cue-ai 0.4.1 → 0.6.0

package/profiles/cybersecurity/profile.yaml

@@ -1,761 +1,784 @@
 name: cybersecurity
 icon: "🔒"
-description: "Skills from mukul975/Anthropic-Cybersecurity-Skills"
+description: "Skills from mukul975/Anthropic-Cybersecurity-Skills + agentshield (agent config auditor)"
 inherits: core
 skills:
   local:
-    - acquiring-disk-image-with-dd-and-dcfldd
-    - analyzing-active-directory-acl-abuse
-    - analyzing-android-malware-with-apktool
-    - analyzing-api-gateway-access-logs
-    - analyzing-apt-group-with-mitre-navigator
-    - analyzing-azure-activity-logs-for-threats
-    - analyzing-bootkit-and-rootkit-samples
-    - analyzing-browser-forensics-with-hindsight
-    - analyzing-campaign-attribution-evidence
-    - analyzing-certificate-transparency-for-phishing
-    - analyzing-cloud-storage-access-patterns
-    - analyzing-cobalt-strike-beacon-configuration
-    - analyzing-cobaltstrike-malleable-c2-profiles
-    - analyzing-command-and-control-communication
-    - analyzing-cyber-kill-chain
-    - analyzing-disk-image-with-autopsy
-    - analyzing-dns-logs-for-exfiltration
-    - analyzing-docker-container-forensics
-    - analyzing-email-headers-for-phishing-investigation
-    - analyzing-ethereum-smart-contract-vulnerabilities
-    - analyzing-golang-malware-with-ghidra
-    - analyzing-heap-spray-exploitation
-    - analyzing-indicators-of-compromise
-    - analyzing-ios-app-security-with-objection
-    - analyzing-kubernetes-audit-logs
-    - analyzing-linux-audit-logs-for-intrusion
-    - analyzing-linux-elf-malware
-    - analyzing-linux-kernel-rootkits
-    - analyzing-linux-system-artifacts
-    - analyzing-lnk-file-and-jump-list-artifacts
-    - analyzing-macro-malware-in-office-documents
-    - analyzing-malicious-pdf-with-peepdf
-    - analyzing-malicious-url-with-urlscan
-    - analyzing-malware-behavior-with-cuckoo-sandbox
-    - analyzing-malware-family-relationships-with-malpedia
-    - analyzing-malware-persistence-with-autoruns
-    - analyzing-malware-sandbox-evasion-techniques
-    - analyzing-memory-dumps-with-volatility
-    - analyzing-memory-forensics-with-lime-and-volatility
-    - analyzing-mft-for-deleted-file-recovery
-    - analyzing-network-covert-channels-in-malware
-    - analyzing-network-flow-data-with-netflow
-    - analyzing-network-packets-with-scapy
-    - analyzing-network-traffic-for-incidents
-    - analyzing-network-traffic-of-malware
-    - analyzing-network-traffic-with-wireshark
-    - analyzing-office365-audit-logs-for-compromise
-    - analyzing-outlook-pst-for-email-forensics
-    - analyzing-packed-malware-with-upx-unpacker
-    - analyzing-pdf-malware-with-pdfid
-    - analyzing-persistence-mechanisms-in-linux
-    - analyzing-powershell-empire-artifacts
-    - analyzing-powershell-script-block-logging
-    - analyzing-prefetch-files-for-execution-history
-    - analyzing-ransomware-encryption-mechanisms
-    - analyzing-ransomware-leak-site-intelligence
-    - analyzing-ransomware-network-indicators
-    - analyzing-ransomware-payment-wallets
-    - analyzing-sbom-for-supply-chain-vulnerabilities
-    - analyzing-security-logs-with-splunk
-    - analyzing-slack-space-and-file-system-artifacts
-    - analyzing-supply-chain-malware-artifacts
-    - analyzing-threat-actor-ttps-with-mitre-attack
-    - analyzing-threat-actor-ttps-with-mitre-navigator
-    - analyzing-threat-intelligence-feeds
-    - analyzing-threat-landscape-with-misp
-    - analyzing-tls-certificate-transparency-logs
-    - analyzing-typosquatting-domains-with-dnstwist
-    - analyzing-uefi-bootkit-persistence
-    - analyzing-usb-device-connection-history
-    - analyzing-web-server-logs-for-intrusion
-    - analyzing-windows-amcache-artifacts
-    - analyzing-windows-event-logs-in-splunk
-    - analyzing-windows-lnk-files-for-artifacts
-    - analyzing-windows-prefetch-with-python
-    - analyzing-windows-registry-for-artifacts
-    - analyzing-windows-shellbag-artifacts
-    - auditing-aws-s3-bucket-permissions
-    - auditing-azure-active-directory-configuration
-    - auditing-cloud-with-cis-benchmarks
-    - auditing-gcp-iam-permissions
-    - auditing-kubernetes-cluster-rbac
-    - auditing-terraform-infrastructure-for-security
-    - auditing-tls-certificate-transparency-logs
-    - automating-ioc-enrichment
-    - building-adversary-infrastructure-tracking-system
-    - building-attack-pattern-library-from-cti-reports
-    - building-automated-malware-submission-pipeline
-    - building-c2-infrastructure-with-sliver-framework
-    - building-cloud-siem-with-sentinel
-    - building-detection-rule-with-splunk-spl
-    - building-detection-rules-with-sigma
-    - building-devsecops-pipeline-with-gitlab-ci
-    - building-identity-federation-with-saml-azure-ad
-    - building-identity-governance-lifecycle-process
-    - building-incident-response-dashboard
-    - building-incident-response-playbook
-    - building-incident-timeline-with-timesketch
-    - building-ioc-defanging-and-sharing-pipeline
-    - building-ioc-enrichment-pipeline-with-opencti
-    - building-malware-incident-communication-template
-    - building-patch-tuesday-response-process
-    - building-phishing-reporting-button-workflow
-    - building-ransomware-playbook-with-cisa-framework
-    - building-red-team-c2-infrastructure-with-havoc
-    - building-role-mining-for-rbac-optimization
-    - building-soc-escalation-matrix
-    - building-soc-metrics-and-kpi-tracking
-    - building-soc-playbook-for-ransomware
-    - building-threat-actor-profile-from-osint
-    - building-threat-feed-aggregation-with-misp
-    - building-threat-hunt-hypothesis-framework
-    - building-threat-intelligence-enrichment-in-splunk
-    - building-threat-intelligence-feed-integration
-    - building-threat-intelligence-platform
-    - building-vulnerability-aging-and-sla-tracking
-    - building-vulnerability-dashboard-with-defectdojo
-    - building-vulnerability-exception-tracking-system
-    - building-vulnerability-scanning-workflow
-    - bypassing-authentication-with-forced-browsing
-    - collecting-indicators-of-compromise
-    - collecting-open-source-intelligence
-    - collecting-threat-intelligence-with-misp
-    - collecting-volatile-evidence-from-compromised-host
-    - conducting-api-security-testing
-    - conducting-cloud-incident-response
-    - conducting-cloud-penetration-testing
-    - conducting-domain-persistence-with-dcsync
-    - conducting-external-reconnaissance-with-osint
-    - conducting-full-scope-red-team-engagement
-    - conducting-internal-network-penetration-test
-    - conducting-internal-reconnaissance-with-bloodhound-ce
-    - conducting-malware-incident-response
-    - conducting-man-in-the-middle-attack-simulation
-    - conducting-memory-forensics-with-volatility
-    - conducting-mobile-app-penetration-test
-    - conducting-network-penetration-test
-    - conducting-pass-the-ticket-attack
-    - conducting-phishing-incident-response
-    - conducting-post-incident-lessons-learned
-    - conducting-social-engineering-penetration-test
-    - conducting-social-engineering-pretext-call
-    - conducting-spearphishing-simulation-campaign
-    - conducting-wireless-network-penetration-test
-    - configuring-active-directory-tiered-model
-    - configuring-aws-verified-access-for-ztna
-    - configuring-certificate-authority-with-openssl
-    - configuring-host-based-intrusion-detection
-    - configuring-hsm-for-key-storage
-    - configuring-identity-aware-proxy-with-google-iap
-    - configuring-ldap-security-hardening
-    - configuring-microsegmentation-for-zero-trust
-    - configuring-multi-factor-authentication-with-duo
-    - configuring-network-segmentation-with-vlans
-    - configuring-oauth2-authorization-flow
-    - configuring-pfsense-firewall-rules
-    - configuring-snort-ids-for-intrusion-detection
-    - configuring-suricata-for-network-monitoring
-    - configuring-tls-1-3-for-secure-communications
-    - configuring-windows-defender-advanced-settings
-    - configuring-windows-event-logging-for-detection
-    - configuring-zscaler-private-access-for-ztna
-    - containing-active-breach
-    - correlating-security-events-in-qradar
-    - correlating-threat-campaigns
-    - deobfuscating-javascript-malware
-    - deobfuscating-powershell-obfuscated-malware
-    - deploying-active-directory-honeytokens
-    - deploying-cloudflare-access-for-zero-trust
-    - deploying-decoy-files-for-ransomware-detection
-    - deploying-edr-agent-with-crowdstrike
-    - deploying-osquery-for-endpoint-monitoring
-    - deploying-palo-alto-prisma-access-zero-trust
-    - deploying-ransomware-canary-files
-    - deploying-software-defined-perimeter
-    - deploying-tailscale-for-zero-trust-vpn
-    - detecting-ai-model-prompt-injection-attacks
-    - detecting-anomalies-in-industrial-control-systems
-    - detecting-anomalous-authentication-patterns
-    - detecting-api-enumeration-attacks
-    - detecting-arp-poisoning-in-network-traffic
-    - detecting-attacks-on-historian-servers
-    - detecting-attacks-on-scada-systems
-    - detecting-aws-cloudtrail-anomalies
-    - detecting-aws-credential-exposure-with-trufflehog
-    - detecting-aws-guardduty-findings-automation
-    - detecting-aws-iam-privilege-escalation
-    - detecting-azure-lateral-movement
-    - detecting-azure-service-principal-abuse
-    - detecting-azure-storage-account-misconfigurations
-    - detecting-beaconing-patterns-with-zeek
-    - detecting-bluetooth-low-energy-attacks
-    - detecting-broken-object-property-level-authorization
-    - detecting-business-email-compromise
-    - detecting-business-email-compromise-with-ai
-    - detecting-cloud-threats-with-guardduty
-    - detecting-command-and-control-over-dns
