* Knowledge of computer networking concepts and protocols, and network security methodologies.

* Knowledge of risk management processes (e.g., methods for assessing and mitigating risk).

* Knowledge of national and international laws, regulations, policies, and ethics as they relate to cybersecurity.

* Knowledge of cybersecurity principles.

* Knowledge of cyber threats and vulnerabilities.

* Knowledge of specific operational impacts of cybersecurity lapses.

* Knowledge of cloud computing service models Software as a Service (SaaS), Infrastructure as a Service (IaaS), and Platform as a Service (PaaS).

* Knowledge of cloud computing deployment models in private, public, and hybrid environment and the difference between on-premises and off-premises environments.

Ability to apply tradecraft to minimize risk of detection, mitigate risk, and minimize creation of behavioral signature

Ability to characterize a target admin/user’s technical abilities, habits, and skills.

Ability to communicate operational plans and actions and provide feedback regarding OPSEC and tradecraft during mission pre-brief

Ability to conduct open source research.

Ability to construct a course of action using available exploitation tools and techniques.

Ability to continually research and develop new tools/techniques

Ability to create rules and filters (e.g., Berkeley Packet Filter, Regular Expression).

Ability to ensure collected data is transferred to the appropriate storage locations.

Ability to enumerate a network.

Ability to enumerate user permissions and privileges.

Ability to evade or counter security products or host based defenses.

Ability to exploit vulnerabilities to gain additional access.

Ability to extract credentials from hosts

Ability to identify capability gaps (e.g., insufficient tools, training, or infrastructure)

Ability to identify files containing information critical to operational objectives.

Ability to identify legal, policy, and technical limitations when conducting cyberspace operations.

Ability to identify logging capabilities on host

Ability to identify what tools or Tactics, Techniques, and Procedures (TTPs) are applicable to a given situation

Ability to improve the performance of cyberspace operators by providing constructive (positive and negative) feedback.

Ability to install/modify/uninstall tools on target systems in accordance with current policies and procedures.

Ability to interpret device configurations.

Ability to interpret technical materials such as RFCs and technical manuals.

Ability to maintain situational awareness of target environment.

Ability to model a simulated environment to conduct mission rehearsal and mitigate risk of actions taken during operations.

Ability to operate automated systems to interact with target environment.

Ability to perform masquerade operations.

Ability to perform privilege escalation.

Ability to persist access to a target.

Ability to plan, brief, execute, and debrief a mission.

Ability to promote and enable organizational change.

Ability to provide advice and guidance to various stakeholders regarding technical issues, capabilities, and approaches.

Ability to provide feedback to developers if a tool requires continued development.

Ability to provide technical leadership within an organization.

Ability to read, write, modify, and execute compiled languages (e.g., C).

Ability to recognize and extract salient information from large data set (e.g., critical information, anomalies).

Ability to recognize and report mistakes or poor tradecraft to appropriate leadership in accordance with Standard Operating Procedures (SOPs).

Ability to recognize and respond appropriately to Non-Standard Events.

Ability to redirect and tunnel through target systems.

Ability to remediate indicators of compromise.

Ability to research non-standards within a project.

Ability to retrieve historical operational and open-source data to analyze compatibility with approved capabilities.

Ability to train other cyberspace operators.

Ability to troubleshoot technical problems.

Ability to use core toolset (e.g., implants, remote access tools).

Ability to use dynamic analysis tools (e.g. process monitor, process explorer, and registry analysis)

Ability to use enterprise tools to enumerate target information.

Ability to verify file integrity for both uploads and downloads.

Ability to weaken a target to facilitate/enable future access.

Ability to write and modify markup languages (e.g., HTML, XML).

Ability to write and modify source code (e.g., C).

Knowledge of access control models (Role Based Access Control, Attribute Based Access Control).

Knowledge of advanced redirection techniques.

Knowledge of appropriate/inappropriate information to include in operational documentation (e.g., OPNOTES, technical summaries, action maps, etc.).

Knowledge of basic client software applications and their attack surfaces.

Knowledge of basic cloud-based technologies and concepts.

Knowledge of basic Embedded Systems concepts.

Knowledge of basic redirection techniques (e.g. IP Tables, SSH Tunneling, netsh)

Knowledge of basic server software applications and their attack surfaces.

Knowledge of code injection and its employment in cyberspace operations.

