In-Depth Technical Reference & Use Case Demonstrations
Introduction
This document provides in-depth technical descriptions, architectural overviews, key feature analyses, and practical use-case demonstrations for 29 cybersecurity tools across three domains: Incident Response Cloud Security , and Miscellaneous. Each profile includes specific command-line examples, API calls, configuration excerpts, realistic enterprise scenarios, and measurable outcomes — enabling practitioners to understand both what each tool does and precisely how it is applied in real-world environments.
Tools span the full spectrum from free open-source platforms to commercial enterprise solutions, from historical tools of significant educational value to cutting-edge AI-driven detection systems. Command examples use realistic IP addressing, naming conventions, API structures, and operational parameters consistent with production deployment patterns.
Section 1: Incident Response
This section provides comprehensive profiles for 10 incident response tools (Tools 71–80) — architectures, operational capabilities, and real-world application scenarios.
Overview
TheHive is a free, open-source Security Incident Response Platform (SIRP) providing SOC analysts and incident response teams with a collaborative, structured case management environment. Every incident is a Case containing Tasks (assigned to analysts with due dates and status tracking), Observables (IoCs automatically enriched via Cortex), and a Timeline. TheHive integrates natively with MISP for bidirectional threat intelligence sharing and Cortex for automated observable analysis through 100-plus analysers including VirusTotal, MISP lookup, Shodan, MaxMind GeoIP, and PassiveTotal.
Alert templates enable automatic case creation from SIEM alerts and email gateways, eliminating manual case setup for high-volume alert types. Cortex analysers can be triggered one-click or automatically — enriching every observable with intelligence from dozens of sources without analyst pivot work. TheHive 5 (commercial successor) adds SLA tracking, executive dashboards, and multi-organisational management.
Key Features & Components
| Feature / Component | Description |
|---|---|
| Case and Task Management | Structured incidents with analyst-assigned tasks, priority levels, due dates, status tracking, and collaborative annotation — complete incident lifecycle in a single shared workspace. |
| Observable Enrichment via Cortex | One-click or automated IoC analysis through 100+ Cortex analysers — VirusTotal, MISP lookup, Shodan, Abuse.ch, PassiveTotal, MaxMind GeoIP — without manual pivoting. |
| MISP Bidirectional Integration | Import MISP events as TheHive alerts; export confirmed case observables to MISP as community IoC contributions — closes the investigation-to-intelligence sharing loop. |
| Alert Ingestion and Deduplication | Receives alerts from SIEM, email, API, and ticketing sources — deduplicates related alerts into unified cases, preventing analyst workload fragmentation. |
| Multi-Tenant (MSSP) Architecture | Isolated tenants per client organisation with role-based analyst access — MSSP analysts see only their assigned clients’ cases with complete data separation. |
| Full REST API | Complete programmatic case, task, observable, and alert management — enables SOAR integration, automated case creation, and custom workflow orchestration. |
THEHIVE_URL='https://thehive.corp.local:9000'
API_KEY='YOUR_THEHIVE_API_KEY'
# Step 1: Create phishing campaign case with pre-assigned tasks
curl -s -X POST "$THEHIVE_URL/api/case" \
-H "Authorization: Bearer $API_KEY" \
-H 'Content-Type: application/json' \
-d '{
"title": "Phishing Campaign — Finance Dept Jun 2024",
"description": "DocuSign-lure targeting 50 finance staff",
"severity":3,"tlp":2,"pap":2,
"tags":["phishing","finance","credential-harvest"],
"tasks":[
{"title":"Identify all recipients","assignee":"analyst1"},
{"title":"Analyse attachment hashes","assignee":"analyst2"},
{"title":"Block sender domains at GW","assignee":"analyst1"},
{"title":"Reset click-through passwords","assignee":"analyst3"},
{"title":"Export IoCs to MISP","assignee":"analyst2"}
]
}'
# Step 2: Add phishing URL as observable
curl -s -X POST "$THEHIVE_URL/api/case/CASE_ID/artifact" \
-H "Authorization: Bearer $API_KEY" \
-H 'Content-Type: application/json' \
-d '{"dataType":"url","data":"https://docusign-verify.malicious.xyz/login","tlp":2,"ioc":true}'
# Step 3: Trigger VirusTotal Cortex analyser
curl -s -X POST 'https://cortex.corp.local:9001/api/job' \
-H "Authorization: Bearer $API_KEY" \
-H 'Content-Type: application/json' \
-d '{"analyzerId":"VirusTotal_GetReport_3_1","artifactType":"url",
"artifactDefinition":{"data":"https://docusign-verify.malicious.xyz/login"}}'
# Step 4: Close case with resolution summary
curl -s -X PATCH "$THEHIVE_URL/api/case/CASE_ID" \
-H "Authorization: Bearer $API_KEY" \
-H 'Content-Type: application/json' \
-d '{"status":"Resolved","resolutionStatus":"TruePositive",
"summary":"Confirmed phishing. 4 click-throughs; passwords reset; 23 IoCs to MISP."}'Overview
MISP (Malware Information Sharing Platform) is a free, open-source threat intelligence platform for storing, sharing, and correlating indicators of compromise. Developed by CIRCL and maintained globally, MISP is deployed by national CERTs, ISACs, and enterprises worldwide. The data model organises intelligence into Events containing Attributes (IoCs), Objects, Tags (TLP levels, ATT&CK Galaxy), and Sightings.
MISP’s community sharing model — configurable sharing policies enabling automatic bidirectional intelligence propagation — is its most powerful characteristic. Native STIX 2.1 export and a built-in TAXII 2.1 server integrate with commercial TIPs and SIEMs. The automatic correlation engine surfaces relationships between attributes across all stored events instantly.
Key Features & Components
| Feature / Component | Description |
|---|---|
| Rich Event Data Model | Events with Attributes (IoCs), Objects, Tags (TLP/taxonomy/ATT&CK Galaxy), and Sightings — extensible structure for all intelligence types. |
| Community Sharing Policies | Configurable sharing from community-only to public — automatic bidirectional sync with CERT networks, ISACs, and trusted MISP instances worldwide. |
| Automatic Correlation Engine | Surfaces attribute relationships across all stored events automatically — historical context appears instantly when a new event shares an indicator. |
| STIX 2.1 / TAXII 2.1 Native | Built-in STIX export and TAXII 2.1 server — integrates with ThreatConnect, Anomali, Splunk, QRadar, and Microsoft Sentinel for automated IoC distribution. |
| External Feed Subscriptions | Subscribes to abuse.ch URLhaus, FeodoTracker, OTX, MalwareBazaar, PhishTank — ingests, deduplicates, and correlates against the existing knowledge base. |
| MITRE ATT&CK Galaxy Tagging | Tags events with ATT&CK techniques, threat actor clusters, and malware families — structured adversary context enabling defenders to map intelligence to detection coverage. |
MISP_URL='https://misp.cert.gov'
MISP_KEY='YOUR_MISP_API_KEY'
# Create MISP event for APT28 campaign
curl -s -X POST "$MISP_URL/events" \
-H "Authorization: $MISP_KEY" -H 'Content-Type: application/json' \
-d '{"Event":{"info":"APT28 Spear-Phishing — Gov Ministries Jun 2024",
"threat_level_id":"1","analysis":"2","distribution":"2",
"Attribute":[
{"type":"ip-dst","value":"203.0.113.45","to_ids":true,"comment":"APT28 C2 server"},
{"type":"domain","value":"gov-update.malicious.xyz","to_ids":true},
{"type":"sha256","value":"a1b2c3d4e5f678...","to_ids":true,"comment":"X-Agent dropper"},
{"type":"email-src","value":"updates@gov-secure.malicious.xyz","to_ids":true}
]}}'
# Apply MITRE ATT&CK Galaxy tag
curl -s -X POST "$MISP_URL/events/addTag/EVENT_ID" \
-H "Authorization: $MISP_KEY" \
-d 'tag=misp-galaxy:mitre-attack-pattern="Spearphishing Link - T1566.001"'
# Search all events for specific IP
curl -s -X POST "$MISP_URL/attributes/restSearch" \
-H "Authorization: $MISP_KEY" -H 'Content-Type: application/json' \
-d '{"returnFormat":"json","value":"203.0.113.45","type":"ip-dst","to_ids":true}'
# Export as STIX 2.1 for SIEM ingestion
curl -s "$MISP_URL/events/restSearch/returnFormat:stix2/threat_level_id:1/to_ids:true" \
-H "Authorization: $MISP_KEY"
# Add Sighting — confirm real-world observation
curl -s -X POST "$MISP_URL/sightings/add" \
-H "Authorization: $MISP_KEY" -H 'Content-Type: application/json' \
-d '{"value":"203.0.113.45","type":"0","source":"SIEM_FW_Alert_INC-2024-0847"}'Overview
SIFT (SANS Investigative Forensic Toolkit) Workstation is a free, open-source Ubuntu-based virtual machine providing a standardised, court-admissible forensic investigation environment with 200-plus pre-installed tools. SIFT covers disk forensics, memory forensics, network forensics, timeline generation (correlating events from 50-plus artefact types), YARA malware scanning, and log analysis.
Key tools include Autopsy (graphical forensic case management), Volatility 3 (memory forensics), Plaso/log2timeline (super-timeline generation), YARA (malware pattern matching), bulk_extractor (evidence carving), RegRipper (Windows Registry analysis), NetworkMiner, and Wireshark/tshark. Available as a VMware/VirtualBox VM or Ubuntu 22.04 LTS installation script with WSL2 compatibility.
Key Features & Components
| Feature / Component | Description |
|---|---|
| 200+ Pre-Installed DFIR Tools | Tools for disk, memory, network, timeline, log, and malware forensics — version-controlled, pre-configured to work together without compatibility conflicts. |
| Autopsy (GUI Case Management) | Graphical forensic case management: disk image ingestion, keyword search, file carving, deleted file recovery, browser artefact extraction, and chain-of-custody reporting. |
| Volatility 3 (Memory Forensics) | Plugin-based RAM analysis: process listing, network connections, cmdline reconstruction, injected code detection, credential recovery, and rootkit detection. |
| Plaso / log2timeline (Supertimeline) | Ingests 50+ log/artefact types into a unified chronological supertimeline — Windows Event Logs, prefetch, browser history, MFT, registry, and LNK files correlated in one view. |
| YARA Pattern Matching | Evaluates YARA rules against memory dumps, disk images, and extracted files — detects known malware families and custom threat actor tooling across evidence. |
| Standardised Court-Admissible Environment | VM or WSL2 installation ensures reproducible, defensible findings — documented tool versions and methodology meeting evidentiary standards for legal proceedings. |
CASE='/cases/INC-2024-0847' mkdir -p $CASE/evidence $CASE/analysis $CASE/reports # PHASE 1: ACQUISITION scp analyst@victim-srv:/C/memory_VICTIM-SRV_20240617.raw $CASE/evidence/ ewfacquire /dev/sdb \ -t $CASE/evidence/disk_VICTIM-SRV \ -C 'INC-2024-0847 Victim Server' \ -e analyst@corp.com \ -m fixed -M logical -c best ewfverify $CASE/evidence/disk_VICTIM-SRV.E01 # MD5 hash verified — acquisition integrity confirmed # PHASE 2: MEMORY ANALYSIS (Volatility 3) MEMFILE="$CASE/evidence/memory_VICTIM-SRV_20240617.raw" vol3 -f $MEMFILE windows.info.Info | tee $CASE/analysis/os_info.txt vol3 -f $MEMFILE windows.pslist.PsList | tee $CASE/analysis/pslist.txt vol3 -f $MEMFILE windows.malfind.Malfind | tee $CASE/analysis/malfind.txt vol3 -f $MEMFILE windows.netscan.NetScan | grep -v CLOSED | tee $CASE/analysis/netscan.txt vol3 -f $MEMFILE windows.cmdline.CmdLine | tee $CASE/analysis/cmdline.txt vol3 -f $MEMFILE windows.hashdump.Hashdump | tee $CASE/analysis/hashes.txt # YARA scan for BlackCat ransomware vol3 -f $MEMFILE windows.vadyarascan.VadYaraScan \ --yara-rules /opt/yara-rules/ransomware/blackcat.yar # PHASE 3: SUPERTIMELINE log2timeline.py -z UTC \ --storage-file $CASE/analysis/timeline.plaso \ $CASE/evidence/disk_VICTIM-SRV.E01 psort.py -z UTC -o l2tcsv \ -w $CASE/analysis/timeline_filtered.csv \ $CASE/analysis/timeline.plaso \ "date > '2024-06-12' AND date < '2024-06-18'"
Overview
GRR Rapid Response is an open-source incident response framework developed by Google, enabling remote live forensics at enterprise scale. Analysts can simultaneously query thousands of endpoints for forensic artefacts and IoC presence without physical access or full disk imaging. Flows define specific forensic collection tasks; Hunts extend the same Flow to any number of endpoints simultaneously.
GRR’s fleet-wide YARA scanning enables searching across all endpoint memory and disk files simultaneously for malware signatures without acquiring individual images. The Virtual File System (VFS) browser allows real-time remote file system browsing from the GRR console. The full artefact set covers Registry hives, Event Logs, prefetch, shimcache, amcache, LNK files, and browser history. Google uses GRR internally for incident response across its global infrastructure.
Key Features & Components
| Feature / Component | Description |
|---|---|
| Fleet-Scale Remote Forensics | Queries thousands of endpoints simultaneously without physical access or disk imaging — complete incident scoping in minutes across the entire enterprise. |
| Hunts (Fleet-Wide Queries) | Extends any forensic Flow to all enrolled endpoints simultaneously — YARA scanning, file collection, registry hunting, and process analysis fleet-wide with one definition. |
| Memory and Disk YARA Scanning | Executes YARA rules across all endpoint process memory and disk files simultaneously — fleet-wide malware hunting without individual image acquisition. |
| Virtual File System (VFS) Browser | Real-time remote file system browsing from the GRR console — navigate directory trees, inspect files, and collect specific items without remote desktop. |
| Comprehensive Artefact Collection | Collects Registry hives, Event Logs, prefetch, shimcache, amcache, LNK files, browser history, and hundreds of forensically relevant artefacts on demand. |
| Enterprise-Scale Architecture | Handles hundreds of thousands of endpoints — stateless server design scales horizontally with additional GRR workers as endpoint count grows. |
from grr_api_client import api as grr_api
import time
grrapi = grr_api.InitHttp(
api_endpoint='https://grrserver.corp.local:8000',
auth=('admin', 'GRRAdminPass2024!'))
