Skip to content

Security & Compliance Skills

838 curated security and compliance skills for AI coding agents. Access control, vulnerability scanning, compliance audit - all license-verified.

Deploying Cloudflare Access For Zero Trust

Deploying Cloudflare Access with Cloudflare Tunnel to provide zero trust access to self-hosted and private applications, configuring identity-aware access policies, device posture checks, and WARP client enrollment for VPN replacement.

#mukul-cybersecurity-skills#security#cybersecuritySecurity & Compliance

Deploying Decoy Files For Ransomware Detection

Deploys canary files (honeytokens) across file systems to detect ransomware encryption activity in real time. Uses strategically placed decoy documents monitored via file integrity monitoring or OS-level watchdogs to trigger alerts when ransomware modifies or encrypts them. Activates for requests involving ransomware canary deployment, honeyfile setup, deception-based ransomware detection, or file integrity monitoring for encryption.

#mukul-cybersecurity-skills#security#cybersecuritySecurity & Compliance

Deploying Edr Agent With Crowdstrike

Deploys and configures CrowdStrike Falcon EDR agents across enterprise endpoints to enable real-time threat detection, behavioral analysis, and automated response. Use when onboarding endpoints to EDR coverage, configuring detection policies, or integrating Falcon telemetry with SIEM platforms. Activates for requests involving CrowdStrike deployment, Falcon sensor installation, EDR policy configuration, or endpoint detection and response.

#mukul-cybersecurity-skills#security#cybersecuritySecurity & Compliance

Deploying Osquery For Endpoint Monitoring

Deploys and configures osquery for real-time endpoint monitoring using SQL-based queries to inspect running processes, open ports, installed software, and system configuration. Use when building visibility into endpoint state, threat hunting across fleet, or implementing compliance monitoring. Activates for requests involving osquery deployment, endpoint visibility, fleet management, or SQL-based endpoint querying.

#mukul-cybersecurity-skills#security#cybersecuritySecurity & Compliance

Deploying Palo Alto Prisma Access Zero Trust

Deploying Palo Alto Networks Prisma Access for SASE-based zero trust network access using GlobalProtect agents, ZTNA Connectors, security policy enforcement, and integration with Strata Cloud Manager for unified security management.

#mukul-cybersecurity-skills#security#cybersecuritySecurity & Compliance

Deploying Ransomware Canary Files

Deploys and monitors ransomware canary files across critical directories using Python's watchdog library for real-time filesystem event detection. Places strategically named decoy files that mimic high-value targets (financial records, credentials, database exports) in locations ransomware typically enumerates first. Monitors for any read, modify, rename, or delete operations on canary files and triggers immediate alerts via email, Slack webhook, or syslog when interaction is detected, providing early warning before full encryption begins.

#mukul-cybersecurity-skills#security#cybersecuritySecurity & Compliance

Deploying Software Defined Perimeter

Deploy a Software-Defined Perimeter using the CSA v2.0 specification with Single Packet Authorization, mutual TLS, and SDP controller/gateway configuration to enforce zero trust network access.

#mukul-cybersecurity-skills#security#cybersecuritySecurity & Compliance

Deploying Tailscale For Zero Trust Vpn

Deploy and configure Tailscale as a WireGuard-based zero trust mesh VPN with identity-aware access controls, ACLs, and exit nodes for secure peer-to-peer connectivity.

#mukul-cybersecurity-skills#security#cybersecuritySecurity & Compliance

Detecting AI Model Prompt Injection Attacks

Detects prompt injection attacks targeting LLM-based applications using a multi-layered defense combining regex pattern matching for known attack signatures, heuristic scoring for structural anomalies, and transformer-based classification with DeBERTa models. The detector analyzes user inputs before they reach the LLM, flagging direct injections (system prompt overrides, role-play escapes, instruction hijacking) and indirect injections (encoded payloads, multi-language obfuscation, delimiter-based escapes). Based on the OWASP LLM Top 10 (LLM01:2025 Prompt Injection) and Simon Willison's prompt injection taxonomy. Activates for requests involving prompt injection detection, LLM input sanitization, AI security scanning, or prompt attack classification.

#mukul-cybersecurity-skills#security#cybersecuritySecurity & Compliance

Detecting Anomalies In Industrial Control Systems

This skill covers deploying anomaly detection systems for industrial control environments using machine learning models trained on OT network baselines, physics-based process models, and behavioral analysis of industrial protocol communications. It addresses building normal behavior profiles for SCADA polling patterns, detecting deviations in Modbus/DNP3/OPC UA traffic, identifying rogue devices, and correlating network anomalies with physical process data from historians.

