cybersecuritySkill
Parses API Gateway access logs (AWS API Gateway, Kong, Nginx) to detect BOLA/IDOR attacks, rate limit bypass, credential scanning, and injection attempts. Uses pandas for statistical analysis of request patterns and anomaly detection. Use when investigating API abuse or building API-specific threat detection rules.
Security Operations
access-log-analysisapi-securityaws-api-gatewaybola-detection+4
ATT&CK4, 4 mappingsNIST CSF4, 4 mappings
cybersecuritySkill
Queries Azure Monitor activity logs and sign-in logs via azure-monitor-query to detect suspicious administrative operations, impossible travel, privilege escalation, and resource modifications. Builds KQL queries for threat hunting in Azure environments. Use when investigating suspicious Azure tenant activity or building cloud SIEM detections.
Security Operations
activity-logsazureazure-monitorcloud-security+2
ATT&CK5, 5 mappingsNIST CSF4, 4 mappings
cybersecuritySkill
Performs Linux memory acquisition using LiME (Linux Memory Extractor) kernel module and analysis with Volatility 3 framework. Extracts process lists, network connections, bash history, loaded kernel modules, and injected code from Linux memory images. Use when performing incident response on compromised Linux systems.
Security Operations
incident-responsekernel-moduleslimelinux-forensics+2
ATT&CK4, 4 mappingsNIST CSF4, 4 mappings
cybersecuritySkill
Parse Windows PowerShell Script Block Logs (Event ID 4104) from EVTX files to detect obfuscated commands, encoded payloads, and living-off-the-land techniques. Uses python-evtx to extract and reconstruct multi-block scripts, applies entropy analysis and pattern matching for Base64-encoded commands, Invoke-Expression abuse, download cradles, and AMSI bypass attempts.
Security Operations
endpoint-securityevent-id-4104obfuscation-detectionpowershell+2
ATT&CK7, 7 mappingsNIST CSF4, 4 mappings
cybersecuritySkill
Queries Certificate Transparency logs via crt.sh and pycrtsh to detect phishing domains, unauthorized certificate issuance, and shadow IT. Monitors newly issued certificates for typosquatting and brand impersonation using Levenshtein distance. Use for proactive phishing domain detection and certificate monitoring.
Security Operations
certificate-transparencycrt-shct-logsphishing-detection+2
ATT&CK4, 4 mappingsNIST CSF4, 4 mappingsATLAS2, 2 mappings
cybersecuritySkill
Parse Apache and Nginx access logs to detect SQL injection attempts, local file inclusion, directory traversal, web scanner fingerprints, and brute-force patterns. Uses regex-based pattern matching against OWASP attack signatures, GeoIP enrichment for source attribution, and statistical anomaly detection for request frequency and response size outliers.
Security Operations
apache-logsdirectory-traversalintrusion-detectionlfi-detection+3
ATT&CK5, 5 mappingsNIST CSF4, 4 mappings
cybersecuritySkill
Performs statistical analysis of Zeek conn.log connection intervals to detect C2 beaconing patterns. Uses the ZAT library to load Zeek logs into Pandas DataFrames, calculates inter-arrival time standard deviation, and flags periodic connections with low jitter. Use when hunting for command-and-control callbacks in network data.
Security Operations
c2-beaconingconn-log-analysisnetwork-securitystatistical-analysis+3
ATT&CK5, 5 mappingsNIST CSF4, 4 mappings
cybersecuritySkill
Detects insider data exfiltration by analyzing DLP policy violations, file access patterns, upload volume anomalies, and off-hours activity in endpoint and cloud logs. Uses pandas for behavioral analytics and statistical baselines. Use when investigating insider threats or building user behavior analytics for data loss prevention.
Security Operations
data-loss-preventiondlpexfiltration-detectioninsider-threat+2
ATT&CK5, 5 mappingsNIST CSF4, 4 mappings
cybersecuritySkill
Analyze WAF (ModSecurity/AWS WAF/Cloudflare) logs to detect SQL injection attack campaigns. Parses ModSecurity audit logs and JSON WAF event logs to identify SQLi patterns (UNION SELECT, OR 1=1, SLEEP(), BENCHMARK()), tracks attack sources, correlates multi-stage injection attempts, and generates incident reports with OWASP classification.
