diff --git a/AUTHORS.md b/AUTHORS.md new file mode 100644 index 00000000..b058314c --- /dev/null +++ b/AUTHORS.md @@ -0,0 +1,10 @@ +# Authors and Contributors + +## Maintainer +- **mukul975** — Creator and primary maintainer + +## Contributors + + +## How to Become a Contributor +See [CONTRIBUTING.md](CONTRIBUTING.md) for how to add skills and get listed here. diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md new file mode 100644 index 00000000..11fde20e --- /dev/null +++ b/CONTRIBUTING.md @@ -0,0 +1,74 @@ +# Contributing to Anthropic-Cybersecurity-Skills + +## How to add a new skill + +1. Create a new directory: `skills/your-skill-name/` +2. Add a `SKILL.md` file with required YAML frontmatter: + ```yaml + --- + name: your-skill-name + description: >- + Clear description of what this skill does and when + an AI agent should activate it. Include keywords. + domain: cybersecurity + subdomain: [category] + tags: [tag1, tag2, tag3] + version: "1.0" + author: your-github-username + license: Apache-2.0 + --- + ``` +3. Write clear, step-by-step instructions in the Markdown body using these sections: + - ## When to Use + - ## Prerequisites + - ## Workflow (numbered steps with real commands) + - ## Key Concepts (table) + - ## Tools & Systems + - ## Common Scenarios + - ## Output Format +4. (Optional) Add supporting files: + - `references/standards.md` — Real standard numbers, CVE refs, NIST/MITRE links + - `references/workflows.md` — Deep technical procedure + - `scripts/process.py` — Real working helper script + - `assets/template.md` — Real filled-in checklist/template +5. Submit a PR with title: `Add skill: your-skill-name` + +## Skill quality checklist +- [ ] Name is lowercase with hyphens (kebab-case), 1–64 characters +- [ ] Description is clear and includes agent-discovery keywords +- [ ] Instructions are actionable with real commands and tool names +- [ ] Domain and subdomain are set correctly +- [ ] Tags include relevant tools, frameworks, and techniques + +## Subdomains +Choose the most appropriate subdomain for your skill: +- web-application-security +- network-security +- penetration-testing +- red-teaming +- digital-forensics +- malware-analysis +- threat-intelligence +- cloud-security +- container-security +- identity-access-management +- cryptography +- vulnerability-management +- compliance-governance +- zero-trust-architecture +- ot-ics-security +- devsecops +- soc-operations +- incident-response +- phishing-defense +- ransomware-defense +- api-security +- mobile-security +- endpoint-security +- threat-hunting + +## Code of Conduct +This project follows the [Contributor Covenant](CODE_OF_CONDUCT.md). By participating, you agree to uphold this code. + +## License +By contributing, you agree that your contributions will be licensed under Apache-2.0. diff --git a/LICENSE b/LICENSE new file mode 100644 index 00000000..d8851182 --- /dev/null +++ b/LICENSE @@ -0,0 +1,201 @@ + + Apache License + Version 2.0, January 2004 + http://www.apache.org/licenses/ + + TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION + + 1. Definitions. + + "License" shall mean the terms and conditions for use, reproduction, + and distribution as defined by Sections 1 through 9 of this document. + + "Licensor" shall mean the copyright owner or entity authorized by + the copyright owner that is granting the License. + + "Legal Entity" shall mean the union of the acting entity and all + other entities that control, are controlled by, or are under common + control with that entity. For the purposes of this definition, + "control" means (i) the power, direct or indirect, to cause the + direction or management of such entity, whether by contract or + otherwise, or (ii) ownership of fifty percent (50%) or more of the + outstanding shares, or (iii) beneficial ownership of such entity. + + "You" (or "Your") shall mean an individual or Legal Entity + exercising permissions granted by this License. + + "Source" form shall mean the preferred form for making modifications, + including but not limited to software source code, documentation + source, and configuration files. + + "Object" form shall mean any form resulting from mechanical + transformation or translation of a Source form, including but + not limited to compiled object code, generated documentation, + and conversions to other media types. + + "Work" shall mean the work of authorship, whether in Source or + Object form, made available under the License, as indicated by a + copyright notice that is included in or attached to the work + (an example is provided in the Appendix below). + + "Derivative Works" shall mean any work, whether in Source or Object + form, that is based on (or derived from) the Work and for which the + editorial revisions, annotations, elaborations, or other modifications + represent, as a whole, an original work of authorship. For the purposes + of this License, Derivative Works shall not include works that remain + separable from, or merely link (or bind by name) to the interfaces of, + the Work and Derivative Works thereof. + + "Contribution" shall mean any work of authorship, including + the original version of the Work and any modifications or additions + to that Work or Derivative Works thereof, that is intentionally + submitted to the Licensor for inclusion in the Work by the copyright owner + or by an individual or Legal Entity authorized to submit on behalf of + the copyright owner. For the purposes of this definition, "submitted" + means any form of electronic, verbal, or written communication sent + to the Licensor or its representatives, including but not limited to + communication on electronic mailing lists, source code control systems, + and issue tracking systems that are managed by, or on behalf of, the + Licensor for the purpose of discussing and improving the Work, but + excluding communication that is conspicuously marked or otherwise + designated in writing by the copyright owner as "Not a Contribution." + + "Contributor" shall mean Licensor and any individual or Legal Entity + on behalf of whom a Contribution has been received by the Licensor and + subsequently incorporated within the Work. + + 2. Grant of Copyright License. Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + copyright license to reproduce, prepare Derivative Works of, + publicly display, publicly perform, sublicense, and distribute the + Work and such Derivative Works in Source or Object form. + + 3. Grant of Patent License. Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + (except as stated in this section) patent license to make, have made, + use, offer to sell, sell, import, and otherwise transfer the Work, + where such license applies only to those patent claims licensable + by such Contributor that are necessarily infringed by their + Contribution(s) alone or by combination of their Contribution(s) + with the Work to which such Contribution(s) was submitted. If You + institute patent litigation against any entity (including a + cross-claim or counterclaim in a lawsuit) alleging that the Work + or a Contribution incorporated within the Work constitutes direct + or contributory patent infringement, then any patent licenses + granted to You under this License for that Work shall terminate + as of the date such litigation is filed. + + 4. Redistribution. You may reproduce and distribute copies of the + Work or Derivative Works thereof in any medium, with or without + modifications, and in Source or Object form, provided that You + meet the following conditions: + + (a) You must give any other recipients of the Work or + Derivative Works a copy of this License; and + + (b) You must cause any modified files to carry prominent notices + stating that You changed the files; and + + (c) You must retain, in the Source form of any Derivative Works + that You distribute, all copyright, patent, trademark, and + attribution notices from the Source form of the Work, + excluding those notices that do not pertain to any part of + the Derivative Works; and + + (d) If the Work includes a "NOTICE" text file as part of its + distribution, then any Derivative Works that You distribute must + include a readable copy of the attribution notices contained + within such NOTICE file, excluding any notices that do not + pertain to any part of the Derivative Works, in at least