#mukul-cybersecurity-skills#security#cybersecuritySecurity & Compliance

Detecting Anomalous Authentication Patterns

Detects anomalous authentication patterns using UEBA analytics, statistical baselines, and machine learning models to identify impossible travel, credential stuffing, brute force, password spraying, and compromised account behaviors across authentication logs. Activates for requests involving authentication anomaly detection, login behavior analysis, UEBA implementation, or suspicious sign-in investigation.

#mukul-cybersecurity-skills#security#cybersecuritySecurity & Compliance

Detecting API Enumeration Attacks

Detect and prevent API enumeration attacks including BOLA and IDOR exploitation by monitoring sequential identifier access patterns and authorization failures.

#mukul-cybersecurity-skills#security#cybersecuritySecurity & Compliance

Detecting Arp Poisoning In Network Traffic

Detect and prevent ARP spoofing attacks using ARPWatch, Dynamic ARP Inspection, Wireshark analysis, and custom monitoring scripts to protect against man-in-the-middle interception.

#mukul-cybersecurity-skills#security#cybersecuritySecurity & Compliance

Detecting Attacks On Historian Servers

Detect cyber attacks targeting OT historian servers (OSIsoft PI, Ignition, Wonderware) that sit at the IT/OT boundary and serve as pivot points for lateral movement between enterprise and control networks, including data manipulation, unauthorized queries, and exploitation of historian-specific vulnerabilities.

#mukul-cybersecurity-skills#security#cybersecuritySecurity & Compliance

Detecting Attacks On Scada Systems

This skill covers detecting cyber attacks targeting Supervisory Control and Data Acquisition (SCADA) systems including man-in-the-middle attacks on industrial protocols, unauthorized command injection into PLCs, HMI compromise, historian data manipulation, and denial-of-service against control system communications. It leverages OT-specific intrusion detection systems, industrial protocol anomaly detection, and process data analytics to identify attacks that traditional IT security tools miss.

#mukul-cybersecurity-skills#security#cybersecuritySecurity & Compliance

Detecting AWS Cloudtrail Anomalies

Detect unusual API call patterns in AWS CloudTrail logs using boto3, statistical baselining, and behavioral analysis to identify credential compromise, privilege escalation, and unauthorized resource access.

#mukul-cybersecurity-skills#security#cybersecuritySecurity & Compliance

Detecting AWS Credential Exposure With Trufflehog

Detecting exposed AWS credentials in source code repositories, CI/CD pipelines, and configuration files using TruffleHog, git-secrets, and AWS-native detection mechanisms to prevent credential theft and unauthorized account access.

#mukul-cybersecurity-skills#security#cybersecuritySecurity & Compliance

Detecting AWS Guardduty Findings Automation

Automate AWS GuardDuty threat detection findings processing using EventBridge and Lambda to enable real-time incident response, automatic quarantine of compromised resources, and security notification workflows.

#mukul-cybersecurity-skills#security#cybersecuritySecurity & Compliance

Detecting AWS Iam Privilege Escalation

Detect AWS IAM privilege escalation paths using boto3 and Cloudsplaining policy analysis to identify overly permissive policies, dangerous permission combinations, and least-privilege violations

#mukul-cybersecurity-skills#security#cybersecuritySecurity & Compliance

Detecting Azure Lateral Movement

Detect lateral movement in Azure AD/Entra ID environments using Microsoft Graph API audit logs, Azure Sentinel KQL hunting queries, and sign-in anomaly correlation to identify privilege escalation, token theft, and cross-tenant pivoting.

#mukul-cybersecurity-skills#security#cybersecuritySecurity & Compliance

Detecting Azure Service Principal Abuse

Detect and investigate Azure service principal abuse including privilege escalation, credential compromise, admin consent bypass, and unauthorized enumeration in Microsoft Entra ID environments.

#mukul-cybersecurity-skills#security#cybersecuritySecurity & Compliance

Detecting Azure Storage Account Misconfigurations

Audit Azure Blob and ADLS storage accounts for public access exposure, weak or long-lived SAS tokens, missing encryption at rest, disabled HTTPS-only traffic, and outdated TLS versions using the azure-mgmt-storage Python SDK.

#mukul-cybersecurity-skills#security#cybersecuritySecurity & Compliance

Detecting Bluetooth Low Energy Attacks

Detects and analyzes Bluetooth Low Energy (BLE) security attacks including sniffing, replay attacks, GATT enumeration abuse, and Man-in-the-Middle interception. Uses Ubertooth One and nRF52840 sniffers for packet capture, the bleak Python library for GATT service enumeration, and crackle for BLE encryption cracking. Use when assessing IoT device BLE security, monitoring for BLE-based attacks on wireless infrastructure, or performing authorized BLE penetration testing. Activates for requests involving BLE security assessment, Ubertooth sniffing, GATT enumeration, or BLE replay detection.

