roodlicht

Author in the catalogue

roodlicht

44 skills · 176 stars in total · github.com/roodlicht

Published skills

audit-evidence

4

Evidence collection and packaging for security audits — evidence types (inspection/observation/inquiry/re-performance/automated), cadence per control, chain of custody, period tagging, WORM storage and retention, auditor delivery. Usable for SOC 2, ISO 27001, NIS2, DORA, and internal audits.

Security · #ai #test · by roodlicht

container-hardening

4

Docker and OCI image hardening — base-image selection, USER/caps/read-only FS discipline, distroless migration, build-time scanning with trivy/grype, image signing via sigstore, and runtime guardrails (seccomp, AppArmor).

Security · #ai #test · by roodlicht

alert-tuning

4

SOC alert-tuning workflow — false-positive reduction via targeted suppressions (rule-id + reason + expiry), baseline learning, rule retirement, severity recalibration, and metrics (alert volume, mean-time-to-triage, fatigue index). Prevents detection collapse without losing coverage.

Security · #test · by roodlicht

cve-triage

4

Triage dependency vulnerabilities against CISA KEV, EPSS, reachability and compensating controls — turn a raw Dependabot/Snyk/osv-scanner dump into fix-now/sprint/quarter/accept decisions with rationale.

Security · #ai #test · by roodlicht

dast-workflow

4

Dynamic Application Security Testing workflow — OWASP ZAP automation (baseline/full/API scans), Burp Suite Professional playbooks, Burp Collaborator for out-of-band detection, auth-state orchestration, and CI integration with scope-safe active scanning.

Automation · #test #api · by roodlicht

django-security

4

Django security review — CSRF, ORM-level SQL injection (raw/extra/annotate), template injection via |safe, admin hardening, middleware ordering, settings deploy checklist, and recent Django CVE patterns.

Security · #sql #deploy · by roodlicht

ad-attacks

4

Active Directory attack paths — BloodHound path analysis, Kerberos abuse (Kerberoasting/AS-REP roasting/silver/golden ticket classes), delegation flaws (unconstrained/constrained/RBCD), DCSync, ADCS ESC1-8 at pattern level, and Tier-0 hygiene as a defensive model.

DevOps and Infra · #ai #test · by roodlicht

api-security

4

API security review against OWASP API Top 10 2023. Covers auth (OAuth2/JWT/API-keys), object-level authorization (BOLA/IDOR), schema validation, rate-limiting, CORS, SSRF, and GraphQL-specific concerns (introspection, query depth, batching).

Security · #ai #test · by roodlicht

astro-security

4

Astro security review — render-mode attack surface (SSG/SSR/hybrid), set:html and MDX content collections (XSS + author trust), API routes and middleware (auth, scope), adapter-specific runtime models (Cloudflare/Vercel/Netlify/Node), env-var hygiene (PUBLIC_ prefix), and Decap CMS pairing (OAuth backend, token storage, branch-based editorial workflow).

Writing and Content · #ai #test · by roodlicht

c2-hygiene

4

Command-and-Control infrastructure hygiene for red teams — redirector architecture (HTTP/HTTPS/DNS), traffic shaping (sleep/jitter/staging), TLS-cert and domain aging, OPSEC checklist, and defensive detection opportunities mapped to ATT&CK Command and Control (TA0011).

DevOps and Infra · #ai #test · by roodlicht

cicd-hardening

4

CI/CD pipeline hardening for GitHub Actions and GitLab CI — trust-model (pull_request_target vs pull_request), action pinning to SHA, OIDC-based cloud access, permissions minimization, runner isolation, and supply-chain gates (SLSA provenance, signing).

DevOps and Infra · #github #git · by roodlicht

exploit-chain

4

Exploit-chain assembly methodology — combining multiple medium-impact findings into one high-impact path (Open Redirect + OAuth = ATO, SSRF + cloud-metadata = creds, IDOR + privilege escalation, prototype pollution + downstream gadget). Pattern-level, with chain-aware CVSS scoring and MITRE ATT&CK mapping.

DevOps and Infra · #ai #test · by roodlicht

ir-runbook

4

Incident Response runbook — NIST SP 800-61 phases (Preparation/Detection-Analysis/Containment-Eradication-Recovery/Lessons-Learned), per-scenario playbooks (ransomware, BEC, data exfil, credential compromise, cloud), regulatory reporting (NIS2 24h/72h, AVG breach 72h, DORA), comms templates, and post-incident review.

DevOps and Infra · #ai #test · by roodlicht

iso27001

4

ISO/IEC 27001:2022 ISMS implementation and certification prep — clauses 4-10 (context, leadership, planning, support, operation, evaluation, improvement), Annex A 93 controls across four themes, Statement of Applicability, Stage 1/Stage 2 audit prep, and the certification cycle.

