jyahclaude/security-skills
GitHub: jyahclaude/security-skills
A large-scale collection of security skills for Claude Code users, providing 506 ready-to-use security analysis templates and operational guides that cover the full attack and defense chain.
Stars: 0 | Forks: 0
# 🛡️ Security Skills
### The Largest Claude Code Security Skills Collection
506 ready-to-use security skills for threat hunting, incident response, detection engineering, penetration testing, forensics, compliance & more
| Domain | Coverage |
|:---|:---:|
| 🔴 Offensive Security | ██████████ |
| 🔵 Defensive Security | ██████████ |
| 🟣 Threat Intelligence | ████████░░ |
| 🟢 Compliance & GRC | ███████░░░ |
| 🟡 Cloud Security | ████████░░ |
| ⚪ OT/ICS Security | ██████░░░░ |

| Framework | Skills |
|:---|:---:|
| MITRE ATT&CK | 30+ |
| NIST CSF | 15+ |
| OWASP Top 10 | 20+ |
| CIS Benchmarks | 10+ |
| Zero Trust | 15+ |
| ISO 27001 | 5+ |
| # | Category | Skills | | # | Category | Skills |
|:---:|---|:---:|---|:---:|---|:---:|
| 1 | 🔬 [Threat & Malware Analysis](#-threat--malware-analysis) | 45 | | 9 | 🏗️ [Implementing Security](#-implementing-security-measures) | 98 |
| 2 | 📋 [Security Auditing](#-security-auditing) | 12 | | 10 | 🔎 [Incident Investigation](#-incident-investigation) | 3 |
| 3 | 🏭 [Building Security Infra](#-building-security-infrastructure) | 26 | | 11 | 🧪 [Security Assessments](#-performing-security-assessments) | 90 |
| 4 | ⚔️ [Security Operations](#-conducting-security-operations) | 7 | | 12 | 🔓 [Reverse Engineering](#-reverse-engineering) | 6 |
| 5 | ⚙️ [Configuring Controls](#-configuring-security-controls) | 6 | | 13 | 🧨 [Security Testing](#-security-testing) | 11 |
| 6 | 🚀 [Deploying Solutions](#-deploying-security-solutions) | 8 | | 14 | 🔒 [Securing Infrastructure](#-securing-infrastructure) | 1 |
| 7 | 🚨 [Detection & Monitoring](#-detection--monitoring) | 96 | | 15 | 🚑 [Triaging & Response](#-triaging--response) | 3 |
| 8 | 🎯 [Threat Hunting](#-threat-hunting) | 37 | | 16 | 🛠️ [Other Security](#-other-security-skills) | 57 |
## 🔬 Threat & Malware Analysis
| Skill | Tags |
|:---|:---|
| [`analyzing-android-malware-with-apktool`](analyzing-android-malware-with-apktool/) | `malware` `mobile` `android` |
| [`analyzing-apt-group-with-mitre-navigator`](analyzing-apt-group-with-mitre-navigator/) | `threat-intel` `mitre` `apt` |
| [`analyzing-azure-activity-logs-for-threats`](analyzing-azure-activity-logs-for-threats/) | `cloud` `azure` `logs` |
| [`analyzing-bootkit-and-rootkit-samples`](analyzing-bootkit-and-rootkit-samples/) | `malware` `rootkit` `persistence` |
| [`analyzing-browser-forensics-with-hindsight`](analyzing-browser-forensics-with-hindsight/) | `forensics` `browser` `artifacts` |
| [`analyzing-certificate-transparency-for-phishing`](analyzing-certificate-transparency-for-phishing/) | `phishing` `certificates` `osint` |
| [`analyzing-cobalt-strike-beacon-configuration`](analyzing-cobalt-strike-beacon-configuration/) | `c2` `cobalt-strike` `malware` |
| [`analyzing-cobaltstrike-malleable-c2-profiles`](analyzing-cobaltstrike-malleable-c2-profiles/) | `c2` `cobalt-strike` `detection` |
| [`analyzing-command-and-control-communication`](analyzing-command-and-control-communication/) | `c2` `network` `malware` |
| [`analyzing-dns-logs-for-exfiltration`](analyzing-dns-logs-for-exfiltration/) | `dns` `exfiltration` `detection` |
| [`analyzing-docker-container-forensics`](analyzing-docker-container-forensics/) | `containers` `forensics` `docker` |
| [`analyzing-email-headers-for-phishing-investigation`](analyzing-email-headers-for-phishing-investigation/) | `email` `phishing` `headers` |
| [`analyzing-golang-malware-with-ghidra`](analyzing-golang-malware-with-ghidra/) | `malware` `reverse-engineering` `golang` |
| [`analyzing-heap-spray-exploitation`](analyzing-heap-spray-exploitation/) | `exploitation` `memory` `heap` |
| [`analyzing-ios-app-security-with-objection`](analyzing-ios-app-security-with-objection/) | `mobile` `ios` `assessment` |
| [`analyzing-kubernetes-audit-logs`](analyzing-kubernetes-audit-logs/) | `kubernetes` `cloud` `audit` |
| [`analyzing-linux-audit-logs-for-intrusion`](analyzing-linux-audit-logs-for-intrusion/) | `linux` `logs` `intrusion` |
| [`analyzing-linux-elf-malware`](analyzing-linux-elf-malware/) | `malware` `linux` `elf` |
| [`analyzing-linux-kernel-rootkits`](analyzing-linux-kernel-rootkits/) | `rootkit` `linux` `kernel` |
| [`analyzing-macro-malware-in-office-documents`](analyzing-macro-malware-in-office-documents/) | `malware` `office` `macros` |
| [`analyzing-malware-behavior-with-cuckoo-sandbox`](analyzing-malware-behavior-with-cuckoo-sandbox/) | `malware` `sandbox` `dynamic` |
| [`analyzing-malware-family-relationships-with-malpedia`](analyzing-malware-family-relationships-with-malpedia/) | `malware` `threat-intel` `classification` |
| [`analyzing-malware-persistence-with-autoruns`](analyzing-malware-persistence-with-autoruns/) | `malware` `persistence` `windows` |
| [`analyzing-malware-sandbox-evasion-techniques`](analyzing-malware-sandbox-evasion-techniques/) | `malware` `evasion` `sandbox` |
| [`analyzing-memory-forensics-with-lime-and-volatility`](analyzing-memory-forensics-with-lime-and-volatility/) | `forensics` `memory` `volatility` |
| [`analyzing-network-covert-channels-in-malware`](analyzing-network-covert-channels-in-malware/) | `malware` `network` `covert` |
| [`analyzing-network-traffic-for-incidents`](analyzing-network-traffic-for-incidents/) | `network` `traffic` `incident` |
| [`analyzing-network-traffic-of-malware`](analyzing-network-traffic-of-malware/) | `malware` `network` `pcap` |
| [`analyzing-office365-audit-logs-for-compromise`](analyzing-office365-audit-logs-for-compromise/) | `cloud` `o365` `compromise` |
| [`analyzing-outlook-pst-for-email-forensics`](analyzing-outlook-pst-for-email-forensics/) | `forensics` `email` `outlook` |
| [`analyzing-packed-malware-with-upx-unpacker`](analyzing-packed-malware-with-upx-unpacker/) | `malware` `packing` `upx` |
| [`analyzing-pdf-malware-with-pdfid`](analyzing-pdf-malware-with-pdfid/) | `malware` `pdf` `documents` |
| [`analyzing-persistence-mechanisms-in-linux`](analyzing-persistence-mechanisms-in-linux/) | `persistence` `linux` `hunting` |
| [`analyzing-ransomware-encryption-mechanisms`](analyzing-ransomware-encryption-mechanisms/) | `ransomware` `encryption` `analysis` |
| [`analyzing-ransomware-leak-site-intelligence`](analyzing-ransomware-leak-site-intelligence/) | `ransomware` `threat-intel` `darkweb` |
| [`analyzing-ransomware-network-indicators`](analyzing-ransomware-network-indicators/) | `ransomware` `network` `ioc` |
| [`analyzing-ransomware-payment-wallets`](analyzing-ransomware-payment-wallets/) | `ransomware` `crypto` `investigation` |
| [`analyzing-security-logs-with-splunk`](analyzing-security-logs-with-splunk/) | `siem` `splunk` `logs` |
| [`analyzing-supply-chain-malware-artifacts`](analyzing-supply-chain-malware-artifacts/) | `supply-chain` `malware` `artifacts` |
| [`analyzing-threat-actor-ttps-with-mitre-attack`](analyzing-threat-actor-ttps-with-mitre-attack/) | `mitre` `ttps` `threat-intel` |
| [`analyzing-threat-actor-ttps-with-mitre-navigator`](analyzing-threat-actor-ttps-with-mitre-navigator/) | `mitre` `navigator` `mapping` |
| [`analyzing-threat-intelligence-feeds`](analyzing-threat-intelligence-feeds/) | `threat-intel` `feeds` `ioc` |
| [`analyzing-threat-landscape-with-misp`](analyzing-threat-landscape-with-misp/) | `misp` `threat-intel` `sharing` |
| [`analyzing-uefi-bootkit-persistence`](analyzing-uefi-bootkit-persistence/) | `bootkit` `uefi` `persistence` |
| [`analyzing-web-server-logs-for-intrusion`](analyzing-web-server-logs-for-intrusion/) | `web` `logs` `intrusion` |
## 📋 Security Auditing
| Skill | Tags |
|:---|:---|
| [`auditing-aws-s3-bucket-permissions`](auditing-aws-s3-bucket-permissions/) | `aws` `s3` `cloud` |