-    - detecting-compromised-cloud-credentials
-    - detecting-container-drift-at-runtime
-    - detecting-container-escape-attempts
-    - detecting-container-escape-with-falco-rules
-    - detecting-credential-dumping-techniques
-    - detecting-cryptomining-in-cloud
-    - detecting-dcsync-attack-in-active-directory
-    - detecting-deepfake-audio-in-vishing-attacks
-    - detecting-dll-sideloading-attacks
-    - detecting-dnp3-protocol-anomalies
-    - detecting-dns-exfiltration-with-dns-query-analysis
-    - detecting-email-account-compromise
-    - detecting-email-forwarding-rules-attack
-    - detecting-evasion-techniques-in-endpoint-logs
-    - detecting-exfiltration-over-dns-with-zeek
-    - detecting-fileless-attacks-on-endpoints
-    - detecting-fileless-malware-techniques
-    - detecting-golden-ticket-attacks-in-kerberos-logs
-    - detecting-golden-ticket-forgery
-    - detecting-insider-data-exfiltration-via-dlp
-    - detecting-insider-threat-behaviors
-    - detecting-insider-threat-with-ueba
-    - detecting-kerberoasting-attacks
-    - detecting-lateral-movement-in-network
-    - detecting-lateral-movement-with-splunk
-    - detecting-lateral-movement-with-zeek
-    - detecting-living-off-the-land-attacks
-    - detecting-living-off-the-land-with-lolbas
-    - detecting-malicious-scheduled-tasks-with-sysmon
-    - detecting-mimikatz-execution-patterns
-    - detecting-misconfigured-azure-storage
-    - detecting-mobile-malware-behavior
-    - detecting-modbus-command-injection-attacks
-    - detecting-modbus-protocol-anomalies
-    - detecting-network-anomalies-with-zeek
-    - detecting-network-scanning-with-ids-signatures
-    - detecting-ntlm-relay-with-event-correlation
-    - detecting-oauth-token-theft
-    - detecting-pass-the-hash-attacks
-    - detecting-pass-the-ticket-attacks
-    - detecting-port-scanning-with-fail2ban
-    - detecting-privilege-escalation-attempts
-    - detecting-privilege-escalation-in-kubernetes-pods
-    - detecting-process-hollowing-technique
-    - detecting-process-injection-techniques
-    - detecting-qr-code-phishing-with-email-security
-    - detecting-ransomware-encryption-behavior
-    - detecting-ransomware-precursors-in-network
-    - detecting-rdp-brute-force-attacks
-    - detecting-rootkit-activity
-    - detecting-s3-data-exfiltration-attempts
-    - detecting-serverless-function-injection
-    - detecting-service-account-abuse
-    - detecting-shadow-api-endpoints
-    - detecting-shadow-it-cloud-usage
-    - detecting-spearphishing-with-email-gateway
-    - detecting-sql-injection-via-waf-logs
-    - detecting-stuxnet-style-attacks
-    - detecting-supply-chain-attacks-in-ci-cd
-    - detecting-suspicious-oauth-application-consent
-    - detecting-suspicious-powershell-execution
-    - detecting-t1003-credential-dumping-with-edr
-    - detecting-t1055-process-injection-with-sysmon
-    - detecting-t1548-abuse-elevation-control-mechanism
-    - detecting-typosquatting-packages-in-npm-pypi
-    - detecting-wmi-persistence
-    - eradicating-malware-from-infected-systems
-    - evaluating-threat-intelligence-platforms
-    - executing-active-directory-attack-simulation
-    - executing-phishing-simulation-campaign
-    - executing-red-team-engagement-planning
-    - executing-red-team-exercise
-    - exploiting-active-directory-certificate-services-esc1
-    - exploiting-active-directory-with-bloodhound
-    - exploiting-api-injection-vulnerabilities
-    - exploiting-bgp-hijacking-vulnerabilities
-    - exploiting-broken-function-level-authorization
-    - exploiting-broken-link-hijacking
-    - exploiting-constrained-delegation-abuse
-    - exploiting-deeplink-vulnerabilities
-    - exploiting-excessive-data-exposure-in-api
-    - exploiting-http-request-smuggling
-    - exploiting-idor-vulnerabilities
-    - exploiting-insecure-data-storage-in-mobile
-    - exploiting-insecure-deserialization
-    - exploiting-ipv6-vulnerabilities
-    - exploiting-jwt-algorithm-confusion-attack
-    - exploiting-kerberoasting-with-impacket
-    - exploiting-mass-assignment-in-rest-apis
-    - exploiting-ms17-010-eternalblue-vulnerability
-    - exploiting-nopac-cve-2021-42278-42287
-    - exploiting-nosql-injection-vulnerabilities
-    - exploiting-oauth-misconfiguration
-    - exploiting-prototype-pollution-in-javascript
-    - exploiting-race-condition-vulnerabilities
-    - exploiting-server-side-request-forgery
-    - exploiting-smb-vulnerabilities-with-metasploit
-    - exploiting-sql-injection-vulnerabilities
-    - exploiting-sql-injection-with-sqlmap
-    - exploiting-template-injection-vulnerabilities
-    - exploiting-type-juggling-vulnerabilities
-    - exploiting-vulnerabilities-with-metasploit-framework
-    - exploiting-websocket-vulnerabilities
-    - exploiting-zerologon-vulnerability-cve-2020-1472
-    - extracting-browser-history-artifacts
-    - extracting-config-from-agent-tesla-rat
-    - extracting-credentials-from-memory-dump
-    - extracting-iocs-from-malware-samples
-    - extracting-memory-artifacts-with-rekall
-    - extracting-windows-event-logs-artifacts
-    - generating-threat-intelligence-reports
-    - hardening-docker-containers-for-production
-    - hardening-docker-daemon-configuration
-    - hardening-linux-endpoint-with-cis-benchmark
-    - hardening-windows-endpoint-with-cis-benchmark
-    - hunting-advanced-persistent-threats
-    - hunting-credential-stuffing-attacks
-    - hunting-for-anomalous-powershell-execution
-    - hunting-for-beaconing-with-frequency-analysis
-    - hunting-for-cobalt-strike-beacons
-    - hunting-for-command-and-control-beaconing
-    - hunting-for-data-exfiltration-indicators
-    - hunting-for-data-staging-before-exfiltration
-    - hunting-for-dcom-lateral-movement
-    - hunting-for-dcsync-attacks
-    - hunting-for-defense-evasion-via-timestomping
-    - hunting-for-dns-based-persistence
-    - hunting-for-dns-tunneling-with-zeek
-    - hunting-for-domain-fronting-c2-traffic
-    - hunting-for-lateral-movement-via-wmi
-    - hunting-for-living-off-the-cloud-techniques
-    - hunting-for-living-off-the-land-binaries
-    - hunting-for-lolbins-execution-in-endpoint-logs
-    - hunting-for-ntlm-relay-attacks
-    - hunting-for-persistence-mechanisms-in-windows
-    - hunting-for-persistence-via-wmi-subscriptions
-    - hunting-for-process-injection-techniques
-    - hunting-for-registry-persistence-mechanisms
-    - hunting-for-registry-run-key-persistence
-    - hunting-for-scheduled-task-persistence
-    - hunting-for-shadow-copy-deletion
-    - hunting-for-spearphishing-indicators
-    - hunting-for-startup-folder-persistence
-    - hunting-for-supply-chain-compromise
-    - hunting-for-suspicious-scheduled-tasks
-    - hunting-for-t1098-account-manipulation
-    - hunting-for-unusual-network-connections
-    - hunting-for-unusual-service-installations
-    - hunting-for-webshell-activity
-    - implementing-aes-encryption-for-data-at-rest
-    - implementing-alert-fatigue-reduction
-    - implementing-anti-phishing-training-program
-    - implementing-anti-ransomware-group-policy
-    - implementing-api-abuse-detection-with-rate-limiting
-    - implementing-api-gateway-security-controls
-    - implementing-api-key-security-controls
-    - implementing-api-rate-limiting-and-throttling
-    - implementing-api-schema-validation-security
-    - implementing-api-security-posture-management
-    - implementing-api-security-testing-with-42crunch
-    - implementing-api-threat-protection-with-apigee
-    - implementing-application-whitelisting-with-applocker
-    - implementing-aqua-security-for-container-scanning
-    - implementing-attack-path-analysis-with-xm-cyber
-    - implementing-attack-surface-management
-    - implementing-aws-config-rules-for-compliance
-    - implementing-aws-iam-permission-boundaries
-    - implementing-aws-macie-for-data-classification
-    - implementing-aws-nitro-enclave-security
-    - implementing-aws-security-hub
-    - implementing-aws-security-hub-compliance
-    - implementing-azure-ad-privileged-identity-management
-    - implementing-azure-defender-for-cloud
-    - implementing-beyondcorp-zero-trust-access-model
-    - implementing-bgp-security-with-rpki
-    - implementing-browser-isolation-for-zero-trust
-    - implementing-canary-tokens-for-network-intrusion
-    - implementing-cisa-zero-trust-maturity-model
-    - implementing-cloud-dlp-for-data-protection
-    - implementing-cloud-security-posture-management
-    - implementing-cloud-trail-log-analysis
-    - implementing-cloud-vulnerability-posture-management
-    - implementing-cloud-waf-rules
-    - implementing-cloud-workload-protection
-    - implementing-code-signing-for-artifacts
-    - implementing-conditional-access-policies-azure-ad
-    - implementing-conduit-security-for-ot-remote-access
-    - implementing-container-image-minimal-base-with-distroless
-    - implementing-container-network-policies-with-calico
-    - implementing-continuous-security-validation-with-bas
-    - implementing-data-loss-prevention-with-microsoft-purview
-    - implementing-ddos-mitigation-with-cloudflare
-    - implementing-deception-based-detection-with-canarytoken
-    - implementing-delinea-secret-server-for-pam
-    - implementing-device-posture-assessment-in-zero-trust
-    - implementing-devsecops-security-scanning
-    - implementing-diamond-model-analysis
-    - implementing-digital-signatures-with-ed25519
-    - implementing-disk-encryption-with-bitlocker
-    - implementing-dmarc-dkim-spf-email-security
-    - implementing-dragos-platform-for-ot-monitoring
-    - implementing-ebpf-security-monitoring
-    - implementing-email-sandboxing-with-proofpoint
