# Domain 6 - Index

Domain 6 covers planning and performing security assessments, testing technical and process controls, reporting findings, and driving remediation and verification.

## Concepts

1. [[Assessment Strategy and Test Planning]]
2. [[Security Test Types (Black White Grey Box)]]
3. [[Vulnerability Management Lifecycle]]
4. [[Risk-Based Prioritization (CVSS EPSS Business Impact)]]
5. [[Penetration Testing Process and Ethics]]
6. [[Threat Modeling (STRIDE DREAD PASTA)]]
7. [[Security Requirements and Testability]]
8. [[Secure Code Review (Manual and Assisted)]]
9. [[Static Analysis (SAST)]]
10. [[Dynamic Analysis (DAST)]]
11. [[Interactive Application Security Testing (IAST)]]
12. [[Software Composition Analysis (SCA) and SBOM]]
13. [[Fuzz Testing (Generation and Mutation)]]
14. [[Configuration Review and Benchmarks]]
15. [[Network Vulnerability Scanning (Internal External)]]
16. [[Web Application Testing (OWASP Top 10)]]
17. [[API Security Testing (OWASP API Top 10)]]
18. [[Cloud Security Assessment (Shared Responsibility)]]
19. [[Container and Kubernetes Security Testing]]
20. [[Wireless Security Testing (802.11)]]
21. [[Social Engineering Assessments]]
22. [[Physical Security Assessments and Walkthroughs]]
23. [[Log Review and Security Monitoring Validation]]
24. [[Red Team vs Blue Team vs Purple Team]]
25. [[Security Metrics for Testing Programs]]
26. [[Testing in CI CD (Shift Left and Right)]]
27. [[User Acceptance Security Criteria (UAT Security Gates)]]
28. [[Remediation Verification and Regression Testing]]
29. [[Reporting and Executive Summaries]]
30. [[Third-Party Assessment and Vendor Risk Testing]]
31. [[Audit Sampling and Evidence Collection]]
32. [[Chain of Custody for Digital Evidence]]
33. [[Test Data Management and Data Masking]]
34. [[Data Discovery Validation (PII PCI PHI)]]
35. [[Continuous Control Validation (CCV) Programs]]
36. [[Breach and Attack Simulation (BAS) Use Cases]]
37. [[MITRE ATT&CK Mapping for Testing]]
38. [[NIST SP 800-115 Overview]]
39. [[Control Framework Alignment (NIST 800-53 ISO 27001) for Testing]]
40. [[Control Maturity Models (CMMI SOC-CMM) in Testing Programs]]
41. [[Tabletop Exercises (TTX) and Crisis Simulations]]
42. [[Purple Teaming Methodology and Kill Chain]]
43. [[Red Team Operations and OPSEC]]
44. [[Threat Intelligence–Led Testing (TIBER CBEST Style)]]
45. [[Test Environment Segregation and Safety Controls]]
46. [[Test Data Generation and Synthetic Data]]
47. [[Privacy Impact Assessments (PIA) in Testing]]
48. [[Data Loss Prevention (DLP) Testing (Email Web Endpoint)]]
49. [[Endpoint EDR Detection Validation]]
50. [[Ransomware Readiness Assessment]]
51. [[Phishing Program Design and Metrics]]
52. [[Configuration Drift Detection and Continuous Compliance]]
53. [[IaC Security Testing and Policy-as-Code]]
54. [[Secure Baseline Validation for Endpoints and Servers]]
55. [[Security Dashboards and Executive Metrics]]
56. [[Lessons Learned and Continuous Improvement Loop]]
57. [[Audit Closure CAPs and Evidence Repositories]]
58. [[Legal Holds and Evidence Retention for Security Tests]]
59. [[Ethics Safety and Communication Templates]]

> Also see: [[MOC - CISSP]]