Fix frontmatter descriptions, duplicate YAML blocks, title headings across 60 files

mukul975
2026-03-19 13:39:29 +01:00
parent b444d348f8
commit 3492302a13
60 changed files with 1108 additions and 52 deletions
@@ -15,6 +15,21 @@ license: Apache-2.0
# Analyzing API Gateway Access Logs
## When to Use
- When investigating security incidents that require analyzing api gateway access logs
- When building detection rules or threat hunting queries for this domain
- When SOC analysts need structured procedures for this analysis type
- When validating security monitoring coverage for related attack techniques
## Prerequisites
- Familiarity with security operations concepts and tools
- Access to a test or lab environment for safe execution
- Python 3.8+ with required dependencies installed
- Appropriate authorization for any testing activities
## Instructions
Parse API gateway access logs to identify attack patterns including broken object
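Review bot: the first "When to Use" bullet inserts the file slug verbatim, so it reads "analyzing api gateway access logs" with the acronym lowercased; derive it from the heading ("Analyzing API Gateway Access Logs") rather than the filename. The commit message also mentions only frontmatter descriptions, duplicate YAML blocks and title headings, yet this hunk, like every other hunk in the patch, inserts new "When to Use" and "Prerequisites" sections; the message should say so.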
@@ -15,6 +15,21 @@ license: Apache-2.0
# Analyzing Azure Activity Logs for Threats
## When to Use
- When investigating security incidents that require analyzing azure activity logs for threats
- When building detection rules or threat hunting queries for this domain
- When SOC analysts need structured procedures for this analysis type
- When validating security monitoring coverage for related attack techniques
## Prerequisites
- Familiarity with security operations concepts and tools
- Access to a test or lab environment for safe execution
- Python 3.8+ with required dependencies installed
- Appropriate authorization for any testing activities
## Instructions
Use azure-monitor-query to execute KQL queries against Azure Log Analytics workspaces,
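Review bot: "analyzing azure activity logs for threats" in the first bullet should read "Azure Activity Logs" as in the heading two lines above; the text was generated from the slug, not the title. The four prerequisites are the same boilerplate as every DFIR skill in this patch and omit what the Instructions line actually needs: a Log Analytics workspace and credentials that azure-monitor-query can authenticate with.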
@@ -16,6 +16,21 @@ license: Apache-2.0
# Analyzing Cloud Storage Access Patterns
## When to Use
- When investigating security incidents that require analyzing cloud storage access patterns
- When building detection rules or threat hunting queries for this domain
- When SOC analysts need structured procedures for this analysis type
- When validating security monitoring coverage for related attack techniques
## Prerequisites
- Familiarity with cloud security concepts and tools
- Access to a test or lab environment for safe execution
- Python 3.8+ with required dependencies installed
- Appropriate authorization for any testing activities
## Instructions
1. Install dependencies: `pip install boto3 requests`
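Review bot: "Python 3.8+ with required dependencies installed" is the only concrete prerequisite, but step 1 installs boto3, so the reader needs AWS credentials with read access to the storage access logs; state that instead of the generic "Access to a test or lab environment" line, which does not tell anyone what to arrange.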
@@ -15,6 +15,21 @@ license: Apache-2.0
# Analyzing Kubernetes Audit Logs
## When to Use
- When investigating security incidents that require analyzing kubernetes audit logs
- When building detection rules or threat hunting queries for this domain
- When SOC analysts need structured procedures for this analysis type
- When validating security monitoring coverage for related attack techniques
## Prerequisites
- Familiarity with container security concepts and tools
- Access to a test or lab environment for safe execution
- Python 3.8+ with required dependencies installed
- Appropriate authorization for any testing activities
## Instructions
Parse Kubernetes audit log files (JSON lines format) to detect security-relevant
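Review bot: "analyzing kubernetes audit logs" lowercases the product name; match the heading ("Kubernetes"). The prerequisites should also state that the cluster must have an audit policy enabled and be writing JSON-lines audit events, because the Instructions line assumes that file already exists.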
@@ -15,6 +15,21 @@ license: Apache-2.0
# Analyzing Memory Forensics with LiME and Volatility
## When to Use
- When investigating security incidents that require analyzing memory forensics with lime and volatility
- When building detection rules or threat hunting queries for this domain
- When SOC analysts need structured procedures for this analysis type
- When validating security monitoring coverage for related attack techniques
## Prerequisites
- Familiarity with security operations concepts and tools
- Access to a test or lab environment for safe execution
- Python 3.8+ with required dependencies installed
- Appropriate authorization for any testing activities
## Instructions
Acquire Linux memory using LiME kernel module, then analyze with Volatility 3
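Review bot: "analyzing memory forensics with lime and volatility" should read "LiME and Volatility", and "When building detection rules or threat hunting queries" does not describe a memory-acquisition skill. The prerequisites omit what the LiME step needs: root on the Linux host and kernel headers matching the running kernel, since the module has to be built for that kernel before it can be loaded.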
@@ -16,6 +16,21 @@ license: Apache-2.0
# Analyzing Network Flow Data with Netflow
## When to Use
- When investigating security incidents that require analyzing network flow data with netflow
- When building detection rules or threat hunting queries for this domain
- When SOC analysts need structured procedures for this analysis type
- When validating security monitoring coverage for related attack techniques
## Prerequisites
- Familiarity with network security concepts and tools
- Access to a test or lab environment for safe execution
- Python 3.8+ with required dependencies installed
- Appropriate authorization for any testing activities
## Instructions
1. Install dependencies: `pip install netflow`
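Review bot: "network flow data with netflow" lowercases "NetFlow"; use the heading's form. Apart from "Familiarity with network security concepts" the prerequisites are boilerplate; add the collector or exported flow file that the `netflow` package will parse, because `pip install netflow` on its own leaves the reader with nothing to analyze.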
@@ -16,6 +16,21 @@ license: Apache-2.0
# Analyzing PowerShell Script Block Logging
## When to Use
- When investigating security incidents that require analyzing powershell script block logging
- When building detection rules or threat hunting queries for this domain
- When SOC analysts need structured procedures for this analysis type
- When validating security monitoring coverage for related attack techniques
## Prerequisites
- Familiarity with security operations concepts and tools
- Access to a test or lab environment for safe execution
- Python 3.8+ with required dependencies installed
- Appropriate authorization for any testing activities
## Instructions
1. Install dependencies: `pip install python-evtx lxml`
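Review bot: "analyzing powershell script block logging" should be "PowerShell"; derive the bullet from the title, not the slug. Since step 1 installs python-evtx, the prerequisites should list exported Windows .evtx files from hosts with Script Block Logging (Event ID 4104) enabled.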
@@ -17,6 +17,21 @@ license: Apache-2.0
# Analyzing Threat Landscape with MISP
## When to Use
- When investigating security incidents that require analyzing threat landscape with misp
- When building detection rules or threat hunting queries for this domain
- When SOC analysts need structured procedures for this analysis type
- When validating security monitoring coverage for related attack techniques
## Prerequisites
- Familiarity with threat intelligence concepts and tools
- Access to a test or lab environment for safe execution
- Python 3.8+ with required dependencies installed
- Appropriate authorization for any testing activities
## Instructions
1. Install dependencies: `pip install pymisp`
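Review bot: "analyzing threat landscape with misp" should read "MISP". The prerequisites miss the one thing pymisp cannot work without: a reachable MISP instance URL and an API key with read access; "Access to a test or lab environment for safe execution" does not convey that.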
@@ -15,6 +15,21 @@ license: Apache-2.0
# Analyzing TLS Certificate Transparency Logs
## When to Use
- When investigating security incidents that require analyzing tls certificate transparency logs
- When building detection rules or threat hunting queries for this domain
- When SOC analysts need structured procedures for this analysis type
- When validating security monitoring coverage for related attack techniques
## Prerequisites
- Familiarity with security operations concepts and tools
- Access to a test or lab environment for safe execution
- Python 3.8+ with required dependencies installed
- Appropriate authorization for any testing activities
## Instructions
Query crt.sh Certificate Transparency database to find certificates issued for
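Review bot: "analyzing tls certificate transparency logs" should be "TLS". "Access to a test or lab environment for safe execution" is misplaced here: querying crt.sh needs outbound HTTPS access to a public service, not a lab, and that is the prerequisite worth stating.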
@@ -16,6 +16,21 @@ license: Apache-2.0
# Analyzing Web Server Logs for Intrusion
## When to Use
- When investigating security incidents that require analyzing web server logs for intrusion
- When building detection rules or threat hunting queries for this domain
- When SOC analysts need structured procedures for this analysis type
- When validating security monitoring coverage for related attack techniques
## Prerequisites
- Familiarity with security operations concepts and tools
- Access to a test or lab environment for safe execution
- Python 3.8+ with required dependencies installed
- Appropriate authorization for any testing activities
## Instructions
1. Install dependencies: `pip install geoip2 user-agents`
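Review bot: the prerequisites stop at "Python 3.8+ with required dependencies installed", but step 1 installs geoip2, which needs a MaxMind GeoIP2 or GeoLite2 .mmdb database file before it can resolve any address; add that, together with the web server log files the analysis reads.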
@@ -14,6 +14,21 @@ license: Apache-2.0
Sliver is an open-source, cross-platform adversary emulation framework developed by BishopFox, written in Go. It provides red teams with implant generation, multi-protocol C2 channels (mTLS, HTTP/S, DNS, WireGuard), multi-operator support, and extensive post-exploitation capabilities. Sliver supports beacon (asynchronous) and session (interactive) modes, making it suitable for both long-haul operations and interactive exploitation. A properly architected Sliver infrastructure uses redirectors, domain fronting, and HTTPS certificates to maintain operational resilience and avoid detection.
## When to Use
- When deploying or configuring building c2 infrastructure with sliver framework capabilities in your environment
- When establishing security controls aligned to compliance requirements
- When building or improving security architecture for this domain
- When conducting security assessments that require this implementation
## Prerequisites
- Familiarity with red teaming concepts and tools
- Access to a test or lab environment for safe execution
- Python 3.8+ with required dependencies installed
- Appropriate authorization for any testing activities
## Objectives
- Deploy a Sliver team server on hardened cloud infrastructure
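Review bot: the first bullet is a template collision, "When deploying or configuring building c2 infrastructure with sliver framework capabilities in your environment"; write it as one sentence, e.g. "When building C2 infrastructure with the Sliver framework for an authorized red team engagement". "Establishing security controls aligned to compliance requirements" does not describe a C2 framework, and "Python 3.8+" is the wrong prerequisite for a tool the description says is written in Go: list the Sliver server and client binaries and the cloud host that the Objectives line deploys to.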
@@ -17,6 +17,21 @@ license: Apache-2.0
DCSync is an attack technique that abuses the Microsoft Directory Replication Service Remote Protocol (MS-DRSR) to impersonate a Domain Controller and request password data from the target DC. The attack was introduced by Benjamin Delpy (Mimikatz author) and Vincent Le Toux, leveraging the DS-Replication-Get-Changes and DS-Replication-Get-Changes-All extended rights. Any principal (user or computer) with these rights can replicate password hashes for any account in the domain, including the KRBTGT account. With the KRBTGT hash, attackers can forge Golden Tickets for indefinite domain persistence. DCSync is categorized as MITRE ATT&CK T1003.006 and is a critical post-exploitation technique used by APT groups including APT28 (Fancy Bear), APT29 (Cozy Bear), and FIN6.
## When to Use
- When conducting security assessments that involve conducting domain persistence with dcsync
- When following incident response procedures for related security events
- When performing scheduled security testing or auditing activities
- When validating security controls through hands-on testing
## Prerequisites
- Familiarity with red teaming concepts and tools
- Access to a test or lab environment for safe execution
- Python 3.8+ with required dependencies installed
- Appropriate authorization for any testing activities
## Objectives
- Identify accounts with DCSync (replication) rights in Active Directory
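Review bot: "conducting security assessments that involve conducting domain persistence with dcsync" repeats "conducting" and lowercases DCSync; "that involve DCSync-based domain persistence" fixes both. "When following incident response procedures for related security events" is not a use case for an offensive skill; the defensive reason to use it is the first objective already listed, identifying accounts with replication rights.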
@@ -17,6 +17,21 @@ license: Apache-2.0
BloodHound Community Edition (CE) is a modern, web-based Active Directory reconnaissance platform developed by SpecterOps that uses graph theory to reveal hidden relationships and attack paths within AD environments. Unlike the legacy BloodHound application, BloodHound CE uses a PostgreSQL backend with a dedicated graph database, providing improved performance, a modern web UI, and enhanced API capabilities. Red teams use BloodHound CE to collect AD objects, ACLs, sessions, group memberships, and trust relationships, then visualize attack paths from compromised low-privileged accounts to high-value targets like Domain Admins. The SharpHound collector (v2 for CE) gathers data from Active Directory, while AzureHound collects from Azure AD / Entra ID environments.
## When to Use
- When conducting security assessments that involve conducting internal reconnaissance with bloodhound ce
- When following incident response procedures for related security events
- When performing scheduled security testing or auditing activities
- When validating security controls through hands-on testing
## Prerequisites
- Familiarity with red teaming concepts and tools
- Access to a test or lab environment for safe execution
- Python 3.8+ with required dependencies installed
- Appropriate authorization for any testing activities
## Objectives
- Deploy BloodHound CE server using Docker Compose
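Review bot: "conducting ... conducting internal reconnaissance with bloodhound ce" duplicates the verb and lowercases the product; use "BloodHound CE" as the description does. The Objectives line deploys the server with Docker Compose, so Docker belongs in the prerequisites rather than "Python 3.8+", which nothing in this skill mentions.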
@@ -17,6 +17,21 @@ license: Apache-2.0
Pass-the-Ticket (PtT) is a lateral movement technique that uses stolen Kerberos tickets (TGT or TGS) to authenticate to services without knowing the user's password. By extracting Kerberos tickets from memory (LSASS) on a compromised host, an attacker can inject those tickets into their own session to impersonate the ticket owner and access resources as that user.
## When to Use
- When conducting security assessments that involve conducting pass the ticket attack
- When following incident response procedures for related security events
- When performing scheduled security testing or auditing activities
- When validating security controls through hands-on testing
## Prerequisites
- Familiarity with red teaming concepts and tools
- Access to a test or lab environment for safe execution
- Python 3.8+ with required dependencies installed
- Appropriate authorization for any testing activities
## MITRE ATT&CK Mapping
- **T1550.003** - Use Alternate Authentication Material: Pass the Ticket
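Review bot: "conducting security assessments that involve conducting pass the ticket attack" is a template glitch; "that involve Pass-the-Ticket" matches the description's own spelling and drops the repeated verb. "When following incident response procedures" is boilerplate for an attack skill; the IR-relevant reading is recognising PtT indicators, which the MITRE mapping below supports, so say that.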
@@ -17,6 +17,21 @@ license: Apache-2.0
Spearphishing simulation is a targeted social engineering attack vector used by red teams to gain initial access. Unlike broad phishing campaigns, spearphishing uses OSINT-derived intelligence to craft highly personalized messages targeting specific individuals. This skill covers developing pretexts, building payloads, setting up email infrastructure, executing the campaign, and tracking results.
## When to Use
- When conducting security assessments that involve conducting spearphishing simulation campaign
- When following incident response procedures for related security events
- When performing scheduled security testing or auditing activities
- When validating security controls through hands-on testing
## Prerequisites
- Familiarity with red teaming concepts and tools
- Access to a test or lab environment for safe execution
- Python 3.8+ with required dependencies installed
- Appropriate authorization for any testing activities
## Objectives
- Develop convincing pretexts tailored to specific target personnel
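Review bot: "that involve conducting spearphishing simulation campaign" repeats "conducting" and is missing an article; "that involve a spearphishing simulation campaign" fixes both. "Performing scheduled security testing or auditing activities" and "following incident response procedures" are the generic red-team bullets, while the description already states the real use: authorized initial-access simulation with OSINT-derived pretexts.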
@@ -24,6 +24,21 @@ Microsegmentation divides a network into granular security zones, enforcing leas
This skill covers designing microsegmentation policies using workload identity, implementing host-based and network-based enforcement, and validating segmentation effectiveness with tools like Illumio Core and VMware NSX.
## When to Use
- When deploying or configuring configuring microsegmentation for zero trust capabilities in your environment
- When establishing security controls aligned to compliance requirements
- When building or improving security architecture for this domain
- When conducting security assessments that require this implementation
## Prerequisites
- Familiarity with zero trust architecture concepts and tools
- Access to a test or lab environment for safe execution
- Python 3.8+ with required dependencies installed
- Appropriate authorization for any testing activities
## Architecture
### Microsegmentation Models
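Review bot: "When deploying or configuring configuring microsegmentation for zero trust capabilities in your environment" doubles "configuring"; "When configuring microsegmentation for zero trust" is enough. "Python 3.8+ with required dependencies installed" does not fit a skill whose enforcement points are Illumio Core and VMware NSX; the prerequisite is administrative access to one of those platforms or to host firewalls.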
@@ -13,6 +13,21 @@ license: Apache-2.0
## Overview
Deploy Cisco Duo multi-factor authentication across enterprise applications, VPN, RDP, and SSH access points. This skill covers Duo integration methods, adaptive authentication policies, device trust assessment, and phishing-resistant MFA deployment aligned with NIST 800-63B AAL2/AAL3 requirements.
## When to Use
- When deploying or configuring configuring multi factor authentication with duo capabilities in your environment
- When establishing security controls aligned to compliance requirements
- When building or improving security architecture for this domain
- When conducting security assessments that require this implementation
## Prerequisites
- Familiarity with identity access management concepts and tools
- Access to a test or lab environment for safe execution
- Python 3.8+ with required dependencies installed
- Appropriate authorization for any testing activities
## Objectives
- Configure Duo MFA for VPN, RDP, SSH, and web applications
- Implement adaptive access policies based on user, device, and network context
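Review bot: "configuring configuring multi factor authentication with duo" doubles the verb and drops the hyphen and capitals of "multi-factor authentication with Duo". Python is not a prerequisite for a Duo rollout; a Duo Admin Panel account and the integration keys for the VPN, RDP and SSH integrations listed in the Objectives are.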
@@ -13,6 +13,21 @@ license: Apache-2.0
## Overview
Configure secure OAuth 2.0 authorization flows including Authorization Code with PKCE, Client Credentials, and Device Authorization Grant. This skill covers flow selection, PKCE implementation, token lifecycle management, scope design, and alignment with OAuth 2.1 security requirements.
## When to Use
- When deploying or configuring configuring oauth2 authorization flow capabilities in your environment
- When establishing security controls aligned to compliance requirements
- When building or improving security architecture for this domain
- When conducting security assessments that require this implementation
## Prerequisites
- Familiarity with identity access management concepts and tools
- Access to a test or lab environment for safe execution
- Python 3.8+ with required dependencies installed
- Appropriate authorization for any testing activities
## Objectives
- Implement Authorization Code flow with PKCE for public and confidential clients
- Configure Client Credentials flow for machine-to-machine communication
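Review bot: "deploying or configuring configuring oauth2 authorization flow capabilities" should read "When configuring OAuth 2.0 authorization flows", matching the description's "OAuth 2.0". The prerequisites should name an authorization server to register clients against rather than the boilerplate lab line.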
@@ -14,6 +14,21 @@ license: Apache-2.0
TLS 1.3 (RFC 8446) is the latest version of the Transport Layer Security protocol, providing significant improvements over TLS 1.2 in both security and performance. It reduces handshake latency to 1-RTT (and 0-RTT for resumed sessions), removes obsolete cipher suites, and mandates perfect forward secrecy. This skill covers configuring TLS 1.3 on servers, validating configurations, and testing for common misconfigurations.
## When to Use
- When deploying or configuring configuring tls 1 3 for secure communications capabilities in your environment
- When establishing security controls aligned to compliance requirements
- When building or improving security architecture for this domain
- When conducting security assessments that require this implementation
## Prerequisites
- Familiarity with cryptography concepts and tools
- Access to a test or lab environment for safe execution
- Python 3.8+ with required dependencies installed
- Appropriate authorization for any testing activities
## Objectives
- Configure TLS 1.3 on nginx and Apache web servers
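Review bot: "configuring tls 1 3 for secure communications" is the slug with its hyphens turned into spaces, so "TLS 1.3" became "tls 1 3"; fix the bullet to the protocol name. The skill configures nginx and Apache, so the prerequisites should name those servers (and openssl for validating the handshake) instead of "Python 3.8+".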
@@ -24,6 +24,21 @@ A Software-Defined Perimeter (SDP) implements zero trust by creating a dynamical
This skill covers deploying SDP using the CSA v2.0 specification, implementing Single Packet Authorization (SPA), configuring the SDP controller and gateway, and validating the deployment against NIST SP 800-207 requirements.
## When to Use
- When deploying or configuring deploying software defined perimeter capabilities in your environment
- When establishing security controls aligned to compliance requirements
- When building or improving security architecture for this domain
- When conducting security assessments that require this implementation
## Prerequisites
- Familiarity with zero trust architecture concepts and tools
- Access to a test or lab environment for safe execution
- Python 3.8+ with required dependencies installed
- Appropriate authorization for any testing activities
## Architecture
### SDP Components (CSA Specification)
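Review bot: "When deploying or configuring deploying software defined perimeter capabilities" repeats "deploying" and should hyphenate "Software-Defined Perimeter" as the description does. The Python prerequisite is not tied to anything in the SDP controller and gateway architecture that follows.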
@@ -15,6 +15,21 @@ license: Apache-2.0
# Detecting Beaconing Patterns with Zeek
## When to Use
- When investigating security incidents that require detecting beaconing patterns with zeek
- When building detection rules or threat hunting queries for this domain
- When SOC analysts need structured procedures for this analysis type
- When validating security monitoring coverage for related attack techniques
## Prerequisites
- Familiarity with security operations concepts and tools
- Access to a test or lab environment for safe execution
- Python 3.8+ with required dependencies installed
- Appropriate authorization for any testing activities
## Instructions
Load Zeek conn.log data using ZAT (Zeek Analysis Tools), group connections by
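Review bot: "detecting beaconing patterns with zeek" should be "Zeek". The Instructions line depends on a conn.log produced by Zeek and parsed with ZAT; list Zeek (or an exported conn.log) as a prerequisite rather than the generic lab line.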
@@ -15,6 +15,21 @@ license: Apache-2.0
# Detecting Insider Data Exfiltration via DLP
## When to Use
- When investigating security incidents that require detecting insider data exfiltration via dlp
- When building detection rules or threat hunting queries for this domain
- When SOC analysts need structured procedures for this analysis type
- When validating security monitoring coverage for related attack techniques
## Prerequisites
- Familiarity with security operations concepts and tools
- Access to a test or lab environment for safe execution
- Python 3.8+ with required dependencies installed
- Appropriate authorization for any testing activities
## Instructions
Analyze endpoint activity logs, cloud storage access, and email DLP events to detect
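Review bot: "detecting insider data exfiltration via dlp" lowercases the acronym; use "DLP". The prerequisites should name the log sources the Instructions line consumes (endpoint activity logs, cloud storage access logs and email DLP events), since none of the four boilerplate lines does.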
@@ -17,6 +17,21 @@ license: Apache-2.0
# Detecting SQL Injection via WAF Logs
## When to Use
- When investigating security incidents that require detecting sql injection via waf logs
- When building detection rules or threat hunting queries for this domain
- When SOC analysts need structured procedures for this analysis type
- When validating security monitoring coverage for related attack techniques
## Prerequisites
- Familiarity with security operations concepts and tools
- Access to a test or lab environment for safe execution
- Python 3.8+ with required dependencies installed
- Appropriate authorization for any testing activities
## Instructions
1. Install dependencies: `pip install requests`
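Review bot: "detecting sql injection via waf logs" should read "SQL injection via WAF logs". The only dependency installed is requests, so the real prerequisite is API or export access to the WAF's logs; "Access to a test or lab environment for safe execution" does not say that.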
@@ -15,6 +15,21 @@ license: Apache-2.0
# Detecting Supply Chain Attacks in CI/CD
## When to Use
- When investigating security incidents that require detecting supply chain attacks in ci cd
- When building detection rules or threat hunting queries for this domain
- When SOC analysts need structured procedures for this analysis type
- When validating security monitoring coverage for related attack techniques
## Prerequisites
- Familiarity with security operations concepts and tools
- Access to a test or lab environment for safe execution
- Python 3.8+ with required dependencies installed
- Appropriate authorization for any testing activities
## Instructions
Scan CI/CD workflow files for supply chain risks by parsing GitHub Actions YAML,
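Review bot: "detecting supply chain attacks in ci cd" lost the slash from "CI/CD"; fix the bullet text. The prerequisite to state is read access to the repository's GitHub Actions workflow files, which the Instructions line scans.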
@@ -14,6 +14,21 @@ license: Apache-2.0
Red team engagement planning is the foundational phase that defines scope, objectives, rules of engagement (ROE), threat model selection, and operational timelines before any offensive testing begins. A well-structured engagement plan ensures the red team simulates realistic adversary behavior while maintaining safety guardrails that prevent unintended business disruption.
## When to Use
- When conducting security assessments that involve executing red team engagement planning
- When following incident response procedures for related security events
- When performing scheduled security testing or auditing activities
- When validating security controls through hands-on testing
## Prerequisites
- Familiarity with red teaming concepts and tools
- Access to a test or lab environment for safe execution
- Python 3.8+ with required dependencies installed
- Appropriate authorization for any testing activities
## Objectives
- Define clear engagement scope including in-scope and out-of-scope assets, networks, and personnel
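Review bot: "that involve executing red team engagement planning" is awkward, since planning is not executed; "that involve red team engagement planning" is enough. "Python 3.8+ with required dependencies installed" and "Access to a test or lab environment for safe execution" are meaningless for a scoping and ROE skill; the prerequisites here are stakeholder sign-off on scope and a chosen threat model, both of which the description names.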
@@ -14,6 +14,21 @@ license: Apache-2.0
ESC1 (Escalation Scenario 1) is a critical misconfiguration in Active Directory Certificate Services where a certificate template allows a low-privileged user to request a certificate on behalf of any other user, including Domain Admins. The vulnerability exists when a template has the CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT flag enabled (also called "Supply in Request"), combined with an Extended Key Usage (EKU) that permits client authentication (Client Authentication, PKINIT Client Authentication, Smart Card Logon, or Any Purpose). This allows an attacker to specify an arbitrary Subject Alternative Name (SAN) in the certificate request, effectively impersonating any domain user. ESC1 was documented by SpecterOps researchers Will Schroeder and Lee Christensen in their "Certified Pre-Owned" whitepaper (2021) and remains one of the most common AD CS attack paths. The MITRE ATT&CK framework tracks this as T1649 (Steal or Forge Authentication Certificates).
## When to Use
- When performing authorized security testing that involves exploiting active directory certificate services esc1
- When analyzing malware samples or attack artifacts in a controlled environment
- When conducting red team exercises or penetration testing engagements
- When building detection capabilities based on offensive technique understanding
## Prerequisites
- Familiarity with red teaming concepts and tools
- Access to a test or lab environment for safe execution
- Python 3.8+ with required dependencies installed
- Appropriate authorization for any testing activities
## Objectives
- Enumerate AD CS infrastructure and certificate templates using Certify or Certipy
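Review bot: "exploiting active directory certificate services esc1" is the lowercased slug; write "AD CS ESC1". "When analyzing malware samples or attack artifacts" does not apply to a certificate-template misconfiguration; the fourth bullet (building detection from technique understanding) is the defensive use worth keeping. The prerequisites should include a lab domain with an enterprise CA, which the Certify/Certipy enumeration in the Objectives requires.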
@@ -17,6 +17,21 @@ license: Apache-2.0
BloodHound is a graph-based Active Directory reconnaissance tool that uses graph theory to reveal hidden and unintended relationships within AD environments. Red teams use BloodHound to identify attack paths from compromised accounts to high-value targets such as Domain Admins, identifying privilege escalation chains that would be nearly impossible to find manually. SharpHound is the official data collector that gathers AD objects, relationships, ACLs, sessions, and group memberships.
## When to Use
- When performing authorized security testing that involves exploiting active directory with bloodhound
- When analyzing malware samples or attack artifacts in a controlled environment
- When conducting red team exercises or penetration testing engagements
- When building detection capabilities based on offensive technique understanding
## Prerequisites
- Familiarity with red teaming concepts and tools
- Access to a test or lab environment for safe execution
- Python 3.8+ with required dependencies installed
- Appropriate authorization for any testing activities
## Objectives
- Collect Active Directory relationship data using SharpHound or BloodHound.py
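Review bot: "exploiting active directory with bloodhound" carries the template verb and labels a reconnaissance tool as exploitation; "performing authorized security testing that uses BloodHound for AD reconnaissance" matches the description. The malware-analysis bullet is boilerplate that does not fit this skill.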
@@ -17,6 +17,21 @@ license: Apache-2.0
Kerberos Constrained Delegation (KCD) is a Windows Active Directory feature that allows a service to impersonate a user and access specific services on their behalf. The delegation targets are defined in the msDS-AllowedToDelegateTo attribute. When an attacker compromises an account configured with Constrained Delegation (particularly with the TRUSTED_TO_AUTH_FOR_DELEGATION flag), they can use the S4U2self and S4U2proxy Kerberos protocol extensions to request service tickets as any user (including Domain Admins) to the delegated services. If the delegation target includes services like CIFS, HTTP, or LDAP on a Domain Controller, this results in full domain compromise. The S4U2self extension requests a forwardable ticket on behalf of any user to the compromised service, and S4U2proxy forwards that ticket to the allowed delegation target.
## When to Use
- When performing authorized security testing that involves exploiting constrained delegation abuse
- When analyzing malware samples or attack artifacts in a controlled environment
- When conducting red team exercises or penetration testing engagements
- When building detection capabilities based on offensive technique understanding
## Prerequisites
- Familiarity with red teaming concepts and tools
- Access to a test or lab environment for safe execution
- Python 3.8+ with required dependencies installed
- Appropriate authorization for any testing activities
## Objectives
- Enumerate accounts with Constrained Delegation configured in the domain
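Review bot: "exploiting constrained delegation abuse" repeats the template verb, and "Constrained Delegation" should keep the capitals used in the description. The "analyzing malware samples" bullet is irrelevant; what belongs in the prerequisites is a lab domain with an account that has msDS-AllowedToDelegateTo populated, since the Objectives start by enumerating such accounts.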
@@ -14,6 +14,21 @@ license: Apache-2.0
MS17-010 (EternalBlue) is a critical vulnerability in Microsoft's SMBv1 implementation that allows remote code execution. Originally discovered by the NSA and leaked by the Shadow Brokers in 2017, it was used in the WannaCry and NotPetya ransomware campaigns. Despite patches being available since March 2017, many organizations still have unpatched systems, making it a viable red team exploitation vector especially in legacy environments.
## When to Use
- When performing authorized security testing that involves exploiting ms17 010 eternalblue vulnerability
- When analyzing malware samples or attack artifacts in a controlled environment
- When conducting red team exercises or penetration testing engagements
- When building detection capabilities based on offensive technique understanding
## Prerequisites
- Familiarity with red teaming concepts and tools
- Access to a test or lab environment for safe execution
- Python 3.8+ with required dependencies installed
- Appropriate authorization for any testing activities
## MITRE ATT&CK Mapping
- **T1210** - Exploitation of Remote Services
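Review bot: "exploiting ms17 010 eternalblue vulnerability" garbles the bulletin ID; write "MS17-010 (EternalBlue)" as the description does. The prerequisites should say the target is an isolated lab host, because the description itself notes patches have existed since March 2017 and nothing outside a lab should still be exposed.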
@@ -17,6 +17,21 @@ license: Apache-2.0
noPac is a critical exploit chain combining two Active Directory vulnerabilities: CVE-2021-42278 (sAMAccountName spoofing) and CVE-2021-42287 (KDC PAC confusion). Together, they allow any authenticated domain user to escalate to Domain Admin privileges, potentially achieving full domain compromise in under 60 seconds. CVE-2021-42278 allows an attacker to modify a machine account's sAMAccountName attribute to match a Domain Controller's name (minus the trailing $). CVE-2021-42287 exploits a flaw in the Kerberos PAC validation where the KDC, unable to find the renamed account, falls back to appending $ and issues a ticket for the Domain Controller account. Microsoft patched both vulnerabilities in November 2021 (KB5008380 and KB5008602), but many environments remain unpatched. The exploit was publicly released by cube0x0 and Ridter in December 2021.
## When to Use
- When performing authorized security testing that involves exploiting nopac cve 2021 42278 42287
- When analyzing malware samples or attack artifacts in a controlled environment
- When conducting red team exercises or penetration testing engagements
- When building detection capabilities based on offensive technique understanding
## Prerequisites
- Familiarity with red teaming concepts and tools
- Access to a test or lab environment for safe execution
- Python 3.8+ with required dependencies installed
- Appropriate authorization for any testing activities
## Objectives
- Scan the target domain for noPac vulnerability (CVE-2021-42278/42287)
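Review bot: "exploiting nopac cve 2021 42278 42287" lost the hyphens and capitals of "noPac (CVE-2021-42278/42287)", which the Objectives line spells correctly; fix the bullet. The prerequisites should note that the lab domain must be deliberately missing KB5008380 and KB5008602 from the description, otherwise the scan objective has nothing to find.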
@@ -15,6 +15,21 @@ license: Apache-2.0
# Extracting Memory Artifacts with Rekall
## When to Use
- When performing authorized security testing that involves extracting memory artifacts with rekall
- When analyzing malware samples or attack artifacts in a controlled environment
- When conducting red team exercises or penetration testing engagements
- When building detection capabilities based on offensive technique understanding
## Prerequisites
- Familiarity with security operations concepts and tools
- Access to a test or lab environment for safe execution
- Python 3.8+ with required dependencies installed
- Appropriate authorization for any testing activities
## Instructions
Use Rekall to analyze memory dumps for signs of compromise including process
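Review bot: the wrong template was applied to this hunk: "When performing authorized security testing" and "analyzing malware samples" are the offensive-skill bullets, while the first prerequisite says "Familiarity with security operations concepts". A memory-forensics skill should use the DFIR bullets ("When investigating security incidents ...") as the LiME/Volatility hunk does, and "rekall" should be "Rekall".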
@@ -15,6 +15,21 @@ license: Apache-2.0
# Hunting Credential Stuffing Attacks
## When to Use
- When investigating security incidents that require hunting credential stuffing attacks
- When building detection rules or threat hunting queries for this domain
- When SOC analysts need structured procedures for this analysis type
- When validating security monitoring coverage for related attack techniques
## Prerequisites
- Familiarity with security operations concepts and tools
- Access to a test or lab environment for safe execution
- Python 3.8+ with required dependencies installed
- Appropriate authorization for any testing activities
## Instructions
Analyze authentication logs to detect credential stuffing by identifying patterns
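Review bot: the bullets and prerequisites are the DFIR template unchanged; the Instructions line needs authentication logs, so the prerequisite to state is access to those logs (identity provider, VPN or web application sign-in events) rather than "Python 3.8+ with required dependencies installed".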
@@ -14,6 +14,21 @@ license: Apache-2.0
AES (Advanced Encryption Standard) is a symmetric block cipher standardized by NIST (FIPS 197) used to protect classified and sensitive data. This skill covers implementing AES-256 encryption in GCM mode for encrypting files and data stores at rest, including proper key derivation, IV/nonce management, and authenticated encryption.
## When to Use
- When deploying or configuring implementing aes encryption for data at rest capabilities in your environment
- When establishing security controls aligned to compliance requirements
- When building or improving security architecture for this domain
- When conducting security assessments that require this implementation
## Prerequisites
- Familiarity with cryptography concepts and tools
- Access to a test or lab environment for safe execution
- Python 3.8+ with required dependencies installed
- Appropriate authorization for any testing activities
## Objectives
- Implement AES-256-GCM encryption and decryption for files
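Review bot: the first bullet, "When deploying or configuring implementing aes encryption for data at rest capabilities in your environment", is the page title pasted into a template and does not parse; write it as the concrete case the Objectives describe, e.g. "When encrypting files or data stores at rest with AES-256-GCM", and keep "AES" uppercase. In Prerequisites, "Appropriate authorization for any testing activities" does not apply to an implementation skill; what a reader actually needs is the AES-GCM library the Python code relies on (e.g. `cryptography`), which the template leaves unnamed.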
@@ -15,6 +15,21 @@ license: Apache-2.0
# Implementing Cloud Workload Protection
## When to Use
- When deploying or configuring implementing cloud workload protection capabilities in your environment
- When establishing security controls aligned to compliance requirements
- When building or improving security architecture for this domain
- When conducting security assessments that require this implementation
## Prerequisites
- Familiarity with cloud security concepts and tools
- Access to a test or lab environment for safe execution
- Python 3.8+ with required dependencies installed
- Appropriate authorization for any testing activities
## Instructions
Monitor cloud workloads for runtime threats by checking process lists, network
@@ -15,6 +15,21 @@ license: Apache-2.0
# Implementing Honeytokens for Breach Detection
## When to Use
- When deploying or configuring implementing honeytokens for breach detection capabilities in your environment
- When establishing security controls aligned to compliance requirements
- When building or improving security architecture for this domain
- When conducting security assessments that require this implementation
## Prerequisites
- Familiarity with security operations concepts and tools
- Access to a test or lab environment for safe execution
- Python 3.8+ with required dependencies installed
- Appropriate authorization for any testing activities
## Instructions
Deploy honeytokens across critical systems to detect unauthorized access. Each token
@@ -24,6 +24,21 @@ Identity is the foundational pillar of zero trust architecture. NIST SP 800-207
This skill covers implementing phishing-resistant MFA, continuous identity verification, risk-based conditional access, and identity governance aligned with the CISA Zero Trust Maturity Model Identity Pillar.
## When to Use
- When deploying or configuring implementing identity verification for zero trust capabilities in your environment
- When establishing security controls aligned to compliance requirements
- When building or improving security architecture for this domain
- When conducting security assessments that require this implementation
## Prerequisites
- Familiarity with zero trust architecture concepts and tools
- Access to a test or lab environment for safe execution
- Python 3.8+ with required dependencies installed
- Appropriate authorization for any testing activities
## Architecture
### Identity Verification Flow
@@ -13,6 +13,21 @@ license: Apache-2.0
## Overview
Implement Just-In-Time (JIT) access provisioning to eliminate standing privileges by granting temporary, time-bound access only when needed. This skill covers JIT architecture design, approval workflows, automatic expiration, integration with PAM and IGA platforms, and alignment with zero trust principles.
## When to Use
- When deploying or configuring implementing just in time access provisioning capabilities in your environment
- When establishing security controls aligned to compliance requirements
- When building or improving security architecture for this domain
- When conducting security assessments that require this implementation
## Prerequisites
- Familiarity with identity access management concepts and tools
- Access to a test or lab environment for safe execution
- Python 3.8+ with required dependencies installed
- Appropriate authorization for any testing activities
## Objectives
- Design JIT access request and approval workflows
- Implement time-bound access grants with automatic expiration
@@ -17,6 +17,21 @@ license: Apache-2.0
# Implementing Log Integrity with Blockchain
## When to Use
- When deploying or configuring implementing log integrity with blockchain capabilities in your environment
- When establishing security controls aligned to compliance requirements
- When building or improving security architecture for this domain
- When conducting security assessments that require this implementation
## Prerequisites
- Familiarity with security operations concepts and tools
- Access to a test or lab environment for safe execution
- Python 3.8+ with required dependencies installed
- Appropriate authorization for any testing activities
## Instructions
1. Install dependencies: `pip install requests`
@@ -15,6 +15,21 @@ license: Apache-2.0
# Implementing mTLS for Zero Trust Services
## When to Use
- When deploying or configuring implementing mtls for zero trust services capabilities in your environment
- When establishing security controls aligned to compliance requirements
- When building or improving security architecture for this domain
- When conducting security assessments that require this implementation
## Prerequisites
- Familiarity with security operations concepts and tools
- Access to a test or lab environment for safe execution
- Python 3.8+ with required dependencies installed
- Appropriate authorization for any testing activities
## Instructions
Generate CA certificates, issue service certificates, and configure mutual TLS
@@ -17,6 +17,21 @@ license: Apache-2.0
# Implementing Network Traffic Analysis with Arkime
## When to Use
- When deploying or configuring implementing network traffic analysis with arkime capabilities in your environment
- When establishing security controls aligned to compliance requirements
- When building or improving security architecture for this domain
- When conducting security assessments that require this implementation
## Prerequisites
- Familiarity with network security concepts and tools
- Access to a test or lab environment for safe execution
- Python 3.8+ with required dependencies installed
- Appropriate authorization for any testing activities
## Instructions
1. Install dependencies: `pip install requests`
@@ -13,6 +13,21 @@ license: Apache-2.0
## Overview
Deploy CyberArk Privileged Access Management to discover, vault, rotate, and monitor privileged credentials across enterprise infrastructure. This skill covers vault architecture, session isolation, credential rotation policies, and integration with NIST 800-53 access control requirements.
## When to Use
- When deploying or configuring implementing privileged access management with cyberark capabilities in your environment
- When establishing security controls aligned to compliance requirements
- When building or improving security architecture for this domain
- When conducting security assessments that require this implementation
## Prerequisites
- Familiarity with identity access management concepts and tools
- Access to a test or lab environment for safe execution
- Python 3.8+ with required dependencies installed
- Appropriate authorization for any testing activities
## Objectives
- Design CyberArk vault architecture with high availability
- Implement automated privileged credential discovery and onboarding
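Review bot: "Python 3.8+ with required dependencies installed" is template text that nothing in the visible Overview or Objectives (vault architecture, HA, credential discovery and rotation) supports; the real prerequisites for this skill, a CyberArk vault/PVWA environment and an administrative account for it, are missing. Also "cyberark" in the first bullet is the lowercased title; keep the product name as "CyberArk".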
@@ -13,6 +13,21 @@ license: Apache-2.0
## Overview
Implement SAML 2.0 Single Sign-On (SSO) using Okta as the Identity Provider (IdP). This skill covers end-to-end configuration of SAML authentication flows, attribute mapping, certificate management, and security hardening for enterprise SSO deployments.
## When to Use
- When deploying or configuring implementing saml sso with okta capabilities in your environment
- When establishing security controls aligned to compliance requirements
- When building or improving security architecture for this domain
- When conducting security assessments that require this implementation
## Prerequisites
- Familiarity with identity access management concepts and tools
- Access to a test or lab environment for safe execution
- Python 3.8+ with required dependencies installed
- Appropriate authorization for any testing activities
## Objectives
- Configure Okta as a SAML 2.0 Identity Provider
- Implement SP-initiated and IdP-initiated SSO flows
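Review bot: the first bullet lowercases the acronyms ("implementing saml sso with okta"); keep "SAML SSO" and "Okta". The Prerequisites should name an Okta admin tenant and a test service provider, which the Objectives (configuring Okta as IdP, SP-initiated and IdP-initiated flows) presuppose, rather than the generic Python and lab-environment lines.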
@@ -15,6 +15,21 @@ license: Apache-2.0
# Implementing Security Chaos Engineering
## When to Use
- When deploying or configuring implementing security chaos engineering capabilities in your environment
- When establishing security controls aligned to compliance requirements
- When building or improving security architecture for this domain
- When conducting security assessments that require this implementation
## Prerequisites
- Familiarity with security operations concepts and tools
- Access to a test or lab environment for safe execution
- Python 3.8+ with required dependencies installed
- Appropriate authorization for any testing activities
## Instructions
Design and execute security chaos experiments that intentionally break security
@@ -16,6 +16,21 @@ license: Apache-2.0
# Implementing SIEM Correlation Rules for APT
## When to Use
- When deploying or configuring implementing siem correlation rules for apt capabilities in your environment
- When establishing security controls aligned to compliance requirements
- When building or improving security architecture for this domain
- When conducting security assessments that require this implementation
## Prerequisites
- Familiarity with security operations concepts and tools
- Access to a test or lab environment for safe execution
- Python 3.8+ with required dependencies installed
- Appropriate authorization for any testing activities
## Instructions
1. Install dependencies: `pip install requests pyyaml sigma-cli`
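Review bot: "siem" and "apt" in the first bullet are lowercased acronyms from the title string; keep "SIEM" and "APT". The Prerequisites line "Python 3.8+ with required dependencies installed" should name what the Instructions actually install (`requests pyyaml sigma-cli`), and the bullet "When deploying or configuring implementing siem correlation rules for apt capabilities" needs rewording into a sentence, e.g. "When writing or tuning SIEM correlation rules for APT tradecraft".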
@@ -16,6 +16,21 @@ license: Apache-2.0
# Implementing Syslog Centralization with Rsyslog
## When to Use
- When deploying or configuring implementing syslog centralization with rsyslog capabilities in your environment
- When establishing security controls aligned to compliance requirements
- When building or improving security architecture for this domain
- When conducting security assessments that require this implementation
## Prerequisites
- Familiarity with security operations concepts and tools
- Access to a test or lab environment for safe execution
- Python 3.8+ with required dependencies installed
- Appropriate authorization for any testing activities
## Instructions
1. Install dependencies: `pip install jinja2 paramiko`
@@ -1,61 +1,232 @@
#!/usr/bin/env python3
"""Vulnerability remediation SLA tracking."""
import argparse, json
from datetime import datetime, timezone
try:
import requests
except ImportError:
requests = None
"""Vulnerability remediation SLA tracking agent.
def audit_config(target, token):
findings = []
if not requests: return [{"error": "requests required"}]
headers = {"Authorization": f"Bearer {token}"}
try:
resp = requests.get(f"{target}/api/v1/status", headers=headers, timeout=10)
if resp.status_code == 200:
data = resp.json()
if not data.get("enabled", True):
findings.append({"check": "Service Status", "status": "DISABLED", "severity": "CRITICAL"})
elif resp.status_code == 401:
findings.append({"check": "Authentication", "status": "UNAUTHORIZED", "severity": "HIGH"})
except requests.RequestException as e:
findings.append({"error": str(e)})
return findings
Tracks vulnerability remediation against defined SLA targets based on
severity. Ingests vulnerability data from scanners (JSON/CSV format),
calculates SLA compliance, identifies overdue items, and generates
remediation priority reports.
"""
import argparse
import csv
import json
import os
import sys
from datetime import datetime, timezone, timedelta
DEFAULT_SLA_DAYS = {
"CRITICAL": 7,
"HIGH": 30,
"MEDIUM": 90,
"LOW": 180,
}
def load_vulnerabilities(source_path):
"""Load vulnerabilities from a JSON or CSV file."""
ext = os.path.splitext(source_path)[1].lower()
if ext == ".json":
with open(source_path, "r") as f:
data = json.load(f)
if isinstance(data, list):
return data
return data.get("vulnerabilities", data.get("findings", data.get("results", [])))
elif ext == ".csv":
vulns = []
with open(source_path, "r", newline="") as f:
reader = csv.DictReader(f)
for row in reader:
vulns.append(row)
return vulns
else:
print(f"[!] Unsupported file format: {ext}", file=sys.stderr)
return []
def normalize_vulnerability(vuln):
"""Normalize vulnerability fields from various scanner formats."""
return {
"id": (vuln.get("id") or vuln.get("vulnerability_id") or
vuln.get("cve_id") or vuln.get("CVE") or vuln.get("plugin_id") or "unknown"),
"severity": (vuln.get("severity") or vuln.get("risk") or
vuln.get("Severity") or "MEDIUM").upper(),
"title": (vuln.get("title") or vuln.get("name") or
vuln.get("vulnerability_name") or vuln.get("Title") or "Unknown"),
"asset": (vuln.get("asset") or vuln.get("host") or
vuln.get("ip") or vuln.get("hostname") or "unknown"),
"discovered_date": (vuln.get("discovered_date") or vuln.get("first_found") or
vuln.get("discovered") or vuln.get("date_found") or
datetime.now(timezone.utc).isoformat()),
"status": (vuln.get("status") or vuln.get("state") or "open").lower(),
"remediation": (vuln.get("remediation") or vuln.get("fix") or
vuln.get("solution") or ""),
}
def calculate_sla_status(vulns, sla_days=None):
"""Calculate SLA compliance for each vulnerability."""
if sla_days is None:
sla_days = DEFAULT_SLA_DAYS
now = datetime.now(timezone.utc)
results = []
for vuln in vulns:
norm = normalize_vulnerability(vuln)
if norm["status"] not in ("open", "new", "active", "unresolved"):
norm["sla_status"] = "RESOLVED"
norm["sla_days_remaining"] = None
results.append(norm)
continue
severity = norm["severity"]
target_days = sla_days.get(severity, sla_days.get("MEDIUM", 90))
try:
disc_str = norm["discovered_date"]
if "T" in disc_str:
discovered = datetime.fromisoformat(disc_str.replace("Z", "+00:00"))
else:
discovered = datetime.strptime(disc_str[:10], "%Y-%m-%d").replace(tzinfo=timezone.utc)
except (ValueError, TypeError):
discovered = now
norm["parse_warning"] = "Could not parse discovered_date"
age_days = (now - discovered).days
sla_deadline = discovered + timedelta(days=target_days)
days_remaining = (sla_deadline - now).days
norm["age_days"] = age_days
norm["sla_target_days"] = target_days
norm["sla_deadline"] = sla_deadline.isoformat()
norm["sla_days_remaining"] = days_remaining
if days_remaining < 0:
norm["sla_status"] = "BREACHED"
norm["sla_overdue_days"] = abs(days_remaining)
elif days_remaining <= 7:
norm["sla_status"] = "AT_RISK"
else:
norm["sla_status"] = "ON_TRACK"
results.append(norm)
return results
def generate_metrics(results):
"""Generate SLA compliance metrics."""
open_vulns = [r for r in results if r.get("sla_status") != "RESOLVED"]
breached = [r for r in open_vulns if r.get("sla_status") == "BREACHED"]
at_risk = [r for r in open_vulns if r.get("sla_status") == "AT_RISK"]
on_track = [r for r in open_vulns if r.get("sla_status") == "ON_TRACK"]
compliance_rate = ((len(on_track) + len(at_risk)) / len(open_vulns) * 100) if open_vulns else 100.0
by_severity = {}
for r in open_vulns:
sev = r.get("severity", "MEDIUM")
by_severity.setdefault(sev, {"total": 0, "breached": 0, "at_risk": 0})
by_severity[sev]["total"] += 1
if r.get("sla_status") == "BREACHED":
by_severity[sev]["breached"] += 1
elif r.get("sla_status") == "AT_RISK":
by_severity[sev]["at_risk"] += 1
oldest_breach = None
if breached:
oldest = max(breached, key=lambda r: r.get("sla_overdue_days", 0))
oldest_breach = {
"id": oldest["id"],
"severity": oldest["severity"],
"overdue_days": oldest.get("sla_overdue_days", 0),
"asset": oldest["asset"],
}
return {
"total_open": len(open_vulns),
"breached": len(breached),
"at_risk": len(at_risk),
"on_track": len(on_track),
"resolved": len(results) - len(open_vulns),
"compliance_rate": round(compliance_rate, 1),
"by_severity": by_severity,
"oldest_breach": oldest_breach,
}
def format_summary(metrics, results):
"""Print SLA tracking summary."""
print(f"\n{'='*60}")
print(f" Vulnerability Remediation SLA Report")
print(f"{'='*60}")
print(f" Open Vulnerabilities : {metrics['total_open']}")
print(f" SLA Breached : {metrics['breached']}")
print(f" At Risk (<7 days) : {metrics['at_risk']}")
print(f" On Track : {metrics['on_track']}")
print(f" Resolved : {metrics['resolved']}")
print(f" Compliance Rate : {metrics['compliance_rate']}%")
print(f"\n By Severity:")
for sev in ["CRITICAL", "HIGH", "MEDIUM", "LOW"]:
data = metrics["by_severity"].get(sev, {})
if data.get("total", 0) > 0:
print(f" {sev:10s}: {data['total']} open, {data['breached']} breached, {data['at_risk']} at-risk")
breached = [r for r in results if r.get("sla_status") == "BREACHED"]
if breached:
print(f"\n SLA Breached ({len(breached)}):")
for r in sorted(breached, key=lambda x: -x.get("sla_overdue_days", 0))[:15]:
print(f" [{r['severity']:8s}] {r['id']:20s} | {r['asset']:20s} | "
f"{r.get('sla_overdue_days', 0)}d overdue | {r['title'][:30]}")
if metrics.get("oldest_breach"):
ob = metrics["oldest_breach"]
print(f"\n Worst Breach: {ob['id']} ({ob['severity']}) on {ob['asset']} - "
f"{ob['overdue_days']} days overdue")
def check_compliance(target, token):
findings = []
if not requests: return []
headers = {"Authorization": f"Bearer {token}"}
try:
resp = requests.get(f"{target}/api/v1/compliance", headers=headers, timeout=10)
if resp.status_code == 200:
for item in resp.json().get("checks", []):
if item.get("status") != "PASS":
findings.append({"check": item.get("name"), "status": item.get("status"),
"severity": item.get("severity", "MEDIUM")})
except requests.RequestException:
pass
return findings
def main():
p = argparse.ArgumentParser(description="Vulnerability remediation SLA tracking")
p.add_argument("--target", required=True, help="Target URL")
p.add_argument("--token", required=True, help="API token")
p.add_argument("--output", "-o", help="Output JSON report")
p.add_argument("--verbose", "-v", action="store_true")
a = p.parse_args()
print("[*] Vulnerability remediation SLA tracking")
report = {"timestamp": datetime.now(timezone.utc).isoformat(), "findings": []}
report["findings"].extend(audit_config(a.target, a.token))
report["findings"].extend(check_compliance(a.target, a.token))
high = sum(1 for f in report["findings"] if f.get("severity") in ("HIGH", "CRITICAL"))
report["risk_level"] = "HIGH" if high else "MEDIUM" if report["findings"] else "LOW"
print(f"[*] {len(report['findings'])} findings, risk: {report['risk_level']}")
if a.output:
with open(a.output, "w") as f: json.dump(report, f, indent=2)
else:
parser = argparse.ArgumentParser(description="Vulnerability remediation SLA tracking agent")
parser.add_argument("--source", required=True, help="Vulnerability data file (JSON or CSV)")
parser.add_argument("--sla-critical", type=int, default=7, help="SLA days for CRITICAL (default: 7)")
parser.add_argument("--sla-high", type=int, default=30, help="SLA days for HIGH (default: 30)")
parser.add_argument("--sla-medium", type=int, default=90, help="SLA days for MEDIUM (default: 90)")
parser.add_argument("--sla-low", type=int, default=180, help="SLA days for LOW (default: 180)")
parser.add_argument("--output", "-o", help="Output JSON report")
parser.add_argument("--verbose", "-v", action="store_true")
args = parser.parse_args()
sla_days = {
"CRITICAL": args.sla_critical,
"HIGH": args.sla_high,
"MEDIUM": args.sla_medium,
"LOW": args.sla_low,
}
vulns = load_vulnerabilities(args.source)
print(f"[*] Loaded {len(vulns)} vulnerabilities from {args.source}")
results = calculate_sla_status(vulns, sla_days)
metrics = generate_metrics(results)
format_summary(metrics, results)
report = {
"timestamp": datetime.now(timezone.utc).isoformat(),
"tool": "Vulnerability SLA Tracker",
"source": args.source,
"sla_targets": sla_days,
"metrics": metrics,
"vulnerabilities": results,
}
if args.output:
with open(args.output, "w") as f:
json.dump(report, f, indent=2)
print(f"\n[+] Report saved to {args.output}")
elif args.verbose:
print(json.dumps(report, indent=2))
if __name__ == "__main__":
main()
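Review bot: in `calculate_sla_status` a timestamp such as `2024-01-15T10:30:00` (ISO form with a `T` but no UTC offset, which scanner exports commonly produce) parses to a naive datetime, and the subtraction `age_days = (now - discovered).days` sits outside the `try`, so one such row raises `TypeError: can't subtract offset-naive and offset-aware datetimes` and aborts the whole run; normalise after parsing, e.g. `if discovered.tzinfo is None: discovered = discovered.replace(tzinfo=timezone.utc)`. Three smaller logic problems in the same function: `if norm["status"] not in ("open", "new", "active", "unresolved")` marks every unrecognised state (`in_progress`, `reopened`, `risk_accepted`, a typo) as RESOLVED, which silently inflates `compliance_rate`, so enumerate the closed states and treat everything else as open; the `except` branch sets `discovered = now`, which gives a finding with an unparseable date a full SLA window and ON_TRACK status instead of an explicit UNKNOWN that is excluded from (or counted against) the compliance figure; and `elif days_remaining <= 7` is a fixed window, so with the default 7-day CRITICAL SLA every open critical is AT_RISK from the day it is found, and the summary label `At Risk (<7 days)` does not match the `<=` check either. Scale the at-risk window to `target_days` or expose it as a flag. Finally, the CLI contract changes from `--target/--token` to `--source`, so anything scripted against the old audit mode breaks; call that out in the commit message or keep the old flags as an explicit deprecation error.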
@@ -24,6 +24,21 @@ Zero Trust Network Access (ZTNA) replaces traditional VPN architectures by enfor
This skill covers end-to-end deployment of ZPA including connector setup, application segmentation, policy configuration, and integration with identity providers for continuous verification.
## When to Use
- When deploying or configuring implementing zero trust network access with zscaler capabilities in your environment
- When establishing security controls aligned to compliance requirements
- When building or improving security architecture for this domain
- When conducting security assessments that require this implementation
## Prerequisites
- Familiarity with zero trust architecture concepts and tools
- Access to a test or lab environment for safe execution
- Python 3.8+ with required dependencies installed
- Appropriate authorization for any testing activities
## Architecture
### Zscaler Private Access Components
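Review bot: "zscaler" in the first bullet is the lowercased title; keep "Zscaler". The Prerequisites are template text, and "Python 3.8+" in particular has no basis in the visible Overview (connector setup, application segmentation, policy configuration, IdP integration); list a ZPA admin portal tenant, a host for the App Connector, and an IdP integration instead.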
@@ -13,6 +13,21 @@ license: Apache-2.0
## Overview
Conduct systematic access reviews and certifications to ensure users have appropriate access rights aligned with their roles. This skill covers review campaign design, reviewer selection, risk-based prioritization, micro-certification strategies, and remediation tracking for compliance with SOX, HIPAA, and PCI DSS requirements.
## When to Use
- When conducting security assessments that involve performing access review and certification
- When following incident response procedures for related security events
- When performing scheduled security testing or auditing activities
- When validating security controls through hands-on testing
## Prerequisites
- Familiarity with identity access management concepts and tools
- Access to a test or lab environment for safe execution
- Python 3.8+ with required dependencies installed
- Appropriate authorization for any testing activities
## Objectives
- Design and execute access review campaigns across enterprise applications
- Implement risk-based prioritization for review scope
@@ -15,6 +15,21 @@ license: Apache-2.0
# Performing Cloud Native Forensics with Falco
## When to Use
- When conducting security assessments that involve performing cloud native forensics with falco
- When following incident response procedures for related security events
- When performing scheduled security testing or auditing activities
- When validating security controls through hands-on testing
## Prerequisites
- Familiarity with cloud security concepts and tools
- Access to a test or lab environment for safe execution
- Python 3.8+ with required dependencies installed
- Appropriate authorization for any testing activities
## Instructions
Deploy and manage Falco rules for runtime security detection in containerized
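Review bot: the Prerequisites say "Familiarity with cloud security concepts and tools", but the Instructions line that follows is about Falco rules for runtime detection in containers, so the prerequisite a reader needs is a Kubernetes or container host with Falco deployed and access to its rule files and event output. Note also that the H1 says "Forensics" while the Instructions describe rule management for runtime detection; one of the two should change, and "falco" in the first bullet should keep its capitalisation.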
@@ -15,6 +15,21 @@ license: Apache-2.0
# Performing Container Escape Detection
## When to Use
- When conducting security assessments that involve performing container escape detection
- When following incident response procedures for related security events
- When performing scheduled security testing or auditing activities
- When validating security controls through hands-on testing
## Prerequisites
- Familiarity with container security concepts and tools
- Access to a test or lab environment for safe execution
- Python 3.8+ with required dependencies installed
- Appropriate authorization for any testing activities
## Instructions
Audit Kubernetes pods for container escape vectors including privileged mode,
@@ -14,6 +14,21 @@ license: Apache-2.0
LaZagne is an open-source post-exploitation tool designed to retrieve credentials stored on local systems. It supports Windows, Linux, and macOS, with the most extensive module library for Windows. LaZagne recovers passwords from browsers (Chrome, Firefox, Edge, Opera), email clients (Outlook, Thunderbird), databases (PostgreSQL, MySQL, SQLite), system stores (Windows Credential Manager, LSA secrets, DPAPI), Wi-Fi profiles, Git credentials, and dozens of other applications. The tool is categorized under MITRE ATT&CK T1555 (Credentials from Password Stores) and is listed as software S0349. Red teams use LaZagne after gaining initial access to harvest stored credentials that enable lateral movement and privilege escalation.
## When to Use
- When conducting security assessments that involve performing credential access with lazagne
- When following incident response procedures for related security events
- When performing scheduled security testing or auditing activities
- When validating security controls through hands-on testing
## Prerequisites
- Familiarity with red teaming concepts and tools
- Access to a test or lab environment for safe execution
- Python 3.8+ with required dependencies installed
- Appropriate authorization for any testing activities
## Objectives
- Deploy LaZagne on compromised Windows, Linux, or macOS endpoints
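Review bot: the When to Use bullets here are the assessment/incident-response template ("When following incident response procedures…", "When performing scheduled security testing or auditing activities") while the Overview describes a post-exploitation credential harvester used after initial access; use the red-team template instead. The Prerequisites also omit the one thing the first Objective ("Deploy LaZagne on compromised … endpoints") requires, an existing foothold with local execution on the target, and "lazagne" in the first bullet should be written "LaZagne".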
@@ -15,6 +15,21 @@ license: Apache-2.0
# Performing DNS Tunneling Detection
## When to Use
- When conducting security assessments that involve performing dns tunneling detection
- When following incident response procedures for related security events
- When performing scheduled security testing or auditing activities
- When validating security controls through hands-on testing
## Prerequisites
- Familiarity with security operations concepts and tools
- Access to a test or lab environment for safe execution
- Python 3.8+ with required dependencies installed
- Appropriate authorization for any testing activities
## Instructions
Analyze DNS traffic for indicators of DNS tunneling using entropy analysis and
@@ -14,6 +14,21 @@ license: Apache-2.0
EvilGinx3 is a man-in-the-middle attack framework used for phishing login credentials along with session cookies, enabling bypass of multi-factor authentication (MFA). Unlike traditional credential phishing that only captures usernames and passwords, EvilGinx3 operates as a transparent reverse proxy between the victim and the legitimate authentication service, intercepting the full authentication flow including MFA tokens and session cookies. This makes it the primary tool for red teams demonstrating the risk of adversary-in-the-middle (AiTM) attacks against organizations relying solely on MFA for protection.
## When to Use
- When conducting security assessments that involve performing initial access with evilginx3
- When following incident response procedures for related security events
- When performing scheduled security testing or auditing activities
- When validating security controls through hands-on testing
## Prerequisites
- Familiarity with red teaming concepts and tools
- Access to a test or lab environment for safe execution
- Python 3.8+ with required dependencies installed
- Appropriate authorization for any testing activities
## Objectives
- Deploy EvilGinx3 with custom phishlets targeting authorized scope
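Review bot: "Python 3.8+ with required dependencies installed" is wrong for this page; Evilginx is a Go binary, so the prerequisite is the released build or a Go toolchain, not Python. The Prerequisites should instead cover what the reverse-proxy setup in the Overview needs: a registered domain with DNS under the operator's control and a public host with a valid TLS certificate for the proxy. The When to Use bullets are also the incident-response template rather than the red-team one, and "evilginx3" in the first bullet should keep the tool's capitalisation.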
@@ -17,6 +17,21 @@ license: Apache-2.0
Kerberoasting is a post-exploitation technique that targets service accounts in Active Directory by requesting Kerberos TGS (Ticket Granting Service) tickets for accounts with Service Principal Names (SPNs) set. These tickets are encrypted with the service account's NTLM hash, allowing offline brute-force cracking without generating failed login events. It is one of the most common privilege escalation paths in AD environments because any domain user can request TGS tickets.
## When to Use
- When conducting security assessments that involve performing kerberoasting attack
- When following incident response procedures for related security events
- When performing scheduled security testing or auditing activities
- When validating security controls through hands-on testing
## Prerequisites
- Familiarity with red teaming concepts and tools
- Access to a test or lab environment for safe execution
- Python 3.8+ with required dependencies installed
- Appropriate authorization for any testing activities
## MITRE ATT&CK Mapping
- **T1558.003** - Steal or Forge Kerberos Tickets: Kerberoasting
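Review bot: the Prerequisites omit the one requirement the Overview itself states, credentials for any domain user (plus network reachability to a domain controller on port 88), and instead carry the generic lab-environment lines; add it. While touching this file, the context sentence "These tickets are encrypted with the service account's NTLM hash" holds only for RC4 (etype 23) tickets; AES tickets are encrypted with a key derived from the account password and a salt, which is why cracking them is much slower and why operators request RC4 where policy allows. The ATT&CK mapping T1558.003 is correct.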
@@ -17,6 +17,21 @@ license: Apache-2.0
WMI (Windows Management Instrumentation) is a legitimate Windows administration framework that red teams abuse for lateral movement because it provides remote command execution without deploying additional services or leaving obvious artifacts like PsExec. Impacket's wmiexec.py creates a semi-interactive shell over WMI by executing commands through Win32_Process.Create and reading output via temporary files on ADMIN$ share. Unlike PsExec, WMIExec does not install a service on the target, making it stealthier and less likely to trigger security alerts. WMI-based lateral movement maps to MITRE ATT&CK T1047 (Windows Management Instrumentation) and is used by threat actors including APT29, APT32, and Lazarus Group.
## When to Use
- When conducting security assessments that involve performing lateral movement with wmiexec
- When following incident response procedures for related security events
- When performing scheduled security testing or auditing activities
- When validating security controls through hands-on testing
## Prerequisites
- Familiarity with red teaming concepts and tools
- Access to a test or lab environment for safe execution
- Python 3.8+ with required dependencies installed
- Appropriate authorization for any testing activities
## Objectives
- Execute remote commands on Windows targets using WMI-based techniques
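Review bot: the Prerequisites should state what wmiexec.py actually needs and the Overview implies: local administrator credentials (password or NT hash) on the target, DCOM/RPC reachability on 135 plus the dynamic range, and SMB access to the ADMIN$ share, since the Overview says command output is read back through it. "Python 3.8+" is correct here because Impacket is Python, so say so rather than leaving the template wording. "wmiexec" in the first bullet should match the tool name used in the Overview.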
@@ -17,6 +17,21 @@ license: Apache-2.0
Open Source Intelligence (OSINT) gathering is the first active phase of a red team engagement, where operators collect publicly available information about the target organization to identify attack surfaces, potential targets for social engineering, technology stacks, and credential exposures. Effective OSINT directly shapes initial access strategies and reduces operational risk.
## When to Use
- When conducting security assessments that involve performing open source intelligence gathering
- When following incident response procedures for related security events
- When performing scheduled security testing or auditing activities
- When validating security controls through hands-on testing
## Prerequisites
- Familiarity with red teaming concepts and tools
- Access to a test or lab environment for safe execution
- Python 3.8+ with required dependencies installed
- Appropriate authorization for any testing activities
## Objectives
- Enumerate the target organization's external attack surface (domains, IPs, cloud assets)
@@ -13,6 +13,21 @@ author: mahipal
license: Apache-2.0
---
## When to Use
- When conducting security assessments that involve performing red team phishing with gophish
- When following incident response procedures for related security events
- When performing scheduled security testing or auditing activities
- When validating security controls through hands-on testing
## Prerequisites
- Familiarity with security operations concepts and tools
- Access to a test or lab environment for safe execution
- Python 3.8+ with required dependencies installed
- Appropriate authorization for any testing activities
## Instructions
1. Install dependencies: `pip install gophish requests`
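Review bot: the hunk inserts "## When to Use" directly after the closing `---` of the frontmatter with no `# ` title heading in between, although the commit message says title headings were fixed across these files; every other file in this change has an H1 between the frontmatter and When to Use, so add one here. The Prerequisites also say "Familiarity with security operations concepts" for a red-team phishing skill, and leave out the Gophish server URL and API key that the `gophish` client installed in the Instructions needs.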
@@ -13,6 +13,21 @@ license: Apache-2.0
## Overview
Audit service accounts across enterprise infrastructure to identify orphaned, over-privileged, and non-compliant accounts. This skill covers discovery of service accounts in Active Directory, cloud platforms, databases, and applications, assessing privilege levels, identifying missing owners, and enforcing lifecycle policies.
## When to Use
- When conducting security assessments that involve performing service account audit
- When following incident response procedures for related security events
- When performing scheduled security testing or auditing activities
- When validating security controls through hands-on testing
## Prerequisites
- Familiarity with identity access management concepts and tools
- Access to a test or lab environment for safe execution
- Python 3.8+ with required dependencies installed
- Appropriate authorization for any testing activities
## Objectives
- Discover all service accounts across AD, cloud, databases, and applications
- Identify orphaned accounts with no valid owner or associated application
@@ -13,6 +13,21 @@ author: mahipal
license: Apache-2.0
---
## When to Use
- When conducting security assessments that involve performing ssrf vulnerability exploitation
- When following incident response procedures for related security events
- When performing scheduled security testing or auditing activities
- When validating security controls through hands-on testing
## Prerequisites
- Familiarity with security operations concepts and tools
- Access to a test or lab environment for safe execution
- Python 3.8+ with required dependencies installed
- Appropriate authorization for any testing activities
## Instructions
1. Install dependencies: `pip install requests`
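Review bot: as with the other file that starts at the frontmatter `---`, this hunk adds "## When to Use" with no H1 title before it; add the page title heading the commit message says it fixes. The Prerequisites line "Familiarity with security operations concepts and tools" does not fit an SSRF exploitation page; web application security and HTTP fundamentals are the relevant background, and the acronym in the first bullet should read "SSRF".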
@@ -15,6 +15,21 @@ license: Apache-2.0
# Performing Threat Emulation with Atomic Red Team
## When to Use
- When conducting security assessments that involve performing threat emulation with atomic red team
- When following incident response procedures for related security events
- When performing scheduled security testing or auditing activities
- When validating security controls through hands-on testing
## Prerequisites
- Familiarity with threat intelligence concepts and tools
- Access to a test or lab environment for safe execution
- Python 3.8+ with required dependencies installed
- Appropriate authorization for any testing activities
## Instructions
Use atomic-operator to execute Atomic Red Team tests and validate detection coverage
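Review bot: "Familiarity with threat intelligence concepts and tools" is the wrong background for this page; the Instructions describe executing Atomic Red Team tests with atomic-operator to validate detection coverage, so the prerequisites are adversary emulation basics, an endpoint with EDR/SIEM telemetry to check against, and a local copy of the atomics repository that atomic-operator runs from. The "Python 3.8+" line is accurate here since atomic-operator is a pip package, so name it, and keep "Atomic Red Team" capitalised in the first bullet.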