YARA_RULE = '''
rule BlackCat_ALPHV_Loader {
meta: author = "CorpSOC"
strings:
$s1 = "alphv" nocase wide ascii
$s2 = { 42 6C 61 63 6B 43 61 74 }
$s3 = "Salsa20" nocase
condition: 2 of them
}
'''
hunt = grrapi.CreateHunt(
flow_name='YaraProcessScan',
flow_args=grrapi.types.YaraProcessScan(
yara_signature=YARA_RULE, scan_runtime_us=60000000),
hunt_runner_args=grrapi.types.HuntRunnerArgs(
description='BlackCat YARA Hunt Jun2024',
client_limit=0,
expiry_time=grrapi.types.Duration(seconds=3600)))
hunt.Start()
print(f'Hunt started: {hunt.hunt_id}')
while True:
h = grrapi.Hunt(hunt.hunt_id).Get()
print(f'Clients: {h.data.all_clients_count} | Hits: {h.data.num_clients_with_results}')
if h.data.state == 3: break
time.sleep(30)
print('Compromised endpoints:')
for r in grrapi.Hunt(hunt.hunt_id).Results():
print(f' YARA MATCH: {r.client_id}')Overview
Velociraptor is a free, open-source, high-performance endpoint visibility and digital forensics platform. It introduces VQL (Velociraptor Query Language) — a SQL-like query language purpose-built for endpoint forensics — enabling analysts to write expressive, reusable forensic queries executed simultaneously across thousands of enrolled endpoints. The Go-based architecture handles tens of thousands of concurrent clients on modest infrastructure.
The Velociraptor Artifact Exchange contains 400-plus pre-built Artifacts covering Windows NTFS/MFT forensics, browser history, registry analysis, Linux and macOS forensics, cloud service artefacts (AWS metadata, Azure IMDS), and security tool artefacts. Live Response provides real-time interactive shell access to any enrolled endpoint for surgical file collection, process termination, and immediate remediation without full disk reimaging.
Key Features & Components
| Feature / Component | Description |
|---|---|
| VQL (Velociraptor Query Language) | SQL-like endpoint forensic query language — selects from endpoint data sources with WHERE clauses, JOINs, and output formatting; complex multi-step queries without custom code. |
| 400+ Artifact Exchange Library | Community-contributed forensic Artifacts for Windows, macOS, Linux — NTFS/MFT, prefetch, shimcache, browser history, registry, cloud metadata, and security tool artefacts. |
| Fleet-Wide Hunts | Pushes any VQL Artifact to all enrolled endpoints simultaneously — collects and correlates results in the server notebook without individual endpoint access. |
| YARA Memory and Disk Scanning | Executes YARA rules against process memory and on-disk files across the entire fleet — fleet-wide malware hunting without individual forensic image acquisition. |
| Live Response (Interactive Shell) | Real-time interactive endpoint access — file system navigation, process management, file upload/download, command execution, and registry access for surgical remediation. |
| Server-Side Notebooks | Collaborative investigation notebooks combining VQL queries, result visualisations, and analyst commentary — structured investigation documentation shared in real time. |
# HUNT 1: Qbot registry Run key persistence (VQL Hunt to all 500 endpoints)
SELECT
client_info().Hostname AS Hostname,
Key.ModTime AS LastModified, Key.Name AS RunKeyName, Key.Data.value AS CommandValue
FROM foreach(
row={SELECT * FROM clients()},
query={
SELECT ModTime, Name, Data FROM read_reg_key(
globs=['HKLM/SOFTWARE/Microsoft/Windows/CurrentVersion/Run/*',
'HKCU/SOFTWARE/Microsoft/Windows/CurrentVersion/Run/*'])
WHERE Data.value =~ '(?i)(regsvr32|rundll32|mshta|wscript)'
AND Data.value =~ '(?i)(Temp|AppData|ProgramData)'
})
# HUNT 2: Qbot scheduled task (random name with base64 cmd)
SELECT client_info().Hostname AS Hostname, Name, Command, Arguments, User, Enabled
FROM Artifact.Windows.System.ScheduledTasks()
WHERE (Command =~ '(?i)(cmd|powershell|wscript)' AND Arguments =~ '(?i)(base64|-enc)')
OR Name =~ '^[A-Z0-9]{6,10}$'
# HUNT 3: Fleet-wide YARA memory scan for Qbot
SELECT * FROM foreach(
row={SELECT * FROM clients()},
query={SELECT * FROM yara(
rules='''rule Qbot { strings: $s1="qbot" nocase condition: $s1 }''',
pid='*')})
# LIVE RESPONSE: collect binary and remediate on FINANCE-WS-14
LET binary = upload(accessor='file', filename='C:/Windows/Temp/svchost64.dll')
SELECT * FROM binary
LET kill = execve(argv=['taskkill','/F','/PID','4521'])
SELECT * FROM killOverview
Carbon Black Response (now VMware Carbon Black EDR following Broadcom’s acquisition) is an enterprise EDR platform providing continuous endpoint telemetry recording, real-time threat hunting across historical data, and live response capabilities. Carbon Black’s defining principle is continuous recording: every process execution, file write, registry change, and network connection on every enrolled endpoint is captured and retained in a centralised, searchable database for weeks or months — enabling retroactive forensic investigation of activity that occurred days before any alert was raised.
The threat hunting model uses the cbapi Python library and web-based Threat Hunting interface — analysts write SQL-like queries against the central telemetry database for specific processes, parent-child relationships, command-line patterns, and network connections across all endpoints simultaneously. Binary Reputation automatically classifies executed binaries via Carbon Black’s global threat intelligence network.
Key Features & Components
| Feature / Component | Description |
|---|---|
| Continuous Endpoint Telemetry | Records every process, file write, registry change, and network connection on all endpoints — searchable for weeks or months enabling retroactive forensic investigation. |
| Process Tree Visualisation | Interactive process execution tree showing parent-child relationships, command-line arguments, file operations, and network connections for any historical process. |
| Binary Reputation (Cloud TI) | Automatic classification of all executed binaries via Carbon Black’s global threat intelligence network — surfaces unknown-reputation executables before they trigger detections. |
| Live Response (Remote Shell) | Real-time interactive shell, file system access, process management, and file retrieval from any enrolled endpoint — surgical investigation and remediation. |
| cbapi Python Library | Programmatic access to all endpoint telemetry — custom hunt scripts, automated alert triage, SOAR integration, and bulk threat investigation workflows. |
| Watchlist and Feed Integration | Automated alerting on IoC and behavioural pattern matches against continuous telemetry — Carbon Black community feeds and custom watchlists. |
from cbapi.response import CbResponseAPI, Process
cb = CbResponseAPI(url='https://cbresponse.corp.local', token='CB_API_TOKEN', ssl_verify=True)
# HUNT 1: PowerShell encoded download cradles (last 30 days)
for proc in cb.select(Process).where(
'process_name:powershell.exe AND cmdline:encodedcommand AND cmdline:downloadstring'):
print(f'Host:{proc.hostname} | Time:{proc.start} | Parent:{proc.parent.process_name}')
print(f'Cmd:{proc.cmdline[:200]}')
# HUNT 2: External network connections from PowerShell
for proc in cb.select(Process).where(
'process_name:powershell.exe AND netconn_count:[1 TO *]'):
for nc in proc.netconns:
if not any(nc.remote_ip.startswith(p) for p in ('10.','172.16.','192.168.','127.')):
print(f'Host:{proc.hostname} | C2:{nc.remote_ip}:{nc.remote_port}')
# HUNT 3: Office spawning shell processes (macro execution)
for parent in ['winword.exe','excel.exe','powerpnt.exe']:
for child in ['powershell.exe','cmd.exe','wscript.exe','mshta.exe']:
for proc in cb.select(Process).where(f'parent_name:{parent} AND process_name:{child}'):
print(f'SUSPICIOUS: {proc.hostname} | {parent} -> {child}')
print(f' CmdLine: {proc.cmdline[:150]}')
# LIVE RESPONSE: collect binary and terminate process
sensor = cb.select('Sensor').where('hostname:DESKTOP-FINANCE-14').first()
with sensor.lr_session() as lr:
lr.get_file(r'C:\Windows\Temp\svchost64.dll', '/cases/INC-2024-0847/svchost64.dll')
lr.kill_process(4521)
lr.delete_file(r'C:\Windows\Temp\svchost64.dll')Overview
Cybereason is an AI-driven EDR and XDR platform presenting security incidents as complete attack narrative stories — MalOps (Malicious Operations) — rather than thousands of individual disconnected alerts. The Cross-Machine Correlation AI engine analyses process execution, file operations, registry activity, network connections, user identity, and DNS queries across all enrolled endpoints simultaneously, correlating related indicators into a single unified MalOp representing the complete attack chain.
The MalOp view surfaces the entire attack story in one interface: affected machines and user accounts, a chronological attack timeline, the root cause process, mapped MITRE ATT&CK techniques, and one-click remediation options. AI-powered prevention uses ML models trained on billions of endpoint behaviours to block novel malware at execution time without signature updates.
Key Features & Components
| Feature / Component | Description |
|---|---|
| MalOp Narrative (Complete Attack Story) | Groups all related attack indicators into one complete attack story with timeline, affected assets, root cause, ATT&CK mapping, and remediation — eliminates alert fragmentation. |
| Cross-Machine Correlation AI | Simultaneously correlates process, file, network, identity, and DNS activity across all endpoints — detects multi-stage attacks spanning multiple machines and accounts. |
| AI-Powered Behavioural Prevention | ML models trained on billions of endpoint behaviours detect and block novel malware at execution time — no signature updates required. |
| Visual Attack Timeline | Interactive timeline showing every attacker action from initial compromise through lateral movement and payload delivery — full process and network context at each step. |
| One-Click Remediation | Process kill, file quarantine, persistence removal, and network isolation suggested and executed directly from the MalOp panel — no separate tool required. |
| MITRE ATT&CK Auto-Mapping | Every MalOp attack step automatically mapped to ATT&CK techniques and sub-techniques — enables immediate control gap analysis from investigation findings. |
# Step 1: Authenticate to Cybereason
curl -s -c /tmp/cyb_cookies.txt -X POST \
'https://cybereason.corp.local:8443/login.html' \
-d 'username=admin&password=CybAdminPass2024!'
# Step 2: Query all unresolved MalOps
curl -s -b /tmp/cyb_cookies.txt -X POST \
'https://cybereason.corp.local:8443/rest/crimes/unified?crimeStatus=UNRESOLVED' \
-H 'Content-Type: application/json' \
-d '{"templateContext":"OVERVIEW","filters":[{"fieldName":"malopActivityTypes",
"operator":"ContainsAnyOf","values":["MALICIOUS_INFECTION","RANSOMWARE","LATERAL_MOVEMENT"]}]}'
# Step 3: Network-isolate ALL machines in the MalOp
curl -s -b /tmp/cyb_cookies.txt -X POST \
'https://cybereason.corp.local:8443/rest/sensors/action' \
-H 'Content-Type: application/json' \
-d '{"action":"ISOLATE","filters":[{"fieldName":"malopGuid",
"operator":"ContainsAnyOf","values":["MALOP_GUID"]}]}'
# Step 4: Kill processes and remove persistence
curl -s -b /tmp/cyb_cookies.txt -X POST \
'https://cybereason.corp.local:8443/rest/remediate' \
-H 'Content-Type: application/json' \
-d '{"malopId":"MALOP_GUID","remediationItems":[
{"actionType":"KILL_PROCESS","elementType":"PROCESS","elementValues":["PROC_ID_1","PROC_ID_2"]},
{"actionType":"DELETE_REGISTRY_KEY","elementType":"REGISTRY_KEY","elementValues":["REG_KEY_GUID_1"]}
]}'Overview
IBM Resilient (now IBM Security QRadar SOAR, following IBM’s 2016 acquisition) is the pioneering SOAR platform providing structured case management, dynamic playbook automation, and incident response coordination. Co-founded by Bruce Schneier in 2010, it was among the first platforms to formalise machine-speed, multi-tool response orchestration as a core SOC capability — recognising that effective IR is as much a legal and regulatory process as a technical one.
IBM Resilient’s Dynamic Playbooks are condition-driven — execution paths adapt based on incident type, severity, regulatory jurisdiction, data categories involved, and user-defined conditions. The data privacy module calculates breach notification obligations under GDPR, HIPAA, CCPA, PCI DSS, and 50-plus regulations automatically — converting complex multi-jurisdictional compliance into documented automated decisions.
