Hunt for adversary persistence through Windows Management Instrumentation event subscriptions by monitoring WMI
Skills (SKILL.md) are configuration files that add specific capabilities to AI agents such as Claude Code, Cursor, and Codex.
Hunt for registry-based persistence mechanisms including Run keys, Winlogon modifications, IFEO injection, and
Hunt for adversary persistence via Windows Scheduled Tasks by analyzing task creation events, suspicious task
Hunt for Volume Shadow Copy deletion activity that indicates ransomware preparation or anti-forensics by monitoring
Detect T1547.001 startup folder persistence by monitoring Windows startup directories for suspicious file creation,
Hunt for supply chain compromise indicators including trojanized software updates, compromised dependencies,
Hunt for adversary persistence and execution via Windows scheduled tasks by analyzing task creation events, suspicious
Hunt for MITRE ATT&CK T1098 account manipulation including shadow admin creation, SID history injection, group
Hunt for unusual network connections by analyzing outbound traffic patterns, rare destinations, non-standard
Detect suspicious Windows service installations (MITRE ATT&CK T1543.003) by parsing System event logs for Event
Deploy Aqua Security's Trivy scanner to detect vulnerabilities, misconfigurations, secrets, and license issues
Configure IAM permission boundaries in AWS to delegate role creation to developers while enforcing maximum privilege
Implement Amazon Macie to automatically discover, classify, and protect sensitive data in S3 buckets using machine
Configure Microsoft Entra Privileged Identity Management to enforce just-in-time role activation, approval workflows,
Implement the CISA Zero Trust Maturity Model v2.0 across the five pillars of identity, devices, networks, applications,
Implement Cloud Security Posture Management using AWS Security Hub, Azure Defender for Cloud, and open-source
Enforce Kubernetes network segmentation using Calico CNI network policies and global network policies to control
Deploy Breach and Attack Simulation tools to continuously validate security control effectiveness by safely emulating
The Diamond Model of Intrusion Analysis provides a structured framework for analyzing cyber intrusions by examining
Implements eBPF-based security monitoring using Cilium Tetragon for real-time process execution tracking, network
Envelope encryption is a strategy where data is encrypted with a data encryption key (DEK), and the DEK itself
Configure SAML 2.0 single sign-on for Google Workspace with a third-party identity provider, enabling centralized
Deploys canary files, honeypot shares, and decoy systems to detect ransomware activity at the earliest possible
Deploy SailPoint IdentityNow or IdentityIQ for identity governance and administration. Covers identity lifecycle
Implement Just-In-Time (JIT) access provisioning to eliminate standing privileges by granting temporary, time-bound
Implementing microsegmentation using Akamai Guardicore Segmentation to map application dependencies, create
This skill covers implementing North American Electric Reliability Corporation Critical Infrastructure Protection
Implements 802.1X port-based network access control using RADIUS authentication, PacketFence NAC, and switch
Deploy and manage network honeypots using OpenCanary, T-Pot, or Cowrie to detect unauthorized access, lateral
Configure and deploy Palo Alto Networks next-generation firewalls with App-ID, User-ID, zone-based policies,
Deploy CyberArk Privileged Access Management to discover, vault, rotate, and monitor privileged credentials across
Deploy and configure Proofpoint Email Protection as a secure email gateway to detect and block phishing, malware,
Harden Kubernetes Role-Based Access Control by implementing least-privilege policies, auditing role bindings,
Implement eBPF-based runtime security observability and enforcement in Kubernetes clusters using Cilium Tetragon
Implement SAML 2.0 Single Sign-On (SSO) using Okta as the Identity Provider (IdP). This skill covers end-to-end
Tune SIEM detection rules to reduce false positives by analyzing alert volumes, creating whitelists, adjusting
Deploy CyberArk Secure Cloud Access to eliminate standing privileges in hybrid and multi-cloud environments using
Implement NextDNS as a zero trust DNS filtering layer with encrypted resolution, threat intelligence blocking,
Deploy Google BeyondCorp Enterprise zero trust access controls using Identity-Aware Proxy (IAP), context-aware
Implement HashiCorp Boundary for identity-aware zero trust infrastructure access management with dynamic credential
Investigates phishing email incidents from initial user report through header analysis, URL/attachment detonation,
This skill covers implementing Okta as a centralized identity provider for cloud environments, configuring SSO
Monitors dark web forums, marketplaces, paste sites, and ransomware leak sites for mentions of organizational
Monitors Modbus TCP traffic on SCADA and ICS networks to detect anomalous function code usage, unauthorized
The Common Vulnerability Scoring System (CVSS) is the industry standard framework maintained by FIRST (Forum
Reverse engineers malicious Android APK files using JADX decompiler to analyze Java/Kotlin source code, identify
Harbor is an open-source container registry that provides security features including vulnerability scanning
Identifies dependencies at heightened risk of exploitation or takeover. Use when assessing supply chain attack surface, evaluating dependency health, or scoping security engagements.
A 6-phase process for creating a workflow-based skill from scratch.