Security Operations
aws-wafcloudflare-wafmodsecuritysql-injection-detection+2
ATT&CK3, 3 mappingsNIST CSF4, 4 mappings
cybersecuritySkill
Scans GitHub Actions workflows and CI/CD pipeline configurations for supply chain attack vectors including unpinned actions, script injection via expressions, dependency confusion, and secrets exposure. Uses PyGithub and YAML parsing for automated audit. Use when hardening CI/CD pipelines or investigating compromised build systems.
Security Operations
ci-cd-securitydependency-pinningdevsecopsgithub-actions+2
ATT&CK4, 4 mappingsNIST CSF4, 4 mappingsATLAS2, 2 mappingsAI RMF3, 3 mappings
cybersecuritySkill
Uses Rekall memory forensics framework to analyze memory dumps for process hollowing, injected code via VAD anomalies, hidden processes, and rootkit detection. Applies plugins like pslist, psscan, vadinfo, malfind, and dlllist to extract forensic artifacts from Windows memory images. Use during incident response memory analysis.
Security Operations
code-injectionincident-responsememory-forensicsprocess-hollowing+3
ATT&CK5, 5 mappingsNIST CSF4, 4 mappings
cybersecuritySkill
Detects credential stuffing attacks by analyzing authentication logs for login velocity anomalies, ASN diversity, password spray patterns, and geographic distribution of failed logins. Uses statistical analysis on Splunk or raw log data. Use when investigating account takeover campaigns or building detection rules for auth abuse.
Security Operations
account-takeoverasn-analysisauthentication-logscredential-stuffing+2
ATT&CK5, 5 mappingsNIST CSF4, 4 mappings
cybersecuritySkill
Deploys DNS, HTTP, and AWS API key canary tokens across network infrastructure to detect unauthorized access and lateral movement. Integrates with webhook alerting (Slack, Teams, email, generic HTTP) for real-time intrusion notifications. Provides automated token generation, placement strategies, and monitoring for enterprise network environments. Use when building deception-based network intrusion detection with Canarytokens.org and Thinkst Canary platforms.
Security Operations
breach-detectioncanary-tokensdeceptionhoneytokens+2
ATT&CK11, 11 mappingsNIST CSF4, 4 mappings
cybersecuritySkill
Implements eBPF-based security monitoring using Cilium Tetragon for real-time process execution tracking, network connection observability, file access auditing, and runtime enforcement. Covers TracingPolicy CRD authoring with kprobe/tracepoint hooks, in-kernel filtering via matchArgs/matchBinaries selectors, JSON event export, and integration with SIEM pipelines. Use when building kernel-level runtime security observability for Linux hosts or Kubernetes clusters.
Security Operations
ciliumebpfkernel-securitykubernetes-security+3
ATT&CK5, 5 mappingsNIST CSF4, 4 mappingsATLAS3, 3 mappingsAI RMF3, 3 mappings
cybersecuritySkill
Deploy and configure Wazuh SIEM/XDR for endpoint detection including agent management, custom decoder and rule XML creation, alert querying via the Wazuh REST API, and automated response actions.
Security Operations
custom-rulesendpoint-detectionincident-responsesiem+2
ATT&CK5, 5 mappingsNIST CSF4, 4 mappingsAI RMF5, 5 mappings
cybersecuritySkill
Deploys canary tokens and honeytokens (fake AWS credentials, DNS canaries, document beacons, database records) that trigger alerts when accessed by attackers. Uses the Canarytokens API and custom webhook integrations for breach detection. Use when building deception-based early warning systems for intrusion detection.
Security Operations
breach-detectioncanary-tokensdeception-technologydns-canary+2
ATT&CK5, 5 mappingsNIST CSF4, 4 mappings
cybersecuritySkill
Configure Fluentd and Fluent Bit for centralized log aggregation, routing, filtering, and enrichment across distributed infrastructure
Security Operations
centralized-loggingfluent-bitfluentdlog-aggregation+3
ATT&CK5, 5 mappingsNIST CSF4, 4 mappings
cybersecuritySkill
Build an append-only log integrity chain using SHA-256 hash chaining for tamper detection. Each log entry is hashed with the previous entry's hash to create a blockchain-like structure where modifying any entry invalidates all subsequent hashes. Implements log ingestion, chain verification, tamper detection with pinpoint identification, and periodic checkpoint anchoring to external timestamping services.
Security Operations
audit-logginghash-chaininglog-integritysecurity-operations+2
ATT&CK3, 3 mappingsNIST CSF4, 4 mappings
cybersecuritySkill
Configures mutual TLS (mTLS) authentication between microservices using Python cryptography library for certificate generation and ssl module for TLS verification. Validates certificate chains, checks expiration, and audits mTLS deployment status. Use when implementing zero-trust service-to-service authentication.
