Recon: nmap --script ssl-enum-ciphers—cipher audit.
Exploit: sqlmap -u target --tamper=space2comment—SQLi bypass.
Harden: sysctl -w net.ipv4.conf.all.rp_filter=1—spoof block.
Monitor: Prometheus—node_cpu_seconds_total{mode="idle"}.
Respond: TheHive—case API triggers.