Skills Matrix
Cybersecurity Skills & Project Evidence
Search skills by topic, tool, project, attack type, or cybersecurity concept. Each skill explains what it is, what it means, how I use it, and which projects support it.
41
Skills Documented
36
Evidence-Backed Skills
6
Completed Security Projects
25
Strengthened June 2026
Recently Strengthened Skills
New incident response evidence added
June 2026 update: new HSS capstone evidence strengthened incident response, SOC analysis, phishing analysis, PowerShell investigation, lateral movement analysis, MITRE ATT&CK mapping, and executive reporting.
Showing 41 skills
Incident Response & SOC Analysis
What it is
The structured process of identifying, containing, eradicating, recovering from, and learning from security incidents.
What it means
A complete response process helps reduce attacker dwell time, preserve evidence, restore operations safely, and improve the security program after the incident.
How I use it
In the HSS capstone, I documented the full lifecycle from phishing detection through containment, eradication, recovery, post-incident review, and long-term improvement planning.
Related Projects
What it is
Investigating suspicious email activity, social engineering techniques, malicious links, sender impersonation, and related indicators of compromise.
What it means
Phishing is one of the most common initial access paths, so analysts need to connect the email evidence to downstream endpoint and network behavior.
How I use it
I analyzed a payroll-themed phishing scenario involving HR impersonation, urgency, a malicious secure-download.com link, and follow-on PowerShell execution on Workstation-23.
Related Projects
What it is
Reviewing PowerShell activity, command execution, downloaded scripts, and Windows process creation evidence to identify suspicious behavior.
What it means
Attackers commonly abuse PowerShell for payload delivery, credential theft, persistence, and command execution, so PowerShell evidence is important during investigations.
How I use it
In the HSS capstone, I tied Event ID 4688 and an Invoke-WebRequest command to the malicious payload download and used that activity to reconstruct the attack sequence.
Related Projects
What it is
Analyzing attempts by an attacker to move from an initially compromised system to other internal systems.
What it means
Lateral movement can turn a single endpoint compromise into a wider enterprise breach, especially when payroll, domain, or development systems are reachable.
How I use it
I analyzed SMB, RDP, PsExec, and SSH activity from Workstation-23 toward HR-SQL01 and DevAppServer to document the attack path and business risk.
Related Projects
What it is
Identifying and organizing suspicious IPs, domains, commands, accounts, files, protocols, and systems connected to attacker activity.
What it means
Good IoC documentation helps responders block malicious infrastructure, scope the incident, search for related activity, and communicate findings clearly.
How I use it
I documented malicious domains, the 45.77.33.88 external IP, payload.ps1, PsExecsvc, Invoke-WebRequest, affected systems, protocols, and targeted accounts in the HSS case study.
Related Projects
What it is
Mapping observed attacker behavior to standardized ATT&CK tactics and techniques.
What it means
ATT&CK mapping makes incident findings easier to compare, report, and turn into detection or control improvements.
How I use it
I mapped the HSS attack chain across Initial Access, Execution, Credential Access, Discovery, Lateral Movement, Command and Control, and attempted privilege escalation.
What it is
Reviewing security alerts and evidence to determine severity, scope, business impact, and next response actions.
What it means
Triage helps separate isolated alerts from real incidents that require containment, escalation, and leadership awareness.
How I use it
I classified the HSS event as high severity based on phishing success, malicious PowerShell execution, outbound suspicious traffic, credential harvesting indicators, and lateral movement attempts.
SIEM & Detection Engineering
What it is
An open-source security monitoring platform for log collection, alerting, intrusion detection, and compliance monitoring.
What it means
It helps detect suspicious activity and gives analysts visibility across systems.
How I use it
I use Wazuh in my lab to collect logs, write custom rules, validate alerts, and document SSH brute-force activity.
Related Projects
What it is
The process of creating, testing, and improving logic that detects attacker behavior.
What it means
It turns raw logs and security events into useful alerts and investigation signals.
How I use it
I create custom Wazuh rules, simulate attacks, test alert behavior, tune detection logic, and connect evidence to incident response reporting.
What it is
Writing detection logic that identifies specific suspicious events or patterns.
What it means
Custom rules help detect activity that default tools may miss.
How I use it
I write and test custom Wazuh rules for attack scenarios such as SSH brute-force attempts and use those detections as evidence in portfolio case studies.
Related Projects
What it is
Reviewing system, application, endpoint, and network logs to understand activity.
What it means
Logs are the evidence behind detection, investigation, incident response, and timeline reconstruction.
