Skills Matrix

Cybersecurity Skills & Project Evidence

Search skills by topic, tool, project, attack type, or cybersecurity concept. Each skill explains what it is, what it means, how I use it, and which projects support it.

41

Skills Documented

36

Evidence-Backed Skills

6

Completed Security Projects

25

Strengthened June 2026

Recently Strengthened Skills

New incident response evidence added

June 2026 update: new HSS capstone evidence strengthened incident response, SOC analysis, phishing analysis, PowerShell investigation, lateral movement analysis, MITRE ATT&CK mapping, and executive reporting.

View Incident Response Capstone

Showing 41 skills

Incident Response & SOC Analysis

What it is

The structured process of identifying, containing, eradicating, recovering from, and learning from security incidents.

What it means

A complete response process helps reduce attacker dwell time, preserve evidence, restore operations safely, and improve the security program after the incident.

How I use it

In the HSS capstone, I documented the full lifecycle from phishing detection through containment, eradication, recovery, post-incident review, and long-term improvement planning.

What it is

Investigating suspicious email activity, social engineering techniques, malicious links, sender impersonation, and related indicators of compromise.

What it means

Phishing is one of the most common initial access paths, so analysts need to connect the email evidence to downstream endpoint and network behavior.

How I use it

I analyzed a payroll-themed phishing scenario involving HR impersonation, urgency, a malicious secure-download.com link, and follow-on PowerShell execution on Workstation-23.

What it is

Reviewing PowerShell activity, command execution, downloaded scripts, and Windows process creation evidence to identify suspicious behavior.

What it means

Attackers commonly abuse PowerShell for payload delivery, credential theft, persistence, and command execution, so PowerShell evidence is important during investigations.

How I use it

In the HSS capstone, I tied Event ID 4688 and an Invoke-WebRequest command to the malicious payload download and used that activity to reconstruct the attack sequence.

What it is

Analyzing attempts by an attacker to move from an initially compromised system to other internal systems.

What it means

Lateral movement can turn a single endpoint compromise into a wider enterprise breach, especially when payroll, domain, or development systems are reachable.

How I use it

I analyzed SMB, RDP, PsExec, and SSH activity from Workstation-23 toward HR-SQL01 and DevAppServer to document the attack path and business risk.

What it is

Identifying and organizing suspicious IPs, domains, commands, accounts, files, protocols, and systems connected to attacker activity.

What it means

Good IoC documentation helps responders block malicious infrastructure, scope the incident, search for related activity, and communicate findings clearly.

How I use it

I documented malicious domains, the 45.77.33.88 external IP, payload.ps1, PsExecsvc, Invoke-WebRequest, affected systems, protocols, and targeted accounts in the HSS case study.

What it is

Mapping observed attacker behavior to standardized ATT&CK tactics and techniques.

What it means

ATT&CK mapping makes incident findings easier to compare, report, and turn into detection or control improvements.

How I use it

I mapped the HSS attack chain across Initial Access, Execution, Credential Access, Discovery, Lateral Movement, Command and Control, and attempted privilege escalation.

What it is

Reviewing security alerts and evidence to determine severity, scope, business impact, and next response actions.

What it means

Triage helps separate isolated alerts from real incidents that require containment, escalation, and leadership awareness.

How I use it

I classified the HSS event as high severity based on phishing success, malicious PowerShell execution, outbound suspicious traffic, credential harvesting indicators, and lateral movement attempts.

SIEM & Detection Engineering

What it is

An open-source security monitoring platform for log collection, alerting, intrusion detection, and compliance monitoring.

What it means

It helps detect suspicious activity and gives analysts visibility across systems.

How I use it

I use Wazuh in my lab to collect logs, write custom rules, validate alerts, and document SSH brute-force activity.

What it is

The process of creating, testing, and improving logic that detects attacker behavior.

What it means

It turns raw logs and security events into useful alerts and investigation signals.

How I use it

I create custom Wazuh rules, simulate attacks, test alert behavior, tune detection logic, and connect evidence to incident response reporting.

What it is

Writing detection logic that identifies specific suspicious events or patterns.

What it means

Custom rules help detect activity that default tools may miss.

How I use it

I write and test custom Wazuh rules for attack scenarios such as SSH brute-force attempts and use those detections as evidence in portfolio case studies.

What it is

Reviewing system, application, endpoint, and network logs to understand activity.

What it means

Logs are the evidence behind detection, investigation, incident response, and timeline reconstruction.