one + of the following places: within a NOTICE text file distributed + as part of the Derivative Works; within the Source form or + documentation, if provided along with the Derivative Works; or, + within a display generated by the Derivative Works, if and + wherever such third-party notices normally appear. The contents + of the NOTICE file are for informational purposes only and + do not modify the License. You may add Your own attribution + notices within Derivative Works that You distribute, alongside + or as an addendum to the NOTICE text from the Work, provided + that such additional attribution notices cannot be construed + as modifying the License. + + You may add Your own copyright statement to Your modifications and + may provide additional or different license terms and conditions + for use, reproduction, or distribution of Your modifications, or + for any such Derivative Works as a whole, provided Your use, + reproduction, and distribution of the Work otherwise complies with + the conditions stated in this License. + + 5. Submission of Contributions. Unless You explicitly state otherwise, + any Contribution intentionally submitted for inclusion in the Work + by You to the Licensor shall be under the terms and conditions of + this License, without any additional terms or conditions. + Notwithstanding the above, nothing herein shall supersede or modify + the terms of any separate license agreement you may have executed + with Licensor regarding such Contributions. + + 6. Trademarks. This License does not grant permission to use the trade + names, trademarks, service marks, or product names of the Licensor, + except as required for reasonable and customary use in describing the + origin of the Work and reproducing the content of the NOTICE file. + + 7. Disclaimer of Warranty. Unless required by applicable law or + agreed to in writing, Licensor provides the Work (and each + Contributor provides its Contributions) on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or + implied, including, without limitation, any warranties or conditions + of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A + PARTICULAR PURPOSE. You are solely responsible for determining the + appropriateness of using or redistributing the Work and assume any + risks associated with Your exercise of permissions under this License. + + 8. Limitation of Liability. In no event and under no legal theory, + whether in tort (including negligence), contract, or otherwise, + unless required by applicable law (such as deliberate and grossly + negligent acts) or agreed to in writing, shall any Contributor be + liable to You for damages, including any direct, indirect, special, + incidental, or consequential damages of any character arising as a + result of this License or out of the use or inability to use the + Work (including but not limited to damages for loss of goodwill, + work stoppage, computer failure or malfunction, or any and all + other commercial damages or losses), even if such Contributor + has been advised of the possibility of such damages. + + 9. Accepting Warranty or Additional Liability. While redistributing + the Work or Derivative Works thereof, You may choose to offer, + and charge a fee for, acceptance of support, warranty, indemnity, + or other liability obligations and/or rights consistent with this + License. However, in accepting such obligations, You may act only + on Your own behalf and on Your sole responsibility, not on behalf + of any other Contributor, and only if You agree to indemnify, + defend, and hold each Contributor harmless for any liability + incurred by, or claims asserted against, such Contributor by reason + of your accepting any such warranty or additional liability. + + END OF TERMS AND CONDITIONS + + APPENDIX: How to apply the Apache License to your work. + + To apply the Apache License to your work, attach the following + boilerplate notice, with the fields enclosed by brackets "[]" + replaced with your own identifying information. (Don't include + the brackets!) The text should be enclosed in the appropriate + comment syntax for the file format. Please do not remove or change + the license header comment from a contributed file except when + necessary. + + Copyright 2026 mukul975 + + Licensed under the Apache License, Version 2.0 (the "License"); + you may not use this file except in compliance with the License. + You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + + Unless required by applicable law or agreed to in writing, software + distributed under the License is distributed on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + See the License for the specific language governing permissions and + limitations under the License. diff --git a/README.md b/README.md index ce27abc6..8f0e2fe6 100644 --- a/README.md +++ b/README.md @@ -1,45 +1,124 @@ -# Anthropic Cybersecurity Skills +

+ Anthropic Cybersecurity Skills +

-An open-source database of 600+ cybersecurity skills for AI agents, practitioners, and security teams. +

+ 611+ cybersecurity skills for AI agents · agentskills.io open standard +

-## Structure +

+ License + Skills Count + Stars + Last Commit + Agent Skills + Platforms +

+ +--- + +The largest open-source collection of cybersecurity skills for AI agents. Every skill follows the [agentskills.io](https://agentskills.io) open standard and works instantly with Claude Code, GitHub Copilot, OpenAI Codex CLI, Cursor, Gemini CLI, and 20+ other platforms. + +## Quick Start (30 seconds) + +```bash +# Add as Claude Code marketplace +/plugin marketplace add mukul975/Anthropic-Cybersecurity-Skills + +# Or clone directly +git clone https://github.com/mukul975/Anthropic-Cybersecurity-Skills .skills/cybersecurity +``` + +## Skill Categories + +| Category | Skills | Example Skills | +|----------|-------:|----------------| +| Cloud Security | 48 | AWS S3 Bucket Audit, Azure AD Configuration, GCP Security Assessment | +| Threat Intelligence | 43 | APT Group Analysis with MITRE Navigator, Campaign Attribution, Dark Web Monitoring | +| Web Application Security | 41 | HTTP Request Smuggling, XSS with Burp Suite, Web Cache Poisoning | +| Threat Hunting | 35 | Credential Dumping Detection, DNS Tunneling with Zeek, Living-off-the-Land Binaries | +| Malware Analysis | 34 | Cobalt Strike Beacon Config, Ghidra Reverse Engineering, YARA Rule Development | +| Digital Forensics | 34 | Disk Imaging with dd/dcfldd, Memory Forensics with Volatility3, Browser Forensics | +| SOC Operations | 33 | Windows Event Log Analysis, Splunk Detection Rules, SIEM Use Case Implementation | +| Network Security | 33 | Wireshark Traffic Analysis, VLAN Segmentation, Suricata IDS Configuration | +| Identity & Access Management | 33 | SAML SSO with Okta, Privileged Access Management, RBAC for Kubernetes | +| OT/ICS Security | 28 | SCADA System Attack Detection, Modbus Anomaly Detection, Purdue Model Segmentation | +| API Security | 28 | API Enumeration Detection, BOLA Exploitation, GraphQL Security Assessment | +| Container Security | 26 | Trivy Image Scanning, Falco Runtime Detection, Kubernetes Pod Security | +| Vulnerability Management | 24 | DefectDojo Dashboard, CVSS Scoring, Patch Management Workflow | +| Red Teaming | 24 | Sliver C2 Framework, BloodHound AD Analysis, Kerberoasting with Impacket | +| Incident Response | 24 | Ransomware Response, Cloud Incident Containment, Volatile Evidence Collection | +| Penetration Testing | 23 | External Network Pentest, Kubernetes Pentest, Active Directory Pentest | +| Zero Trust Architecture | 17 | HashiCorp Boundary, Zscaler ZTNA, BeyondCorp Access Model | +| Endpoint Security | 16 | CIS Benchmark Hardening, Windows Defender Configuration, Host-Based IDS | +| DevSecOps | 16 | GitLab CI Pipeline, Semgrep Custom SAST Rules, Secret Scanning with Gitleaks | +| Phishing Defense | 16 | Email Header Analysis, GoPhish Simulation, DMARC/DKIM/SPF Configuration | +| Cryptography | 13 | TLS 1.3 Configuration, HSM Key Storage, Certificate Authority with OpenSSL | +| Mobile Security | 12 | iOS App Analysis with Objection, Android Malware Reverse Engineering, Frida Hooking | +| Ransomware Defense | 5 | Ransomware Precursor Detection, Backup Strategy, Honeypot Detection | +| Compliance & Governance | 5 | GDPR Data Protection, ISO 27001 ISMS, PCI DSS Controls | + +## How It Works + +Each