How I use it
I review authentication logs, Wazuh alerts, Windows Event Logs, Zeek telemetry, API security logs, command output, and timelines to explain what happened.
What it is
Reviewing network alerts and connection records to understand communication patterns and suspicious traffic.
What it means
Network telemetry helps analysts see attacker movement, external communication, and connections between compromised and targeted systems.
How I use it
In the HSS capstone, I used Snort and Zeek evidence to connect PowerShell execution, outbound HTTP traffic, DNS activity, SMB/RDP attempts, and SSH activity.
Related Projects
What it is
Improving alert rules to reduce false positives and make detections more useful.
What it means
Good tuning helps analysts focus on meaningful alerts.
How I use it
I plan to tune Wazuh alerts by adjusting rules, severity, thresholds, and expected behavior.
Related Projects
Security Architecture & Risk
What it is
The practice of designing systems, networks, applications, and controls so they are secure, resilient, and easier to monitor.
What it means
It helps organizations reduce risk by planning security into the environment instead of adding it later.
How I use it
I use architecture diagrams, segmentation, control mapping, API controls, and risk notes to explain how systems should be protected.
What it is
A process for identifying threats, weaknesses, impact, likelihood, and recommended mitigations.
What it means
It helps prioritize the most important security problems instead of treating every issue the same.
How I use it
I document risks, explain business impact, and recommend practical controls in architecture, API security, and incident response projects.
What it is
A structured way to think through how a system could be attacked.
What it means
It helps security teams identify abuse cases before attackers do.
How I use it
I use it to think through assets, trust boundaries, attack paths, likely attacker goals, and defensive controls for networks and APIs.
What it is
The practice of separating systems into zones so access can be controlled and limited.
What it means
It reduces blast radius if one system is compromised and helps restrict lateral movement toward high-value systems.
How I use it
I use segmentation concepts when designing secure network layouts and when recommending restrictions between Finance, HR, IT, and Development DMZ systems.
What it is
Prioritizing security improvements over time based on risk, visibility gaps, and business impact.
What it means
A roadmap turns an investigation or assessment into practical next steps that improve security maturity.
How I use it
I used the HSS post-incident review to recommend SIEM deployment, MFA, automated offboarding, PowerShell logging, Linux monitoring, segmentation, phishing training, and tabletop exercises.
Related Projects
What it is
A security model based on never automatically trusting users, devices, or networks.
What it means
It requires verification, least privilege, monitoring, segmentation, and strong access control.
How I use it
I plan to build a dedicated project showing identity-aware access, segmentation, and logging strategy.
Related Projects
Cloud, API & Identity
What it is
Testing APIs for authentication, authorization, input validation, abuse prevention, and data exposure issues.
What it means
APIs often expose sensitive business logic and data, so they must be tested and hardened carefully.
How I use it
I built and tested a Node.js/Express API, identified exposed routes, and implemented JWT authentication, RBAC, rate limiting, Zod validation, and security logging.
Related Projects
What it is
Authentication verifies identity, while authorization controls what an authenticated user is allowed to access.
What it means
Strong auth and access control help prevent unauthorized data exposure, privilege abuse, and insecure endpoint access.
How I use it
I implemented JWT-based login and protected API routes, then used role-based access control to restrict an admin endpoint to authorized users only.
Related Projects
What it is
Managing user accounts from creation through role changes, termination, disablement, and periodic access review.
What it means
Weak identity lifecycle controls can leave stale accounts active and create opportunities for attackers to reuse credentials.
How I use it
In the HSS capstone, I identified stale jcampbell credentials and recommended automated offboarding, account audits, MFA, and stronger access governance.
Related Projects
What it is
Giving users and systems only the access they need to perform their job.
What it means
It limits damage if an account or system is compromised.
How I use it
I apply least privilege thinking to network architecture, API role-based access control, and incident response recommendations involving privileged and stale accounts.
What it is
Recording important security events so suspicious behavior can be reviewed and investigated.
What it means
Security logs support detection, troubleshooting, investigation, future SIEM integration, and evidence-based reporting.
How I use it
I logged API security events in my API project and used log evidence from Windows, Zeek, Snort, and honeypots in the HSS incident response capstone.
What it is
Understanding cloud identity, networking, storage, logging, and configuration risks.
What it means
Cloud environments require secure configuration and continuous monitoring.
How I use it
I use cloud security concepts when planning architecture, IAM review, API deployment, and misconfiguration projects.
Related Projects
What it is
Reviewing users, roles, permissions, and access patterns.