-    - implementing-end-to-end-encryption-for-messaging
-    - implementing-endpoint-detection-with-wazuh
-    - implementing-endpoint-dlp-controls
-    - implementing-envelope-encryption-with-aws-kms
-    - implementing-epss-score-for-vulnerability-prioritization
-    - implementing-file-integrity-monitoring-with-aide
-    - implementing-fuzz-testing-in-cicd-with-aflplusplus
-    - implementing-gcp-binary-authorization
-    - implementing-gcp-organization-policy-constraints
-    - implementing-gcp-vpc-firewall-rules
-    - implementing-gdpr-data-protection-controls
-    - implementing-gdpr-data-subject-access-request
-    - implementing-github-advanced-security-for-code-scanning
-    - implementing-google-workspace-admin-security
-    - implementing-google-workspace-phishing-protection
-    - implementing-google-workspace-sso-configuration
-    - implementing-hardware-security-key-authentication
-    - implementing-hashicorp-vault-dynamic-secrets
-    - implementing-honeypot-for-ransomware-detection
-    - implementing-honeytokens-for-breach-detection
-    - implementing-ics-firewall-with-tofino
-    - implementing-identity-governance-with-sailpoint
-    - implementing-identity-verification-for-zero-trust
-    - implementing-iec-62443-security-zones
-    - implementing-image-provenance-verification-with-cosign
-    - implementing-immutable-backup-with-restic
-    - implementing-infrastructure-as-code-security-scanning
-    - implementing-iso-27001-information-security-management
-    - implementing-just-in-time-access-provisioning
-    - implementing-jwt-signing-and-verification
-    - implementing-kubernetes-network-policy-with-calico
-    - implementing-kubernetes-pod-security-standards
-    - implementing-llm-guardrails-for-security
-    - implementing-log-forwarding-with-fluentd
-    - implementing-log-integrity-with-blockchain
-    - implementing-memory-protection-with-dep-aslr
-    - implementing-microsegmentation-with-guardicore
-    - implementing-mimecast-targeted-attack-protection
-    - implementing-mitre-attack-coverage-mapping
-    - implementing-mobile-application-management
-    - implementing-mtls-for-zero-trust-services
-    - implementing-nerc-cip-compliance-controls
-    - implementing-network-access-control
-    - implementing-network-access-control-with-cisco-ise
-    - implementing-network-deception-with-honeypots
-    - implementing-network-intrusion-prevention-with-suricata
-    - implementing-network-policies-for-kubernetes
-    - implementing-network-segmentation-for-ot
-    - implementing-network-segmentation-with-firewall-zones
-    - implementing-network-traffic-analysis-with-arkime
-    - implementing-network-traffic-baselining
-    - implementing-next-generation-firewall-with-palo-alto
-    - implementing-opa-gatekeeper-for-policy-enforcement
-    - implementing-ot-incident-response-playbook
-    - implementing-ot-network-traffic-analysis-with-nozomi
-    - implementing-pam-for-database-access
-    - implementing-passwordless-auth-with-microsoft-entra
-    - implementing-passwordless-authentication-with-fido2
-    - implementing-patch-management-for-ot-systems
-    - implementing-patch-management-workflow
-    - implementing-pci-dss-compliance-controls
-    - implementing-pod-security-admission-controller
-    - implementing-policy-as-code-with-open-policy-agent
-    - implementing-privileged-access-management-with-cyberark
-    - implementing-privileged-access-workstation
-    - implementing-privileged-session-monitoring
-    - implementing-proofpoint-email-security-gateway
-    - implementing-purdue-model-network-segmentation
-    - implementing-ransomware-backup-strategy
-    - implementing-ransomware-kill-switch-detection
-    - implementing-rapid7-insightvm-for-scanning
-    - implementing-rbac-hardening-for-kubernetes
-    - implementing-rsa-key-pair-management
-    - implementing-runtime-application-self-protection
-    - implementing-runtime-security-with-tetragon
-    - implementing-saml-sso-with-okta
-    - implementing-scim-provisioning-with-okta
-    - implementing-secret-scanning-with-gitleaks
-    - implementing-secrets-management-with-vault
-    - implementing-secrets-scanning-in-ci-cd
-    - implementing-security-chaos-engineering
-    - implementing-security-information-sharing-with-stix2
-    - implementing-security-monitoring-with-datadog
-    - implementing-semgrep-for-custom-sast-rules
-    - implementing-siem-correlation-rules-for-apt
-    - implementing-siem-use-case-tuning
-    - implementing-siem-use-cases-for-detection
-    - implementing-sigstore-for-software-signing
-    - implementing-soar-automation-with-phantom
-    - implementing-soar-playbook-for-phishing
-    - implementing-soar-playbook-with-palo-alto-xsoar
-    - implementing-stix-taxii-feed-integration
-    - implementing-supply-chain-security-with-in-toto
-    - implementing-syslog-centralization-with-rsyslog
-    - implementing-taxii-server-with-opentaxii
-    - implementing-threat-intelligence-lifecycle-management
-    - implementing-threat-modeling-with-mitre-attack
-    - implementing-ticketing-system-for-incidents
-    - implementing-usb-device-control-policy
-    - implementing-velociraptor-for-ir-collection
-    - implementing-vulnerability-management-with-greenbone
-    - implementing-vulnerability-remediation-sla
-    - implementing-vulnerability-sla-breach-alerting
-    - implementing-web-application-logging-with-modsecurity
-    - implementing-zero-knowledge-proof-for-authentication
-    - implementing-zero-standing-privilege-with-cyberark
-    - implementing-zero-trust-dns-with-nextdns
-    - implementing-zero-trust-for-saas-applications
-    - implementing-zero-trust-in-cloud
-    - implementing-zero-trust-network-access
-    - implementing-zero-trust-network-access-with-zscaler
-    - implementing-zero-trust-with-beyondcorp
-    - implementing-zero-trust-with-hashicorp-boundary
-    - integrating-dast-with-owasp-zap-in-pipeline
-    - integrating-sast-into-github-actions-pipeline
-    - intercepting-mobile-traffic-with-burpsuite
-    - investigating-insider-threat-indicators
-    - investigating-phishing-email-incident
-    - investigating-ransomware-attack-artifacts
-    - managing-cloud-identity-with-okta
-    - managing-intelligence-lifecycle
-    - mapping-mitre-attack-techniques
-    - monitoring-darkweb-sources
-    - monitoring-scada-modbus-traffic-anomalies
-    - performing-access-recertification-with-saviynt
-    - performing-access-review-and-certification
-    - performing-active-directory-bloodhound-analysis
-    - performing-active-directory-compromise-investigation
-    - performing-active-directory-forest-trust-attack
-    - performing-active-directory-penetration-test
-    - performing-active-directory-vulnerability-assessment
-    - performing-adversary-in-the-middle-phishing-detection
-    - performing-agentless-vulnerability-scanning
-    - performing-ai-driven-osint-correlation
-    - performing-alert-triage-with-elastic-siem
-    - performing-android-app-static-analysis-with-mobsf
-    - performing-api-fuzzing-with-restler
-    - performing-api-inventory-and-discovery
-    - performing-api-rate-limiting-bypass
-    - performing-api-security-testing-with-postman
-    - performing-arp-spoofing-attack-simulation
-    - performing-asset-criticality-scoring-for-vulns
-    - performing-authenticated-scan-with-openvas
-    - performing-authenticated-vulnerability-scan
-    - performing-automated-malware-analysis-with-cape
-    - performing-aws-account-enumeration-with-scout-suite
-    - performing-aws-privilege-escalation-assessment
-    - performing-bandwidth-throttling-attack-simulation
-    - performing-binary-exploitation-analysis
-    - performing-blind-ssrf-exploitation
-    - performing-bluetooth-security-assessment
-    - performing-brand-monitoring-for-impersonation
-    - performing-clickjacking-attack-test
-    - performing-cloud-asset-inventory-with-cartography
-    - performing-cloud-forensics-investigation
-    - performing-cloud-forensics-with-aws-cloudtrail
-    - performing-cloud-incident-containment-procedures
-    - performing-cloud-log-forensics-with-athena
-    - performing-cloud-native-forensics-with-falco
-    - performing-cloud-native-threat-hunting-with-aws-detective
-    - performing-cloud-penetration-testing-with-pacu
-    - performing-cloud-storage-forensic-acquisition
-    - performing-container-escape-detection
-    - performing-container-image-hardening
-    - performing-container-security-scanning-with-trivy
-    - performing-content-security-policy-bypass
-    - performing-credential-access-with-lazagne
-    - performing-cryptographic-audit-of-application
-    - performing-csrf-attack-simulation
-    - performing-cve-prioritization-with-kev-catalog
-    - performing-dark-web-monitoring-for-threats
-    - performing-deception-technology-deployment
-    - performing-directory-traversal-testing
-    - performing-disk-forensics-investigation
-    - performing-dmarc-policy-enforcement-rollout
-    - performing-dns-enumeration-and-zone-transfer
-    - performing-dns-tunneling-detection
-    - performing-docker-bench-security-assessment
-    - performing-dynamic-analysis-of-android-app
-    - performing-dynamic-analysis-with-any-run
-    - performing-endpoint-forensics-investigation
-    - performing-endpoint-vulnerability-remediation
-    - performing-entitlement-review-with-sailpoint-iiq
-    - performing-external-network-penetration-test
-    - performing-false-positive-reduction-in-siem
-    - performing-file-carving-with-foremost
-    - performing-firmware-extraction-with-binwalk
-    - performing-firmware-malware-analysis
-    - performing-fuzzing-with-aflplusplus
-    - performing-gcp-penetration-testing-with-gcpbucketbrute
