cybersecuritySkill
Uses the Linux Audit framework (auditd) with ausearch and aureport utilities to detect intrusion attempts, unauthorized access, privilege escalation, and suspicious system activity. Covers audit rule configuration, log querying, timeline reconstruction, and integration with SIEM platforms. Activates for requests involving auditd analysis, Linux audit log investigation, ausearch queries, aureport summaries, or host-based intrusion detection on Linux.
Incident Response
auditdaureportausearchforensics+3
ATT&CK4, 4 mappingsNIST CSF4, 4 mappings
cybersecuritySkill
Analyzes network traffic captures and flow data to identify adversary activity during security incidents, including command-and-control communications, lateral movement, data exfiltration, and exploitation attempts. Uses Wireshark, Zeek, and NetFlow analysis techniques. Activates for requests involving network traffic analysis, packet capture investigation, PCAP analysis, network forensics, C2 traffic detection, or exfiltration detection.
Incident Response
network-forensicspcap-analysistraffic-analysiswireshark+1
ATT&CK4, 4 mappingsNIST CSF4, 4 mappings
cybersecuritySkill
Leverages Splunk Enterprise Security and SPL (Search Processing Language) to investigate security incidents through log correlation, timeline reconstruction, and anomaly detection. Covers Windows event logs, firewall logs, proxy logs, and authentication data analysis. Activates for requests involving Splunk investigation, SPL queries, SIEM log analysis, security event correlation, or log-based incident investigation.
Incident Response
log-analysissecurity-monitoringsiemspl+1
ATT&CK5, 5 mappingsNIST CSF4, 4 mappingsATLAS3, 3 mappingsD3FEND5, 5 mappingsAI RMF5, 5 mappings
cybersecuritySkill
Designs and documents structured incident response playbooks that define step-by-step procedures for specific incident types aligned with NIST SP 800-61r3 and SANS PICERL frameworks. Covers playbook structure, decision trees, escalation criteria, RACI matrices, and integration with SOAR platforms. Activates for requests involving IR playbook creation, incident response procedure documentation, response runbook development, or SOAR playbook design.
Incident Response
ir-playbooknist-800-61response-proceduresrunbook+1
ATT&CK5, 5 mappingsNIST CSF4, 4 mappings
cybersecuritySkill
Build collaborative forensic incident timelines using Timesketch to ingest, normalize, and analyze multi-source event data for attack chain reconstruction and investigation documentation.
Incident Response
collaborative-forensicsdfirforensic-timelineincident-investigation+3
ATT&CK5, 5 mappingsNIST CSF4, 4 mappingsD3FEND5, 5 mappings
cybersecuritySkill
Build structured communication templates for malware incidents including stakeholder notifications, executive briefings, technical advisories, and regulatory disclosures with severity-based escalation procedures.
Incident Response
crisis-communicationexecutive-briefingincident-communicationmalware-response+2
ATT&CK5, 5 mappingsNIST CSF4, 4 mappings
cybersecuritySkill
Systematically collects, categorizes, and distributes indicators of compromise (IOCs) during and after security incidents to enable detection, blocking, and threat intelligence sharing. Covers network, host, email, and behavioral indicators using STIX/TAXII formats and threat intelligence platforms. Activates for requests involving IOC collection, indicator extraction, threat indicator sharing, compromise indicators, STIX export, or IOC enrichment.
Incident Response
ioc-collectionmispstix-taxiithreat-indicators+1
ATT&CK6, 6 mappingsNIST CSF4, 4 mappings
cybersecuritySkill
Collect volatile forensic evidence from a compromised system following order of volatility, preserving memory, network connections, processes, and system state before they are lost.
Incident Response
chain-of-custodydfirforensicsincident-response+2
ATT&CK5, 5 mappingsNIST CSF4, 4 mappings
cybersecuritySkill
Responds to security incidents in cloud environments (AWS, Azure, GCP) by performing identity-based containment, cloud-native log analysis, resource isolation, and forensic evidence acquisition adapted for ephemeral cloud infrastructure. Activates for requests involving cloud incident response, AWS security incident, Azure compromise, GCP breach, cloud forensics, or cloud identity compromise.