| [`auditing-azure-active-directory-configuration`](auditing-azure-active-directory-configuration/) | `azure` `ad` `identity` |
| [`auditing-cloud-with-cis-benchmarks`](auditing-cloud-with-cis-benchmarks/) | `cloud` `cis` `compliance` |
| [`auditing-entra-id-with-aadinternals`](auditing-entra-id-with-aadinternals/) | `azure` `entra` `identity` |
| [`auditing-foundry-smart-contract-security`](auditing-foundry-smart-contract-security/) | `blockchain` `smart-contracts` `web3` |
| [`auditing-gcp-iam-permissions`](auditing-gcp-iam-permissions/) | `gcp` `iam` `cloud` |
| [`auditing-kubernetes-cluster-rbac`](auditing-kubernetes-cluster-rbac/) | `kubernetes` `rbac` `access` |
| [`auditing-kubernetes-rbac-privilege-escalation`](auditing-kubernetes-rbac-privilege-escalation/) | `kubernetes` `privesc` `rbac` |
| [`auditing-mcp-servers-for-tool-poisoning`](auditing-mcp-servers-for-tool-poisoning/) | `mcp` `ai-security` `supply-chain` |
| [`auditing-terraform-infrastructure-for-security`](auditing-terraform-infrastructure-for-security/) | `terraform` `iac` `cloud` |
| [`auditing-tls-certificate-transparency-logs`](auditing-tls-certificate-transparency-logs/) | `tls` `certificates` `transparency` |
| [`auditing-uefi-firmware-with-chipsec`](auditing-uefi-firmware-with-chipsec/) | `firmware` `uefi` `hardware` |
## 🏭 Building Security Infrastructure
| Skill | Tags |
|:---|:---|
| [`building-attack-pattern-library-from-cti-reports`](building-attack-pattern-library-from-cti-reports/) | `threat-intel` `patterns` `cti` |
| [`building-automated-malware-submission-pipeline`](building-automated-malware-submission-pipeline/) | `malware` `automation` `pipeline` |
| [`building-cloud-siem-with-sentinel`](building-cloud-siem-with-sentinel/) | `siem` `sentinel` `azure` |
| [`building-detection-rule-with-splunk-spl`](building-detection-rule-with-splunk-spl/) | `splunk` `detection` `spl` |
| [`building-detection-rules-with-sigma`](building-detection-rules-with-sigma/) | `sigma` `detection` `rules` |
| [`building-incident-response-dashboard`](building-incident-response-dashboard/) | `ir` `dashboard` `soc` |
| [`building-incident-response-playbook`](building-incident-response-playbook/) | `ir` `playbook` `procedures` |
| [`building-incident-timeline-with-timesketch`](building-incident-timeline-with-timesketch/) | `forensics` `timeline` `ir` |
| [`building-ioc-defanging-and-sharing-pipeline`](building-ioc-defanging-and-sharing-pipeline/) | `ioc` `sharing` `automation` |
| [`building-ioc-enrichment-pipeline-with-opencti`](building-ioc-enrichment-pipeline-with-opencti/) | `ioc` `enrichment` `opencti` |
| [`building-malware-incident-communication-template`](building-malware-incident-communication-template/) | `ir` `communication` `template` |
| [`building-phishing-reporting-button-workflow`](building-phishing-reporting-button-workflow/) | `phishing` `workflow` `reporting` |
| [`building-ransomware-playbook-with-cisa-framework`](building-ransomware-playbook-with-cisa-framework/) | `ransomware` `cisa` `playbook` |
| [`building-soc-escalation-matrix`](building-soc-escalation-matrix/) | `soc` `escalation` `process` |
| [`building-soc-metrics-and-kpi-tracking`](building-soc-metrics-and-kpi-tracking/) | `soc` `metrics` `kpi` |
| [`building-soc-playbook-for-ransomware`](building-soc-playbook-for-ransomware/) | `soc` `ransomware` `playbook` |
| [`building-threat-actor-profile-from-osint`](building-threat-actor-profile-from-osint/) | `osint` `threat-actor` `profiling` |
| [`building-threat-feed-aggregation-with-misp`](building-threat-feed-aggregation-with-misp/) | `misp` `feeds` `aggregation` |
| [`building-threat-hunt-hypothesis-framework`](building-threat-hunt-hypothesis-framework/) | `hunting` `hypothesis` `framework` |
| [`building-threat-intelligence-enrichment-in-splunk`](building-threat-intelligence-enrichment-in-splunk/) | `splunk` `threat-intel` `enrichment` |
| [`building-threat-intelligence-feed-integration`](building-threat-intelligence-feed-integration/) | `threat-intel` `feeds` `integration` |
| [`building-threat-intelligence-platform`](building-threat-intelligence-platform/) | `threat-intel` `platform` `tip` |
| [`building-vulnerability-aging-and-sla-tracking`](building-vulnerability-aging-and-sla-tracking/) | `vuln-mgmt` `sla` `tracking` |
| [`building-vulnerability-dashboard-with-defectdojo`](building-vulnerability-dashboard-with-defectdojo/) | `vuln-mgmt` `defectdojo` `dashboard` |
| [`building-vulnerability-exception-tracking-system`](building-vulnerability-exception-tracking-system/) | `vuln-mgmt` `exceptions` `risk` |
| [`building-vulnerability-scanning-workflow`](building-vulnerability-scanning-workflow/) | `vuln-mgmt` `scanning` `workflow` |
## ⚔️ Conducting Security Operations
| Skill | Tags |
|:---|:---|
| [`conducting-api-security-testing`](conducting-api-security-testing/) | `api` `testing` `offensive` |
| [`conducting-cloud-incident-response`](conducting-cloud-incident-response/) | `cloud` `ir` `response` |
| [`conducting-cloud-penetration-testing`](conducting-cloud-penetration-testing/) | `cloud` `pentest` `offensive` |
| [`conducting-malware-incident-response`](conducting-malware-incident-response/) | `malware` `ir` `response` |
| [`conducting-memory-forensics-with-volatility`](conducting-memory-forensics-with-volatility/) | `forensics` `memory` `volatility` |
| [`conducting-phishing-incident-response`](conducting-phishing-incident-response/) | `phishing` `ir` `response` |
| [`conducting-post-incident-lessons-learned`](conducting-post-incident-lessons-learned/) | `ir` `lessons-learned` `process` |
## ⚙️ Configuring Security Controls
| Skill | Tags |
|:---|:---|
| [`configuring-host-based-intrusion-detection`](configuring-host-based-intrusion-detection/) | `hids` `endpoint` `detection` |
| [`configuring-ldap-security-hardening`](configuring-ldap-security-hardening/) | `ldap` `hardening` `identity` |
| [`configuring-microsegmentation-for-zero-trust`](configuring-microsegmentation-for-zero-trust/) | `zero-trust` `network` `segmentation` |
| [`configuring-pfsense-firewall-rules`](configuring-pfsense-firewall-rules/) | `firewall` `pfsense` `network` |
| [`configuring-snort-ids-for-intrusion-detection`](configuring-snort-ids-for-intrusion-detection/) | `ids` `snort` `network` |
| [`configuring-windows-event-logging-for-detection`](configuring-windows-event-logging-for-detection/) | `windows` `logging` `detection` |
## 🚀 Deploying Security Solutions
| Skill | Tags |
|:---|:---|
| [`deploying-cloud-deception-with-decoy-resources`](deploying-cloud-deception-with-decoy-resources/) | `deception` `cloud` `decoys` |
| [`deploying-cloudflare-access-for-zero-trust`](deploying-cloudflare-access-for-zero-trust/) | `zero-trust` `cloudflare` `access` |
| [`deploying-decoy-files-for-ransomware-detection`](deploying-decoy-files-for-ransomware-detection/) | `deception` `ransomware` `detection` |
| [`deploying-edr-agent-with-crowdstrike`](deploying-edr-agent-with-crowdstrike/) | `edr` `crowdstrike` `endpoint` |
| [`deploying-honeytokens-and-canarytokens`](deploying-honeytokens-and-canarytokens/) | `deception` `honeytokens` `detection` |
| [`deploying-palo-alto-prisma-access-zero-trust`](deploying-palo-alto-prisma-access-zero-trust/) | `zero-trust` `palo-alto` `sase` |
| [`deploying-ransomware-canary-files`](deploying-ransomware-canary-files/) | `ransomware` `canary` `detection` |
| [`deploying-tailscale-for-zero-trust-vpn`](deploying-tailscale-for-zero-trust-vpn/) | `zero-trust` `vpn` `tailscale` |
## 🚨 Detection & Monitoring
| Skill | Tags |
|:---|:---|
| [`detecting-ai-model-prompt-injection-attacks`](detecting-ai-model-prompt-injection-attacks/) | `ai-security` `prompt-injection` |
| [`detecting-anomalies-in-industrial-control-systems`](detecting-anomalies-in-industrial-control-systems/) | `ics` `ot` `anomaly` |