-    - performing-gcp-security-assessment-with-forseti
-    - performing-graphql-depth-limit-attack
-    - performing-graphql-introspection-attack
-    - performing-graphql-security-assessment
-    - performing-hardware-security-module-integration
-    - performing-hash-cracking-with-hashcat
-    - performing-http-parameter-pollution-attack
-    - performing-ics-asset-discovery-with-claroty
-    - performing-indicator-lifecycle-management
-    - performing-initial-access-with-evilginx3
-    - performing-insider-threat-investigation
-    - performing-ioc-enrichment-automation
-    - performing-ios-app-security-assessment
-    - performing-iot-security-assessment
-    - performing-ip-reputation-analysis-with-shodan
-    - performing-jwt-none-algorithm-attack
-    - performing-kerberoasting-attack
-    - performing-kubernetes-cis-benchmark-with-kube-bench
-    - performing-kubernetes-etcd-security-assessment
-    - performing-kubernetes-penetration-testing
-    - performing-lateral-movement-detection
-    - performing-lateral-movement-with-wmiexec
-    - performing-linux-log-forensics-investigation
-    - performing-log-analysis-for-forensic-investigation
-    - performing-log-source-onboarding-in-siem
-    - performing-malware-hash-enrichment-with-virustotal
-    - performing-malware-ioc-extraction
-    - performing-malware-persistence-investigation
-    - performing-malware-triage-with-yara
-    - performing-memory-forensics-with-volatility3
-    - performing-memory-forensics-with-volatility3-plugins
-    - performing-mobile-app-certificate-pinning-bypass
-    - performing-mobile-device-forensics-with-cellebrite
-    - performing-network-forensics-with-wireshark
-    - performing-network-packet-capture-analysis
-    - performing-network-traffic-analysis-with-tshark
-    - performing-network-traffic-analysis-with-zeek
-    - performing-nist-csf-maturity-assessment
-    - performing-oauth-scope-minimization-review
-    - performing-oil-gas-cybersecurity-assessment
-    - performing-open-source-intelligence-gathering
-    - performing-osint-with-spiderfoot
-    - performing-ot-network-security-assessment
-    - performing-ot-vulnerability-assessment-with-claroty
-    - performing-ot-vulnerability-scanning-safely
-    - performing-packet-injection-attack
-    - performing-paste-site-monitoring-for-credentials
-    - performing-phishing-simulation-with-gophish
-    - performing-physical-intrusion-assessment
-    - performing-plc-firmware-security-analysis
-    - performing-post-quantum-cryptography-migration
-    - performing-power-grid-cybersecurity-assessment
-    - performing-privacy-impact-assessment
-    - performing-privilege-escalation-assessment
-    - performing-privilege-escalation-on-linux
-    - performing-privileged-account-access-review
-    - performing-privileged-account-discovery
-    - performing-purple-team-atomic-testing
-    - performing-purple-team-exercise
-    - performing-ransomware-response
-    - performing-ransomware-tabletop-exercise
-    - performing-red-team-phishing-with-gophish
-    - performing-red-team-with-covenant
-    - performing-s7comm-protocol-security-analysis
-    - performing-sca-dependency-scanning-with-snyk
-    - performing-scada-hmi-security-assessment
-    - performing-second-order-sql-injection
-    - performing-security-headers-audit
-    - performing-serverless-function-security-review
-    - performing-service-account-audit
-    - performing-service-account-credential-rotation
-    - performing-soap-web-service-security-testing
-    - performing-soc-tabletop-exercise
-    - performing-soc2-type2-audit-preparation
-    - performing-sqlite-database-forensics
-    - performing-ssl-certificate-lifecycle-management
-    - performing-ssl-stripping-attack
-    - performing-ssl-tls-inspection-configuration
-    - performing-ssl-tls-security-assessment
-    - performing-ssrf-vulnerability-exploitation
-    - performing-static-malware-analysis-with-pe-studio
-    - performing-steganography-detection
-    - performing-subdomain-enumeration-with-subfinder
-    - performing-supply-chain-attack-simulation
-    - performing-thick-client-application-penetration-test
-    - performing-threat-emulation-with-atomic-red-team
-    - performing-threat-hunting-with-elastic-siem
-    - performing-threat-hunting-with-yara-rules
-    - performing-threat-intelligence-sharing-with-misp
-    - performing-threat-landscape-assessment-for-sector
-    - performing-threat-modeling-with-owasp-threat-dragon
-    - performing-timeline-reconstruction-with-plaso
-    - performing-user-behavior-analytics
-    - performing-vlan-hopping-attack
-    - performing-vulnerability-scanning-with-nessus
-    - performing-web-application-firewall-bypass
-    - performing-web-application-penetration-test
-    - performing-web-application-scanning-with-nikto
-    - performing-web-application-vulnerability-triage
-    - performing-web-cache-deception-attack
-    - performing-web-cache-poisoning-attack
-    - performing-wifi-password-cracking-with-aircrack
-    - performing-windows-artifact-analysis-with-eric-zimmerman-tools
-    - performing-wireless-network-penetration-test
-    - performing-wireless-security-assessment-with-kismet
-    - performing-yara-rule-development-for-detection
-    - prioritizing-vulnerabilities-with-cvss-scoring
-    - processing-stix-taxii-feeds
-    - profiling-threat-actor-groups
-    - recovering-deleted-files-with-photorec
-    - recovering-from-ransomware-attack
-    - remediating-s3-bucket-misconfiguration
-    - reverse-engineering-android-malware-with-jadx
-    - reverse-engineering-dotnet-malware-with-dnspy
-    - reverse-engineering-ios-app-with-frida
-    - reverse-engineering-malware-with-ghidra
-    - reverse-engineering-ransomware-encryption-routine
-    - reverse-engineering-rust-malware
-    - scanning-container-images-with-grype
-    - scanning-containers-with-trivy-in-cicd
-    - scanning-docker-images-with-trivy
-    - scanning-infrastructure-with-nessus
-    - scanning-kubernetes-manifests-with-kubesec
-    - scanning-network-with-nmap-advanced
-    - securing-api-gateway-with-aws-waf
-    - securing-aws-iam-permissions
-    - securing-aws-lambda-execution-roles
-    - securing-azure-with-microsoft-defender
-    - securing-container-registry-images
-    - securing-container-registry-with-harbor
-    - securing-github-actions-workflows
-    - securing-helm-chart-deployments
-    - securing-historian-server-in-ot-environment
-    - securing-kubernetes-on-cloud
-    - securing-remote-access-to-ot-environment
-    - securing-serverless-functions
-    - testing-android-intents-for-vulnerabilities
-    - testing-api-authentication-weaknesses
-    - testing-api-for-broken-object-level-authorization
-    - testing-api-for-mass-assignment-vulnerability
-    - testing-api-security-with-owasp-top-10
-    - testing-cors-misconfiguration
-    - testing-for-broken-access-control
-    - testing-for-business-logic-vulnerabilities
-    - testing-for-email-header-injection
-    - testing-for-host-header-injection
-    - testing-for-json-web-token-vulnerabilities
-    - testing-for-open-redirect-vulnerabilities
-    - testing-for-sensitive-data-exposure
-    - testing-for-xml-injection-vulnerabilities
-    - testing-for-xss-vulnerabilities
-    - testing-for-xss-vulnerabilities-with-burpsuite
-    - testing-for-xxe-injection-vulnerabilities
-    - testing-jwt-token-security
-    - testing-mobile-api-authentication
-    - testing-oauth2-implementation-flaws
-    - testing-ransomware-recovery-procedures
-    - testing-websocket-api-security
-    - tracking-threat-actor-infrastructure
-    - triaging-security-alerts-in-splunk
-    - triaging-security-incident
-    - triaging-security-incident-with-ir-playbook
-    - triaging-vulnerabilities-with-ssvc-framework
-    - validating-backup-integrity-for-recovery
-mcps: []
+    - security/agentshield
+    - offensive-osint
+    - osint-methodology
+  npx:
+    - repo: mukul975/Anthropic-Cybersecurity-Skills
+      skills:
+        - acquiring-disk-image-with-dd-and-dcfldd
+        - analyzing-active-directory-acl-abuse
+        - analyzing-android-malware-with-apktool
+        - analyzing-api-gateway-access-logs
+        - analyzing-apt-group-with-mitre-navigator
+        - analyzing-azure-activity-logs-for-threats
+        - analyzing-bootkit-and-rootkit-samples
+        - analyzing-browser-forensics-with-hindsight
+        - analyzing-campaign-attribution-evidence
+        - analyzing-certificate-transparency-for-phishing
+        - analyzing-cloud-storage-access-patterns
+        - analyzing-cobalt-strike-beacon-configuration
+        - analyzing-cobaltstrike-malleable-c2-profiles
+        - analyzing-command-and-control-communication
+        - analyzing-cyber-kill-chain
+        - analyzing-disk-image-with-autopsy
+        - analyzing-dns-logs-for-exfiltration
+        - analyzing-docker-container-forensics
+        - analyzing-email-headers-for-phishing-investigation
+        - analyzing-ethereum-smart-contract-vulnerabilities
+        - analyzing-golang-malware-with-ghidra
+        - analyzing-heap-spray-exploitation
+        - analyzing-indicators-of-compromise
+        - analyzing-ios-app-security-with-objection
+        - analyzing-kubernetes-audit-logs
+        - analyzing-linux-audit-logs-for-intrusion
+        - analyzing-linux-elf-malware
+        - analyzing-linux-kernel-rootkits
+        - analyzing-linux-system-artifacts
+        - analyzing-lnk-file-and-jump-list-artifacts
+        - analyzing-macro-malware-in-office-documents
+        - analyzing-malicious-pdf-with-peepdf
+        - analyzing-malicious-url-with-urlscan
+        - analyzing-malware-behavior-with-cuckoo-sandbox
+        - analyzing-malware-family-relationships-with-malpedia
