Cybersecurity Tools — IR, Cloud & Miscellaneous — Secure In Security
Secure In Security — Cybersecurity Tools — IR, Cloud & Miscellaneous Contact About / Policy
Secure In Security
Cybersecurity Tools
In-Depth Technical Reference & Use Case Demonstrations
Incident Response  │  Cloud Security  │  Miscellaneous
About This Document

Introduction

This document provides in-depth technical descriptions, architectural overviews, key feature analyses, and practical use-case demonstrations for 29 cybersecurity tools across three domains: Incident Response  Cloud Security , and Miscellaneous. Each profile includes specific command-line examples, API calls, configuration excerpts, realistic enterprise scenarios, and measurable outcomes — enabling practitioners to understand both what each tool does and precisely how it is applied in real-world environments.

Tools span the full spectrum from free open-source platforms to commercial enterprise solutions, from historical tools of significant educational value to cutting-edge AI-driven detection systems. Command examples use realistic IP addressing, naming conventions, API structures, and operational parameters consistent with production deployment patterns.

Notice
All command examples are for educational purposes and authorised security operations only. Performing security testing, forensic investigation, or any offensive technique against systems without explicit written authorisation is illegal in most jurisdictions.
Section 1  │  Incident Response

Section 1: Incident Response

This section provides comprehensive profiles for 10 incident response tools (Tools 71–80) — architectures, operational capabilities, and real-world application scenarios.

71
TheHive
Open-Source Security Incident Response Platform

Overview

TheHive is a free, open-source Security Incident Response Platform (SIRP) providing SOC analysts and incident response teams with a collaborative, structured case management environment. Every incident is a Case containing Tasks (assigned to analysts with due dates and status tracking), Observables (IoCs automatically enriched via Cortex), and a Timeline. TheHive integrates natively with MISP for bidirectional threat intelligence sharing and Cortex for automated observable analysis through 100-plus analysers including VirusTotal, MISP lookup, Shodan, MaxMind GeoIP, and PassiveTotal.

Alert templates enable automatic case creation from SIEM alerts and email gateways, eliminating manual case setup for high-volume alert types. Cortex analysers can be triggered one-click or automatically — enriching every observable with intelligence from dozens of sources without analyst pivot work. TheHive 5 (commercial successor) adds SLA tracking, executive dashboards, and multi-organisational management.

Key Features & Components

Feature / ComponentDescription
Case and Task ManagementStructured incidents with analyst-assigned tasks, priority levels, due dates, status tracking, and collaborative annotation — complete incident lifecycle in a single shared workspace.
Observable Enrichment via CortexOne-click or automated IoC analysis through 100+ Cortex analysers — VirusTotal, MISP lookup, Shodan, Abuse.ch, PassiveTotal, MaxMind GeoIP — without manual pivoting.
MISP Bidirectional IntegrationImport MISP events as TheHive alerts; export confirmed case observables to MISP as community IoC contributions — closes the investigation-to-intelligence sharing loop.
Alert Ingestion and DeduplicationReceives alerts from SIEM, email, API, and ticketing sources — deduplicates related alerts into unified cases, preventing analyst workload fragmentation.
Multi-Tenant (MSSP) ArchitectureIsolated tenants per client organisation with role-based analyst access — MSSP analysts see only their assigned clients’ cases with complete data separation.
Full REST APIComplete programmatic case, task, observable, and alert management — enables SOAR integration, automated case creation, and custom workflow orchestration.
Scenario
A SOC team manages a coordinated phishing campaign targeting 50 finance staff using TheHive with Cortex and MISP integration. Alert ingestion from the email gateway auto-creates a unified case, Cortex analyses all attachment hashes and phishing URLs automatically, and confirmed IoCs are exported to MISP for community intelligence sharing.
Step-by-Step Command Walkthrough
THEHIVE_URL='https://thehive.corp.local:9000'
API_KEY='YOUR_THEHIVE_API_KEY'

# Step 1: Create phishing campaign case with pre-assigned tasks
curl -s -X POST "$THEHIVE_URL/api/case" \
  -H "Authorization: Bearer $API_KEY" \
  -H 'Content-Type: application/json' \
  -d '{
    "title":       "Phishing Campaign — Finance Dept Jun 2024",
    "description": "DocuSign-lure targeting 50 finance staff",
    "severity":3,"tlp":2,"pap":2,
    "tags":["phishing","finance","credential-harvest"],
    "tasks":[
      {"title":"Identify all recipients","assignee":"analyst1"},
      {"title":"Analyse attachment hashes","assignee":"analyst2"},
      {"title":"Block sender domains at GW","assignee":"analyst1"},
      {"title":"Reset click-through passwords","assignee":"analyst3"},
      {"title":"Export IoCs to MISP","assignee":"analyst2"}
    ]
  }'

# Step 2: Add phishing URL as observable
curl -s -X POST "$THEHIVE_URL/api/case/CASE_ID/artifact" \
  -H "Authorization: Bearer $API_KEY" \
  -H 'Content-Type: application/json' \
  -d '{"dataType":"url","data":"https://docusign-verify.malicious.xyz/login","tlp":2,"ioc":true}'

# Step 3: Trigger VirusTotal Cortex analyser
curl -s -X POST 'https://cortex.corp.local:9001/api/job' \
  -H "Authorization: Bearer $API_KEY" \
  -H 'Content-Type: application/json' \
  -d '{"analyzerId":"VirusTotal_GetReport_3_1","artifactType":"url",
       "artifactDefinition":{"data":"https://docusign-verify.malicious.xyz/login"}}'

# Step 4: Close case with resolution summary
curl -s -X PATCH "$THEHIVE_URL/api/case/CASE_ID" \
  -H "Authorization: Bearer $API_KEY" \
  -H 'Content-Type: application/json' \
  -d '{"status":"Resolved","resolutionStatus":"TruePositive",
       "summary":"Confirmed phishing. 4 click-throughs; passwords reset; 23 IoCs to MISP."}'
Outcome & Analysis
TheHive deduplicates 50 email gateway alerts into one unified campaign case. Cortex automatically analyses all 23 unique observables — 19 confirmed malicious via VirusTotal and PassiveTotal. Four click-through users are flagged for immediate password reset. IoCs are shared to MISP benefiting all connected community members. The entire triage cycle completes in 8 minutes versus 45 minutes manually — an 82% efficiency improvement.
72
MISP
Malware Information Sharing Platform — Open Source

Overview

MISP (Malware Information Sharing Platform) is a free, open-source threat intelligence platform for storing, sharing, and correlating indicators of compromise. Developed by CIRCL and maintained globally, MISP is deployed by national CERTs, ISACs, and enterprises worldwide. The data model organises intelligence into Events containing Attributes (IoCs), Objects, Tags (TLP levels, ATT&CK Galaxy), and Sightings.

MISP’s community sharing model — configurable sharing policies enabling automatic bidirectional intelligence propagation — is its most powerful characteristic. Native STIX 2.1 export and a built-in TAXII 2.1 server integrate with commercial TIPs and SIEMs. The automatic correlation engine surfaces relationships between attributes across all stored events instantly.

Key Features & Components

Feature / ComponentDescription
Rich Event Data ModelEvents with Attributes (IoCs), Objects, Tags (TLP/taxonomy/ATT&CK Galaxy), and Sightings — extensible structure for all intelligence types.
Community Sharing PoliciesConfigurable sharing from community-only to public — automatic bidirectional sync with CERT networks, ISACs, and trusted MISP instances worldwide.
Automatic Correlation EngineSurfaces attribute relationships across all stored events automatically — historical context appears instantly when a new event shares an indicator.
STIX 2.1 / TAXII 2.1 NativeBuilt-in STIX export and TAXII 2.1 server — integrates with ThreatConnect, Anomali, Splunk, QRadar, and Microsoft Sentinel for automated IoC distribution.
External Feed SubscriptionsSubscribes to abuse.ch URLhaus, FeodoTracker, OTX, MalwareBazaar, PhishTank — ingests, deduplicates, and correlates against the existing knowledge base.
MITRE ATT&CK Galaxy TaggingTags events with ATT&CK techniques, threat actor clusters, and malware families — structured adversary context enabling defenders to map intelligence to detection coverage.
Scenario
A national CERT uses MISP to coordinate real-time threat intelligence sharing during an active APT28 phishing campaign across 150 member organisations. A new C2 IP discovered by one member propagates to all 150 within minutes — enabling simultaneous collective defence across the entire community.
Step-by-Step Command Walkthrough
MISP_URL='https://misp.cert.gov'
MISP_KEY='YOUR_MISP_API_KEY'

# Create MISP event for APT28 campaign
curl -s -X POST "$MISP_URL/events" \
  -H "Authorization: $MISP_KEY" -H 'Content-Type: application/json' \
  -d '{"Event":{"info":"APT28 Spear-Phishing — Gov Ministries Jun 2024",
    "threat_level_id":"1","analysis":"2","distribution":"2",
    "Attribute":[
      {"type":"ip-dst","value":"203.0.113.45","to_ids":true,"comment":"APT28 C2 server"},
      {"type":"domain","value":"gov-update.malicious.xyz","to_ids":true},
      {"type":"sha256","value":"a1b2c3d4e5f678...","to_ids":true,"comment":"X-Agent dropper"},
      {"type":"email-src","value":"updates@gov-secure.malicious.xyz","to_ids":true}
    ]}}'

# Apply MITRE ATT&CK Galaxy tag
curl -s -X POST "$MISP_URL/events/addTag/EVENT_ID" \
  -H "Authorization: $MISP_KEY" \
  -d 'tag=misp-galaxy:mitre-attack-pattern="Spearphishing Link - T1566.001"'

# Search all events for specific IP
curl -s -X POST "$MISP_URL/attributes/restSearch" \
  -H "Authorization: $MISP_KEY" -H 'Content-Type: application/json' \
  -d '{"returnFormat":"json","value":"203.0.113.45","type":"ip-dst","to_ids":true}'

# Export as STIX 2.1 for SIEM ingestion
curl -s "$MISP_URL/events/restSearch/returnFormat:stix2/threat_level_id:1/to_ids:true" \
  -H "Authorization: $MISP_KEY"

# Add Sighting — confirm real-world observation
curl -s -X POST "$MISP_URL/sightings/add" \
  -H "Authorization: $MISP_KEY" -H 'Content-Type: application/json' \
  -d '{"value":"203.0.113.45","type":"0","source":"SIEM_FW_Alert_INC-2024-0847"}'
Outcome & Analysis
Adding the APT28 C2 IP triggers synchronisation to all 150 connected MISP instances within 3 minutes. Each member’s SIEM receives the updated IoC via TAXII — simultaneously adding it to detection rules and firewall blocklists. MISP’s correlation engine identifies the same IP appeared in an event 8 months ago attributed to a different APT28 campaign, confirming infrastructure reuse. The Sighting from INC-2024-0847 propagates community-wide, boosting indicator confidence for all members.
73
SIFT Workstation
SANS Investigative Forensic Toolkit — DFIR Platform

Overview

SIFT (SANS Investigative Forensic Toolkit) Workstation is a free, open-source Ubuntu-based virtual machine providing a standardised, court-admissible forensic investigation environment with 200-plus pre-installed tools. SIFT covers disk forensics, memory forensics, network forensics, timeline generation (correlating events from 50-plus artefact types), YARA malware scanning, and log analysis.

Key tools include Autopsy (graphical forensic case management), Volatility 3 (memory forensics), Plaso/log2timeline (super-timeline generation), YARA (malware pattern matching), bulk_extractor (evidence carving), RegRipper (Windows Registry analysis), NetworkMiner, and Wireshark/tshark. Available as a VMware/VirtualBox VM or Ubuntu 22.04 LTS installation script with WSL2 compatibility.

Key Features & Components

Feature / ComponentDescription
200+ Pre-Installed DFIR ToolsTools for disk, memory, network, timeline, log, and malware forensics — version-controlled, pre-configured to work together without compatibility conflicts.
Autopsy (GUI Case Management)Graphical forensic case management: disk image ingestion, keyword search, file carving, deleted file recovery, browser artefact extraction, and chain-of-custody reporting.
Volatility 3 (Memory Forensics)Plugin-based RAM analysis: process listing, network connections, cmdline reconstruction, injected code detection, credential recovery, and rootkit detection.
Plaso / log2timeline (Supertimeline)Ingests 50+ log/artefact types into a unified chronological supertimeline — Windows Event Logs, prefetch, browser history, MFT, registry, and LNK files correlated in one view.
YARA Pattern MatchingEvaluates YARA rules against memory dumps, disk images, and extracted files — detects known malware families and custom threat actor tooling across evidence.
Standardised Court-Admissible EnvironmentVM or WSL2 installation ensures reproducible, defensible findings — documented tool versions and methodology meeting evidentiary standards for legal proceedings.
Scenario
A DFIR analyst investigates a ransomware incident on a Windows Server 2019 using SIFT — acquiring a memory image and forensic disk image, performing Volatility 3 memory analysis to identify the ransomware process and injected code, and building a supertimeline to reconstruct the complete attack chain from initial access to ransom deployment.
Step-by-Step Command Walkthrough
CASE='/cases/INC-2024-0847'
mkdir -p $CASE/evidence $CASE/analysis $CASE/reports

# PHASE 1: ACQUISITION
scp analyst@victim-srv:/C/memory_VICTIM-SRV_20240617.raw $CASE/evidence/

ewfacquire /dev/sdb \
  -t $CASE/evidence/disk_VICTIM-SRV \
  -C 'INC-2024-0847 Victim Server' \
  -e analyst@corp.com \
  -m fixed -M logical -c best

ewfverify $CASE/evidence/disk_VICTIM-SRV.E01
# MD5 hash verified — acquisition integrity confirmed

# PHASE 2: MEMORY ANALYSIS (Volatility 3)
MEMFILE="$CASE/evidence/memory_VICTIM-SRV_20240617.raw"
vol3 -f $MEMFILE windows.info.Info         | tee $CASE/analysis/os_info.txt
vol3 -f $MEMFILE windows.pslist.PsList     | tee $CASE/analysis/pslist.txt
vol3 -f $MEMFILE windows.malfind.Malfind   | tee $CASE/analysis/malfind.txt
vol3 -f $MEMFILE windows.netscan.NetScan   | grep -v CLOSED | tee $CASE/analysis/netscan.txt
vol3 -f $MEMFILE windows.cmdline.CmdLine   | tee $CASE/analysis/cmdline.txt
vol3 -f $MEMFILE windows.hashdump.Hashdump | tee $CASE/analysis/hashes.txt

# YARA scan for BlackCat ransomware
vol3 -f $MEMFILE windows.vadyarascan.VadYaraScan \
  --yara-rules /opt/yara-rules/ransomware/blackcat.yar

# PHASE 3: SUPERTIMELINE
log2timeline.py -z UTC \
  --storage-file $CASE/analysis/timeline.plaso \
  $CASE/evidence/disk_VICTIM-SRV.E01

psort.py -z UTC -o l2tcsv \
  -w $CASE/analysis/timeline_filtered.csv \
  $CASE/analysis/timeline.plaso \
  "date > '2024-06-12' AND date < '2024-06-18'" 
Outcome & Analysis
SIFT analysis reconstructs the full attack chain: RDP brute-force initial access at 02:17 AM on Day 1 (4,847 failed Event ID 4625 logons then a successful 4624), 4 days of reconnaissance, Active Directory database access (ntds.dit) on Day 3, and BlackCat ransomware deployment from a scheduled task on Day 5. Volatility 3 malfind identifies Cobalt Strike shellcode injected into svchost.exe. The supertimeline provides 847,000 sorted events giving legal counsel precise timing for regulatory notification and law enforcement referral.
74
GRR Rapid Response
Fleet-Scale Remote Forensics Framework — Google

Overview

GRR Rapid Response is an open-source incident response framework developed by Google, enabling remote live forensics at enterprise scale. Analysts can simultaneously query thousands of endpoints for forensic artefacts and IoC presence without physical access or full disk imaging. Flows define specific forensic collection tasks; Hunts extend the same Flow to any number of endpoints simultaneously.

GRR’s fleet-wide YARA scanning enables searching across all endpoint memory and disk files simultaneously for malware signatures without acquiring individual images. The Virtual File System (VFS) browser allows real-time remote file system browsing from the GRR console. The full artefact set covers Registry hives, Event Logs, prefetch, shimcache, amcache, LNK files, and browser history. Google uses GRR internally for incident response across its global infrastructure.

Key Features & Components

Feature / ComponentDescription
Fleet-Scale Remote ForensicsQueries thousands of endpoints simultaneously without physical access or disk imaging — complete incident scoping in minutes across the entire enterprise.
Hunts (Fleet-Wide Queries)Extends any forensic Flow to all enrolled endpoints simultaneously — YARA scanning, file collection, registry hunting, and process analysis fleet-wide with one definition.
Memory and Disk YARA ScanningExecutes YARA rules across all endpoint process memory and disk files simultaneously — fleet-wide malware hunting without individual image acquisition.
Virtual File System (VFS) BrowserReal-time remote file system browsing from the GRR console — navigate directory trees, inspect files, and collect specific items without remote desktop.
Comprehensive Artefact CollectionCollects Registry hives, Event Logs, prefetch, shimcache, amcache, LNK files, browser history, and hundreds of forensically relevant artefacts on demand.
Enterprise-Scale ArchitectureHandles hundreds of thousands of endpoints — stateless server design scales horizontally with additional GRR workers as endpoint count grows.
Scenario
After receiving threat intelligence about a specific BlackCat ransomware loader, the IR team uses GRR to run a YARA Hunt across all 3,000 corporate Windows endpoints simultaneously — identifying every compromised machine in 17 minutes without imaging a single disk.
Step-by-Step Command Walkthrough
from grr_api_client import api as grr_api
import time

grrapi = grr_api.InitHttp(
    api_endpoint='https://grrserver.corp.local:8000',
    auth=('admin', 'GRRAdminPass2024!'))

