Configure Fluentd and Fluent Bit for centralized log aggregation, routing, filtering, and enrichment across distributed
Hunt for adversary abuse of legitimate cloud services for C2, data staging, and exfiltration including abuse
Threat actor infrastructure tracking involves monitoring and mapping adversary-controlled assets including command-and-control
Detect compromised O365 and Google Workspace email accounts by analyzing inbox rule creation, suspicious sign-in
A Certificate Authority (CA) is the trust anchor in a PKI hierarchy, responsible for issuing, signing, and revoking
Build network traffic baselines from NetFlow/IPFIX data using Python pandas for statistical analysis, z-score
Detects credential stuffing attacks by analyzing authentication logs for login velocity anomalies, ASN diversity,
Assess SSL/TLS server configurations using the sslyze Python library to evaluate cipher suites, certificate chains,
AES (Advanced Encryption Standard) is a symmetric block cipher standardized by NIST (FIPS 197) used to protect
Identifying and exploiting OAuth 2.0 and OpenID Connect misconfigurations including redirect URI manipulation,
Analyzes malware command-and-control (C2) communication protocols to understand beacon patterns, command structures,
Implementing Cloud Data Loss Prevention (DLP) using Amazon Macie, Azure Information Protection, and Google Cloud
Implements an integrated incident ticketing system connecting SIEM alerts to ServiceNow, Jira, or TheHive for
Test for Server-Side Request Forgery vulnerabilities by probing cloud metadata endpoints, internal network services,
Build an automated system to track adversary infrastructure using passive DNS, certificate transparency, WHOIS — from Undermybelt/hermes-skills
Deploying Palo Alto Networks Prisma Access for SASE-based zero trust network access using GlobalProtect agents,
Recover files from disk images and unallocated space using Foremost's header-footer signature carving to extract
Perform Kerberoasting attacks using Impacket's GetUserSPNs to extract and crack Kerberos TGS tickets for Active
Intercepts and analyzes HTTP/HTTPS traffic from mobile applications using Burp Suite proxy to identify insecure
Apply least-privilege tool allowlisting, identity binding, and human-in-the-loop controls for agent tool calls.
Enumerates DNS records, attempts zone transfers, brute-forces subdomains, and maps DNS infrastructure during
Builds a structured vulnerability scanning workflow using tools like Nessus, Qualys, and OpenVAS to discover,
Detect process injection techniques (T1055) including CreateRemoteThread, process hollowing, and DLL injection
Implementing Google''s BeyondCorp zero trust access model to eliminate implicit trust from the network perimeter,
Builds comprehensive identity governance and lifecycle management processes including joiner-mover-leaver automation,
Deploy a Software-Defined Perimeter using the CSA v2.0 specification with Single Packet Authorization, mutual
Build a systematic threat hunt hypothesis framework that transforms threat intelligence, attack patterns, and
Detect RDP brute force attacks by analyzing Windows Security Event Logs for failed authentication patterns (Event
Configure Microsoft Entra ID (Azure AD) Conditional Access policies for zero trust access control. Covers signal-based
Configure GitHub Advanced Security with CodeQL to perform automated static analysis and vulnerability detection
Configures mutual TLS (mTLS) authentication between microservices using Python cryptography library for certificate
Detect and prevent API enumeration attacks including BOLA and IDOR exploitation by monitoring sequential identifier
SPF, DKIM, and DMARC form the three pillars of email authentication. Together they prevent domain spoofing, validate
Use the Malpedia platform and API to research malware family relationships, track variant evolution, link families
Detect Pass-the-Hash attacks by analyzing NTLM authentication patterns, identifying Type 3 logons with NTLM where
Perform authorized initial access using EvilGinx3 adversary-in-the-middle phishing framework to capture session
Deploy and configure the Dragos Platform for OT network monitoring, leveraging its 600+ industrial protocol
JSON Web Tokens (JWT) defined in RFC 7519 are compact, URL-safe tokens used for authentication and authorization
Implement User and Entity Behavior Analytics using Elasticsearch/OpenSearch to build behavioral baselines, calculate
Analyze Chromium-based browser artifacts using Hindsight to extract browsing history, downloads, cookies, cached
Probe RAG applications for prompt injection via poisoned retrieved context and embedding manipulation.
Deploys and configures CrowdStrike Falcon EDR agents across enterprise endpoints to enable real-time threat
The Diamond Model of Intrusion Analysis provides a structured framework for analyzing cyber intrusions by examining
Implement the CISA Zero Trust Maturity Model v2.0 across the five pillars of identity, devices, networks, applications,
Parse and analyze Cobalt Strike Malleable C2 profiles using dissect.cobaltstrike and pyMalleableC2 to extract
Configure SSL/TLS inspection on network security devices to decrypt, inspect, and re-encrypt HTTPS traffic for
Builds real-time incident response dashboards in Splunk, Elastic, or Grafana to provide SOC analysts and leadership
Auditing Google Cloud Platform IAM permissions to identify overly permissive bindings, primitive role usage,
Detect Kerberoasting attacks by monitoring for anomalous Kerberos TGS requests targeting service accounts with
Parse Windows Prefetch files using the windowsprefetch Python library to reconstruct application execution history,
Design and implement a comprehensive DevSecOps pipeline in GitLab CI/CD integrating SAST, DAST, container scanning,
Detect lateral movement in Azure AD/Entra ID environments using Microsoft Graph API audit logs, Azure Sentinel
Deploys canary files, honeypot shares, and decoy systems to detect ransomware activity at the earliest possible
Tests APIs for injection vulnerabilities including SQL injection, NoSQL injection, OS command injection, LDAP
Triages security alerts in Splunk Enterprise Security by classifying severity, investigating notable events,
Deploy and configure an OpenTAXII server to share and consume STIX-formatted cyber threat intelligence using
Crafts and injects custom network packets using Scapy, hping3, and Nemesis during authorized security assessments
Scan container images, IaC, and SBOMs for vulnerabilities and misconfigurations in CI/CD with Trivy.
Trigger machine account authentication with PetitPotam (MS-EFSR) and Coercer across MS-RPRN, MS-DFSNM, and MS-FSRVP to feed NTLM relay into AD CS Web Enrollment (ESC8) and other…
Analyze WAF (ModSecurity/AWS WAF/Cloudflare) logs to detect SQL injection attack campaigns. Parses ModSecurity