Knowledge of common network administration best practices and the impact to operations.

Knowledge of credential sources and restrictions related to credential usage.

Knowledge of device reboots, including when they occur and their impact on tool functionality.

Knowledge of evolving technologies.

Knowledge of factors that would suspend or abort an operation.

Knowledge of historical data relating to particular targets and projects, prior to an operation to include reviewing TECHSUMs, previous OPNOTEs, etc.

Knowledge of how computer programs are executed

Knowledge of how host-based security products, logging, and malware may affect tool functionality

Knowledge of how other actors may affect operations

Knowledge of how race conditions occur and can be employed to compromise shared resources

Knowledge of malware triage.

Knowledge of methods and procedures for sending a payload via an existing implant

Knowledge of methods, strategies, and techniques of evading detection while conducting operations, such as noise, stealth, situational awareness, etc.

Knowledge of methods, tools, and procedures for collecting information, including accessing databases and file systems

Knowledge of methods, tools, and procedures for exploiting target systems

Knowledge of methods, tools, and techniques used to determine the path to a target host/network (e.g., identify satellite hops).

Knowledge of models for examining cyber threats (e.g. cyber kill chain, MITRE ATT&CK).

Knowledge of modes of communication used by a target, such as cable, fiber optic, satellite, microwave, VSAT, or combinations of these.

Knowledge of open source tactics that enable initial access (e.g. social engineering, phishing)

Knowledge of operating system command shells, configuration data.

Knowledge of operational infrastructure

Knowledge of operational security, logging, admin concepts, and troubleshooting.

Knowledge of password cracking techniques.

Knowledge of process migration

Knowledge of system administration concepts for distributed or managed operating environments.

Knowledge of system administration concepts for stand alone operating systems.

Knowledge of system calls

Knowledge of the components of an authentication system.

Knowledge of the concept of an advanced persistent threat (APT)

Knowledge of the location and use of tool documentation.

Knowledge of the methods and procedures for communicating with tools/modules, including the use of listening posts.

Knowledge of the methods of persistence.

Knowledge of the Mission Improvement Process

Knowledge of the Plan, Brief, Execute, and Debrief process

Knowledge of the tactics development process

Knowledge of threats to OPSEC when installing, using, modifying, and uninstalling tools.

Knowledge of tool release/testing process

Knowledge of VPNs, their purpose, and how they can be leveraged.

Skill in enumerating a host (e.g. file systems, host meta data host characteristics).

Skill in manipulating firewall/host based security configuration and rulesets.

Skill in retrieving memory resident data.

Skill in transferring files to target devices (e.g., scp, tftp, http, ftp).

Skill in using network enumeration and analysis tools, both active and passive.

Advise leadership on operational tradecraft, emerging technology, and technical health of the force.

Approve remediation actions.

As authorized, train cyberspace operators at one’s certification level or below.

Assess the technical health of the cyberspace operator work role.

Assess, recommend, and evaluate remediation actions.

Conduct cyber activities to deny, degrade, disrupt, destroy, manipulate, (D4M).

Conduct post-mission actions.

Conduct pre-mission actions

Conduct pre-operation research and prep.

Create/normalize/document/evaluate TTPs in cyberspace operations.

Develop and/or inform risk assessments.

Develop Operational Training Solultions.

Develop remediation actions.

Develop risk assessments for non-standard events and ad hoc tradecraft.

Employ collection TTPs in cyberspace operations.

Employ credential access TTPs in cyberspace operations.

Employ discovery TTPs in cyberspace operations.

Employ exfiltration TTPs in cyberspace operations.

Employ lateral movement TTPs in cyberspace operations.

Employ TTPs in categories at one’s certification level or below.

Evaluate cyberspace operator performance at one’s certification level or below.

Identify targets of opportunity in order to influence operational planning.

Identify the appropriate operating authorities and guidance

Maintain operational and technical situational awareness during operations

Produce strategy to inform commander’s decision making process.

Provide input to mission debrief.

Provide input to operational policy.

Provide input to post mission planning.

Provide input to pre-mission planning.

Provide oversight of operations.

Provide quality control of operations and cyberspace operator products at one’s certification level or below.

Recognize and respond to indicators of compromise (IOC).

Recognize and respond to events that change risk.

Record and document activities during cyberspace operations.

Steward the cyberspace operator work role.

Train cyberspace operators at their certified level or below.