Security Operations
certificate-managementmicroservices-securitymtlsmutual-tls+2
ATT&CK5, 5 mappingsNIST CSF4, 4 mappings
cybersecuritySkill
Implements security chaos engineering experiments that deliberately disable or degrade security controls to verify detection and response capabilities. Tests WAF bypass, firewall rule removal, log pipeline disruption, and EDR disablement scenarios using boto3 and subprocess. Use when validating SOC detection coverage and resilience.
Security Operations
control-validationdetection-validationresilience-testingsecurity-chaos-engineering+1
ATT&CK5, 5 mappingsNIST CSF4, 4 mappingsATLAS3, 3 mappingsAI RMF3, 3 mappings
cybersecuritySkill
Implements security monitoring using Datadog Cloud SIEM, Cloud Security Management (CSM), and Workload Protection to detect threats, enforce compliance, and respond to security events across cloud and hybrid infrastructure. Covers Agent deployment, log source ingestion, detection rule creation, security dashboards, and automated notification workflows. Activates for requests involving Datadog security setup, Cloud SIEM configuration, CSM threat detection, or security monitoring dashboards.
Security Operations
cloud-securitycsmdatadogdetection-rules+4
ATT&CK5, 5 mappingsNIST CSF4, 4 mappingsD3FEND5, 5 mappingsAI RMF5, 5 mappings
cybersecuritySkill
Write multi-event correlation rules that detect APT lateral movement by chaining Windows authentication events, process execution telemetry, and network connection logs across hosts. Uses Splunk SPL and Sigma rule format to correlate Event IDs 4624, 4648, 4688, and Sysmon Events 1/3 within sliding time windows to surface attack sequences invisible to single-event detections.
Security Operations
apt-detectioncorrelation-ruleslateral-movementsecurity-operations+2
ATT&CK5, 5 mappingsNIST CSF4, 4 mappings
cybersecuritySkill
Tune SIEM detection rules to reduce false positives by analyzing alert volumes, creating whitelists, adjusting thresholds, and measuring detection efficacy metrics in Splunk and Elastic
Security Operations
alert-tuningdetection-engineeringelasticfalse-positive-reduction+3
ATT&CK5, 5 mappingsNIST CSF4, 4 mappings
cybersecuritySkill
Automate phishing incident response using Splunk SOAR REST API to create containers, add artifacts, and trigger playbooks
Security Operations
incident-responsephishingsoarsplunk-phantom
ATT&CK5, 5 mappingsNIST CSF4, 4 mappings
cybersecuritySkill
Configure rsyslog for centralized log collection with TLS encryption, custom templates, and log rotation. Generates server and client configuration files with GnuTLS stream drivers, x509 certificate authentication, per-host log segregation, and reliable queue settings for high-availability syslog infrastructure.
Security Operations
log-centralizationlog-managementrsyslogsecurity-operations+2
ATT&CK5, 5 mappingsNIST CSF4, 4 mappings
cybersecuritySkill
Detects DNS tunneling by computing Shannon entropy of DNS query names, analyzing query length distributions, inspecting TXT record payloads, and identifying high subdomain cardinality. Uses scapy for packet capture analysis and statistical methods to distinguish legitimate DNS from covert channels. Use when hunting for data exfiltration.
Security Operations
dns-analysisdns-tunnelingexfiltration-detectionsecurity-operations+2
ATT&CK5, 5 mappingsNIST CSF4, 4 mappings
cybersecuritySkill
Automate GoPhish phishing simulation campaigns using the Python gophish library. Creates email templates with tracking pixels, configures SMTP sending profiles, builds target groups from CSV, launches campaigns, and analyzes results including open rates, click rates, and credential submission statistics for security awareness assessment.
Security Operations
campaign-automationgophishphishing-simulationred-teaming+2
ATT&CK5, 5 mappingsNIST CSF4, 4 mappings
cybersecuritySkill
Test for Server-Side Request Forgery vulnerabilities by probing cloud metadata endpoints, internal network services, and protocol handlers through user-controllable URL parameters. Tests AWS/GCP/Azure metadata APIs (169.254.169.254), internal port scanning via HTTP, URL scheme bypass techniques, and DNS rebinding detection.
Security Operations
cloud-metadata-abusepenetration-testingssrfvulnerability-exploitation+1
ATT&CK6, 6 mappingsNIST CSF4, 4 mappings