How I use it

I review authentication logs, Wazuh alerts, Windows Event Logs, Zeek telemetry, API security logs, command output, and timelines to explain what happened.

What it is

Reviewing network alerts and connection records to understand communication patterns and suspicious traffic.

What it means

Network telemetry helps analysts see attacker movement, external communication, and connections between compromised and targeted systems.

How I use it

In the HSS capstone, I used Snort and Zeek evidence to connect PowerShell execution, outbound HTTP traffic, DNS activity, SMB/RDP attempts, and SSH activity.

What it is

Improving alert rules to reduce false positives and make detections more useful.

What it means

Good tuning helps analysts focus on meaningful alerts.

How I use it

I plan to tune Wazuh alerts by adjusting rules, severity, thresholds, and expected behavior.

Related Projects

Security Architecture & Risk

What it is

The practice of designing systems, networks, applications, and controls so they are secure, resilient, and easier to monitor.

What it means

It helps organizations reduce risk by planning security into the environment instead of adding it later.

How I use it

I use architecture diagrams, segmentation, control mapping, API controls, and risk notes to explain how systems should be protected.

What it is

A process for identifying threats, weaknesses, impact, likelihood, and recommended mitigations.

What it means

It helps prioritize the most important security problems instead of treating every issue the same.

How I use it

I document risks, explain business impact, and recommend practical controls in architecture, API security, and incident response projects.

What it is

A structured way to think through how a system could be attacked.

What it means

It helps security teams identify abuse cases before attackers do.

How I use it

I use it to think through assets, trust boundaries, attack paths, likely attacker goals, and defensive controls for networks and APIs.

What it is

The practice of separating systems into zones so access can be controlled and limited.

What it means

It reduces blast radius if one system is compromised and helps restrict lateral movement toward high-value systems.

How I use it

I use segmentation concepts when designing secure network layouts and when recommending restrictions between Finance, HR, IT, and Development DMZ systems.

What it is

Prioritizing security improvements over time based on risk, visibility gaps, and business impact.

What it means

A roadmap turns an investigation or assessment into practical next steps that improve security maturity.

How I use it

I used the HSS post-incident review to recommend SIEM deployment, MFA, automated offboarding, PowerShell logging, Linux monitoring, segmentation, phishing training, and tabletop exercises.

What it is

A security model based on never automatically trusting users, devices, or networks.

What it means

It requires verification, least privilege, monitoring, segmentation, and strong access control.

How I use it

I plan to build a dedicated project showing identity-aware access, segmentation, and logging strategy.

Related Projects

Cloud, API & Identity

What it is

Testing APIs for authentication, authorization, input validation, abuse prevention, and data exposure issues.

What it means

APIs often expose sensitive business logic and data, so they must be tested and hardened carefully.

How I use it

I built and tested a Node.js/Express API, identified exposed routes, and implemented JWT authentication, RBAC, rate limiting, Zod validation, and security logging.

Related Projects

What it is

Authentication verifies identity, while authorization controls what an authenticated user is allowed to access.

What it means

Strong auth and access control help prevent unauthorized data exposure, privilege abuse, and insecure endpoint access.

How I use it

I implemented JWT-based login and protected API routes, then used role-based access control to restrict an admin endpoint to authorized users only.

Related Projects

What it is

Managing user accounts from creation through role changes, termination, disablement, and periodic access review.

What it means

Weak identity lifecycle controls can leave stale accounts active and create opportunities for attackers to reuse credentials.

How I use it

In the HSS capstone, I identified stale jcampbell credentials and recommended automated offboarding, account audits, MFA, and stronger access governance.

What it is

Giving users and systems only the access they need to perform their job.

What it means

It limits damage if an account or system is compromised.

How I use it

I apply least privilege thinking to network architecture, API role-based access control, and incident response recommendations involving privileged and stale accounts.

What it is

Recording important security events so suspicious behavior can be reviewed and investigated.

What it means

Security logs support detection, troubleshooting, investigation, future SIEM integration, and evidence-based reporting.

How I use it

I logged API security events in my API project and used log evidence from Windows, Zeek, Snort, and honeypots in the HSS incident response capstone.

What it is

Understanding cloud identity, networking, storage, logging, and configuration risks.

What it means

Cloud environments require secure configuration and continuous monitoring.

How I use it

I use cloud security concepts when planning architecture, IAM review, API deployment, and misconfiguration projects.

What it is

Reviewing users, roles, permissions, and access patterns.