#mukul-cybersecurity-skills#security#cybersecuritySecurity & Compliance

Detecting Broken Object Property Level Authorization

Detect and test for OWASP API3:2023 Broken Object Property Level Authorization vulnerabilities including excessive data exposure and mass assignment attacks.

#mukul-cybersecurity-skills#security#cybersecuritySecurity & Compliance

Detecting Business Email Compromise

Business Email Compromise (BEC) is a sophisticated fraud scheme where attackers impersonate executives, vendors, or trusted partners to trick employees into transferring funds, sharing sensitive data,

#mukul-cybersecurity-skills#security#cybersecuritySecurity & Compliance

Detecting Cloud Threats With Guardduty

This skill teaches security teams how to deploy and operationalize Amazon GuardDuty for continuous threat detection across AWS accounts and workloads. It covers enabling protection plans for S3, EKS, EC2 runtime monitoring, and Lambda, interpreting finding severity levels, and building automated response workflows using EventBridge and Lambda.

#mukul-cybersecurity-skills#security#cybersecuritySecurity & Compliance

Detecting Command And Control Over DNS

Detects command-and-control (C2) communications tunneled through DNS protocol including DNS tunneling tools (Iodine, dnscat2, dns2tcp, Cobalt Strike DNS beacon), domain generation algorithms (DGA), encoded payload delivery via TXT/CNAME records, and DNS beaconing patterns. Covers Shannon entropy analysis of query subdomains, statistical anomaly detection, ML-based DGA classification, passive DNS correlation, and Zeek/Suricata signature development. Activates for requests involving DNS-based C2 detection, DNS tunnel identification, suspicious DNS traffic investigation, or DGA domain classification.

#mukul-cybersecurity-skills#security#cybersecuritySecurity & Compliance

Detecting Compromised Cloud Credentials

Detecting compromised cloud credentials across AWS, Azure, and GCP by analyzing anomalous API activity, impossible travel patterns, unauthorized resource provisioning, and credential abuse indicators using GuardDuty, Defender for Identity, and SCC Event Threat Detection.

#mukul-cybersecurity-skills#security#cybersecuritySecurity & Compliance

Detecting Container Drift At Runtime

Detect unauthorized modifications to running containers by monitoring for binary execution drift, file system changes, and configuration deviations from the original container image.

#mukul-cybersecurity-skills#security#cybersecuritySecurity & Compliance

Detecting Container Escape Attempts

Container escape is a critical attack technique where an adversary breaks out of container isolation to access the host system or other containers. Detection involves monitoring for escape indicators

#mukul-cybersecurity-skills#security#cybersecuritySecurity & Compliance

Detecting Container Escape With Falco Rules

Detect container escape attempts in real-time using Falco runtime security rules that monitor syscalls, file access, and privilege escalation.

#mukul-cybersecurity-skills#security#cybersecuritySecurity & Compliance

Detecting Credential Dumping Techniques

Detect LSASS credential dumping, SAM database extraction, and NTDS.dit theft using Sysmon Event ID 10, Windows Security logs, and SIEM correlation rules

#mukul-cybersecurity-skills#security#cybersecuritySecurity & Compliance

Detecting Cryptomining In Cloud

This skill teaches security teams how to detect and respond to unauthorized cryptocurrency mining operations in cloud environments. It covers identifying cryptomining indicators through compute usage anomalies, network traffic patterns to mining pools, GuardDuty CryptoCurrency findings, and runtime process monitoring on EC2, ECS, EKS, and Azure Automation workloads.

#mukul-cybersecurity-skills#security#cybersecuritySecurity & Compliance

Detecting Dcsync Attack In Active Directory

Detect DCSync attacks where adversaries abuse Active Directory replication privileges to extract password hashes by monitoring for non-domain-controller accounts requesting directory replication via DsGetNCChanges.

#mukul-cybersecurity-skills#security#cybersecuritySecurity & Compliance

Detecting Deepfake Audio In Vishing Attacks

Detects AI-generated deepfake audio used in voice phishing (vishing) attacks by extracting spectral features (MFCC, spectral centroid, spectral contrast, zero-crossing rate) and classifying samples with machine learning models. Supports batch analysis of audio files, generates confidence scores, and produces forensic reports. Activates for requests involving deepfake voice detection, vishing investigation, AI-generated speech analysis, voice cloning detection, or audio authenticity verification.

#mukul-cybersecurity-skills#security#cybersecuritySecurity & Compliance

Detecting Dll Sideloading Attacks

Detect DLL side-loading attacks where adversaries place malicious DLLs alongside legitimate applications to hijack execution flow for defense evasion.

#mukul-cybersecurity-skills#security#cybersecuritySecurity & Compliance

Detecting Dnp3 Protocol Anomalies

Detect anomalies in DNP3 (Distributed Network Protocol 3) communications used in SCADA systems by monitoring for unauthorized control commands, firmware update attempts, protocol violations, and deviations from baseline traffic patterns using deep packet inspection and machine learning approaches.