Incident Response
aws-forensicsazure-incident-responsecloud-irgcp-security+1
ATT&CK4, 4 mappingsNIST CSF4, 4 mappings
cybersecuritySkill
Responds to malware infections across enterprise endpoints by identifying the malware family, determining infection vectors, assessing spread, and executing eradication procedures. Covers the full lifecycle from detection through containment, analysis, removal, and recovery. Activates for requests involving malware response, malware eradication, trojan removal, worm containment, malware triage, or infected endpoint remediation.
Incident Response
endpoint-remediationeradicationmalware-analysismalware-response+1
ATT&CK5, 5 mappingsNIST CSF4, 4 mappingsD3FEND5, 5 mappings
cybersecuritySkill
Performs memory forensics analysis using Volatility 3 to extract evidence of malware execution, process injection, network connections, and credential theft from RAM dumps captured during incident response. Covers memory acquisition, process analysis, DLL inspection, and malware detection. Activates for requests involving memory forensics, RAM analysis, Volatility framework, memory dump investigation, volatile evidence analysis, or live memory acquisition.
Incident Response
dfirmemory-forensicsprocess-injectionram-analysis+1
ATT&CK5, 5 mappingsNIST CSF4, 4 mappings
cybersecuritySkill
Responds to phishing incidents by analyzing reported emails, extracting indicators, assessing credential compromise, quarantining malicious messages across the organization, and remediating affected accounts. Covers email header analysis, URL/attachment sandboxing, and mailbox-wide purge operations. Activates for requests involving phishing response, email incident, credential phishing, spear phishing investigation, or phishing remediation.
Incident Response
credential-compromiseemail-header-analysisemail-securitymailbox-remediation+1
ATT&CK6, 6 mappingsNIST CSF4, 4 mappings
cybersecuritySkill
Facilitate structured post-incident reviews to identify root causes, document what worked and failed, and produce actionable recommendations to improve future incident response.
Incident Response
after-action-reviewincident-responselessons-learnedpost-incident+1
ATT&CK4, 4 mappingsNIST CSF4, 4 mappings
cybersecuritySkill
Executes containment strategies to stop active adversary operations and prevent lateral movement during a confirmed security breach. Implements short-term and long-term containment using network segmentation, endpoint isolation, credential revocation, and access control modifications. Activates for requests involving breach containment, lateral movement prevention, network isolation, active threat containment, or live incident response.
Incident Response
breach-containmentcredential-revocationlateral-movementlive-response+1
ATT&CK5, 5 mappingsNIST CSF4, 4 mappings
cybersecuritySkill
Detect compromised O365 and Google Workspace email accounts by analyzing inbox rule creation, suspicious sign-in locations, mail forwarding rules, and unusual API access patterns via Microsoft Graph and audit logs.
Incident Response
account-takeoverbecemail-compromiseinbox-rules+3
ATT&CK5, 5 mappingsNIST CSF4, 4 mappings
cybersecuritySkill
Systematically remove malware, backdoors, and attacker persistence mechanisms from infected systems while ensuring complete eradication and preventing re-infection.
Incident Response
dfireradicationincident-responsemalware-removal+1
ATT&CK23, 23 mappingsNIST CSF4, 4 mappings
cybersecuritySkill
Deploy and configure Velociraptor for scalable endpoint forensic artifact collection during incident response using VQL queries, hunts, and pre-built artifact packs across Windows, Linux, and macOS environments.
Incident Response
dfirendpoint-collectionforensic-artifactsincident-response+4
ATT&CK5, 5 mappingsNIST CSF4, 4 mappingsD3FEND5, 5 mappings
cybersecuritySkill
Investigate Active Directory compromise by analyzing authentication logs, replication metadata, Group Policy changes, and Kerberos ticket anomalies to identify attacker persistence and lateral movement paths.
