Examine Linux system artifacts including auth logs, cron jobs, shell history, and system configuration to uncover
Skills (SKILL.md) are configuration files that add specific capabilities to AI agents (such as Claude Code, Cursor, and Codex).
Executes malware samples in Cuckoo Sandbox to observe runtime behavior including process creation, file system
Use the Malpedia platform and API to research malware family relationships, track variant evolution, link families
Detect and analyze covert communication channels used by malware including DNS tunneling, ICMP exfiltration,
Parse NetFlow v9 and IPFIX records to detect volumetric anomalies, port scanning, data exfiltration, and C2 beaconing
Parse Windows PowerShell Script Block Logs (Event ID 4104) from EVTX files to detect obfuscated commands, encoded
Analyzes encryption algorithms, key management, and file encryption routines used by ransomware families to
Traces ransomware cryptocurrency payment flows using blockchain analysis tools such as Chainalysis Reactor,
Examine file system slack space, MFT entries, USN journal, and alternate data streams to recover hidden data
MITRE ATT&CK is a globally-accessible knowledge base of adversary tactics, techniques, and procedures (TTPs)
Queries Certificate Transparency logs via crt.sh and pycrtsh to detect phishing domains, unauthorized certificate
Investigate USB device connection history from Windows registry, event logs, and setupapi logs to track removable
Parse Apache and Nginx access logs to detect SQL injection attempts, local file inclusion, directory traversal,
Analyzes Windows Security, System, and Sysmon event logs in Splunk to detect authentication attacks, privilege
Auditing Kubernetes cluster RBAC configurations to identify overly permissive roles, wildcard permissions, dangerous
Build an automated system to track adversary infrastructure using passive DNS, certificate transparency, WHOIS
Build and configure a resilient command-and-control infrastructure using BishopFox's Sliver C2 framework with
Establish SAML 2.0 identity federation between on-premises Active Directory and Azure AD (Microsoft Entra ID)
Builds comprehensive identity governance and lifecycle management processes including joiner-mover-leaver automation,
Implement a phishing report button in email clients with automated triage workflow that analyzes user-reported
Builds a structured ransomware incident response playbook aligned with the CISA StopRansomware Guide and NIST
Deploy and configure the Havoc C2 framework with teamserver, HTTPS listeners, redirectors, and Demon agents for
Apply bottom-up and top-down role mining techniques to discover optimal RBAC roles from existing user-permission
Build a structured SOC escalation matrix defining severity tiers, response SLAs, escalation paths, and notification
Builds a structured SOC incident response playbook for ransomware attacks covering detection, containment, eradication,
Building a Threat Intelligence Platform (TIP) involves deploying and integrating multiple CTI tools into a unified
Build a vulnerability exception and risk acceptance tracking system with approval workflows, compensating controls
Responds to malware infections across enterprise endpoints by identifying the malware family, determining infection
Implement Microsoft's Enhanced Security Admin Environment (ESAE) tiered administration model for Active Directory.
A Certificate Authority (CA) is the trust anchor in a PKI hierarchy, responsible for issuing, signing, and revoking
Configures host-based intrusion detection systems (HIDS) to monitor endpoint file integrity, system calls, and
Configuring Google Cloud Identity-Aware Proxy (IAP) to enforce per-request identity verification for Compute
Designs and implements VLAN-based network segmentation on managed switches to isolate network zones, enforce
Configures pfSense firewall rules, NAT policies, VPN tunnels, and traffic shaping to enforce network segmentation,
Configures Microsoft Defender for Endpoint (MDE) advanced protection settings including attack surface reduction
Executes containment strategies to stop active adversary operations and prevent lateral movement during a confirmed
Correlates disparate security incidents, IOCs, and adversary behaviors across time and organizations to identify
Systematically deobfuscate multi-layer PowerShell malware using AST analysis, dynamic tracing, and tools like
Deploys canary files (honeytokens) across file systems to detect ransomware encryption activity in real time.
Deploys and configures CrowdStrike Falcon EDR agents across enterprise endpoints to enable real-time threat
Deploys and monitors ransomware canary files across critical directories using Python's watchdog library for
Deploy and configure Tailscale as a WireGuard-based zero trust mesh VPN with identity-aware access controls,
This skill covers deploying anomaly detection systems for industrial control environments using machine learning
Detect and prevent API enumeration attacks including BOLA and IDOR exploitation by monitoring sequential identifier
Detect cyber attacks targeting OT historian servers (OSIsoft PI, Ignition, Wonderware) that sit at the IT/OT
This skill teaches security teams how to deploy and operationalize Amazon GuardDuty for continuous threat detection
Detecting compromised cloud credentials across AWS, Azure, and GCP by analyzing anomalous API activity, impossible
Detects defense evasion techniques used by adversaries in endpoint logs including log tampering, timestomping,
Detect Kerberos Golden Ticket forgery by analyzing Windows Event ID 4769 for RC4 encryption downgrades (0x17),
Identifies lateral movement techniques in enterprise networks by analyzing authentication logs, network flows,