What it means
Strong IAM reduces the chance of privilege abuse and unauthorized access.
How I use it
I plan to build a dedicated IAM review project focused on least privilege, excessive permissions, and account access risks.
Related Projects
System Hardening & Infrastructure
What it is
Protecting SSH access through secure configuration, monitoring, and authentication controls.
What it means
SSH is commonly targeted, so it needs strong protection, monitoring, and account hygiene.
How I use it
I use SSH logs in my Wazuh lab to detect brute-force attempts and analyzed SSH attempts toward DevAppServer in the HSS capstone.
What it is
Collecting and reviewing Linux authentication, process, file integrity, and endpoint telemetry.
What it means
Linux systems in DMZ or development environments can be high-value targets and need strong visibility.
How I use it
The HSS capstone identified limited Linux monitoring around DevAppServer and recommended expanded EDR, SSH auditing, and centralized logging.
Related Projects
What it is
Securing Windows systems through account controls, logging, policies, baselines, and defensive configuration.
What it means
Windows endpoints are common initial compromise points, and logging is critical for detection and investigation.
How I use it
The HSS capstone identified disabled PowerShell logging as a visibility gap and recommended standardized endpoint telemetry across Windows systems.
Related Projects
What it is
Reviewing firewall rules and allowed protocols to ensure only necessary traffic is permitted.
What it means
Firewall and access reviews help reduce exposure and restrict lateral movement paths.
How I use it
In the HSS capstone, I recommended restricting SMB, RDP, and SSH traffic between zones and tightening segmentation around Finance, HR, and DMZ systems.
What it is
Using tools to identify known weaknesses, outdated software, exposed services, and misconfigurations.
What it means
It helps prioritize remediation before attackers exploit weaknesses.
How I use it
I plan to run scans, validate results, rank risk, and document remediation steps.
Related Projects
What it is
Securing an Nginx web server through configuration, headers, TLS, logging, and access controls.
What it means
Web servers are exposed to the internet and need careful configuration.
How I use it
I plan to review Nginx security settings and document hardening recommendations.
Related Projects
Tools & Lab Environment
What it is
A local virtualization setup for running isolated lab machines.
What it means
VM labs let security learners safely simulate attacks, collect evidence, and test defenses.
How I use it
I use VirtualBox to run Kali, Linux, Windows, and Wazuh lab systems for detection and security testing projects.
What it is
A Linux distribution commonly used for security testing and lab simulations.
What it means
It provides tools used for scanning, testing, and controlled attack simulation.
How I use it
I use Kali in my lab to simulate attacker activity against test systems.
Related Projects
What it is
A tool used to test login brute-force scenarios in controlled environments.
What it means
It helps defenders understand what brute-force activity looks like in logs.
How I use it
I used Hydra to generate SSH brute-force activity for Wazuh detection testing.
Related Projects
What it is
A VS Code extension used to test API requests and responses.
What it means
It helps validate how APIs behave, including authentication, headers, request bodies, and security responses.
How I use it
I used Thunder Client to test login, JWT-protected routes, admin access controls, rate limiting, input validation, and security logging evidence.
Related Projects
What it is
A JavaScript runtime and web framework used to build backend APIs.
What it means
Understanding backend API development helps identify where security controls must be implemented.
How I use it
I built a REST API in Node.js/Express and then hardened it with authentication, authorization, validation, rate limiting, and logging.
Related Projects
What it is
A network scanning tool used to discover hosts, ports, and services.
What it means
It helps identify exposed services and possible attack surface.
How I use it
I use Nmap concepts for discovery, validation, and vulnerability scan planning.
Related Projects
Security Communication & Documentation
What it is
Explaining security findings in a way that connects technical evidence to business risk and practical decisions.
What it means
Security work becomes more valuable when leaders can understand what happened, why it matters, and what should happen next.
How I use it
I produced an executive-ready incident response report, a 12-slide presentation, and an expanded project pitch for the HSS capstone.
What it is
Documenting the work performed, evidence reviewed, decisions made, and results produced.
What it means
Good documentation helps reviewers understand both the technical result and the reasoning process behind it.
How I use it
I document each completed project as a case study with objectives, scenario, evidence, findings, troubleshooting, and recommendations.
What it is
Connecting technical security findings to operational, financial, regulatory, and reputational impact.
What it means
Business impact helps prioritize response actions and communicate why security controls matter.
How I use it
In the HSS capstone, I connected phishing, credential exposure, payroll systems, PII, healthcare assets, and development systems to organizational risk.
Related Projects