Universal coding patterns, constraints, TDD workflow, atomic todos
Skills (SKILL.md) are configuration files that add specific capabilities to AI agents (such as Claude Code, Cursor, and Codex).
Multi-person projects - shared state, todo claiming, handoffs
makepad-2.0-design-judgment
Investigate a reported problem, find its root cause, and create a GitHub issue with a TDD fix plan. This is a mostly hands-off workflow - minimize questions to the user.
Monitor Certificate Transparency logs using crt.sh and Certstream to detect phishing domains, lookalike certificates,
Analyzes intrusion activity against the Lockheed Martin Cyber Kill Chain framework to identify which phases
Investigate compromised Docker containers by analyzing images, layers, volumes, logs, and runtime artifacts to
URLScan.io is a free service for scanning and analyzing suspicious URLs. It captures screenshots, DOM content,
Analyzes malicious PDF files using PDFiD, pdf-parser, and peepdf to identify embedded JavaScript, shellcode,
Parse Windows Prefetch files to determine program execution history including run counts, timestamps, and referenced
Systematically audit AWS S3 bucket permissions to identify publicly accessible buckets, overly permissive ACLs,
Monitors Certificate Transparency (CT) logs to detect unauthorized certificate issuance, discover subdomains
Systematically collects, categorizes, and distributes indicators of compromise (IOCs) during and after security
Configure AWS Verified Access to provide VPN-less zero trust network access to internal applications using identity
Harden LDAP directory services against common attacks including credential harvesting, LDAP injection, anonymous
Deploy Cisco Duo multi-factor authentication across enterprise applications, VPN, RDP, and SSH access points.
Configuring Zscaler Private Access (ZPA) to replace traditional VPN with zero trust network access by deploying
Deploying Cloudflare Access with Cloudflare Tunnel to provide zero trust access to self-hosted and private applications,
Deploying Palo Alto Networks Prisma Access for SASE-based zero trust network access using GlobalProtect agents,
Automate AWS GuardDuty threat detection findings processing using EventBridge and Lambda to enable real-time
Detect and investigate Azure service principal abuse including privilege escalation, credential compromise, admin
Deploy AI and NLP-powered detection systems to identify business email compromise attacks by analyzing writing
Container escape is a critical attack technique where an adversary breaks out of container isolation to access
Detect malicious email forwarding rules created by adversaries to maintain persistent access to email communications
Detect Kerberoasting attacks by monitoring for anomalous Kerberos TGS requests targeting service accounts with
Detect adversary lateral movement across networks using Splunk SPL queries against Windows authentication logs,
Detect Pass-the-Hash attacks by analyzing NTLM authentication patterns, identifying Type 3 logons with NTLM where
Detect privilege escalation attempts including token manipulation, UAC bypass, unquoted service paths, kernel
Detect abuse of service accounts through anomalous interactive logons, privilege escalation, lateral movement,
Detects typosquatting attacks in npm and PyPI package registries by analyzing package name similarity using
Detect C2 beaconing patterns in network traffic using frequency analysis, jitter detection, and domain reputation
Hunt for data exfiltration through network traffic analysis, detecting unusual data flows, DNS tunneling, cloud
Detect DCSync attacks by analyzing Windows Event ID 4662 for unauthorized DS-Replication-Get-Changes requests
Hunt for adversary abuse of legitimate cloud services for C2, data staging, and exfiltration including abuse
Hunt for adversary persistence through Windows Management Instrumentation event subscriptions by monitoring WMI
Hunt for registry-based persistence mechanisms including Run keys, Winlogon modifications, IFEO injection, and
Hunt for adversary persistence via Windows Scheduled Tasks by analyzing task creation events, suspicious task
Hunt for Volume Shadow Copy deletion activity that indicates ransomware preparation or anti-forensics by monitoring
Detect T1547.001 startup folder persistence by monitoring Windows startup directories for suspicious file creation,
Hunt for supply chain compromise indicators including trojanized software updates, compromised dependencies,
Hunt for adversary persistence and execution via Windows scheduled tasks by analyzing task creation events, suspicious
Hunt for unusual network connections by analyzing outbound traffic patterns, rare destinations, non-standard
Configure IAM permission boundaries in AWS to delegate role creation to developers while enforcing maximum privilege
Implement Amazon Macie to automatically discover, classify, and protect sensitive data in S3 buckets using machine
Configure Microsoft Entra Privileged Identity Management to enforce just-in-time role activation, approval workflows,
Implement the CISA Zero Trust Maturity Model v2.0 across the five pillars of identity, devices, networks, applications,
Deploy Breach and Attack Simulation tools to continuously validate security control effectiveness by safely emulating
The Diamond Model of Intrusion Analysis provides a structured framework for analyzing cyber intrusions by examining
Envelope encryption is a strategy where data is encrypted with a data encryption key (DEK), and the DEK itself
Configure SAML 2.0 single sign-on for Google Workspace with a third-party identity provider, enabling centralized