Security · #test · by roodlicht

post-exploit

4

Post-exploitation methodology mapped to MITRE ATT&CK tactics — privilege escalation, credential access, discovery, lateral movement, persistence and defense evasion across Windows/Linux/cloud. Pattern-level technique categories with D3FEND defensive counters and a detection opportunity per step.

DevOps and Infra · #test · by roodlicht

secrets-scanner

4

Detect and remediate leaked credentials in code and git-history — entropy/regex scanning with gitleaks/trufflehog/detect-secrets, rotate-first incident response, and pre-commit/CI gating to prevent reoccurrence.

Development · #git #test · by roodlicht

web-exploit-triage

4

Web vulnerability triage — JWT flaws (alg confusion, none alg, kid injection), deserialization (Java/Python/PHP/Ruby/Node), prototype pollution, OAuth misconfigs (redirect_uri, PKCE, scope), CSRF, DOM XSS, SSRF. Classification, impact assessment at pattern level, and handoff to remediation.

Security · #python #test · by roodlicht

dora

4

EU Digital Operational Resilience Act (2022/2554) compliance — scope (financial entities + critical ICT TPPs), five pillars (ICT risk management, incident reporting, resilience testing incl. TLPT, third-party risk, information sharing), and Dutch oversight via DNB/AFM.

Security · #git #test · by roodlicht

pentest-reporter

4

Pentest report builder — executive summary, methodology, finding template with CVSS v3.1/v4.0 scoring, reproduction steps, impact and remediation per finding, remediation roadmap, retest sign-off, and appendices. Works for web-app, network, red-team, and bug-bounty reports.

Security · #test · by roodlicht

security-review

4

Security review workflow for a PR, feature or codebase — scope, automated scans, manual OWASP/CWE pattern-check, prioritize and report. Uses secure-coding as pattern library.

Security · #test · by roodlicht

symfony-security

4

Symfony / PHP webapp security review — Security Component (firewalls, voters, access_control, role hierarchies), Doctrine ORM injection patterns (raw DQL, QueryBuilder, expr()), Twig auto-escape and |raw, CSRF + session, PHP-specific RCE classes (unserialize, include/require, system/exec, eval, type juggling), configuration discipline (.env, secrets vault, profiler in prod), and recent Symfony CVE

Design and Frontend · #test · by roodlicht

verification-loop

4

Structured red-team pass over your own output — surface assumptions, gaps, failure modes and security red flags before shipping.

Security · #ai #test · by roodlicht

forensics-assist

4

Digital-forensics assistant for IR context — memory analysis via Volatility 3, disk-imaging hygiene (write-blocker, hash validation), timeline reconstruction via plaso/log2timeline, file-system artifacts per OS. Audit-grade evidence; courtroom-grade chain of custody requires additional specialized forensics work.

Security · #git #ai · by roodlicht

gdpr-pia

4

Data Protection Impact Assessment (DPIA / GEB) workflow against AVG Art 35 — trigger check (AP criteria and WP 248), systematic description, necessity, risk analysis from the data subject's perspective, measures and residual risk, prior consultation with the Autoriteit Persoonsgegevens.

Security · #ai #test · by roodlicht

ioc-hunter

4

Threat-intel IOC workflow — feed curation (MISP/OpenCTI/vendor/ENISA/CISA), deduplication, confidence scoring (TLP, source reputation, age, sightings), enrichment pipeline to SIEM/EDR, retro-hunt over an N-day window, and lifecycle (expiry + retirement).

Security · #test · by roodlicht

payload-crafter

4

Pattern-level payload library for XSS, SSTI, LFI, SSRF, and command injection — context detection (HTML body/attribute/JS/CSS/URL), encoding-bypass shapes (URL/HTML/Unicode/double), polyglots, WAF-bypass patterns at syntax level. No version-specific weaponized exploits.

Development · #css #test · by roodlicht

phishing-sim

4

Phishing-simulation campaign workflow — RoE and ethical-scope template, population segmentation, pretexting patterns (HR/IT/finance/vendor/calendar), infrastructure (sender domain, SPF/DKIM/DMARC, tracking), click-rate and credential-success metrics, opt-out and duty of care, NL/EU AVG context for employee monitoring.

DevOps and Infra · #ai #test · by roodlicht

policy-drafter

4

Policy-drafting workflow for security policies — AUP, Incident Response Plan, Access Control, Data Classification, BCP, Change Management, Vendor Management, Crypto, and Remote Work. Structure with Purpose/Scope/Statement/Roles/Enforcement/Review, ISO 27001 Annex A.5 alignment, NL/EN drafting.

Security · #test · by roodlicht

rails-security

4

Rails security review — Brakeman integration, mass-assignment via strong_parameters, SQL injection in ActiveRecord, template injection via html_safe/raw, Devise hardening, credentials.yml.enc, force_ssl and CSP config, recent Rails/Rack CVE patterns.

