Analyzes network traffic captures and flow data to identify adversary activity during security incidents, including
Skills (SKILL.md) are configuration files that add specific capabilities to AI agents such as Claude Code, Cursor, and Codex.
Captures and analyzes network packet data using Wireshark and tshark to identify malicious traffic patterns,
Parse Windows LNK shortcut files to extract target paths, timestamps, volume information, and machine identifiers
Designs and documents structured incident response playbooks that define step-by-step procedures for specific
Establish a structured operational process to triage, test, and deploy Microsoft Patch Tuesday security updates
Collect volatile forensic evidence from a compromised system following order of volatility, preserving memory,
Conducts security testing of REST, GraphQL, and gRPC APIs to identify vulnerabilities in authentication, authorization,
Responds to security incidents in cloud environments (AWS, Azure, GCP) by performing identity-based containment,
This skill outlines methodologies for performing authorized penetration testing against AWS, Azure, and GCP
Perform DCSync attacks to replicate Active Directory credentials and establish domain persistence by extracting
Conducts external reconnaissance using Open Source Intelligence (OSINT) techniques to map an organization's
Conduct internal Active Directory reconnaissance using BloodHound Community Edition to map attack paths, identify
Simulates man-in-the-middle attacks using Ettercap, mitmproxy, and Bettercap in authorized environments to intercept,
Conducts comprehensive network penetration tests against authorized target environments by performing host discovery,
Pass-the-Ticket (PtT) is a lateral movement technique that uses stolen Kerberos tickets (TGT or TGS) to authenticate
Spearphishing simulation is a targeted social engineering attack vector used by red teams to gain initial access.
Conducts authorized wireless network penetration tests to assess the security of WiFi infrastructure by testing
Deploy a Software-Defined Perimeter using the CSA v2.0 specification with Single Packet Authorization, mutual
Detect and prevent ARP spoofing attacks using ARPWatch, Dynamic ARP Inspection, Wireshark analysis, and custom
Detect and test for OWASP API3:2023 Broken Object Property Level Authorization vulnerabilities including excessive
Detects command-and-control (C2) communications tunneled through the DNS protocol, including DNS tunneling tools
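As an added example (not part of this catalogue or of the skill it describes), the following Python profiles DNS query logs per registered domain and flags the combination that DNS tunnels such as iodine or dnscat2 produce: many distinct, long, high-entropy subdomains under one domain, often carried in TXT or NULL queries. The log format, client addresses, domain names and thresholds are constructed for the example, and the registered-domain split is a naive last-two-labels assumption.

```python
"""Score DNS query logs for tunnelling indicators.

Added example, not the catalogue's own code. Tunnels push data through
many long, high-entropy subdomains under one attacker-controlled domain,
so the detection profiles each registered domain over a window rather
than judging single queries. Thresholds are starting points to tune per
environment, and the registered-domain split is a naive last-two-labels
assumption (use the Public Suffix List in production so that names under
co.uk and similar are handled)."""
import math
from collections import Counter, defaultdict

# Constructed sample log, one query per line: "<timestamp> <client> <qtype> <qname>"
SAMPLE_LOG = [
    "2024-05-01T10:00:01 10.0.1.20 A www.example.com",
    "2024-05-01T10:00:02 10.0.1.20 MX mail.example.com",
    "2024-05-01T10:00:03 10.0.1.21 A imap.example.com",
]
# Many distinct but short CDN hostnames: plenty of unique labels, no tunnel.
SAMPLE_LOG += [f"2024-05-01T10:00:1{i} 10.0.1.22 A img{i}.cdn.example.net" for i in range(6)]
# Six distinct 48-digit hex labels (entropy 4.0 bits/char) under one domain.
_HEX = "0123456789abcdef"
SAMPLE_LOG += [
    f"2024-05-01T10:01:0{i} 10.0.1.30 TXT {(_HEX[i:] + _HEX[:i]) * 3}.t.exfil-tunnel.example"
    for i in range(6)
]


def shannon_entropy(text):
    """Bits per character; 4.0 for uniformly distributed hex, about 5 for base32."""
    if not text:
        return 0.0
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values())


def split_name(qname):
    """Return (registered domain, subdomain) using the last two labels (assumption)."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:]), ".".join(labels[:-2])


def parse_log(lines):
    records = []
    for line in lines:
        _ts, client, qtype, qname = line.split()
        records.append((client, qtype.upper(), qname))
    return records


def profile_domains(records):
    """Per registered domain: distinct subdomains, subdomain lengths and
    entropies, and how many queries used record types favoured by tunnels."""
    stats = defaultdict(lambda: {"subdomains": set(), "lengths": [], "entropies": [], "tunnel_qtypes": 0})
    for _client, qtype, qname in records:
        domain, sub = split_name(qname)
        s = stats[domain]
        s["subdomains"].add(sub)
        s["lengths"].append(len(sub))
        s["entropies"].append(shannon_entropy(sub.replace(".", "")))
        if qtype in ("TXT", "NULL"):
            s["tunnel_qtypes"] += 1
    return stats


def is_tunnel_profile(s, min_distinct=5, min_mean_len=30, min_mean_entropy=3.5):
    """All three conditions must hold, so a CDN with many short names or a
    single long legitimate name does not trip the rule. Tunable thresholds."""
    n = len(s["lengths"])
    mean_len = sum(s["lengths"]) / n
    mean_entropy = sum(s["entropies"]) / n
    return len(s["subdomains"]) >= min_distinct and mean_len >= min_mean_len and mean_entropy >= min_mean_entropy


def suspicious_domains(lines):
    """Sorted registered domains whose query profile looks like a tunnel."""
    return sorted(d for d, s in profile_domains(parse_log(lines)).items() if is_tunnel_profile(s))


if __name__ == "__main__":
    for domain, s in profile_domains(parse_log(SAMPLE_LOG)).items():
        verdict = "flagged" if is_tunnel_profile(s) else "clear"
        print(f"{domain}: {len(s['subdomains'])} distinct subdomains, {s['tunnel_qtypes']} TXT/NULL, {verdict}")
```

The per-domain aggregate is what separates a tunnel from a busy CDN: the CDN has many labels but they are short and low-entropy, while a single long legitimate name never reaches the distinct-subdomain threshold. The TXT/NULL count is recorded as supporting evidence rather than a hard rule, because iodine can fall back to A, MX or CNAME records when those are blocked.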
Detect DCSync attacks where adversaries abuse Active Directory replication privileges to extract password hashes
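The DCSync entries above (performing it and detecting it) share one audit artefact: a replication request shows up on the domain controller as Security Event 4662 with a Control Access mask on the domain object and a replication extended right in the Properties field. The following Python, an added example that is not part of this catalogue or its skills, applies that filter to constructed 4662 records. The account names, domain and the allow-list of legitimate replicators are hypothetical.

```python
"""Flag Windows Security Event 4662 records consistent with DCSync.

Added example, not the catalogue's own code. DCSync asks a domain
controller to replicate directory data, so the audit trail is a Control
Access event (AccessMask 0x100) on the domain object whose Properties
list names a replication extended right. These events only exist if
'Audit Directory Service Access' is enabled and the domain naming
context carries a SACL for them. Domain controllers replicate
legitimately, as does an Azure AD Connect account; both are excluded by
an explicit allow-list rather than by 'name ends with $', because a
blanket machine-account exclusion would also hide a compromised server."""
import re

# Extended-right GUIDs from the Active Directory schema.
REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2",  # DS-Replication-Get-Changes
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2",  # DS-Replication-Get-Changes-All
    "89e95b76-444d-4c62-991a-0facbeda640c",  # DS-Replication-Get-Changes-In-Filtered-Set
}
CONTROL_ACCESS = 0x100
GUID_RE = re.compile(r"[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}")

# Hypothetical allow-list for this lab: the two DCs and the AAD Connect account.
ALLOWED_REPLICATORS = {"dc01$", "dc02$", "msol_1a2b3c4d5e6f"}

# Constructed sample: selected 4662 fields flattened to 'key=value' pairs.
SAMPLE_LOG = [
    "EventID=4662; SubjectUserName=DC02$; SubjectDomainName=CORP; AccessMask=0x100; "
    "Properties={1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}",
    "EventID=4662; SubjectUserName=MSOL_1a2b3c4d5e6f; SubjectDomainName=CORP; AccessMask=0x100; "
    "Properties={1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}",
    "EventID=4662; SubjectUserName=jdoe; SubjectDomainName=CORP; AccessMask=0x100; "
    "Properties={1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}",
    # a file server's machine account requesting replication: not on the allow-list
    "EventID=4662; SubjectUserName=FILESRV01$; SubjectDomainName=CORP; AccessMask=0x100; "
    "Properties={1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}",
    # an ordinary property read on a user object, not replication
    "EventID=4662; SubjectUserName=jdoe; SubjectDomainName=CORP; AccessMask=0x10; "
    "Properties={bf967a86-0de6-11d0-a285-00aa003049e2}",
    "EventID=4624; SubjectUserName=jdoe; SubjectDomainName=CORP; LogonType=3",
]


def parse_event(line):
    """Split the constructed 'key=value; key=value' line into a dict."""
    fields = {}
    for part in line.split(";"):
        key, sep, value = part.partition("=")
        if sep:
            fields[key.strip()] = value.strip()
    return fields


def is_dcsync(event):
    """True when a non-allow-listed account exercised a replication right."""
    if event.get("EventID") != "4662":
        return False
    if not int(event.get("AccessMask", "0"), 16) & CONTROL_ACCESS:
        return False
    rights = set(GUID_RE.findall(event.get("Properties", "").lower()))
    if not rights & REPLICATION_RIGHTS:
        return False
    return event.get("SubjectUserName", "").lower() not in ALLOWED_REPLICATORS


def dcsync_suspects(lines):
    """(domain, account) for each suspicious event, in log order."""
    hits = []
    for line in lines:
        event = parse_event(line)
        if is_dcsync(event):
            hits.append((event["SubjectDomainName"], event["SubjectUserName"]))
    return hits


if __name__ == "__main__":
    for domain, user in dcsync_suspects(SAMPLE_LOG):
        print(f"possible DCSync by {domain}\\{user}")
```

Tooling that performs DCSync (for example Mimikatz's lsadump::dcsync) requests both DS-Replication-Get-Changes and DS-Replication-Get-Changes-All, so matching on any one of the three GUIDs is enough to alert. In production the allow-list should be generated from the actual DC list and cross-checked against the event's source address, since an attacker operating from a compromised DC inherits that DC's account.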
Detects AI-generated deepfake audio used in voice phishing (vishing) attacks by extracting spectral features
Detect command injection attacks against the Modbus TCP/RTU protocol in ICS environments by monitoring for unauthorized
This skill covers detecting anomalies in Modbus/TCP and Modbus RTU communications in industrial control systems.
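Both Modbus entries above come down to the same inspection: parse the MBAP header, read the function code, and decide whether a write (or a diagnostic) from that source is expected. The following Python is an added example and not part of this catalogue or its skills; the source addresses, the allow-list and the sample frames are constructed.

```python
"""Inspect Modbus/TCP request frames and flag writes from unexpected sources.

Added example, not the catalogue's own code. The MBAP header is
transaction id, protocol id (always 0 for Modbus), length (count of bytes
after the length field, i.e. unit id plus PDU) and unit id; the PDU
starts with the function code. Source addresses and the allow-list are
hypothetical."""
import struct

WRITE_FUNCTIONS = {
    0x05: "Write Single Coil",
    0x06: "Write Single Register",
    0x0F: "Write Multiple Coils",
    0x10: "Write Multiple Registers",
    0x17: "Read/Write Multiple Registers",
}
READ_FUNCTIONS = {
    0x01: "Read Coils",
    0x02: "Read Discrete Inputs",
    0x03: "Read Holding Registers",
    0x04: "Read Input Registers",
}
# Only the engineering workstation may write; the HMI only reads. Hypothetical.
WRITE_ALLOWED = {"10.0.10.5"}


def parse_frame(frame):
    """Validate the MBAP header and return the PDU fields."""
    if len(frame) < 8:
        raise ValueError("frame shorter than MBAP header plus function code")
    tid, pid, length, uid = struct.unpack(">HHHB", frame[:7])
    if pid != 0:
        raise ValueError(f"protocol id {pid} is not Modbus")
    if length != len(frame) - 6:
        raise ValueError(f"length field {length} disagrees with {len(frame) - 6} bytes present")
    return {"transaction_id": tid, "unit_id": uid, "function": frame[7], "data": frame[8:]}


def inspect(src, frame):
    """Return an 'ok ...' or 'ALERT ...' verdict for one request frame."""
    try:
        pdu = parse_frame(frame)
    except ValueError as exc:
        return f"ALERT malformed frame from {src}: {exc}"
    fc = pdu["function"]
    if fc in WRITE_FUNCTIONS:
        if src in WRITE_ALLOWED:
            return f"ok {WRITE_FUNCTIONS[fc]} from {src}"
        return f"ALERT unauthorized {WRITE_FUNCTIONS[fc]} from {src} to unit {pdu['unit_id']}"
    if fc in READ_FUNCTIONS:
        return f"ok {READ_FUNCTIONS[fc]} from {src}"
    # Diagnostics (0x08), Encapsulated Interface (0x2B) and vendor codes are
    # reconnaissance or disruption tools on a plant network, not routine polling.
    return f"ALERT unexpected function 0x{fc:02x} from {src}"


def mb(tid, unit, fc, *words):
    """Build a constructed request frame whose PDU data is 16-bit big-endian words."""
    pdu = struct.pack(">B", fc) + b"".join(struct.pack(">H", w) for w in words)
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit) + pdu


SAMPLE_TRAFFIC = [
    ("10.0.10.20", mb(1, 1, 0x03, 0x0000, 0x000A)),   # HMI reads 10 holding registers
    ("10.0.10.5", mb(2, 1, 0x06, 0x0010, 0x1234)),    # workstation writes a setpoint
    ("10.0.20.77", mb(3, 1, 0x05, 0x0001, 0xFF00)),   # unknown host forces a coil ON
    ("10.0.20.77", mb(4, 1, 0x08, 0x0001, 0xFF00)),   # Diagnostics: restart communications
    ("10.0.20.77", struct.pack(">HHHBB", 5, 0, 99, 1, 0x03)),  # length field lies
]


def inspect_all(traffic):
    return [inspect(src, frame) for src, frame in traffic]


def alerts(traffic):
    return [verdict for verdict in inspect_all(traffic) if verdict.startswith("ALERT")]


if __name__ == "__main__":
    for verdict in inspect_all(SAMPLE_TRAFFIC):
        print(verdict)
```

Because Modbus has no authentication, the source address is the only thing that distinguishes the engineering workstation's legitimate write from an attacker's, so this check belongs on a span port or inline sensor between the control network and everything else, and a production rule set would also bound the coil and register ranges each writer may touch.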
Detect process hollowing (T1055.012) by analyzing memory-mapped sections, hollowed process indicators, and parent-child
Detecting data exfiltration attempts from AWS S3 buckets by analyzing CloudTrail S3 data events, VPC Flow Logs,
Spearphishing targets specific individuals using personalized, researched content that bypasses generic spam
Executes authorized phishing simulation campaigns to assess an organization's susceptibility to email-based
Red team engagement planning is the foundational phase that defines scope, objectives, rules of engagement (ROE),
Executes comprehensive red team exercises that simulate real-world adversary operations against an organization's
BloodHound is a graph-based Active Directory reconnaissance tool that uses graph theory to reveal hidden and
Analyzes and simulates BGP hijacking scenarios in authorized lab environments to assess route origin validation,
Tests APIs for Broken Function Level Authorization (BFLA) vulnerabilities where regular users can invoke administrative
Discover and exploit broken link hijacking vulnerabilities by identifying references to expired domains, decommissioned
Exploit Kerberos Constrained Delegation misconfigurations in Active Directory to impersonate privileged users
Tests and exploits deep link (URL scheme and App Link) vulnerabilities in Android and iOS mobile applications
Tests APIs for excessive data exposure where endpoints return more data than the client application needs, relying
Detecting and exploiting HTTP request smuggling vulnerabilities caused by Content-Length and Transfer-Encoding
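The Content-Length versus Transfer-Encoding disagreement in the entry above is easiest to see by running the same bytes through two parsers. The following Python is an added example, not part of this catalogue or its skills: one toy parser frames requests the way a front end that only honours Content-Length would, the other the way a back end that honours Transfer-Encoding: chunked does, and the victim's request that follows on the same connection comes out different on each side. Hostnames and the cookie value are constructed.

```python
"""Replay one TCP stream through two toy HTTP/1.1 parsers to show a CL.TE desync.

Added example, not the catalogue's own code. The front end frames
requests by Content-Length and does not understand Transfer-Encoding;
the back end honours Transfer-Encoding: chunked, as RFC 9112 requires
when both headers are present. Hostnames and the victim's cookie are
constructed; the chunked reader assumes no trailer fields follow the
terminating zero-size chunk."""

ATTACKER = (
    b"POST / HTTP/1.1\r\n"
    b"Host: vulnerable.example\r\n"
    b"Content-Length: 6\r\n"
    b"Transfer-Encoding: chunked\r\n"
    b"\r\n"
    b"0\r\n"
    b"\r\n"
    b"G"   # the six body bytes are '0\r\n\r\nG'; 'G' is left unread on the back-end socket
)
VICTIM = (
    b"GET /account HTTP/1.1\r\n"
    b"Host: vulnerable.example\r\n"
    b"Cookie: session=victim-secret\r\n"
    b"\r\n"
)
STREAM = ATTACKER + VICTIM   # both requests share one front-end to back-end connection


def split_head(buf):
    """Return (request line, lower-cased header dict, bytes after the head)."""
    head, sep, rest = buf.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete request head")
    lines = head.decode("latin-1").split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, rest


def read_chunked(buf):
    """Consume a chunked body; return (body, remaining bytes)."""
    body = b""
    while True:
        size_line, _, buf = buf.partition(b"\r\n")
        size = int(size_line.split(b";")[0], 16)   # chunk extensions ignored
        if size == 0:
            return body, buf[2:]                   # skip the final CRLF (no trailers assumed)
        body += buf[:size]
        buf = buf[size + 2:]                       # chunk data plus its CRLF


def frontend_requests(stream):
    """Front end: Content-Length only."""
    out = []
    while stream:
        req_line, headers, rest = split_head(stream)
        n = int(headers.get("content-length", "0"))
        out.append((req_line, rest[:n]))
        stream = rest[n:]
    return out


def backend_requests(stream):
    """Back end: Transfer-Encoding wins over Content-Length."""
    out = []
    while stream:
        req_line, headers, rest = split_head(stream)
        if "chunked" in headers.get("transfer-encoding", "").lower():
            body, stream = read_chunked(rest)
        else:
            n = int(headers.get("content-length", "0"))
            body, stream = rest[:n], rest[n:]
        out.append((req_line, body))
    return out


def has_conflicting_framing(raw):
    """The check a hardened front end applies before forwarding: a request
    carrying both framing headers is rejected (RFC 9112 allows a 400) or
    rewritten to a single unambiguous framing."""
    _, headers, _ = split_head(raw)
    return "content-length" in headers and "transfer-encoding" in headers


if __name__ == "__main__":
    print("front end saw:", [line for line, _ in frontend_requests(STREAM)])
    print("back end saw: ", [line for line, _ in backend_requests(STREAM)])
```

The front end sees a POST with a six-byte body followed by the victim's GET; the back end sees an empty chunked body, leaves the stray G on the connection, and reads the victim's request as GGET /account, with the victim's cookie attached. A longer smuggled prefix turns that into a request the attacker controls, which is the basis for the cache-poisoning and credential-capture variants. The defence is to make the two parsers agree: reject or normalise ambiguous framing at the edge as has_conflicting_framing does, or avoid HTTP/1.1 connection reuse toward the back end.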
Identifying and exploiting Insecure Direct Object Reference vulnerabilities to access unauthorized resources
Identifies and exploits insecure local data storage vulnerabilities in Android and iOS mobile applications including
Identifying and exploiting insecure deserialization vulnerabilities in Java, PHP, Python, and .NET applications
Identifies and exploits IPv6-specific vulnerabilities including SLAAC spoofing, Router Advertisement flooding,
Discover and exploit mass assignment vulnerabilities in REST APIs to escalate privileges, modify restricted fields,
Exploit the noPac vulnerability chain (CVE-2021-42278 sAMAccountName spoofing and CVE-2021-42287 KDC PAC confusion)
Detect and exploit NoSQL injection vulnerabilities in MongoDB, CouchDB, and other NoSQL databases to demonstrate
Detect and exploit race condition vulnerabilities in web applications using Turbo Intruder's single-packet attack
Identifies and exploits SMB protocol vulnerabilities using Metasploit Framework during authorized penetration
Identifies and exploits SQL injection vulnerabilities in web applications during authorized penetration tests
Detecting and exploiting SQL injection vulnerabilities using sqlmap to extract database contents during authorized