YARA_RULE = '''
rule BlackCat_ALPHV_Loader {
  meta: author = "CorpSOC"
  strings:
    $s1 = "alphv" nocase wide ascii
    $s2 = { 42 6C 61 63 6B 43 61 74 }
    $s3 = "Salsa20" nocase
  condition: 2 of them
}
'''

hunt = grrapi.CreateHunt(
    flow_name='YaraProcessScan',
    flow_args=grrapi.types.YaraProcessScan(
        yara_signature=YARA_RULE, scan_runtime_us=60000000),
    hunt_runner_args=grrapi.types.HuntRunnerArgs(
        description='BlackCat YARA Hunt Jun2024',
        client_limit=0,
        expiry_time=grrapi.types.Duration(seconds=3600)))
hunt.Start()
print(f'Hunt started: {hunt.hunt_id}')

while True:
    h = grrapi.Hunt(hunt.hunt_id).Get()
    print(f'Clients: {h.data.all_clients_count} | Hits: {h.data.num_clients_with_results}')
    if h.data.state == 3: break
    time.sleep(30)

print('Compromised endpoints:')
for r in grrapi.Hunt(hunt.hunt_id).Results():
    print(f'  YARA MATCH: {r.client_id}')
Outcome & Analysis
The GRR YARA Hunt completes across 3,000 Windows endpoints in 17 minutes. Seven endpoints show BlackCat loader signatures in process memory; the file path hunt finds the loader DLL at C:\Windows\Temp\svchost64.dll on 4 of those 7 hosts. All 7 are immediately network-isolated via automated ACL changes. The IR team delivers a definitive scope — 7 compromised machines — to the CISO for board notification without imaging a single disk.
75
Velociraptor
High-Performance Endpoint DFIR with VQL

Overview

Velociraptor is a free, open-source, high-performance endpoint visibility and digital forensics platform. It introduces VQL (Velociraptor Query Language) — a SQL-like query language purpose-built for endpoint forensics — enabling analysts to write expressive, reusable forensic queries executed simultaneously across thousands of enrolled endpoints. The Go-based architecture handles tens of thousands of concurrent clients on modest infrastructure.

The Velociraptor Artifact Exchange contains 400-plus pre-built Artifacts covering Windows NTFS/MFT forensics, browser history, registry analysis, Linux and macOS forensics, cloud service artefacts (AWS metadata, Azure IMDS), and security tool artefacts. Live Response provides real-time interactive shell access to any enrolled endpoint for surgical file collection, process termination, and immediate remediation without full disk reimaging.

Key Features & Components

Feature / ComponentDescription
VQL (Velociraptor Query Language)SQL-like endpoint forensic query language — selects from endpoint data sources with WHERE clauses, JOINs, and output formatting; complex multi-step queries without custom code.
400+ Artifact Exchange LibraryCommunity-contributed forensic Artifacts for Windows, macOS, Linux — NTFS/MFT, prefetch, shimcache, browser history, registry, cloud metadata, and security tool artefacts.
Fleet-Wide HuntsPushes any VQL Artifact to all enrolled endpoints simultaneously — collects and correlates results in the server notebook without individual endpoint access.
YARA Memory and Disk ScanningExecutes YARA rules against process memory and on-disk files across the entire fleet — fleet-wide malware hunting without individual forensic image acquisition.
Live Response (Interactive Shell)Real-time interactive endpoint access — file system navigation, process management, file upload/download, command execution, and registry access for surgical remediation.
Server-Side NotebooksCollaborative investigation notebooks combining VQL queries, result visualisations, and analyst commentary — structured investigation documentation shared in real time.
Scenario
An IR analyst hunts for Qbot banking trojan persistence across 500 Windows endpoints. Velociraptor simultaneously collects registry Run keys, scheduled tasks, and WMI subscriptions from all endpoints — identifying 5 infected machines in 9 minutes and immediately collecting malicious binaries via Live Response.
Step-by-Step Command Walkthrough
# HUNT 1: Qbot registry Run key persistence (VQL Hunt to all 500 endpoints)
SELECT
  client_info().Hostname AS Hostname,
  Key.ModTime AS LastModified, Key.Name AS RunKeyName, Key.Data.value AS CommandValue
FROM foreach(
  row={SELECT * FROM clients()},
  query={
    SELECT ModTime, Name, Data FROM read_reg_key(
      globs=['HKLM/SOFTWARE/Microsoft/Windows/CurrentVersion/Run/*',
             'HKCU/SOFTWARE/Microsoft/Windows/CurrentVersion/Run/*'])
    WHERE Data.value =~ '(?i)(regsvr32|rundll32|mshta|wscript)'
    AND   Data.value =~ '(?i)(Temp|AppData|ProgramData)'
  })

# HUNT 2: Qbot scheduled task (random name with base64 cmd)
SELECT client_info().Hostname AS Hostname, Name, Command, Arguments, User, Enabled
FROM Artifact.Windows.System.ScheduledTasks()
WHERE (Command =~ '(?i)(cmd|powershell|wscript)' AND Arguments =~ '(?i)(base64|-enc)')
OR    Name =~ '^[A-Z0-9]{6,10}$'

# HUNT 3: Fleet-wide YARA memory scan for Qbot
SELECT * FROM foreach(
  row={SELECT * FROM clients()},
  query={SELECT * FROM yara(
    rules='''rule Qbot { strings: $s1="qbot" nocase condition: $s1 }''',
    pid='*')})

# LIVE RESPONSE: collect binary and remediate on FINANCE-WS-14
LET binary = upload(accessor='file', filename='C:/Windows/Temp/svchost64.dll')
SELECT * FROM binary
LET kill = execve(argv=['taskkill','/F','/PID','4521'])
SELECT * FROM kill
Outcome & Analysis
Velociraptor completes the fleet-wide hunt across 500 Windows endpoints in 9 minutes. Registry Run key analysis identifies 5 endpoints with base64-encoded Rundll32 persistence entries in AppData. YARA memory scanning confirms Qbot signatures on all 5. Live Response on each host collects the malicious DLL, terminates the malicious process, and removes registry persistence — complete surgical remediation in 25 minutes from hunt completion, without reimaging any disk.
76
Carbon Black Response (VMware Carbon Black EDR)
Continuous Endpoint Telemetry & Retrospective Threat Hunting

Overview

Carbon Black Response (now VMware Carbon Black EDR following Broadcom’s acquisition) is an enterprise EDR platform providing continuous endpoint telemetry recording, real-time threat hunting across historical data, and live response capabilities. Carbon Black’s defining principle is continuous recording: every process execution, file write, registry change, and network connection on every enrolled endpoint is captured and retained in a centralised, searchable database for weeks or months — enabling retroactive forensic investigation of activity that occurred days before any alert was raised.

The threat hunting model uses the cbapi Python library and web-based Threat Hunting interface — analysts write SQL-like queries against the central telemetry database for specific processes, parent-child relationships, command-line patterns, and network connections across all endpoints simultaneously. Binary Reputation automatically classifies executed binaries via Carbon Black’s global threat intelligence network.

Key Features & Components

Feature / ComponentDescription
Continuous Endpoint TelemetryRecords every process, file write, registry change, and network connection on all endpoints — searchable for weeks or months enabling retroactive forensic investigation.
Process Tree VisualisationInteractive process execution tree showing parent-child relationships, command-line arguments, file operations, and network connections for any historical process.
Binary Reputation (Cloud TI)Automatic classification of all executed binaries via Carbon Black’s global threat intelligence network — surfaces unknown-reputation executables before they trigger detections.
Live Response (Remote Shell)Real-time interactive shell, file system access, process management, and file retrieval from any enrolled endpoint — surgical investigation and remediation.
cbapi Python LibraryProgrammatic access to all endpoint telemetry — custom hunt scripts, automated alert triage, SOAR integration, and bulk threat investigation workflows.
Watchlist and Feed IntegrationAutomated alerting on IoC and behavioural pattern matches against continuous telemetry — Carbon Black community feeds and custom watchlists.
Scenario
A threat hunter investigates a SIEM behavioural alert using Carbon Black Response’s retrospective telemetry. Hunting 30-day historical data reveals the Cobalt Strike infection began 12 days before the SIEM alert — identifying patient zero and the complete lateral movement path across 4 hosts.
Step-by-Step Command Walkthrough
from cbapi.response import CbResponseAPI, Process
cb = CbResponseAPI(url='https://cbresponse.corp.local', token='CB_API_TOKEN', ssl_verify=True)

# HUNT 1: PowerShell encoded download cradles (last 30 days)
for proc in cb.select(Process).where(
    'process_name:powershell.exe AND cmdline:encodedcommand AND cmdline:downloadstring'):
    print(f'Host:{proc.hostname} | Time:{proc.start} | Parent:{proc.parent.process_name}')
    print(f'Cmd:{proc.cmdline[:200]}')

# HUNT 2: External network connections from PowerShell
for proc in cb.select(Process).where(
    'process_name:powershell.exe AND netconn_count:[1 TO *]'):
    for nc in proc.netconns:
        if not any(nc.remote_ip.startswith(p) for p in ('10.','172.16.','192.168.','127.')):
            print(f'Host:{proc.hostname} | C2:{nc.remote_ip}:{nc.remote_port}')

# HUNT 3: Office spawning shell processes (macro execution)
for parent in ['winword.exe','excel.exe','powerpnt.exe']:
    for child in ['powershell.exe','cmd.exe','wscript.exe','mshta.exe']:
        for proc in cb.select(Process).where(f'parent_name:{parent} AND process_name:{child}'):
            print(f'SUSPICIOUS: {proc.hostname} | {parent} -> {child}')
            print(f'  CmdLine: {proc.cmdline[:150]}')

# LIVE RESPONSE: collect binary and terminate process
sensor = cb.select('Sensor').where('hostname:DESKTOP-FINANCE-14').first()
with sensor.lr_session() as lr:
    lr.get_file(r'C:\Windows\Temp\svchost64.dll', '/cases/INC-2024-0847/svchost64.dll')
    lr.kill_process(4521)
    lr.delete_file(r'C:\Windows\Temp\svchost64.dll')
Outcome & Analysis
Carbon Black retrospective hunting reveals Cobalt Strike has operated on DESKTOP-FINANCE-14 for 12 days before the SIEM alert. The process tree shows an Excel macro (CVE-2022-30190 Follina) spawned PowerShell on Day 1, downloading and executing the Cobalt Strike reflective DLL loader. Network telemetry reveals the C2 IP and lateral movement to 3 additional hosts via WMI on Day 3 and admin share access to DC-CORP-02 on Day 8. All 4 hosts are isolated with a complete 12-day evidence trail supporting legal and regulatory notifications.
77
Cybereason
AI-Driven EDR & XDR with MalOp Narrative Detection

Overview

Cybereason is an AI-driven EDR and XDR platform presenting security incidents as complete attack narrative stories — MalOps (Malicious Operations) — rather than thousands of individual disconnected alerts. The Cross-Machine Correlation AI engine analyses process execution, file operations, registry activity, network connections, user identity, and DNS queries across all enrolled endpoints simultaneously, correlating related indicators into a single unified MalOp representing the complete attack chain.

The MalOp view surfaces the entire attack story in one interface: affected machines and user accounts, a chronological attack timeline, the root cause process, mapped MITRE ATT&CK techniques, and one-click remediation options. AI-powered prevention uses ML models trained on billions of endpoint behaviours to block novel malware at execution time without signature updates.

Key Features & Components

Feature / ComponentDescription
MalOp Narrative (Complete Attack Story)Groups all related attack indicators into one complete attack story with timeline, affected assets, root cause, ATT&CK mapping, and remediation — eliminates alert fragmentation.
Cross-Machine Correlation AISimultaneously correlates process, file, network, identity, and DNS activity across all endpoints — detects multi-stage attacks spanning multiple machines and accounts.
AI-Powered Behavioural PreventionML models trained on billions of endpoint behaviours detect and block novel malware at execution time — no signature updates required.
Visual Attack TimelineInteractive timeline showing every attacker action from initial compromise through lateral movement and payload delivery — full process and network context at each step.
One-Click RemediationProcess kill, file quarantine, persistence removal, and network isolation suggested and executed directly from the MalOp panel — no separate tool required.
MITRE ATT&CK Auto-MappingEvery MalOp attack step automatically mapped to ATT&CK techniques and sub-techniques — enables immediate control gap analysis from investigation findings.
Scenario
Cybereason detects a multi-stage attack spanning three endpoints within 8 minutes — presenting phishing initial access, Mimikatz credential dumping, and WMI lateral movement to a domain controller as a single MalOp with one-click remediation across all affected hosts.
Step-by-Step Command Walkthrough
# Step 1: Authenticate to Cybereason
curl -s -c /tmp/cyb_cookies.txt -X POST \
  'https://cybereason.corp.local:8443/login.html' \
  -d 'username=admin&password=CybAdminPass2024!'

# Step 2: Query all unresolved MalOps
curl -s -b /tmp/cyb_cookies.txt -X POST \
  'https://cybereason.corp.local:8443/rest/crimes/unified?crimeStatus=UNRESOLVED' \
  -H 'Content-Type: application/json' \
  -d '{"templateContext":"OVERVIEW","filters":[{"fieldName":"malopActivityTypes",
    "operator":"ContainsAnyOf","values":["MALICIOUS_INFECTION","RANSOMWARE","LATERAL_MOVEMENT"]}]}'

# Step 3: Network-isolate ALL machines in the MalOp
curl -s -b /tmp/cyb_cookies.txt -X POST \
  'https://cybereason.corp.local:8443/rest/sensors/action' \
  -H 'Content-Type: application/json' \
  -d '{"action":"ISOLATE","filters":[{"fieldName":"malopGuid",
    "operator":"ContainsAnyOf","values":["MALOP_GUID"]}]}'

# Step 4: Kill processes and remove persistence
curl -s -b /tmp/cyb_cookies.txt -X POST \
  'https://cybereason.corp.local:8443/rest/remediate' \
  -H 'Content-Type: application/json' \
  -d '{"malopId":"MALOP_GUID","remediationItems":[
    {"actionType":"KILL_PROCESS","elementType":"PROCESS","elementValues":["PROC_ID_1","PROC_ID_2"]},
    {"actionType":"DELETE_REGISTRY_KEY","elementType":"REGISTRY_KEY","elementValues":["REG_KEY_GUID_1"]}
  ]}'
Outcome & Analysis
Cybereason presents phishing initial access, Mimikatz credential dumping (T1003.001), and WMI lateral movement (T1021.006) to the domain controller as a single MalOp — 3 machines, complete attack story, 12-minute investigation. One-click remediation simultaneously terminates malicious processes, removes persistence, and isolates all 3 hosts. The ATT&CK auto-mapping immediately reveals a T1003.001 detection gap — no SIEM rule existed for Mimikatz LSASS access — enabling the team to deploy a new detection rule before closing the incident.
78
IBM Resilient (QRadar SOAR)
Security Orchestration, Automation & Response — IBM Security

Overview

IBM Resilient (now IBM Security QRadar SOAR, following IBM’s 2016 acquisition) is the pioneering SOAR platform providing structured case management, dynamic playbook automation, and incident response coordination. Co-founded by Bruce Schneier in 2010, it was among the first platforms to formalise machine-speed, multi-tool response orchestration as a core SOC capability — recognising that effective IR is as much a legal and regulatory process as a technical one.

IBM Resilient’s Dynamic Playbooks are condition-driven — execution paths adapt based on incident type, severity, regulatory jurisdiction, data categories involved, and user-defined conditions. The data privacy module calculates breach notification obligations under GDPR, HIPAA, CCPA, PCI DSS, and 50-plus regulations automatically — converting complex multi-jurisdictional compliance into documented automated decisions.