+        - analyzing-malware-persistence-with-autoruns
+        - analyzing-malware-sandbox-evasion-techniques
+        - analyzing-memory-dumps-with-volatility
+        - analyzing-memory-forensics-with-lime-and-volatility
+        - analyzing-mft-for-deleted-file-recovery
+        - analyzing-network-covert-channels-in-malware
+        - analyzing-network-flow-data-with-netflow
+        - analyzing-network-packets-with-scapy
+        - analyzing-network-traffic-for-incidents
+        - analyzing-network-traffic-of-malware
+        - analyzing-network-traffic-with-wireshark
+        - analyzing-office365-audit-logs-for-compromise
+        - analyzing-outlook-pst-for-email-forensics
+        - analyzing-packed-malware-with-upx-unpacker
+        - analyzing-pdf-malware-with-pdfid
+        - analyzing-persistence-mechanisms-in-linux
+        - analyzing-powershell-empire-artifacts
+        - analyzing-powershell-script-block-logging
+        - analyzing-prefetch-files-for-execution-history
+        - analyzing-ransomware-encryption-mechanisms
+        - analyzing-ransomware-leak-site-intelligence
+        - analyzing-ransomware-network-indicators
+        - analyzing-ransomware-payment-wallets
+        - analyzing-sbom-for-supply-chain-vulnerabilities
+        - analyzing-security-logs-with-splunk
+        - analyzing-slack-space-and-file-system-artifacts
+        - analyzing-supply-chain-malware-artifacts
+        - analyzing-threat-actor-ttps-with-mitre-attack
+        - analyzing-threat-actor-ttps-with-mitre-navigator
+        - analyzing-threat-intelligence-feeds
+        - analyzing-threat-landscape-with-misp
+        - analyzing-tls-certificate-transparency-logs
+        - analyzing-typosquatting-domains-with-dnstwist
+        - analyzing-uefi-bootkit-persistence
+        - analyzing-usb-device-connection-history
+        - analyzing-web-server-logs-for-intrusion
+        - analyzing-windows-amcache-artifacts
+        - analyzing-windows-event-logs-in-splunk
+        - analyzing-windows-lnk-files-for-artifacts
+        - analyzing-windows-prefetch-with-python
+        - analyzing-windows-registry-for-artifacts
+        - analyzing-windows-shellbag-artifacts
+        - auditing-aws-s3-bucket-permissions
+        - auditing-azure-active-directory-configuration
+        - auditing-cloud-with-cis-benchmarks
+        - auditing-gcp-iam-permissions
+        - auditing-kubernetes-cluster-rbac
+        - auditing-terraform-infrastructure-for-security
+        - auditing-tls-certificate-transparency-logs
+        - automating-ioc-enrichment
+        - building-adversary-infrastructure-tracking-system
+        - building-attack-pattern-library-from-cti-reports
+        - building-automated-malware-submission-pipeline
+        - building-c2-infrastructure-with-sliver-framework
+        - building-cloud-siem-with-sentinel
+        - building-detection-rule-with-splunk-spl
+        - building-detection-rules-with-sigma
+        - building-devsecops-pipeline-with-gitlab-ci
+        - building-identity-federation-with-saml-azure-ad
+        - building-identity-governance-lifecycle-process
+        - building-incident-response-dashboard
+        - building-incident-response-playbook
+        - building-incident-timeline-with-timesketch
+        - building-ioc-defanging-and-sharing-pipeline
+        - building-ioc-enrichment-pipeline-with-opencti
+        - building-malware-incident-communication-template
+        - building-patch-tuesday-response-process
+        - building-phishing-reporting-button-workflow
+        - building-ransomware-playbook-with-cisa-framework
+        - building-red-team-c2-infrastructure-with-havoc
+        - building-role-mining-for-rbac-optimization
+        - building-soc-escalation-matrix
+        - building-soc-metrics-and-kpi-tracking
+        - building-soc-playbook-for-ransomware
+        - building-threat-actor-profile-from-osint
+        - building-threat-feed-aggregation-with-misp
+        - building-threat-hunt-hypothesis-framework
+        - building-threat-intelligence-enrichment-in-splunk
+        - building-threat-intelligence-feed-integration
+        - building-threat-intelligence-platform
+        - building-vulnerability-aging-and-sla-tracking
+        - building-vulnerability-dashboard-with-defectdojo
+        - building-vulnerability-exception-tracking-system
+        - building-vulnerability-scanning-workflow
+        - bypassing-authentication-with-forced-browsing
+        - collecting-indicators-of-compromise
+        - collecting-open-source-intelligence
+        - collecting-threat-intelligence-with-misp
+        - collecting-volatile-evidence-from-compromised-host
+        - conducting-api-security-testing
+        - conducting-cloud-incident-response
+        - conducting-cloud-penetration-testing
+        - conducting-domain-persistence-with-dcsync
+        - conducting-external-reconnaissance-with-osint
+        - conducting-full-scope-red-team-engagement
+        - conducting-internal-network-penetration-test
+        - conducting-internal-reconnaissance-with-bloodhound-ce
+        - conducting-malware-incident-response
+        - conducting-man-in-the-middle-attack-simulation
+        - conducting-memory-forensics-with-volatility
+        - conducting-mobile-app-penetration-test
+        - conducting-network-penetration-test
+        - conducting-pass-the-ticket-attack
+        - conducting-phishing-incident-response
+        - conducting-post-incident-lessons-learned
+        - conducting-social-engineering-penetration-test
+        - conducting-social-engineering-pretext-call
+        - conducting-spearphishing-simulation-campaign
+        - conducting-wireless-network-penetration-test
+        - configuring-active-directory-tiered-model
+        - configuring-aws-verified-access-for-ztna
+        - configuring-certificate-authority-with-openssl
+        - configuring-host-based-intrusion-detection
+        - configuring-hsm-for-key-storage
+        - configuring-identity-aware-proxy-with-google-iap
+        - configuring-ldap-security-hardening
+        - configuring-microsegmentation-for-zero-trust
+        - configuring-multi-factor-authentication-with-duo
+        - configuring-network-segmentation-with-vlans
+        - configuring-oauth2-authorization-flow
+        - configuring-pfsense-firewall-rules
+        - configuring-snort-ids-for-intrusion-detection
+        - configuring-suricata-for-network-monitoring
+        - configuring-tls-1-3-for-secure-communications
+        - configuring-windows-defender-advanced-settings
+        - configuring-windows-event-logging-for-detection
+        - configuring-zscaler-private-access-for-ztna
+        - containing-active-breach
+        - correlating-security-events-in-qradar
+        - correlating-threat-campaigns
+        - deobfuscating-javascript-malware
+        - deobfuscating-powershell-obfuscated-malware
+        - deploying-active-directory-honeytokens
+        - deploying-cloudflare-access-for-zero-trust
+        - deploying-decoy-files-for-ransomware-detection
+        - deploying-edr-agent-with-crowdstrike
+        - deploying-osquery-for-endpoint-monitoring
+        - deploying-palo-alto-prisma-access-zero-trust
+        - deploying-ransomware-canary-files
+        - deploying-software-defined-perimeter
+        - deploying-tailscale-for-zero-trust-vpn
+        - detecting-ai-model-prompt-injection-attacks
+        - detecting-anomalies-in-industrial-control-systems
+        - detecting-anomalous-authentication-patterns
+        - detecting-api-enumeration-attacks
+        - detecting-arp-poisoning-in-network-traffic
+        - detecting-attacks-on-historian-servers
+        - detecting-attacks-on-scada-systems
+        - detecting-aws-cloudtrail-anomalies
+        - detecting-aws-credential-exposure-with-trufflehog
+        - detecting-aws-guardduty-findings-automation
+        - detecting-aws-iam-privilege-escalation
+        - detecting-azure-lateral-movement
+        - detecting-azure-service-principal-abuse
+        - detecting-azure-storage-account-misconfigurations
+        - detecting-beaconing-patterns-with-zeek
+        - detecting-bluetooth-low-energy-attacks
+        - detecting-broken-object-property-level-authorization
+        - detecting-business-email-compromise
+        - detecting-business-email-compromise-with-ai
+        - detecting-cloud-threats-with-guardduty
+        - detecting-command-and-control-over-dns
+        - detecting-compromised-cloud-credentials
+        - detecting-container-drift-at-runtime
+        - detecting-container-escape-attempts
+        - detecting-container-escape-with-falco-rules
+        - detecting-credential-dumping-techniques
+        - detecting-cryptomining-in-cloud
+        - detecting-dcsync-attack-in-active-directory
+        - detecting-deepfake-audio-in-vishing-attacks
+        - detecting-dll-sideloading-attacks
+        - detecting-dnp3-protocol-anomalies
+        - detecting-dns-exfiltration-with-dns-query-analysis
+        - detecting-email-account-compromise
+        - detecting-email-forwarding-rules-attack
+        - detecting-evasion-techniques-in-endpoint-logs
+        - detecting-exfiltration-over-dns-with-zeek
+        - detecting-fileless-attacks-on-endpoints
+        - detecting-fileless-malware-techniques
+        - detecting-golden-ticket-attacks-in-kerberos-logs
+        - detecting-golden-ticket-forgery
+        - detecting-insider-data-exfiltration-via-dlp
+        - detecting-insider-threat-behaviors
+        - detecting-insider-threat-with-ueba
+        - detecting-kerberoasting-attacks
+        - detecting-lateral-movement-in-network
+        - detecting-lateral-movement-with-splunk
+        - detecting-lateral-movement-with-zeek