| [`detecting-anomalous-authentication-patterns`](detecting-anomalous-authentication-patterns/) | `identity` `auth` `anomaly` |
| [`detecting-api-enumeration-attacks`](detecting-api-enumeration-attacks/) | `api` `enumeration` `web` |
| [`detecting-arp-poisoning-in-network-traffic`](detecting-arp-poisoning-in-network-traffic/) | `network` `arp` `mitm` |
| [`detecting-attacks-on-historian-servers`](detecting-attacks-on-historian-servers/) | `ics` `ot` `historian` |
| [`detecting-attacks-on-scada-systems`](detecting-attacks-on-scada-systems/) | `ics` `scada` `ot` |
| [`detecting-aws-cloudtrail-anomalies`](detecting-aws-cloudtrail-anomalies/) | `aws` `cloudtrail` `cloud` |
| [`detecting-aws-credential-exposure-with-trufflehog`](detecting-aws-credential-exposure-with-trufflehog/) | `aws` `credentials` `secrets` |
| [`detecting-aws-guardduty-findings-automation`](detecting-aws-guardduty-findings-automation/) | `aws` `guardduty` `automation` |
| [`detecting-aws-iam-privilege-escalation`](detecting-aws-iam-privilege-escalation/) | `aws` `iam` `privesc` |
| [`detecting-azure-lateral-movement`](detecting-azure-lateral-movement/) | `azure` `lateral-movement` `cloud` |
| [`detecting-azure-service-principal-abuse`](detecting-azure-service-principal-abuse/) | `azure` `identity` `abuse` |
| [`detecting-azure-storage-account-misconfigurations`](detecting-azure-storage-account-misconfigurations/) | `azure` `storage` `misconfig` |
| [`detecting-beaconing-patterns-with-zeek`](detecting-beaconing-patterns-with-zeek/) | `c2` `beaconing` `zeek` |
| [`detecting-bluetooth-low-energy-attacks`](detecting-bluetooth-low-energy-attacks/) | `bluetooth` `wireless` `ble` |
| [`detecting-broken-object-property-level-authorization`](detecting-broken-object-property-level-authorization/) | `api` `authorization` `owasp` |
| [`detecting-business-email-compromise`](detecting-business-email-compromise/) | `bec` `email` `fraud` |
| [`detecting-business-email-compromise-with-ai`](detecting-business-email-compromise-with-ai/) | `bec` `ai` `email` |
| [`detecting-cloud-threats-with-guardduty`](detecting-cloud-threats-with-guardduty/) | `aws` `guardduty` `cloud` |
| [`detecting-command-and-control-over-dns`](detecting-command-and-control-over-dns/) | `c2` `dns` `exfiltration` |
| [`detecting-compromised-cloud-credentials`](detecting-compromised-cloud-credentials/) | `cloud` `credentials` `compromise` |
| [`detecting-container-drift-at-runtime`](detecting-container-drift-at-runtime/) | `containers` `drift` `runtime` |
| [`detecting-container-escape-attempts`](detecting-container-escape-attempts/) | `containers` `escape` `kubernetes` |
| [`detecting-container-escape-with-falco-rules`](detecting-container-escape-with-falco-rules/) | `falco` `containers` `escape` |
| [`detecting-container-runtime-threats-with-falco`](detecting-container-runtime-threats-with-falco/) | `falco` `containers` `runtime` |
| [`detecting-credential-dumping-techniques`](detecting-credential-dumping-techniques/) | `credentials` `dumping` `mimikatz` |
| [`detecting-cryptomining-in-cloud`](detecting-cryptomining-in-cloud/) | `cloud` `cryptomining` `abuse` |
| [`detecting-data-and-model-poisoning`](detecting-data-and-model-poisoning/) | `ai-security` `poisoning` `ml` |
| [`detecting-dcsync-attack-in-active-directory`](detecting-dcsync-attack-in-active-directory/) | `ad` `dcsync` `credential` |
| [`detecting-deepfake-audio-in-vishing-attacks`](detecting-deepfake-audio-in-vishing-attacks/) | `deepfake` `vishing` `social-eng` |
| [`detecting-dependency-confusion`](detecting-dependency-confusion/) | `supply-chain` `npm` `packages` |
| [`detecting-dll-sideloading-attacks`](detecting-dll-sideloading-attacks/) | `dll` `sideloading` `evasion` |
| [`detecting-dnp3-protocol-anomalies`](detecting-dnp3-protocol-anomalies/) | `ics` `dnp3` `ot` |
| [`detecting-dns-exfiltration-with-dns-query-analysis`](detecting-dns-exfiltration-with-dns-query-analysis/) | `dns` `exfiltration` `analysis` |
| [`detecting-email-account-compromise`](detecting-email-account-compromise/) | `email` `compromise` `identity` |
| [`detecting-email-forwarding-rules-attack`](detecting-email-forwarding-rules-attack/) | `email` `rules` `persistence` |
| [`detecting-entra-offensive-tools-in-graph-logs`](detecting-entra-offensive-tools-in-graph-logs/) | `azure` `entra` `graph-api` |
| [`detecting-evasion-techniques-in-endpoint-logs`](detecting-evasion-techniques-in-endpoint-logs/) | `evasion` `endpoint` `logs` |
| [`detecting-exfiltration-over-dns-with-zeek`](detecting-exfiltration-over-dns-with-zeek/) | `dns` `zeek` `exfiltration` |
| [`detecting-fileless-attacks-on-endpoints`](detecting-fileless-attacks-on-endpoints/) | `fileless` `endpoint` `memory` |
| [`detecting-fileless-malware-techniques`](detecting-fileless-malware-techniques/) | `fileless` `malware` `evasion` |
| [`detecting-golden-ticket-attacks-in-kerberos-logs`](detecting-golden-ticket-attacks-in-kerberos-logs/) | `kerberos` `golden-ticket` `ad` |
| [`detecting-golden-ticket-forgery`](detecting-golden-ticket-forgery/) | `kerberos` `golden-ticket` `forgery` |
| [`detecting-indirect-prompt-injection`](detecting-indirect-prompt-injection/) | `ai-security` `prompt-injection` |
| [`detecting-insider-data-exfiltration-via-dlp`](detecting-insider-data-exfiltration-via-dlp/) | `dlp` `insider` `exfiltration` |
| [`detecting-insider-threat-behaviors`](detecting-insider-threat-behaviors/) | `insider` `ueba` `behavior` |
| [`detecting-insider-threat-with-ueba`](detecting-insider-threat-with-ueba/) | `insider` `ueba` `analytics` |
| [`detecting-kerberoasting-attacks`](detecting-kerberoasting-attacks/) | `kerberos` `kerberoasting` `ad` |
| [`detecting-lateral-movement-in-network`](detecting-lateral-movement-in-network/) | `lateral-movement` `network` `hunting` |
| [`detecting-lateral-movement-with-splunk`](detecting-lateral-movement-with-splunk/) | `lateral-movement` `splunk` `siem` |
| [`detecting-lateral-movement-with-zeek`](detecting-lateral-movement-with-zeek/) | `lateral-movement` `zeek` `network` |
| [`detecting-living-off-the-land-attacks`](detecting-living-off-the-land-attacks/) | `lotl` `lolbins` `evasion` |
| [`detecting-living-off-the-land-with-lolbas`](detecting-living-off-the-land-with-lolbas/) | `lotl` `lolbas` `windows` |
| [`detecting-malicious-npm-packages`](detecting-malicious-npm-packages/) | `supply-chain` `npm` `packages` |
| [`detecting-malicious-scheduled-tasks-with-sysmon`](detecting-malicious-scheduled-tasks-with-sysmon/) | `sysmon` `persistence` `scheduled-tasks` |
| [`detecting-mimikatz-execution-patterns`](detecting-mimikatz-execution-patterns/) | `mimikatz` `credentials` `detection` |
| [`detecting-misconfigured-azure-storage`](detecting-misconfigured-azure-storage/) | `azure` `storage` `misconfig` |
| [`detecting-mobile-malware-behavior`](detecting-mobile-malware-behavior/) | `mobile` `malware` `behavior` |
| [`detecting-modbus-command-injection-attacks`](detecting-modbus-command-injection-attacks/) | `ics` `modbus` `injection` |
| [`detecting-modbus-protocol-anomalies`](detecting-modbus-protocol-anomalies/) | `ics` `modbus` `ot` |
| [`detecting-model-extraction-attacks`](detecting-model-extraction-attacks/) | `ai-security` `model-theft` `ml` |
| [`detecting-network-anomalies-with-zeek`](detecting-network-anomalies-with-zeek/) | `zeek` `network` `anomaly` |
| [`detecting-network-scanning-with-ids-signatures`](detecting-network-scanning-with-ids-signatures/) | `ids` `scanning` `signatures` |
| [`detecting-ntlm-relay-with-event-correlation`](detecting-ntlm-relay-with-event-correlation/) | `ntlm` `relay` `ad` |
| [`detecting-oauth-token-theft`](detecting-oauth-token-theft/) | `oauth` `tokens` `identity` |
| [`detecting-pass-the-hash-attacks`](detecting-pass-the-hash-attacks/) | `pth` `credentials` `ad` |
| [`detecting-pass-the-ticket-attacks`](detecting-pass-the-ticket-attacks/) | `ptt` `kerberos` `ad` |