Key Features & Components

Feature / ComponentDescription
Dynamic Condition-Driven PlaybooksAdapts execution paths based on incident type, severity, jurisdiction, and data categories — one playbook intelligently handles multiple scenario variants.
200+ Integration Hub ConnectorsPre-built integrations with SIEM (QRadar, Splunk), EDR (CrowdStrike, Carbon Black), TI (Recorded Future, MISP), and ticketing (ServiceNow, Jira) for orchestrated response.
Jurisdiction-Aware Breach NotificationAutomatically calculates regulatory obligations under GDPR, HIPAA, CCPA, PCI DSS, and 50+ regulations — converts complex compliance analysis into documented decisions.
Role-Based Task Assignment with SLAsAssigns response tasks to analysts or roles with SLAs, escalation rules, and completion tracking — structured team coordination for complex incidents.
MTTD / MTTR MetricsTracks Mean Time to Detect, Mean Time to Respond, SLA compliance, incident volume, and analyst performance — management-level SOC programme reporting.
Evidence Chain-of-Custody ManagementFiles, screenshots, exported logs, and analyst notes with timestamp and actor attribution — forensic evidence management for legal and regulatory proceedings.
Scenario
IBM Resilient orchestrates a complete ransomware response across 14 tool integrations — automatically enriching with TI, isolating endpoints, notifying stakeholders, calculating GDPR and PCI DSS obligations, and generating the post-incident legal brief — with only 2 manual decision gates required.
Step-by-Step Command Walkthrough
# Step 1: Authenticate
curl -s -c /tmp/res_cookies.txt -X POST 'https://resilient.corp.local/rest/session' \
  -H 'Content-Type: application/json' \
  -d '{"email":"admin@corp.com","password":"ResilientAdmin2024!"}'

# Step 2: Create ransomware incident with jurisdictional context
INC_ID=$(curl -s -b /tmp/res_cookies.txt \
  -X POST 'https://resilient.corp.local/rest/orgs/201/incidents' \
  -H 'Authorization: HMAC-RESAUTH' -H 'Content-Type: application/json' \
  -d '{"name":"BlackCat Ransomware — Finance Servers Jun2024",
    "incident_type_ids":[17],"severity_code":{"name":"High"},
    "properties":{"affected_countries":["US","UK","DE"],
      "data_compromised":true,"pii_involved":true,"pci_data_involved":true,
      "employee_count":847,"regulatory_exposure":["GDPR","CCPA","PCI_DSS_4"]}}' \
  | python3 -c "import sys,json;print(json.load(sys.stdin)['id'])")
echo "Created incident: INC-$INC_ID"

# Playbook Ransomware_Response_v4 auto-executes:
# Step A (auto): Recorded Future — enrich C2 IPs
# Step B (auto): CrowdStrike — isolate affected endpoints
# Step C (auto): Palo Alto — block C2 IPs at perimeter
# Step D (auto): PagerDuty — page on-call IR lead
# Step E (auto): Slack — notify CISO and #sec-incidents
# Step F (auto): ServiceNow — create P1 ticket
# Step G (MANUAL): IR lead confirms ransom decision
# Step H (auto): Calculate GDPR 72-hr notification clock
# Step I (auto): Calculate PCI DSS forensic investigation timeline
# Step J (auto): Generate breach notification letters (ICO, BfDI)
# Step K (MANUAL): Legal approves draft notifications
# Step L (auto): Preserve forensic evidence to immutable storage
# Step M (auto): Generate complete post-incident report
Outcome & Analysis
IBM Resilient executes 11 automated steps in 95 seconds: all 6 C2 IPs confirmed as BlackCat infrastructure by Recorded Future (scores 92–98), 8 servers isolated via CrowdStrike, perimeter blocks applied via Palo Alto, on-call lead paged, CISO notified, ServiceNow P1 ticket created. The data privacy module calculates GDPR Article 33 notification obligations (UK ICO and German BfDI within 72 hours) and generates draft breach notifications. Only 2 manual gates occur: the ransom decision (declined) and legal’s notification approval. MTTD: 6 minutes. MTTR: 5 hours 41 minutes. Complete multi-jurisdictional regulatory response automated.
79
Cofense Triage
Enterprise Phishing Response Automation Platform

Overview

Cofense Triage is an enterprise phishing response automation platform reducing analyst time required to process, investigate, and respond to employee-reported phishing emails. In large organisations, the Cofense PhishMe Reporter button generates hundreds to thousands of reported emails daily. Cofense Triage automates triage, clustering, analysis, and response using clustering algorithms, YARA rules, URL and file hash reputation lookups, and ML classification.

The Vision feature provides retroactive organisation-wide email search — after identifying a malicious campaign in reported emails, Vision automatically finds all similar unreported emails sent to any employee and quarantines them simultaneously. This is the most operationally impactful capability: eliminating risk from the 85-95% of malicious emails that employees receive but never report.

Key Features & Components

Feature / ComponentDescription
Automated Email ClusteringGroups similar phishing emails by sender infrastructure, URL patterns, and attachment hashes — analysts investigate one cluster representative, not hundreds of individual emails.
YARA and Reputation AnalysisEvaluates reported emails against YARA rules, URL reputation (VirusTotal, PhishTank), and hash databases — automated malicious/safe verdicts for known-bad indicators.
Vision (Retroactive Org-Wide Quarantine)Finds ALL similar emails across the organisation after identifying a malicious campaign — quarantines unreported copies before recipients click harmful links.
Automated Gateway IntegrationIntegrates with Microsoft 365 Defender, Google Workspace, Proofpoint, and Mimecast — quarantines emails from all inboxes simultaneously via API.
IoC Extraction and SIEM SharingExtracts URLs, domains, IPs, hashes, and sender details from malicious emails — automatically shares with MISP, Splunk, and ThreatConnect for fleet-wide detection.
Reporter Risk ScoringTracks per-employee reporting accuracy — identifies employees who repeatedly click phishing vs. accurately report; prioritises high-risk individuals for targeted training.
Scenario
3,200 employee-reported phishing emails arrive during a 4-hour window from a BlackCat ransomware delivery campaign. Cofense Triage clusters the 3,200 reports into 28 unique campaigns, identifies 4 as malicious delivery mechanisms, and uses Vision to find and quarantine 1,200 unreported copies across all employee inboxes.
Step-by-Step Command Walkthrough
TOKEN=$(curl -s -X POST 'https://triage.corp.local/api/oauth/token' \
  -d 'grant_type=client_credentials&client_id=TRIAGE_ID&client_secret=TRIAGE_SECRET' \
  | python3 -c "import sys,json;print(json.load(sys.stdin)['access_token'])")

# Get all unprocessed phishing reports
curl -s 'https://triage.corp.local/api/public/v2/reports?filter[report_type]=phishing&filter[match_priority]=0&page[size]=100' \
  -H "Authorization: Bearer $TOKEN"

# Get all clusters from today
TODAY=$(date -u +%Y-%m-%dT00:00:00Z)
curl -s "https://triage.corp.local/api/public/v2/clusters?filter[created_at_gteq]=$TODAY" \
  -H "Authorization: Bearer $TOKEN" \
  | python3 -c "
import sys, json
clusters = json.load(sys.stdin)['data']
print(f'Clusters today: {len(clusters)}')
for c in clusters:
    a = c['attributes']
    print(f'  ID:{c["id"]} | Priority:{a["match_priority"]} | Reports:{a["report_count"]}')"

# Mark cluster malicious — triggers quarantine + IoC extraction
curl -s -X PATCH 'https://triage.corp.local/api/public/v2/clusters/CLUSTER_ID' \
  -H "Authorization: Bearer $TOKEN" -H 'Content-Type: application/json' \
  -d '{"data":{"type":"clusters","id":"CLUSTER_ID","attributes":{"match_priority":1}}}'

# Vision: find and quarantine ALL similar emails organisation-wide
curl -s -X POST 'https://triage.corp.local/api/public/v2/searches' \
  -H "Authorization: Bearer $TOKEN" -H 'Content-Type: application/json' \
  -d '{"data":{"type":"searches","attributes":{"cluster_id":"CLUSTER_ID","auto_quarantine":true}}}'
Outcome & Analysis
Cofense Triage processes all 3,200 reported emails in 11 minutes — clustering into 28 campaigns. Four confirmed malicious via YARA and VirusTotal (45+ engine detections). Vision quarantines 1,200 additional unreported copies from all inboxes before any recipient clicks. Total analyst time: 34 minutes to review 28 cluster summaries. Without Cofense Triage, 3,200 emails requiring manual triage would take approximately 2,400 analyst-hours. IoCs exported to Splunk and MISP block the delivery infrastructure fleet-wide.
80
D3 Security
Next-Generation SOAR & Smart Incident Management

Overview

D3 Security is a next-generation SOAR and incident management platform delivering end-to-end security operations automation from alert ingestion through investigation, containment, recovery, and post-incident reporting. D3’s Smart SOAR architecture auto-enriches every incoming alert with contextual data from all integrated tools before an analyst sees it — SIEM alert arrives → VirusTotal enrichment → TI lookup → EDR device context → Shodan network intel → single pre-enriched view. This addresses the primary SOC inefficiency where analysts spend 70-80% of alert investigation time gathering context that automation can provide in seconds.

D3’s no-code playbook builder enables analysts without programming backgrounds to create sophisticated multi-step automation workflows. The Global Playbook Library contains 1,000-plus pre-built playbooks covering ransomware, phishing, insider threat, cloud incidents, and compliance workflows. The platform connects to 2,500-plus security tools.

Key Features & Components

Feature / ComponentDescription
Smart SOAR Auto-EnrichmentAutomatically enriches every incoming alert with TI, device context, network intelligence, and user data before analyst review — eliminates manual context gathering.
1,000+ Pre-Built PlaybooksRansomware, phishing, insider threat, cloud, vulnerability, and compliance automation — ready to deploy or customise for specific organisational requirements.
No-Code Playbook BuilderVisual drag-and-drop automation builder enabling analysts without coding skills to create sophisticated multi-step workflows connecting any tools.
2,500+ Native IntegrationsPre-built connectors to SIEM, EDR, TI, firewall, IAM, ticketing, and communication platforms — any tool combination orchestrated without custom development.
Post-Incident ReportingAuto-generated reports with timeline, actions, MTTD/MTTR, regulatory impact, and lessons learned — board, auditor, and insurance ready.
MITRE ATT&CK Coverage TrackingEvery detection and response action mapped to ATT&CK — systematic tracking of coverage gaps across the entire ATT&CK matrix.
Scenario
A financial institution uses D3 Smart SOAR to automate complete ransomware response — from CrowdStrike detection through endpoint isolation, TI enrichment, regulatory analysis, executive notification, and post-incident reporting — with only 2 manual decision gates.
Step-by-Step Command Walkthrough
TOKEN=$(curl -s -X POST 'https://d3soar.corp.local/api/login' \
  -H 'Content-Type: application/json' \
  -d '{"username":"soar_admin","password":"D3SmartSOAR2024!"}' \
  | python3 -c "import sys,json;print(json.load(sys.stdin)['token'])")

INC=$(curl -s -X POST 'https://d3soar.corp.local/api/incidents' \
  -H "Authorization: Bearer $TOKEN" -H 'Content-Type: application/json' \
  -d '{"name":"BlackCat Ransomware — Finance Dept Jun2024","severity":"Critical",
    "category":"Ransomware","source":"CrowdStrike Falcon EDR",
    "assets":["FINANCE-SRV-01","FINANCE-SRV-02"],
    "playbook":"Ransomware_Response_Financial_v4",
    "context":{"pii_involved":true,"pci_involved":true,"jurisdictions":["US","UK","EU"]}}')

# Automated playbook: Ransomware_Response_Financial_v4
# STEP 01 (auto): Recorded Future — enrich C2 IPs/hashes
# STEP 02 (auto): CrowdStrike — isolate affected endpoints
# STEP 03 (auto): Palo Alto NGFW — block all C2 IPs/domains
# STEP 04 (auto): Active Directory — disable affected accounts
# STEP 05 (auto): PagerDuty — page IR lead
# STEP 06 (auto): Slack — notify CISO and exec channel
# STEP 07 (auto): ServiceNow — create P1 ticket
# STEP 08 (MANUAL): IR lead confirms ransom decision
# STEP 09 (auto): Calculate GDPR + PCI notification obligations
# STEP 10 (auto): Draft regulatory letters (ICO, BfDI, SEC 8-K)
# STEP 11 (auto): Generate cyber-insurance claim documentation
# STEP 12 (MANUAL): Legal approves notifications
# STEP 13 (auto): Preserve forensic evidence (immutable S3)
# STEP 14 (auto): Generate post-incident report
Outcome & Analysis
D3 Smart SOAR executes the first 7 automated steps in 108 seconds: all C2 IPs confirmed BlackCat infrastructure by Recorded Future (Risk 95–99), assets isolated via CrowdStrike, C2 blocked by Palo Alto, affected AD accounts disabled, IR lead paged, CISO notified via Slack, ServiceNow P1 ticket created. GDPR notifications calculated (72-hour ICO and BfDI clock started) with draft letters generated. Legal approves in 3 hours. Post-incident report auto-generated. MTTD: 4 minutes. MTTR: 4 hours 51 minutes. 12 automated steps, 2 manual decisions, 9 integrations used.
Section 2  │  Cloud Security

Section 2: Cloud Security

This section provides comprehensive profiles for 10 cloud security tools (Tools 81–90) — architectures, operational capabilities, and real-world application scenarios.

81
AWS Shield
Managed DDoS Protection — Amazon Web Services

Overview

AWS Shield is Amazon Web Services’ managed DDoS protection service with two tiers. AWS Shield Standard is automatically applied free of charge to all AWS customers, providing always-on detection and automatic mitigation against common Layer 3 and Layer 4 attacks: UDP amplification (DNS, NTP, SSDP, Chargen), SYN floods, ACK floods, TCP state exhaustion, ICMP floods, and reflection attacks — using AWS’s globally distributed anycast network.

AWS Shield Advanced extends protection to application-layer (Layer 7) attacks against CloudFront, Application Load Balancers, Route 53, EC2 Elastic IPs, and AWS Global Accelerator. Advanced provides near-real-time attack visibility through Amazon CloudWatch metrics with 1-minute granularity, AWS WAF integration for custom L7 rule deployment during attacks, and access to the AWS Shield Response Team (SRT) — DDoS experts available 24/7. DDoS Cost Protection reimburses CloudFront, Route 53, ELB, and EC2 Auto Scaling charges resulting from volumetric attacks.

Key Features & Components

Feature / ComponentDescription
L3/L4 Standard Protection (Free)Always-on automatic mitigation of volumetric, state exhaustion, and reflection attacks for all AWS resources — no configuration required.
L7 Application Protection (Advanced)HTTP flood, cache-busting, and application-layer attack mitigation — AWS WAF integration with SRT-assisted custom rule deployment during active attacks.
AWS Shield Response Team (SRT)24/7 DDoS expert assistance for Advanced subscribers — SRT proactively engages during large attacks, writes custom WAF rules, and coordinates mitigation.
Near-Real-Time Attack VisibilityCloudWatch metrics with 1-minute granularity showing attack vectors, packet rates, request volumes, and mitigation actions during active DDoS events.
DDoS Cost ProtectionReimburses CloudFront, Route 53, ELB, and EC2 Auto Scaling cost spikes caused by DDoS attack traffic — full financial neutrality from volumetric attacks.
Global Threat IntelligenceUpdated attack signatures and IP reputation data from AWS’s hyperscale global network — visibility into a significant fraction of global internet traffic.
Scenario
A gaming company faces a 600 Gbps UDP amplification + HTTP flood DDoS during a major launch. AWS Shield Advanced absorbs the volumetric attack at the network edge, the SRT deploys WAF rules for the application-layer component, and the company maintains 99.9% availability throughout — with DDoS Cost Protection covering all scaling charges.
Step-by-Step Command Walkthrough
# Terraform: Enable Shield Advanced protection
resource "aws_shield_protection" "game_alb" {
  name         = "GameServer_ApplicationLB"
  resource_arn = aws_lb.game_lb.arn
}
resource "aws_shield_protection" "game_cloudfront" {
  name         = "GameServer_CloudFront"
  resource_arn = aws_cloudfront_distribution.game_cdn.arn
}

# CloudWatch alarm for DDoS detection
resource "aws_cloudwatch_metric_alarm" "shield_ddos" {
  alarm_name          = "Shield_DDoS_Detected"
  metric_name         = "DDoSDetected"
  namespace           = "AWS/DDoSProtection"
  comparison_operator = "GreaterThanThreshold"
  evaluation_periods  = 1
  period              = 60
  statistic           = "Sum"
  threshold           = 0
  alarm_actions       = ["arn:aws:sns:us-east-1:123456789:SecurityAlerts"]
  dimensions = { ResourceArn = aws_lb.game_lb.arn }
}

# CLI: Query active DDoS attacks
aws shield describe-attacks \
  --start-time 2024-06-17T00:00:00Z \
  --end-time 2024-06-17T23:59:59Z \
  | python3 -c "
import sys, json
d = json.load(sys.stdin)
for a in d.get('Attacks', []):
    print(f'Attack: {a["AttackId"]}')
    vecs = [v["VectorType"] for v in a.get('AttackVectors',[])]
    print(f'Vectors: {vecs}')"

# SRT-deployed rate-based WAF rule (during active HTTP flood)
aws wafv2 create-rule-group \
  --name SRT_Emergency_RateLimit --scope CLOUDFRONT --capacity 100 \
  --rules '[{"Name":"RateLimit_GameAPI","Priority":0,"Action":{"Block":{}},
    "Statement":{"RateBasedStatement":{"Limit":2000,"AggregateKeyType":"IP"}},
    "VisibilityConfig":{"SampledRequestsEnabled":true,
      "CloudWatchMetricsEnabled":true,"MetricName":"RateLimit_GameAPI"}}]' \
  --visibility-config SampledRequestsEnabled=true,CloudWatchMetricsEnabled=true,MetricName=SRT
Outcome & Analysis
AWS Shield Advanced detects the 600 Gbps UDP attack within 30 seconds and absorbs it at the network edge. The SRT contacts the on-call engineer within 12 minutes and deploys WAF rate-limiting rules that block the HTTP flood component within 3 minutes of deployment. The company maintains 99.9% player availability throughout a 6-hour sustained attack. DDoS Cost Protection credits $67,000 in CloudFront and Route 53 scaling charges attributable to attack traffic — full financial neutrality from the event.
82
Microsoft Defender for Cloud
Cloud Native Application Protection Platform (CNAPP) — Microsoft Azure

Overview

Microsoft Defender for Cloud (formerly Azure Security Center and Azure Defender, rebranded 2021) is Microsoft’s CNAPP providing unified Cloud Security Posture Management (CSPM) and Cloud Workload Protection (CWP) across Azure, AWS, Google Cloud, and on-premises hybrid environments. The platform continuously assesses resource configurations against Microsoft’s cloud security benchmark, producing a quantified Secure Score (0–100%) that tracks posture improvement as recommendations are remediated.