Key Features & Components
| Feature / Component | Description |
|---|---|
| Dynamic Condition-Driven Playbooks | Adapts execution paths based on incident type, severity, jurisdiction, and data categories — one playbook intelligently handles multiple scenario variants. |
| 200+ Integration Hub Connectors | Pre-built integrations with SIEM (QRadar, Splunk), EDR (CrowdStrike, Carbon Black), TI (Recorded Future, MISP), and ticketing (ServiceNow, Jira) for orchestrated response. |
| Jurisdiction-Aware Breach Notification | Automatically calculates regulatory obligations under GDPR, HIPAA, CCPA, PCI DSS, and 50+ regulations — converts complex compliance analysis into documented decisions. |
| Role-Based Task Assignment with SLAs | Assigns response tasks to analysts or roles with SLAs, escalation rules, and completion tracking — structured team coordination for complex incidents. |
| MTTD / MTTR Metrics | Tracks Mean Time to Detect, Mean Time to Respond, SLA compliance, incident volume, and analyst performance — management-level SOC programme reporting. |
| Evidence Chain-of-Custody Management | Files, screenshots, exported logs, and analyst notes with timestamp and actor attribution — forensic evidence management for legal and regulatory proceedings. |
# Step 1: Authenticate
curl -s -c /tmp/res_cookies.txt -X POST 'https://resilient.corp.local/rest/session' \
-H 'Content-Type: application/json' \
-d '{"email":"admin@corp.com","password":"ResilientAdmin2024!"}'
# Step 2: Create ransomware incident with jurisdictional context
INC_ID=$(curl -s -b /tmp/res_cookies.txt \
-X POST 'https://resilient.corp.local/rest/orgs/201/incidents' \
-H 'Authorization: HMAC-RESAUTH' -H 'Content-Type: application/json' \
-d '{"name":"BlackCat Ransomware — Finance Servers Jun2024",
"incident_type_ids":[17],"severity_code":{"name":"High"},
"properties":{"affected_countries":["US","UK","DE"],
"data_compromised":true,"pii_involved":true,"pci_data_involved":true,
"employee_count":847,"regulatory_exposure":["GDPR","CCPA","PCI_DSS_4"]}}' \
| python3 -c "import sys,json;print(json.load(sys.stdin)['id'])")
echo "Created incident: INC-$INC_ID"
# Playbook Ransomware_Response_v4 auto-executes:
# Step A (auto): Recorded Future — enrich C2 IPs
# Step B (auto): CrowdStrike — isolate affected endpoints
# Step C (auto): Palo Alto — block C2 IPs at perimeter
# Step D (auto): PagerDuty — page on-call IR lead
# Step E (auto): Slack — notify CISO and #sec-incidents
# Step F (auto): ServiceNow — create P1 ticket
# Step G (MANUAL): IR lead confirms ransom decision
# Step H (auto): Calculate GDPR 72-hr notification clock
# Step I (auto): Calculate PCI DSS forensic investigation timeline
# Step J (auto): Generate breach notification letters (ICO, BfDI)
# Step K (MANUAL): Legal approves draft notifications
# Step L (auto): Preserve forensic evidence to immutable storage
# Step M (auto): Generate complete post-incident reportOverview
Cofense Triage is an enterprise phishing response automation platform reducing analyst time required to process, investigate, and respond to employee-reported phishing emails. In large organisations, the Cofense PhishMe Reporter button generates hundreds to thousands of reported emails daily. Cofense Triage automates triage, clustering, analysis, and response using clustering algorithms, YARA rules, URL and file hash reputation lookups, and ML classification.
The Vision feature provides retroactive organisation-wide email search — after identifying a malicious campaign in reported emails, Vision automatically finds all similar unreported emails sent to any employee and quarantines them simultaneously. This is the most operationally impactful capability: eliminating risk from the 85-95% of malicious emails that employees receive but never report.
Key Features & Components
| Feature / Component | Description |
|---|---|
| Automated Email Clustering | Groups similar phishing emails by sender infrastructure, URL patterns, and attachment hashes — analysts investigate one cluster representative, not hundreds of individual emails. |
| YARA and Reputation Analysis | Evaluates reported emails against YARA rules, URL reputation (VirusTotal, PhishTank), and hash databases — automated malicious/safe verdicts for known-bad indicators. |
| Vision (Retroactive Org-Wide Quarantine) | Finds ALL similar emails across the organisation after identifying a malicious campaign — quarantines unreported copies before recipients click harmful links. |
| Automated Gateway Integration | Integrates with Microsoft 365 Defender, Google Workspace, Proofpoint, and Mimecast — quarantines emails from all inboxes simultaneously via API. |
| IoC Extraction and SIEM Sharing | Extracts URLs, domains, IPs, hashes, and sender details from malicious emails — automatically shares with MISP, Splunk, and ThreatConnect for fleet-wide detection. |
| Reporter Risk Scoring | Tracks per-employee reporting accuracy — identifies employees who repeatedly click phishing vs. accurately report; prioritises high-risk individuals for targeted training. |
TOKEN=$(curl -s -X POST 'https://triage.corp.local/api/oauth/token' \
-d 'grant_type=client_credentials&client_id=TRIAGE_ID&client_secret=TRIAGE_SECRET' \
| python3 -c "import sys,json;print(json.load(sys.stdin)['access_token'])")
# Get all unprocessed phishing reports
curl -s 'https://triage.corp.local/api/public/v2/reports?filter[report_type]=phishing&filter[match_priority]=0&page[size]=100' \
-H "Authorization: Bearer $TOKEN"
# Get all clusters from today
TODAY=$(date -u +%Y-%m-%dT00:00:00Z)
curl -s "https://triage.corp.local/api/public/v2/clusters?filter[created_at_gteq]=$TODAY" \
-H "Authorization: Bearer $TOKEN" \
| python3 -c "
import sys, json
clusters = json.load(sys.stdin)['data']
print(f'Clusters today: {len(clusters)}')
for c in clusters:
a = c['attributes']
print(f' ID:{c["id"]} | Priority:{a["match_priority"]} | Reports:{a["report_count"]}')"
# Mark cluster malicious — triggers quarantine + IoC extraction
curl -s -X PATCH 'https://triage.corp.local/api/public/v2/clusters/CLUSTER_ID' \
-H "Authorization: Bearer $TOKEN" -H 'Content-Type: application/json' \
-d '{"data":{"type":"clusters","id":"CLUSTER_ID","attributes":{"match_priority":1}}}'
# Vision: find and quarantine ALL similar emails organisation-wide
curl -s -X POST 'https://triage.corp.local/api/public/v2/searches' \
-H "Authorization: Bearer $TOKEN" -H 'Content-Type: application/json' \
-d '{"data":{"type":"searches","attributes":{"cluster_id":"CLUSTER_ID","auto_quarantine":true}}}'Overview
D3 Security is a next-generation SOAR and incident management platform delivering end-to-end security operations automation from alert ingestion through investigation, containment, recovery, and post-incident reporting. D3’s Smart SOAR architecture auto-enriches every incoming alert with contextual data from all integrated tools before an analyst sees it — SIEM alert arrives → VirusTotal enrichment → TI lookup → EDR device context → Shodan network intel → single pre-enriched view. This addresses the primary SOC inefficiency where analysts spend 70-80% of alert investigation time gathering context that automation can provide in seconds.
D3’s no-code playbook builder enables analysts without programming backgrounds to create sophisticated multi-step automation workflows. The Global Playbook Library contains 1,000-plus pre-built playbooks covering ransomware, phishing, insider threat, cloud incidents, and compliance workflows. The platform connects to 2,500-plus security tools.
Key Features & Components
| Feature / Component | Description |
|---|---|
| Smart SOAR Auto-Enrichment | Automatically enriches every incoming alert with TI, device context, network intelligence, and user data before analyst review — eliminates manual context gathering. |
| 1,000+ Pre-Built Playbooks | Ransomware, phishing, insider threat, cloud, vulnerability, and compliance automation — ready to deploy or customise for specific organisational requirements. |
| No-Code Playbook Builder | Visual drag-and-drop automation builder enabling analysts without coding skills to create sophisticated multi-step workflows connecting any tools. |
| 2,500+ Native Integrations | Pre-built connectors to SIEM, EDR, TI, firewall, IAM, ticketing, and communication platforms — any tool combination orchestrated without custom development. |
| Post-Incident Reporting | Auto-generated reports with timeline, actions, MTTD/MTTR, regulatory impact, and lessons learned — board, auditor, and insurance ready. |
| MITRE ATT&CK Coverage Tracking | Every detection and response action mapped to ATT&CK — systematic tracking of coverage gaps across the entire ATT&CK matrix. |
TOKEN=$(curl -s -X POST 'https://d3soar.corp.local/api/login' \
-H 'Content-Type: application/json' \
-d '{"username":"soar_admin","password":"D3SmartSOAR2024!"}' \
| python3 -c "import sys,json;print(json.load(sys.stdin)['token'])")
INC=$(curl -s -X POST 'https://d3soar.corp.local/api/incidents' \
-H "Authorization: Bearer $TOKEN" -H 'Content-Type: application/json' \
-d '{"name":"BlackCat Ransomware — Finance Dept Jun2024","severity":"Critical",
"category":"Ransomware","source":"CrowdStrike Falcon EDR",
"assets":["FINANCE-SRV-01","FINANCE-SRV-02"],
"playbook":"Ransomware_Response_Financial_v4",
"context":{"pii_involved":true,"pci_involved":true,"jurisdictions":["US","UK","EU"]}}')
# Automated playbook: Ransomware_Response_Financial_v4
# STEP 01 (auto): Recorded Future — enrich C2 IPs/hashes
# STEP 02 (auto): CrowdStrike — isolate affected endpoints
# STEP 03 (auto): Palo Alto NGFW — block all C2 IPs/domains
# STEP 04 (auto): Active Directory — disable affected accounts
# STEP 05 (auto): PagerDuty — page IR lead
# STEP 06 (auto): Slack — notify CISO and exec channel
# STEP 07 (auto): ServiceNow — create P1 ticket
# STEP 08 (MANUAL): IR lead confirms ransom decision
# STEP 09 (auto): Calculate GDPR + PCI notification obligations
# STEP 10 (auto): Draft regulatory letters (ICO, BfDI, SEC 8-K)
# STEP 11 (auto): Generate cyber-insurance claim documentation
# STEP 12 (MANUAL): Legal approves notifications
# STEP 13 (auto): Preserve forensic evidence (immutable S3)
# STEP 14 (auto): Generate post-incident reportSection 2: Cloud Security
This section provides comprehensive profiles for 10 cloud security tools (Tools 81–90) — architectures, operational capabilities, and real-world application scenarios.
Overview
AWS Shield is Amazon Web Services’ managed DDoS protection service with two tiers. AWS Shield Standard is automatically applied free of charge to all AWS customers, providing always-on detection and automatic mitigation against common Layer 3 and Layer 4 attacks: UDP amplification (DNS, NTP, SSDP, Chargen), SYN floods, ACK floods, TCP state exhaustion, ICMP floods, and reflection attacks — using AWS’s globally distributed anycast network.
AWS Shield Advanced extends protection to application-layer (Layer 7) attacks against CloudFront, Application Load Balancers, Route 53, EC2 Elastic IPs, and AWS Global Accelerator. Advanced provides near-real-time attack visibility through Amazon CloudWatch metrics with 1-minute granularity, AWS WAF integration for custom L7 rule deployment during attacks, and access to the AWS Shield Response Team (SRT) — DDoS experts available 24/7. DDoS Cost Protection reimburses CloudFront, Route 53, ELB, and EC2 Auto Scaling charges resulting from volumetric attacks.
Key Features & Components
| Feature / Component | Description |
|---|---|
| L3/L4 Standard Protection (Free) | Always-on automatic mitigation of volumetric, state exhaustion, and reflection attacks for all AWS resources — no configuration required. |
| L7 Application Protection (Advanced) | HTTP flood, cache-busting, and application-layer attack mitigation — AWS WAF integration with SRT-assisted custom rule deployment during active attacks. |
| AWS Shield Response Team (SRT) | 24/7 DDoS expert assistance for Advanced subscribers — SRT proactively engages during large attacks, writes custom WAF rules, and coordinates mitigation. |
| Near-Real-Time Attack Visibility | CloudWatch metrics with 1-minute granularity showing attack vectors, packet rates, request volumes, and mitigation actions during active DDoS events. |
| DDoS Cost Protection | Reimburses CloudFront, Route 53, ELB, and EC2 Auto Scaling cost spikes caused by DDoS attack traffic — full financial neutrality from volumetric attacks. |
| Global Threat Intelligence | Updated attack signatures and IP reputation data from AWS’s hyperscale global network — visibility into a significant fraction of global internet traffic. |
# Terraform: Enable Shield Advanced protection
resource "aws_shield_protection" "game_alb" {
name = "GameServer_ApplicationLB"
resource_arn = aws_lb.game_lb.arn
}
resource "aws_shield_protection" "game_cloudfront" {
name = "GameServer_CloudFront"
resource_arn = aws_cloudfront_distribution.game_cdn.arn
}
# CloudWatch alarm for DDoS detection
resource "aws_cloudwatch_metric_alarm" "shield_ddos" {
alarm_name = "Shield_DDoS_Detected"
metric_name = "DDoSDetected"
namespace = "AWS/DDoSProtection"
comparison_operator = "GreaterThanThreshold"
evaluation_periods = 1
period = 60
statistic = "Sum"
threshold = 0
alarm_actions = ["arn:aws:sns:us-east-1:123456789:SecurityAlerts"]
dimensions = { ResourceArn = aws_lb.game_lb.arn }
}
# CLI: Query active DDoS attacks
aws shield describe-attacks \
--start-time 2024-06-17T00:00:00Z \
--end-time 2024-06-17T23:59:59Z \
| python3 -c "
import sys, json
d = json.load(sys.stdin)
for a in d.get('Attacks', []):
print(f'Attack: {a["AttackId"]}')
vecs = [v["VectorType"] for v in a.get('AttackVectors',[])]
print(f'Vectors: {vecs}')"
# SRT-deployed rate-based WAF rule (during active HTTP flood)
aws wafv2 create-rule-group \
--name SRT_Emergency_RateLimit --scope CLOUDFRONT --capacity 100 \
--rules '[{"Name":"RateLimit_GameAPI","Priority":0,"Action":{"Block":{}},
"Statement":{"RateBasedStatement":{"Limit":2000,"AggregateKeyType":"IP"}},
"VisibilityConfig":{"SampledRequestsEnabled":true,
"CloudWatchMetricsEnabled":true,"MetricName":"RateLimit_GameAPI"}}]' \
--visibility-config SampledRequestsEnabled=true,CloudWatchMetricsEnabled=true,MetricName=SRTOverview
Microsoft Defender for Cloud (formerly Azure Security Center and Azure Defender, rebranded 2021) is Microsoft’s CNAPP providing unified Cloud Security Posture Management (CSPM) and Cloud Workload Protection (CWP) across Azure, AWS, Google Cloud, and on-premises hybrid environments. The platform continuously assesses resource configurations against Microsoft’s cloud security benchmark, producing a quantified Secure Score (0–100%) that tracks posture improvement as recommendations are remediated.
Defender for Cloud provides multiple workload-specific protection plans: Defender for Servers (OS-level threat detection, vulnerability assessment, JIT VM access), Defender for Containers (Kubernetes vulnerability assessment, runtime threat detection), Defender for SQL (anomaly detection, SQL injection alerts), Defender for Storage (malware scanning of blob uploads), and Defender for Key Vault. All plans feed alerts into the Defender for Cloud console and integrate natively with Microsoft Sentinel.