#mukul-cybersecurity-skills#security#cybersecuritySecurity & Compliance

Detecting DNS Exfiltration With DNS Query Analysis

Detect data exfiltration through DNS tunneling by analyzing query entropy, subdomain length, query volume, TXT record abuse, and response payload sizes using passive DNS monitoring.

#mukul-cybersecurity-skills#security#cybersecuritySecurity & Compliance

Detecting Email Account Compromise

Detect compromised O365 and Google Workspace email accounts by analyzing inbox rule creation, suspicious sign-in locations, mail forwarding rules, and unusual API access patterns via Microsoft Graph and audit logs.

#mukul-cybersecurity-skills#security#cybersecuritySecurity & Compliance

Detecting Email Forwarding Rules Attack

Detect malicious email forwarding rules created by adversaries to maintain persistent access to email communications for intelligence collection and BEC attacks.

#mukul-cybersecurity-skills#security#cybersecuritySecurity & Compliance

Detecting Evasion Techniques In Endpoint Logs

Detects defense evasion techniques used by adversaries in endpoint logs including log tampering, timestomping, process injection, and security tool disabling. Use when investigating suspicious endpoint behavior, building detection rules for evasion tactics, or conducting threat hunting for stealthy adversary activity. Activates for requests involving evasion detection, defense evasion analysis, log tampering detection, or MITRE ATT&CK TA0005.

#mukul-cybersecurity-skills#security#cybersecuritySecurity & Compliance

Detecting Exfiltration Over DNS With Zeek

Detect DNS-based data exfiltration by analyzing Zeek dns.log for high-entropy subdomains and anomalous query patterns

#mukul-cybersecurity-skills#security#cybersecuritySecurity & Compliance

Detecting Fileless Attacks On Endpoints

Detects fileless malware and in-memory attacks that execute entirely in RAM without writing persistent files to disk, evading traditional antivirus. Use when building detections for PowerShell-based attacks, reflective DLL injection, WMI persistence, and registry-resident malware. Activates for requests involving fileless malware detection, in-memory attacks, PowerShell exploitation, or living-off-the-land techniques.

#mukul-cybersecurity-skills#security#cybersecuritySecurity & Compliance

Detecting Fileless Malware Techniques

Detects and analyzes fileless malware that operates entirely in memory using PowerShell, WMI, .NET reflection, registry-resident payloads, and living-off-the-land binaries (LOLBins) without writing traditional executable files to disk. Activates for requests involving fileless threat detection, in-memory malware investigation, LOLBin abuse analysis, or WMI persistence examination.

#mukul-cybersecurity-skills#security#cybersecuritySecurity & Compliance

Detecting Golden Ticket Attacks In Kerberos Logs

Detect Golden Ticket attacks in Active Directory by analyzing Kerberos TGT anomalies including mismatched encryption types, impossible ticket lifetimes, non-existent accounts, and forged PAC signatures in domain controller event logs.

#mukul-cybersecurity-skills#security#cybersecuritySecurity & Compliance

Detecting Golden Ticket Forgery

Detect Kerberos Golden Ticket forgery by analyzing Windows Event ID 4769 for RC4 encryption downgrades (0x17), abnormal ticket lifetimes, and krbtgt account anomalies in Splunk and Elastic SIEM

#mukul-cybersecurity-skills#security#cybersecuritySecurity & Compliance

Detecting Insider Threat With Ueba

Implement User and Entity Behavior Analytics using Elasticsearch/OpenSearch to build behavioral baselines, calculate anomaly scores, perform peer group analysis, and detect insider threat indicators such as data exfiltration, privilege abuse, and unauthorized access patterns.

#mukul-cybersecurity-skills#security#cybersecuritySecurity & Compliance

Detecting Kerberoasting Attacks

Detect Kerberoasting attacks by monitoring for anomalous Kerberos TGS requests targeting service accounts with SPNs for offline password cracking.

#mukul-cybersecurity-skills#security#cybersecuritySecurity & Compliance

Detecting Lateral Movement In Network

Identifies lateral movement techniques in enterprise networks by analyzing authentication logs, network flows, SMB traffic, and RDP sessions using Zeek, Velociraptor, and SIEM correlation rules to detect attackers moving between systems.

#mukul-cybersecurity-skills#security#cybersecuritySecurity & Compliance

Detecting Lateral Movement With Splunk

Detect adversary lateral movement across networks using Splunk SPL queries against Windows authentication logs, SMB traffic, and remote service abuse.

#mukul-cybersecurity-skills#security#cybersecuritySecurity & Compliance

Detecting Lateral Movement With Zeek

Detect lateral movement in network traffic using Zeek (formerly Bro) log analysis. Parses conn.log, smb_mapping.log, smb_files.log, dce_rpc.log, kerberos.log, and ntlm.log to identify SMB file transfers, NTLM account spray activity, remote service execution, and anomalous internal connections.