| [`detecting-port-scanning-with-fail2ban`](detecting-port-scanning-with-fail2ban/) | `scanning` `fail2ban` `network` |
| [`detecting-privilege-escalation-attempts`](detecting-privilege-escalation-attempts/) | `privesc` `endpoint` `detection` |
| [`detecting-privilege-escalation-in-kubernetes-pods`](detecting-privilege-escalation-in-kubernetes-pods/) | `kubernetes` `privesc` `pods` |
| [`detecting-process-hollowing-technique`](detecting-process-hollowing-technique/) | `injection` `hollowing` `evasion` |
| [`detecting-process-injection-techniques`](detecting-process-injection-techniques/) | `injection` `process` `evasion` |
| [`detecting-qr-code-phishing-with-email-security`](detecting-qr-code-phishing-with-email-security/) | `phishing` `qr-code` `email` |
| [`detecting-ransomware-encryption-behavior`](detecting-ransomware-encryption-behavior/) | `ransomware` `encryption` `behavior` |
| [`detecting-ransomware-precursors-in-network`](detecting-ransomware-precursors-in-network/) | `ransomware` `precursors` `network` |
| [`detecting-rdp-brute-force-attacks`](detecting-rdp-brute-force-attacks/) | `rdp` `brute-force` `windows` |
| [`detecting-rootkit-activity`](detecting-rootkit-activity/) | `rootkit` `detection` `endpoint` |
| [`detecting-s3-data-exfiltration-attempts`](detecting-s3-data-exfiltration-attempts/) | `aws` `s3` `exfiltration` |
| [`detecting-secure-boot-bypass`](detecting-secure-boot-bypass/) | `secure-boot` `firmware` `bypass` |
| [`detecting-serverless-function-injection`](detecting-serverless-function-injection/) | `serverless` `injection` `cloud` |
| [`detecting-service-account-abuse`](detecting-service-account-abuse/) | `service-accounts` `identity` `abuse` |
| [`detecting-shadow-api-endpoints`](detecting-shadow-api-endpoints/) | `api` `shadow-it` `discovery` |
| [`detecting-shadow-it-cloud-usage`](detecting-shadow-it-cloud-usage/) | `shadow-it` `cloud` `governance` |
| [`detecting-spearphishing-with-email-gateway`](detecting-spearphishing-with-email-gateway/) | `phishing` `email` `gateway` |
| [`detecting-sql-injection-via-waf-logs`](detecting-sql-injection-via-waf-logs/) | `sqli` `waf` `web` |
| [`detecting-stuxnet-style-attacks`](detecting-stuxnet-style-attacks/) | `ics` `stuxnet` `ot` |
| [`detecting-supply-chain-attacks-in-ci-cd`](detecting-supply-chain-attacks-in-ci-cd/) | `supply-chain` `ci-cd` `pipeline` |
| [`detecting-suspicious-oauth-application-consent`](detecting-suspicious-oauth-application-consent/) | `oauth` `consent` `identity` |
| [`detecting-suspicious-powershell-execution`](detecting-suspicious-powershell-execution/) | `powershell` `execution` `windows` |
| [`detecting-t1003-credential-dumping-with-edr`](detecting-t1003-credential-dumping-with-edr/) | `mitre-t1003` `edr` `credentials` |
| [`detecting-t1055-process-injection-with-sysmon`](detecting-t1055-process-injection-with-sysmon/) | `mitre-t1055` `sysmon` `injection` |
| [`detecting-t1548-abuse-elevation-control-mechanism`](detecting-t1548-abuse-elevation-control-mechanism/) | `mitre-t1548` `privesc` `uac` |
| [`detecting-typosquatting-packages`](detecting-typosquatting-packages/) | `supply-chain` `typosquatting` |
| [`detecting-typosquatting-packages-in-npm-pypi`](detecting-typosquatting-packages-in-npm-pypi/) | `supply-chain` `npm` `pypi` |
| [`detecting-wmi-persistence`](detecting-wmi-persistence/) | `wmi` `persistence` `windows` |
## 🎯 Threat Hunting
| Skill | Tags |
|:---|:---|
| [`hunting-advanced-persistent-threats`](hunting-advanced-persistent-threats/) | `apt` `advanced` `persistent` |
| [`hunting-bootkits-in-efi-system-partition`](hunting-bootkits-in-efi-system-partition/) | `bootkit` `efi` `firmware` |
| [`hunting-credential-stuffing-attacks`](hunting-credential-stuffing-attacks/) | `credentials` `stuffing` `auth` |
| [`hunting-evtx-with-chainsaw`](hunting-evtx-with-chainsaw/) | `evtx` `chainsaw` `windows` |
| [`hunting-for-anomalous-powershell-execution`](hunting-for-anomalous-powershell-execution/) | `powershell` `anomaly` `windows` |
| [`hunting-for-beaconing-with-frequency-analysis`](hunting-for-beaconing-with-frequency-analysis/) | `beaconing` `frequency` `c2` |
| [`hunting-for-cobalt-strike-beacons`](hunting-for-cobalt-strike-beacons/) | `cobalt-strike` `beacons` `c2` |
| [`hunting-for-command-and-control-beaconing`](hunting-for-command-and-control-beaconing/) | `c2` `beaconing` `network` |
| [`hunting-for-data-exfiltration-indicators`](hunting-for-data-exfiltration-indicators/) | `exfiltration` `data-loss` `dlp` |
| [`hunting-for-data-staging-before-exfiltration`](hunting-for-data-staging-before-exfiltration/) | `staging` `exfiltration` `data` |
| [`hunting-for-dcom-lateral-movement`](hunting-for-dcom-lateral-movement/) | `dcom` `lateral-movement` `windows` |
| [`hunting-for-dcsync-attacks`](hunting-for-dcsync-attacks/) | `dcsync` `ad` `credentials` |
| [`hunting-for-defense-evasion-via-timestomping`](hunting-for-defense-evasion-via-timestomping/) | `timestomping` `evasion` `forensics` |
| [`hunting-for-dns-based-persistence`](hunting-for-dns-based-persistence/) | `dns` `persistence` `infrastructure` |
| [`hunting-for-dns-tunneling-with-zeek`](hunting-for-dns-tunneling-with-zeek/) | `dns` `tunneling` `zeek` |
| [`hunting-for-domain-fronting-c2-traffic`](hunting-for-domain-fronting-c2-traffic/) | `domain-fronting` `c2` `cdn` |
| [`hunting-for-lateral-movement-via-wmi`](hunting-for-lateral-movement-via-wmi/) | `wmi` `lateral-movement` `windows` |
| [`hunting-for-living-off-the-cloud-techniques`](hunting-for-living-off-the-cloud-techniques/) | `lotc` `cloud` `evasion` |
| [`hunting-for-living-off-the-land-binaries`](hunting-for-living-off-the-land-binaries/) | `lolbins` `lotl` `windows` |
| [`hunting-for-lolbins-execution-in-endpoint-logs`](hunting-for-lolbins-execution-in-endpoint-logs/) | `lolbins` `endpoint` `logs` |
| [`hunting-for-ntlm-relay-attacks`](hunting-for-ntlm-relay-attacks/) | `ntlm` `relay` `ad` |
| [`hunting-for-persistence-mechanisms-in-windows`](hunting-for-persistence-mechanisms-in-windows/) | `persistence` `windows` `registry` |
| [`hunting-for-persistence-via-wmi-subscriptions`](hunting-for-persistence-via-wmi-subscriptions/) | `wmi` `persistence` `subscriptions` |
| [`hunting-for-process-injection-techniques`](hunting-for-process-injection-techniques/) | `injection` `process` `memory` |
| [`hunting-for-registry-persistence-mechanisms`](hunting-for-registry-persistence-mechanisms/) | `registry` `persistence` `windows` |
| [`hunting-for-registry-run-key-persistence`](hunting-for-registry-run-key-persistence/) | `registry` `run-keys` `autostart` |
| [`hunting-for-scheduled-task-persistence`](hunting-for-scheduled-task-persistence/) | `scheduled-tasks` `persistence` `windows` |
| [`hunting-for-shadow-copy-deletion`](hunting-for-shadow-copy-deletion/) | `vss` `ransomware` `recovery` |
| [`hunting-for-spearphishing-indicators`](hunting-for-spearphishing-indicators/) | `phishing` `spearphishing` `email` |
| [`hunting-for-startup-folder-persistence`](hunting-for-startup-folder-persistence/) | `startup` `persistence` `windows` |
| [`hunting-for-supply-chain-compromise`](hunting-for-supply-chain-compromise/) | `supply-chain` `compromise` `software` |
| [`hunting-for-suspicious-scheduled-tasks`](hunting-for-suspicious-scheduled-tasks/) | `scheduled-tasks` `anomaly` `windows` |
| [`hunting-for-t1098-account-manipulation`](hunting-for-t1098-account-manipulation/) | `mitre-t1098` `accounts` `persistence` |
| [`hunting-for-unusual-network-connections`](hunting-for-unusual-network-connections/) | `network` `anomaly` `connections` |
| [`hunting-for-unusual-service-installations`](hunting-for-unusual-service-installations/) | `services` `persistence` `windows` |
| [`hunting-for-webshell-activity`](hunting-for-webshell-activity/) | `webshell` `web` `persistence` |