+        - detecting-living-off-the-land-attacks
+        - detecting-living-off-the-land-with-lolbas
+        - detecting-malicious-scheduled-tasks-with-sysmon
+        - detecting-mimikatz-execution-patterns
+        - detecting-misconfigured-azure-storage
+        - detecting-mobile-malware-behavior
+        - detecting-modbus-command-injection-attacks
+        - detecting-modbus-protocol-anomalies
+        - detecting-network-anomalies-with-zeek
+        - detecting-network-scanning-with-ids-signatures
+        - detecting-ntlm-relay-with-event-correlation
+        - detecting-oauth-token-theft
+        - detecting-pass-the-hash-attacks
+        - detecting-pass-the-ticket-attacks
+        - detecting-port-scanning-with-fail2ban
+        - detecting-privilege-escalation-attempts
+        - detecting-privilege-escalation-in-kubernetes-pods
+        - detecting-process-hollowing-technique
+        - detecting-process-injection-techniques
+        - detecting-qr-code-phishing-with-email-security
+        - detecting-ransomware-encryption-behavior
+        - detecting-ransomware-precursors-in-network
+        - detecting-rdp-brute-force-attacks
+        - detecting-rootkit-activity
+        - detecting-s3-data-exfiltration-attempts
+        - detecting-serverless-function-injection
+        - detecting-service-account-abuse
+        - detecting-shadow-api-endpoints
+        - detecting-shadow-it-cloud-usage
+        - detecting-spearphishing-with-email-gateway
+        - detecting-sql-injection-via-waf-logs
+        - detecting-stuxnet-style-attacks
+        - detecting-supply-chain-attacks-in-ci-cd
+        - detecting-suspicious-oauth-application-consent
+        - detecting-suspicious-powershell-execution
+        - detecting-t1003-credential-dumping-with-edr
+        - detecting-t1055-process-injection-with-sysmon
+        - detecting-t1548-abuse-elevation-control-mechanism
+        - detecting-typosquatting-packages-in-npm-pypi
+        - detecting-wmi-persistence
+        - eradicating-malware-from-infected-systems
+        - evaluating-threat-intelligence-platforms
+        - executing-active-directory-attack-simulation
+        - executing-phishing-simulation-campaign
+        - executing-red-team-engagement-planning
+        - executing-red-team-exercise
+        - exploiting-active-directory-certificate-services-esc1
+        - exploiting-active-directory-with-bloodhound
+        - exploiting-api-injection-vulnerabilities
+        - exploiting-bgp-hijacking-vulnerabilities
+        - exploiting-broken-function-level-authorization
+        - exploiting-broken-link-hijacking
+        - exploiting-constrained-delegation-abuse
+        - exploiting-deeplink-vulnerabilities
+        - exploiting-excessive-data-exposure-in-api
+        - exploiting-http-request-smuggling
+        - exploiting-idor-vulnerabilities
+        - exploiting-insecure-data-storage-in-mobile
+        - exploiting-insecure-deserialization
+        - exploiting-ipv6-vulnerabilities
+        - exploiting-jwt-algorithm-confusion-attack
+        - exploiting-kerberoasting-with-impacket
+        - exploiting-mass-assignment-in-rest-apis
+        - exploiting-ms17-010-eternalblue-vulnerability
+        - exploiting-nopac-cve-2021-42278-42287
+        - exploiting-nosql-injection-vulnerabilities
+        - exploiting-oauth-misconfiguration
+        - exploiting-prototype-pollution-in-javascript
+        - exploiting-race-condition-vulnerabilities
+        - exploiting-server-side-request-forgery
+        - exploiting-smb-vulnerabilities-with-metasploit
+        - exploiting-sql-injection-vulnerabilities
+        - exploiting-sql-injection-with-sqlmap
+        - exploiting-template-injection-vulnerabilities
+        - exploiting-type-juggling-vulnerabilities
+        - exploiting-vulnerabilities-with-metasploit-framework
+        - exploiting-websocket-vulnerabilities
+        - exploiting-zerologon-vulnerability-cve-2020-1472
+        - extracting-browser-history-artifacts
+        - extracting-config-from-agent-tesla-rat
+        - extracting-credentials-from-memory-dump
+        - extracting-iocs-from-malware-samples
+        - extracting-memory-artifacts-with-rekall
+        - extracting-windows-event-logs-artifacts
+        - generating-threat-intelligence-reports
+        - hardening-docker-containers-for-production
+        - hardening-docker-daemon-configuration
+        - hardening-linux-endpoint-with-cis-benchmark
+        - hardening-windows-endpoint-with-cis-benchmark
+        - hunting-advanced-persistent-threats
+        - hunting-credential-stuffing-attacks
+        - hunting-for-anomalous-powershell-execution
+        - hunting-for-beaconing-with-frequency-analysis
+        - hunting-for-cobalt-strike-beacons
+        - hunting-for-command-and-control-beaconing
+        - hunting-for-data-exfiltration-indicators
+        - hunting-for-data-staging-before-exfiltration
+        - hunting-for-dcom-lateral-movement
+        - hunting-for-dcsync-attacks
+        - hunting-for-defense-evasion-via-timestomping
+        - hunting-for-dns-based-persistence
+        - hunting-for-dns-tunneling-with-zeek
+        - hunting-for-domain-fronting-c2-traffic
+        - hunting-for-lateral-movement-via-wmi
+        - hunting-for-living-off-the-cloud-techniques
+        - hunting-for-living-off-the-land-binaries
+        - hunting-for-lolbins-execution-in-endpoint-logs
+        - hunting-for-ntlm-relay-attacks
+        - hunting-for-persistence-mechanisms-in-windows
+        - hunting-for-persistence-via-wmi-subscriptions
+        - hunting-for-process-injection-techniques
+        - hunting-for-registry-persistence-mechanisms
+        - hunting-for-registry-run-key-persistence
+        - hunting-for-scheduled-task-persistence
+        - hunting-for-shadow-copy-deletion
+        - hunting-for-spearphishing-indicators
+        - hunting-for-startup-folder-persistence
+        - hunting-for-supply-chain-compromise
+        - hunting-for-suspicious-scheduled-tasks
+        - hunting-for-t1098-account-manipulation
+        - hunting-for-unusual-network-connections
+        - hunting-for-unusual-service-installations
+        - hunting-for-webshell-activity
+        - implementing-aes-encryption-for-data-at-rest
+        - implementing-alert-fatigue-reduction
+        - implementing-anti-phishing-training-program
+        - implementing-anti-ransomware-group-policy
+        - implementing-api-abuse-detection-with-rate-limiting
+        - implementing-api-gateway-security-controls
+        - implementing-api-key-security-controls
+        - implementing-api-rate-limiting-and-throttling
+        - implementing-api-schema-validation-security
+        - implementing-api-security-posture-management
+        - implementing-api-security-testing-with-42crunch
+        - implementing-api-threat-protection-with-apigee
+        - implementing-application-whitelisting-with-applocker
+        - implementing-aqua-security-for-container-scanning
+        - implementing-attack-path-analysis-with-xm-cyber
+        - implementing-attack-surface-management
+        - implementing-aws-config-rules-for-compliance
+        - implementing-aws-iam-permission-boundaries
+        - implementing-aws-macie-for-data-classification
+        - implementing-aws-nitro-enclave-security
+        - implementing-aws-security-hub
+        - implementing-aws-security-hub-compliance
+        - implementing-azure-ad-privileged-identity-management
+        - implementing-azure-defender-for-cloud
+        - implementing-beyondcorp-zero-trust-access-model
+        - implementing-bgp-security-with-rpki
+        - implementing-browser-isolation-for-zero-trust
+        - implementing-canary-tokens-for-network-intrusion
+        - implementing-cisa-zero-trust-maturity-model
+        - implementing-cloud-dlp-for-data-protection
+        - implementing-cloud-security-posture-management
+        - implementing-cloud-trail-log-analysis
+        - implementing-cloud-vulnerability-posture-management
+        - implementing-cloud-waf-rules
+        - implementing-cloud-workload-protection
+        - implementing-code-signing-for-artifacts
+        - implementing-conditional-access-policies-azure-ad
+        - implementing-conduit-security-for-ot-remote-access
+        - implementing-container-image-minimal-base-with-distroless
+        - implementing-container-network-policies-with-calico
+        - implementing-continuous-security-validation-with-bas
+        - implementing-data-loss-prevention-with-microsoft-purview
+        - implementing-ddos-mitigation-with-cloudflare
+        - implementing-deception-based-detection-with-canarytoken
+        - implementing-delinea-secret-server-for-pam
+        - implementing-device-posture-assessment-in-zero-trust
+        - implementing-devsecops-security-scanning
+        - implementing-diamond-model-analysis
+        - implementing-digital-signatures-with-ed25519
+        - implementing-disk-encryption-with-bitlocker
+        - implementing-dmarc-dkim-spf-email-security
+        - implementing-dragos-platform-for-ot-monitoring
+        - implementing-ebpf-security-monitoring
+        - implementing-email-sandboxing-with-proofpoint
+        - implementing-end-to-end-encryption-for-messaging
+        - implementing-endpoint-detection-with-wazuh
+        - implementing-endpoint-dlp-controls
+        - implementing-envelope-encryption-with-aws-kms
+        - implementing-epss-score-for-vulnerability-prioritization
+        - implementing-file-integrity-monitoring-with-aide
+        - implementing-fuzz-testing-in-cicd-with-aflplusplus
+        - implementing-gcp-binary-authorization
+        - implementing-gcp-organization-policy-constraints