Security · #sql #ai · by roodlicht

sast-orchestrator

4

SAST orchestration for Semgrep, CodeQL and SonarQube. Covers tool selection, ruleset curation, PR-comment integration, noise reduction with baselines, and language-specific linters (bandit, gosec, brakeman, eslint-security) when they add coverage.

Development · #test · by roodlicht

siem-query

4

SIEM query-builder workflow — Splunk SPL, Microsoft Sentinel/Defender KQL, Elastic EQL/KQL, with cross-translation patterns, performance tuning (data models, summary indexes, CCS), and query-by-detection-need. Source layer for detection-engineer, log-triage, and threat-hunt.

Security · #test · by roodlicht

spring-security

4

Spring Boot security review — Spring Security config (SecurityFilterChain), OAuth2/OIDC client and resource-server, method-level @PreAuthorize, JWT validation, actuator endpoint lockdown, CSRF model for web vs API, and recent Spring CVE patterns (Spring4Shell, SpEL injection, authorization bypasses).

Security · #ai #test · by roodlicht

supply-chain

4

Software supply-chain defense — SBOM generation (CycloneDX/SPDX), SLSA build provenance, artifact signing with sigstore/cosign, dependency-confusion and typosquat defense, and consumer-side verification of what you pull in.

Security · #ai #test · by roodlicht

k8s-security

4

Kubernetes security review — RBAC discipline, Pod Security Standards (baseline/restricted), NetworkPolicy default-deny, admission controllers (Kyverno/Gatekeeper/VAP), External Secrets Operator, and runtime monitoring via Falco and audit logs.

Security · #test · by roodlicht

malware-triage

4

Malware triage workflow — sandbox output analysis (CAPE/Hybrid-Analysis/ANY.RUN/Joe Sandbox), YARA rule scaffolding at pattern level, IOC extraction, and TTP mapping to MITRE ATT&CK. Sandbox-only discipline; do not detonate in production or without an isolated runtime.

Security · #test · by roodlicht

purple-ops

4

Purple-team operations — structured detection validation against MITRE ATT&CK through planned emulation, measured coverage gaps, joint red+blue debrief, and tracked closure via D3FEND mapping. Bridge between the pentest bundle and the blue bundle.

Security · #ai #test · by roodlicht

risk-register

4

Risk-management workflow — risk identification, qualitative and quantitative analysis (likelihood × impact, FAIR basis), evaluation against risk appetite, treatment (avoid/mitigate/transfer/accept), heatmaps and trend, with ISO 31000 and ISO 27005 as the methodology base.

Security · #ai #test · by roodlicht

soc2

4

SOC 2 Type II prep — AICPA Trust Services Criteria (Security required plus Availability/Confidentiality/Processing Integrity/Privacy), Common Criteria CC1–CC9, Type I vs Type II choice, evidence-collection rhythm, auditor-friendly packaging, Complementary User Entity Controls.

Security · #ai #test · by roodlicht

iac-security

4

IaC misconfig scanning and cloud-aware review for Terraform, CloudFormation, Ansible and Pulumi. Covers tool orchestration (checkov/tfsec/kics/cfn-nag), policy-as-code (OPA/Conftest), CIS benchmark mapping, IAM over-permission detection, drift monitoring.

DevOps and Infra · #test · by roodlicht

log-triage

4

Identity-log triage workflow — anomaly patterns per provider (AWS CloudTrail, Azure AD/Entra, Google Workspace, Okta), session and token misuse, MFA-bypass signals, conditional-access evasion, and cross-provider correlation. Produces a prioritized finding list routed to ir-runbook or detection-engineer.

DevOps and Infra · #ai #test · by roodlicht

nextjs-security

4

Next.js security review — middleware auth-bypass patterns (CVE-2025-29927), Server Actions auth/CSRF, Server/Client Component boundary and SSR data leaks, auth.js (NextAuth) config, route handlers as API, Image Optimization SSRF, security headers via middleware.

Security · #test #api · by roodlicht

nis2

4

EU NIS2 Directive (2022/2555) gap analysis — scope determination (essential vs important entities across 18 sectors), governance obligations (Art 20), 10 baseline risk-management measures (Art 21), incident reporting timelines (Art 23), and Dutch implementation via the Cyberbeveiligingswet.

Security · #test · by roodlicht

secure-coding

4

Language-agnostic secure-coding patterns — input validation, injection-safe APIs, authN/authZ, crypto, secrets, dependency hygiene. The default lens when no framework-specific skill applies.

Security · #test #api · by roodlicht

vendor-questionnaire

4

Vendor security questionnaire workflow — vendor tiering, standardized questionnaires (CAIQ, SIG-Lite/Core, VSA), custom authoring, evidence reuse against existing attestations (SOC 2, ISO 27001), and ongoing vendor-risk monitoring.

Security · #ai #test · by roodlicht