Key Features & Components
| Feature / Component | Description |
|---|---|
| Secure Score (0–100%) | Quantified security posture metric tracking improvement as recommendations are remediated — comparison across subscriptions, management groups, and regulatory frameworks. |
| CSPM (300+ Configuration Checks) | Security configuration recommendations for 300+ Azure, AWS, and GCP resource types — each with severity, remediation steps, and compliance framework mapping. |
| Multi-Cloud CSPM (AWS/GCP) | Extends posture management and threat detection to AWS and GCP via agentless connectors — unified security posture across heterogeneous cloud environments. |
| Defender for Servers / JIT VM Access | OS-level threat detection plus Just-in-Time VM access — opens SSH/RDP only for specific IPs for defined windows, eliminating always-open attack surface. |
| Defender for Containers | Container image vulnerability scanning, Kubernetes admission control policy enforcement, and runtime threat detection for GKE, EKS, and AKS clusters. |
| Microsoft Sentinel Integration | Defender alerts flow automatically into Sentinel for SIEM investigation, threat hunting, and SOAR playbook-driven automated response. |
# Enable Defender plans
az security pricing create --name VirtualMachines --tier Standard
az security pricing create --name Containers --tier Standard
# Query current Secure Score
az security secure-score show --name ascScore \
--query '{Score:current.percentage,Max:max.percentage}' -o table
# Score: 42.3 | Max: 100.0
# List all CRITICAL and HIGH recommendations
az security task list \
--query '[?contains(resourceState,`Active`)].{Title:name,Resource:resourceDetails.resourceName}' \
-o table | head -20
# Enable Just-in-Time VM Access on web servers
az security jit-policy update \
--name default --resource-group production-rg --vm-name web-server-prod-01 \
--ports '[{"number":22,"protocol":"TCP",
"allowedSourceAddressPrefixes":["10.0.0.0/8"],
"maxRequestAccessDuration":"PT4H"}]'
# Request JIT access — opens SSH for 2 hours from analyst IP
az security jit-policy initiate \
--name default --resource-group production-rg --vm-name web-server-prod-01 \
--vm-requests '[{"virtualMachineId":"/subscriptions/SUB/web-server-prod-01",
"ports":[{"number":22,"duration":"PT2H","allowedSourceAddressPrefix":"203.0.113.10"}]}]'
# Query Defender security alerts via REST API
curl -s 'https://management.azure.com/subscriptions/SUB_ID/providers/Microsoft.Security/alerts?api-version=2022-01-01' \
-H "Authorization: Bearer $(az account get-access-token --query accessToken -o tsv)" \
| python3 -c "
import sys, json
alerts = json.load(sys.stdin)['value']
high = [a for a in alerts if a['properties']['severity']=='High']
print(f'High severity alerts: {len(high)}')" Overview
Google Cloud Security Command Center (SCC) is Google Cloud’s native security monitoring and risk management platform providing continuous visibility into security findings, asset inventory, vulnerability assessments, and threat detection across GCP environments. SCC aggregates findings from Google Cloud’s built-in security services — Web Security Scanner, Cloud Armor, Binary Authorization, Container Threat Detection, Event Threat Detection, Virtual Machine Threat Detection, and Security Health Analytics — alongside partner solutions and custom finding sources via the SCC API.
SCC Premium activates continuous infrastructure vulnerability scanning, compliance posture assessment against CIS GCP Benchmark, PCI DSS, HIPAA, NIST 800-53, and ISO 27001, and automated response integration through Cloud Functions and Pub/Sub notifications. Security Health Analytics evaluates 160-plus configurations — detecting public Cloud Storage buckets, overly permissive IAM bindings, unencrypted disks, and open firewall rules.
Key Features & Components
| Feature / Component | Description |
|---|---|
| Unified Security Finding Aggregation | Consolidates findings from 10+ built-in Google security services and partner integrations — single prioritised security view across the entire GCP organisation. |
| Security Health Analytics (160+ Checks) | Evaluates GCP configurations for 160+ security best practices — public storage buckets, overly permissive IAM, unencrypted disks, and open firewall rules detected continuously. |
| Container Threat Detection (CTD) | Monitors GKE container runtime for reverse shells, unexpected process spawning, binary execution from unusual paths, and container escape attempts. |
| Event Threat Detection (ETD) | ML-based threat detection for GCP audit logs — data exfiltration, cryptomining, brute-force, privilege escalation, and anomalous API call sequences. |
| Compliance Posture Reporting | Automated compliance assessments against CIS GCP Benchmark, PCI DSS, HIPAA, NIST 800-53, and ISO 27001 with per-control pass/fail and remediation guidance. |
| Pub/Sub Notification Automation | Finding event notifications via Pub/Sub enable automated response through Cloud Functions, Cloud Run, or third-party SOAR — native GCP-speed automated remediation. |
# Enable SCC
gcloud services enable securitycenter.googleapis.com --project=PROJECT_ID
# List CRITICAL and HIGH active findings
gcloud scc findings list --organization=ORG_ID \
--filter='severity="CRITICAL" OR severity="HIGH" AND state="ACTIVE"' \
--format='table(finding.name,finding.category,finding.severity,finding.createTime)'
# List public Cloud Storage buckets
gcloud scc findings list --organization=ORG_ID \
--filter='finding.category="PUBLIC_BUCKET_ACL" AND finding.state="ACTIVE"'
# Set up Pub/Sub notification for CRITICAL findings
gcloud scc notifications create critical-findings-alert \
--organization=ORG_ID \
--pubsub-topic=projects/PROJECT_ID/topics/scc-critical-findings \
--filter='severity = CRITICAL'
# Cloud Function: auto-isolate compromised GKE pod (triggered by Pub/Sub)
def isolate_pod(event, context):
import base64, json
finding = json.loads(base64.b64decode(event['data']).decode())
if finding.get('finding',{}).get('category') == 'REVERSE_SHELL':
resource = finding['finding']['resourceName']
pod_name = extract_pod_name(resource)
namespace = extract_namespace(resource)
# Apply deny-all NetworkPolicy via kubernetes Python client
network_policy = {
'apiVersion': 'networking.k8s.io/v1', 'kind': 'NetworkPolicy',
'metadata': {'name': f'isolate-{pod_name}', 'namespace': namespace},
'spec': {'podSelector': {'matchLabels': {'app': pod_name}},
'policyTypes': ['Ingress','Egress']}
}
print(f'NetworkPolicy applied — pod {pod_name} isolated')
# Mark finding resolved via API
curl -s -X POST 'https://securitycenter.googleapis.com/v1/FINDING_NAME:setState' \
-H "Authorization: Bearer $(gcloud auth print-access-token)" \
-H 'Content-Type: application/json' \
-d '{"state":"INACTIVE","startTime":"2024-06-17T12:00:00Z"}'Overview
Cloudflare operates one of the world’s largest anycast networks with 330-plus points of presence globally, providing DDoS mitigation (321 Tbps+ capacity), Web Application Firewall (WAF), API security, bot management, Zero Trust Network Access (ZTNA via Cloudflare Access), Secure Web Gateway (Gateway), DNS security (1.1.1.1), and email security (Area 1). Processing approximately 4.9 million HTTP requests per second and blocking an average of 209 billion cyberthreats daily, Cloudflare generates threat intelligence from visibility into approximately 20% of global internet traffic.
Cloudflare One provides a complete Security Service Edge (SSE) and Zero Trust architecture. Cloudflare Access replaces legacy VPN with identity-aware, policy-driven access — users authenticate through any SAML 2.0 or OIDC identity provider before accessing internal applications, with no inbound firewall rules required at the origin. Magic Transit brings hyperscale DDoS protection to customers’ entire IP space via BGP advertisement.
Key Features & Components
| Feature / Component | Description |
|---|---|
| 321 Tbps DDoS Protection | Network-level DDoS mitigation at globally distributed edge — volumetric, protocol, and application-layer attacks absorbed before reaching customer infrastructure. |
| WAF (Managed Rules + Custom) | Cloudflare Managed Rules and OWASP CRS protecting against OWASP Top 10 and emerging CVEs — updated by Cloudflare threat research within hours of new vulnerability disclosure. |
| Zero Trust Network Access (Access) | Identity-aware VPN replacement — enforces SSO, device posture, and contextual conditions before any internal application access; no inbound firewall rules at origin. |
| Bot Management (ML + Behavioural) | Classifies every request as verified human, legitimate bot, or malicious bot using ML, device fingerprinting, and behavioural signals — blocks credential stuffing and scraping. |
| Cloudflare Email Security (Area 1) | Pre-delivery phishing and BEC prevention using ML analysis of content, sender behaviour, and link reputation — detects novel campaigns before signatures exist. |
| Magic Transit (On-Premises DDoS) | BGP-advertised DDoS protection for customer IP space — on-premises infrastructure protected by Cloudflare’s hyperscale DDoS capacity without routing changes. |
CF_ZONE="YOUR_ZONE_ID"
CF_TOKEN="YOUR_API_TOKEN"
CF_ACCOUNT="YOUR_ACCOUNT_ID"
# Block credential stuffing on /api/v1/login
curl -s -X POST "https://api.cloudflare.com/client/v4/zones/$CF_ZONE/firewall/rules" \
-H "Authorization: Bearer $CF_TOKEN" -H 'Content-Type: application/json' \
-d '[{"filter":{"expression":"(http.request.uri.path eq \"/api/v1/login\")
and (http.request.method eq \"POST\")
and (not cf.bot_management.verified_bot)
and (rate_requests_minute gt 20)"},
"action":"challenge",
"description":"Rate-limit login — block credential stuffing"}]'
# Emergency WAF rule: block CVE-2024-23917 Confluence RCE
curl -s -X POST "https://api.cloudflare.com/client/v4/zones/$CF_ZONE/rulesets/RULESET_ID/rules" \
-H "Authorization: Bearer $CF_TOKEN" -H 'Content-Type: application/json' \
-d '{"action":"block",
"expression":"(http.request.uri.path contains \"/setup/setupadministrator.action\"
or http.request.uri.path contains \"/server-info.action\")
and cf.threat_score gt 5",
"description":"Block CVE-2024-23917 Confluence exploitation"}'
# Zero Trust: create Cloudflare Access app for internal HR portal
curl -s -X POST "https://api.cloudflare.com/client/v4/accounts/$CF_ACCOUNT/access/apps" \
-H "Authorization: Bearer $CF_TOKEN" -H 'Content-Type: application/json' \
-d '{"name":"Corporate HR Portal","domain":"hr.corp.internal.example.com",
"type":"self_hosted","session_duration":"8h",
"allowed_idps":["OKTA_IDP_ID"],"auto_redirect_to_identity":true}'
# Access Policy: require Okta SSO + managed device posture
curl -s -X POST "https://api.cloudflare.com/client/v4/accounts/$CF_ACCOUNT/access/apps/APP_ID/policies" \
-H "Authorization: Bearer $CF_TOKEN" -H 'Content-Type: application/json' \
-d '{"name":"Corp Employees — Managed Device","decision":"allow",
"include":[{"email_domain":{"domain":"corp.com"}}],
"require":[{"device_posture":{"integration_uid":"POSTURE_ID"}}]}'Overview
Zscaler is a cloud-native security platform delivering a Zero Trust Exchange — a globally distributed security service edge (SSE) providing secure internet access, secure private application access, and digital experience monitoring without traffic backhauling through corporate data centres. Zscaler’s 150-plus data centres process all user traffic applying full security inspection inline — SSL/TLS decryption, URL filtering, CASB, DLP, advanced threat prevention, and DNS security.
Zscaler Internet Access (ZIA) replaces on-premises proxies and NGFWs for internet-bound traffic. Zscaler Private Access (ZPA) replaces VPN with a zero-trust broker model: users connect to specific applications through Zscaler’s infrastructure, never joining the corporate network. This completely eliminates lateral movement risk — even a compromised endpoint cannot reach other corporate systems because it is never network-adjacent to them.
Key Features & Components
| Feature / Component | Description |
|---|---|
| Zero Trust Exchange (150+ PoPs) | Globally distributed cloud security enforcement — every user connection inspected at the nearest Zscaler PoP; no backhauling or hardware appliances required. |
| ZIA (Zscaler Internet Access) | Full SSL/TLS inspection, URL filtering, inline CASB, DLP, advanced threat prevention, and DNS security — replaces on-premises proxies and NGFWs. |
| ZPA (Zscaler Private Access) | Zero-trust application broker — users connect to applications, never to the corporate network; eliminates lateral movement risk from compromised endpoints. |
| Full SSL/TLS Inspection at Cloud Scale | Decrypts and inspects all HTTPS traffic elastically — scales automatically without appliance capacity planning or hardware upgrades. |
| Cloud DLP | Content-aware inspection for PII, PHI, PCI data, and custom-defined sensitive content in all cloud traffic — prevents data exfiltration through any cloud service. |
| Zscaler Digital Experience (ZDX) | Monitors application performance from endpoint to app — identifies whether latency originates at the endpoint, ISP, Zscaler, or application server. |
# ZIA Authentication
curl -s -c /tmp/zia_cookies.txt -X POST 'https://zsapi.zscaler.net/api/v1/authenticatedSession' \
-H 'Content-Type: application/json' \
-d '{"username":"admin@corp.zscaler.net","password":"ZscalerAdmin2024!","apiKey":"ZIA_API_KEY"}'
# ZIA: Create URL filtering rule — block crypto mining sites
curl -s -b /tmp/zia_cookies.txt -X POST 'https://zsapi.zscaler.net/api/v1/urlFilteringRules' \
-H 'Content-Type: application/json' \
-d '{"name":"Block_Crypto_Mining","order":1,
"protocols":["HTTPS_RULE","HTTP_RULE"],
"urlCategories":["CRYPTO_CURRENCY"],"state":"ENABLED","action":"BLOCK"}'
# ZIA: Enable SSL inspection for all categories
curl -s -b /tmp/zia_cookies.txt -X PUT 'https://zsapi.zscaler.net/api/v1/sslSettings' \
-H 'Content-Type: application/json' \
-d '{"enableSSLScan":true,"defaultAction":"DECRYPT"}'
# ZPA: Create application segment for SAP ERP (replaces VPN rule)
curl -s -X POST 'https://config.private.zscaler.com/api/v1/application' \
-H 'Authorization: Bearer ZPA_API_TOKEN' -H 'Content-Type: application/json' \
-d '{"name":"Corporate_SAP_ERP","domainNames":["sap-prod.corp.internal"],
"tcpPortRanges":[{"from":"443","to":"443"}],
"segmentGroupId":"SEG_GROUP_ID","serverGroups":[{"id":"SERVER_GROUP_ID"}]}'
# ZPA: Access policy — require Okta SSO + managed device
curl -s -X POST 'https://config.private.zscaler.com/api/v1/policySet/POLICY_SET_ID/rule' \
-H 'Authorization: Bearer ZPA_API_TOKEN' -H 'Content-Type: application/json' \
-d '{"name":"SAP_FinanceTeam_ManagedDevice","action":"ALLOW",
"conditions":[
{"operands":[{"objectType":"SCIM_GROUP","values":["Finance_Team"]}]},
{"operands":[{"objectType":"POSTURE","values":["MANAGED_DEVICE_ID"]}]}
]}'Overview
Palo Alto Networks Prisma Cloud is a comprehensive CNAPP providing Cloud Security Posture Management (CSPM), Cloud Workload Protection (CWP), Cloud Infrastructure Entitlement Management (CIEM), Cloud Network Security, Web Application and API Security (WAAS), and Code Security (IaC scanning) in a single unified platform. Prisma Cloud monitors AWS, Azure, Google Cloud, Alibaba Cloud, and Oracle Cloud — unified visibility, threat detection, and compliance governance across multi-cloud environments from one console.