skill follows the [agentskills.io](https://agentskills.io) **progressive disclosure** pattern. During discovery, an AI agent reads only the YAML frontmatter (~30-50 tokens) to decide relevance: + +```yaml +--- +name: performing-memory-forensics-with-volatility3 +description: Analyze memory dumps to extract processes, network connections, and malware artifacts using Volatility3. +domain: cybersecurity +subdomain: digital-forensics +tags: [forensics, memory-analysis, volatility3, incident-response] +--- +``` + +If the skill matches the task, the agent loads the full body -- workflow steps, prerequisites, tool commands, and verification checks -- without wasting tokens on irrelevant skills. + +## Compatible Platforms + +These skills work with any tool that supports the agentskills.io standard or can read structured Markdown: + +| Platform | Integration | +|----------|------------| +| **Claude Code** | Native skill loading via `/plugin` | +| **GitHub Copilot** | Workspace context via `.skills/` directory | +| **OpenAI Codex CLI** | File-based context injection | +| **Cursor** | Project rules and docs integration | +| **Gemini CLI** | Context file loading | +| **Amp** | Skill directory mounting | +| **Goose** | Plugin-based skill loading | +| **Windsurf** | Context awareness from project files | +| **Aider** | Repository map integration | +| **Continue** | Custom context providers | +| And 16+ others | Any agent that reads structured Markdown | + +## Skill Anatomy + +Every skill follows a consistent directory structure: ``` -skills/cybersecurity/{skill-name}/ -├── SKILL.md # Skill definition with YAML frontmatter +skills/{skill-name}/ +├── SKILL.md # Skill definition with YAML frontmatter +│ ├── Frontmatter # name, description, domain, subdomain, tags +│ ├── When to Use # Trigger conditions for AI agents +│ ├── Prerequisites # Required tools and access +│ ├── Workflow # Step-by-step execution guide +│ └── Verification # How to confirm success ├── references/ -│ ├── standards.md # Real standard numbers, CVE refs, NIST/MITRE links -│ └── workflows.md # Deep technical procedure reference +│ ├── standards.md # NIST, MITRE ATT&CK, CVE references +│ └── workflows.md # Deep technical procedure reference ├── scripts/ -│ └── process.py # Real practitioner helper script +│ └── process.py # Practitioner helper scripts └── assets/ - └── template.md # Real filled-in checklist/report template + └── template.md # Checklists and report templates ``` -## Domains Covered +## Contributing -- Web Application Security -- Network Security -- Penetration Testing -- Red Teaming -- Digital Forensics & Incident Response (DFIR) -- Malware Analysis -- Threat Intelligence -- Cloud Security -- Container Security -- Identity & Access Management -- Cryptography -- Vulnerability Management -- Compliance & Governance -- Zero Trust Architecture -- OT/ICS Security -- DevSecOps -- And more... - -## Usage - -Each `SKILL.md` follows the agentskills.io open standard with YAML frontmatter and structured Markdown body. +We welcome contributions from the cybersecurity community. See [CONTRIBUTING.md](CONTRIBUTING.md) for guidelines on adding new skills, improving existing ones, and our review process. ## License -MIT +License + +This project is licensed under the Apache License 2.0. See [LICENSE](LICENSE) for details. diff --git a/assets/README.md b/assets/README.md new file mode 100644 index 00000000..0cc21cc3 --- /dev/null +++ b/assets/README.md @@ -0,0 +1,13 @@ +# Assets + +This directory contains repository assets: + +- `banner.png` — Repository social banner (1280×640px) +- `demo.gif` or `demo.svg` — Terminal demo animation + +## Creating the Banner +Recommended: Use [Socialify](https://socialify.git.ci/mukul975/Anthropic-Cybersecurity-Skills) to generate a professional banner. + +## Creating the Demo +Record with asciinema: `asciinema rec demo.cast` +Export as SVG: `svg-term --cast demo.cast --out demo.svg --window` diff --git a/launch/awesome-list-submissions.md b/launch/awesome-list-submissions.md new file mode 100644 index 00000000..71314c05 --- /dev/null +++ b/launch/awesome-list-submissions.md @@ -0,0 +1,206 @@ +# Awesome List Submission Guide + +Structured guide for submitting Anthropic-Cybersecurity-Skills to relevant awesome lists on GitHub. Each entry includes the target repo, PR template, and submission notes. + +--- + +## Priority Order + +### 1. awesome-cybersecurity-agentic-ai (raphabot) -- HIGHEST PRIORITY + +- **Repo:** https://github.com/raphabot/awesome-cybersecurity-agentic-ai +- **Section:** Skills / Knowledge Bases (or most relevant section) +- **Why highest priority:** Exact domain overlap -- cybersecurity + AI agents + +**PR Title:** +``` +Add Anthropic-Cybersecurity-Skills to Skills/Knowledge Bases +``` + +**PR Body:** +```markdown +Adding the first comprehensive cybersecurity skills database for AI agents. +611+ skills following the agentskills.io open standard, compatible with +Claude Code, GitHub Copilot, OpenAI Codex CLI, Cursor, and 20+ platforms. + +**[Anthropic-Cybersecurity-Skills](https://github.com/mukul975/Anthropic-Cybersecurity-Skills)** — 611+ cybersecurity skills for AI agents following the agentskills.io open standard. Covers threat detection, incident response, penetration testing, digital forensics, cloud security, and more. +``` + +**Suggested list entry:** +```markdown +- [Anthropic-Cybersecurity-Skills](https://github.com/mukul975/Anthropic-Cybersecurity-Skills) — 611+ cybersecurity skills for AI agents following the agentskills.io open standard. Covers threat detection, incident response, penetration testing, digital forensics, cloud security, and more. +``` + +**Pre-submission checklist:** +- [ ] Read CONTRIBUTING.md in the target repo +- [ ] Verify the list entry matches their formatting conventions +- [ ] Ensure alphabetical ordering if required +- [ ] Star the awesome list repo before submitting + +--- + +### 2. awesome-ai-security (TalEliyahu) + +- **Repo:** https://github.com/TalEliyahu/awesome-ai-security +- **Section:** Tools / Resources (or AI Security Tools) + +**PR Title:** +``` +Add Anthropic-Cybersecurity-Skills — 611+ cybersecurity skills for AI agents +``` + +**PR Body:** +```markdown +## What is this? + +A comprehensive cybersecurity skills database designed for AI coding agents. Contains 611+ skills covering the full cybersecurity domain: threat detection, incident response, penetration testing, digital forensics, cloud security, network security, malware analysis, and more. + +## Why it fits this list + +- AI agents using these skills can perform real security analysis tasks +- Follows the agentskills.io open standard (SKILL.md format) +- Compatible with Claude Code, GitHub Copilot, Cursor, Windsurf, and 20+ AI platforms +- Open source under MIT license + +**Link:** https://github.com/mukul975/Anthropic-Cybersecurity-Skills +``` + +**Suggested list entry:** +```markdown +- [Anthropic-Cybersecurity-Skills](https://github.com/mukul975/Anthropic-Cybersecurity-Skills) — 611+ cybersecurity skills for AI coding agents. Covers threat detection, incident response, penetration testing, forensics, cloud security. agentskills.io standard. +``` + +--- + +### 3. awesome-security (sindresorhus ecosystem) + +- **Repo:** https://github.com/sbilly/awesome-security +- **Section:** Other / Tools / AI-Assisted Security + +**PR Title:** +``` +Add Anthropic-Cybersecurity-Skills — cybersecurity skill library for AI agents +``` + +**PR Body:** +```markdown +Adding a cybersecurity skills database that enables AI coding agents to perform security tasks. + +- 611+ structured skills across 12 cybersecurity subdomains +- Threat detection, incident response, penetration testing, digital forensics, cloud security, and more +- Follows the agentskills.io open standard (SKILL.md format) +- Compatible with Claude Code, GitHub Copilot, Cursor, and 20+ AI platforms + +**Link:** https://github.com/mukul975/Anthropic-Cybersecurity-Skills +``` + +**Suggested list entry:** +```markdown +- [Anthropic-Cybersecurity-Skills](https://github.com/mukul975/Anthropic-Cybersecurity-Skills) — 611+ cybersecurity skills for AI agents covering threat detection, IR, pentesting, forensics, and cloud security. +``` + +--- + +### 4. awesome-pentest + +- **Repo:** https://github.com/enaqx/awesome-pentest +- **Section:** Tools / AI-Assisted / Knowledge Bases + +**PR Title:** +``` +Add Anthropic-Cybersecurity-Skills — AI agent pentesting skills library +``` + +**PR Body:** +```markdown +A library of 611+ cybersecurity skills structured for AI coding agents. Includes dedicated penetration testing skills covering: + +- Network penetration testing +- Web application security testing +- Wireless security assessment +- Social engineering simulation +- Red team operations +- Exploit development methodology + +Skills follow the agentskills.io open standard and work with Claude Code, GitHub Copilot, Cursor, and 20+ platforms. + +**Link:** https://github.com/mukul975/Anthropic-Cybersecurity-Skills +``` + +--- + +### 5. awesome-incident-response + +- **Repo:** https://github.com/meirwah/awesome-incident-response +- **Section:** Tools / Knowledge Bases / AI-Assisted + +**PR Title:** +``` +Add Anthropic-Cybersecurity-Skills — AI-powered incident response skill library +``` + +**PR Body:** +```markdown +A structured skill library enabling AI agents to assist with incident response workflows. Includes skills for: + +- Incident triage and classification +- Log analysis and correlation +- Forensic evidence collection +- Malware analysis and containment +- Post-incident reporting +- Threat hunting and detection + +611+ skills total, with dedicated incident response coverage. agentskills.io open standard, compatible with Claude Code, Copilot, Cursor, and 20+ AI platforms. + +**Link:** https://github.com/mukul975/Anthropic-Cybersecurity-Skills +``` + +--- + +### 6. awesome-threat-intelligence + +- **Repo:** https://github.com/hslatman/awesome-threat-intelligence +- **Section:** Tools / Resources / AI-Assisted + +**PR Title:** +``` +Add Anthropic-Cybersecurity-Skills — threat intelligence skills for AI agents +``` + +**PR Body:** +```markdown +A skill library enabling AI agents to assist with threat intelligence tasks. Includes skills covering: + +- OSINT collection and analysis +- Threat actor profiling +- IOC extraction and enrichment +- MITRE ATT&CK mapping +- Threat landscape assessment +- Intelligence report generation + +Part of a 611+ skill library following the agentskills.io open standard. Compatible with Claude Code, GitHub Copilot, Cursor, and 20+ AI platforms. + +**Link:** https://github.com/mukul975/Anthropic-Cybersecurity-Skills +``` + +--- + +## General Submission Process + +1. **Fork** the target awesome list repository +2. **Read** their CONTRIBUTING.md and follow formatting rules exactly +3. **Add** the entry in the correct section, respecting alphabetical order +4. **Create PR** using the templates above, adjusting as needed +5. **Be patient** -- maintainers are volunteers; follow up politely after 2 weeks if no response +6. **Do not** submit to all lists on the same day; space submissions 2-3 days apart to avoid appearing spammy + +## Tracking + +| List | Submitted | PR Link | Status | Notes | +|------|-----------|---------|--------|-------| +| awesome-cybersecurity-agentic-ai | | | Pending | Highest priority | +| awesome-ai-security | | | Pending | | +| awesome-security | | | Pending | | +| awesome-pentest | | | Pending | | +| awesome-incident-response | | | Pending | | +| awesome-threat-intelligence | | | Pending | | diff --git a/launch/conference-cfp-tracker.md b/launch/conference-cfp-tracker.md new file mode 100644 index 00000000..b08b0049 --- /dev/null +++ b/launch/conference-cfp-tracker.md @@ -0,0 +1,127 @@ +# Conference CFP Tracker + +Track Call for Papers (CFP) deadlines and submission status for presenting Anthropic-Cybersecurity-Skills at security and AI conferences. + +--- + +## Priority Target: Black Hat Arsenal + +- **Event:** Black Hat USA 2026 Arsenal +- **Location:** Las Vegas, NV +- **Dates:** August 2026 (typically first week) +- **Deadline:** ~April 2026 (Arsenal CFP opens spring 2026) +- **Type:** Open-source tool showcase (Arsenal, not Briefings) +- **Requirements:** + - Working demo of the tool/project + - Open-source and publicly available + - Security-focused + - Live demonstration capability +- **Action Items:** + - [ ] Monitor https://www.blackhat.com/us-26/arsenal.html for CFP opening + - [ ] Prepare 2-minute elevator pitch + - [ ] Build live demo showing AI agent using skills for a security task + - [ ] Record backup demo video in case of technical issues + - [ ] Prepare poster/handout with QR code to repo + +--- + +## All Conferences + +| Conference | Type | Location | Estimated Dates | CFP Deadline | Submission Type | Status | +|-----------|------|----------|----------------|--------------|-----------------|--------| +| **Black Hat USA Arsenal** | Tool Demo | Las Vegas, NV | Aug 2026 | ~Apr 2026 | Arsenal submission | Monitoring | +| **DEF CON Demo Labs** | Tool Demo | Las Vegas, NV | Aug 2026 | ~May 2026 | Demo application | Monitoring | +| **BSides Las Vegas** | Talk/Workshop | Las Vegas, NV | Aug 2026 | ~Apr 2026 | CFP talk/workshop | Monitoring | +| **RSA Conference** | Talk/Expo | San Francisco, CA | Apr 2027 | ~Oct 2026 | Innovation Sandbox / talk | Future | +| **SANS Summits** | Talk | Various | Rolling | Rolling | Speaker application | Eligible | +| **ShmooCon** | Talk | Washington, DC | Jan 2027 | ~Oct 2026 | CFP talk | Future | +| **GrrCon** | Talk | Grand Rapids, MI | Oct 2026 | ~Jun 2026 | CFP talk | Monitoring | +| **DerbyCon / Louisville** | Talk | Louisville, KY | TBD | TBD | CFP talk | Check status | +| **Wild West Hackin' Fest** | Talk | Deadwood, SD | Oct 2026 | ~Jul 2026 | CFP talk | Monitoring | +| **Hack In The Box** | Talk | Various | Various | Various | CFP talk | Monitoring | +| **CanSecWest** | Talk | Vancouver, BC | Mar 2027 | ~Dec 2026 | CFP talk | Future | +| **Offensive Con** | Talk | Berlin, DE | Feb 2027 | ~Sep 2026 | CFP talk | Future | +| **NorthSec** | Talk/Workshop | Montreal, QC | May 2026 | ~Feb 2026 | CFP talk | Check if open | +| **AI Village (DEF CON)** | Talk/Demo | Las Vegas, NV | Aug 2026 | ~May 2026 | CFP talk/demo | Monitoring | +| **OWASP Global AppSec** | Talk | Various | Various | Various | CFP talk | Monitoring | + +--- + +## Talk Abstract (Template) + +**Title:** Building 611 Cybersecurity Skills for AI Agents: An Open Standard Approach + +**Abstract:** +``` +AI coding agents are increasingly used for security tasks, but they lack structured +cybersecurity knowledge. We present Anthropic-Cybersecurity-Skills, the first open-source +library of 611+ cybersecurity skills built on the agentskills.io standard. Each skill +is a self-contained SKILL.md file that any compatible AI agent can install and execute. + +We cover the design of the skill format, the taxonomy across 12 cybersecurity subdomains +(threat detection, incident response, penetration testing, digital forensics, cloud +security, network security, malware analysis, and more), and live demonstrations of +AI agents performing real security tasks using these skills. + +The project is open source (MIT), compatible with 20+ AI platforms including Claude Code, +GitHub Copilot, and Cursor, and designed for community contribution. +``` + +**Duration options:** Lightning talk (10 min), Standard talk (25-30 min), Workshop (60-90 min) + +--- + +## Workshop Abstract (Template) + +**Title:** Hands-On: Teaching AI Agents Cybersecurity with the agentskills.io Standard + +**Abstract:** +``` +In this hands-on workshop, attendees will learn how to create, install, and use +cybersecurity skills for AI coding agents. We start with installing existing skills +from the Anthropic-Cybersecurity-Skills library (611+ skills), then progress to +writing custom skills for specific security workflows. + +Attendees will leave with: +- A working AI agent setup with cybersecurity skills installed +- Understanding of the SKILL.md format and agentskills.io standard +- A custom skill they authored during the workshop +- Knowledge of how to contribute back to the open-source project + +Prerequisites: Laptop with an AI coding agent installed (Claude Code, Cursor, or similar). +``` + +--- + +## CFP Monitoring Resources + +- **cfptime.org** -- Aggregated CFP deadlines across tech conferences +- **sec-deadlines.github.io** -- Security conference deadlines specifically +- **Twitter/X lists** -- Follow @BlackHatEvents, @defaborea, @BSidesLV, @RSAConference +- **Infosec CFP Calendar** -- https://infosec-conferences.com/cfp/ +- **Lanyrd / Sessionize** -- Check