#mukul-cybersecurity-skills#security#cybersecuritySecurity & Compliance

Detecting Living Off The Land Attacks

Detect abuse of legitimate Windows binaries (LOLBins) used for living off the land attacks. Monitors process creation, command-line arguments, and parent-child relationships to identify suspicious LOLBin execution patterns.

#mukul-cybersecurity-skills#security#cybersecuritySecurity & Compliance

Detecting Living Off The Land With Lolbas

Detect Living Off the Land Binaries (LOLBins/LOLBAS) abuse including certutil, regsvr32, mshta, and rundll32 via process telemetry, Sigma rules, and parent-child process analysis

#mukul-cybersecurity-skills#security#cybersecuritySecurity & Compliance

Detecting Malicious Scheduled Tasks With Sysmon

Detect malicious scheduled task creation and modification using Sysmon Event IDs 1 (Process Create for schtasks.exe), 11 (File Create for task XML), and Windows Security Event 4698/4702. The analyst correlates task creation with suspicious parent processes, public directory paths, and encoded command arguments to identify persistence and lateral movement via scheduled tasks. Activates for requests involving scheduled task detection, Sysmon persistence hunting, or T1053.005 Scheduled Task/Job analysis.

#mukul-cybersecurity-skills#security#cybersecuritySecurity & Compliance

Detecting Mimikatz Execution Patterns

Detect Mimikatz execution through command-line patterns, LSASS access signatures, binary indicators, and in-memory detection of known modules.

#mukul-cybersecurity-skills#security#cybersecuritySecurity & Compliance

Detecting Misconfigured Azure Storage

Detecting misconfigured Azure Storage accounts including publicly accessible blob containers, missing encryption settings, overly permissive SAS tokens, disabled logging, and network access violations using Azure CLI, PowerShell, and Microsoft Defender for Storage.

#mukul-cybersecurity-skills#security#cybersecuritySecurity & Compliance

Detecting Mobile Malware Behavior

Detects and analyzes malicious behavior in mobile applications through behavioral analysis, permission abuse detection, network traffic monitoring, and dynamic instrumentation. Use when analyzing suspicious mobile applications for data exfiltration, command-and-control communication, credential stealing, SMS interception, or other malware indicators. Activates for requests involving mobile malware analysis, app behavior monitoring, trojan detection, or suspicious app investigation.

#mukul-cybersecurity-skills#security#cybersecuritySecurity & Compliance

Detecting Modbus Command Injection Attacks

Detect command injection attacks against Modbus TCP/RTU protocol in ICS environments by monitoring for unauthorized write operations, anomalous function codes, malformed frames, and deviations from established communication baselines using ICS-aware IDS and protocol deep packet inspection.

#mukul-cybersecurity-skills#security#cybersecuritySecurity & Compliance

Detecting Modbus Protocol Anomalies

This skill covers detecting anomalies in Modbus/TCP and Modbus RTU communications in industrial control systems. It addresses function code monitoring, register range validation, timing analysis, unauthorized client detection, and deep packet inspection for malformed Modbus frames. The skill leverages Zeek with Modbus protocol analyzers, Suricata IDS with OT rules, and custom Python-based detection using Markov chain models for normal Modbus transaction sequences.

#mukul-cybersecurity-skills#security#cybersecuritySecurity & Compliance

Detecting Network Anomalies With Zeek

Deploys and configures Zeek (formerly Bro) network security monitor to passively analyze network traffic, generate structured logs, detect anomalous behavior, and create custom detection scripts for threat hunting and incident response.

#mukul-cybersecurity-skills#security#cybersecuritySecurity & Compliance

Detecting Network Scanning With Ids Signatures

Detect network reconnaissance and port scanning using Suricata and Snort IDS signatures, threshold-based detection rules, and traffic anomaly analysis to identify Nmap, Masscan, and custom scanning activity.

#mukul-cybersecurity-skills#security#cybersecuritySecurity & Compliance

Detecting Ntlm Relay With Event Correlation

Detect NTLM relay attacks through Windows Security Event correlation by analyzing Event 4624 LogonType 3 for IP-to-hostname mismatches, identifying Responder/LLMNR poisoning artifacts, auditing SMB and LDAP signing enforcement across the domain, and detecting NTLM downgrade attacks from NTLMv2 to NTLMv1 using event log analysis.

#mukul-cybersecurity-skills#security#cybersecuritySecurity & Compliance

Detecting OAuth Token Theft

Detects and responds to OAuth token theft and replay attacks in cloud environments, focusing on Microsoft Entra ID (Azure AD) token protection, conditional access policies, and sign-in anomaly detection. Covers access token theft, refresh token replay, Primary Refresh Token (PRT) abuse, and pass-the-cookie attacks. Activates for requests involving OAuth token theft detection, token replay prevention, Azure AD conditional access token protection, or cloud identity attack investigation.

