JSON Web Tokens (JWT) defined in RFC 7519 are compact, URL-safe tokens used for authentication and authorization
Deploy and manage network honeypots using OpenCanary, T-Pot, or Cowrie to detect unauthorized access, lateral
Detect WMI-based lateral movement by analyzing Windows Event ID 4688 process creation and Sysmon Event ID 1 for
Scan container images, filesystems, and Kubernetes manifests for vulnerabilities, misconfigurations, exposed
Implement the CISA Zero Trust Maturity Model v2.0 across the five pillars of identity, devices, networks, applications,
Detect WMI event subscription persistence by analyzing Sysmon Event IDs 19, 20, and 21 for malicious EventFilter,
Performs systematic security testing of web applications following the OWASP Web Security Testing Guide (WSTG)
Spearphishing targets specific individuals using personalized, researched content that bypasses generic spam
Tests API rate limiting implementations for bypass vulnerabilities by manipulating request headers, IP addresses,
Conduct a thick client application penetration test to identify insecure local storage, hardcoded credentials,
Malware IOC extraction is the process of analyzing malicious software to identify actionable indicators of compromise
Implements full disk encryption using Microsoft BitLocker on Windows endpoints to protect data at rest from
Investigate USB device connection history from Windows registry, event logs, and setupapi logs to track removable
Analyzes malicious PDF files using PDFiD, pdf-parser, and peepdf to identify embedded JavaScript, shellcode,
Identifies lateral movement techniques in enterprise networks by analyzing authentication logs, network flows,
Testing web applications for path traversal vulnerabilities that allow reading or writing arbitrary files on
Detect kernel-level rootkits in Linux memory dumps using Volatility3 linux plugins (check_syscall, lsmod, hidden_modules),
Hunt for unusual network connections by analyzing outbound traffic patterns, rare destinations, non-standard
Identify command-and-control beaconing patterns in network traffic by applying statistical frequency analysis,
Configure and execute authenticated vulnerability scans using OpenVAS/Greenbone Vulnerability Management with
Performs GraphQL introspection attacks to extract the full API schema including types, queries, mutations, subscriptions,
Detect typosquatting, homograph phishing, and brand impersonation domains using dnstwist to generate domain permutations
Implements HashiCorp Vault dynamic secrets engines for database credentials, AWS IAM keys, and PKI certificates
Harden the Docker daemon by configuring daemon.json with user namespace remapping, TLS authentication, rootless
Detect Kerberos Pass-the-Ticket (PtT) attacks by analyzing Windows Event IDs 4768, 4769, and 4771 for anomalous
Write multi-event correlation rules that detect APT lateral movement by chaining Windows authentication events,
Performs comprehensive security assessments of IoT devices and their ecosystems by testing hardware interfaces,
Trivy is a comprehensive open-source vulnerability scanner by Aqua Security that detects vulnerabilities in OS
Identifies and exploits SQL injection vulnerabilities in web applications during authorized penetration tests
Deploy and configure Tofino industrial firewalls from Belden/Hirschmann to protect SCADA systems and PLCs using
Design and execute a social engineering penetration test including phishing, vishing, smishing, and physical
Conducts comprehensive network penetration tests against authorized target environments by performing host discovery,
Detecting exposed AWS credentials in source code repositories, CI/CD pipelines, and configuration files using
Implement API schema validation using OpenAPI specifications and JSON Schema to enforce input/output contracts
Performs advanced network reconnaissance using Nmap's scripting engine, timing controls, evasion techniques,
Triages security alerts in Splunk Enterprise Security by classifying severity, investigating notable events,
Detects and responds to OAuth token theft and replay attacks in cloud environments, focusing on Microsoft Entra
Implements security monitoring using Datadog Cloud SIEM, Cloud Security Management (CSM), and Workload Protection
Detect network reconnaissance and port scanning using Suricata and Snort IDS signatures, threshold-based detection
Tune SIEM detection rules to reduce false positives by analyzing alert volumes, creating whitelists, adjusting
Detect AWS IAM privilege escalation paths using boto3 and Cloudsplaining policy analysis to identify overly permissive
Automate OSINT collection using SpiderFoot REST API and CLI for target profiling, module-based reconnaissance,
Bypasses SSL/TLS certificate pinning implementations in Android and iOS applications to enable traffic interception
Detect sandbox evasion techniques in malware samples by analyzing timing checks, VM artifact queries, user interaction
Detects and analyzes malicious behavior in mobile applications through behavioral analysis, permission abuse
Capture and analyze network traffic using Wireshark and tshark to reconstruct network events, extract artifacts,
Open Source Intelligence (OSINT) gathering is the first active phase of a red team engagement, where operators
Uses Microsoft RESTler to perform stateful REST API fuzzing by automatically generating and executing test sequences
Detects rootkit presence on compromised systems by identifying hidden processes, hooked system calls, modified
Conduct internal Active Directory reconnaissance using BloodHound Community Edition to map attack paths, identify
Systematically collects, categorizes, and distributes indicators of compromise (IOCs) during and after security
Implement a vulnerability aging dashboard and SLA tracking system to measure remediation performance against
Scan container images for known vulnerabilities using Anchore Grype with SBOM-based matching and configurable
Configure SAML 2.0 single sign-on for Google Workspace with a third-party identity provider, enabling centralized
Configure rsyslog for centralized log collection with TLS encryption, custom templates, and log rotation. Generates
Configure and execute access recertification campaigns in Saviynt Enterprise Identity Cloud to validate user
Test and validate ransomware recovery procedures including backup restore operations, RTO/RPO target verification,
Analyzes network traffic generated by malware during sandbox execution or live incident response to identify
Plan and execute authorized vishing (voice phishing) pretext calls to assess employee susceptibility to social
Build an append-only log integrity chain using SHA-256 hash chaining for tamper detection. Each log entry is