Prisma Cloud’s Code to Cloud approach addresses security across the complete software delivery lifecycle. The CSPM module evaluates 1,500-plus configuration policies. Attack Path Analysis visualises end-to-end exploitable paths from the public internet to sensitive data — prioritising the small number of findings that represent genuine risk among hundreds of theoretical violations. Runtime Security protects containers and serverless functions with behavioural profiling.
Key Features & Components
| Feature / Component | Description |
|---|---|
| CSPM (1,500+ Policies) | Continuously evaluates all cloud resource configurations against 1,500+ policies — misconfigurations, public exposures, and compliance violations detected in real time. |
| Cloud Workload Protection (CWP) | Vulnerability scanning and runtime threat detection for VMs, containers, and serverless — behavioural profiling blocks anomalous process execution in production. |
| CIEM (Cloud Identity Entitlement) | Analyses IAM permissions — identifies unused, over-permissive, and risky entitlements; calculates effective permissions considering all policy inheritance and federation. |
| Code Security (IaC Scanning) | Scans Terraform, CloudFormation, Kubernetes YAML, and Helm charts in IDE and CI/CD — catches misconfigurations before any cloud resource is created. |
| Attack Path Analysis | Visualises end-to-end attack paths from internet exposure to sensitive data — prioritises findings by real exploitability, not theoretical risk scores. |
| WAAS (Application Protection) | Cloud-native WAF and API security covering OWASP Top 10 and API-specific attacks — inline protection without hardware appliances across any cloud. |
TOKEN=$(curl -s -X POST 'https://api.prismacloud.io/login' \
-H 'Content-Type: application/json' \
-d '{"username":"admin@corp.com","password":"PrismaAdmin2024!","customerName":"CorpInc"}' \
| python3 -c "import sys,json;print(json.load(sys.stdin)['token'])")
# Query all CRITICAL open alerts
curl -s -X POST 'https://api.prismacloud.io/alert' \
-H "x-redlock-auth: $TOKEN" -H 'Content-Type: application/json' \
-d '{"filters":[
{"name":"alert.status","operator":"=","value":"open"},
{"name":"policy.severity","operator":"=","value":"critical"}],
"limit":50,"timeRange":{"type":"to_now","value":"epoch"}}' \
| python3 -c "
import sys, json
alerts = json.load(sys.stdin)['items']
print(f'Critical open alerts: {len(alerts)}')
for a in alerts[:5]:
print(f' {a["policy"]["name"]} — {a["resource"]["name"]}')"
# Get PCI DSS compliance posture
curl -s -X POST 'https://api.prismacloud.io/compliance/posture' \
-H "x-redlock-auth: $TOKEN" -H 'Content-Type: application/json' \
-d '{"filters":[{"name":"policy.complianceStandard","operator":"=","value":"PCI DSS v3.2.1"}],
"timeRange":{"type":"to_now","value":"epoch"}}'
# Automated Lambda remediation for public S3 bucket
import boto3
def remediate_public_s3(event, context):
s3 = boto3.client('s3')
bucket = event['resource']['name']
s3.put_public_access_block(Bucket=bucket, PublicAccessBlockConfiguration={
'BlockPublicAcls':True,'IgnorePublicAcls':True,
'BlockPublicPolicy':True,'RestrictPublicBuckets':True})
print(f'Public access blocked on s3://{bucket}')Overview
Dome9 (now Check Point CloudGuard CSPM, following Check Point’s 2018 acquisition) is a CSPM platform providing continuous compliance monitoring, misconfiguration detection, intelligent network topology visualisation, and automated remediation for AWS, Azure, Google Cloud, and Kubernetes environments. CloudGuard CSPM evaluates configurations against 2,500-plus built-in rules covering CIS Benchmarks, NIST SP 800-53, PCI DSS, HIPAA, SOC 2, GDPR, and custom organisational policies.
CloudGuard’s Effective Permissions Analysis calculates the complete set of permissions available to each IAM entity by resolving all policy inheritance, trust relationships, permission boundaries, and service control policies — revealing truly over-privileged accounts. CloudGuard GSL (Governance Specification Language) enables human-readable custom security policy definition without code. CloudBots provide pre-built automated remediation scripts triggered on policy violations.
Key Features & Components
| Feature / Component | Description |
|---|---|
| 2,500+ Built-In Compliance Rules | Continuous evaluation against CIS, NIST, PCI DSS, HIPAA, SOC 2, GDPR, and custom policies — quantified per-control pass/fail posture with remediation guidance. |
| Effective Permissions Analysis | Resolves all IAM inheritance, trust relationships, permission boundaries, and SCPs — reveals truly over-privileged accounts invisible to simple IAM policy review. |
| CloudBots (Automated Remediation) | Pre-built automated remediation scripts triggered on policy violations — fixes open security groups, unencrypted volumes, and other common misconfigurations automatically. |
| GSL (Governance Specification Language) | Human-readable custom policy language — cloud architects write bespoke security rules without coding; rules target any cloud resource attribute. |
| Network Topology Visualisation | Interactive cloud network graph showing security groups, routes, and public exposure — makes complex multi-account cloud network configurations understandable. |
| Kubernetes Security (CloudGuard WorkLoad) | CIS Kubernetes Benchmark compliance, admission controller policies, runtime anomaly detection, and network policy visualisation for Kubernetes workloads. |
TOKEN=$(curl -s -X POST 'https://api.dome9.com/v2/access-token' \
-u 'API_KEY_ID:API_KEY_SECRET' \
| python3 -c "import sys,json;print(json.load(sys.stdin)['token'])")
# Run PCI DSS assessment
ASSESS_ID=$(curl -s -X POST 'https://api.dome9.com/v2/assessment/bundleV2' \
-H "Authorization: Bearer $TOKEN" -H 'Content-Type: application/json' \
-d '{"id":16,"cloudAccountIds":["AWS_ACCOUNT_ID"],"cloudAccountType":"aws"}' \
| python3 -c "import sys,json;print(json.load(sys.stdin)['id'])")
sleep 60
curl -s "https://api.dome9.com/v2/assessment/$ASSESS_ID" -H "Authorization: Bearer $TOKEN" \
| python3 -c "
import sys, json
r = json.load(sys.stdin)
print(f'Tests passed: {r.get("passedCount")}')
print(f'Tests failed: {r.get("failedCount")}')
print(f'Score: {r.get("score")}%')"
# GSL custom rule — detect unrestricted SSH (0.0.0.0/0 on port 22)
curl -s -X POST 'https://api.dome9.com/v2/Compliance/Ruleset' \
-H "Authorization: Bearer $TOKEN" -H 'Content-Type: application/json' \
-d '{"name":"PCI_No_Unrestricted_SSH","cloudVendor":"aws",
"rules":[{"name":"Block public SSH access","severity":"Critical",
"logic":"SecurityGroup should not have inboundRules with [port=22 and source=\"0.0.0.0/0\"]",
"remediationSteps":"Remove 0.0.0.0/0 from SSH ingress rule."}]}'
# Enable CloudBot auto-remediation
# Dome9 > Settings > CloudBots > Enable: sg-delete-rule
# Trigger: Policy violation 'Block public SSH access'
# Generate PDF compliance report
curl -s -X POST 'https://api.dome9.com/v2/assessment/export/pdf' \
-H "Authorization: Bearer $TOKEN" \
-d "{\"assessmentId\":\"$ASSESS_ID\"}" \
-o 'PCI_DSS_Assessment_Q2_2024.pdf'Overview
Netskope is a cloud-native security platform providing industry-leading Cloud Access Security Broker (CASB), Next-Generation Secure Web Gateway (NG-SWG), Zero Trust Network Access (ZTNA), and Data Loss Prevention (DLP) as an integrated Security Service Edge (SSE) solution. Netskope’s NewEdge network — a purpose-built private security cloud with 50-plus data centres globally — provides inline inspection of all cloud application traffic with sub-5ms additional latency.
Netskope’s Cloud Confidence Index (CCI) evaluates 68,000-plus cloud applications across 50 attributes covering security certifications, data protection, auditability, and financial viability. The content-aware DLP engine performs deep content inspection of all cloud traffic for PII, PHI, PCI cardholder data, source code, financial models, and custom-defined sensitive patterns. Netskope’s UEBA module uses ML to detect anomalous cloud activity.
Key Features & Components
| Feature / Component | Description |
|---|---|
| CASB (68,000+ Cloud Apps) | Inline and API-based visibility and control for 68,000+ cloud apps — sanctioned app governance and shadow IT discovery with activity-level policy enforcement. |
| Cloud Confidence Index (CCI) | Risk scores for 68,000+ cloud apps across 50 attributes — data-driven cloud application policy decisions with documented risk justification. |
| NG-SWG with SSL/TLS Inspection | Next-gen SWG applying threat protection, URL filtering, DLP, and app controls to all web and cloud traffic — full HTTPS decryption without appliance constraints. |
| Cloud DLP (Content-Aware) | Deep content inspection for PII, PHI, PCI, source code, and custom patterns in cloud uploads and downloads — prevents inadvertent and malicious data exfiltration. |
| ZTNA (Netskope Private Access) | Zero-trust application access — users authenticate to specific applications without being placed on the corporate network. |
| UEBA (Cloud Activity Analytics) | ML anomaly detection: impossible travel, bulk downloads, suspicious API calls, and account compromise indicators in cloud application activity. |
# Query personal Dropbox upload events (last 90 days)
curl -s 'https://corp.goskope.com/api/v1/events/data?token=API_TOKEN&type=application
&query=app eq "Dropbox" and activity eq "Upload" and from_user not like "%corp.com"
&starttime=1704067200' \
| python3 -c "
import sys, json
events = json.load(sys.stdin).get('data',[])
print(f'Personal Dropbox uploads: {len(events)}')
print(f'Unique uploading users: {len(set(e.get("user") for e in events))}')"
# Get Cloud Confidence Index for personal Dropbox
curl -s 'https://corp.goskope.com/api/v1/app/cci?token=API_TOKEN&appName=Dropbox+Personal' \
| python3 -c "
import sys, json
d = json.load(sys.stdin).get('data',{})
print(f'CCI Score: {d.get("cci_score")}/100 | Risk: {d.get("risk_level")}')"
# DLP Policy: block M&A content upload to personal cloud storage
# Netskope GUI: Policies > Real-time Protection > New Policy
# Type: Cloud Storage | Activity: Upload
# Destination: All Personal Cloud Storage (CCI < 70)
# DLP Profile: MA_Confidential (patterns: 'non-public','transaction value','deal team')
# Action: Block + Notify user + Alert SOC
# Query DLP incidents
curl -s 'https://corp.goskope.com/api/v1/alerts?token=API_TOKEN&type=DLP' \
| python3 -c "
import sys, json
alerts = json.load(sys.stdin).get('data',[])
print(f'DLP violations: {len(alerts)}')
for a in alerts[:5]:
print(f' User:{a.get("user")} File:{a.get("object")}')" Overview
Trend Micro Cloud One is a security services platform for cloud builders — a unified suite covering workload security (Workload Security), container and Kubernetes security (Container Security), file storage security (File Storage Security), cloud network security (Network Security), web application security (Application Security), and Cloud Security Posture Management (Conformity). Each service integrates natively into DevOps workflows.
Cloud One Workload Security provides agent-based protection with six security modules: Anti-Malware, Integrity Monitoring, Log Inspection, IPS (virtual patching for unpatched vulnerabilities), Application Control, and Web Reputation. Conformity (CSPM) provides 1,000-plus real-time configuration checks for CIS, PCI DSS, HIPAA, NIST, and Well-Architected Frameworks. The virtual patching capability — IPS rules protecting against known CVEs on running workloads — is operationally significant for protecting systems between vulnerability disclosure and scheduled maintenance patching.