Defender for Cloud provides multiple workload-specific protection plans: Defender for Servers (OS-level threat detection, vulnerability assessment, JIT VM access), Defender for Containers (Kubernetes vulnerability assessment, runtime threat detection), Defender for SQL (anomaly detection, SQL injection alerts), Defender for Storage (malware scanning of blob uploads), and Defender for Key Vault. All plans feed alerts into the Defender for Cloud console and integrate natively with Microsoft Sentinel.

Key Features & Components

Feature / ComponentDescription
Secure Score (0–100%)Quantified security posture metric tracking improvement as recommendations are remediated — comparison across subscriptions, management groups, and regulatory frameworks.
CSPM (300+ Configuration Checks)Security configuration recommendations for 300+ Azure, AWS, and GCP resource types — each with severity, remediation steps, and compliance framework mapping.
Multi-Cloud CSPM (AWS/GCP)Extends posture management and threat detection to AWS and GCP via agentless connectors — unified security posture across heterogeneous cloud environments.
Defender for Servers / JIT VM AccessOS-level threat detection plus Just-in-Time VM access — opens SSH/RDP only for specific IPs for defined windows, eliminating always-open attack surface.
Defender for ContainersContainer image vulnerability scanning, Kubernetes admission control policy enforcement, and runtime threat detection for GKE, EKS, and AKS clusters.
Microsoft Sentinel IntegrationDefender alerts flow automatically into Sentinel for SIEM investigation, threat hunting, and SOAR playbook-driven automated response.
Scenario
An enterprise uses Microsoft Defender for Cloud to improve Azure Secure Score from 42% to 79% over 90 days, while Defender for Servers detects and responds to a cryptomining attack on a misconfigured VM within 4 minutes of initial miner execution — before any significant billing cost is incurred.
Step-by-Step Command Walkthrough
# Enable Defender plans
az security pricing create --name VirtualMachines --tier Standard
az security pricing create --name Containers --tier Standard

# Query current Secure Score
az security secure-score show --name ascScore \
  --query '{Score:current.percentage,Max:max.percentage}' -o table
# Score: 42.3  |  Max: 100.0

# List all CRITICAL and HIGH recommendations
az security task list \
  --query '[?contains(resourceState,`Active`)].{Title:name,Resource:resourceDetails.resourceName}' \
  -o table | head -20

# Enable Just-in-Time VM Access on web servers
az security jit-policy update \
  --name default --resource-group production-rg --vm-name web-server-prod-01 \
  --ports '[{"number":22,"protocol":"TCP",
    "allowedSourceAddressPrefixes":["10.0.0.0/8"],
    "maxRequestAccessDuration":"PT4H"}]'

# Request JIT access — opens SSH for 2 hours from analyst IP
az security jit-policy initiate \
  --name default --resource-group production-rg --vm-name web-server-prod-01 \
  --vm-requests '[{"virtualMachineId":"/subscriptions/SUB/web-server-prod-01",
    "ports":[{"number":22,"duration":"PT2H","allowedSourceAddressPrefix":"203.0.113.10"}]}]'

# Query Defender security alerts via REST API
curl -s 'https://management.azure.com/subscriptions/SUB_ID/providers/Microsoft.Security/alerts?api-version=2022-01-01' \
  -H "Authorization: Bearer $(az account get-access-token --query accessToken -o tsv)" \
  | python3 -c "
import sys, json
alerts = json.load(sys.stdin)['value']
high = [a for a in alerts if a['properties']['severity']=='High']
print(f'High severity alerts: {len(high)}')" 
Outcome & Analysis
Secure Score improves from 42% to 79% over 90 days — driven by 52 remediated recommendations including disk encryption on 8 VMs (+4.2 points), MFA on 14 privileged accounts (+6.8 points), removing public IPs from 6 VMs (+3.1 points), and enabling JIT access on 22 management-port VMs (+5.4 points). When a cryptominer executes on a VM with an accidentally exposed management port, Defender for Servers alerts within 4 minutes. The Sentinel playbook enables JIT access restriction and blocks the miner pool IP in the NSG — the miner is killed before any billing impact.
83
Google Cloud Security Command Center
Native GCP Security Monitoring & Risk Management

Overview

Google Cloud Security Command Center (SCC) is Google Cloud’s native security monitoring and risk management platform providing continuous visibility into security findings, asset inventory, vulnerability assessments, and threat detection across GCP environments. SCC aggregates findings from Google Cloud’s built-in security services — Web Security Scanner, Cloud Armor, Binary Authorization, Container Threat Detection, Event Threat Detection, Virtual Machine Threat Detection, and Security Health Analytics — alongside partner solutions and custom finding sources via the SCC API.

SCC Premium activates continuous infrastructure vulnerability scanning, compliance posture assessment against CIS GCP Benchmark, PCI DSS, HIPAA, NIST 800-53, and ISO 27001, and automated response integration through Cloud Functions and Pub/Sub notifications. Security Health Analytics evaluates 160-plus configurations — detecting public Cloud Storage buckets, overly permissive IAM bindings, unencrypted disks, and open firewall rules.

Key Features & Components

Feature / ComponentDescription
Unified Security Finding AggregationConsolidates findings from 10+ built-in Google security services and partner integrations — single prioritised security view across the entire GCP organisation.
Security Health Analytics (160+ Checks)Evaluates GCP configurations for 160+ security best practices — public storage buckets, overly permissive IAM, unencrypted disks, and open firewall rules detected continuously.
Container Threat Detection (CTD)Monitors GKE container runtime for reverse shells, unexpected process spawning, binary execution from unusual paths, and container escape attempts.
Event Threat Detection (ETD)ML-based threat detection for GCP audit logs — data exfiltration, cryptomining, brute-force, privilege escalation, and anomalous API call sequences.
Compliance Posture ReportingAutomated compliance assessments against CIS GCP Benchmark, PCI DSS, HIPAA, NIST 800-53, and ISO 27001 with per-control pass/fail and remediation guidance.
Pub/Sub Notification AutomationFinding event notifications via Pub/Sub enable automated response through Cloud Functions, Cloud Run, or third-party SOAR — native GCP-speed automated remediation.
Scenario
A GKE workload is compromised through a vulnerable web container. SCC Container Threat Detection identifies the reverse shell within 45 seconds and triggers an automated Cloud Function that network-isolates the pod via Kubernetes NetworkPolicy — containing the attacker before any data exfiltration succeeds.
Step-by-Step Command Walkthrough
# Enable SCC
gcloud services enable securitycenter.googleapis.com --project=PROJECT_ID

# List CRITICAL and HIGH active findings
gcloud scc findings list --organization=ORG_ID \
  --filter='severity="CRITICAL" OR severity="HIGH" AND state="ACTIVE"' \
  --format='table(finding.name,finding.category,finding.severity,finding.createTime)'

# List public Cloud Storage buckets
gcloud scc findings list --organization=ORG_ID \
  --filter='finding.category="PUBLIC_BUCKET_ACL" AND finding.state="ACTIVE"'

# Set up Pub/Sub notification for CRITICAL findings
gcloud scc notifications create critical-findings-alert \
  --organization=ORG_ID \
  --pubsub-topic=projects/PROJECT_ID/topics/scc-critical-findings \
  --filter='severity = CRITICAL'

# Cloud Function: auto-isolate compromised GKE pod (triggered by Pub/Sub)
def isolate_pod(event, context):
    import base64, json
    finding = json.loads(base64.b64decode(event['data']).decode())
    if finding.get('finding',{}).get('category') == 'REVERSE_SHELL':
        resource  = finding['finding']['resourceName']
        pod_name  = extract_pod_name(resource)
        namespace = extract_namespace(resource)
        # Apply deny-all NetworkPolicy via kubernetes Python client
        network_policy = {
            'apiVersion': 'networking.k8s.io/v1', 'kind': 'NetworkPolicy',
            'metadata': {'name': f'isolate-{pod_name}', 'namespace': namespace},
            'spec': {'podSelector': {'matchLabels': {'app': pod_name}},
                     'policyTypes': ['Ingress','Egress']}
        }
        print(f'NetworkPolicy applied — pod {pod_name} isolated')

# Mark finding resolved via API
curl -s -X POST 'https://securitycenter.googleapis.com/v1/FINDING_NAME:setState' \
  -H "Authorization: Bearer $(gcloud auth print-access-token)" \
  -H 'Content-Type: application/json' \
  -d '{"state":"INACTIVE","startTime":"2024-06-17T12:00:00Z"}'
Outcome & Analysis
SCC Container Threat Detection identifies the reverse shell within 45 seconds of execution. The Pub/Sub notification triggers the Cloud Function, applying a deny-all NetworkPolicy to the pod within 90 seconds of detection. The attacker’s shell becomes unresponsive before any data exfiltration commands succeed. Security Health Analytics simultaneously surfaces 7 contributing misconfigurations — overly permissive service accounts, missing VPC Service Controls, container running as root — providing a complete remediation list to prevent recurrence. Total time from attack to pod isolation: 2 minutes 15 seconds.
84
Cloudflare
Edge Security, DDoS, WAF & Zero Trust — Global Anycast Network

Overview

Cloudflare operates one of the world’s largest anycast networks with 330-plus points of presence globally, providing DDoS mitigation (321 Tbps+ capacity), Web Application Firewall (WAF), API security, bot management, Zero Trust Network Access (ZTNA via Cloudflare Access), Secure Web Gateway (Gateway), DNS security (1.1.1.1), and email security (Area 1). Processing approximately 4.9 million HTTP requests per second and blocking an average of 209 billion cyberthreats daily, Cloudflare generates threat intelligence from visibility into approximately 20% of global internet traffic.

Cloudflare One provides a complete Security Service Edge (SSE) and Zero Trust architecture. Cloudflare Access replaces legacy VPN with identity-aware, policy-driven access — users authenticate through any SAML 2.0 or OIDC identity provider before accessing internal applications, with no inbound firewall rules required at the origin. Magic Transit brings hyperscale DDoS protection to customers’ entire IP space via BGP advertisement.

Key Features & Components

Feature / ComponentDescription
321 Tbps DDoS ProtectionNetwork-level DDoS mitigation at globally distributed edge — volumetric, protocol, and application-layer attacks absorbed before reaching customer infrastructure.
WAF (Managed Rules + Custom)Cloudflare Managed Rules and OWASP CRS protecting against OWASP Top 10 and emerging CVEs — updated by Cloudflare threat research within hours of new vulnerability disclosure.
Zero Trust Network Access (Access)Identity-aware VPN replacement — enforces SSO, device posture, and contextual conditions before any internal application access; no inbound firewall rules at origin.
Bot Management (ML + Behavioural)Classifies every request as verified human, legitimate bot, or malicious bot using ML, device fingerprinting, and behavioural signals — blocks credential stuffing and scraping.
Cloudflare Email Security (Area 1)Pre-delivery phishing and BEC prevention using ML analysis of content, sender behaviour, and link reputation — detects novel campaigns before signatures exist.
Magic Transit (On-Premises DDoS)BGP-advertised DDoS protection for customer IP space — on-premises infrastructure protected by Cloudflare’s hyperscale DDoS capacity without routing changes.
Scenario
A retail e-commerce platform uses Cloudflare to block a credential stuffing attack against the login API, enforce Zero Trust access for 500 remote employees replacing legacy VPN, and deploy an emergency WAF rule for a critical Atlassian Confluence CVE within minutes of its public disclosure.
Step-by-Step Command Walkthrough
CF_ZONE="YOUR_ZONE_ID"
CF_TOKEN="YOUR_API_TOKEN"
CF_ACCOUNT="YOUR_ACCOUNT_ID"

# Block credential stuffing on /api/v1/login
curl -s -X POST "https://api.cloudflare.com/client/v4/zones/$CF_ZONE/firewall/rules" \
  -H "Authorization: Bearer $CF_TOKEN" -H 'Content-Type: application/json' \
  -d '[{"filter":{"expression":"(http.request.uri.path eq \"/api/v1/login\")
    and (http.request.method eq \"POST\")
    and (not cf.bot_management.verified_bot)
    and (rate_requests_minute gt 20)"},
    "action":"challenge",
    "description":"Rate-limit login — block credential stuffing"}]'

# Emergency WAF rule: block CVE-2024-23917 Confluence RCE
curl -s -X POST "https://api.cloudflare.com/client/v4/zones/$CF_ZONE/rulesets/RULESET_ID/rules" \
  -H "Authorization: Bearer $CF_TOKEN" -H 'Content-Type: application/json' \
  -d '{"action":"block",
       "expression":"(http.request.uri.path contains \"/setup/setupadministrator.action\"
         or http.request.uri.path contains \"/server-info.action\")
         and cf.threat_score gt 5",
       "description":"Block CVE-2024-23917 Confluence exploitation"}'

# Zero Trust: create Cloudflare Access app for internal HR portal
curl -s -X POST "https://api.cloudflare.com/client/v4/accounts/$CF_ACCOUNT/access/apps" \
  -H "Authorization: Bearer $CF_TOKEN" -H 'Content-Type: application/json' \
  -d '{"name":"Corporate HR Portal","domain":"hr.corp.internal.example.com",
       "type":"self_hosted","session_duration":"8h",
       "allowed_idps":["OKTA_IDP_ID"],"auto_redirect_to_identity":true}'

# Access Policy: require Okta SSO + managed device posture
curl -s -X POST "https://api.cloudflare.com/client/v4/accounts/$CF_ACCOUNT/access/apps/APP_ID/policies" \
  -H "Authorization: Bearer $CF_TOKEN" -H 'Content-Type: application/json' \
  -d '{"name":"Corp Employees — Managed Device","decision":"allow",
       "include":[{"email_domain":{"domain":"corp.com"}}],
       "require":[{"device_posture":{"integration_uid":"POSTURE_ID"}}]}'
Outcome & Analysis
Cloudflare Bot Management blocks 98.4% of credential stuffing attempts — 52,000 malicious requests per minute reduced to 823 legitimate logins. The emergency CVE-2024-23917 WAF rule deploys within 8 minutes and blocks 4,700 exploitation attempts in the first hour — before any patch is available. Cloudflare Access replaces VPN for 500 remote employees: zero inbound firewall rules at origin, every application access individually authenticated against Okta and device posture. A 450 Gbps DDoS during the holiday sale is absorbed entirely at Cloudflare’s edge.
85
Zscaler
Zero Trust Exchange — Security Service Edge (SSE)

Overview

Zscaler is a cloud-native security platform delivering a Zero Trust Exchange — a globally distributed security service edge (SSE) providing secure internet access, secure private application access, and digital experience monitoring without traffic backhauling through corporate data centres. Zscaler’s 150-plus data centres process all user traffic applying full security inspection inline — SSL/TLS decryption, URL filtering, CASB, DLP, advanced threat prevention, and DNS security.

Zscaler Internet Access (ZIA) replaces on-premises proxies and NGFWs for internet-bound traffic. Zscaler Private Access (ZPA) replaces VPN with a zero-trust broker model: users connect to specific applications through Zscaler’s infrastructure, never joining the corporate network. This completely eliminates lateral movement risk — even a compromised endpoint cannot reach other corporate systems because it is never network-adjacent to them.