for open CFPs + +--- + +## Submission Tracking + +| Conference | Submitted Date | Abstract Used | Status | Accepted? | Presentation Date | Notes | +|-----------|---------------|---------------|--------|-----------|-------------------|-------| +| | | | | | | | + +--- + +## Demo Preparation Checklist + +For any conference demo or Arsenal submission: + +- [ ] Record 2-minute overview video +- [ ] Prepare offline fallback demo (no internet dependency) +- [ ] Create handout with repo QR code, key stats, and contact info +- [ ] Test skill installation flow end-to-end +- [ ] Prepare 3 compelling live demo scenarios: + 1. Threat hunting with AI agent using detection skills + 2. Incident response workflow guided by IR skills + 3. Writing and installing a custom security skill +- [ ] Backup slides in case of demo failure +- [ ] Business cards or contact handouts diff --git a/launch/hacker-news.md b/launch/hacker-news.md new file mode 100644 index 00000000..6e7c5975 --- /dev/null +++ b/launch/hacker-news.md @@ -0,0 +1,49 @@ +# Hacker News - Show HN Post + +## Title + +Show HN: 611+ Cybersecurity Skills for AI Agents (agentskills.io open standard) + +## Body + +I built an open-source database of 611+ cybersecurity skills that AI agents can use to perform real security work -- from malware analysis with Volatility to cloud pen-testing with Pacu. + +Each skill follows a structured format (YAML frontmatter + Markdown body) with: + +- When to use (and when NOT to) +- Prerequisites and tool requirements +- Step-by-step workflows with real commands, not pseudocode +- References to real standards (NIST, MITRE ATT&CK, CIS) +- Practitioner helper scripts and report templates + +The 611 skills cover 24 subdomains: cloud security, threat intelligence, web app security, threat hunting, malware analysis, digital forensics, SOC operations, network security, IAM, OT/ICS security, API security, container security, vulnerability management, red teaming, incident response, penetration testing, zero trust, phishing defense, endpoint security, DevSecOps, cryptography, mobile security, ransomware defense, and compliance/governance. + +Why I built this: AI coding agents (Claude Code, Cursor, Copilot) are great at software engineering but have no structured cybersecurity knowledge. When you ask them to analyze a memory dump or triage a SIEM alert, they give generic advice instead of the precise Volatility plugin sequence or Splunk SPL query a practitioner would use. + +The skills use "progressive disclosure" -- the frontmatter tells the agent WHEN to activate a skill, and the full body provides the HOW with exact commands, flags, and decision trees. + +Format follows the agentskills.io open standard so any agent framework can consume them. + +Repo: https://github.com/mukul975/Anthropic-Cybersecurity-Skills + +Tech details: +- Each skill has SKILL.md + references/ + scripts/ + assets/ +- Skills are tool-specific (not "use a scanner" but "use Nessus with these plugin families") +- Real CVE references, real MITRE ATT&CK technique IDs +- MIT licensed + +Looking for contributors, especially practitioners who want to improve existing skills or add new ones in underrepresented areas (mobile security, OT/ICS, compliance). + +## Timing + +Post at 6:00 AM Pacific (9:00 AM Eastern) for maximum HN visibility. Tuesday through Thursday are optimal days. + +## Engagement Rules + +1. **Respond within 1 hour** of posting. Early engagement signals to the HN algorithm that the post is active and worth ranking higher. +2. **Be technical, not promotional.** Answer questions with specific technical details. Reference actual skill files, tool commands, and MITRE technique IDs. +3. **No vote requests.** Never ask anyone to upvote. This violates HN guidelines and can get the post flagged or penalized. +4. **Engage authentically.** If someone raises a valid criticism (e.g., "these skills are too shallow for real practitioners"), acknowledge it and explain the contribution model. +5. **Link to specific skills** when answering questions. For example: "Here's the actual Volatility skill that covers that -- [link to SKILL.md]" +6. **Avoid marketing language.** No "revolutionary," "game-changing," or "disrupting." Stick to factual descriptions of what the repo contains. +7. **Be prepared for skepticism.** HN users will question whether AI agents can actually do security work. Have concrete examples ready showing how an agent uses a skill file. diff --git a/launch/metrics-tracker.md b/launch/metrics-tracker.md new file mode 100644 index 00000000..38e1b311 --- /dev/null +++ b/launch/metrics-tracker.md @@ -0,0 +1,129 @@ +# 30-Day Launch Metrics + +Track key growth metrics for the first 30 days after public launch. + +--- + +## Targets from Playbook + +| Metric | Week 1 | Week 2 | Week 3 | Week 4 | +|--------|--------|--------|--------|--------| +| Stars | 150-400 | 400-800 | 800-1,200 | 1,200-2,000 | +| Forks | 15-40 | 40-80 | 80-120 | 120-200 | +| Contributors | 1-3 | 3-8 | 8-15 | 15-25 | +| Unique Visitors | 500-1,000 | 1,000-2,500 | 2,000-4,000 | 3,000-6,000 | +| Clones | 50-150 | 150-400 | 300-700 | 500-1,000 | +| Issues Opened | 5-15 | 15-30 | 25-50 | 40-75 | +| PRs Opened | 1-5 | 5-15 | 10-25 | 20-40 | +| Awesome List PRs Accepted | 0-1 | 1-2 | 2-4 | 3-6 | + +--- + +## Daily Actuals + +| Date | Day | Stars | Forks | Contributors | Unique Visitors | Clones | Issues | PRs | Notes | +|------|-----|-------|-------|--------------|-----------------|--------|--------|-----|-------| +| | 1 | | | | | | | | Launch day | +| | 2 | | | | | | | | | +| | 3 | | | | | | | | | +| | 4 | | | | | | | | | +| | 5 | | | | | | | | | +| | 6 | | | | | | | | | +| | 7 | | | | | | | | End of Week 1 | +| | 8 | | | | | | | | | +| | 9 | | | | | | | | | +| | 10 | | | | | | | | | +| | 11 | | | | | | | | | +| | 12 | | | | | | | | | +| | 13 | | | | | | | | | +| | 14 | | | | | | | | End of Week 2 | +| | 15 | | | | | | | | | +| | 16 | | | | | | | | | +| | 17 | | | | | | | | | +| | 18 | | | | | | | | | +| | 19 | | | | | | | | | +| | 20 | | | | | | | | | +| | 21 | | | | | | | | End of Week 3 | +| | 22 | | | | | | | | | +| | 23 | | | | | | | | | +| | 24 | | | | | | | | | +| | 25 | | | | | | | | | +| | 26 | | | | | | | | | +| | 27 | | | | | | | | | +| | 28 | | | | | | | | End of Week 4 | +| | 29 | | | | | | | | | +| | 30 | | | | | | | | 30-day mark | + +--- + +## Weekly Summary + +| Week | Stars (Total) | Stars (Delta) | Forks (Total) | Forks (Delta) | Contributors | Top Referrer | Notes | +|------|--------------|---------------|---------------|----------------|--------------|-------------|-------| +| 1 | | | | | | | | +| 2 | | | | | | | | +| 3 | | | | | | | | +| 4 | | | | | | | | + +--- + +## Traffic Sources + +Track where visitors come from (GitHub Insights > Traffic): + +| Source | Week 1 | Week 2 | Week 3 | Week 4 | +|--------|--------|--------|--------|--------| +| GitHub Search | | | | | +| Direct / Bookmark | | | | | +| Reddit | | | | | +| Twitter/X | | | | | +| Hacker News | | | | | +| Awesome Lists | | | | | +| LinkedIn | | | | | +| Other | | | | | + +--- + +## Content & Outreach Tracking + +| Action | Date | Platform | Link | Engagement | Notes | +|--------|------|----------|------|------------|-------| +| Launch post | | Reddit r/cybersecurity | | | | +| Launch post | | Reddit r/netsec | | | | +| Launch post | | Hacker News | | | | +| Launch tweet | | Twitter/X | | | | +| LinkedIn post | | LinkedIn | | | | +| awesome-cybersecurity-agentic-ai PR | | GitHub | | | | +| awesome-ai-security PR | | GitHub | | | | +| awesome-security PR | | GitHub | | | | +| Demo video 1 | | YouTube | | | | +| Demo video 2 | | YouTube | | | | +| Demo video 3 | | YouTube | | | | + +--- + +## Milestones + +| Milestone | Target Date | Actual Date | Notes | +|-----------|------------|-------------|-------| +| First external star | Day 1 | | | +| First external fork | Day 1-2 | | | +| 100 stars | Week 1 | | | +| First external issue | Week 1 | | | +| First external PR | Week 1-2 | | | +| First awesome list acceptance | Week 2 | | | +| 500 stars | Week 2-3 | | | +| First external contributor merged | Week 2-3 | | | +| 1,000 stars | Week 3-4 | | | +| Featured in newsletter/blog | Week 2-4 | | | +| Conference talk accepted | Month 2+ | | | + +--- + +## How to Collect Metrics + +- **Stars/Forks:** GitHub repo page or `gh api