| [`hunting-saas-sso-token-abuse`](hunting-saas-sso-token-abuse/) | `saas` `sso` `tokens` |
## 🏗️ Implementing Security Measures
| Skill | Tags | |:---|:---| | [`implementing-aes-encryption-for-data-at-rest`](implementing-aes-encryption-for-data-at-rest/) | `encryption` `aes` `data-protection` | | [`implementing-anti-phishing-training-program`](implementing-anti-phishing-training-program/) | `phishing` `training` `awareness` | | [`implementing-anti-ransomware-group-policy`](implementing-anti-ransomware-group-policy/) | `ransomware` `gpo` `windows` | | [`implementing-api-abuse-detection-with-rate-limiting`](implementing-api-abuse-detection-with-rate-limiting/) | `api` `rate-limiting` `abuse` | | [`implementing-api-gateway-security-controls`](implementing-api-gateway-security-controls/) | `api` `gateway` `controls` | | [`implementing-api-key-security-controls`](implementing-api-key-security-controls/) | `api` `keys` `secrets` | | [`implementing-api-schema-validation-security`](implementing-api-schema-validation-security/) | `api` `schema` `validation` | | [`implementing-api-security-posture-management`](implementing-api-security-posture-management/) | `api` `posture` `management` | | [`implementing-api-security-testing-with-42crunch`](implementing-api-security-testing-with-42crunch/) | `api` `testing` `42crunch` | | [`implementing-api-threat-protection-with-apigee`](implementing-api-threat-protection-with-apigee/) | `api` `apigee` `protection` | | [`implementing-aqua-security-for-container-scanning`](implementing-aqua-security-for-container-scanning/) | `containers` `aqua` `scanning` | | [`implementing-attack-path-analysis-with-xm-cyber`](implementing-attack-path-analysis-with-xm-cyber/) | `attack-path` `xm-cyber` `risk` | | [`implementing-attack-surface-management`](implementing-attack-surface-management/) | `asm` `surface` `discovery` | | [`implementing-aws-config-rules-for-compliance`](implementing-aws-config-rules-for-compliance/) | `aws` `config` `compliance` | | [`implementing-aws-nitro-enclave-security`](implementing-aws-nitro-enclave-security/) | `aws` `nitro` `enclave` | | 
| [`implementing-aws-security-hub`](implementing-aws-security-hub/) | `aws` `security-hub` `cspm` |
| [`implementing-aws-security-hub-compliance`](implementing-aws-security-hub-compliance/) | `aws` `security-hub` `compliance` |
| [`implementing-beyondcorp-zero-trust-access-model`](implementing-beyondcorp-zero-trust-access-model/) | `zero-trust` `beyondcorp` `google` |
| [`implementing-bgp-security-with-rpki`](implementing-bgp-security-with-rpki/) | `bgp` `rpki` `routing` |
| [`implementing-browser-isolation-for-zero-trust`](implementing-browser-isolation-for-zero-trust/) | `zero-trust` `browser` `isolation` |
| [`implementing-canary-tokens-for-network-intrusion`](implementing-canary-tokens-for-network-intrusion/) | `canary` `deception` `detection` |
| [`implementing-cisa-zero-trust-maturity-model`](implementing-cisa-zero-trust-maturity-model/) | `zero-trust` `cisa` `maturity` |
| [`implementing-cloud-dlp-for-data-protection`](implementing-cloud-dlp-for-data-protection/) | `dlp` `cloud` `data-protection` |
| [`implementing-cloud-security-posture-management`](implementing-cloud-security-posture-management/) | `cspm` `cloud` `posture` |
| [`implementing-cloud-vulnerability-posture-management`](implementing-cloud-vulnerability-posture-management/) | `cvpm` `cloud` `vulnerability` |
| [`implementing-cloud-waf-rules`](implementing-cloud-waf-rules/) | `waf` `cloud` `web` |
| [`implementing-conduit-security-for-ot-remote-access`](implementing-conduit-security-for-ot-remote-access/) | `ot` `remote-access` `conduit` |
| [`implementing-continuous-security-validation-with-bas`](implementing-continuous-security-validation-with-bas/) | `bas` `validation` `continuous` |
| [`implementing-deception-based-detection-with-canarytoken`](implementing-deception-based-detection-with-canarytoken/) | `deception` `canary` `detection` |
| [`implementing-device-posture-assessment-in-zero-trust`](implementing-device-posture-assessment-in-zero-trust/) | `zero-trust` `device` `posture` |
| [`implementing-devsecops-security-scanning`](implementing-devsecops-security-scanning/) | `devsecops` `scanning` `ci-cd` |
| [`implementing-disk-encryption-with-bitlocker`](implementing-disk-encryption-with-bitlocker/) | `encryption` `bitlocker` `windows` |
| [`implementing-dmarc-dkim-spf-email-security`](implementing-dmarc-dkim-spf-email-security/) | `email` `dmarc` `dkim` |
| [`implementing-ebpf-security-monitoring`](implementing-ebpf-security-monitoring/) | `ebpf` `monitoring` `linux` |
| [`implementing-email-sandboxing-with-proofpoint`](implementing-email-sandboxing-with-proofpoint/) | `email` `sandbox` `proofpoint` |
| [`implementing-end-to-end-encryption-for-messaging`](implementing-end-to-end-encryption-for-messaging/) | `e2ee` `encryption` `messaging` |
| [`implementing-endpoint-detection-with-wazuh`](implementing-endpoint-detection-with-wazuh/) | `edr` `wazuh` `endpoint` |
| [`implementing-endpoint-dlp-controls`](implementing-endpoint-dlp-controls/) | `dlp` `endpoint` `data-protection` |
| [`implementing-envelope-encryption-with-aws-kms`](implementing-envelope-encryption-with-aws-kms/) | `encryption` `kms` `aws` |
| [`implementing-epss-score-for-vulnerability-prioritization`](implementing-epss-score-for-vulnerability-prioritization/) | `epss` `vulnerability` `prioritization` |
| [`implementing-gcp-vpc-firewall-rules`](implementing-gcp-vpc-firewall-rules/) | `gcp` `firewall` `vpc` |
| [`implementing-github-advanced-security-for-code-scanning`](implementing-github-advanced-security-for-code-scanning/) | `github` `sast` `code-scanning` |
| [`implementing-google-workspace-admin-security`](implementing-google-workspace-admin-security/) | `google` `workspace` `admin` |
| [`implementing-google-workspace-phishing-protection`](implementing-google-workspace-phishing-protection/) | `google` `phishing` `email` |
| [`implementing-hardware-security-key-authentication`](implementing-hardware-security-key-authentication/) | `fido2` `hardware-key` `mfa` |
| [`implementing-hipaa-security-rule-safeguards`](implementing-hipaa-security-rule-safeguards/) | `hipaa` `compliance` `healthcare` |
| [`implementing-honeypot-for-ransomware-detection`](implementing-honeypot-for-ransomware-detection/) | `honeypot` `ransomware` `deception` |
| [`implementing-honeytokens-for-breach-detection`](implementing-honeytokens-for-breach-detection/) | `honeytokens` `deception` `breach` |
| [`implementing-ics-firewall-with-tofino`](implementing-ics-firewall-with-tofino/) | `ics` `firewall` `tofino` |
| [`implementing-identity-verification-for-zero-trust`](implementing-identity-verification-for-zero-trust/) | `zero-trust` `identity` `verification` |
| [`implementing-iec-62443-security-zones`](implementing-iec-62443-security-zones/) | `ics` `iec-62443` `zones` |
| [`implementing-infrastructure-as-code-security-scanning`](implementing-infrastructure-as-code-security-scanning/) | `iac` `scanning` `terraform` |
| [`implementing-iso-27001-information-security-management`](implementing-iso-27001-information-security-management/) | `iso-27001` `isms` `compliance` |
| [`implementing-kubernetes-pod-security-standards`](implementing-kubernetes-pod-security-standards/) | `kubernetes` `pods` `security` |
| [`implementing-llm-guardrails-for-security`](implementing-llm-guardrails-for-security/) | `ai-security` `guardrails` `llm` |
| [`implementing-mimecast-targeted-attack-protection`](implementing-mimecast-targeted-attack-protection/) | `email` `mimecast` `protection` |
| [`implementing-mitre-attack-coverage-mapping`](implementing-mitre-attack-coverage-mapping/) | `mitre` `coverage` `mapping` |
| [`implementing-mtls-for-zero-trust-services`](implementing-mtls-for-zero-trust-services/) | `mtls` `zero-trust` `tls` |
| [`implementing-nerc-cip-compliance-controls`](implementing-nerc-cip-compliance-controls/) | `nerc-cip` `compliance` `energy` |