#mukul-cybersecurity-skills#security#cybersecuritySecurity & Compliance

Detecting Pass The Hash Attacks

Detect Pass-the-Hash attacks by analyzing NTLM authentication patterns, identifying Type 3 logons with NTLM where Kerberos is expected, and correlating with credential dumping.

#mukul-cybersecurity-skills#security#cybersecuritySecurity & Compliance

Detecting Port Scanning With Fail2ban

Configures Fail2ban with custom filters and actions to detect port scanning activity, SSH brute force attempts, and network reconnaissance, automatically banning offending IP addresses and alerting security teams to suspicious network probing.

#mukul-cybersecurity-skills#security#cybersecuritySecurity & Compliance

Detecting Privilege Escalation In Kubernetes Pods

Detect and prevent privilege escalation in Kubernetes pods by monitoring security contexts, capabilities, and syscall patterns with Falco and OPA policies.

#mukul-cybersecurity-skills#security#cybersecuritySecurity & Compliance

Detecting Process Hollowing Technique

Detect process hollowing (T1055.012) by analyzing memory-mapped sections, hollowed process indicators, and parent-child process anomalies in EDR telemetry.

#mukul-cybersecurity-skills#security#cybersecuritySecurity & Compliance

Detecting Process Injection Techniques

Detects and analyzes process injection techniques used by malware including classic DLL injection, process hollowing, APC injection, thread hijacking, and reflective loading. Uses memory forensics, API monitoring, and behavioral analysis to identify injection artifacts. Activates for requests involving process injection detection, code injection analysis, hollowed process investigation, or in-memory threat detection.

#mukul-cybersecurity-skills#security#cybersecuritySecurity & Compliance

Detecting Qr Code Phishing With Email Security

Detect and prevent QR code phishing (quishing) attacks that bypass traditional email security by embedding malicious URLs in QR code images within emails.

#mukul-cybersecurity-skills#security#cybersecuritySecurity & Compliance

Detecting Ransomware Encryption Behavior

Detects ransomware encryption activity in real time using entropy analysis, file system I/O monitoring, and behavioral heuristics. Identifies mass file modification patterns, abnormal entropy spikes in written data, and suspicious process behavior characteristic of ransomware encryption routines. Activates for requests involving ransomware behavioral detection, entropy-based file monitoring, I/O anomaly detection, or real-time encryption activity alerting.

#mukul-cybersecurity-skills#security#cybersecuritySecurity & Compliance

Detecting Ransomware Precursors In Network

Detects early-stage ransomware indicators in network traffic before encryption begins, including initial access broker activity, command-and-control beaconing, credential harvesting, reconnaissance scanning, and staging behavior. Uses network detection tools (Zeek, Suricata, Arkime), SIEM correlation rules, and threat intelligence feeds to identify ransomware precursor patterns such as Cobalt Strike beacons, Mimikatz network signatures, and RDP brute-force attempts. Activates for requests involving pre-ransomware detection, network-based ransomware indicators, or early warning ransomware monitoring.

#mukul-cybersecurity-skills#security#cybersecuritySecurity & Compliance

Detecting Rdp Brute Force Attacks

Detect RDP brute force attacks by analyzing Windows Security Event Logs for failed authentication patterns (Event ID 4625), successful logons after failures (Event ID 4624), NLA failures, and source IP frequency analysis.

#mukul-cybersecurity-skills#security#cybersecuritySecurity & Compliance

Detecting Rootkit Activity

Detects rootkit presence on compromised systems by identifying hidden processes, hooked system calls, modified kernel structures, hidden files, and covert network connections using memory forensics, cross-view detection, and integrity checking techniques. Activates for requests involving rootkit detection, hidden process discovery, kernel integrity checking, or system call hook analysis.

#mukul-cybersecurity-skills#security#cybersecuritySecurity & Compliance

Detecting S3 Data Exfiltration Attempts

Detecting data exfiltration attempts from AWS S3 buckets by analyzing CloudTrail S3 data events, VPC Flow Logs, GuardDuty findings, Amazon Macie alerts, and S3 access patterns to identify unauthorized bulk downloads and cross-account data transfers.

#mukul-cybersecurity-skills#security#cybersecuritySecurity & Compliance

Detecting Serverless Function Injection

Detects and prevents code injection attacks targeting serverless functions (AWS Lambda, Azure Functions, Google Cloud Functions) through event source poisoning, malicious layer injection, runtime command execution, and IAM privilege escalation via function modification. The analyst combines static analysis of function code, CloudTrail event correlation, runtime behavior monitoring, and IAM policy auditing to identify injection vectors across the expanded serverless attack surface including API Gateway, S3, SQS, DynamoDB Streams, and CloudWatch event triggers. Activates for requests involving Lambda security assessment, serverless injection detection, function event poisoning analysis, or serverless privilege escalation investigation.