Incident Response
active-directorycompromise-investigationdfirgolden-ticket+4
ATT&CK12, 12 mappingsNIST CSF4, 4 mappingsD3FEND5, 5 mappings
cybersecuritySkill
Execute cloud-native incident containment across AWS, Azure, and GCP by isolating compromised resources, revoking credentials, preserving forensic evidence, and applying security group restrictions to prevent lateral movement.
Incident Response
awsazurecloud-forensicscloud-security+4
ATT&CK5, 5 mappingsNIST CSF4, 4 mappingsD3FEND5, 5 mappings
cybersecuritySkill
Conducts disk forensics investigations using forensic imaging, file system analysis, artifact recovery, and timeline reconstruction to support incident response cases. Utilizes tools such as FTK Imager, Autopsy, and The Sleuth Kit for evidence acquisition, deleted file recovery, and artifact examination. Activates for requests involving disk forensics, hard drive analysis, forensic imaging, file recovery, evidence acquisition, or digital forensic investigation.
Incident Response
chain-of-custodydisk-forensicsevidence-acquisitionfile-recovery+1
ATT&CK5, 5 mappingsNIST CSF4, 4 mappings
cybersecuritySkill
Investigates insider threat incidents involving employees, contractors, or trusted partners who misuse authorized access to steal data, sabotage systems, or violate security policies. Combines digital forensics, user behavior analytics, and HR/legal coordination to build an evidence-based case. Activates for requests involving insider threat investigation, employee data theft, privilege misuse, user behavior anomaly, or internal threat detection.
Incident Response
data-exfiltrationdfirinsider-threatprivilege-misuse+1
ATT&CK5, 5 mappingsNIST CSF4, 4 mappings
cybersecuritySkill
Executes a structured ransomware incident response from initial detection through containment, forensic analysis, decryption assessment, recovery, and post-incident hardening. Addresses ransom negotiation considerations, backup integrity verification, and regulatory notification requirements. Activates for requests involving ransomware response, ransomware recovery, crypto-ransomware, data encryption attack, ransom payment decision, or ransomware containment.
Incident Response
backup-restorationcisa-guidanceencryption-recoveryransom-negotiation+1
ATT&CK5, 5 mappingsNIST CSF4, 4 mappings
cybersecuritySkill
Test and validate ransomware recovery procedures including backup restore operations, RTO/RPO target verification, recovery sequencing, and clean restore validation to ensure organizational resilience against destructive ransomware attacks.
Incident Response
backupdisaster-recoveryincident-responseransomware+3
ATT&CK5, 5 mappingsNIST CSF4, 4 mappings
cybersecuritySkill
Performs initial triage of security incidents to determine severity, scope, and required response actions using the NIST SP 800-61r3 and SANS PICERL frameworks. Classifies incidents by type, assigns priority based on business impact, and routes to appropriate response teams. Activates for requests involving incident triage, security alert classification, severity assessment, incident prioritization, or initial incident analysis.
Incident Response
incident-triagenist-800-61sans-picerlseverity-classification+1
ATT&CK8, 8 mappingsNIST CSF4, 4 mappingsD3FEND5, 5 mappings
cybersecuritySkill
Classify and prioritize security incidents using structured IR playbooks to determine severity, assign response teams, and initiate appropriate response procedures.
Incident Response
incident-responseplaybookseverity-classificationsoc+1
ATT&CK4, 4 mappingsNIST CSF4, 4 mappings
cybersecuritySkill
Validate backup integrity through cryptographic hash verification, automated restore testing, corruption detection, and recoverability checks to ensure backups are reliable for disaster recovery and ransomware response scenarios.
Incident Response
backupdisaster-recoveryhash-verificationincident-response+2
ATT&CK5, 5 mappingsNIST CSF4, 4 mappings