+        - implementing-gcp-vpc-firewall-rules
+        - implementing-gdpr-data-protection-controls
+        - implementing-gdpr-data-subject-access-request
+        - implementing-github-advanced-security-for-code-scanning
+        - implementing-google-workspace-admin-security
+        - implementing-google-workspace-phishing-protection
+        - implementing-google-workspace-sso-configuration
+        - implementing-hardware-security-key-authentication
+        - implementing-hashicorp-vault-dynamic-secrets
+        - implementing-honeypot-for-ransomware-detection
+        - implementing-honeytokens-for-breach-detection
+        - implementing-ics-firewall-with-tofino
+        - implementing-identity-governance-with-sailpoint
+        - implementing-identity-verification-for-zero-trust
+        - implementing-iec-62443-security-zones
+        - implementing-image-provenance-verification-with-cosign
+        - implementing-immutable-backup-with-restic
+        - implementing-infrastructure-as-code-security-scanning
+        - implementing-iso-27001-information-security-management
+        - implementing-just-in-time-access-provisioning
+        - implementing-jwt-signing-and-verification
+        - implementing-kubernetes-network-policy-with-calico
+        - implementing-kubernetes-pod-security-standards
+        - implementing-llm-guardrails-for-security
+        - implementing-log-forwarding-with-fluentd
+        - implementing-log-integrity-with-blockchain
+        - implementing-memory-protection-with-dep-aslr
+        - implementing-microsegmentation-with-guardicore
+        - implementing-mimecast-targeted-attack-protection
+        - implementing-mitre-attack-coverage-mapping
+        - implementing-mobile-application-management
+        - implementing-mtls-for-zero-trust-services
+        - implementing-nerc-cip-compliance-controls
+        - implementing-network-access-control
+        - implementing-network-access-control-with-cisco-ise
+        - implementing-network-deception-with-honeypots
+        - implementing-network-intrusion-prevention-with-suricata
+        - implementing-network-policies-for-kubernetes
+        - implementing-network-segmentation-for-ot
+        - implementing-network-segmentation-with-firewall-zones
+        - implementing-network-traffic-analysis-with-arkime
+        - implementing-network-traffic-baselining
+        - implementing-next-generation-firewall-with-palo-alto
+        - implementing-opa-gatekeeper-for-policy-enforcement
+        - implementing-ot-incident-response-playbook
+        - implementing-ot-network-traffic-analysis-with-nozomi
+        - implementing-pam-for-database-access
+        - implementing-passwordless-auth-with-microsoft-entra
+        - implementing-passwordless-authentication-with-fido2
+        - implementing-patch-management-for-ot-systems
+        - implementing-patch-management-workflow
+        - implementing-pci-dss-compliance-controls
+        - implementing-pod-security-admission-controller
+        - implementing-policy-as-code-with-open-policy-agent
+        - implementing-privileged-access-management-with-cyberark
+        - implementing-privileged-access-workstation
+        - implementing-privileged-session-monitoring
+        - implementing-proofpoint-email-security-gateway
+        - implementing-purdue-model-network-segmentation
+        - implementing-ransomware-backup-strategy
+        - implementing-ransomware-kill-switch-detection
+        - implementing-rapid7-insightvm-for-scanning
+        - implementing-rbac-hardening-for-kubernetes
+        - implementing-rsa-key-pair-management
+        - implementing-runtime-application-self-protection
+        - implementing-runtime-security-with-tetragon
+        - implementing-saml-sso-with-okta
+        - implementing-scim-provisioning-with-okta
+        - implementing-secret-scanning-with-gitleaks
+        - implementing-secrets-management-with-vault
+        - implementing-secrets-scanning-in-ci-cd
+        - implementing-security-chaos-engineering
+        - implementing-security-information-sharing-with-stix2
+        - implementing-security-monitoring-with-datadog
+        - implementing-semgrep-for-custom-sast-rules
+        - implementing-siem-correlation-rules-for-apt
+        - implementing-siem-use-case-tuning
+        - implementing-siem-use-cases-for-detection
+        - implementing-sigstore-for-software-signing
+        - implementing-soar-automation-with-phantom
+        - implementing-soar-playbook-for-phishing
+        - implementing-soar-playbook-with-palo-alto-xsoar
+        - implementing-stix-taxii-feed-integration
+        - implementing-supply-chain-security-with-in-toto
+        - implementing-syslog-centralization-with-rsyslog
+        - implementing-taxii-server-with-opentaxii
+        - implementing-threat-intelligence-lifecycle-management
+        - implementing-threat-modeling-with-mitre-attack
+        - implementing-ticketing-system-for-incidents
+        - implementing-usb-device-control-policy
+        - implementing-velociraptor-for-ir-collection
+        - implementing-vulnerability-management-with-greenbone
+        - implementing-vulnerability-remediation-sla
+        - implementing-vulnerability-sla-breach-alerting
+        - implementing-web-application-logging-with-modsecurity
+        - implementing-zero-knowledge-proof-for-authentication
+        - implementing-zero-standing-privilege-with-cyberark
+        - implementing-zero-trust-dns-with-nextdns
+        - implementing-zero-trust-for-saas-applications
+        - implementing-zero-trust-in-cloud
+        - implementing-zero-trust-network-access
+        - implementing-zero-trust-network-access-with-zscaler
+        - implementing-zero-trust-with-beyondcorp
+        - implementing-zero-trust-with-hashicorp-boundary
+        - integrating-dast-with-owasp-zap-in-pipeline
+        - integrating-sast-into-github-actions-pipeline
+        - intercepting-mobile-traffic-with-burpsuite
+        - investigating-insider-threat-indicators
+        - investigating-phishing-email-incident
+        - investigating-ransomware-attack-artifacts
+        - managing-cloud-identity-with-okta
+        - managing-intelligence-lifecycle
+        - mapping-mitre-attack-techniques
+        - monitoring-darkweb-sources
+        - monitoring-scada-modbus-traffic-anomalies
+        - performing-access-recertification-with-saviynt
+        - performing-access-review-and-certification
+        - performing-active-directory-bloodhound-analysis
+        - performing-active-directory-compromise-investigation
+        - performing-active-directory-forest-trust-attack
+        - performing-active-directory-penetration-test
+        - performing-active-directory-vulnerability-assessment
+        - performing-adversary-in-the-middle-phishing-detection
+        - performing-agentless-vulnerability-scanning
+        - performing-ai-driven-osint-correlation
+        - performing-alert-triage-with-elastic-siem
+        - performing-android-app-static-analysis-with-mobsf
+        - performing-api-fuzzing-with-restler
+        - performing-api-inventory-and-discovery
+        - performing-api-rate-limiting-bypass
+        - performing-api-security-testing-with-postman
+        - performing-arp-spoofing-attack-simulation
+        - performing-asset-criticality-scoring-for-vulns
+        - performing-authenticated-scan-with-openvas
+        - performing-authenticated-vulnerability-scan
+        - performing-automated-malware-analysis-with-cape
+        - performing-aws-account-enumeration-with-scout-suite
+        - performing-aws-privilege-escalation-assessment
+        - performing-bandwidth-throttling-attack-simulation
+        - performing-binary-exploitation-analysis
+        - performing-blind-ssrf-exploitation
+        - performing-bluetooth-security-assessment
+        - performing-brand-monitoring-for-impersonation
+        - performing-clickjacking-attack-test
+        - performing-cloud-asset-inventory-with-cartography
+        - performing-cloud-forensics-investigation
+        - performing-cloud-forensics-with-aws-cloudtrail
+        - performing-cloud-incident-containment-procedures
+        - performing-cloud-log-forensics-with-athena
+        - performing-cloud-native-forensics-with-falco
+        - performing-cloud-native-threat-hunting-with-aws-detective
+        - performing-cloud-penetration-testing-with-pacu
+        - performing-cloud-storage-forensic-acquisition
+        - performing-container-escape-detection
+        - performing-container-image-hardening
+        - performing-container-security-scanning-with-trivy
+        - performing-content-security-policy-bypass
+        - performing-credential-access-with-lazagne
+        - performing-cryptographic-audit-of-application
+        - performing-csrf-attack-simulation
+        - performing-cve-prioritization-with-kev-catalog
+        - performing-dark-web-monitoring-for-threats
+        - performing-deception-technology-deployment
+        - performing-directory-traversal-testing
+        - performing-disk-forensics-investigation
+        - performing-dmarc-policy-enforcement-rollout
+        - performing-dns-enumeration-and-zone-transfer
+        - performing-dns-tunneling-detection
+        - performing-docker-bench-security-assessment
+        - performing-dynamic-analysis-of-android-app
+        - performing-dynamic-analysis-with-any-run
+        - performing-endpoint-forensics-investigation
+        - performing-endpoint-vulnerability-remediation
+        - performing-entitlement-review-with-sailpoint-iiq
+        - performing-external-network-penetration-test
+        - performing-false-positive-reduction-in-siem
