Parses Software Bill of Materials (SBOM) in CycloneDX and SPDX JSON formats to identify supply chain vulnerabilities
Skills (SKILL.md) are configuration files that add specific capabilities to AI agents such as Claude Code, Cursor, and Codex.
Leverages Splunk Enterprise Security and SPL (Search Processing Language) to investigate security incidents
Examine file system slack space, MFT entries, USN journal, and alternate data streams to recover hidden data
Investigate supply chain attack artifacts including trojanized software updates, compromised build pipelines,
MITRE ATT&CK is a globally-accessible knowledge base of adversary tactics, techniques, and procedures (TTPs)
Map advanced persistent threat (APT) group tactics, techniques, and procedures (TTPs) to the MITRE ATT&CK framework
Analyzes structured and unstructured threat intelligence feeds to extract actionable indicators, adversary tactics,
Analyze the threat landscape using MISP (Malware Information Sharing Platform) by querying event statistics,
Queries Certificate Transparency logs via crt.sh and pycrtsh to detect phishing domains, unauthorized certificate
Detect typosquatting, homograph phishing, and brand impersonation domains using dnstwist to generate domain permutations
Analyzes UEFI bootkit persistence mechanisms including firmware implants in SPI flash, EFI System Partition
Investigate USB device connection history from Windows registry, event logs, and setupapi logs to track removable
Parse Apache and Nginx access logs to detect SQL injection attempts, local file inclusion, directory traversal,
Parses and analyzes the Windows Amcache.hve registry hive to extract evidence of program execution, application
Analyzes Windows Security, System, and Sysmon event logs in Splunk to detect authentication attacks, privilege
Parse Windows LNK shortcut files to extract target paths, timestamps, volume information, and machine identifiers
Parse Windows Prefetch files using the windowsprefetch Python library to reconstruct application execution history,
Extract and analyze Windows Registry hives to uncover user activity, installed software, autostart entries, and
Analyze Windows Shellbag registry artifacts to reconstruct folder browsing activity, detect access to removable
Systematically audit AWS S3 bucket permissions to identify publicly accessible buckets, overly permissive ACLs,
Auditing Microsoft Entra ID (Azure Active Directory) configuration to identify risky authentication policies,
This skill details how to conduct cloud security audits using Center for Internet Security benchmarks for AWS,
Auditing Google Cloud Platform IAM permissions to identify overly permissive bindings, primitive role usage,
Auditing Kubernetes cluster RBAC configurations to identify overly permissive roles, wildcard permissions, dangerous
Auditing Terraform infrastructure-as-code for security misconfigurations using Checkov, tfsec, Terrascan, and
Monitors Certificate Transparency (CT) logs to detect unauthorized certificate issuance, discover subdomains
Automates the enrichment of raw indicators of compromise with multi-source threat intelligence context using
Build an automated system to track adversary infrastructure using passive DNS, certificate transparency, WHOIS
Extract and catalog attack patterns from cyber threat intelligence reports into a structured STIX-based library
Builds an automated malware submission and analysis pipeline that collects suspicious files from endpoints and
Build and configure a resilient command-and-control infrastructure using BishopFox's Sliver C2 framework with
This skill covers deploying Microsoft Sentinel as a cloud-native SIEM and SOAR platform for centralized security
Build effective detection rules using Splunk Search Processing Language (SPL) correlation searches to identify
Builds vendor-agnostic detection rules using the Sigma rule format for threat detection across SIEM platforms
Design and implement a comprehensive DevSecOps pipeline in GitLab CI/CD integrating SAST, DAST, container scanning,
Establish SAML 2.0 identity federation between on-premises Active Directory and Azure AD (Microsoft Entra ID)
Builds comprehensive identity governance and lifecycle management processes including joiner-mover-leaver automation,
Builds real-time incident response dashboards in Splunk, Elastic, or Grafana to provide SOC analysts and leadership
Designs and documents structured incident response playbooks that define step-by-step procedures for specific
Build collaborative forensic incident timelines using Timesketch to ingest, normalize, and analyze multi-source
Build an automated pipeline to defang indicators of compromise (URLs, IPs, domains, emails) for safe sharing
OpenCTI is an open-source platform for managing cyber threat intelligence knowledge, built on STIX 2.1 as its
Build structured communication templates for malware incidents including stakeholder notifications, executive
Establish a structured operational process to triage, test, and deploy Microsoft Patch Tuesday security updates
Implement a phishing report button in email clients with automated triage workflow that analyzes user-reported
Builds a structured ransomware incident response playbook aligned with the CISA StopRansomware Guide and NIST
Deploy and configure the Havoc C2 framework with teamserver, HTTPS listeners, redirectors, and Demon agents for
Apply bottom-up and top-down role mining techniques to discover optimal RBAC roles from existing user-permission
Build a structured SOC escalation matrix defining severity tiers, response SLAs, escalation paths, and notification
Builds SOC performance metrics and KPI tracking dashboards measuring Mean Time to Detect (MTTD), Mean Time to