repos/mukul975/Anthropic-Cybersecurity-Skills` +- **Unique Visitors/Clones:** GitHub Insights > Traffic (Settings > Insights, requires admin) +- **Referrers:** GitHub Insights > Traffic > Referring sites +- **Issues/PRs:** GitHub Issues/PR tabs or `gh issue list` / `gh pr list` +- **Contributors:** `git shortlog -sn --all` or GitHub Insights > Contributors diff --git a/launch/reddit-posts.md b/launch/reddit-posts.md new file mode 100644 index 00000000..67470b20 --- /dev/null +++ b/launch/reddit-posts.md @@ -0,0 +1,196 @@ +# Reddit Launch Posts + +## Timing Guidance + +- Space posts **2 hours apart** to avoid spam detection and maximize individual post visibility. +- Post **Tuesday through Thursday** for best engagement. +- Optimal window: **9:00 AM - 12:00 PM EST**. +- Suggested schedule: first post at 9:00 AM EST, second at 11:00 AM EST, third at 1:00 PM EST, then remaining posts over the following day. +- Do NOT cross-post (use Reddit's crosspost feature). Write unique copy for each subreddit. + +--- + +## 1. r/netsec (~540K subscribers) -- Technical Focus + +**Title:** Open-source database of 611+ structured cybersecurity skills for AI agents -- covers DFIR, malware analysis, cloud pentesting, and more + +**Body:** + +I've been building an open-source database of cybersecurity skills formatted for AI agent consumption. There are 611 skills across 24 subdomains, each following a structured YAML + Markdown format. + +What makes this different from a wiki or cheat sheet: + +- **Progressive disclosure architecture**: YAML frontmatter tells the agent WHEN to activate (trigger conditions, prerequisites), and the Markdown body provides the HOW (exact commands, tool flags, decision trees). +- **Tool-specific, not generic**: Skills reference specific tools with real commands. "Analyzing Memory Dumps with Volatility" includes the actual `vol3` plugin sequence, not "use a memory forensics tool." +- **Real references**: MITRE ATT&CK technique IDs, NIST control mappings, actual CVE numbers, CIS benchmark references. +- **Practitioner scripts and templates**: Each skill can include helper scripts and filled-in report/checklist templates. + +Subdomain breakdown: +- Cloud Security (48 skills) -- AWS, Azure, GCP specific +- Threat Intelligence (43) -- STIX/TAXII, MISP, diamond model +- Web App Security (41) -- OWASP Top 10, specific injection types +- Threat Hunting (35) -- hypothesis-driven, ATT&CK-mapped +- Malware Analysis (34) -- static, dynamic, reverse engineering +- Digital Forensics (34) -- disk, memory, network, mobile +- Plus 18 more subdomains + +Repo: https://github.com/mukul975/Anthropic-Cybersecurity-Skills + +Format follows the agentskills.io open standard. MIT licensed. Looking for practitioner contributors. + +--- + +## 2. r/cybersecurity (~1M+ subscribers) -- Broader Audience + +**Title:** I built an open-source library of 611 cybersecurity skills that AI agents can actually use -- from memory forensics to cloud pentesting + +**Body:** + +AI coding agents like Claude Code and GitHub Copilot are increasingly used for security tasks, but they lack structured cybersecurity knowledge. When you ask them to analyze a suspicious process or triage a SIEM alert, you get generic advice instead of the specific Volatility plugin, Splunk query, or Nessus configuration a practitioner would use. + +I built an open-source database of 611 cybersecurity skills designed to give AI agents real practitioner-level knowledge. + +**What each skill includes:** +- When to use it (and when NOT to) +- Tool-specific prerequisites +- Step-by-step workflows with exact commands +- References to MITRE ATT&CK, NIST, CIS benchmarks +- Helper scripts and report templates + +**Coverage across 24 subdomains:** +Cloud Security, Threat Intelligence, Web App Security, Threat Hunting, Malware Analysis, Digital Forensics, SOC Operations, Network Security, IAM, OT/ICS Security, API Security, Container Security, Vulnerability Management, Red Teaming, Incident Response, Penetration Testing, Zero Trust, Phishing Defense, Endpoint Security, DevSecOps, Cryptography, Mobile Security, Ransomware Defense, Compliance & Governance. + +The skills use a "progressive disclosure" format -- the YAML frontmatter gives the agent enough context to know when to activate, and the full body has the detailed procedure. + +Repo: https://github.com/mukul975/Anthropic-Cybersecurity-Skills + +MIT licensed. Looking for contributors, especially from practitioners who want to encode their expertise into a format AI agents can use. + +--- + +## 3. r/blueteamsec (~34K subscribers) -- Defensive Focus + +**Title:** Open-source skill library for AI-assisted blue team operations -- 611 skills covering DFIR, threat hunting, SOC operations, and detection engineering + +**Body:** + +Built an open-source database of 611 cybersecurity skills structured for AI agent consumption, with strong coverage of defensive operations: + +**Blue team coverage:** +- **Threat Hunting (35 skills)**: Hypothesis-driven hunts for beaconing, LOLBins, persistence mechanisms, DNS tunneling, lateral movement, supply chain compromise +- **SOC Operations (33 skills)**: Alert triage, detection rule building (Sigma, Splunk SPL), SOAR playbooks, escalation matrices, metrics/KPI tracking +- **Incident Response (24 skills)**: Containment procedures, forensic collection, timeline reconstruction, ransomware response, lessons learned +- **Digital Forensics (34 skills)**: Memory forensics with Volatility, disk analysis with Autopsy, network forensics with Wireshark/Zeek, timeline analysis with Plaso +- **Threat Intelligence (43 skills)**: STIX/TAXII integration, MISP feeds, IOC enrichment, threat actor profiling, diamond model analysis +- **Detection Engineering**: Sigma rules, Splunk SPL queries, Suricata rules, Zeek scripts + +Each skill includes the exact tool commands, decision trees, and real framework references (MITRE ATT&CK techniques, NIST controls) that a practitioner would use. + +The format is designed so AI agents (Claude Code, Copilot, etc.) can use these skills to assist with real security work -- not replace analysts, but give them an AI assistant that actually knows the right Volatility plugin or Splunk query. + +Repo: https://github.com/mukul975/Anthropic-Cybersecurity-Skills + +MIT licensed. Contributions welcome -- especially from SOC analysts and IR practitioners. + +--- + +## 4. r/hacking + +**Title:** 611 cybersecurity skills structured for AI agents -- open-source, covers pentesting, red teaming, malware analysis, forensics, and more + +**Body:** + +Open-sourced a database of 611 cybersecurity skills that AI agents can use to assist with real security work. + +Skills cover both offensive and defensive domains: +- **Penetration Testing (23 skills)**: Web app, network, cloud, mobile, AD, wireless +- **Red Teaming (24 skills)**: C2 infrastructure, lateral movement, persistence, AD attack paths +- **Malware Analysis (34 skills)**: Reverse engineering with Ghidra, dynamic analysis with CAPE/Cuckoo, packed malware unpacking +- **Web App Security (41 skills)**: SQLi, XSS, SSRF, deserialization, race conditions, request smuggling +- **Network Security (33 skills)**: Nmap, Wireshark, Suricata, Zeek, ARP spoofing, VLAN hopping + +Each skill has real commands, not pseudocode. The Metasploit skill has actual `msfconsole` commands. The SQLMap skill has actual flags and tamper scripts. The Bloodhound skill has actual Cypher queries. + +Format: YAML frontmatter + structured Markdown. Follows the agentskills.io open standard. + +Repo: https://github.com/mukul975/Anthropic-Cybersecurity-Skills + +MIT licensed. PRs welcome. + +--- + +## 5. r/redteamsec + +**Title:** Open-source AI agent skills for red team operations -- AD attack paths, C2 infrastructure, lateral movement, persistence techniques + +**Body:** + +I built a structured skill database for AI agents that includes significant red team coverage: + +- **Red Teaming (24 skills)**: C2 with Sliver/Havoc, AD attack simulation, engagement planning, purple team exercises +- **Penetration Testing (23 skills)**: Full-scope pentesting, AD pentesting, cloud pentesting with Pacu/ScoutSuite, wireless with Aircrack-ng +- **Active Directory**: Bloodhound CE, Kerberoasting with Impacket, DCSync, constrained delegation abuse, NoPac, Zerologon, certificate services ESC1 +- **Web