+        - performing-file-carving-with-foremost
+        - performing-firmware-extraction-with-binwalk
+        - performing-firmware-malware-analysis
+        - performing-fuzzing-with-aflplusplus
+        - performing-gcp-penetration-testing-with-gcpbucketbrute
+        - performing-gcp-security-assessment-with-forseti
+        - performing-graphql-depth-limit-attack
+        - performing-graphql-introspection-attack
+        - performing-graphql-security-assessment
+        - performing-hardware-security-module-integration
+        - performing-hash-cracking-with-hashcat
+        - performing-http-parameter-pollution-attack
+        - performing-ics-asset-discovery-with-claroty
+        - performing-indicator-lifecycle-management
+        - performing-initial-access-with-evilginx3
+        - performing-insider-threat-investigation
+        - performing-ioc-enrichment-automation
+        - performing-ios-app-security-assessment
+        - performing-iot-security-assessment
+        - performing-ip-reputation-analysis-with-shodan
+        - performing-jwt-none-algorithm-attack
+        - performing-kerberoasting-attack
+        - performing-kubernetes-cis-benchmark-with-kube-bench
+        - performing-kubernetes-etcd-security-assessment
+        - performing-kubernetes-penetration-testing
+        - performing-lateral-movement-detection
+        - performing-lateral-movement-with-wmiexec
+        - performing-linux-log-forensics-investigation
+        - performing-log-analysis-for-forensic-investigation
+        - performing-log-source-onboarding-in-siem
+        - performing-malware-hash-enrichment-with-virustotal
+        - performing-malware-ioc-extraction
+        - performing-malware-persistence-investigation
+        - performing-malware-triage-with-yara
+        - performing-memory-forensics-with-volatility3
+        - performing-memory-forensics-with-volatility3-plugins
+        - performing-mobile-app-certificate-pinning-bypass
+        - performing-mobile-device-forensics-with-cellebrite
+        - performing-network-forensics-with-wireshark
+        - performing-network-packet-capture-analysis
+        - performing-network-traffic-analysis-with-tshark
+        - performing-network-traffic-analysis-with-zeek
+        - performing-nist-csf-maturity-assessment
+        - performing-oauth-scope-minimization-review
+        - performing-oil-gas-cybersecurity-assessment
+        - performing-open-source-intelligence-gathering
+        - performing-osint-with-spiderfoot
+        - performing-ot-network-security-assessment
+        - performing-ot-vulnerability-assessment-with-claroty
+        - performing-ot-vulnerability-scanning-safely
+        - performing-packet-injection-attack
+        - performing-paste-site-monitoring-for-credentials
+        - performing-phishing-simulation-with-gophish
+        - performing-physical-intrusion-assessment
+        - performing-plc-firmware-security-analysis
+        - performing-post-quantum-cryptography-migration
+        - performing-power-grid-cybersecurity-assessment
+        - performing-privacy-impact-assessment
+        - performing-privilege-escalation-assessment
+        - performing-privilege-escalation-on-linux
+        - performing-privileged-account-access-review
+        - performing-privileged-account-discovery
+        - performing-purple-team-atomic-testing
+        - performing-purple-team-exercise
+        - performing-ransomware-response
+        - performing-ransomware-tabletop-exercise
+        - performing-red-team-phishing-with-gophish
+        - performing-red-team-with-covenant
+        - performing-s7comm-protocol-security-analysis
+        - performing-sca-dependency-scanning-with-snyk
+        - performing-scada-hmi-security-assessment
+        - performing-second-order-sql-injection
+        - performing-security-headers-audit
+        - performing-serverless-function-security-review
+        - performing-service-account-audit
+        - performing-service-account-credential-rotation
+        - performing-soap-web-service-security-testing
+        - performing-soc-tabletop-exercise
+        - performing-soc2-type2-audit-preparation
+        - performing-sqlite-database-forensics
+        - performing-ssl-certificate-lifecycle-management
+        - performing-ssl-stripping-attack
+        - performing-ssl-tls-inspection-configuration
+        - performing-ssl-tls-security-assessment
+        - performing-ssrf-vulnerability-exploitation
+        - performing-static-malware-analysis-with-pe-studio
+        - performing-steganography-detection
+        - performing-subdomain-enumeration-with-subfinder
+        - performing-supply-chain-attack-simulation
+        - performing-thick-client-application-penetration-test
+        - performing-threat-emulation-with-atomic-red-team
+        - performing-threat-hunting-with-elastic-siem
+        - performing-threat-hunting-with-yara-rules
+        - performing-threat-intelligence-sharing-with-misp
+        - performing-threat-landscape-assessment-for-sector
+        - performing-threat-modeling-with-owasp-threat-dragon
+        - performing-timeline-reconstruction-with-plaso
+        - performing-user-behavior-analytics
+        - performing-vlan-hopping-attack
+        - performing-vulnerability-scanning-with-nessus
+        - performing-web-application-firewall-bypass
+        - performing-web-application-penetration-test
+        - performing-web-application-scanning-with-nikto
+        - performing-web-application-vulnerability-triage
+        - performing-web-cache-deception-attack
+        - performing-web-cache-poisoning-attack
+        - performing-wifi-password-cracking-with-aircrack
+        - performing-windows-artifact-analysis-with-eric-zimmerman-tools
+        - performing-wireless-network-penetration-test
+        - performing-wireless-security-assessment-with-kismet
+        - performing-yara-rule-development-for-detection
+        - prioritizing-vulnerabilities-with-cvss-scoring
+        - processing-stix-taxii-feeds
+        - profiling-threat-actor-groups
+        - recovering-deleted-files-with-photorec
+        - recovering-from-ransomware-attack
+        - remediating-s3-bucket-misconfiguration
+        - reverse-engineering-android-malware-with-jadx
+        - reverse-engineering-dotnet-malware-with-dnspy
+        - reverse-engineering-ios-app-with-frida
+        - reverse-engineering-malware-with-ghidra
+        - reverse-engineering-ransomware-encryption-routine
+        - reverse-engineering-rust-malware
+        - scanning-container-images-with-grype
+        - scanning-containers-with-trivy-in-cicd
+        - scanning-docker-images-with-trivy
+        - scanning-infrastructure-with-nessus
+        - scanning-kubernetes-manifests-with-kubesec
+        - scanning-network-with-nmap-advanced
+        - securing-api-gateway-with-aws-waf
+        - securing-aws-iam-permissions
+        - securing-aws-lambda-execution-roles
+        - securing-azure-with-microsoft-defender
+        - securing-container-registry-images
+        - securing-container-registry-with-harbor
+        - securing-github-actions-workflows
+        - securing-helm-chart-deployments
+        - securing-historian-server-in-ot-environment
+        - securing-kubernetes-on-cloud
+        - securing-remote-access-to-ot-environment
+        - securing-serverless-functions
+        - testing-android-intents-for-vulnerabilities
+        - testing-api-authentication-weaknesses
+        - testing-api-for-broken-object-level-authorization
+        - testing-api-for-mass-assignment-vulnerability
+        - testing-api-security-with-owasp-top-10
+        - testing-cors-misconfiguration
+        - testing-for-broken-access-control
+        - testing-for-business-logic-vulnerabilities
+        - testing-for-email-header-injection
+        - testing-for-host-header-injection
+        - testing-for-json-web-token-vulnerabilities
+        - testing-for-open-redirect-vulnerabilities
+        - testing-for-sensitive-data-exposure
+        - testing-for-xml-injection-vulnerabilities
+        - testing-for-xss-vulnerabilities
+        - testing-for-xss-vulnerabilities-with-burpsuite
+        - testing-for-xxe-injection-vulnerabilities
+        - testing-jwt-token-security
+        - testing-mobile-api-authentication
+        - testing-oauth2-implementation-flaws
+        - testing-ransomware-recovery-procedures
+        - testing-websocket-api-security
+        - tracking-threat-actor-infrastructure
+        - triaging-security-alerts-in-splunk
+        - triaging-security-incident
+        - triaging-security-incident-with-ir-playbook
+        - triaging-vulnerabilities-with-ssvc-framework
+        - validating-backup-integrity-for-recovery
+    # Discovered gems from `cue discover install` — these came in earlier under
+    # the wrong upstream (mukul975/Anthropic-Cybersecurity-Skills). They actually
+    # live in separate repos, one skill per repo.
+    - repo: Zandereins/hydra
+      skills:
+        - hydra
+    - repo: elementalsouls/Claude-OSINT
+      skills:
+        - Claude-OSINT
+
+mcps:
+  - agentshield    # AgentShield scanner — audit .claude/, settings.json, mcp.json, hooks, agents (scan / scan_summary / list_rules tools)
+  - mitre-attack    # MITRE ATT&CK knowledge base — 50+ tools for techniques, tactics, threat actors, malware, navigator layers
+  - cve-search      # Public CVE-Search API (CIRCL) — vendor/product lookup, CVE-by-ID, last-30-days feed
+  # Note: shodan/virustotal/urlscan/abuseipdb need free-tier API keys.
+  # Add them to a `cybersecurity-soc` child profile that sets the env vars, e.g.:
+  #   cue new cybersecurity-soc --inherits cybersecurity
+  #   then add `- shodan`, `- virustotal`, etc.