Key Features & Components
| Feature / Component | Description |
|---|---|
| Workload Security (6 Modules) | Anti-malware, integrity monitoring, log inspection, IPS/virtual patching, application control, and web reputation in one agent — cloud and hybrid workload protection. |
| Container Security (Image Scan + Runtime) | CI/CD pipeline image scanning plus Kubernetes admission controller — blocks vulnerable images from deployment; detects runtime container threats. |
| File Storage Security | Event-driven malware scanning of files uploaded to S3, Azure Blob, and GCS — triggered on object creation via Lambda/Azure Functions without always-on polling. |
| Conformity CSPM (1,000+ Checks) | Real-time configuration monitoring against CIS, PCI DSS, HIPAA, NIST, and Well-Architected — automated Jira/Slack remediation workflow with trend analytics. |
| Virtual Patching (IPS) | IPS rules protect unpatched vulnerabilities on running workloads — coverage from CVE disclosure until the patch can be applied in a maintenance window. |
| API-First / IaC Integration | Terraform provider and CloudFormation integration — Conformity checks as IaC quality gates; misconfigurations caught before resources are created. |
TOKEN=$(curl -s -X POST 'https://cloudone.trendmicro.com/api/authenticate' \
-H 'Content-Type: application/json' \
-d '{"userid":"admin@corp.com","secret":"CloudOneSecret2024!"}' \
| python3 -c "import sys,json;print(json.load(sys.stdin)['AuthenticationResult']['Token'])")
# Container Security: scan an ECR image for vulnerabilities
SCAN_ID=$(curl -s -X POST 'https://cloudone.trendmicro.com/api/container/images/scan' \
-H "Authorization: ApiKey $TOKEN" -H 'Content-Type: application/json' \
-d '{"name":"myapp","tag":"v2.3.0","registry":"123456789.dkr.ecr.us-east-1.amazonaws.com"}' \
| python3 -c "import sys,json;print(json.load(sys.stdin)['id'])")
sleep 120
curl -s "https://cloudone.trendmicro.com/api/container/images/$SCAN_ID/vulnerabilities" \
-H "Authorization: ApiKey $TOKEN" \
| python3 -c "
import sys, json
vulns = json.load(sys.stdin)['vulnerabilities']
critical = [v for v in vulns if v.get('severity')=='critical']
print(f'Total: {len(vulns)} | Critical: {len(critical)}')
for v in critical[:5]:
print(f' {v["cve_id"]}: {v["package_name"]} {v["version"]}')"
# Conformity: get CRITICAL failed checks
curl -s 'https://cloudone.trendmicro.com/api/conformity/checks?filter[status]=FAILURE&filter[riskLevel]=CRITICAL' \
-H "Authorization: ApiKey $TOKEN" \
| python3 -c "
import sys, json
checks = json.load(sys.stdin)['data']
print(f'Critical failures: {len(checks)}')
for c in checks[:5]:
print(f' {c["attributes"]["rule"]["title"]} — {c["attributes"]["resource"]["name"]}')"
# Workload Security: apply IPS virtual patch for CVE-2024-21762
curl -s -X POST 'https://cloudone.trendmicro.com/api/policies/POLICY_ID/intrusion-prevention/rules' \
-H "Authorization: ApiKey $TOKEN" -H 'Content-Type: application/json' \
-d '{"ruleIDs": [49125]}' # IPS rule ID for CVE-2024-21762Overview
McAfee MVISION Cloud (now Skyhigh Security CASB, following the McAfee Enterprise divestiture through Symphony Technology Group) is an enterprise Cloud Access Security Broker (CASB) and Security Service Edge (SSE) platform providing shadow IT discovery, data security, threat protection, and compliance for cloud applications. Shadow IT Discovery analyses firewall and proxy logs to identify all cloud services in use — assessing risk and usage patterns for 40,000-plus cloud applications through the Cloud Trust Rating system.
MVISION Cloud’s data security capabilities include API-based DLP inspecting content already stored in sanctioned cloud applications (Microsoft 365, Salesforce, Box, AWS S3) without inline proxy interception, and inline DLP for all cloud application traffic. Collaboration Security monitors sharing activities in Microsoft 365 and Google Workspace. UEBA provides ML-based cloud activity anomaly detection for impossible travel, bulk downloads, sensitive data access outside normal hours, and administrative API calls from new locations.
Key Features & Components
| Feature / Component | Description |
|---|---|
| Shadow IT Discovery (40,000+ Apps) | Analyses firewall/proxy logs for all cloud services — risk scores for 40,000+ apps; unsanctioned app usage by user, department, volume, and risk level. |
| API-Based DLP (Microsoft 365/Salesforce) | Inspects content in sanctioned cloud apps via API — detects sensitive data at rest in collaboration workflows without inline traffic redirection. |
| Collaboration Security | Monitors sharing in Microsoft 365 and Google Workspace — detects externally shared sensitive files, public links, overly permissive sites, and personal account sharing. |
| UEBA (Cloud Activity Analytics) | ML anomaly detection: impossible travel, bulk downloads, sensitive data access anomalies, and account compromise indicators in cloud application activity. |
| Zero-Day Threat Protection | Sandboxes files uploaded to cloud applications — detects novel malware in cloud collaboration platforms before signature coverage exists. |
| Compliance Reporting | Pre-built compliance reports for SOC 2, PCI DSS, HIPAA, GDPR, and ISO 27001 mapped to cloud application data handling controls. |
TOKEN=$(curl -s -X POST 'https://mvisioncloudasc.mcafee.com/api/v1/user/login' \
-H 'Content-Type: application/json' \
-d '{"username":"admin@corp.com","password":"MVisionAdmin2024!"}' \
| python3 -c "import sys,json;print(json.load(sys.stdin)['token'])")
# Shadow IT discovery — top high-risk unsanctioned apps
curl -s 'https://mvisioncloudasc.mcafee.com/api/v1/cloud-services/shadow-it' \
-H "Authorization: Bearer $TOKEN" \
| python3 -c "
import sys, json
apps = json.load(sys.stdin).get('services',[])
high = sorted([a for a in apps if a.get('riskScore',0)>=7], key=lambda x:x['riskScore'],reverse=True)
print(f'Unsanctioned apps: {len(apps)} | High-risk (7-10): {len(high)}')
for a in high[:5]:
print(f' {a["name"]}: {a["riskScore"]}/10 | Users:{a.get("userCount",0)}')"
# DLP violations — PHI shared externally in M365
curl -s 'https://mvisioncloudasc.mcafee.com/api/v1/dlp/violations?service=Office365&classification=PHI&sharing=external' \
-H "Authorization: Bearer $TOKEN" \
| python3 -c "
import sys, json
v = json.load(sys.stdin).get('violations',[])
print(f'PHI files shared externally: {len(v)}')
public = [x for x in v if x.get('sharing')=='PUBLIC_LINK']
print(f' Via public links: {len(public)}')"
# Auto-quarantine policy: remove public sharing from PHI files
curl -s -X POST 'https://mvisioncloudasc.mcafee.com/api/v1/dlp/policies' \
-H "Authorization: Bearer $TOKEN" -H 'Content-Type: application/json' \
-d '{"name":"HIPAA_Block_PHI_External","classification":"PHI",
"action":"QUARANTINE","condition":"SHARED_EXTERNALLY",
"services":["Office365","Google_Workspace"],
"notify_user":true,"notify_admin":true}'Section 3: Miscellaneous
This section provides comprehensive profiles for 9 miscellaneous tools (Tools 91–99) — architectures, operational capabilities, and real-world application scenarios.
Overview
Paros Proxy is a legacy Java-based web application security testing tool developed by Chinotec Technologies and released in 2003 as one of the earliest open-source intercepting proxy tools. Paros operates as a man-in-the-middle HTTP/HTTPS proxy — the tester’s browser routes traffic through Paros, which intercepts and displays every HTTP request and response, enabling analysts to inspect session tokens, modify POST parameters, manipulate cookies, replay requests, and inject payloads.
Though superseded by OWASP ZAP (which began as a Paros fork in 2010) and Burp Suite Professional, Paros holds significant historical importance as the tool that established the intercepting proxy architecture for web application security testing that all modern equivalents follow. Understanding Paros is valuable for practitioners learning web security testing fundamentals and forensic investigators examining legacy testing documentation.
Key Features & Components
| Feature / Component | Description |
|---|---|
| HTTP/HTTPS Intercepting Proxy | Routes browser traffic through Paros for request/response inspection, modification, and replay — the foundational web testing model that OWASP ZAP and Burp Suite evolved from. |
| Spider (Web Crawler) | Automated crawling to discover all pages, forms, and endpoints — builds site map for systematic security testing coverage of the application attack surface. |
| Active Vulnerability Scanner | Automated checks for SQL injection, XSS, path traversal, and insecure cookies — the predecessor to modern DAST automated scanning capabilities. |
| HTTP Request Editor | Manual editing of intercepted requests including headers, parameters, and body content — enables injection testing and parameter tampering. |
| Session Management Analysis | Inspects session token entropy, cookie security flags (Secure, HttpOnly), and session fixation vulnerabilities in web applications. |
| Historical Significance | Direct predecessor to OWASP ZAP (forked 2010) — established the intercepting proxy architecture now universal in web application security testing tools. |
# Note: Paros is deprecated (last release 2006). # Use OWASP ZAP or Burp Suite for production security testing. # This demonstration is for educational and historical understanding only. # Step 1: Configure browser proxy settings # Firefox: Settings > Network > Manual Proxy Configuration # HTTP Proxy: 127.0.0.1 Port: 8080 # HTTPS Proxy: 127.0.0.1 Port: 8080 # Step 2: Launch Paros (Java application) java -jar paros.jar & # GUI opens — listening on localhost:8080 # Step 3: Install Paros CA certificate in browser # Tools > Root CA > Export Certificate # Firefox: Settings > Certificates > Import paros_ca.cer # Step 4: Intercept a login request # Paros > Trap > Trap Request # Navigate to login page — Paros intercepts the POST request: # POST /login HTTP/1.1 # username=admin&password=password123 # Step 5: SQL injection test via request editor # Edit intercepted parameter: # username=admin'--&password=anything # Click Continue — observe if login succeeds (auth bypass) # Step 6: Run Paros scanner # Analyse > Spider (discovers all pages and forms) # Analyse > Active Scan (tests SQLi, XSS, path traversal) # Step 7: Compare with OWASP ZAP (modern equivalent) ./zap.sh -quickurl http://vulnerable-app.local -quickout report.html # ZAP: 42 vulnerabilities found (vs Paros: 8 detections) # ZAP additionally finds: DOM XSS, SSRF, IDOR, modern auth flaws
Overview
WebTitan is a cloud-based DNS filtering and web security platform from TitanHQ providing URL filtering, malware protection, phishing prevention, and content policy enforcement for organisations of all sizes. WebTitan operates at the DNS resolution layer — DNS queries from enrolled devices are routed through WebTitan’s resolvers, which evaluate each queried domain against category databases, malware blacklists, phishing intelligence, and custom policies before resolving the address. DNS-layer filtering blocks malicious connections before any HTTP connection is established.
WebTitan maintains category databases covering 200-plus URL categories and integrates with real-time threat intelligence feeds to block newly registered malicious domains within hours of their first observed malicious activity. WebTitan OTG (Off The Grid) provides a lightweight agent for laptops operating outside the corporate network, enforcing DNS filtering through WebTitan’s cloud resolvers on roaming devices.
Key Features & Components
| Feature / Component | Description |
|---|---|
| DNS-Layer Malware and Phishing Blocking | Blocks malicious domains at DNS resolution before any connection — stops malware downloads, phishing sites, and C2 communication at the fastest possible layer. |
| 200+ URL Category Filtering | Granular web content policy controls by department, user group, time of day, or network segment — enforces acceptable use policies with detailed reporting. |
| Real-Time Threat Intelligence | Integrates threat intelligence feeds to block newly registered malicious domains within hours of first observed malicious activity. |
| WebTitan OTG (Off-Network Protection) | Lightweight agent for laptops outside the corporate network — DNS filtering enforced on roaming devices through WebTitan’s cloud resolvers. |
| BYOD and Guest WiFi Filtering | Enforces content policies on guest WiFi and BYOD devices without installing agents — DNS enforcement covers any device on the network. |
| SIEM and API Integration | Logs all DNS queries and blocked events for SIEM integration — API enables programmatic policy management and threat event retrieval. |
TOKEN=$(curl -s -X POST 'https://api.webtitan.com/api/v2/auth/token' \
-H 'Content-Type: application/json' \
-d '{"username":"admin@msp.com","password":"WebTitanMSP2024!"}' \
| python3 -c "import sys,json;print(json.load(sys.stdin)['token'])")
# List all managed client networks
curl -s 'https://api.webtitan.com/api/v2/networks' -H "Authorization: Bearer $TOKEN" \
| python3 -c "import sys,json;print(f'Managed networks: {len(json.load(sys.stdin)["networks"])}')"
# Add Log4Shell callback domains to global blocklist (all clients)
curl -s -X POST 'https://api.webtitan.com/api/v2/lists/blacklist/domains' \
-H "Authorization: Bearer $TOKEN" -H 'Content-Type: application/json' \
-d '{"domains":["log4j-test.dnslog.cn","ldap.rce.cyou","interactsh.com"],
"reason":"Log4Shell CVE-2021-44228 callback domains",
"apply_to_all_networks":true}'
# Query blocked events for a specific client
curl -s 'https://api.webtitan.com/api/v2/reporting/dns-queries?network_id=CLIENT_NETWORK_ID&action=BLOCKED&category=Malware&start_date=2024-06-01T00:00:00Z' \
-H "Authorization: Bearer $TOKEN" \
| python3 -c "
import sys, json
e = json.load(sys.stdin)['events']
print(f'Blocked malware DNS queries: {len(e)}')
domains = set(x.get('domain') for x in e)
print(f'Unique blocked domains: {len(domains)}')
for d in list(domains)[:10]:
print(f' Blocked: {d}')"
# Create per-client custom policy for high-risk client
curl -s -X PUT 'https://api.webtitan.com/api/v2/policies/POLICY_ID' \
-H "Authorization: Bearer $TOKEN" -H 'Content-Type: application/json' \
-d '{"blocked_categories":["Malware","Phishing","Botnet","Proxy_Avoidance","Newly_Registered_Domains"],
"safe_search_enforced":true}'Overview
SiteLock is a cloud-based website security platform providing automated malware scanning, vulnerability detection, web application firewall (WAF), DDoS protection, and reputation monitoring — primarily targeting SMBs and individual website owners managing CMS-based sites (WordPress, Joomla, Drupal, Magento). SiteLock performs daily automated scanning of website files, databases, and code for malware infections, injected scripts, backdoors, SEO spam, and Trojans across PHP, JavaScript, HTML, and CSS code.
The SMART (Secure Malware Alert and Removal Tool) automated malware removal service detects and removes infections without requiring manual intervention. SiteLock’s TrueShield WAF protects against SQL injection, XSS, CSRF, and OWASP Top 10 attacks. The platform monitors 40-plus domain reputation blacklists and alerts when a domain is flagged for hosting malware or phishing content.