exploitation**: SQLi, SSRF, deserialization, template injection, prototype pollution, request smuggling, race conditions + +Each skill is structured with YAML frontmatter (triggers, prerequisites, tags) and a Markdown body with exact tool commands, decision trees, and MITRE ATT&CK mappings. + +The idea: give AI agents the structured knowledge to assist with authorized security testing, not replace operators but augment them with instant recall of the right tool flag or attack chain. + +Repo: https://github.com/mukul975/Anthropic-Cybersecurity-Skills + +MIT licensed. Would especially appreciate contributions from red teamers on evasion techniques and emerging TTPs. + +--- + +## 6. r/artificial + +**Title:** Built 611 cybersecurity skills for AI agents -- how structured knowledge databases can make AI actually useful for specialized domains + +**Body:** + +AI coding agents (Claude Code, Cursor, GitHub Copilot) are powerful at general software engineering, but they struggle with specialized domains like cybersecurity. Ask them to analyze a memory dump and you get vague advice. Give them a structured skill file with the exact Volatility plugin sequence and decision tree, and they become genuinely useful. + +I built an open-source database of 611 cybersecurity skills structured for AI agent consumption: + +**The core insight: progressive disclosure** + +The skills use a two-layer architecture: +1. **YAML frontmatter** -- Tells the agent WHEN to activate: skill name, description, domain/subdomain, tags. This is what gets indexed and matched against user queries. +2. **Markdown body** -- The HOW: step-by-step workflows with exact commands, tool flags, decision trees, validation steps. Only loaded when the skill activates. + +This mirrors how human expertise works -- a senior analyst doesn't consciously think through every step of memory forensics until they need to, but they know instantly when it's the right approach. + +**24 subdomains, 611 skills** covering cloud security, malware analysis, threat hunting, incident response, penetration testing, red teaming, and more. + +The format follows the agentskills.io open standard, so any agent framework can index and use these skills. + +Repo: https://github.com/mukul975/Anthropic-Cybersecurity-Skills + +Interested in the broader question: how do we build domain-specific knowledge layers for AI agents? Cybersecurity is just one domain -- the same pattern could work for medicine, law, finance, etc. + +--- + +## 7. r/opensource + +**Title:** Open-sourced 611 cybersecurity skills for AI agents -- MIT licensed, structured for any agent framework + +**Body:** + +I've open-sourced a database of 611 cybersecurity skills designed for AI agent consumption. + +**Why this exists:** AI agents are increasingly used for security tasks, but they lack the structured, tool-specific knowledge that practitioners have. This database encodes that knowledge in a format any AI agent can use. + +**What's in it:** +- 611 skills across 24 cybersecurity subdomains +- Each skill: YAML frontmatter + structured Markdown with real commands +- References to MITRE ATT&CK, NIST, CIS benchmarks +- Helper scripts and report templates +- Follows the agentskills.io open standard + +**Tech stack:** Pure Markdown + YAML. No build system, no dependencies. Any tool that can read files can use these skills. + +**License:** MIT + +**Contributing:** Looking for cybersecurity practitioners who want to improve existing skills or add new ones. The format is simple -- if you can write a runbook, you can contribute a skill. + +Repo: https://github.com/mukul975/Anthropic-Cybersecurity-Skills diff --git a/launch/twitter-thread.md b/launch/twitter-thread.md new file mode 100644 index 00000000..609b871f --- /dev/null +++ b/launch/twitter-thread.md @@ -0,0 +1,89 @@ +# Twitter/X Launch Thread + +Post as a thread. Pin the first tweet. Include the repo link in tweet 1 and tweet 7. + +--- + +## Tweet 1 (268 characters) + +I just open-sourced 611 cybersecurity skills for AI agents. + +From malware analysis with Volatility to cloud pentesting with Pacu -- structured so Claude Code, Copilot, and any AI agent can use them. + +MIT licensed. All 24 subdomains of cybersecurity. + +github.com/mukul975/Anthropic-Cybersecurity-Skills + +--- + +## Tweet 2 (277 characters) + +The problem: AI agents are great at coding but terrible at cybersecurity. + +Ask Claude to analyze a memory dump and you get generic advice. + +Give it a structured skill with the exact Volatility plugin sequence, and it gives you the precise commands a senior analyst would use. + +--- + +## Tweet 3 (270 characters) + +Each skill uses progressive disclosure: + +YAML frontmatter = WHEN to activate (triggers, domain, tags) +Markdown body = HOW to execute (exact commands, decision trees, validation) + +The agent loads the frontmatter for routing, then the full body only when it needs the details. + +--- + +## Tweet 4 (280 characters) + +611 skills across 24 subdomains: + +- Cloud Security (48) +- Threat Intelligence (43) +- Web App Security (41) +- Threat Hunting (35) +- Malware Analysis (34) +- Digital Forensics (34) +- SOC Operations (33) +- Network Security (33) +- IAM (33) +- OT/ICS Security (28) +- And 14 more + +--- + +## Tweet 5 (257 characters) + +These aren't generic cheat sheets. Every skill has: + +- Real tool commands (not "use a scanner") +- MITRE ATT&CK technique IDs +- NIST/CIS benchmark references +- Decision trees for edge cases +- Practitioner helper scripts +- Filled-in report templates + +--- + +## Tweet 6 (243 characters) + +Why this matters for the security industry: + +AI agents will increasingly assist with security work. The question isn't IF but HOW WELL. + +Structured skill databases are how we go from "vaguely helpful AI" to "AI that knows the right Splunk query for T1059.001." + +--- + +## Tweet 7 (248 characters) + +The repo is MIT licensed and follows the agentskills.io open standard. + +Looking for contributors -- especially practitioners who want to encode their expertise for AI agents. + +If you write runbooks, you can write skills. + +github.com/mukul975/Anthropic-Cybersecurity-Skills diff --git a/mappings/README.md b/mappings/README.md new file mode 100644 index 00000000..ad08e8f5 --- /dev/null +++ b/mappings/README.md @@ -0,0 +1,87 @@ +# Security Framework Mappings + +This directory maps the 607+ cybersecurity skills in this repository to industry-standard security frameworks, enabling practitioners and AI agents to discover relevant skills through the lens of established security models. + +## Supported Frameworks + +### MITRE ATT&CK v15 + +The [MITRE ATT&CK](https://attack.mitre.org/) framework is a globally accessible knowledge base of adversary tactics and techniques based on real-world observations. Skills are mapped to: + +- **Tactics** (TA00xx) -- the adversary's tactical goals during an operation +- **Techniques** (T1xxx) -- the specific methods used to achieve those goals +- **Sub-techniques** (T1xxx.xxx) -- more granular variations of techniques + +See [`mitre-attack/`](mitre-attack/) for the full mapping and coverage analysis. + +### NIST Cybersecurity Framework 2.0 + +The [NIST CSF 2.0](https://www.nist.gov/cyberframework) provides a taxonomy of high-level cybersecurity outcomes organized into 6 core functions: + +| Function | Code | Description | +|----------|------|-------------| +| Govern | GV | Establishing and monitoring cybersecurity risk management strategy | +| Identify | ID | Understanding organizational cybersecurity risk | +| Protect | PR | Safeguarding assets through security controls | +| Detect | DE | Finding and analyzing cybersecurity events | +| Respond | RS | Taking action regarding detected incidents | +| Recover | RC | Restoring capabilities after an incident | + +See [`nist-csf/`](nist-csf/) for the full alignment and category mapping. + +### OWASP Top 10 (2025) + +The [OWASP Top 10](https://owasp.org/www-project-top-ten/) represents the most critical security risks to web applications. Skills are mapped to each risk category to provide hands-on remediation and testing capabilities. + +See [`owasp/`](owasp/) for the full mapping. + +## How Mappings Work + +Each skill in this repository has YAML frontmatter with `domain`, `subdomain`, and `tags` fields. Framework mappings aggregate skills by subdomain