Key Features & Components

Feature / ComponentDescription
Zero Trust Exchange (150+ PoPs)Globally distributed cloud security enforcement — every user connection inspected at the nearest Zscaler PoP; no backhauling or hardware appliances required.
ZIA (Zscaler Internet Access)Full SSL/TLS inspection, URL filtering, inline CASB, DLP, advanced threat prevention, and DNS security — replaces on-premises proxies and NGFWs.
ZPA (Zscaler Private Access)Zero-trust application broker — users connect to applications, never to the corporate network; eliminates lateral movement risk from compromised endpoints.
Full SSL/TLS Inspection at Cloud ScaleDecrypts and inspects all HTTPS traffic elastically — scales automatically without appliance capacity planning or hardware upgrades.
Cloud DLPContent-aware inspection for PII, PHI, PCI data, and custom-defined sensitive content in all cloud traffic — prevents data exfiltration through any cloud service.
Zscaler Digital Experience (ZDX)Monitors application performance from endpoint to app — identifies whether latency originates at the endpoint, ISP, Zscaler, or application server.
Scenario
An enterprise migrates 8,000 remote employees from Cisco AnyConnect VPN to Zscaler Zero Trust Exchange — eliminating VPN infrastructure, reducing application latency by 53 ms, and blocking lateral movement from a compromised endpoint that would have had full corporate network access under VPN.
Step-by-Step Command Walkthrough
# ZIA Authentication
curl -s -c /tmp/zia_cookies.txt -X POST 'https://zsapi.zscaler.net/api/v1/authenticatedSession' \
  -H 'Content-Type: application/json' \
  -d '{"username":"admin@corp.zscaler.net","password":"ZscalerAdmin2024!","apiKey":"ZIA_API_KEY"}'

# ZIA: Create URL filtering rule — block crypto mining sites
curl -s -b /tmp/zia_cookies.txt -X POST 'https://zsapi.zscaler.net/api/v1/urlFilteringRules' \
  -H 'Content-Type: application/json' \
  -d '{"name":"Block_Crypto_Mining","order":1,
       "protocols":["HTTPS_RULE","HTTP_RULE"],
       "urlCategories":["CRYPTO_CURRENCY"],"state":"ENABLED","action":"BLOCK"}'

# ZIA: Enable SSL inspection for all categories
curl -s -b /tmp/zia_cookies.txt -X PUT 'https://zsapi.zscaler.net/api/v1/sslSettings' \
  -H 'Content-Type: application/json' \
  -d '{"enableSSLScan":true,"defaultAction":"DECRYPT"}'

# ZPA: Create application segment for SAP ERP (replaces VPN rule)
curl -s -X POST 'https://config.private.zscaler.com/api/v1/application' \
  -H 'Authorization: Bearer ZPA_API_TOKEN' -H 'Content-Type: application/json' \
  -d '{"name":"Corporate_SAP_ERP","domainNames":["sap-prod.corp.internal"],
       "tcpPortRanges":[{"from":"443","to":"443"}],
       "segmentGroupId":"SEG_GROUP_ID","serverGroups":[{"id":"SERVER_GROUP_ID"}]}'

# ZPA: Access policy — require Okta SSO + managed device
curl -s -X POST 'https://config.private.zscaler.com/api/v1/policySet/POLICY_SET_ID/rule' \
  -H 'Authorization: Bearer ZPA_API_TOKEN' -H 'Content-Type: application/json' \
  -d '{"name":"SAP_FinanceTeam_ManagedDevice","action":"ALLOW",
       "conditions":[
         {"operands":[{"objectType":"SCIM_GROUP","values":["Finance_Team"]}]},
         {"operands":[{"objectType":"POSTURE","values":["MANAGED_DEVICE_ID"]}]}
       ]}'
Outcome & Analysis
Zscaler ZPA migration eliminates VPN infrastructure entirely — 8,000 employees access internal applications via zero-trust broker without being placed on the corporate network. Average application latency drops from 87ms (VPN backhaul) to 34ms (direct Zscaler PoP). When a remote employee’s laptop is compromised, the attacker accesses only that employee’s specific authorised applications — no lateral movement because the device is never on the corporate network. ZIA full SSL inspection catches 34 malware downloads daily that previously bypassed HTTPS inspection on the legacy on-premises proxy.
86
Prisma Cloud
Cloud Native Application Protection Platform (CNAPP) — Palo Alto Networks

Overview

Palo Alto Networks Prisma Cloud is a comprehensive CNAPP providing Cloud Security Posture Management (CSPM), Cloud Workload Protection (CWP), Cloud Infrastructure Entitlement Management (CIEM), Cloud Network Security, Web Application and API Security (WAAS), and Code Security (IaC scanning) in a single unified platform. Prisma Cloud monitors AWS, Azure, Google Cloud, Alibaba Cloud, and Oracle Cloud — unified visibility, threat detection, and compliance governance across multi-cloud environments from one console.

Prisma Cloud’s Code to Cloud approach addresses security across the complete software delivery lifecycle. The CSPM module evaluates 1,500-plus configuration policies. Attack Path Analysis visualises end-to-end exploitable paths from the public internet to sensitive data — prioritising the small number of findings that represent genuine risk among hundreds of theoretical violations. Runtime Security protects containers and serverless functions with behavioural profiling.

Key Features & Components

Feature / ComponentDescription
CSPM (1,500+ Policies)Continuously evaluates all cloud resource configurations against 1,500+ policies — misconfigurations, public exposures, and compliance violations detected in real time.
Cloud Workload Protection (CWP)Vulnerability scanning and runtime threat detection for VMs, containers, and serverless — behavioural profiling blocks anomalous process execution in production.
CIEM (Cloud Identity Entitlement)Analyses IAM permissions — identifies unused, over-permissive, and risky entitlements; calculates effective permissions considering all policy inheritance and federation.
Code Security (IaC Scanning)Scans Terraform, CloudFormation, Kubernetes YAML, and Helm charts in IDE and CI/CD — catches misconfigurations before any cloud resource is created.
Attack Path AnalysisVisualises end-to-end attack paths from internet exposure to sensitive data — prioritises findings by real exploitability, not theoretical risk scores.
WAAS (Application Protection)Cloud-native WAF and API security covering OWASP Top 10 and API-specific attacks — inline protection without hardware appliances across any cloud.
Scenario
Prisma Cloud detects an accidental S3 bucket public access misconfiguration within 90 seconds of creation, automatically remediates it before any data is indexed by crawlers, and uses Attack Path Analysis to prioritise the 3 genuinely exploitable paths to sensitive data among 847 total findings.
Step-by-Step Command Walkthrough
TOKEN=$(curl -s -X POST 'https://api.prismacloud.io/login' \
  -H 'Content-Type: application/json' \
  -d '{"username":"admin@corp.com","password":"PrismaAdmin2024!","customerName":"CorpInc"}' \
  | python3 -c "import sys,json;print(json.load(sys.stdin)['token'])")

# Query all CRITICAL open alerts
curl -s -X POST 'https://api.prismacloud.io/alert' \
  -H "x-redlock-auth: $TOKEN" -H 'Content-Type: application/json' \
  -d '{"filters":[
    {"name":"alert.status","operator":"=","value":"open"},
    {"name":"policy.severity","operator":"=","value":"critical"}],
    "limit":50,"timeRange":{"type":"to_now","value":"epoch"}}' \
  | python3 -c "
import sys, json
alerts = json.load(sys.stdin)['items']
print(f'Critical open alerts: {len(alerts)}')
for a in alerts[:5]:
    print(f'  {a["policy"]["name"]} — {a["resource"]["name"]}')"

# Get PCI DSS compliance posture
curl -s -X POST 'https://api.prismacloud.io/compliance/posture' \
  -H "x-redlock-auth: $TOKEN" -H 'Content-Type: application/json' \
  -d '{"filters":[{"name":"policy.complianceStandard","operator":"=","value":"PCI DSS v3.2.1"}],
       "timeRange":{"type":"to_now","value":"epoch"}}'

# Automated Lambda remediation for public S3 bucket
import boto3
def remediate_public_s3(event, context):
    s3 = boto3.client('s3')
    bucket = event['resource']['name']
    s3.put_public_access_block(Bucket=bucket, PublicAccessBlockConfiguration={
        'BlockPublicAcls':True,'IgnorePublicAcls':True,
        'BlockPublicPolicy':True,'RestrictPublicBuckets':True})
    print(f'Public access blocked on s3://{bucket}')
Outcome & Analysis
Prisma Cloud CSPM detects the public S3 bucket within 90 seconds. The Lambda remediation function blocks public access within 2.5 minutes — before any crawler indexes the bucket. Attack Path Analysis identifies only 3 of 847 total findings as genuine end-to-end attack paths from the internet to PCI cardholder data. Those 3 are escalated to P1 for immediate remediation; the remaining 844 proceed through normal patch cycles. PCI DSS compliance shows 89.3% passing controls — the 3 critical attack path findings map directly to PCI DSS Requirements 6.4, 8.6, and 10.6.
87
Dome9 (Check Point CloudGuard CSPM)
Cloud Security Posture Management & Compliance — Check Point

Overview

Dome9 (now Check Point CloudGuard CSPM, following Check Point’s 2018 acquisition) is a CSPM platform providing continuous compliance monitoring, misconfiguration detection, intelligent network topology visualisation, and automated remediation for AWS, Azure, Google Cloud, and Kubernetes environments. CloudGuard CSPM evaluates configurations against 2,500-plus built-in rules covering CIS Benchmarks, NIST SP 800-53, PCI DSS, HIPAA, SOC 2, GDPR, and custom organisational policies.

CloudGuard’s Effective Permissions Analysis calculates the complete set of permissions available to each IAM entity by resolving all policy inheritance, trust relationships, permission boundaries, and service control policies — revealing truly over-privileged accounts. CloudGuard GSL (Governance Specification Language) enables human-readable custom security policy definition without code. CloudBots provide pre-built automated remediation scripts triggered on policy violations.

Key Features & Components

Feature / ComponentDescription
2,500+ Built-In Compliance RulesContinuous evaluation against CIS, NIST, PCI DSS, HIPAA, SOC 2, GDPR, and custom policies — quantified per-control pass/fail posture with remediation guidance.
Effective Permissions AnalysisResolves all IAM inheritance, trust relationships, permission boundaries, and SCPs — reveals truly over-privileged accounts invisible to simple IAM policy review.
CloudBots (Automated Remediation)Pre-built automated remediation scripts triggered on policy violations — fixes open security groups, unencrypted volumes, and other common misconfigurations automatically.
GSL (Governance Specification Language)Human-readable custom policy language — cloud architects write bespoke security rules without coding; rules target any cloud resource attribute.
Network Topology VisualisationInteractive cloud network graph showing security groups, routes, and public exposure — makes complex multi-account cloud network configurations understandable.
Kubernetes Security (CloudGuard WorkLoad)CIS Kubernetes Benchmark compliance, admission controller policies, runtime anomaly detection, and network policy visualisation for Kubernetes workloads.
Scenario
A financial services organisation uses CloudGuard CSPM to maintain PCI DSS compliance across a multi-cloud environment. CloudBots automatically remediate security group misconfigurations within 3 minutes of detection, and a quarterly auditor report is generated automatically from continuous assessment history.
Step-by-Step Command Walkthrough
TOKEN=$(curl -s -X POST 'https://api.dome9.com/v2/access-token' \
  -u 'API_KEY_ID:API_KEY_SECRET' \
  | python3 -c "import sys,json;print(json.load(sys.stdin)['token'])")

# Run PCI DSS assessment
ASSESS_ID=$(curl -s -X POST 'https://api.dome9.com/v2/assessment/bundleV2' \
  -H "Authorization: Bearer $TOKEN" -H 'Content-Type: application/json' \
  -d '{"id":16,"cloudAccountIds":["AWS_ACCOUNT_ID"],"cloudAccountType":"aws"}' \
  | python3 -c "import sys,json;print(json.load(sys.stdin)['id'])")

sleep 60
curl -s "https://api.dome9.com/v2/assessment/$ASSESS_ID" -H "Authorization: Bearer $TOKEN" \
  | python3 -c "
import sys, json
r = json.load(sys.stdin)
print(f'Tests passed: {r.get("passedCount")}')
print(f'Tests failed: {r.get("failedCount")}')
print(f'Score: {r.get("score")}%')"

# GSL custom rule — detect unrestricted SSH (0.0.0.0/0 on port 22)
curl -s -X POST 'https://api.dome9.com/v2/Compliance/Ruleset' \
  -H "Authorization: Bearer $TOKEN" -H 'Content-Type: application/json' \
  -d '{"name":"PCI_No_Unrestricted_SSH","cloudVendor":"aws",
    "rules":[{"name":"Block public SSH access","severity":"Critical",
      "logic":"SecurityGroup should not have inboundRules with [port=22 and source=\"0.0.0.0/0\"]",
      "remediationSteps":"Remove 0.0.0.0/0 from SSH ingress rule."}]}'

# Enable CloudBot auto-remediation
# Dome9 > Settings > CloudBots > Enable: sg-delete-rule
# Trigger: Policy violation 'Block public SSH access'

# Generate PDF compliance report
curl -s -X POST 'https://api.dome9.com/v2/assessment/export/pdf' \
  -H "Authorization: Bearer $TOKEN" \
  -d "{\"assessmentId\":\"$ASSESS_ID\"}" \
  -o 'PCI_DSS_Assessment_Q2_2024.pdf'
Outcome & Analysis
CloudGuard detects a 0.0.0.0/0 SSH security group rule within 75 seconds of creation. The CloudBot executes automatically, removing the inbound rule within 3 minutes — the public SSH exposure exists for under 4 minutes. PCI DSS compliance posture is maintained at 94.7% throughout the quarter. The quarterly auditor report — previously requiring 40 hours of manual evidence gathering — is generated automatically in 3 minutes from CloudGuard’s continuous assessment history, satisfying the audit requirement with zero additional analyst effort.
88
Netskope
CASB, NG-SWG, ZTNA & Cloud DLP — Security Service Edge

Overview

Netskope is a cloud-native security platform providing industry-leading Cloud Access Security Broker (CASB), Next-Generation Secure Web Gateway (NG-SWG), Zero Trust Network Access (ZTNA), and Data Loss Prevention (DLP) as an integrated Security Service Edge (SSE) solution. Netskope’s NewEdge network — a purpose-built private security cloud with 50-plus data centres globally — provides inline inspection of all cloud application traffic with sub-5ms additional latency.

Netskope’s Cloud Confidence Index (CCI) evaluates 68,000-plus cloud applications across 50 attributes covering security certifications, data protection, auditability, and financial viability. The content-aware DLP engine performs deep content inspection of all cloud traffic for PII, PHI, PCI cardholder data, source code, financial models, and custom-defined sensitive patterns. Netskope’s UEBA module uses ML to detect anomalous cloud activity.

Key Features & Components

Feature / ComponentDescription
CASB (68,000+ Cloud Apps)Inline and API-based visibility and control for 68,000+ cloud apps — sanctioned app governance and shadow IT discovery with activity-level policy enforcement.
Cloud Confidence Index (CCI)Risk scores for 68,000+ cloud apps across 50 attributes — data-driven cloud application policy decisions with documented risk justification.
NG-SWG with SSL/TLS InspectionNext-gen SWG applying threat protection, URL filtering, DLP, and app controls to all web and cloud traffic — full HTTPS decryption without appliance constraints.
Cloud DLP (Content-Aware)Deep content inspection for PII, PHI, PCI, source code, and custom patterns in cloud uploads and downloads — prevents inadvertent and malicious data exfiltration.
ZTNA (Netskope Private Access)Zero-trust application access — users authenticate to specific applications without being placed on the corporate network.
UEBA (Cloud Activity Analytics)ML anomaly detection: impossible travel, bulk downloads, suspicious API calls, and account compromise indicators in cloud application activity.
Scenario
A legal firm discovers employees uploading confidential M&A documents to personal Dropbox accounts. Netskope CASB API-based DLP scanning identifies 1,247 files with sensitive content already uploaded to personal accounts and implements activity-level controls preventing future uploads while allowing corporate Dropbox use.
Step-by-Step Command Walkthrough
# Query personal Dropbox upload events (last 90 days)
curl -s 'https://corp.goskope.com/api/v1/events/data?token=API_TOKEN&type=application
  &query=app eq "Dropbox" and activity eq "Upload" and from_user not like "%corp.com"
  &starttime=1704067200' \
  | python3 -c "
import sys, json
events = json.load(sys.stdin).get('data',[])
print(f'Personal Dropbox uploads: {len(events)}')
print(f'Unique uploading users: {len(set(e.get("user") for e in events))}')"

# Get Cloud Confidence Index for personal Dropbox
curl -s 'https://corp.goskope.com/api/v1/app/cci?token=API_TOKEN&appName=Dropbox+Personal' \
  | python3 -c "
import sys, json
d = json.load(sys.stdin).get('data',{})
print(f'CCI Score: {d.get("cci_score")}/100 | Risk: {d.get("risk_level")}')"

# DLP Policy: block M&A content upload to personal cloud storage
# Netskope GUI: Policies > Real-time Protection > New Policy
# Type: Cloud Storage | Activity: Upload
# Destination: All Personal Cloud Storage (CCI < 70)
# DLP Profile: MA_Confidential (patterns: 'non-public','transaction value','deal team')
# Action: Block + Notify user + Alert SOC

# Query DLP incidents
curl -s 'https://corp.goskope.com/api/v1/alerts?token=API_TOKEN&type=DLP' \
  | python3 -c "
import sys, json
alerts = json.load(sys.stdin).get('data',[])
print(f'DLP violations: {len(alerts)}')
for a in alerts[:5]:
    print(f'  User:{a.get("user")} File:{a.get("object")}')" 
Outcome & Analysis
Netskope CASB identifies 1,247 M&A-classified files across 23 personal Dropbox accounts belonging to 14 employees. The real-time DLP policy immediately blocks future uploads of M&A-classified content to personal cloud storage while allowing corporate Dropbox use. Legal initiates remediation procedures to delete the already-uploaded files. Netskope’s UEBA flags 3 employees for additional investigation based on impossible travel indicators in their cloud activity.
89
Trend Micro Cloud One
Cloud Security Services Platform — DevOps Integrated

Overview

Trend Micro Cloud One is a security services platform for cloud builders — a unified suite covering workload security (Workload Security), container and Kubernetes security (Container Security), file storage security (File Storage Security), cloud network security (Network Security), web application security (Application Security), and Cloud Security Posture Management (Conformity). Each service integrates natively into DevOps workflows.

Cloud One Workload Security provides agent-based protection with six security modules: Anti-Malware, Integrity Monitoring, Log Inspection, IPS (virtual patching for unpatched vulnerabilities), Application Control, and Web Reputation. Conformity (CSPM) provides 1,000-plus real-time configuration checks for CIS, PCI DSS, HIPAA, NIST, and Well-Architected Frameworks. The virtual patching capability — IPS rules protecting against known CVEs on running workloads — is operationally significant for protecting systems between vulnerability disclosure and scheduled maintenance patching.