#mukul-cybersecurity-skills#security#cybersecuritySecurity & Compliance

Detecting Shadow API Endpoints

Discover and inventory shadow API endpoints that operate outside documented specifications using traffic analysis, code scanning, and API discovery platforms.

#mukul-cybersecurity-skills#security#cybersecuritySecurity & Compliance

Detecting Shadow It Cloud Usage

Detect unauthorized SaaS and cloud service usage (shadow IT) by analyzing proxy logs, DNS query logs, and netflow data using Python pandas for traffic pattern analysis and domain classification.

#mukul-cybersecurity-skills#security#cybersecuritySecurity & Compliance

Detecting Spearphishing With Email Gateway

Spearphishing targets specific individuals using personalized, researched content that bypasses generic spam filters. Email security gateways (SEGs) like Microsoft Defender for Office 365, Proofpoint,

#mukul-cybersecurity-skills#security#cybersecuritySecurity & Compliance

Detecting SQL Injection Via Waf Logs

Analyze WAF (ModSecurity/AWS WAF/Cloudflare) logs to detect SQL injection attack campaigns. Parses ModSecurity audit logs and JSON WAF event logs to identify SQLi patterns (UNION SELECT, OR 1=1, SLEEP(), BENCHMARK()), tracks attack sources, correlates multi-stage injection attempts, and generates incident reports with OWASP classification.

#mukul-cybersecurity-skills#security#cybersecuritySecurity & Compliance

Detecting Stuxnet Style Attacks

This skill covers detecting sophisticated cyber-physical attacks that follow the Stuxnet attack pattern of modifying PLC logic while spoofing sensor readings to hide the manipulation from operators. It addresses PLC logic integrity monitoring, physics-based process anomaly detection, engineering workstation compromise indicators, USB-borne attack vectors, and multi-stage attack chain detection spanning IT-to-OT lateral movement through to process manipulation.

#mukul-cybersecurity-skills#security#cybersecuritySecurity & Compliance

Detecting Supply Chain Attacks In CI CD

Scans GitHub Actions workflows and CI/CD pipeline configurations for supply chain attack vectors including unpinned actions, script injection via expressions, dependency confusion, and secrets exposure. Uses PyGithub and YAML parsing for automated audit. Use when hardening CI/CD pipelines or investigating compromised build systems.

#mukul-cybersecurity-skills#security#cybersecuritySecurity & Compliance

Detecting Suspicious OAuth Application Consent

Detect risky OAuth application consent grants in Azure AD / Microsoft Entra ID using Microsoft Graph API, audit logs, and permission analysis to identify illicit consent grant attacks.

#mukul-cybersecurity-skills#security#cybersecuritySecurity & Compliance

Detecting Suspicious Powershell Execution

Detect suspicious PowerShell execution patterns including encoded commands, download cradles, AMSI bypass attempts, and constrained language mode evasion.

#mukul-cybersecurity-skills#security#cybersecuritySecurity & Compliance

Detecting T1003 Credential Dumping With Edr

Detect OS credential dumping techniques targeting LSASS memory, SAM database, NTDS.dit, and cached credentials using EDR telemetry, Sysmon process access monitoring, and Windows security event correlation.

#mukul-cybersecurity-skills#security#cybersecuritySecurity & Compliance

Detecting T1055 Process Injection With Sysmon

Detect process injection techniques (T1055) including classic DLL injection, process hollowing, and APC injection by analyzing Sysmon events for cross-process memory operations, remote thread creation, and anomalous DLL loading patterns.

#mukul-cybersecurity-skills#security#cybersecuritySecurity & Compliance

Detecting T1548 Abuse Elevation Control Mechanism

Detect abuse of elevation control mechanisms including UAC bypass, sudo exploitation, and setuid/setgid manipulation by monitoring registry modifications, process elevation flags, and unusual parent-child process relationships.

#mukul-cybersecurity-skills#security#cybersecuritySecurity & Compliance

Detecting Typosquatting Packages In npm Pypi

Detects typosquatting attacks in npm and PyPI package registries by analyzing package name similarity using Levenshtein distance and other string metrics, examining publish date heuristics to identify recently created packages mimicking established ones, and flagging download count anomalies where suspicious packages have disproportionately low usage compared to their legitimate targets. The analyst queries the PyPI JSON API and npm registry API to gather package metadata for automated comparison. Activates for requests involving package typosquatting detection, dependency confusion analysis, malicious package identification, or software supply chain threat hunting in package registries.