Key Features & Components
| Feature / Component | Description |
|---|---|
| Automated Daily Malware Scanning | Scans all website files and database content for malware, backdoors, injected scripts, and SEO spam — covering PHP, JavaScript, HTML across all major CMS platforms. |
| SMART (Automated Malware Removal) | Automatically removes detected malware without manual intervention — addresses most infections within hours of detection without requiring technical knowledge. |
| TrueShield WAF | Cloud-based WAF protecting against SQLi, XSS, CSRF, and OWASP Top 10 — globally distributed reverse proxy providing DDoS mitigation alongside application protection. |
| CMS Vulnerability Scanning | Identifies outdated WordPress core, plugin, and theme versions with known CVEs — specific vulnerability reporting for installed CMS components. |
| Blacklist and Reputation Monitoring | Monitors 40+ domain blacklists continuously — alerts when the domain is flagged for malware or phishing content by major reputation services. |
| SiteLock Trust Seal | Dynamic badge displaying current scan status — confidence signal for visitors confirming daily security check results. |
TOKEN=$(curl -s -X POST 'https://api.sitelock.com/v1/auth/token' \
-H 'Content-Type: application/json' \
-d '{"username":"admin@store.com","password":"SiteLockAdmin2024!"}' \
| python3 -c "import sys,json;print(json.load(sys.stdin)['access_token'])")
# Get current security status for all monitored sites
curl -s 'https://api.sitelock.com/v1/sites' -H "Authorization: Bearer $TOKEN" \
| python3 -c "
import sys, json
for s in json.load(sys.stdin)['sites']:
print(f'Domain: {s["domain"]} | Status: {s["security_status"]} | Malware: {s.get("malware_detected",False)}')"
# Trigger immediate high-priority malware scan
curl -s -X POST 'https://api.sitelock.com/v1/sites/SITE_ID/scans' \
-H "Authorization: Bearer $TOKEN" -H 'Content-Type: application/json' \
-d '{"scan_type":"malware","priority":"high"}'
# Get scan results with malware findings
curl -s 'https://api.sitelock.com/v1/sites/SITE_ID/findings?type=malware&status=active' \
-H "Authorization: Bearer $TOKEN" \
| python3 -c "
import sys, json
findings = json.load(sys.stdin)['findings']
print(f'Active malware findings: {len(findings)}')
for f in findings:
print(f' {f["file_path"]}: {f["malware_type"]} | Auto-removed: {f.get("auto_removed",False)}')"
# Request SMART automated malware removal
curl -s -X POST 'https://api.sitelock.com/v1/sites/SITE_ID/remediation/smart' \
-H "Authorization: Bearer $TOKEN" -d '{"auto_remove":true}'
# Get CMS vulnerability report (WordPress)
curl -s 'https://api.sitelock.com/v1/sites/SITE_ID/vulnerabilities?cms=wordpress' \
-H "Authorization: Bearer $TOKEN" \
| python3 -c "
import sys, json
vulns = json.load(sys.stdin)['vulnerabilities']
print(f'CMS vulnerabilities: {len(vulns)}')
for v in vulns:
print(f' {v.get("component")}: {v.get("cve_id")} CVSS:{v.get("cvss")}')" Overview
Maltego is a comprehensive intelligence and investigation platform providing visual link analysis for OSINT gathering, threat intelligence research, digital forensics, and cyber investigation. Developed by Paterva (acquired by Maltego Technologies in 2019), Maltego represents relationships between data entities — people, organisations, domains, IP addresses, email addresses, social media accounts, cryptocurrency wallets, phone numbers, and infrastructure components — as an interactive visual graph, making hidden connections discoverable that text-based research cannot reveal.
Maltego’s Transform system is its operational core: Transforms are API connectors to external data sources that automatically query services and add discovered information to the graph. The Transform Hub provides 60-plus data providers including Shodan, VirusTotal, HaveIBeenPwned, Censys, PassiveTotal, ThreatMiner, LinkedIn, social media platforms, and specialised OSINT databases.
Key Features & Components
| Feature / Component | Description |
|---|---|
| Visual Link Analysis Graph | Interactive relationship visualisation between entities — people, domains, IPs, organisations, social accounts — making complex multi-entity connections understandable. |
| Transform Hub (60+ Data Sources) | API connectors to Shodan, VirusTotal, HaveIBeenPwned, Censys, PassiveTotal, LinkedIn, blockchain, and OSINT databases — automated multi-source enrichment. |
| OSINT Investigation Templates | Pre-built investigation workflows for phishing attribution, threat actor infrastructure mapping, domain/IP analysis, person OSINT, and social network analysis. |
| Threat Infrastructure Mapping | Maps malware C2 infrastructure and phishing hosting networks through domain registration, passive DNS, and certificate transparency data. |
| Maltego XL (Large-Scale Graphs) | Handles 1,000,000+ entity graphs for law enforcement and national CERT investigations — suitable for large-scale cyber investigation and attribution operations. |
| Custom Transform Development | Python and Java Transform APIs — organisations build custom Transforms connecting to proprietary data sources, internal databases, or specialised intelligence feeds. |
# Maltego Python Transform — custom Bitcoin OSINT
from maltego_trx.transform import DiscoverableTransform
import requests
class BitcoinWalletTransactions(DiscoverableTransform):
@classmethod
def create_entities(cls, request, response):
btc_address = request.Value
data = requests.get(f'https://blockchain.info/rawaddr/{btc_address}', timeout=10).json()
for tx in data.get('txs', [])[:10]:
for output in tx.get('out', []):
addr = output.get('addr', '')
if addr and addr != btc_address:
entity = response.addEntity('maltego.BitcoinAddress', addr)
entity.addProperty('Amount BTC', value=str(output.get('value',0)/1e8))
# Maltego GUI investigation workflow:
# STEP 1: Start with ransom note Bitcoin wallet
# New Graph > Add Entity: BitcoinAddress
# Value: 1BvBMSEYstWetqTFn5Au4m4GFg7xJaNVN2
# STEP 2: Bitcoin Transforms
# Right-click > Run Transform: Wallet to Transactions
# Graph expands to transaction partners
# STEP 3: Pivot to Tor .onion negotiation URL
# Add Entity: URL (from ransom note)
# Run Transforms: URL > Domain > IP > Shodan open ports
# STEP 4: Certificate transparency analysis
# Run Transform: Domain to SSL Certificates (crt.sh)
# Shared cert fingerprint reveals other domains
# STEP 5: WHOIS pivoting on all discovered domains
# Run Transform: Domain to WHOIS
# Filter: shared registrar email across domains
# STEP 6: Breach record lookup
# Run Transform: Email to HaveIBeenPwnedOverview
BluVector is an AI-driven network threat detection platform from Comcast Technology Solutions providing network-based advanced malware detection using supervised machine learning models trained on the semantic structure of executable files and documents — not signatures. BluVector analyses network traffic in real time, extracting and classifying executable files, documents, and scripts traversing monitored network flows based on structural and statistical properties learned from training on millions of malware and benign samples.
BluVector’s ML approach provides a fundamental advantage over signature-based detection for zero-day and novel malware: completely new malware samples share structural properties with their malware family — enabling detection without any prior knowledge of the specific sample. BluVector operates as a passive out-of-band network sensor from mirrored traffic, without impacting production network performance. Retroactive analysis capability allows previously captured traffic to be re-analysed against updated models.
Key Features & Components
| Feature / Component | Description |
|---|---|
| AI/ML Zero-Day Malware Detection | Supervised ML classifies executables and documents by structural properties — detects novel malware variants without signatures based on semantic analysis. |
| Network File Extraction and Analysis | Reconstructs files from monitored network traffic (HTTP, SMTP, FTP, SMB) for ML classification — passive network sensor without performance impact. |
| Multi-Protocol Coverage | Analyses file transfers across HTTP, HTTPS (with SSL inspection), SMTP, FTP, SMB, and other protocols — comprehensive network visibility for file-borne threats. |
| Retroactive Analysis | Re-analyses previously captured network traffic against updated models — identifies malware that evaded detection at capture time when better models become available. |
| PCAP-Based Forensic Investigation | Full packet capture with file extraction enables forensic investigation — complete evidence chain from network capture to malware file analysis. |
| SIEM Integration | Exports detection events and malware metadata to Splunk, QRadar, and SIEM platforms — integrates network ML detection into broader SOC alert workflows. |
TOKEN=$(curl -s -X POST 'https://bluvector.corp.local:8443/api/v1/auth/login' \
-H 'Content-Type: application/json' \
-d '{"username":"admin","password":"BluVectorAdmin2024!"}' \
| python3 -c "import sys,json;print(json.load(sys.stdin)['token'])")
# Query high-confidence malicious detections (last 24h)
curl -s 'https://bluvector.corp.local:8443/api/v1/detections?severity=HIGH,CRITICAL&confidence_min=0.85&start_time=2024-06-16T00:00:00Z' \
-H "Authorization: Bearer $TOKEN" \
| python3 -c "
import sys, json
dets = json.load(sys.stdin)['detections']
print(f'High-confidence detections: {len(dets)}')
for d in dets[:5]:
print(f' File:{d["filename"]} | SHA256:{d["sha256"]} | ML Score:{d["confidence"]:.2%}')
print(f' Source: {d["src_ip"]} -> {d["dst_ip"]}')"
# Get detailed detection report
curl -s 'https://bluvector.corp.local:8443/api/v1/detections/DETECTION_ID' \
-H "Authorization: Bearer $TOKEN" \
| python3 -c "
import sys, json
d = json.load(sys.stdin)
print(f'Classification: {d["classification"]}')
print(f'ML Confidence: {d["confidence"]:.2%}')
print(f'Similar Family: {d["closest_family"]}')"
# Download reconstructed file for sandbox analysis
curl -s 'https://bluvector.corp.local:8443/api/v1/detections/DETECTION_ID/file' \
-H "Authorization: Bearer $TOKEN" \
-o '/cases/INC-2024-0847/bluvector_sample.pdf'
# Retroactive analysis — re-scan last 30 days with updated models
curl -s -X POST 'https://bluvector.corp.local:8443/api/v1/retroactive-scan' \
-H "Authorization: Bearer $TOKEN" \
-d '{"pcap_start_date":"2024-05-17","pcap_end_date":"2024-06-17","model_version":"latest"}'Overview
Magnet AXIOM Cyber is a comprehensive digital forensics and incident response platform from Magnet Forensics providing a unified investigation environment combining disk forensics, memory forensics, cloud evidence acquisition (Microsoft 365, Google Workspace, Slack, Teams, Box, Dropbox, AWS, Azure), remote endpoint collection, and advanced artefact analysis within a single application. AXIOM Cyber is specifically designed for enterprise IR scenarios where evidence spans multiple types across a heterogeneous investigation.
Magnet AXIOM Cyber’s remote evidence acquisition capability deploys a lightweight collection agent to remote endpoints over the network, collecting targeted forensic artefacts, memory dumps, and cloud account data without physical access — enabling global enterprise IR without shipping laptops to analysts. The Magnet.AI categorisation engine uses ML to automatically tag and prioritise collected artefacts. Integration with Magnet AUTOMATE enables policy-driven automated evidence collection triggered by SIEM alerts.
Key Features & Components
| Feature / Component | Description |
|---|---|
| Unified Multi-Source Investigation | Single platform combining disk, memory, cloud (M365, Google Workspace, AWS), collaboration (Slack, Teams), and remote endpoint evidence — complete IR picture in one workspace. |
| Remote Endpoint Collection | Lightweight agent collects targeted artefacts, registry, event logs, and memory from remote endpoints without physical access — global enterprise IR coverage. |
| Cloud Evidence Acquisition | Authenticates to Microsoft 365, Google Workspace, Slack, Teams, Box, Dropbox, AWS, and Azure — collecting emails, files, messages, and audit logs as forensic evidence. |
| Magnet.AI Artefact Categorisation | ML-based artefact categorisation and prioritisation — automatically surfaces investigatively significant evidence from large collections to reduce review time. |
| Unified Timeline Analysis | Chronological timeline from all evidence sources — Windows event logs, file system timestamps, browser history, and cloud activity in one scrollable timeline. |
| Magnet AUTOMATE Integration | Policy-driven automated evidence collection triggered by SIEM alerts — preserves evidence at incident declaration before attacker activity is obscured. |
# Magnet AUTOMATE: trigger collection on SIEM P1 BEC alert
from flask import Flask, request
import subprocess
app = Flask(__name__)
@app.route('/axiom-automate', methods=['POST'])
def trigger_collection():
alert = request.json
if alert.get('severity') == 'P1' and 'BEC' in alert.get('tags', []):
subprocess.run(['MagnetAutomate', '--trigger', 'collect',
'--case', alert['incident_id'],
'--host', alert['affected_host'],
'--user', alert['affected_user'],
'--profile', 'BEC_Investigation_Profile',
'--output', f'/cases/{alert["incident_id"]}/evidence/'])
return {'status': 'collection_triggered'}, 200
# AXIOM Cyber GUI investigation workflow:
# STEP 1: Create case — File > New Case > BEC_CFO_Jun2024
# STEP 2: Acquire Microsoft 365 mailbox evidence
# Add Evidence > Cloud > Microsoft 365
# Target: cfo@corp.com
# Evidence: Email, Calendar, OneDrive, SharePoint, Teams Messages
# Date range: All available (12 months)
# STEP 3: Remote endpoint collection (CFO laptop at 10.50.14.22)
# Add Evidence > Remote Computer > 10.50.14.22
# Profile: IR_Standard
# Windows Event Logs (Security, System, Sysmon)
# Browser history (Chrome, Edge)
# Prefetch, shimcache, amcache
# Registry hives (NTUSER.DAT, SAM, SYSTEM)
# Recent files (LNK, Jump Lists, Shellbags)
# STEP 4: Process with Magnet.AI
# Process > Process Evidence
# Enable: Magnet.AI Categorisation, Timeline, Connections
# STEP 5: Review unified timeline
# Timeline > 2024-05-01 to 2024-06-17
# Filter: User=cfo@corp.com | Sort: chronologicalOverview
Prelude Detect is an adversary emulation and continuous security validation platform testing whether an organisation’s defences actually detect and respond to real adversary techniques. Prelude executes production-safe Verified Security Tests (VSTs) — atomic technique tests mapped to MITRE ATT&CK — against live endpoints and automatically validates whether the SIEM, EDR, and security stack generated expected detections. This continuous validation answers the question most security programmes cannot: ‘Do our controls actually detect what they claim to detect?’
Prelude Detect differs from traditional Breach and Attack Simulation (BAS) tools through its automated verification model — tests are not just executed but the platform queries connected detection tools to confirm the technique actually triggered an alert. If a technique executes without generating a detection, Prelude identifies the coverage gap and provides specific SIEM query suggestions, Sigma rules, and EDR policy configurations to close it.