Key Features & Components

Feature / ComponentDescription
Workload Security (6 Modules)Anti-malware, integrity monitoring, log inspection, IPS/virtual patching, application control, and web reputation in one agent — cloud and hybrid workload protection.
Container Security (Image Scan + Runtime)CI/CD pipeline image scanning plus Kubernetes admission controller — blocks vulnerable images from deployment; detects runtime container threats.
File Storage SecurityEvent-driven malware scanning of files uploaded to S3, Azure Blob, and GCS — triggered on object creation via Lambda/Azure Functions without always-on polling.
Conformity CSPM (1,000+ Checks)Real-time configuration monitoring against CIS, PCI DSS, HIPAA, NIST, and Well-Architected — automated Jira/Slack remediation workflow with trend analytics.
Virtual Patching (IPS)IPS rules protect unpatched vulnerabilities on running workloads — coverage from CVE disclosure until the patch can be applied in a maintenance window.
API-First / IaC IntegrationTerraform provider and CloudFormation integration — Conformity checks as IaC quality gates; misconfigurations caught before resources are created.
Scenario
A cloud-native startup embeds Trend Micro Cloud One into their AWS pipeline — Container Security blocks vulnerable image deployments in CI/CD, Workload Security virtual patching protects EC2 instances from a critical CVE during the 9-day window before the official patch, and Conformity catches IaC misconfigurations before they reach production.
Step-by-Step Command Walkthrough
TOKEN=$(curl -s -X POST 'https://cloudone.trendmicro.com/api/authenticate' \
  -H 'Content-Type: application/json' \
  -d '{"userid":"admin@corp.com","secret":"CloudOneSecret2024!"}' \
  | python3 -c "import sys,json;print(json.load(sys.stdin)['AuthenticationResult']['Token'])")

# Container Security: scan an ECR image for vulnerabilities
SCAN_ID=$(curl -s -X POST 'https://cloudone.trendmicro.com/api/container/images/scan' \
  -H "Authorization: ApiKey $TOKEN" -H 'Content-Type: application/json' \
  -d '{"name":"myapp","tag":"v2.3.0","registry":"123456789.dkr.ecr.us-east-1.amazonaws.com"}' \
  | python3 -c "import sys,json;print(json.load(sys.stdin)['id'])")

sleep 120
curl -s "https://cloudone.trendmicro.com/api/container/images/$SCAN_ID/vulnerabilities" \
  -H "Authorization: ApiKey $TOKEN" \
  | python3 -c "
import sys, json
vulns = json.load(sys.stdin)['vulnerabilities']
critical = [v for v in vulns if v.get('severity')=='critical']
print(f'Total: {len(vulns)} | Critical: {len(critical)}')
for v in critical[:5]:
    print(f'  {v["cve_id"]}: {v["package_name"]} {v["version"]}')"

# Conformity: get CRITICAL failed checks
curl -s 'https://cloudone.trendmicro.com/api/conformity/checks?filter[status]=FAILURE&filter[riskLevel]=CRITICAL' \
  -H "Authorization: ApiKey $TOKEN" \
  | python3 -c "
import sys, json
checks = json.load(sys.stdin)['data']
print(f'Critical failures: {len(checks)}')
for c in checks[:5]:
    print(f'  {c["attributes"]["rule"]["title"]} — {c["attributes"]["resource"]["name"]}')"

# Workload Security: apply IPS virtual patch for CVE-2024-21762
curl -s -X POST 'https://cloudone.trendmicro.com/api/policies/POLICY_ID/intrusion-prevention/rules' \
  -H "Authorization: ApiKey $TOKEN" -H 'Content-Type: application/json' \
  -d '{"ruleIDs": [49125]}'  # IPS rule ID for CVE-2024-21762
Outcome & Analysis
Container Security blocks 14 container image deployments with Critical CVEs over 30 days — preventing 14 vulnerable images from reaching production. The CVE-2024-21762 IPS virtual patching rule protects 23 EC2 instances during the 9-day window between disclosure and scheduled patching — no exploitation attempts succeed. Conformity identifies a publicly accessible RDS instance within 45 seconds of creation via an incorrect Terraform apply — a Slack notification triggers the cloud team to fix it before any external connection is attempted. Zero security incidents across the period compared to 3 in the preceding quarter without Cloud One.
90
McAfee MVISION Cloud (Skyhigh Security)
Enterprise CASB & Security Service Edge

Overview

McAfee MVISION Cloud (now Skyhigh Security CASB, following the McAfee Enterprise divestiture through Symphony Technology Group) is an enterprise Cloud Access Security Broker (CASB) and Security Service Edge (SSE) platform providing shadow IT discovery, data security, threat protection, and compliance for cloud applications. Shadow IT Discovery analyses firewall and proxy logs to identify all cloud services in use — assessing risk and usage patterns for 40,000-plus cloud applications through the Cloud Trust Rating system.

MVISION Cloud’s data security capabilities include API-based DLP inspecting content already stored in sanctioned cloud applications (Microsoft 365, Salesforce, Box, AWS S3) without inline proxy interception, and inline DLP for all cloud application traffic. Collaboration Security monitors sharing activities in Microsoft 365 and Google Workspace. UEBA provides ML-based cloud activity anomaly detection for impossible travel, bulk downloads, sensitive data access outside normal hours, and administrative API calls from new locations.

Key Features & Components

Feature / ComponentDescription
Shadow IT Discovery (40,000+ Apps)Analyses firewall/proxy logs for all cloud services — risk scores for 40,000+ apps; unsanctioned app usage by user, department, volume, and risk level.
API-Based DLP (Microsoft 365/Salesforce)Inspects content in sanctioned cloud apps via API — detects sensitive data at rest in collaboration workflows without inline traffic redirection.
Collaboration SecurityMonitors sharing in Microsoft 365 and Google Workspace — detects externally shared sensitive files, public links, overly permissive sites, and personal account sharing.
UEBA (Cloud Activity Analytics)ML anomaly detection: impossible travel, bulk downloads, sensitive data access anomalies, and account compromise indicators in cloud application activity.
Zero-Day Threat ProtectionSandboxes files uploaded to cloud applications — detects novel malware in cloud collaboration platforms before signature coverage exists.
Compliance ReportingPre-built compliance reports for SOC 2, PCI DSS, HIPAA, GDPR, and ISO 27001 mapped to cloud application data handling controls.
Scenario
A healthcare organisation discovers employees using 287 unsanctioned cloud applications including file conversion services retaining uploaded PHI indefinitely. MVISION Cloud DLP identifies 5,400 files with PHI shared externally in Microsoft 365 and automatically removes public sharing permissions — limiting HIPAA exposure before the audit.
Step-by-Step Command Walkthrough
TOKEN=$(curl -s -X POST 'https://mvisioncloudasc.mcafee.com/api/v1/user/login' \
  -H 'Content-Type: application/json' \
  -d '{"username":"admin@corp.com","password":"MVisionAdmin2024!"}' \
  | python3 -c "import sys,json;print(json.load(sys.stdin)['token'])")

# Shadow IT discovery — top high-risk unsanctioned apps
curl -s 'https://mvisioncloudasc.mcafee.com/api/v1/cloud-services/shadow-it' \
  -H "Authorization: Bearer $TOKEN" \
  | python3 -c "
import sys, json
apps = json.load(sys.stdin).get('services',[])
high = sorted([a for a in apps if a.get('riskScore',0)>=7], key=lambda x:x['riskScore'],reverse=True)
print(f'Unsanctioned apps: {len(apps)} | High-risk (7-10): {len(high)}')
for a in high[:5]:
    print(f'  {a["name"]}: {a["riskScore"]}/10 | Users:{a.get("userCount",0)}')"

# DLP violations — PHI shared externally in M365
curl -s 'https://mvisioncloudasc.mcafee.com/api/v1/dlp/violations?service=Office365&classification=PHI&sharing=external' \
  -H "Authorization: Bearer $TOKEN" \
  | python3 -c "
import sys, json
v = json.load(sys.stdin).get('violations',[])
print(f'PHI files shared externally: {len(v)}')
public = [x for x in v if x.get('sharing')=='PUBLIC_LINK']
print(f'  Via public links: {len(public)}')"

# Auto-quarantine policy: remove public sharing from PHI files
curl -s -X POST 'https://mvisioncloudasc.mcafee.com/api/v1/dlp/policies' \
  -H "Authorization: Bearer $TOKEN" -H 'Content-Type: application/json' \
  -d '{"name":"HIPAA_Block_PHI_External","classification":"PHI",
       "action":"QUARANTINE","condition":"SHARED_EXTERNALLY",
       "services":["Office365","Google_Workspace"],
       "notify_user":true,"notify_admin":true}'
Outcome & Analysis
MVISION Cloud Shadow IT discovers 287 unsanctioned cloud services — 22 high-risk, including 4 file conversion services explicitly retaining uploaded documents indefinitely in their terms of service. API-based DLP scanning finds 5,400 M365 files with PHI shared externally — 2,847 via public links. The DLP quarantine policy removes public sharing permissions from all 2,847 files within 4 hours. HIPAA compliance exposure is contained: the organisation documents the remediation timeline as evidence of the Breach Risk Assessment’s ‘low probability of PHI compromise’ determination — avoiding mandatory notification for 12,400 patient records.
Section 3  │  Miscellaneous

Section 3: Miscellaneous

This section provides comprehensive profiles for 9 miscellaneous tools (Tools 91–99) — architectures, operational capabilities, and real-world application scenarios.

91
Paros Proxy
Legacy Web Application Intercepting Proxy — Historical Reference

Overview

Paros Proxy is a legacy Java-based web application security testing tool developed by Chinotec Technologies and released in 2003 as one of the earliest open-source intercepting proxy tools. Paros operates as a man-in-the-middle HTTP/HTTPS proxy — the tester’s browser routes traffic through Paros, which intercepts and displays every HTTP request and response, enabling analysts to inspect session tokens, modify POST parameters, manipulate cookies, replay requests, and inject payloads.

Though superseded by OWASP ZAP (which began as a Paros fork in 2010) and Burp Suite Professional, Paros holds significant historical importance as the tool that established the intercepting proxy architecture for web application security testing that all modern equivalents follow. Understanding Paros is valuable for practitioners learning web security testing fundamentals and forensic investigators examining legacy testing documentation.

Key Features & Components

Feature / ComponentDescription
HTTP/HTTPS Intercepting ProxyRoutes browser traffic through Paros for request/response inspection, modification, and replay — the foundational web testing model that OWASP ZAP and Burp Suite evolved from.
Spider (Web Crawler)Automated crawling to discover all pages, forms, and endpoints — builds site map for systematic security testing coverage of the application attack surface.
Active Vulnerability ScannerAutomated checks for SQL injection, XSS, path traversal, and insecure cookies — the predecessor to modern DAST automated scanning capabilities.
HTTP Request EditorManual editing of intercepted requests including headers, parameters, and body content — enables injection testing and parameter tampering.
Session Management AnalysisInspects session token entropy, cookie security flags (Secure, HttpOnly), and session fixation vulnerabilities in web applications.
Historical SignificanceDirect predecessor to OWASP ZAP (forked 2010) — established the intercepting proxy architecture now universal in web application security testing tools.
Scenario
A security training instructor uses Paros Proxy in an educational lab to demonstrate the foundational mechanics of web application interception testing to junior penetration testers — illustrating how the intercepting proxy model works before introducing modern tools like OWASP ZAP and Burp Suite.
Step-by-Step Command Walkthrough
# Note: Paros is deprecated (last release 2006).
# Use OWASP ZAP or Burp Suite for production security testing.
# This demonstration is for educational and historical understanding only.

# Step 1: Configure browser proxy settings
# Firefox: Settings > Network > Manual Proxy Configuration
#   HTTP Proxy:  127.0.0.1  Port: 8080
#   HTTPS Proxy: 127.0.0.1  Port: 8080

# Step 2: Launch Paros (Java application)
java -jar paros.jar &
# GUI opens — listening on localhost:8080

# Step 3: Install Paros CA certificate in browser
# Tools > Root CA > Export Certificate
# Firefox: Settings > Certificates > Import paros_ca.cer

# Step 4: Intercept a login request
# Paros > Trap > Trap Request
# Navigate to login page — Paros intercepts the POST request:
# POST /login HTTP/1.1
# username=admin&password=password123

# Step 5: SQL injection test via request editor
# Edit intercepted parameter:
# username=admin'--&password=anything
# Click Continue — observe if login succeeds (auth bypass)

# Step 6: Run Paros scanner
# Analyse > Spider  (discovers all pages and forms)
# Analyse > Active Scan  (tests SQLi, XSS, path traversal)

# Step 7: Compare with OWASP ZAP (modern equivalent)
./zap.sh -quickurl http://vulnerable-app.local -quickout report.html
# ZAP: 42 vulnerabilities found (vs Paros: 8 detections)
# ZAP additionally finds: DOM XSS, SSRF, IDOR, modern auth flaws
Outcome & Analysis
The Paros lab demonstration teaches junior penetration testers the core mechanics of intercepting proxy operation — how browser traffic flows through the proxy, how POST parameters can be modified in transit, and how automated scanners test for injection flaws. The direct comparison with OWASP ZAP shows that ZAP detects 42 vulnerabilities on the same target versus Paros’s 8 — including DOM-based XSS, SSRF, and IDOR findings that Paros’s passive-era engine cannot detect. The educational exercise establishes the foundational mental model before introducing the complete modern web application testing toolchain.
92
WebTitan
Cloud DNS Filtering & Web Security Platform — TitanHQ

Overview

WebTitan is a cloud-based DNS filtering and web security platform from TitanHQ providing URL filtering, malware protection, phishing prevention, and content policy enforcement for organisations of all sizes. WebTitan operates at the DNS resolution layer — DNS queries from enrolled devices are routed through WebTitan’s resolvers, which evaluate each queried domain against category databases, malware blacklists, phishing intelligence, and custom policies before resolving the address. DNS-layer filtering blocks malicious connections before any HTTP connection is established.

WebTitan maintains category databases covering 200-plus URL categories and integrates with real-time threat intelligence feeds to block newly registered malicious domains within hours of their first observed malicious activity. WebTitan OTG (Off The Grid) provides a lightweight agent for laptops operating outside the corporate network, enforcing DNS filtering through WebTitan’s cloud resolvers on roaming devices.

Key Features & Components

Feature / ComponentDescription
DNS-Layer Malware and Phishing BlockingBlocks malicious domains at DNS resolution before any connection — stops malware downloads, phishing sites, and C2 communication at the fastest possible layer.
200+ URL Category FilteringGranular web content policy controls by department, user group, time of day, or network segment — enforces acceptable use policies with detailed reporting.
Real-Time Threat IntelligenceIntegrates threat intelligence feeds to block newly registered malicious domains within hours of first observed malicious activity.
WebTitan OTG (Off-Network Protection)Lightweight agent for laptops outside the corporate network — DNS filtering enforced on roaming devices through WebTitan’s cloud resolvers.
BYOD and Guest WiFi FilteringEnforces content policies on guest WiFi and BYOD devices without installing agents — DNS enforcement covers any device on the network.
SIEM and API IntegrationLogs all DNS queries and blocked events for SIEM integration — API enables programmatic policy management and threat event retrieval.
Scenario
An MSP deploys WebTitan across 250 SMB clients. When Log4Shell is disclosed, WebTitan’s threat intelligence blocks exploitation callback domains across all 250 client networks within 4 hours of the first malicious domain registration — before any client patches a single vulnerable server.
Step-by-Step Command Walkthrough
TOKEN=$(curl -s -X POST 'https://api.webtitan.com/api/v2/auth/token' \
  -H 'Content-Type: application/json' \
  -d '{"username":"admin@msp.com","password":"WebTitanMSP2024!"}' \
  | python3 -c "import sys,json;print(json.load(sys.stdin)['token'])")

# List all managed client networks
curl -s 'https://api.webtitan.com/api/v2/networks' -H "Authorization: Bearer $TOKEN" \
  | python3 -c "import sys,json;print(f'Managed networks: {len(json.load(sys.stdin)["networks"])}')"

# Add Log4Shell callback domains to global blocklist (all clients)
curl -s -X POST 'https://api.webtitan.com/api/v2/lists/blacklist/domains' \
  -H "Authorization: Bearer $TOKEN" -H 'Content-Type: application/json' \
  -d '{"domains":["log4j-test.dnslog.cn","ldap.rce.cyou","interactsh.com"],
       "reason":"Log4Shell CVE-2021-44228 callback domains",
       "apply_to_all_networks":true}'

# Query blocked events for a specific client
curl -s 'https://api.webtitan.com/api/v2/reporting/dns-queries?network_id=CLIENT_NETWORK_ID&action=BLOCKED&category=Malware&start_date=2024-06-01T00:00:00Z' \
  -H "Authorization: Bearer $TOKEN" \
  | python3 -c "
import sys, json
e = json.load(sys.stdin)['events']
print(f'Blocked malware DNS queries: {len(e)}')
domains = set(x.get('domain') for x in e)
print(f'Unique blocked domains: {len(domains)}')
for d in list(domains)[:10]:
    print(f'  Blocked: {d}')"

# Create per-client custom policy for high-risk client
curl -s -X PUT 'https://api.webtitan.com/api/v2/policies/POLICY_ID' \
  -H "Authorization: Bearer $TOKEN" -H 'Content-Type: application/json' \
  -d '{"blocked_categories":["Malware","Phishing","Botnet","Proxy_Avoidance","Newly_Registered_Domains"],
       "safe_search_enforced":true}'
Outcome & Analysis
WebTitan adds 47 Log4Shell callback domains to the global blocklist within 4 hours of the first exploitation campaign. All 250 client networks simultaneously block LDAP and DNS callback attempts before any of the 250 SMB clients patches a single vulnerable Java application. Over 30 days, WebTitan logs 23,847 blocked Log4Shell callback attempts across client networks. The MSP deploys the emergency blocklist to all 250 clients through a single API call — a change that would have required individual firewall updates on each client’s network without WebTitan’s centralised multi-tenant architecture.
93
SiteLock
Website Security & Malware Protection for SMBs

Overview

SiteLock is a cloud-based website security platform providing automated malware scanning, vulnerability detection, web application firewall (WAF), DDoS protection, and reputation monitoring — primarily targeting SMBs and individual website owners managing CMS-based sites (WordPress, Joomla, Drupal, Magento). SiteLock performs daily automated scanning of website files, databases, and code for malware infections, injected scripts, backdoors, SEO spam, and Trojans across PHP, JavaScript, HTML, and CSS code.