What it means

Strong IAM reduces the chance of privilege abuse and unauthorized access.

How I use it

I plan to build a dedicated IAM review project focused on least privilege, excessive permissions, and account access risks.

Related Projects

System Hardening & Infrastructure

What it is

Protecting SSH access through secure configuration, monitoring, and authentication controls.

What it means

SSH is commonly targeted, so it needs strong protection, monitoring, and account hygiene.

How I use it

I use SSH logs in my Wazuh lab to detect brute-force attempts and analyzed SSH attempts toward DevAppServer in the HSS capstone.

What it is

Collecting and reviewing Linux authentication, process, file integrity, and endpoint telemetry.

What it means

Linux systems in DMZ or development environments can be high-value targets and need strong visibility.

How I use it

The HSS capstone identified limited Linux monitoring around DevAppServer and recommended expanded EDR, SSH auditing, and centralized logging.

What it is

Securing Windows systems through account controls, logging, policies, baselines, and defensive configuration.

What it means

Windows endpoints are common initial compromise points, and logging is critical for detection and investigation.

How I use it

The HSS capstone identified disabled PowerShell logging as a visibility gap and recommended standardized endpoint telemetry across Windows systems.

What it is

Reviewing firewall rules and allowed protocols to ensure only necessary traffic is permitted.

What it means

Firewall and access reviews help reduce exposure and restrict lateral movement paths.

How I use it

In the HSS capstone, I recommended restricting SMB, RDP, and SSH traffic between zones and tightening segmentation around Finance, HR, and DMZ systems.

What it is

Using tools to identify known weaknesses, outdated software, exposed services, and misconfigurations.

What it means

It helps prioritize remediation before attackers exploit weaknesses.

How I use it

I plan to run scans, validate results, rank risk, and document remediation steps.

Related Projects

What it is

Securing an Nginx web server through configuration, headers, TLS, logging, and access controls.

What it means

Web servers are exposed to the internet and need careful configuration.

How I use it

I plan to review Nginx security settings and document hardening recommendations.

Related Projects

Tools & Lab Environment

What it is

A local virtualization setup for running isolated lab machines.

What it means

VM labs let security learners safely simulate attacks, collect evidence, and test defenses.

How I use it

I use VirtualBox to run Kali, Linux, Windows, and Wazuh lab systems for detection and security testing projects.

What it is

A Linux distribution commonly used for security testing and lab simulations.

What it means

It provides tools used for scanning, testing, and controlled attack simulation.

How I use it

I use Kali in my lab to simulate attacker activity against test systems.

What it is

A tool used to test login brute-force scenarios in controlled environments.

What it means

It helps defenders understand what brute-force activity looks like in logs.

How I use it

I used Hydra to generate SSH brute-force activity for Wazuh detection testing.

What it is

A VS Code extension used to test API requests and responses.

What it means

It helps validate how APIs behave, including authentication, headers, request bodies, and security responses.

How I use it

I used Thunder Client to test login, JWT-protected routes, admin access controls, rate limiting, input validation, and security logging evidence.

Related Projects

What it is

A JavaScript runtime and web framework used to build backend APIs.

What it means

Understanding backend API development helps identify where security controls must be implemented.

How I use it

I built a REST API in Node.js/Express and then hardened it with authentication, authorization, validation, rate limiting, and logging.

Related Projects

What it is

A network scanning tool used to discover hosts, ports, and services.

What it means

It helps identify exposed services and possible attack surface.

How I use it

I use Nmap concepts for discovery, validation, and vulnerability scan planning.

Security Communication & Documentation

What it is

Explaining security findings in a way that connects technical evidence to business risk and practical decisions.

What it means

Security work becomes more valuable when leaders can understand what happened, why it matters, and what should happen next.

How I use it

I produced an executive-ready incident response report, a 12-slide presentation, and an expanded project pitch for the HSS capstone.

What it is

Documenting the work performed, evidence reviewed, decisions made, and results produced.

What it means

Good documentation helps reviewers understand both the technical result and the reasoning process behind it.

How I use it

I document each completed project as a case study with objectives, scenario, evidence, findings, troubleshooting, and recommendations.

What it is

Connecting technical security findings to operational, financial, regulatory, and reputational impact.

What it means

Business impact helps prioritize response actions and communicate why security controls matter.

How I use it

In the HSS capstone, I connected phishing, credential exposure, payroll systems, PII, healthcare assets, and development systems to organizational risk.

Contact Me