Procux AI Skills Catalog

OWASP Top 10 A07 — review authentication and session management flaws: broken logout, session fixation, weak credentials, MFA bypass.

OWASP Top 10 A01 — review authorization flaws (BOLA, IDOR, privilege escalation, missing role checks).

OWASP Top 10 A02 — audit cryptography usage: weak algorithms, key management, TLS config, at-rest / in-transit encryption gaps.

OWASP Top 10 A03 — SQL injection, cross-site scripting, command injection, and untrusted input handling.

OWASP Top 10 A04 — threat model review for architecture-level security flaws and missing defense in depth.

OWASP Top 10 A09 — audit logging, alerting, and detection coverage for security-relevant events.

OWASP Top 10 A05 — hardening baseline review: default credentials, verbose errors, open ports, cloud service exposure.

OWASP Top 10 A08 — supply chain and update integrity, signed artifacts, deserialization flaws.

OWASP Top 10 A10 — server-side request forgery and XML external entity flaws in parsers and network calls.

OWASP Top 10 A06 — dependency inventory, CVE scan, lifecycle review for third-party components.

Review API gateway authentication, rate limits, throttling, and access logs across AWS, Azure, and GCP providers.

Detection hunts over CloudTrail management + data events: privilege escalation, impossible travel, key exfiltration.

Azure control-plane activity log review for suspicious RBAC changes, resource tampering, and diagnostic drift.

Google Cloud audit log triage: IAM changes, service account abuse, data access events, VPC flow anomalies.

K8s control-plane audit log hunting for exec into pods, service-account token abuse, and privileged workload creation.

GDPR / KVKK 72-hour breach notification workflow: scoping, evidence capture, regulator submission template.

Data Protection Officer operating playbook: DSAR handling, DPIA cadence, records of processing, vendor review.

Generate the TOM (Technical and Organizational Measures) report required under GDPR Article 32 and KVKK Article 12.

Turkish KVKK VERBIS data controller registry readiness check and filing workflow.

Correlate logs, alerts, and artifacts to build a defensible incident timeline for executive briefing and regulator disclosure.

Live and dead-box Linux artifact triage: bash history, systemd units, /tmp, cron, lastlog, suid binaries.

Detect Mimikatz / comsvcs / procdump patterns against LSASS via Sysmon event IDs 10 and 8.

macOS live triage: launchd persistence, TCC database inspection, quarantine xattrs, unified logs.

Volatility / Rekall based memory triage: process tree, injected code, network connections, credentials.

Triage Security / System / Sysmon channels for logon anomalies, service abuse, and persistence traces.

Harden CI/CD: OIDC federation, pinned action SHAs, least-privilege runners, SBOM + signing on release.

Trivy / Grype / Snyk scanning and base-image hygiene; CVE triage workflow gated at build and admission.

CycloneDX / SPDX SBOM generation, consumption, and exploitability triage aligned with NTIA minimum elements.

TruffleHog / Gitleaks / detect-secrets pipeline across branches and history with revocation and rotation playbook.

Map observed TTPs to MITRE ATT&CK, pivot over known APT playbooks, produce adversary emulation plan.

Statistical and JA3 / JARM based detection of command-and-control beacons over HTTPS and DNS.

Detect DNS exfiltration and covert channels via entropy, subdomain length, NXDOMAIN ratios, and query rate.

Hunt RDP / SMB / WMI / WinRM based lateral movement across endpoint + identity telemetry.

Enumerate persistence: run keys, scheduled tasks, services, WMI subscriptions, startup items across OS platforms.

Risk-tier classification under the EU AI Act (Regulation 2024/1689) and obligations checklist for providers / deployers.

DSA obligations mapping (Articles 14, 15, 16, 25, 40) for intermediary and hosting services.

Produce the Article 30 records of processing (ROPA) and associated lawful-basis + transfer impact map.

Classify and score contract clauses across 17 canonical risk categories (liability, IP, termination, indemnity, …).

Prior-art and docket research for patent / trademark / copyright matters across major jurisdictions.

Turkish-language contract review with Borçlar Kanunu clause extraction, risk scoring, and negotiation markup.

Employment contract and workflow review against Turkish Labor Law (İş Kanunu) — overtime, termination, severance, notice.

KVKK (Law 6698) full compliance audit covering data processing, cross-border transfer, and breach workflow.

Turkish Commercial Code (TTK) compliance check for commercial documents, trade registry filings, corporate governance.

California Consumer Privacy Act + CPRA compliance check: consumer rights, opt-out signals, vendor contracts.

HIPAA Privacy + Security Rule audit for covered entities and business associates; PHI flow mapping.

SOC 2 Trust Service Criteria readiness gap analysis with control-by-control evidence matrix.

Design affiliate program economics, onboarding, and tracking infrastructure for partner-driven acquisition.

Structured BD playbook — partner target list, outreach cadence, co-marketing, and revenue share frames.

Community strategy — platform choice, programming calendar, member onboarding, moderation, engagement metrics.

Editorial planning, topic taxonomy, distribution, repurposing, and performance measurement for content-driven growth.

Lifecycle email + newsletter strategy: list hygiene, segmentation, deliverability, A/B testing, revenue attribution.

Build free tools, APIs, or widgets as distribution mechanisms for acquisition and brand equity.

Leverage existing large-audience platforms (app stores, marketplaces, social) as a primary acquisition surface.

OOH, radio, print, TV ad planning with measurable response mechanics and attribution where possible.

Event strategy — dinners, meet-ups, conferences, field marketing — with funnel and ROI framework.

Press and media relations: reporter targeting, pitch writing, embargoes, and newsjacking calendar.

Direct sales motion design — territories, quotas, enablement, pipeline review, and win-loss analysis.

Paid search (Google Ads, Bing Ads) structure, keyword discovery, bidding strategy, and landing page optimization.

Technical SEO, on-page, link building, Core Web Vitals, and programmatic SEO patterns.

Paid social (Meta, LinkedIn, TikTok, X) and display campaign frameworks with creative testing cadence.

Keynote and talk circuit strategy: target conferences, pitch templates, and lead capture post-talk.

Guest post and niche blog outreach playbook — target list, pitch sequences, and performance tracking.

Trade show planning and booth ROI: pre-show marketing, scanning, follow-up sequences, attribution.

Stunts, guerrilla campaigns, and asymmetric PR plays that punch above their budget weight.

K-factor mechanics, referral loops, invite-based onboarding, and viral coefficient measurement.