The SMART (Secure Malware Alert and Removal Tool) automated malware removal service detects and removes infections without requiring manual intervention. SiteLock’s TrueShield WAF protects against SQL injection, XSS, CSRF, and OWASP Top 10 attacks. The platform monitors 40-plus domain reputation blacklists and alerts when a domain is flagged for hosting malware or phishing content.

Key Features & Components

Feature / ComponentDescription
Automated Daily Malware ScanningScans all website files and database content for malware, backdoors, injected scripts, and SEO spam — covering PHP, JavaScript, HTML across all major CMS platforms.
SMART (Automated Malware Removal)Automatically removes detected malware without manual intervention — addresses most infections within hours of detection without requiring technical knowledge.
TrueShield WAFCloud-based WAF protecting against SQLi, XSS, CSRF, and OWASP Top 10 — globally distributed reverse proxy providing DDoS mitigation alongside application protection.
CMS Vulnerability ScanningIdentifies outdated WordPress core, plugin, and theme versions with known CVEs — specific vulnerability reporting for installed CMS components.
Blacklist and Reputation MonitoringMonitors 40+ domain blacklists continuously — alerts when the domain is flagged for malware or phishing content by major reputation services.
SiteLock Trust SealDynamic badge displaying current scan status — confidence signal for visitors confirming daily security check results.
Scenario
A WooCommerce e-commerce site is infected with a card-skimming script injected via a vulnerable Stripe plugin. SiteLock SMART detects and removes the skimmer, TrueShield WAF blocks further injection attempts, and the vulnerability scanner identifies 7 additional outdated plugins — the entire detection-to-remediation cycle completing without the site owner writing a line of code.
Step-by-Step Command Walkthrough
TOKEN=$(curl -s -X POST 'https://api.sitelock.com/v1/auth/token' \
  -H 'Content-Type: application/json' \
  -d '{"username":"admin@store.com","password":"SiteLockAdmin2024!"}' \
  | python3 -c "import sys,json;print(json.load(sys.stdin)['access_token'])")

# Get current security status for all monitored sites
curl -s 'https://api.sitelock.com/v1/sites' -H "Authorization: Bearer $TOKEN" \
  | python3 -c "
import sys, json
for s in json.load(sys.stdin)['sites']:
    print(f'Domain: {s["domain"]} | Status: {s["security_status"]} | Malware: {s.get("malware_detected",False)}')"

# Trigger immediate high-priority malware scan
curl -s -X POST 'https://api.sitelock.com/v1/sites/SITE_ID/scans' \
  -H "Authorization: Bearer $TOKEN" -H 'Content-Type: application/json' \
  -d '{"scan_type":"malware","priority":"high"}'

# Get scan results with malware findings
curl -s 'https://api.sitelock.com/v1/sites/SITE_ID/findings?type=malware&status=active' \
  -H "Authorization: Bearer $TOKEN" \
  | python3 -c "
import sys, json
findings = json.load(sys.stdin)['findings']
print(f'Active malware findings: {len(findings)}')
for f in findings:
    print(f'  {f["file_path"]}: {f["malware_type"]} | Auto-removed: {f.get("auto_removed",False)}')"

# Request SMART automated malware removal
curl -s -X POST 'https://api.sitelock.com/v1/sites/SITE_ID/remediation/smart' \
  -H "Authorization: Bearer $TOKEN" -d '{"auto_remove":true}'

# Get CMS vulnerability report (WordPress)
curl -s 'https://api.sitelock.com/v1/sites/SITE_ID/vulnerabilities?cms=wordpress' \
  -H "Authorization: Bearer $TOKEN" \
  | python3 -c "
import sys, json
vulns = json.load(sys.stdin)['vulnerabilities']
print(f'CMS vulnerabilities: {len(vulns)}')
for v in vulns:
    print(f'  {v.get("component")}: {v.get("cve_id")} CVSS:{v.get("cvss")}')" 
Outcome & Analysis
SiteLock SMART detects the card-skimming JavaScript injected into checkout.php and automatically removes it within 47 minutes — restoring the checkout page without any manual action from the site owner. The CMS scanner identifies 7 outdated plugins including the vulnerable Stripe plugin (CVE-2024-12345, CVSS 9.8) through which the infection occurred. TrueShield WAF blocks 12 subsequent re-injection attempts with virtual patching. Google Safe Browsing blacklist status is cleared within 24 hours of malware removal. The site owner receives the complete resolution without writing any code or accessing the server.
94
Maltego
OSINT & Visual Link Analysis Investigation Platform

Overview

Maltego is a comprehensive intelligence and investigation platform providing visual link analysis for OSINT gathering, threat intelligence research, digital forensics, and cyber investigation. Developed by Paterva (acquired by Maltego Technologies in 2019), Maltego represents relationships between data entities — people, organisations, domains, IP addresses, email addresses, social media accounts, cryptocurrency wallets, phone numbers, and infrastructure components — as an interactive visual graph, making hidden connections discoverable that text-based research cannot reveal.

Maltego’s Transform system is its operational core: Transforms are API connectors to external data sources that automatically query services and add discovered information to the graph. The Transform Hub provides 60-plus data providers including Shodan, VirusTotal, HaveIBeenPwned, Censys, PassiveTotal, ThreatMiner, LinkedIn, social media platforms, and specialised OSINT databases.

Key Features & Components

Feature / ComponentDescription
Visual Link Analysis GraphInteractive relationship visualisation between entities — people, domains, IPs, organisations, social accounts — making complex multi-entity connections understandable.
Transform Hub (60+ Data Sources)API connectors to Shodan, VirusTotal, HaveIBeenPwned, Censys, PassiveTotal, LinkedIn, blockchain, and OSINT databases — automated multi-source enrichment.
OSINT Investigation TemplatesPre-built investigation workflows for phishing attribution, threat actor infrastructure mapping, domain/IP analysis, person OSINT, and social network analysis.
Threat Infrastructure MappingMaps malware C2 infrastructure and phishing hosting networks through domain registration, passive DNS, and certificate transparency data.
Maltego XL (Large-Scale Graphs)Handles 1,000,000+ entity graphs for law enforcement and national CERT investigations — suitable for large-scale cyber investigation and attribution operations.
Custom Transform DevelopmentPython and Java Transform APIs — organisations build custom Transforms connecting to proprietary data sources, internal databases, or specialised intelligence feeds.
Scenario
A threat intelligence analyst uses Maltego to map the complete infrastructure of a ransomware group starting from a Bitcoin wallet in a ransom note — discovering shared infrastructure across 12 previously unattributed campaigns through shared certificate fingerprints, registrar accounts, and cryptocurrency wallet clusters.
Step-by-Step Command Walkthrough
# Maltego Python Transform — custom Bitcoin OSINT
from maltego_trx.transform import DiscoverableTransform
import requests

class BitcoinWalletTransactions(DiscoverableTransform):
    @classmethod
    def create_entities(cls, request, response):
        btc_address = request.Value
        data = requests.get(f'https://blockchain.info/rawaddr/{btc_address}', timeout=10).json()
        for tx in data.get('txs', [])[:10]:
            for output in tx.get('out', []):
                addr = output.get('addr', '')
                if addr and addr != btc_address:
                    entity = response.addEntity('maltego.BitcoinAddress', addr)
                    entity.addProperty('Amount BTC', value=str(output.get('value',0)/1e8))

# Maltego GUI investigation workflow:

# STEP 1: Start with ransom note Bitcoin wallet
# New Graph > Add Entity: BitcoinAddress
# Value: 1BvBMSEYstWetqTFn5Au4m4GFg7xJaNVN2

# STEP 2: Bitcoin Transforms
# Right-click > Run Transform: Wallet to Transactions
# Graph expands to transaction partners

# STEP 3: Pivot to Tor .onion negotiation URL
# Add Entity: URL (from ransom note)
# Run Transforms: URL > Domain > IP > Shodan open ports

# STEP 4: Certificate transparency analysis
# Run Transform: Domain to SSL Certificates (crt.sh)
# Shared cert fingerprint reveals other domains

# STEP 5: WHOIS pivoting on all discovered domains
# Run Transform: Domain to WHOIS
# Filter: shared registrar email across domains

# STEP 6: Breach record lookup
# Run Transform: Email to HaveIBeenPwned
Outcome & Analysis
Starting from the ransom note Bitcoin wallet, Maltego expands to 847 connected entities in 35 minutes. Certificate transparency analysis reveals 12 domains sharing the same self-signed TLS fingerprint — all previously unattributed ransomware negotiation sites from campaigns over 18 months. WHOIS pivoting on the registrar email discovers 23 additional registered domains. Bitcoin wallet cluster analysis shows $2.3M in ransom payments routed through an identical mixing pattern to 3 cryptocurrency exchange deposit addresses. The complete threat actor infrastructure map — 23 campaigns, 34 domains, 8 IP ranges, 12 Bitcoin wallets — is shared with law enforcement as a Maltego graph export.
95
BluVector
AI/ML Network Threat Detection — Comcast Technology Solutions

Overview

BluVector is an AI-driven network threat detection platform from Comcast Technology Solutions providing network-based advanced malware detection using supervised machine learning models trained on the semantic structure of executable files and documents — not signatures. BluVector analyses network traffic in real time, extracting and classifying executable files, documents, and scripts traversing monitored network flows based on structural and statistical properties learned from training on millions of malware and benign samples.

BluVector’s ML approach provides a fundamental advantage over signature-based detection for zero-day and novel malware: completely new malware samples share structural properties with their malware family — enabling detection without any prior knowledge of the specific sample. BluVector operates as a passive out-of-band network sensor from mirrored traffic, without impacting production network performance. Retroactive analysis capability allows previously captured traffic to be re-analysed against updated models.

Key Features & Components

Feature / ComponentDescription
AI/ML Zero-Day Malware DetectionSupervised ML classifies executables and documents by structural properties — detects novel malware variants without signatures based on semantic analysis.
Network File Extraction and AnalysisReconstructs files from monitored network traffic (HTTP, SMTP, FTP, SMB) for ML classification — passive network sensor without performance impact.
Multi-Protocol CoverageAnalyses file transfers across HTTP, HTTPS (with SSL inspection), SMTP, FTP, SMB, and other protocols — comprehensive network visibility for file-borne threats.
Retroactive AnalysisRe-analyses previously captured network traffic against updated models — identifies malware that evaded detection at capture time when better models become available.
PCAP-Based Forensic InvestigationFull packet capture with file extraction enables forensic investigation — complete evidence chain from network capture to malware file analysis.
SIEM IntegrationExports detection events and malware metadata to Splunk, QRadar, and SIEM platforms — integrates network ML detection into broader SOC alert workflows.
Scenario
BluVector detects a zero-day PDF dropper delivered via spear-phishing with zero VirusTotal detections — a novel malware loader that bypasses all signature-based controls. The ML model classifies it as malicious with 94% confidence based on structural characteristics shared with the SUNBURST malware family.
Step-by-Step Command Walkthrough
TOKEN=$(curl -s -X POST 'https://bluvector.corp.local:8443/api/v1/auth/login' \
  -H 'Content-Type: application/json' \
  -d '{"username":"admin","password":"BluVectorAdmin2024!"}' \
  | python3 -c "import sys,json;print(json.load(sys.stdin)['token'])")

# Query high-confidence malicious detections (last 24h)
curl -s 'https://bluvector.corp.local:8443/api/v1/detections?severity=HIGH,CRITICAL&confidence_min=0.85&start_time=2024-06-16T00:00:00Z' \
  -H "Authorization: Bearer $TOKEN" \
  | python3 -c "
import sys, json
dets = json.load(sys.stdin)['detections']
print(f'High-confidence detections: {len(dets)}')
for d in dets[:5]:
    print(f'  File:{d["filename"]} | SHA256:{d["sha256"]} | ML Score:{d["confidence"]:.2%}')
    print(f'    Source: {d["src_ip"]} -> {d["dst_ip"]}')"

# Get detailed detection report
curl -s 'https://bluvector.corp.local:8443/api/v1/detections/DETECTION_ID' \
  -H "Authorization: Bearer $TOKEN" \
  | python3 -c "
import sys, json
d = json.load(sys.stdin)
print(f'Classification: {d["classification"]}')
print(f'ML Confidence:  {d["confidence"]:.2%}')
print(f'Similar Family: {d["closest_family"]}')"

# Download reconstructed file for sandbox analysis
curl -s 'https://bluvector.corp.local:8443/api/v1/detections/DETECTION_ID/file' \
  -H "Authorization: Bearer $TOKEN" \
  -o '/cases/INC-2024-0847/bluvector_sample.pdf'

# Retroactive analysis — re-scan last 30 days with updated models
curl -s -X POST 'https://bluvector.corp.local:8443/api/v1/retroactive-scan' \
  -H "Authorization: Bearer $TOKEN" \
  -d '{"pcap_start_date":"2024-05-17","pcap_end_date":"2024-06-17","model_version":"latest"}'
Outcome & Analysis
BluVector detects the zero-day PDF dropper with 94% ML confidence — VirusTotal shows zero engine detections, confirming it is a previously unknown sample. The ML model classifies it as structurally similar to SUNBURST/Solorigate based on PE header characteristics, obfuscation patterns, and entropy distribution. Retroactive analysis of 30 days of stored captures identifies 3 additional instances where the same variant traversed the email gateway on earlier dates — all missed by signature-based controls. The recovered PDF is submitted to sandbox analysis, confirming Cobalt Strike second-stage delivery via DNS C2.
96
Magnet AXIOM Cyber
Multi-Source Digital Forensics & IR Platform — Magnet Forensics

Overview

Magnet AXIOM Cyber is a comprehensive digital forensics and incident response platform from Magnet Forensics providing a unified investigation environment combining disk forensics, memory forensics, cloud evidence acquisition (Microsoft 365, Google Workspace, Slack, Teams, Box, Dropbox, AWS, Azure), remote endpoint collection, and advanced artefact analysis within a single application. AXIOM Cyber is specifically designed for enterprise IR scenarios where evidence spans multiple types across a heterogeneous investigation.

Magnet AXIOM Cyber’s remote evidence acquisition capability deploys a lightweight collection agent to remote endpoints over the network, collecting targeted forensic artefacts, memory dumps, and cloud account data without physical access — enabling global enterprise IR without shipping laptops to analysts. The Magnet.AI categorisation engine uses ML to automatically tag and prioritise collected artefacts. Integration with Magnet AUTOMATE enables policy-driven automated evidence collection triggered by SIEM alerts.

Key Features & Components

Feature / ComponentDescription
Unified Multi-Source InvestigationSingle platform combining disk, memory, cloud (M365, Google Workspace, AWS), collaboration (Slack, Teams), and remote endpoint evidence — complete IR picture in one workspace.
Remote Endpoint CollectionLightweight agent collects targeted artefacts, registry, event logs, and memory from remote endpoints without physical access — global enterprise IR coverage.
Cloud Evidence AcquisitionAuthenticates to Microsoft 365, Google Workspace, Slack, Teams, Box, Dropbox, AWS, and Azure — collecting emails, files, messages, and audit logs as forensic evidence.
Magnet.AI Artefact CategorisationML-based artefact categorisation and prioritisation — automatically surfaces investigatively significant evidence from large collections to reduce review time.
Unified Timeline AnalysisChronological timeline from all evidence sources — Windows event logs, file system timestamps, browser history, and cloud activity in one scrollable timeline.
Magnet AUTOMATE IntegrationPolicy-driven automated evidence collection triggered by SIEM alerts — preserves evidence at incident declaration before attacker activity is obscured.
Scenario
A CFO’s Microsoft 365 account is compromised in a BEC attack. AXIOM Cyber acquires the complete email history, OneDrive files, and Teams messages from M365 and simultaneously collects endpoint forensic artefacts from the CFO’s laptop — building a unified timeline that reconstructs exactly when the account was compromised, which emails were monitored, and how the fraud attempt was staged.
Step-by-Step Command Walkthrough
# Magnet AUTOMATE: trigger collection on SIEM P1 BEC alert
from flask import Flask, request
import subprocess

app = Flask(__name__)

@app.route('/axiom-automate', methods=['POST'])
def trigger_collection():
    alert = request.json
    if alert.get('severity') == 'P1' and 'BEC' in alert.get('tags', []):
        subprocess.run(['MagnetAutomate', '--trigger', 'collect',
            '--case', alert['incident_id'],
            '--host', alert['affected_host'],
            '--user', alert['affected_user'],
            '--profile', 'BEC_Investigation_Profile',
            '--output', f'/cases/{alert["incident_id"]}/evidence/'])
    return {'status': 'collection_triggered'}, 200

# AXIOM Cyber GUI investigation workflow:

# STEP 1: Create case — File > New Case > BEC_CFO_Jun2024

# STEP 2: Acquire Microsoft 365 mailbox evidence
# Add Evidence > Cloud > Microsoft 365
#   Target:     cfo@corp.com
#   Evidence:   Email, Calendar, OneDrive, SharePoint, Teams Messages
#   Date range: All available (12 months)

# STEP 3: Remote endpoint collection (CFO laptop at 10.50.14.22)
# Add Evidence > Remote Computer > 10.50.14.22
#   Profile: IR_Standard
#     Windows Event Logs (Security, System, Sysmon)
#     Browser history (Chrome, Edge)
#     Prefetch, shimcache, amcache
#     Registry hives (NTUSER.DAT, SAM, SYSTEM)
#     Recent files (LNK, Jump Lists, Shellbags)

# STEP 4: Process with Magnet.AI
# Process > Process Evidence
# Enable: Magnet.AI Categorisation, Timeline, Connections

# STEP 5: Review unified timeline
# Timeline > 2024-05-01 to 2024-06-17
# Filter: User=cfo@corp.com | Sort: chronological
Outcome & Analysis
AXIOM Cyber’s M365 acquisition recovers 14,287 emails, 847 OneDrive files, and 2,341 Teams messages. The unified timeline reveals: AiTM phishing compromised the account on Day 1 at 11:43 AM; two inbox rules forwarding emails with ‘wire’, ‘transfer’, ‘payment’, ‘invoice’ keywords were created at 11:47 AM; the attacker monitored vendor correspondence for 8 days; and impersonated the CFO to redirect a $2.1M payment on Day 9. The endpoint artefacts show no malware — AiTM phishing used legitimate Microsoft session cookies. The complete forensic timeline is exported as a court-admissible report with chain-of-custody affidavit for law enforcement referral.
97
Prelude Detect
Adversary Emulation & Continuous Security Validation

Overview

Prelude Detect is an adversary emulation and continuous security validation platform testing whether an organisation’s defences actually detect and respond to real adversary techniques. Prelude executes production-safe Verified Security Tests (VSTs) — atomic technique tests mapped to MITRE ATT&CK — against live endpoints and automatically validates whether the SIEM, EDR, and security stack generated expected detections. This continuous validation answers the question most security programmes cannot: ‘Do our controls actually detect what they claim to detect?’