Key Features & Components
| Feature / Component | Description |
|---|---|
| MITRE ATT&CK Mapped VSTs | Production-safe technique tests mapped to ATT&CK — executed on real endpoints to validate actual detection coverage, not theoretical rule existence. |
| Automated Detection Verification | Queries connected SIEM and EDR to confirm tests generated expected alerts — distinguishes ‘we have a rule’ from ‘the rule actually fires on real technique execution’. |
| ATT&CK Coverage Gap Identification | Identifies specific techniques not detected by current controls — evidence-based detection coverage map with systematic gap analysis. |
| Continuous Validation Scheduling | Re-validates after rule changes, SIEM updates, or EDR policy deployments — confirms controls remain effective after configuration changes. |
| Specific Remediation Guidance | For each gap, provides SIEM SPL/AQL queries, Sigma rule templates, and EDR policy configurations to close the specific detection gap. |
| Operator Framework Integration | Integrates with the open-source Operator C2 framework — red team validation testing using the same platform as continuous defensive validation. |
TOKEN=$(curl -s -X POST 'https://api.prelude.org/detect/authenticate' \
-H 'Content-Type: application/json' \
-d '{"account_id":"ACCT_ID","handle":"admin","password":"PreludeDetect2024!"}' \
| python3 -c "import sys,json;print(json.load(sys.stdin)['token'])")
# List VSTs mapped to ransomware ATT&CK techniques
curl -s 'https://api.prelude.org/detect/tests' -H "Token: $TOKEN" \
| python3 -c "
import sys, json
tests = json.load(sys.stdin)['tests']
ransomware_ttps = ['T1059.001','T1003.001','T1082','T1486','T1490']
relevant = [t for t in tests if t.get('technique_id') in ransomware_ttps]
print(f'Ransomware TTP tests available: {len(relevant)}')
for t in relevant:
print(f' {t["technique_id"]}: {t["name"]}')"
# Deploy VST to a Windows test endpoint
curl -s -X POST 'https://api.prelude.org/detect/queue' -H "Token: $TOKEN" \
-H 'Content-Type: application/json' \
-d '{"test":"T1059.001_POWERSHELL_ENCODED","endpoint":"ENDPOINT_ID_WINDOWS_TESTHOST"}'
sleep 120
# Check results
curl -s 'https://api.prelude.org/detect/activity' -H "Token: $TOKEN" \
| python3 -c "
import sys, json
for a in json.load(sys.stdin)['activity'][:10]:
print(f'Test: {a["test"]} | Technique: {a["technique_id"]}')
print(f' Executed: {a["executed"]} | Detected: {a["detected"]}')
if a.get('status') == 'GAP':
print(f' GAP: No detection — controls need remediation')"
# Get ATT&CK coverage visualisation
curl -s 'https://api.prelude.org/detect/coverage' -H "Token: $TOKEN" \
| python3 -c "
import sys, json
c = json.load(sys.stdin)
print(f'Techniques tested: {c["tested_techniques"]}')
print(f'Detected: {c["detected_techniques"]}')
print(f'Coverage gaps: {c["gap_count"]}')
print(f'Coverage %: {c["coverage_percentage"]}%')" Overview
Varonis for Active Directory (Varonis Data Security Platform — Active Directory module) is a data security and threat detection platform specialising in understanding and securing access to Active Directory, file systems, SharePoint, Exchange, and other enterprise data stores. Varonis maps the complete data access topology — who has access to what data, whether that access is actually used, which access paths are excessive or misconfigured, and which authentication patterns represent threat indicators.
Varonis automatically discovers Active Directory security misconfigurations: accounts with non-expiring passwords, password-not-required flags, stale accounts, nested group shadow admin paths enabling unintended privilege escalation, service accounts with unconstrained Kerberos delegation, and domain controller misconfigurations. The DatAlert (now Varonis Threat Detection and Response) module provides pre-built detection rules for Kerberoasting, AS-REP Roasting, Golden Ticket attacks, DCSync, LSASS memory access, and lateral movement.
Key Features & Components
| Feature / Component | Description |
|---|---|
| AD Misconfiguration Discovery | Identifies stale accounts, non-expiring passwords, password-not-required flags, nested group shadow admin paths, and unconstrained Kerberos delegation automatically. |
| DatAlert AD Attack Detection | Pre-built detection for Kerberoasting, AS-REP Roasting, Golden Ticket, DCSync, LSASS access, and lateral movement patterns in AD authentication events. |
| Data Access Topology Mapping | Maps who has access to every file share, SharePoint site, and Exchange mailbox — identifies over-permissioned accounts and excessive inherited access. |
| Behavioural Baseline Analytics | Builds per-user access baselines — detects anomalous data access patterns, unusual authentication times, and privilege escalation attempts. |
| Automated Stale Access Remediation | Identifies permissions unused for configurable time periods — optionally removes stale access automatically to enforce least-privilege without manual review. |
| Privilege Escalation Path Visualisation | Maps AD group membership privilege escalation paths — shows how a low-privilege account can reach Domain Admin through nested group chains. |
TOKEN=$(curl -s -X POST 'https://varonis.corp.local/api/v1/auth/token' \
-H 'Content-Type: application/json' \
-d '{"username":"varonis_api","password":"VaronisAPI2024!"}' \
| python3 -c "import sys,json;print(json.load(sys.stdin)['access_token'])")
# Query all CRITICAL active alerts (last 24h)
curl -s 'https://varonis.corp.local/api/v1/alerts?severity=CRITICAL,HIGH&status=OPEN&start_time=2024-06-16T00:00:00Z' \
-H "Authorization: Bearer $TOKEN" \
| python3 -c "
import sys, json
alerts = json.load(sys.stdin)['alerts']
print(f'Critical/High alerts: {len(alerts)}')
for a in alerts[:5]:
print(f' {a["rule_name"]}: {a["affected_user"]}')"
# Get AD misconfiguration risk report
curl -s 'https://varonis.corp.local/api/v1/reports/ad-risk' \
-H "Authorization: Bearer $TOKEN" \
| python3 -c "
import sys, json
r = json.load(sys.stdin)
print('Active Directory Risk Summary:')
print(f' Stale user accounts: {r.get("stale_users",0)}')
print(f' Non-expiring passwords: {r.get("non_expiring_passwords",0)}')
print(f' Unconstrained delegation: {r.get("unconstrained_delegation",0)}')
print(f' Shadow admin paths: {r.get("shadow_admin_paths",0)}')"
# Get Kerberoasting alert details (SPNs targeted)
curl -s 'https://varonis.corp.local/api/v1/alerts/ALERT_ID/events' \
-H "Authorization: Bearer $TOKEN" \
| python3 -c "
import sys, json
events = json.load(sys.stdin)['events']
spns = [e.get('target_spn') for e in events if e.get('event_type')=='TGS_REQUEST']
print(f'SPNs targeted: {len(spns)}')
for s in spns[:10]: print(f' {s}')"
# Automated response: disable compromised account
curl -s -X POST 'https://varonis.corp.local/api/v1/alerts/ALERT_ID/actions' \
-H "Authorization: Bearer $TOKEN" -H 'Content-Type: application/json' \
-d '{"action":"DISABLE_USER","target_user":"helpdesk.user@corp.com",
"reason":"Kerberoasting attack detected INC-2024-0847"}'Overview
Sophos Intercept X Advanced with XDR (Extended Detection and Response) is a comprehensive endpoint protection platform combining next-generation antivirus (NGAV), exploit prevention (25-plus techniques), anti-ransomware technology (CryptoGuard), deep learning malware detection, active adversary mitigations, and XDR data lake investigation capabilities. Sophos Intercept X consistently achieves top rankings in MITRE ATT&CK Evaluations, SE Labs, and AV-TEST benchmarks.
CryptoGuard is Intercept X’s signature ransomware prevention module — it monitors file system activity in real time for the rapid, systematic file encryption patterns characteristic of ransomware. When CryptoGuard detects ransomware behaviour (mass file modification with entropy increases), it immediately terminates the ransomware process, rolls back already-encrypted files from Volume Shadow Copies or Sophos’s own file copies, and alerts the SOC. Sophos XDR extends detection across endpoints, servers, firewalls, and email through a unified cloud data lake.
Key Features & Components
| Feature / Component | Description |
|---|---|
| CryptoGuard (Anti-Ransomware) | Real-time behavioural ransomware detection by file system encryption patterns — terminates ransomware and rolls back encrypted files before significant data loss. |
| Deep Learning Malware Detection | Deep neural network classifying files as malicious based on millions of structural features — detects novel malware with no prior signatures required. |
| Exploit Prevention (25+ Techniques) | Blocks ROP, heap spray, memory allocation abuse, and reflective DLL loading — protects against exploitation of unpatched vulnerabilities. |
| Active Adversary Mitigations | Detects credential harvesting, lateral movement, Cobalt Strike activity, AMSI bypass, and PowerShell abuse — disrupts post-exploitation attacks mid-execution. |
| Sophos XDR (Cross-Product Data Lake) | Correlates detection data from Endpoint, Server, Firewall, Email, and Cloud in a centralised data lake — unified threat investigation without multiple tool consoles. |
| Sophos MDR (Managed DR) | Optional 24/7 Sophos threat hunting and response service — fully managed SOC capability for organisations without dedicated security analysts. |
# Authenticate (OAuth2 client credentials)
AUTH=$(curl -s -X POST 'https://id.sophos.com/api/v2/oauth2/token' \
-H 'Content-Type: application/x-www-form-urlencoded' \
-d 'grant_type=client_credentials&client_id=SOPHOS_CLIENT_ID&client_secret=SOPHOS_CLIENT_SECRET&scope=token')
ACCESS_TOKEN=$(echo $AUTH | python3 -c "import sys,json;print(json.load(sys.stdin)['access_token'])")
TENANT_ID="YOUR_TENANT_ID"
# Query critical endpoint alerts (last 24h)
curl -s 'https://api.central.sophos.com/endpoint/v1/alerts?severity=critical&from=2024-06-16T00:00:00.000Z' \
-H "Authorization: Bearer $ACCESS_TOKEN" -H "X-Tenant-ID: $TENANT_ID" \
| python3 -c "
import sys, json
alerts = json.load(sys.stdin).get('items',[])
print(f'Critical alerts (24h): {len(alerts)}')
for a in alerts[:5]:
print(f' [{a["type"]}] {a["description"]}')
print(f' Host: {a["managedAgent"]["hostname"]}')"
# Network-isolate a compromised endpoint
curl -s -X POST 'https://api.central.sophos.com/endpoint/v1/endpoints/ENDPOINT_ID/isolate' \
-H "Authorization: Bearer $ACCESS_TOKEN" -H "X-Tenant-ID: $TENANT_ID" \
-H 'Content-Type: application/json' \
-d '{"comment":"LockBit detected — isolating for investigation"}'
# Query CryptoGuard rollback events
curl -s 'https://api.central.sophos.com/endpoint/v1/events?eventTypes=crypto_guard&from=2024-06-16T00:00:00.000Z' \
-H "Authorization: Bearer $ACCESS_TOKEN" -H "X-Tenant-ID: $TENANT_ID" \
| python3 -c "
import sys, json
events = json.load(sys.stdin).get('items',[])
print(f'CryptoGuard events: {len(events)}')
for e in events[:3]:
print(f' Host:{e["source"]["hostname"]} | Files rolled back:{e.get("filesRestored",0)} | Threat:{e["name"]}')"
# Sophos XDR: hunt for LockBit lateral movement in data lake
curl -s -X POST 'https://api.central.sophos.com/xdr-query/v1/queries/runs' \
-H "Authorization: Bearer $ACCESS_TOKEN" -H "X-Tenant-ID: $TENANT_ID" \
-H 'Content-Type: application/json' \
-d '{"adHocQuery":{"template":"SELECT filePath,userName,spawnedProcessName,time
FROM xdr_data.endpoint.process.start WHERE time > ago(1d)
AND (spawnedProcessName LIKE \'%wmic%\' OR spawnedProcessName LIKE \'%psexec%\')
ORDER BY time DESC LIMIT 100"},
"from":"2024-06-16T00:00:00.000Z"}'References
- TheHive Project — TheHive Documentation — docs.thehive-project.org
- CIRCL / MISP — MISP Project Documentation — misp-project.org/documentation
- SANS Institute — SIFT Workstation — sans.org/tools/sift-workstation
- Google — GRR Rapid Response — github.com/google/grr
- Velociraptor — Velociraptor Documentation — docs.velociraptor.app
- VMware/Broadcom — Carbon Black EDR — developer.vmware.com/apis/cb-liveresponse
- Cybereason — Cybereason REST API — nest.cybereason.com
- IBM Security — QRadar SOAR Documentation — ibm.com/docs/en/qsp
- Cofense — Triage API Documentation — cofense.com/knowledge-base
- D3 Security — D3 Smart SOAR — d3security.com
- Amazon Web Services — AWS Shield — docs.aws.amazon.com/shield
- Microsoft — Defender for Cloud — docs.microsoft.com — Defender for Cloud
- Google Cloud — Security Command Center — cloud.google.com/security-command-center/docs
- Cloudflare — Cloudflare API — api.cloudflare.com
- Zscaler — Zscaler API — help.zscaler.com/zia/api
- Palo Alto Networks — Prisma Cloud — docs.prismacloud.io
- Check Point — CloudGuard CSPM API — api.dome9.com/v2
- Netskope — Netskope REST API — docs.netskope.com
- Trend Micro — Cloud One API — cloudone.trendmicro.com/docs
- Skyhigh Security — MVISION Cloud — docs.trellix.com
- TitanHQ — WebTitan API — webtitan.com
- Maltego Technologies — Maltego Documentation — docs.maltego.com
- Magnet Forensics — AXIOM Cyber — magnetforensics.com/documentation
- Prelude Security — Prelude Detect — docs.prelude.org
- Varonis — DatAdvantage Documentation — varonis.com/resources
- Sophos — Intercept X / Central API — developer.sophos.com
- NIST — SP 800-61 Rev. 2 Computer Security Incident Handling Guide — csrc.nist.gov
- MITRE — ATT&CK Framework — attack.mitre.org
- CSA — Cloud Security Alliance — cloudsecurityalliance.org/research