#mukul-cybersecurity-skills#security#cybersecuritySecurity & Compliance

Detecting Wmi Persistence

Detect WMI event subscription persistence by analyzing Sysmon Event IDs 19, 20, and 21 for malicious EventFilter, EventConsumer, and FilterToConsumerBinding creation.

#mukul-cybersecurity-skills#security#cybersecuritySecurity & Compliance

Django Access Review

Django access control and IDOR security review. Use when reviewing Django views, DRF viewsets, ORM queries, or any Python/Django code handling user authorization. Trigger keywords: "IDOR", "access control", "authorization", "Django permissions", "object permissions", "tenant isolation", "broken access".

#observability#sentry#applicationSecurity & Compliance

Domain Intel

Passive domain reconnaissance using Python stdlib. Subdomain discovery, SSL certificate inspection, WHOIS lookups, DNS records, domain availability checks, and bulk multi-domain analysis. No API keys required.

#broad-capability#development#creativeSecurity & Compliance

Dpa Review

Review a Data Processing Agreement against your DPA playbook — auto-detects whether you're processor or controller and applies the right half of the playbook. Use when the user says "review this DPA", "check this data processing addendum", "customer sent their DPA", "is this DPA okay", or attaches a DPA.

#legal#contracts#ndaSecurity & Compliance

Draft Nda

Draft a detailed Non-Disclosure Agreement between two parties covering information types, jurisdiction, and clauses needing legal review. Use when creating confidentiality agreements or preparing an NDA for a partnership.

#work-life#productivity#product-managementSecurity & Compliance

Dsar Response

Walk through a Data Subject Access Request (or deletion, portability, correction request) and draft the response — verify identity, locate data system-by-system, assess exemptions, draft the acknowledgment and substantive response letters. Use when a DSAR comes in, the user pastes an access/deletion/portability/correction request, or says "DSAR came in", "access request", "right to be forgotten", or "someone wants their data".

#legal#contracts#ndaSecurity & Compliance

Elasticsearch Audit

Enable, configure, and query Elasticsearch security audit logs. Use when the task involves audit logging setup, event filtering, or investigating security incidents like failed logins.

#elastic#elasticsearch#kibanaSecurity & Compliance

Elasticsearch Authn

Authenticate to Elasticsearch using native, file-based, LDAP/AD, SAML, OIDC, Kerberos, JWT, or certificate realms. Use when connecting with credentials, choosing a realm, or managing API keys. Assumes the target realms are already configured.

#elastic#elasticsearch#kibanaSecurity & Compliance

Elasticsearch Authz

Manage Elasticsearch RBAC: native users, roles, role mappings, document- and field-level security. Use when creating users or roles, assigning privileges, or mapping external realms like LDAP/SAML.

#elastic#elasticsearch#kibanaSecurity & Compliance

Elasticsearch Security Troubleshooting

Diagnose and resolve Elasticsearch security errors: 401/403 failures, TLS problems, expired API keys, role mapping mismatches, and Kibana login issues. Use when the user reports a security error.

#elastic#elasticsearch#kibanaSecurity & Compliance

Entra Agent ID

Microsoft Entra Agent ID (preview) for creating OAuth2-capable AI agent identities via Microsoft Graph beta API. Covers Agent Identity Blueprints, BlueprintPrincipals, Agent Identities, required permissions, sponsors, and Workload Identity Federation. Includes Microsoft Entra SDK for AgentID (containerized sidecar) for polyglot agent authentication (Docker/Kubernetes), 3P agent integration, autonomous and interactive agent patterns. Triggers: "agent identity", "agent id", "Agent Identity Blueprint", "BlueprintPrincipal", "entra agent", "agent identity provisioning", "Graph agent identity", "entra sidecar", "agent id sidecar", "auth sidecar", "3P agent", "third-party agent identity", "polyglot agent auth".

#broad-capability#development#setupSecurity & Compliance

Entra Agent ID

Provision Microsoft Entra Agent Identity Blueprints, BlueprintPrincipals, and per-instance Agent Identities via Microsoft Graph, and configure OAuth 2.0 token exchange (fmi_path, OBO, cross-tenant) including the Microsoft Entra SDK for AgentID sidecar. USE FOR: Agent Identity Blueprint, BlueprintPrincipal, agent OAuth, fmi_path token exchange, agent OBO, Workload Identity Federation for agents, polyglot agent auth, Microsoft.Identity.Web.AgentIdentities. DO NOT USE FOR: standard Entra app registration (use entra-app-registration), Azure RBAC (use azure-rbac), Microsoft Foundry agent authoring (use microsoft-foundry).

#broad-capability#development#setupSecurity & Compliance

Entra Agent User

Create Agent Users in Microsoft Entra ID from Agent Identities, enabling AI agents to act as digital workers with user identity capabilities in Microsoft 365 and Azure environments.

#github-copilot#identity#accessSecurity & Compliance