Protocol to achieve domain controller
Inventory cryptography, deploy hybrid X25519 and ML-KEM, and prioritize harvest-now-decrypt-later data.
Collect volatile forensic evidence from a compromised system following order of volatility, preserving memory,
Use OWASP Threat Dragon to create data flow diagrams, identify threats using STRIDE and LINDDUN methodologies,
Hunt for MITRE ATT&CK T1098 account manipulation including shadow admin creation, SID history injection, group
Performs memory forensics analysis using Volatility 3 to extract evidence of malware execution, process injection,
Execute cloud-native incident containment across AWS, Azure, and GCP by isolating compromised resources, revoking
Identify ransomware network indicators including C2 beaconing patterns, TOR exit node connections, data exfiltration
Implement API Security Posture Management to continuously discover, classify, and score APIs based on risk while
Simulates ARP spoofing attacks in authorized lab or pentest environments using arpspoof, Ettercap, and Scapy
Investigates insider threat indicators including data exfiltration attempts, unauthorized access patterns, policy
Implements passwordless authentication using Microsoft Entra ID with FIDO2 security keys, Windows Hello for
Perform security testing of SOAP web services by analyzing WSDL definitions and testing for XML injection, XXE,
Perform systematic alert triage in Elastic Security SIEM to rapidly classify, prioritize, and investigate security
Deploy CyberArk Privileged Access Management to discover, vault, rotate, and monitor privileged credentials across
Integrate Hardware Security Modules (HSMs) using PKCS#11 interface for cryptographic key management, signing
Detect DNS-based data exfiltration by analyzing Zeek dns.log for high-entropy subdomains and anomalous query
Tests WebSocket API implementations for security vulnerabilities including missing authentication on WebSocket
Auditing Kubernetes cluster RBAC configurations to identify overly permissive roles, wildcard permissions, dangerous