Fix SKILL.md frontmatter: add missing domain/subdomain/tags/version/author/license fields, fix name=None entries — all 649 skills now pass CI validation

mukul975
2026-03-11 00:26:05 +01:00
parent c21af3347e
commit 90d93af814
85 changed files with 310 additions and 44 deletions
@@ -5,6 +5,12 @@ description: >
attacks, rate limit bypass, credential scanning, and injection attempts. Uses pandas
for statistical analysis of request patterns and anomaly detection. Use when
investigating API abuse or building API-specific threat detection rules.
domain: cybersecurity
subdomain: security-operations
tags: [analyzing, api, gateway, access]
version: "1.0"
author: mahipal
license: MIT
---
# Analyzing API Gateway Access Logs
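Review bot: the `tags` list appears to be the first four words of the skill name rather than chosen search terms. `analyzing` is a verb shared by dozens of skills in this commit, and later hunks end up with stopwords filling a slot (`[analyzing, memory, forensics, with]`, `[hunting, living, off, the]`, `[implementing, mtls, for, zero]`) while the tool or technique the skill is actually about (LiME, Volatility, LOLBAS, zero-trust) is dropped. Suggest deriving tags from the description's nouns or curating them by hand, and having the validator reject a tag that is a bare stopword (`with`, `for`, `the`, `via`) so a mechanical list cannot pass as-is.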
@@ -5,6 +5,12 @@ description: >
detect suspicious administrative operations, impossible travel, privilege escalation,
and resource modifications. Builds KQL queries for threat hunting in Azure environments.
Use when investigating suspicious Azure tenant activity or building cloud SIEM detections.
domain: cybersecurity
subdomain: security-operations
tags: [analyzing, azure, activity, logs]
version: "1.0"
author: mahipal
license: MIT
---
# Analyzing Azure Activity Logs for Threats
@@ -1,5 +1,5 @@
---
name: None
name: analyzing-campaign-attribution-evidence
description: Campaign attribution analysis involves systematically evaluating evidence to determine which threat actor or group is responsible for a cyber operation. This skill covers collecting and weighting attr
domain: cybersecurity
subdomain: threat-intelligence
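Review bot: `name: None` is what a Python generator writes when it stringifies a missing value, so replacing it file by file fixes the symptom without stopping a regenerated skill from reintroducing it; the validator should also reject the literal `None` and any name that is not a lowercase hyphenated slug. The same replacement is made in every other `-1,5 +1,5` hunk in this commit, so one rule covers them all. Separately, the `description` line is shown cut off mid-word (`... collecting and weighting attr`); if that is only the viewer truncating a long line it is fine, but if the file really ends there the description needs completing.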
@@ -5,6 +5,12 @@ description: >-
Data Events, GCS audit logs, and Azure Storage Analytics. Identifies after-hours bulk downloads,
access from new IP addresses, unusual API calls (GetObject spikes), and potential data exfiltration
using statistical baselines and time-series anomaly detection.
domain: cybersecurity
subdomain: cloud-security
tags: [analyzing, cloud, storage, access]
version: "1.0"
author: mahipal
license: MIT
---
## Instructions
@@ -5,6 +5,12 @@ description: >
configuration, HTTP communication patterns, and sleep/jitter settings. Combines with
JARM TLS fingerprinting to detect C2 servers on the network. Use when investigating
suspected Cobalt Strike infrastructure or building detection signatures for C2 traffic.
domain: cybersecurity
subdomain: security-operations
tags: [analyzing, cobalt, strike, malleable]
version: "1.0"
author: mahipal
license: MIT
---
# Analyzing Cobalt Strike Malleable Profiles
@@ -5,6 +5,12 @@ description: >
access, RBAC modifications, privileged pod creation, and anonymous API access. Builds
threat detection rules from audit event patterns. Use when investigating Kubernetes
cluster compromise or building k8s-specific SIEM detection rules.
domain: cybersecurity
subdomain: container-security
tags: [analyzing, kubernetes, audit, logs]
version: "1.0"
author: mahipal
license: MIT
---
# Analyzing Kubernetes Audit Logs
@@ -5,6 +5,12 @@ description: >
and analysis with Volatility 3 framework. Extracts process lists, network connections,
bash history, loaded kernel modules, and injected code from Linux memory images.
Use when performing incident response on compromised Linux systems.
domain: cybersecurity
subdomain: security-operations
tags: [analyzing, memory, forensics, with]
version: "1.0"
author: mahipal
license: MIT
---
# Analyzing Memory Forensics with LiME and Volatility
@@ -5,6 +5,12 @@ description: >-
exfiltration, and C2 beaconing patterns. Uses the Python netflow library to decode flow
records, builds traffic baselines, and applies statistical analysis to identify flows
with abnormal byte counts, connection durations, and periodic timing patterns.
domain: cybersecurity
subdomain: network-security
tags: [analyzing, network, flow, data]
version: "1.0"
author: mahipal
license: MIT
---
## Instructions
@@ -5,6 +5,12 @@ description: >-
commands, encoded payloads, and living-off-the-land techniques. Uses python-evtx to extract and
reconstruct multi-block scripts, applies entropy analysis and pattern matching for Base64-encoded
commands, Invoke-Expression abuse, download cradles, and AMSI bypass attempts.
domain: cybersecurity
subdomain: security-operations
tags: [analyzing, powershell, script, block]
version: "1.0"
author: mahipal
license: MIT
---
## Instructions
@@ -1,5 +1,5 @@
---
name: None
name: analyzing-threat-actor-ttps-with-mitre-attack
description: MITRE ATT&CK is a globally-accessible knowledge base of adversary tactics, techniques, and procedures (TTPs) based on real-world observations. This skill covers systematically mapping threat actor beh
domain: cybersecurity
subdomain: threat-intelligence
@@ -6,6 +6,12 @@ description: >-
clusters, and tag trends over time. Uses PyMISP to pull event data, compute
IOC type breakdowns, identify top threat actors and malware families, and
generate threat landscape reports with temporal trends.
domain: cybersecurity
subdomain: threat-intelligence
tags: [analyzing, threat, landscape, with]
version: "1.0"
author: mahipal
license: MIT
---
## Instructions
@@ -5,6 +5,12 @@ description: >
domains, unauthorized certificate issuance, and shadow IT. Monitors newly issued
certificates for typosquatting and brand impersonation using Levenshtein distance.
Use for proactive phishing domain detection and certificate monitoring.
domain: cybersecurity
subdomain: security-operations
tags: [analyzing, tls, certificate, transparency]
version: "1.0"
author: mahipal
license: MIT
---
# Analyzing TLS Certificate Transparency Logs
@@ -5,6 +5,12 @@ description: >-
directory traversal, web scanner fingerprints, and brute-force patterns. Uses regex-based
pattern matching against OWASP attack signatures, GeoIP enrichment for source attribution,
and statistical anomaly detection for request frequency and response size outliers.
domain: cybersecurity
subdomain: security-operations
tags: [analyzing, web, server, logs]
version: "1.0"
author: mahipal
license: MIT
---
## Instructions
@@ -1,5 +1,5 @@
---
name: None
name: auditing-kubernetes-rbac-permissions
description: Kubernetes Role-Based Access Control (RBAC) auditing systematically reviews roles, cluster roles, bindings, and service account permissions to identify overly permissive access, privilege escalation p
domain: cybersecurity
subdomain: container-security
@@ -1,5 +1,5 @@
---
name: None
name: building-ioc-enrichment-pipeline-with-opencti
description: OpenCTI is an open-source platform for managing cyber threat intelligence knowledge, built on STIX 2.1 as its native data model. This skill covers building an automated IOC enrichment pipeline using O
domain: cybersecurity
subdomain: threat-intelligence
@@ -1,5 +1,5 @@
---
name: None
name: building-threat-intelligence-platform
description: Building a Threat Intelligence Platform (TIP) involves deploying and integrating multiple CTI tools into a unified system for collecting, analyzing, enriching, and disseminating threat intelligence. T
domain: cybersecurity
subdomain: threat-intelligence
@@ -1,5 +1,5 @@
---
name: None
name: collecting-threat-intelligence-with-misp
description: MISP (Malware Information Sharing Platform) is an open-source threat intelligence platform for gathering, sharing, storing, and correlating Indicators of Compromise (IOCs) of targeted attacks, threat
domain: cybersecurity
subdomain: threat-intelligence
@@ -1,5 +1,5 @@
---
name: None
name: configuring-active-directory-tiered-model
description: Implement Microsoft's Enhanced Security Admin Environment (ESAE) tiered administration model for Active Directory. Covers Tier 0/1/2 separation, privileged access workstations (PAWs), administrative f
domain: cybersecurity
subdomain: identity-access-management
@@ -1,5 +1,5 @@
---
name: None
name: configuring-ldap-security-hardening
description: Harden LDAP directory services against common attacks including credential harvesting, LDAP injection, anonymous binding, and channel binding bypass. Covers LDAPS enforcement, channel binding, LDAP si
domain: cybersecurity
subdomain: identity-access-management
@@ -1,3 +1,14 @@
---
name: configuring-microsegmentation-for-zero-trust
description: Configuring Microsegmentation For Zero Trust
domain: cybersecurity
subdomain: security-operations
tags: [cybersecurity]
version: "1.0"
author: mahipal
license: MIT
---
# Configuring Microsegmentation for Zero Trust
---
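Review bot: two problems here. The old file's closing `---` after `# Configuring Microsegmentation for Zero Trust` is left in place, so with the new frontmatter already closed on the line before the heading, that trailing `---` is a stray delimiter that now renders as a horizontal rule; drop it. Also `description: Configuring Microsegmentation For Zero Trust` just restates the name in title case and `tags: [cybersecurity]` repeats the `domain` value, so both fields satisfy the CI check without carrying any information; write a one-sentence description of what the skill does and tags naming the technique (microsegmentation, zero-trust, network-policy, for example). The same applies to the other three `-1,3 +1,14` hunks in this commit: deploying-software-defined-perimeter, implementing-identity-verification-for-zero-trust and implementing-zero-trust-network-access-with-zscaler.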
@@ -1,5 +1,5 @@
---
name: None
name: configuring-multi-factor-authentication-with-duo
description: Deploy Cisco Duo multi-factor authentication across enterprise applications, VPN, RDP, and SSH access points. This skill covers Duo integration methods, adaptive authentication policies, device trust
domain: cybersecurity
subdomain: identity-access-management
@@ -1,5 +1,5 @@
---
name: None
name: configuring-oauth2-authorization-flow
description: Configure secure OAuth 2.0 authorization flows including Authorization Code with PKCE, Client Credentials, and Device Authorization Grant. This skill covers flow selection, PKCE implementation, token
domain: cybersecurity
subdomain: identity-access-management
@@ -1,5 +1,5 @@
---
name: configuring-tls-1.3-for-secure-communications
name: configuring-tls-1-3-for-secure-communications
description: TLS 1.3 (RFC 8446) is the latest version of the Transport Layer Security protocol, providing significant improvements over TLS 1.2 in both security and performance. It reduces handshake latency to 1-R
domain: cybersecurity
subdomain: cryptography
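Review bot: renaming `configuring-tls-1.3-for-secure-communications` to `configuring-tls-1-3-for-secure-communications` changes the slug, but nothing in this hunk shows the containing directory or any index that references the old name being updated; confirm the directory name matches the new slug (if the validator compares the two) and that no other skill or README still links to the `1.3` form.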
@@ -1,3 +1,14 @@
---
name: deploying-software-defined-perimeter
description: Deploying Software Defined Perimeter
domain: cybersecurity
subdomain: security-operations
tags: [cybersecurity]
version: "1.0"
author: mahipal
license: MIT
---
# Deploying Software-Defined Perimeter
---
@@ -5,6 +5,12 @@ description: >
beaconing patterns. Uses the ZAT library to load Zeek logs into Pandas DataFrames,
calculates inter-arrival time standard deviation, and flags periodic connections
with low jitter. Use when hunting for command-and-control callbacks in network data.
domain: cybersecurity
subdomain: security-operations
tags: [detecting, beaconing, patterns, with]
version: "1.0"
author: mahipal
license: MIT
---
# Detecting Beaconing Patterns with Zeek
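Review bot: `subdomain: security-operations` here contrasts with `network-security` on the NetFlow hunk (`tags: [analyzing, network, flow, data]`) and the traffic-analysis hunk (`tags: [implementing, network, traffic, analysis]`), although all three detect beaconing in network telemetry; pick one subdomain for network detection skills. `tags: [detecting, beaconing, patterns, with]` also drops `zeek`, the tool the skill is about.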
@@ -1,5 +1,5 @@
---
name: None
name: detecting-container-escape-attempts
description: Container escape is a critical attack technique where an adversary breaks out of container isolation to access the host system or other containers. Detection involves monitoring for escape indicators
domain: cybersecurity
subdomain: container-security
@@ -5,6 +5,12 @@ description: >-
TGT usage patterns. Parses Event IDs 4624, 4672, and 4768 from EVTX files to identify tickets
with abnormal lifetimes, domain SID mismatches, and privilege escalation sequences where
non-admin accounts receive admin-level privileges without corresponding group membership changes.
domain: cybersecurity
subdomain: security-operations
tags: [detecting, golden, ticket, attacks]
version: "1.0"
author: mahipal
license: MIT
---
## Instructions
@@ -5,6 +5,12 @@ description: >
patterns, upload volume anomalies, and off-hours activity in endpoint and cloud logs.
Uses pandas for behavioral analytics and statistical baselines. Use when investigating
insider threats or building user behavior analytics for data loss prevention.
domain: cybersecurity
subdomain: security-operations
tags: [detecting, insider, data, exfiltration]
version: "1.0"
author: mahipal
license: MIT
---
# Detecting Insider Data Exfiltration via DLP
@@ -6,6 +6,12 @@ description: >-
identify SQLi patterns (UNION SELECT, OR 1=1, SLEEP(), BENCHMARK()), tracks
attack sources, correlates multi-stage injection attempts, and generates
incident reports with OWASP classification.
domain: cybersecurity
subdomain: security-operations
tags: [detecting, sql, injection, via]
version: "1.0"
author: mahipal
license: MIT
---
## Instructions
@@ -5,6 +5,12 @@ description: >
attack vectors including unpinned actions, script injection via expressions, dependency
confusion, and secrets exposure. Uses PyGithub and YAML parsing for automated audit.
Use when hardening CI/CD pipelines or investigating compromised build systems.
domain: cybersecurity
subdomain: security-operations
tags: [detecting, supply, chain, attacks]
version: "1.0"
author: mahipal
license: MIT
---
# Detecting Supply Chain Attacks in CI/CD
@@ -1,5 +1,5 @@
---
name: None
name: exploiting-vulnerabilities-with-metasploit-framework
description: The Metasploit Framework is the world's most widely used penetration testing platform, maintained by Rapid7. It contains over 2,300 exploits, 1,200 auxiliary modules, and 400 post-exploitation modules
domain: cybersecurity
subdomain: vulnerability-management
@@ -5,6 +5,12 @@ description: >
injected code via VAD anomalies, hidden processes, and rootkit detection. Applies
plugins like pslist, psscan, vadinfo, malfind, and dlllist to extract forensic
artifacts from Windows memory images. Use during incident response memory analysis.
domain: cybersecurity
subdomain: security-operations
tags: [extracting, memory, artifacts, with]
version: "1.0"
author: mahipal
license: MIT
---
# Extracting Memory Artifacts with Rekall
@@ -1,5 +1,5 @@
---
name: None
name: hardening-docker-containers-for-production
description: Hardening Docker containers for production involves applying security best practices aligned with CIS Docker Benchmark v1.8.0 to minimize attack surface, prevent privilege escalation, and enforce leas
domain: cybersecurity
subdomain: container-security
@@ -5,6 +5,12 @@ description: >
anomalies, ASN diversity, password spray patterns, and geographic distribution of failed
logins. Uses statistical analysis on Splunk or raw log data. Use when investigating
account takeover campaigns or building detection rules for auth abuse.
domain: cybersecurity
subdomain: security-operations
tags: [hunting, credential, stuffing, attacks]
version: "1.0"
author: mahipal
license: MIT
---
# Hunting Credential Stuffing Attacks
@@ -6,6 +6,12 @@ description: >-
recently modified files in web roots, and anomalous file sizes. Uses Shannon
entropy calculation to flag obfuscated payloads and regex pattern matching
against known webshell signatures.
domain: cybersecurity
subdomain: security-operations
tags: [hunting, for, webshells, web]
version: "1.0"
author: mahipal
license: MIT
---
## Instructions
@@ -5,6 +5,12 @@ description: >
regsvr32, and rundll32 in Windows event logs and Sysmon telemetry. Builds detection
rules by cross-referencing process creation events against the LOLBAS project database.
Use when threat hunting for fileless attack techniques or building SIEM detection rules.
domain: cybersecurity
subdomain: security-operations
tags: [hunting, living, off, the]
version: "1.0"
author: mahipal
license: MIT
---
# Hunting Living Off The Land Binaries
@@ -5,6 +5,12 @@ description: >
security monitoring, process anomaly detection, and file integrity checking on EC2/GCE
instances. Scans for cryptomining, reverse shells, and unauthorized binaries.
Use when building runtime security controls for cloud compute workloads.
domain: cybersecurity
subdomain: cloud-security
tags: [implementing, cloud, workload, protection]
version: "1.0"
author: mahipal
license: MIT
---
# Implementing Cloud Workload Protection
@@ -1,5 +1,5 @@
---
name: None
name: implementing-conditional-access-policies-azure-ad
description: Configure Microsoft Entra ID (Azure AD) Conditional Access policies for zero trust access control. Covers signal-based policy design, device compliance requirements, risk-based authentication, named l
domain: cybersecurity
subdomain: identity-access-management
@@ -1,5 +1,5 @@
---
name: None
name: implementing-diamond-model-analysis
description: The Diamond Model of Intrusion Analysis provides a structured framework for analyzing cyber intrusions by examining four core features: Adversary, Capability, Infrastructure, and Victim. This skill co
domain: cybersecurity
subdomain: threat-intelligence
@@ -1,5 +1,5 @@
---
name: implementing-dmarc,-dkim,-and-spf-email-security
name: implementing-dmarc-dkim-spf-email-security
description: SPF, DKIM, and DMARC form the three pillars of email authentication. Together they prevent domain spoofing, validate message integrity, and define policies for handling unauthenticated mail. Proper im
domain: cybersecurity
subdomain: phishing-defense
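Review bot: `implementing-dmarc,-dkim,-and-spf-email-security` to `implementing-dmarc-dkim-spf-email-security` drops `and` as well as the commas, so this is a new slug rather than a cleanup of the old one; as with the TLS rename, confirm the directory name and any references to the old slug are updated in the same change.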
@@ -6,6 +6,12 @@ description: >-
validates SPF syntax and lookup counts, verifies DKIM selector records,
parses DMARC policies, and identifies misconfigurations that enable email
spoofing. Generates remediation recommendations.
domain: cybersecurity
subdomain: security-operations
tags: [implementing, email, security, with]
version: "1.0"
author: mahipal
license: MIT
---
## Instructions
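Review bot: this skill validates SPF, DKIM and DMARC records yet is filed under `subdomain: security-operations`, while the `implementing-dmarc-dkim-spf-email-security` skill in the hunk just above is under `phishing-defense`; closely related skills should share a subdomain, and `phishing-defense` fits both. `tags: [implementing, email, security, with]` also omits the three protocol names anyone would search for.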
@@ -5,6 +5,12 @@ description: >
beacons, database records) that trigger alerts when accessed by attackers. Uses the
Canarytokens API and custom webhook integrations for breach detection. Use when
building deception-based early warning systems for intrusion detection.
domain: cybersecurity
subdomain: security-operations
tags: [implementing, honeytokens, for, breach]
version: "1.0"
author: mahipal
license: MIT
---
# Implementing Honeytokens for Breach Detection
@@ -1,5 +1,5 @@
---
name: None
name: implementing-identity-governance-with-sailpoint
description: Deploy SailPoint IdentityNow or IdentityIQ for identity governance and administration. Covers identity lifecycle management, access request workflows, certification campaigns, role mining, SOD policy
domain: cybersecurity
subdomain: identity-access-management
@@ -1,3 +1,14 @@
---
name: implementing-identity-verification-for-zero-trust
description: Implementing Identity Verification For Zero Trust
domain: cybersecurity
subdomain: security-operations
tags: [cybersecurity]
version: "1.0"
author: mahipal
license: MIT
---
# Implementing Identity Verification for Zero Trust
---
@@ -1,5 +1,5 @@
---
name: None
name: implementing-just-in-time-access-provisioning
description: Implement Just-In-Time (JIT) access provisioning to eliminate standing privileges by granting temporary, time-bound access only when needed. This skill covers JIT architecture design, approval workflo
domain: cybersecurity
subdomain: identity-access-management
@@ -1,5 +1,5 @@
---
name: None
name: implementing-kubernetes-pod-security-standards
description: Pod Security Standards (PSS) define three levels of security policies -- Privileged, Baseline, and Restricted -- enforced by the Pod Security Admission (PSA) controller built into Kubernetes 1.25+. PS
domain: cybersecurity
subdomain: container-security
@@ -6,6 +6,12 @@ description: >-
where modifying any entry invalidates all subsequent hashes. Implements log ingestion,
chain verification, tamper detection with pinpoint identification, and periodic checkpoint
anchoring to external timestamping services.
domain: cybersecurity
subdomain: security-operations
tags: [implementing, log, integrity, with]
version: "1.0"
author: mahipal
license: MIT
---
## Instructions
@@ -5,6 +5,12 @@ description: >
cryptography library for certificate generation and ssl module for TLS verification.
Validates certificate chains, checks expiration, and audits mTLS deployment status.
Use when implementing zero-trust service-to-service authentication.
domain: cybersecurity
subdomain: security-operations
tags: [implementing, mtls, for, zero]
version: "1.0"
author: mahipal
license: MIT
---
# Implementing mTLS for Zero Trust Services
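Review bot: `subdomain: security-operations` for an mTLS implementation skill does not match the TLS 1.3 skill in this same commit, which is filed under `cryptography`; use the same subdomain for both. `tags: [implementing, mtls, for, zero]` cuts the name mid-phrase and loses `zero-trust`.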
@@ -1,5 +1,5 @@
---
name: None
name: implementing-network-policies-for-kubernetes
description: Kubernetes NetworkPolicies provide pod-level network segmentation by defining ingress and egress rules that control traffic flow between pods, namespaces, and external endpoints. Combined with CNI plu
domain: cybersecurity
subdomain: container-security
@@ -6,6 +6,12 @@ description: >-
analyze connection patterns, detect beaconing behavior, and identify suspicious
network flows. Monitors DNS queries, HTTP traffic, and TLS certificate anomalies
across captured traffic.
domain: cybersecurity
subdomain: network-security
tags: [implementing, network, traffic, analysis]
version: "1.0"
author: mahipal
license: MIT
---
## Instructions
@@ -5,6 +5,12 @@ description: >-
network connections, file integrity, and persistence mechanisms. Generates osquery.conf with
query packs, configures differential result logging, and analyzes query results to detect
suspicious processes, unauthorized listeners, and file modifications in system directories.
domain: cybersecurity
subdomain: security-operations
tags: [implementing, osquery, for, endpoint]
version: "1.0"
author: mahipal
license: MIT
---
## Instructions
@@ -1,5 +1,5 @@
---
name: None
name: implementing-pam-for-database-access
description: Deploy privileged access management for database systems including Oracle, SQL Server, PostgreSQL, and MySQL. Covers session proxy configuration, credential vaulting, query auditing, dynamic credentia
domain: cybersecurity
subdomain: identity-access-management
@@ -1,5 +1,5 @@
---
name: None
name: implementing-passwordless-authentication-with-fido2
description: Deploy FIDO2/WebAuthn passwordless authentication using security keys and platform authenticators. Covers WebAuthn API integration, FIDO2 server configuration, passkey enrollment, biometric authentica
domain: cybersecurity
subdomain: identity-access-management
@@ -1,5 +1,5 @@
---
name: None
name: implementing-patch-management-workflow
description: Patch management is the systematic process of identifying, testing, deploying, and verifying software updates to remediate vulnerabilities across an organization's IT infrastructure. An effective patc
domain: cybersecurity
subdomain: vulnerability-management
@@ -1,5 +1,5 @@
---
name: None
name: implementing-privileged-access-management-with-cyberark
description: Deploy CyberArk Privileged Access Management to discover, vault, rotate, and monitor privileged credentials across enterprise infrastructure. This skill covers vault architecture, session isolation, c
domain: cybersecurity
subdomain: identity-access-management
@@ -1,5 +1,5 @@
---
name: None
name: implementing-rbac-for-kubernetes-cluster
description: Configure Kubernetes Role-Based Access Control (RBAC) to enforce least-privilege access to cluster resources. This skill covers Role/ClusterRole design, RoleBinding configuration, service account secu
domain: cybersecurity
subdomain: identity-access-management
@@ -1,5 +1,5 @@
---
name: None
name: implementing-saml-sso-with-okta
description: Implement SAML 2.0 Single Sign-On (SSO) using Okta as the Identity Provider (IdP). This skill covers end-to-end configuration of SAML authentication flows, attribute mapping, certificate management, a
domain: cybersecurity
subdomain: identity-access-management
@@ -5,6 +5,12 @@ description: >
security controls to verify detection and response capabilities. Tests WAF bypass,
firewall rule removal, log pipeline disruption, and EDR disablement scenarios using
boto3 and subprocess. Use when validating SOC detection coverage and resilience.
domain: cybersecurity
subdomain: security-operations
tags: [implementing, security, chaos, engineering]
version: "1.0"
author: mahipal
license: MIT
---
# Implementing Security Chaos Engineering
@@ -5,6 +5,12 @@ description: >-
process execution telemetry, and network connection logs across hosts. Uses Splunk SPL and Sigma rule format
to correlate Event IDs 4624, 4648, 4688, and Sysmon Events 1/3 within sliding time windows to surface attack
sequences invisible to single-event detections.
domain: cybersecurity
subdomain: security-operations
tags: [implementing, siem, correlation, rules]
version: "1.0"
author: mahipal
license: MIT
---
## Instructions
@@ -1,5 +1,5 @@
---
name: None
name: implementing-stix-taxii-feed-integration
description: STIX (Structured Threat Information eXpression) and TAXII (Trusted Automated eXchange of Intelligence Information) are OASIS open standards for representing and transporting cyber threat intelligence.
domain: cybersecurity
subdomain: threat-intelligence
@@ -5,6 +5,12 @@ description: >-
and log rotation. Generates server and client configuration files with GnuTLS stream
drivers, x509 certificate authentication, per-host log segregation, and reliable
queue settings for high-availability syslog infrastructure.
domain: cybersecurity
subdomain: security-operations
tags: [implementing, syslog, centralization, with]
version: "1.0"
author: mahipal
license: MIT
---
## Instructions
@@ -5,6 +5,12 @@ description: >-
correlates events with galaxy clusters, and enriches indicators via VirusTotal and AbuseIPDB.
Uses PyMISP to create events, add attributes with IDS flags, tag with MITRE ATT&CK techniques,
and export STIX 2.1 bundles for downstream SIEM consumption.
domain: cybersecurity
subdomain: threat-intelligence
tags: [implementing, threat, intelligence, platform]
version: "1.0"
author: mahipal
license: MIT
---
## Instructions
@@ -1,5 +1,5 @@
---
name: None
name: implementing-vulnerability-remediation-sla
description: Vulnerability remediation SLAs define mandatory timeframes for patching or mitigating identified vulnerabilities based on severity, asset criticality, and exploit availability. Effective SLA programs
domain: cybersecurity
subdomain: vulnerability-management
@@ -1,3 +1,14 @@
---
name: implementing-zero-trust-network-access-with-zscaler
description: Implementing Zero Trust Network Access With Zscaler
domain: cybersecurity
subdomain: security-operations
tags: [cybersecurity]
version: "1.0"
author: mahipal
license: MIT
---
# Implementing Zero Trust Network Access with Zscaler
---
@@ -1,5 +1,5 @@
---
name: None
name: performing-access-review-and-certification
description: Conduct systematic access reviews and certifications to ensure users have appropriate access rights aligned with their roles. This skill covers review campaign design, reviewer selection, risk-based p
domain: cybersecurity
subdomain: identity-access-management
@@ -1,5 +1,5 @@
---
name: None
name: performing-authenticated-vulnerability-scan
description: Authenticated (credentialed) vulnerability scanning uses valid system credentials to log into target hosts and perform deep inspection of installed software, patches, configurations, and security sett
domain: cybersecurity
subdomain: vulnerability-management
@@ -5,6 +5,12 @@ description: >
monitoring syscalls for shell spawns, file tampering, network anomalies, and privilege
escalation. Manages Falco rules via the Falco gRPC API and parses Falco alert output.
Use when building container runtime security or investigating k8s cluster compromises.
domain: cybersecurity
subdomain: cloud-security
tags: [performing, cloud, native, forensics]
version: "1.0"
author: mahipal
license: MIT
---
# Performing Cloud Native Forensics with Falco
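Review bot: Falco runtime monitoring of Kubernetes workloads is filed under `subdomain: cloud-security` while the container escape detection hunk immediately below, which covers the same cluster, is `container-security`; the two overlap enough that they should sit in the same subdomain.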
@@ -5,6 +5,12 @@ description: >
container checks, dangerous capability assignments, and host path mounts using the
kubernetes Python client. Identifies CVE-2022-0492 style escapes via cgroup abuse.
Use when auditing container security posture or investigating escape attempts.
domain: cybersecurity
subdomain: container-security
tags: [performing, container, escape, detection]
version: "1.0"
author: mahipal
license: MIT
---
# Performing Container Escape Detection
@@ -1,5 +1,5 @@
---
name: None
name: performing-dark-web-monitoring-for-threats
description: Dark web monitoring involves systematically scanning Tor hidden services, underground forums, paste sites, and dark web marketplaces to identify threats targeting an organization, including leaked cre
domain: cybersecurity
subdomain: threat-intelligence
@@ -5,6 +5,12 @@ description: >
query length distributions, inspecting TXT record payloads, and identifying high
subdomain cardinality. Uses scapy for packet capture analysis and statistical methods
to distinguish legitimate DNS from covert channels. Use when hunting for data exfiltration.
domain: cybersecurity
subdomain: security-operations
tags: [performing, dns, tunneling, detection]
version: "1.0"
author: mahipal
license: MIT
---
# Performing DNS Tunneling Detection
@@ -1,5 +1,5 @@
---
name: None
name: performing-docker-bench-security-assessment
description: Docker Bench for Security is an open-source script that checks dozens of common best practices around deploying Docker containers in production. Based on the CIS Docker Benchmark, it audits host confi
domain: cybersecurity
subdomain: container-security
@@ -1,5 +1,5 @@
---
name: None
name: performing-indicator-lifecycle-management
description: Indicator lifecycle management tracks IOCs from initial discovery through validation, enrichment, deployment, monitoring, and eventual retirement. This skill covers implementing systematic processes f
domain: cybersecurity
subdomain: threat-intelligence
@@ -1,5 +1,5 @@
---
name: None
name: performing-kubernetes-penetration-testing
description: Kubernetes penetration testing systematically evaluates cluster security by simulating attacker techniques against the API server, kubelet, etcd, pods, RBAC, network policies, and secrets. Using tools
domain: cybersecurity
subdomain: container-security
@@ -1,5 +1,5 @@
---
name: None
name: performing-malware-ioc-extraction
description: Malware IOC extraction is the process of analyzing malicious software to identify actionable indicators of compromise including file hashes, network indicators (C2 domains, IP addresses, URLs), regist
domain: cybersecurity
subdomain: threat-intelligence
@@ -1,5 +1,5 @@
---
name: None
name: performing-privileged-account-discovery
description: Discover and inventory all privileged accounts across enterprise infrastructure including domain admins, local admins, service accounts, database admins, cloud IAM roles, and application admin account
domain: cybersecurity
subdomain: identity-access-management
@@ -5,6 +5,12 @@ description: >-
templates with tracking pixels, configures SMTP sending profiles, builds target groups from
CSV, launches campaigns, and analyzes results including open rates, click rates, and credential
submission statistics for security awareness assessment.
domain: cybersecurity
subdomain: security-operations
tags: [performing, red, team, phishing]
version: "1.0"
author: mahipal
license: MIT
---
## Instructions
@@ -1,5 +1,5 @@
---
name: None
name: performing-service-account-audit
description: Audit service accounts across enterprise infrastructure to identify orphaned, over-privileged, and non-compliant accounts. This skill covers discovery of service accounts in Active Directory, cloud pl
domain: cybersecurity
subdomain: identity-access-management
@@ -5,6 +5,12 @@ description: >-
internal network services, and protocol handlers through user-controllable URL parameters.
Tests AWS/GCP/Azure metadata APIs (169.254.169.254), internal port scanning via HTTP,
URL scheme bypass techniques, and DNS rebinding detection.
domain: cybersecurity
subdomain: security-operations
tags: [performing, ssrf, vulnerability, exploitation]
version: "1.0"
author: mahipal
license: MIT
---
## Instructions
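Review bot: `subdomain: security-operations` for a web-application SSRF testing skill looks like a default; no application-security subdomain exists in this commit, but the other testing skills (Nikto, Nessus, Metasploit) are filed under `vulnerability-management`, so that is the consistent choice here. `tags: [performing, ssrf, vulnerability, exploitation]` is one of the few lists in the commit with no stopword, but `metadata-api` or `cloud-metadata` from the description would be a more useful fourth term than `performing`.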
@@ -5,6 +5,12 @@ description: >
atomic-operator Python framework. Loads test definitions from YAML atomics, runs
attack simulations, and validates detection coverage. Use when testing SIEM detection
rules, validating EDR coverage, or conducting purple team exercises.
domain: cybersecurity
subdomain: threat-intelligence
tags: [performing, threat, emulation, with]
version: "1.0"
author: mahipal
license: MIT
---
# Performing Threat Emulation with Atomic Red Team
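Review bot: running Atomic Red Team tests via `atomic-operator` to validate SIEM and EDR coverage is detection validation and purple teaming, not threat intelligence, so `subdomain: threat-intelligence` reads as a default rather than a classification; `security-operations`, used for the security chaos engineering hunk that has the same purpose, would be consistent. `tags: [performing, threat, emulation, with]` again ends in a stopword and omits `atomic-red-team`.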
@@ -1,5 +1,5 @@
---
name: None
name: performing-web-application-scanning-with-nikto
description: Nikto is an open-source web server and web application scanner that tests against over 7,000 potentially dangerous files/programs, checks for outdated versions of over 1,250 servers, and identifies ve
domain: cybersecurity
subdomain: vulnerability-management
@@ -1,5 +1,5 @@
---
name: None
name: prioritizing-vulnerabilities-with-cvss-scoring
description: The Common Vulnerability Scoring System (CVSS) is the industry standard framework maintained by FIRST (Forum of Incident Response and Security Teams) for assessing vulnerability severity. CVSS v4.0 (r
domain: cybersecurity
subdomain: vulnerability-management
@@ -1,5 +1,5 @@
---
name: None
name: scanning-docker-images-with-trivy
description: Trivy is a comprehensive open-source vulnerability scanner by Aqua Security that detects vulnerabilities in OS packages, language-specific dependencies, misconfigurations, secrets, and license violati
domain: cybersecurity
subdomain: container-security
@@ -1,5 +1,5 @@
---
name: None
name: scanning-infrastructure-with-nessus
description: Tenable Nessus is the industry-leading vulnerability scanner used to identify security weaknesses across network infrastructure including servers, workstations, network devices, and operating systems.
domain: cybersecurity
subdomain: vulnerability-management
@@ -1,5 +1,5 @@
---
name: None
name: securing-container-registry-with-harbor
description: Harbor is an open-source container registry that provides security features including vulnerability scanning (integrated Trivy), image signing (Notary/Cosign), RBAC, content trust policies, replicatio
domain: cybersecurity
subdomain: container-security
@@ -1,5 +1,5 @@
---
name: None
name: tracking-threat-actor-infrastructure
description: Threat actor infrastructure tracking involves monitoring and mapping adversary-controlled assets including command-and-control (C2) servers, phishing domains, exploit kit hosts, bulletproof hosting, a
domain: cybersecurity
subdomain: threat-intelligence