Prelude Detect differs from traditional Breach and Attack Simulation (BAS) tools through its automated verification model — tests are not just executed but the platform queries connected detection tools to confirm the technique actually triggered an alert. If a technique executes without generating a detection, Prelude identifies the coverage gap and provides specific SIEM query suggestions, Sigma rules, and EDR policy configurations to close it.

Key Features & Components

Feature / ComponentDescription
MITRE ATT&CK Mapped VSTsProduction-safe technique tests mapped to ATT&CK — executed on real endpoints to validate actual detection coverage, not theoretical rule existence.
Automated Detection VerificationQueries connected SIEM and EDR to confirm tests generated expected alerts — distinguishes ‘we have a rule’ from ‘the rule actually fires on real technique execution’.
ATT&CK Coverage Gap IdentificationIdentifies specific techniques not detected by current controls — evidence-based detection coverage map with systematic gap analysis.
Continuous Validation SchedulingRe-validates after rule changes, SIEM updates, or EDR policy deployments — confirms controls remain effective after configuration changes.
Specific Remediation GuidanceFor each gap, provides SIEM SPL/AQL queries, Sigma rule templates, and EDR policy configurations to close the specific detection gap.
Operator Framework IntegrationIntegrates with the open-source Operator C2 framework — red team validation testing using the same platform as continuous defensive validation.
Scenario
A SOC uses Prelude Detect to validate that Splunk ES rules and CrowdStrike EDR policy actually detect the 10 most common ransomware operator techniques — discovering 4 of 10 execute without generating any alert, including the most common technique (T1059.001 PowerShell encoded execution).
Step-by-Step Command Walkthrough
TOKEN=$(curl -s -X POST 'https://api.prelude.org/detect/authenticate' \
  -H 'Content-Type: application/json' \
  -d '{"account_id":"ACCT_ID","handle":"admin","password":"PreludeDetect2024!"}' \
  | python3 -c "import sys,json;print(json.load(sys.stdin)['token'])")

# List VSTs mapped to ransomware ATT&CK techniques
curl -s 'https://api.prelude.org/detect/tests' -H "Token: $TOKEN" \
  | python3 -c "
import sys, json
tests = json.load(sys.stdin)['tests']
ransomware_ttps = ['T1059.001','T1003.001','T1082','T1486','T1490']
relevant = [t for t in tests if t.get('technique_id') in ransomware_ttps]
print(f'Ransomware TTP tests available: {len(relevant)}')
for t in relevant:
    print(f'  {t["technique_id"]}: {t["name"]}')"

# Deploy VST to a Windows test endpoint
curl -s -X POST 'https://api.prelude.org/detect/queue' -H "Token: $TOKEN" \
  -H 'Content-Type: application/json' \
  -d '{"test":"T1059.001_POWERSHELL_ENCODED","endpoint":"ENDPOINT_ID_WINDOWS_TESTHOST"}'

sleep 120

# Check results
curl -s 'https://api.prelude.org/detect/activity' -H "Token: $TOKEN" \
  | python3 -c "
import sys, json
for a in json.load(sys.stdin)['activity'][:10]:
    print(f'Test: {a["test"]} | Technique: {a["technique_id"]}')
    print(f'  Executed: {a["executed"]} | Detected: {a["detected"]}')
    if a.get('status') == 'GAP':
        print(f'  GAP: No detection — controls need remediation')"

# Get ATT&CK coverage visualisation
curl -s 'https://api.prelude.org/detect/coverage' -H "Token: $TOKEN" \
  | python3 -c "
import sys, json
c = json.load(sys.stdin)
print(f'Techniques tested:   {c["tested_techniques"]}')
print(f'Detected:            {c["detected_techniques"]}')
print(f'Coverage gaps:       {c["gap_count"]}')
print(f'Coverage %:          {c["coverage_percentage"]}%')" 
Outcome & Analysis
Prelude Detect runs all 10 ransomware TTP tests and verifies detection against Splunk ES and CrowdStrike. Six tests are detected; 4 are confirmed gaps: T1059.001 (PowerShell Encoded Command) generates no Splunk alert despite a rule existing — analysis reveals the rule uses the wrong EventCode field. T1003.001 (LSASS Memory Access) detects via CrowdStrike but not Splunk. T1490 (Shadow Copy Deletion) is detected by neither tool. Prelude provides specific remediation: corrected SPL query for T1059.001, NTDLL hook policy for T1003.001, vssadmin Sysmon rule for T1490. Re-run 48 hours later confirms all 4 gaps closed — proven, verified detection coverage.
98
Varonis for Active Directory
Data Security & AD Threat Detection Platform

Overview

Varonis for Active Directory (Varonis Data Security Platform — Active Directory module) is a data security and threat detection platform specialising in understanding and securing access to Active Directory, file systems, SharePoint, Exchange, and other enterprise data stores. Varonis maps the complete data access topology — who has access to what data, whether that access is actually used, which access paths are excessive or misconfigured, and which authentication patterns represent threat indicators.

Varonis automatically discovers Active Directory security misconfigurations: accounts with non-expiring passwords, password-not-required flags, stale accounts, nested group shadow admin paths enabling unintended privilege escalation, service accounts with unconstrained Kerberos delegation, and domain controller misconfigurations. The DatAlert (now Varonis Threat Detection and Response) module provides pre-built detection rules for Kerberoasting, AS-REP Roasting, Golden Ticket attacks, DCSync, LSASS memory access, and lateral movement.

Key Features & Components

Feature / ComponentDescription
AD Misconfiguration DiscoveryIdentifies stale accounts, non-expiring passwords, password-not-required flags, nested group shadow admin paths, and unconstrained Kerberos delegation automatically.
DatAlert AD Attack DetectionPre-built detection for Kerberoasting, AS-REP Roasting, Golden Ticket, DCSync, LSASS access, and lateral movement patterns in AD authentication events.
Data Access Topology MappingMaps who has access to every file share, SharePoint site, and Exchange mailbox — identifies over-permissioned accounts and excessive inherited access.
Behavioural Baseline AnalyticsBuilds per-user access baselines — detects anomalous data access patterns, unusual authentication times, and privilege escalation attempts.
Automated Stale Access RemediationIdentifies permissions unused for configurable time periods — optionally removes stale access automatically to enforce least-privilege without manual review.
Privilege Escalation Path VisualisationMaps AD group membership privilege escalation paths — shows how a low-privilege account can reach Domain Admin through nested group chains.
Scenario
Varonis detects a Kerberoasting attack in real time — a compromised service desk account enumerates SPNs and requests TGS tickets for 23 service accounts. Varonis fires the alert within 4 minutes based on abnormal SPN enumeration behaviour and automatically disables the compromised account.
Step-by-Step Command Walkthrough
TOKEN=$(curl -s -X POST 'https://varonis.corp.local/api/v1/auth/token' \
  -H 'Content-Type: application/json' \
  -d '{"username":"varonis_api","password":"VaronisAPI2024!"}' \
  | python3 -c "import sys,json;print(json.load(sys.stdin)['access_token'])")

# Query all CRITICAL active alerts (last 24h)
curl -s 'https://varonis.corp.local/api/v1/alerts?severity=CRITICAL,HIGH&status=OPEN&start_time=2024-06-16T00:00:00Z' \
  -H "Authorization: Bearer $TOKEN" \
  | python3 -c "
import sys, json
alerts = json.load(sys.stdin)['alerts']
print(f'Critical/High alerts: {len(alerts)}')
for a in alerts[:5]:
    print(f'  {a["rule_name"]}: {a["affected_user"]}')"

# Get AD misconfiguration risk report
curl -s 'https://varonis.corp.local/api/v1/reports/ad-risk' \
  -H "Authorization: Bearer $TOKEN" \
  | python3 -c "
import sys, json
r = json.load(sys.stdin)
print('Active Directory Risk Summary:')
print(f'  Stale user accounts:      {r.get("stale_users",0)}')
print(f'  Non-expiring passwords:   {r.get("non_expiring_passwords",0)}')
print(f'  Unconstrained delegation: {r.get("unconstrained_delegation",0)}')
print(f'  Shadow admin paths:       {r.get("shadow_admin_paths",0)}')"

# Get Kerberoasting alert details (SPNs targeted)
curl -s 'https://varonis.corp.local/api/v1/alerts/ALERT_ID/events' \
  -H "Authorization: Bearer $TOKEN" \
  | python3 -c "
import sys, json
events = json.load(sys.stdin)['events']
spns = [e.get('target_spn') for e in events if e.get('event_type')=='TGS_REQUEST']
print(f'SPNs targeted: {len(spns)}')
for s in spns[:10]: print(f'  {s}')"

# Automated response: disable compromised account
curl -s -X POST 'https://varonis.corp.local/api/v1/alerts/ALERT_ID/actions' \
  -H "Authorization: Bearer $TOKEN" -H 'Content-Type: application/json' \
  -d '{"action":"DISABLE_USER","target_user":"helpdesk.user@corp.com",
       "reason":"Kerberoasting attack detected INC-2024-0847"}'
Outcome & Analysis
Varonis DatAlert fires the ‘Abnormal SPN Enumeration’ rule 4 minutes after the attacker begins — the helpdesk account issued 23 TGS requests across 14 minutes, 47× above its 6-month baseline of zero. The automated response disables the helpdesk account immediately. The AD risk report simultaneously surfaces a critical finding: 8 of the 23 targeted service accounts have passwords set in 2016 and unchanged since. Varonis’s shadow admin path analysis shows 3 of the 23 targeted accounts would provide a path to Domain Admin if cracked. All 23 service account passwords are rotated as priority remediation.
99
Intercept X Advanced
Next-Gen Endpoint Protection with CryptoGuard & XDR — Sophos

Overview

Sophos Intercept X Advanced with XDR (Extended Detection and Response) is a comprehensive endpoint protection platform combining next-generation antivirus (NGAV), exploit prevention (25-plus techniques), anti-ransomware technology (CryptoGuard), deep learning malware detection, active adversary mitigations, and XDR data lake investigation capabilities. Sophos Intercept X consistently achieves top rankings in MITRE ATT&CK Evaluations, SE Labs, and AV-TEST benchmarks.

CryptoGuard is Intercept X’s signature ransomware prevention module — it monitors file system activity in real time for the rapid, systematic file encryption patterns characteristic of ransomware. When CryptoGuard detects ransomware behaviour (mass file modification with entropy increases), it immediately terminates the ransomware process, rolls back already-encrypted files from Volume Shadow Copies or Sophos’s own file copies, and alerts the SOC. Sophos XDR extends detection across endpoints, servers, firewalls, and email through a unified cloud data lake.

Key Features & Components

Feature / ComponentDescription
CryptoGuard (Anti-Ransomware)Real-time behavioural ransomware detection by file system encryption patterns — terminates ransomware and rolls back encrypted files before significant data loss.
Deep Learning Malware DetectionDeep neural network classifying files as malicious based on millions of structural features — detects novel malware with no prior signatures required.
Exploit Prevention (25+ Techniques)Blocks ROP, heap spray, memory allocation abuse, and reflective DLL loading — protects against exploitation of unpatched vulnerabilities.
Active Adversary MitigationsDetects credential harvesting, lateral movement, Cobalt Strike activity, AMSI bypass, and PowerShell abuse — disrupts post-exploitation attacks mid-execution.
Sophos XDR (Cross-Product Data Lake)Correlates detection data from Endpoint, Server, Firewall, Email, and Cloud in a centralised data lake — unified threat investigation without multiple tool consoles.
Sophos MDR (Managed DR)Optional 24/7 Sophos threat hunting and response service — fully managed SOC capability for organisations without dedicated security analysts.
Scenario
CryptoGuard detects LockBit 3.0 ransomware 4 seconds after it begins encrypting files on a file server — terminating the ransomware process, rolling back 847 already-encrypted files, and alerting the SOC. Without CryptoGuard, LockBit would have encrypted the entire 500,000-file server volume within 7 minutes.
Step-by-Step Command Walkthrough
# Authenticate (OAuth2 client credentials)
AUTH=$(curl -s -X POST 'https://id.sophos.com/api/v2/oauth2/token' \
  -H 'Content-Type: application/x-www-form-urlencoded' \
  -d 'grant_type=client_credentials&client_id=SOPHOS_CLIENT_ID&client_secret=SOPHOS_CLIENT_SECRET&scope=token')
ACCESS_TOKEN=$(echo $AUTH | python3 -c "import sys,json;print(json.load(sys.stdin)['access_token'])")
TENANT_ID="YOUR_TENANT_ID"

# Query critical endpoint alerts (last 24h)
curl -s 'https://api.central.sophos.com/endpoint/v1/alerts?severity=critical&from=2024-06-16T00:00:00.000Z' \
  -H "Authorization: Bearer $ACCESS_TOKEN" -H "X-Tenant-ID: $TENANT_ID" \
  | python3 -c "
import sys, json
alerts = json.load(sys.stdin).get('items',[])
print(f'Critical alerts (24h): {len(alerts)}')
for a in alerts[:5]:
    print(f'  [{a["type"]}] {a["description"]}')
    print(f'    Host: {a["managedAgent"]["hostname"]}')"

# Network-isolate a compromised endpoint
curl -s -X POST 'https://api.central.sophos.com/endpoint/v1/endpoints/ENDPOINT_ID/isolate' \
  -H "Authorization: Bearer $ACCESS_TOKEN" -H "X-Tenant-ID: $TENANT_ID" \
  -H 'Content-Type: application/json' \
  -d '{"comment":"LockBit detected — isolating for investigation"}'

# Query CryptoGuard rollback events
curl -s 'https://api.central.sophos.com/endpoint/v1/events?eventTypes=crypto_guard&from=2024-06-16T00:00:00.000Z' \
  -H "Authorization: Bearer $ACCESS_TOKEN" -H "X-Tenant-ID: $TENANT_ID" \
  | python3 -c "
import sys, json
events = json.load(sys.stdin).get('items',[])
print(f'CryptoGuard events: {len(events)}')
for e in events[:3]:
    print(f'  Host:{e["source"]["hostname"]} | Files rolled back:{e.get("filesRestored",0)} | Threat:{e["name"]}')"

# Sophos XDR: hunt for LockBit lateral movement in data lake
curl -s -X POST 'https://api.central.sophos.com/xdr-query/v1/queries/runs' \
  -H "Authorization: Bearer $ACCESS_TOKEN" -H "X-Tenant-ID: $TENANT_ID" \
  -H 'Content-Type: application/json' \
  -d '{"adHocQuery":{"template":"SELECT filePath,userName,spawnedProcessName,time
    FROM xdr_data.endpoint.process.start WHERE time > ago(1d)
    AND (spawnedProcessName LIKE \'%wmic%\' OR spawnedProcessName LIKE \'%psexec%\')
    ORDER BY time DESC LIMIT 100"},
    "from":"2024-06-16T00:00:00.000Z"}'
Outcome & Analysis
CryptoGuard detects LockBit 3.0 precisely 4 seconds after the first batch of files is encrypted. The ransomware process (svchost.exe, PID 8847) is terminated immediately. CryptoGuard rolls back all 847 already-encrypted files with zero data loss on the file server. The Sophos Central alert fires simultaneously, and the endpoint is automatically isolated within 8 seconds via the API. Sophos XDR data lake querying identifies LockBit’s lateral movement pattern across 4 additional endpoints from the preceding 2 hours — all 4 are isolated before any ransomware execution reaches them. Total outcome: 4 seconds to detection, 847 files recovered, zero permanent data loss from an attack that would have destroyed 500,000 files in 7 minutes.
References & Further Reading

References