MITRE ATT&CK is a globally-accessible knowledge base of adversary tactics, techniques, and procedures (TTPs)
Skills (SKILL.md) are configuration files that add specific capabilities to AI agents (such as Claude Code, Cursor, and Codex).
Analyzes UEFI bootkit persistence mechanisms including firmware implants in SPI flash, EFI System Partition
Parses and analyzes the Windows Amcache.hve registry hive to extract evidence of program execution, application
Parse Windows LNK shortcut files to extract target paths, timestamps, volume information, and machine identifiers
Extract and analyze Windows Registry hives to uncover user activity, installed software, autostart entries, and
Analyze Windows Shellbag registry artifacts to reconstruct folder browsing activity, detect access to removable
This skill details how to conduct cloud security audits using Center for Internet Security benchmarks for AWS,
Auditing Google Cloud Platform IAM permissions to identify overly permissive bindings, primitive role usage,
Auditing Kubernetes cluster RBAC configurations to identify overly permissive roles, wildcard permissions, dangerous
Auditing Terraform infrastructure-as-code for security misconfigurations using Checkov, tfsec, Terrascan, and
Monitors Certificate Transparency (CT) logs to detect unauthorized certificate issuance, discover subdomains
Automates the enrichment of raw indicators of compromise with multi-source threat intelligence context using
Extract and catalog attack patterns from cyber threat intelligence reports into a structured STIX-based library
Builds an automated malware submission and analysis pipeline that collects suspicious files from endpoints and
Build effective detection rules using Splunk Search Processing Language (SPL) correlation searches to identify
Design and implement a comprehensive DevSecOps pipeline in GitLab CI/CD integrating SAST, DAST, container scanning,
Establish SAML 2.0 identity federation between on-premises Active Directory and Azure AD (Microsoft Entra ID)
Builds comprehensive identity governance and lifecycle management processes including joiner-mover-leaver automation,
Designs and documents structured incident response playbooks that define step-by-step procedures for specific
Build collaborative forensic incident timelines using Timesketch to ingest, normalize, and analyze multi-source
Build an automated pipeline to defang indicators of compromise (URLs, IPs, domains, emails) for safe sharing
OpenCTI is an open-source platform for managing cyber threat intelligence knowledge, built on STIX 2.1 as its
Build structured communication templates for malware incidents including stakeholder notifications, executive
Establish a structured operational process to triage, test, and deploy Microsoft Patch Tuesday security updates
Builds a structured ransomware incident response playbook aligned with the CISA StopRansomware Guide and NIST
Deploy and configure the Havoc C2 framework with teamserver, HTTPS listeners, redirectors, and Demon agents for
Apply bottom-up and top-down role mining techniques to discover optimal RBAC roles from existing user-permission
Build a structured SOC escalation matrix defining severity tiers, response SLAs, escalation paths, and notification
Builds SOC performance metrics and KPI tracking dashboards measuring Mean Time to Detect (MTTD), Mean Time to
Builds a structured SOC incident response playbook for ransomware attacks covering detection, containment, eradication,
Build comprehensive threat actor profiles using open-source intelligence (OSINT) techniques to document adversary
Deploy MISP (Malware Information Sharing Platform) to aggregate, correlate, and distribute threat intelligence
Build a systematic threat hunt hypothesis framework that transforms threat intelligence, attack patterns, and
Build automated threat intelligence enrichment pipelines in Splunk Enterprise Security using lookup tables, modular
Building a Threat Intelligence Platform (TIP) involves deploying and integrating multiple CTI tools into a unified
Implement a vulnerability aging dashboard and SLA tracking system to measure remediation performance against
Deploy DefectDojo as a centralized vulnerability management dashboard with scanner integrations, deduplication,
Build a vulnerability exception and risk acceptance tracking system with approval workflows, compensating controls
Systematically collects, categorizes, and distributes indicators of compromise (IOCs) during and after security
Collects and synthesizes open-source intelligence (OSINT) about threat actors, malicious infrastructure, and
MISP (Malware Information Sharing Platform) is an open-source threat intelligence platform for gathering, sharing,
Collect volatile forensic evidence from a compromised system following order of volatility, preserving memory,
Conducts security testing of REST, GraphQL, and gRPC APIs to identify vulnerabilities in authentication, authorization,
Responds to security incidents in cloud environments (AWS, Azure, GCP) by performing identity-based containment,
This skill outlines methodologies for performing authorized penetration testing against AWS, Azure, and GCP
Perform DCSync attacks to replicate Active Directory credentials and establish domain persistence by extracting
Conducts external reconnaissance using Open Source Intelligence (OSINT) techniques to map an organization's
Plan and execute a comprehensive red team engagement covering reconnaissance through post-exploitation using
Execute an internal network penetration test simulating an insider threat or post-breach attacker to identify
Conduct internal Active Directory reconnaissance using BloodHound Community Edition to map attack paths, identify