| [`implementing-network-deception-with-honeypots`](implementing-network-deception-with-honeypots/) | `deception` `honeypots` `network` |
| [`implementing-network-intrusion-prevention-with-suricata`](implementing-network-intrusion-prevention-with-suricata/) | `ips` `suricata` `network` |
| [`implementing-network-segmentation-with-firewall-zones`](implementing-network-segmentation-with-firewall-zones/) | `segmentation` `firewall` `zones` |
| [`implementing-next-generation-firewall-with-palo-alto`](implementing-next-generation-firewall-with-palo-alto/) | `ngfw` `palo-alto` `firewall` |
| [`implementing-ot-incident-response-playbook`](implementing-ot-incident-response-playbook/) | `ot` `ir` `playbook` |
| [`implementing-patch-management-for-ot-systems`](implementing-patch-management-for-ot-systems/) | `ot` `patching` `management` |
| [`implementing-patch-management-workflow`](implementing-patch-management-workflow/) | `patching` `workflow` `management` |
| [`implementing-pci-dss-compliance-controls`](implementing-pci-dss-compliance-controls/) | `pci-dss` `compliance` `payments` |
| [`implementing-pod-security-admission-controller`](implementing-pod-security-admission-controller/) | `kubernetes` `admission` `pods` |
| [`implementing-proofpoint-email-security-gateway`](implementing-proofpoint-email-security-gateway/) | `email` `proofpoint` `gateway` |
| [`implementing-ransomware-backup-strategy`](implementing-ransomware-backup-strategy/) | `ransomware` `backup` `recovery` |
| [`implementing-ransomware-kill-switch-detection`](implementing-ransomware-kill-switch-detection/) | `ransomware` `kill-switch` `detection` |
| [`implementing-rbac-hardening-for-kubernetes`](implementing-rbac-hardening-for-kubernetes/) | `kubernetes` `rbac` `hardening` |
| [`implementing-runtime-security-with-tetragon`](implementing-runtime-security-with-tetragon/) | `tetragon` `runtime` `ebpf` |
| [`implementing-security-chaos-engineering`](implementing-security-chaos-engineering/) | `chaos` `resilience` `testing` |
| [`implementing-security-information-sharing-with-stix2`](implementing-security-information-sharing-with-stix2/) | `stix` `sharing` `threat-intel` |
| [`implementing-security-monitoring-with-datadog`](implementing-security-monitoring-with-datadog/) | `datadog` `monitoring` `observability` |
| [`implementing-siem-correlation-rules-for-apt`](implementing-siem-correlation-rules-for-apt/) | `siem` `correlation` `apt` |
| [`implementing-siem-use-case-tuning`](implementing-siem-use-case-tuning/) | `siem` `tuning` `optimization` |
| [`implementing-siem-use-cases-for-detection`](implementing-siem-use-cases-for-detection/) | `siem` `use-cases` `detection` |
| [`implementing-soar-playbook-for-phishing`](implementing-soar-playbook-for-phishing/) | `soar` `phishing` `automation` |
| [`implementing-stix-taxii-feed-integration`](implementing-stix-taxii-feed-integration/) | `stix` `taxii` `feeds` |
| [`implementing-supply-chain-security-with-in-toto`](implementing-supply-chain-security-with-in-toto/) | `supply-chain` `in-toto` `integrity` |
| [`implementing-taxii-server-with-opentaxii`](implementing-taxii-server-with-opentaxii/) | `taxii` `opentaxii` `sharing` |
| [`implementing-threat-intelligence-lifecycle-management`](implementing-threat-intelligence-lifecycle-management/) | `threat-intel` `lifecycle` `management` |
| [`implementing-threat-modeling-with-mitre-attack`](implementing-threat-modeling-with-mitre-attack/) | `threat-modeling` `mitre` `risk` |
| [`implementing-ticketing-system-for-incidents`](implementing-ticketing-system-for-incidents/) | `ticketing` `ir` `workflow` |
| [`implementing-velociraptor-for-ir-collection`](implementing-velociraptor-for-ir-collection/) | `velociraptor` `ir` `collection` |
| [`implementing-vulnerability-management-with-greenbone`](implementing-vulnerability-management-with-greenbone/) | `vuln-mgmt` `greenbone` `scanning` |
| [`implementing-vulnerability-remediation-sla`](implementing-vulnerability-remediation-sla/) | `vuln-mgmt` `sla` `remediation` |
| [`implementing-vulnerability-sla-breach-alerting`](implementing-vulnerability-sla-breach-alerting/) | `vuln-mgmt` `sla` `alerting` |
| [`implementing-web-application-logging-with-modsecurity`](implementing-web-application-logging-with-modsecurity/) | `waf` `modsecurity` `logging` |
| [`implementing-zero-trust-dns-with-nextdns`](implementing-zero-trust-dns-with-nextdns/) | `zero-trust` `dns` `nextdns` |
| [`implementing-zero-trust-for-saas-applications`](implementing-zero-trust-for-saas-applications/) | `zero-trust` `saas` `access` |
| [`implementing-zero-trust-in-cloud`](implementing-zero-trust-in-cloud/) | `zero-trust` `cloud` `architecture` |
| [`implementing-zero-trust-network-access`](implementing-zero-trust-network-access/) | `ztna` `zero-trust` `network` |
| [`implementing-zero-trust-network-access-with-zscaler`](implementing-zero-trust-network-access-with-zscaler/) | `ztna` `zscaler` `zero-trust` |
| [`implementing-zero-trust-with-beyondcorp`](implementing-zero-trust-with-beyondcorp/) | `zero-trust` `beyondcorp` `google` |
| [`implementing-zero-trust-with-hashicorp-boundary`](implementing-zero-trust-with-hashicorp-boundary/) | `zero-trust` `boundary` `hashicorp` |

Click to expand all 90 assessment skills

| Skill | Tags |
|:---|:---|
| [`performing-active-directory-vulnerability-assessment`](performing-active-directory-vulnerability-assessment/) | `ad` `assessment` `windows` |
| [`performing-adversary-in-the-middle-phishing-detection`](performing-adversary-in-the-middle-phishing-detection/) | `aitm` `phishing` `detection` |
| [`performing-agentless-vulnerability-scanning`](performing-agentless-vulnerability-scanning/) | `scanning` `agentless` `vuln` |
| [`performing-ai-driven-osint-correlation`](performing-ai-driven-osint-correlation/) | `osint` `ai` `correlation` |
| [`performing-alert-triage-with-elastic-siem`](performing-alert-triage-with-elastic-siem/) | `elastic` `triage` `siem` |
| [`performing-api-security-testing-with-postman`](performing-api-security-testing-with-postman/) | `api` `postman` `testing` |
| [`performing-authenticated-vulnerability-scan`](performing-authenticated-vulnerability-scan/) | `scanning` `authenticated` `vuln` |
| [`performing-automated-malware-analysis-with-cape`](performing-automated-malware-analysis-with-cape/) | `cape` `malware` `automated` |
| [`performing-bluetooth-security-assessment`](performing-bluetooth-security-assessment/) | `bluetooth` `wireless` `assessment` |
| [`performing-cloud-forensics-investigation`](performing-cloud-forensics-investigation/) | `cloud` `forensics` `investigation` |
| [`performing-cloud-forensics-with-aws-cloudtrail`](performing-cloud-forensics-with-aws-cloudtrail/) | `aws` `cloudtrail` `forensics` |
| [`performing-cloud-incident-containment-procedures`](performing-cloud-incident-containment-procedures/) | `cloud` `containment` `ir` |
| [`performing-cloud-log-forensics-with-athena`](performing-cloud-log-forensics-with-athena/) | `aws` `athena` `log-analysis` |
| [`performing-cloud-native-forensics-with-falco`](performing-cloud-native-forensics-with-falco/) | `falco` `cloud-native` `forensics` |
| [`performing-cloud-native-threat-hunting-with-aws-detective`](performing-cloud-native-threat-hunting-with-aws-detective/) | `aws` `detective` `hunting` |
| [`performing-cloud-penetration-testing-with-pacu`](performing-cloud-penetration-testing-with-pacu/) | `aws` `pacu` `pentest` |
| [`performing-cloud-storage-forensic-acquisition`](performing-cloud-storage-forensic-acquisition/) | `cloud` `storage` `acquisition` |
| [`performing-container-escape-detection`](performing-container-escape-detection/) | `containers` `escape` `detection` |
| [`performing-container-image-hardening`](performing-container-image-hardening/) | `containers` `hardening` `images` |
