| Vulnerability assessment, pen-test methodology, OWASP Top 10 testing | ../security-pen-testing/ | Ships vulnerability_scanner.py + dependency_auditor.py with exit-code contracts |
| Incident triage, SEV classification, forensics, containment | ../incident-response/ | SEV1–SEV4 taxonomy, NIST SP 800-61 phases, incident_triage.py |
| Production outage command (non-security incidents) | ../incident-commander/ | Severity classifier + timeline + postmortem tools |
| Security monitoring, CVE triage SLAs, compliance checks (SOC 2 etc.), security headers | ../senior-secops/ | security_scanner.py + compliance_checker.py, CVE SLA table |
| Hostile/adversarial code review | ../adversarial-reviewer/ | 3-persona review with BLOCK/CONCERNS/CLEAN verdict |
| Secure code review as part of general review | ../code-reviewer/ | Language dispatch + regression fixtures |
| Cloud IAM escalation paths, S3 exposure, security groups | ../cloud-security/ | cloud_posture_check.py with per-check exit codes |
| Threat hunting, IOC sweeps, anomaly detection | ../threat-detection/ | z-score anomaly + IOC staleness tooling |
| Red-team engagement planning, ATT&CK kill chains | ../red-team/ | engagement_planner.py with authorization gate |
| LLM/AI attack surface (prompt injection, poisoning) | ../ai-security/ | ATLAS-mapped ai_threat_scanner.py |