1 Perimeter defense & network security
  Edge protection
    CloudFront WAF
    DDoS mitigation
    Bot management
    Geo-blocking
    Rate limiting
  Network segmentation
    VPC isolation
    Private subnets
    Security groups
    NACLs (stateless)
    VPC flow logs
  API security
    mTLS (service mesh)
    API key rotation
    OAuth 2.0 / OIDC
    CORS policies
    Request signing
  DNS security
    DNSSEC enabled
    DNS filtering
    Certificate pinning
    CT log monitoring
    Domain monitoring
  Firewall rules
    OWASP Top 10 ✓
    SQL injection block
    XSS prevention
    SSRF protection
    Custom rule sets
2 Identity & access management (IAM)
  Authentication
    MFA (mandatory)
    Biometric (mobile)
    SSO (Okta)
    Passkeys (WebAuthn)
    Session management
  Authorization
    RBAC (role-based)
    ABAC (attribute)
    Least privilege
    Just-in-time access
    Permission boundaries
  Service identity
    IAM roles (AWS)
    Service accounts
    Pod identity (K8s)
    Workload identity
    Token rotation
  Privileged access
    PAM (CyberArk)
    Break-glass procedure
    Session recording
    Approval workflow
    Time-boxed access
  Access reviews
    Quarterly review
    Orphan detection
    Excessive privilege
    Auto-revocation
    Compliance report
3 Data protection & encryption
  Encryption at rest
    AES-256-GCM
    KMS managed keys
    Envelope encryption
    Key rotation (annual)
    HSM-backed (FIPS)
  Encryption in transit
    TLS 1.3 (min 1.2)
    Perfect forward secrecy
    Certificate management
    Internal mTLS
    VPN (admin access)
  Secrets management
    AWS Secrets Manager
    Auto-rotation
    No secrets in code
    Vault integration
    Audit trail
  Data classification
    Restricted (PII/PCI)
    Confidential (internal)
    Internal use
    Public
    Auto-classification
  DLP controls
    Outbound scanning
    Email DLP rules
    Cloud storage scan
    Endpoint DLP
    AI output scanning
4 Threat detection & monitoring
  SIEM / SOC
    Datadog SIEM
    Log aggregation
    Correlation rules
    ML-based anomaly detection
    24/7 monitoring
  AWS security services
    GuardDuty
    Security Hub
    Inspector
    Macie (data)
    Detective
  Application security
    RASP (runtime)
    Dependency scanning
    Container scanning
    SAST / DAST
    Supply chain audit
  Fraud detection
    Transaction anomaly detection
    Account takeover
    Synthetic identity
    Velocity checks
    Device intelligence
  Threat intelligence
    IOC feeds
    Dark web monitoring
    Phishing detection
    Credential leaks
    Sector-specific intel
5 Incident response & recovery
  Response playbooks
    Data breach
    Ransomware
    Account compromise
    DDoS attack
    Insider threat
  Response phases
    1. Detect & triage
    2. Contain
    3. Eradicate
    4. Recover
    5. Post-mortem
  Communication
    PagerDuty alerts
    War room (Slack)
    Executive briefing
    Customer notice
    Regulator notification
  Recovery
    Backup restore
    Failover activation
    Credential reset
    Service restoration
    Validation testing
6 Compliance certifications & audit
  Certifications
    SOC 2 Type II ✓
    PCI DSS Level 1 ✓
    ISO 27001 ✓
    SOC 1 (in progress)
  Regulatory
    GLBA compliant ✓
    GDPR compliant ✓
    CCPA / CPRA
    NYDFS 500
  Testing
    Annual pen test
    Quarterly vuln scan
    Red team exercise
    Tabletop exercise
  Security culture
    Security training
    Phishing simulation
    Bug bounty program
    Security champions