| [`performing-container-security-scanning-with-trivy`](performing-container-security-scanning-with-trivy/) | `trivy` `containers` `scanning` |
| [`performing-content-security-policy-bypass`](performing-content-security-policy-bypass/) | `csp` `bypass` `web` |
| [`performing-cryptographic-audit-of-application`](performing-cryptographic-audit-of-application/) | `crypto` `audit` `application` |
| [`performing-dark-web-monitoring-for-threats`](performing-dark-web-monitoring-for-threats/) | `darkweb` `monitoring` `osint` |
| [`performing-deception-technology-deployment`](performing-deception-technology-deployment/) | `deception` `deployment` `honeypot` |
| [`performing-disk-forensics-investigation`](performing-disk-forensics-investigation/) | `disk` `forensics` `investigation` |
| [`performing-dns-tunneling-detection`](performing-dns-tunneling-detection/) | `dns` `tunneling` `detection` |
| [`performing-docker-bench-security-assessment`](performing-docker-bench-security-assessment/) | `docker` `bench` `cis` |
| [`performing-endpoint-forensics-investigation`](performing-endpoint-forensics-investigation/) | `endpoint` `forensics` `investigation` |
| [`performing-endpoint-vulnerability-remediation`](performing-endpoint-vulnerability-remediation/) | `endpoint` `remediation` `patching` |
| [`performing-false-positive-reduction-in-siem`](performing-false-positive-reduction-in-siem/) | `siem` `false-positive` `tuning` |
| [`performing-firmware-malware-analysis`](performing-firmware-malware-analysis/) | `firmware` `malware` `iot` |
| [`performing-gcp-penetration-testing-with-gcpbucketbrute`](performing-gcp-penetration-testing-with-gcpbucketbrute/) | `gcp` `pentest` `storage` |
| [`performing-gcp-security-assessment-with-forseti`](performing-gcp-security-assessment-with-forseti/) | `gcp` `forseti` `assessment` |
| [`performing-graphql-security-assessment`](performing-graphql-security-assessment/) | `graphql` `api` `assessment` |
| [`performing-hardware-security-module-integration`](performing-hardware-security-module-integration/) | `hsm` `hardware` `crypto` |
| [`performing-insider-threat-investigation`](performing-insider-threat-investigation/) | `insider` `investigation` `ueba` |
| [`performing-ioc-enrichment-automation`](performing-ioc-enrichment-automation/) | `ioc` `enrichment` `automation` |
| [`performing-ios-app-security-assessment`](performing-ios-app-security-assessment/) | `ios` `mobile` `assessment` |
| [`performing-iot-security-assessment`](performing-iot-security-assessment/) | `iot` `assessment` `devices` |
| [`performing-kubernetes-etcd-security-assessment`](performing-kubernetes-etcd-security-assessment/) | `kubernetes` `etcd` `assessment` |
| [`performing-kubernetes-penetration-testing`](performing-kubernetes-penetration-testing/) | `kubernetes` `pentest` `cloud` |
| [`performing-lateral-movement-detection`](performing-lateral-movement-detection/) | `lateral-movement` `detection` `network` |
| [`performing-linux-log-forensics-investigation`](performing-linux-log-forensics-investigation/) | `linux` `logs` `forensics` |
| [`performing-log-analysis-for-forensic-investigation`](performing-log-analysis-for-forensic-investigation/) | `logs` `forensics` `analysis` |
| [`performing-log-source-onboarding-in-siem`](performing-log-source-onboarding-in-siem/) | `siem` `onboarding` `logs` |
| [`performing-malware-hash-enrichment-with-virustotal`](performing-malware-hash-enrichment-with-virustotal/) | `virustotal` `malware` `hashes` |
| [`performing-malware-ioc-extraction`](performing-malware-ioc-extraction/) | `malware` `ioc` `extraction` |
| [`performing-malware-persistence-investigation`](performing-malware-persistence-investigation/) | `malware` `persistence` `investigation` |
| [`performing-malware-triage-with-yara`](performing-malware-triage-with-yara/) | `yara` `malware` `triage` |
| [`performing-memory-forensics-with-volatility3`](performing-memory-forensics-with-volatility3/) | `volatility` `memory` `forensics` |
| [`performing-memory-forensics-with-volatility3-plugins`](performing-memory-forensics-with-volatility3-plugins/) | `volatility` `plugins` `memory` |
| [`performing-mobile-device-forensics-with-cellebrite`](performing-mobile-device-forensics-with-cellebrite/) | `mobile` `cellebrite` `forensics` |
| [`performing-network-forensics-with-wireshark`](performing-network-forensics-with-wireshark/) | `wireshark` `network` `pcap` |
| [`performing-network-packet-capture-analysis`](performing-network-packet-capture-analysis/) | `pcap` `network` `analysis` |
| [`performing-oil-gas-cybersecurity-assessment`](performing-oil-gas-cybersecurity-assessment/) | `ot` `oil-gas` `assessment` |
| [`performing-osint-with-spiderfoot`](performing-osint-with-spiderfoot/) | `osint` `spiderfoot` `recon` |
| [`performing-ot-network-security-assessment`](performing-ot-network-security-assessment/) | `ot` `network` `assessment` |
| [`performing-ot-vulnerability-assessment-with-claroty`](performing-ot-vulnerability-assessment-with-claroty/) | `ot` `claroty` `vulnerability` |
| [`performing-ot-vulnerability-scanning-safely`](performing-ot-vulnerability-scanning-safely/) | `ot` `scanning` `safety` |
| [`performing-paste-site-monitoring-for-credentials`](performing-paste-site-monitoring-for-credentials/) | `osint` `paste-sites` `credentials` |
| [`performing-phishing-simulation-with-gophish`](performing-phishing-simulation-with-gophish/) | `gophish` `phishing` `simulation` |
| [`performing-plc-firmware-security-analysis`](performing-plc-firmware-security-analysis/) | `plc` `firmware` `ics` |
| [`performing-power-grid-cybersecurity-assessment`](performing-power-grid-cybersecurity-assessment/) | `power-grid` `ot` `assessment` |
| [`performing-ransomware-response`](performing-ransomware-response/) | `ransomware` `response` `ir` |
| [`performing-ransomware-tabletop-exercise`](performing-ransomware-tabletop-exercise/) | `ransomware` `tabletop` `exercise` |
| [`performing-s7comm-protocol-security-analysis`](performing-s7comm-protocol-security-analysis/) | `s7comm` `ics` `siemens` |
| [`performing-scada-hmi-security-assessment`](performing-scada-hmi-security-assessment/) | `scada` `hmi` `ics` |
| [`performing-second-order-sql-injection`](performing-second-order-sql-injection/) | `sqli` `second-order` `web` |
| [`performing-security-headers-audit`](performing-security-headers-audit/) | `headers` `web` `audit` |
| [`performing-serverless-function-security-review`](performing-serverless-function-security-review/) | `serverless` `review` `cloud` |
| [`performing-service-account-audit`](performing-service-account-audit/) | `service-accounts` `audit` `identity` |
| [`performing-service-account-credential-rotation`](performing-service-account-credential-rotation/) | `credentials` `rotation` `service-accounts` |
| [`performing-soap-web-service-security-testing`](performing-soap-web-service-security-testing/) | `soap` `web-services` `testing` |
| [`performing-soc-tabletop-exercise`](performing-soc-tabletop-exercise/) | `soc` `tabletop` `exercise` |
| [`performing-soc2-type2-audit-preparation`](performing-soc2-type2-audit-preparation/) | `soc2` `audit` `compliance` |
| [`performing-sqlite-database-forensics`](performing-sqlite-database-forensics/) | `sqlite` `database` `forensics` |
| [`performing-ssl-tls-security-assessment`](performing-ssl-tls-security-assessment/) | `tls` `ssl` `assessment` |
| [`performing-static-malware-analysis-with-pe-studio`](performing-static-malware-analysis-with-pe-studio/) | `pe-studio` `malware` `static` |
| [`performing-steganography-detection`](performing-steganography-detection/) | `steganography` `detection` `hidden` |
| [`performing-threat-emulation-with-atomic-red-team`](performing-threat-emulation-with-atomic-red-team/) | `atomic` `red-team` `emulation` |