relevance and tag correlation: + +``` +Skill YAML frontmatter + -> subdomain (e.g., "penetration-testing") + -> tags (e.g., ["mitre-attack", "privilege-escalation"]) + -> Framework mapping (e.g., ATT&CK TA0004 Privilege Escalation) +``` + +Mappings are maintained at the subdomain level for scalability. Individual skills may also carry framework-specific tags in their frontmatter for precise lookups. + +## Subdomain Distribution (607 skills) + +| Subdomain | Skills | Primary Frameworks | +|-----------|--------|--------------------| +| cloud-security | 48 | ATT&CK, NIST CSF | +| threat-intelligence | 43 | ATT&CK, NIST CSF | +| web-application-security | 41 | ATT&CK, OWASP | +| threat-hunting | 35 | ATT&CK, NIST CSF | +| digital-forensics | 34 | ATT&CK, NIST CSF | +| malware-analysis | 34 | ATT&CK, NIST CSF | +| identity-access-management | 33 | ATT&CK, NIST CSF | +| network-security | 33 | ATT&CK, NIST CSF | +| soc-operations | 33 | ATT&CK, NIST CSF | +| api-security | 28 | OWASP, ATT&CK | +| ot-ics-security | 28 | ATT&CK (ICS), NIST CSF | +| container-security | 26 | ATT&CK, NIST CSF | +| incident-response | 24 | ATT&CK, NIST CSF | +| vulnerability-management | 24 | ATT&CK, NIST CSF, OWASP | +| penetration-testing | 23 | ATT&CK | +| red-teaming | 24 | ATT&CK | +| devsecops | 16 | NIST CSF, OWASP | +| endpoint-security | 16 | ATT&CK, NIST CSF | +| phishing-defense | 16 | ATT&CK, NIST CSF | +| cryptography | 13 | NIST CSF | +| zero-trust-architecture | 13 | NIST CSF | +| mobile-security | 12 | ATT&CK (Mobile), OWASP | +| compliance-governance | 5 | NIST CSF | +| ransomware-defense | 5 | ATT&CK, NIST CSF | + +## Contributing + +To add or update a framework mapping: + +1. Identify the skill subdomain and relevant framework category +2. Update the corresponding mapping file in the framework directory +3. Ensure the skill's YAML frontmatter tags reflect the mapping +4. Submit a pull request with the mapping justification diff --git a/mappings/mitre-attack/README.md b/mappings/mitre-attack/README.md new file mode 100644 index 00000000..d0e21e58 --- /dev/null +++ b/mappings/mitre-attack/README.md @@ -0,0 +1,102 @@ +# MITRE ATT&CK Mapping + +This directory maps the cybersecurity skills in this repository to the [MITRE ATT&CK](https://attack.mitre.org/) framework (Enterprise v15). + +## Overview + +MITRE ATT&CK is a curated knowledge base and model for cyber adversary behavior, reflecting the various phases of an adversary's lifecycle and the platforms they target. This mapping connects our hands-on skills to ATT&CK tactics and techniques, enabling: + +- **Threat-informed defense** -- prioritize skill development based on real adversary behavior +- **Gap analysis** -- identify ATT&CK techniques not yet covered by available skills +- **Purple team exercises** -- pair offensive (red team) and defensive (blue team) skills for each technique +- **Agent-driven discovery** -- AI agents can query skills by ATT&CK ID for automated security workflows + +## Mapping Methodology + +### Tactic Mapping (TA00xx) + +Each of the 14 ATT&CK Enterprise tactics represents a distinct adversary objective. Skills are mapped to tactics based on which adversary goal they help achieve (offensive) or defend against (defensive): + +| Tactic | ID | Offensive Skills | Defensive Skills | +|--------|-----|-----------------|------------------| +| Reconnaissance | TA0043 | penetration-testing, red-teaming | threat-intelligence, phishing-defense | +| Resource Development | TA0042 | red-teaming | threat-intelligence | +| Initial Access | TA0001 | web-application-security, penetration-testing | phishing-defense, endpoint-security | +| Execution | TA0002 | penetration-testing, red-teaming | malware-analysis, endpoint-security, soc-operations | +| Persistence | TA0003 | red-teaming, penetration-testing | threat-hunting, digital-forensics, endpoint-security | +| Privilege Escalation | TA0004 | penetration-testing, red-teaming | endpoint-security, identity-access-management | +| Defense Evasion | TA0005 | red-teaming | malware-analysis, endpoint-security, threat-hunting | +| Credential Access | TA0006 | penetration-testing, red-teaming | identity-access-management, soc-operations | +| Discovery | TA0007 | penetration-testing, red-teaming | threat-hunting, network-security | +| Lateral Movement | TA0008 | red-teaming, penetration-testing | network-security, threat-hunting, soc-operations | +| Collection | TA0009 | red-teaming | digital-forensics, threat-hunting | +| Command and Control | TA0011 | red-teaming | threat-intelligence, network-security, soc-operations | +| Exfiltration | TA0010 | red-teaming | threat-hunting, digital-forensics, network-security | +| Impact | TA0040 | red-teaming | ransomware-defense, incident-response | + +### Technique Mapping (T1xxx) + +Skills are mapped to specific techniques based on their content. Examples: + +| Technique | ID | Example Skills | +|-----------|-----|---------------| +| Phishing | T1566 | analyzing-phishing-email-headers, analyzing-certificate-transparency-for-phishing | +| Exploit Public-Facing Application | T1190 | web-application-security skills (SQL injection, XSS, SSRF) | +| OS Credential Dumping | T1003 | penetration-testing credential harvesting skills | +| PowerShell | T1059.001 | analyzing-windows-event-logs-in-splunk, malware-analysis skills | +| Remote Services | T1021 | network-security lateral movement skills | +| Data Encrypted for Impact | T1486 | analyzing-ransomware-encryption-mechanisms | +| Command and Scripting Interpreter | T1059 | malware-analysis script deobfuscation skills | +| Scheduled Task/Job | T1053 | analyzing-malware-persistence-with-autoruns | +| Registry Run Keys | T1547.001 | analyzing-windows-registry-for-artifacts | +| DLL Side-Loading | T1574.002 | analyzing-bootkit-and-rootkit-samples | + +### Sub-technique Mapping (T1xxx.xxx) + +Where applicable, skills are mapped to sub-techniques for precision. For example: + +- `T1566.001` (Spearphishing Attachment) -- analyzing-email-headers-for-phishing-investigation +- `T1566.002` (Spearphishing Link) -- analyzing-certificate-transparency-for-phishing +- `T1003.001` (LSASS Memory) -- analyzing-memory-dumps-with-volatility + +## ATT&CK Navigator Integration + +You can visualize our skill coverage using the [ATT&CK Navigator](https://mitre-attack.github.io/attack-navigator/). To generate a Navigator layer: + +1. Use the coverage summary in [`coverage-summary.md`](coverage-summary.md) to identify covered tactics +2. Import the tactic/technique IDs into a Navigator layer JSON +3. Color-code by coverage depth (number of skills per technique) + +### Suggested Color Scale + +| Coverage | Color | Meaning | +|----------|-------|---------| +| 0 skills | White | No coverage -- gap | +| 1-2 skills | Light blue | Basic coverage | +| 3-5 skills | Medium blue | Moderate coverage | +| 6+ skills | Dark blue | Strong coverage | + +## Skill Tag Convention + +Skills relevant to ATT&CK carry these tags in their YAML frontmatter: + +- `mitre-attack` -- general ATT&CK relevance (56 skills currently tagged) +- Technique-specific tags like `privilege-escalation`, `lateral-movement`, `persistence` +- Tool-specific tags that map to ATT&CK software entries (e.g., `cobalt-strike`, `mimikatz`) + +## How to Contribute Mappings + +1. **Identify the skill** -- Read the skill's SKILL.md to understand what it teaches +2. **Find the ATT&CK technique** -- Search [attack.mitre.org](https://attack.mitre.org/) for the matching technique +3. **Determine offensive vs. defensive** -- Is the skill about performing or detecting/preventing the technique? +4. **Update the mapping** -- Add the technique ID to the appropriate table in this directory +5. **Update skill tags** -- Add `mitre-attack` and technique-specific tags to the skill's frontmatter +6. **Submit a PR** -- Include the ATT&CK technique URL as justification + +## References + +- [MITRE ATT&CK Enterprise Matrix](https://attack.mitre.org/matrices/enterprise/) +- [MITRE ATT&CK Navigator](https://mitre-attack.github.io/attack-navigator/) +- [ATT&CK v15 Release Notes](https://attack.mitre.org/resources/updates/) +- [MITRE ATT&CK for ICS](https://attack.mitre.org/matrices/ics/) -- relevant for ot-ics-security skills +- [MITRE ATT&CK for Mobile](https://attack.mitre.org/matrices/mobile/) -- relevant for mobile-security skills