| [`performing-threat-hunting-with-elastic-siem`](performing-threat-hunting-with-elastic-siem/) | `elastic` `hunting` `siem` |
| [`performing-threat-hunting-with-yara-rules`](performing-threat-hunting-with-yara-rules/) | `yara` `hunting` `rules` |
| [`performing-threat-intelligence-sharing-with-misp`](performing-threat-intelligence-sharing-with-misp/) | `misp` `sharing` `threat-intel` |
| [`performing-threat-landscape-assessment-for-sector`](performing-threat-landscape-assessment-for-sector/) | `threat-landscape` `sector` `assessment` |
| [`performing-threat-modeling-with-owasp-threat-dragon`](performing-threat-modeling-with-owasp-threat-dragon/) | `threat-modeling` `owasp` `dragon` |
| [`performing-vulnerability-scanning-with-nessus`](performing-vulnerability-scanning-with-nessus/) | `nessus` `scanning` `vulnerability` |
| [`performing-web-application-firewall-bypass`](performing-web-application-firewall-bypass/) | `waf` `bypass` `offensive` |
| [`performing-web-application-vulnerability-triage`](performing-web-application-vulnerability-triage/) | `web` `triage` `vulnerability` |
| [`performing-wireless-security-assessment-with-kismet`](performing-wireless-security-assessment-with-kismet/) | `wireless` `kismet` `assessment` |
| [`performing-yara-rule-development-for-detection`](performing-yara-rule-development-for-detection/) | `yara` `rules` `detection` |

Click to expand all 57 other skills

| Skill | Tags |
|:---|:---|
| [`achieving-cmmc-level-2-compliance`](achieving-cmmc-level-2-compliance/) | `cmmc` `compliance` `defense` |
| [`agent-architecture-audit`](agent-architecture-audit/) | `agents` `architecture` `audit` |
| [`attack-fingerprints`](attack-fingerprints/) | `attribution` `fingerprints` `analysis` |
| [`audit-website`](audit-website/) | `web` `audit` `assessment` |
| [`automating-ioc-enrichment`](automating-ioc-enrichment/) | `ioc` `enrichment` `automation` |
| [`automation-audit-ops`](automation-audit-ops/) | `automation` `audit` `operations` |
| [`canary-watch`](canary-watch/) | `canary` `monitoring` `detection` |
| [`click-path-audit`](click-path-audit/) | `web` `click-path` `ux-security` |
| [`collecting-threat-intelligence-with-misp`](collecting-threat-intelligence-with-misp/) | `misp` `collection` `threat-intel` |
| [`content-quality-auditor`](content-quality-auditor/) | `content` `quality` `audit` |
| [`correlating-security-events-in-qradar`](correlating-security-events-in-qradar/) | `qradar` `correlation` `siem` |
| [`correlating-threat-campaigns`](correlating-threat-campaigns/) | `campaigns` `correlation` `threat-intel` |
| [`customs-trade-compliance`](customs-trade-compliance/) | `trade` `compliance` `customs` |
| [`defi-amm-security`](defi-amm-security/) | `defi` `amm` `blockchain` |
| [`deobfuscating-javascript-malware`](deobfuscating-javascript-malware/) | `javascript` `deobfuscation` `malware` |
| [`deobfuscating-powershell-obfuscated-malware`](deobfuscating-powershell-obfuscated-malware/) | `powershell` `deobfuscation` `malware` |
| [`designing-adversary-engagement-with-mitre-engage`](designing-adversary-engagement-with-mitre-engage/) | `mitre-engage` `adversary` `deception` |
| [`django-security`](django-security/) | `django` `python` `web-security` |
| [`domain-authority-auditor`](domain-authority-auditor/) | `domain` `authority` `seo-security` |
| [`ecc-tools-cost-audit`](ecc-tools-cost-audit/) | `cost` `audit` `tools` |
| [`emulating-cloud-attacks-with-stratus-red-team`](emulating-cloud-attacks-with-stratus-red-team/) | `stratus` `red-team` `cloud` |
| [`eradicating-malware-from-infected-systems`](eradicating-malware-from-infected-systems/) | `malware` `eradication` `cleanup` |
| [`evaluating-threat-intelligence-platforms`](evaluating-threat-intelligence-platforms/) | `tip` `evaluation` `threat-intel` |
| [`extracting-credentials-from-memory-dump`](extracting-credentials-from-memory-dump/) | `credentials` `memory` `extraction` |
| [`extracting-iocs-from-malware-samples`](extracting-iocs-from-malware-samples/) | `ioc` `malware` `extraction` |
| [`fleet-hunting-with-velociraptor`](fleet-hunting-with-velociraptor/) | `velociraptor` `fleet` `hunting` |
| [`generating-forensic-timelines-with-hayabusa`](generating-forensic-timelines-with-hayabusa/) | `hayabusa` `timeline` `forensics` |
| [`generating-threat-intelligence-reports`](generating-threat-intelligence-reports/) | `reports` `threat-intel` `writing` |
| [`hardening-docker-containers-for-production`](hardening-docker-containers-for-production/) | `docker` `hardening` `containers` |
| [`hardening-docker-daemon-configuration`](hardening-docker-daemon-configuration/) | `docker` `daemon` `hardening` |
| [`hardening-linux-endpoint-with-cis-benchmark`](hardening-linux-endpoint-with-cis-benchmark/) | `linux` `cis` `hardening` |
| [`hardening-windows-endpoint-with-cis-benchmark`](hardening-windows-endpoint-with-cis-benchmark/) | `windows` `cis` `hardening` |
| [`healthcare-phi-compliance`](healthcare-phi-compliance/) | `healthcare` `phi` `compliance` |
| [`hipaa-compliance`](hipaa-compliance/) | `hipaa` `compliance` `healthcare` |
| [`laravel-security`](laravel-security/) | `laravel` `php` `web-security` |
| [`llm-trading-agent-security`](llm-trading-agent-security/) | `llm` `trading` `ai-security` |
| [`mapping-mitre-attack-techniques`](mapping-mitre-attack-techniques/) | `mitre` `mapping` `techniques` |
| [`modeling-threats-with-opencti`](modeling-threats-with-opencti/) | `opencti` `modeling` `threat-intel` |
| [`operationalizing-misp-threat-feeds`](operationalizing-misp-threat-feeds/) | `misp` `feeds` `operations` |
| [`orchestrating-llm-attacks-with-pyrit`](orchestrating-llm-attacks-with-pyrit/) | `pyrit` `llm` `red-team` |
| [`perl-security`](perl-security/) | `perl` `security` `web` |
| [`plugin-auditor`](plugin-auditor/) | `plugins` `audit` `supply-chain` |
| [`post-exploiting-microsoft-graph-with-graphrunner`](post-exploiting-microsoft-graph-with-graphrunner/) | `graph-api` `post-exploit` `azure` |
| [`processing-stix-taxii-feeds`](processing-stix-taxii-feeds/) | `stix` `taxii` `processing` |
| [`production-audit`](production-audit/) | `production` `audit` `operations` |
| [`profiling-threat-actor-groups`](profiling-threat-actor-groups/) | `threat-actors` `profiling` `intelligence` |
| [`quarkus-security`](quarkus-security/) | `quarkus` `java` `web-security` |
| [`recovering-from-ransomware-attack`](recovering-from-ransomware-attack/) | `ransomware` `recovery` `ir` |
| [`seo-audit`](seo-audit/) | `seo` `audit` `web` |
| [`security-bounty-hunter`](security-bounty-hunter/) | `bug-bounty` `offensive` `hunting` |
| [`security-ids`](security-ids/) | `ids` `detection` `network` |
| [`security-review`](security-review/) | `review` `assessment` `code` |
| [`security-scan`](security-scan/) | `scanning` `automated` `assessment` |
| [`springboot-security`](springboot-security/) | `spring-boot` `java` `web-security` |
| [`swift-actor-persistence`](swift-actor-persistence/) | `swift` `actors` `persistence` |
| [`tracking-threat-actor-infrastructure`](tracking-threat-actor-infrastructure/) | `infrastructure` `tracking` `osint` |
| [`workspace-surface-audit`](workspace-surface-audit/) | `workspace` `surface` `audit` |

### 🏷️ Top Tags
### 📜 License
This project is licensed under the MIT License — see the [LICENSE](LICENSE) file for details.
### 🤝 Contributing
PRs welcome! To add a skill, create a folder with a `SKILL.md` file and open a pull request.
### ⭐ Star This Repo
If you find these skills useful, please star the repo — it helps others discover it.
Built for Claude Code · Maintained by @jyahclaude
Tags: AI prompts, DLL hijacking, incident response, domain environment security, large language models, threat analysis, subdomain mutation, password management, digital forensics, data leakage, server monitoring, exploit detection, cybersecurity, automated reconnaissance tools, automation scripts, privacy protection