creator/Anthropic-Cybersecurity-Skills
1
0
Fork 0
mirror of https://github.com/mukul975/Anthropic-Cybersecurity-Skills.git synced 2026-06-10 05:04:56 +03:00
Code Issues Packages Projects Releases Wiki Activity

Overhaul README with badges, quick start, and skill categories

Browse Source
This commit is contained in:
mukul975
2026-02-25 11:09:42 +01:00
parent 9f3f46b4f4
commit 637a7d5267
13 changed files with 1394 additions and 32 deletions
Download Patch File Download Diff File Expand all files Collapse all files
AUTHORS.md
+10
View File
@@ -0,0 +1,10 @@
# Authors and Contributors
## Maintainer
- **mukul975** — Creator and primary maintainer
## Contributors
<!-- Contributors will be added here as they join the project -->
## How to Become a Contributor
See [CONTRIBUTING.md](CONTRIBUTING.md) for how to add skills and get listed here.
CONTRIBUTING.md
+74
View File
@@ -0,0 +1,74 @@
# Contributing to Anthropic-Cybersecurity-Skills
## How to add a new skill
1. Create a new directory: `skills/your-skill-name/`
2. Add a `SKILL.md` file with required YAML frontmatter:
```yaml
---
name: your-skill-name
description: >-
Clear description of what this skill does and when
an AI agent should activate it. Include keywords.
domain: cybersecurity
subdomain: [category]
tags: [tag1, tag2, tag3]
version: "1.0"
author: your-github-username
license: Apache-2.0
---
```
3. Write clear, step-by-step instructions in the Markdown body using these sections:
- ## When to Use
- ## Prerequisites
- ## Workflow (numbered steps with real commands)
- ## Key Concepts (table)
- ## Tools & Systems
- ## Common Scenarios
- ## Output Format
4. (Optional) Add supporting files:
- `references/standards.md` — Real standard numbers, CVE refs, NIST/MITRE links
- `references/workflows.md` — Deep technical procedure
- `scripts/process.py` — Real working helper script
- `assets/template.md` — Real filled-in checklist/template
5. Submit a PR with title: `Add skill: your-skill-name`
## Skill quality checklist
- [ ] Name is lowercase with hyphens (kebab-case), 164 characters
- [ ] Description is clear and includes agent-discovery keywords
- [ ] Instructions are actionable with real commands and tool names
- [ ] Domain and subdomain are set correctly
- [ ] Tags include relevant tools, frameworks, and techniques
## Subdomains
Choose the most appropriate subdomain for your skill:
- web-application-security
- network-security
- penetration-testing
- red-teaming
- digital-forensics
- malware-analysis
- threat-intelligence
- cloud-security
- container-security
- identity-access-management
- cryptography
- vulnerability-management
- compliance-governance
- zero-trust-architecture
- ot-ics-security
- devsecops
- soc-operations
- incident-response
- phishing-defense
- ransomware-defense
- api-security
- mobile-security
- endpoint-security
- threat-hunting
## Code of Conduct
This project follows the [Contributor Covenant](CODE_OF_CONDUCT.md). By participating, you agree to uphold this code.
## License
By contributing, you agree that your contributions will be licensed under Apache-2.0.
LICENSE
+201
View File
@@ -0,0 +1,201 @@
Apache License
Version 2.0, January 2004
http://www.apache.org/licenses/
TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
1. Definitions.
"License" shall mean the terms and conditions for use, reproduction,
and distribution as defined by Sections 1 through 9 of this document.
"Licensor" shall mean the copyright owner or entity authorized by
the copyright owner that is granting the License.
"Legal Entity" shall mean the union of the acting entity and all
other entities that control, are controlled by, or are under common
control with that entity. For the purposes of this definition,
"control" means (i) the power, direct or indirect, to cause the
direction or management of such entity, whether by contract or
otherwise, or (ii) ownership of fifty percent (50%) or more of the
outstanding shares, or (iii) beneficial ownership of such entity.
"You" (or "Your") shall mean an individual or Legal Entity
exercising permissions granted by this License.
"Source" form shall mean the preferred form for making modifications,
including but not limited to software source code, documentation
source, and configuration files.
"Object" form shall mean any form resulting from mechanical
transformation or translation of a Source form, including but
not limited to compiled object code, generated documentation,
and conversions to other media types.
"Work" shall mean the work of authorship, whether in Source or
Object form, made available under the License, as indicated by a
copyright notice that is included in or attached to the work
(an example is provided in the Appendix below).
"Derivative Works" shall mean any work, whether in Source or Object
form, that is based on (or derived from) the Work and for which the
editorial revisions, annotations, elaborations, or other modifications
represent, as a whole, an original work of authorship. For the purposes
of this License, Derivative Works shall not include works that remain
separable from, or merely link (or bind by name) to the interfaces of,
the Work and Derivative Works thereof.
"Contribution" shall mean any work of authorship, including
the original version of the Work and any modifications or additions
to that Work or Derivative Works thereof, that is intentionally
submitted to the Licensor for inclusion in the Work by the copyright owner
or by an individual or Legal Entity authorized to submit on behalf of
the copyright owner. For the purposes of this definition, "submitted"
means any form of electronic, verbal, or written communication sent
to the Licensor or its representatives, including but not limited to
communication on electronic mailing lists, source code control systems,
and issue tracking systems that are managed by, or on behalf of, the
Licensor for the purpose of discussing and improving the Work, but
excluding communication that is conspicuously marked or otherwise
designated in writing by the copyright owner as "Not a Contribution."
"Contributor" shall mean Licensor and any individual or Legal Entity
on behalf of whom a Contribution has been received by the Licensor and
subsequently incorporated within the Work.
2. Grant of Copyright License. Subject to the terms and conditions of
this License, each Contributor hereby grants to You a perpetual,
worldwide, non-exclusive, no-charge, royalty-free, irrevocable
copyright license to reproduce, prepare Derivative Works of,
publicly display, publicly perform, sublicense, and distribute the
Work and such Derivative Works in Source or Object form.
3. Grant of Patent License. Subject to the terms and conditions of
this License, each Contributor hereby grants to You a perpetual,
worldwide, non-exclusive, no-charge, royalty-free, irrevocable
(except as stated in this section) patent license to make, have made,
use, offer to sell, sell, import, and otherwise transfer the Work,
where such license applies only to those patent claims licensable
by such Contributor that are necessarily infringed by their
Contribution(s) alone or by combination of their Contribution(s)
with the Work to which such Contribution(s) was submitted. If You
institute patent litigation against any entity (including a
cross-claim or counterclaim in a lawsuit) alleging that the Work
or a Contribution incorporated within the Work constitutes direct
or contributory patent infringement, then any patent licenses
granted to You under this License for that Work shall terminate
as of the date such litigation is filed.
4. Redistribution. You may reproduce and distribute copies of the
Work or Derivative Works thereof in any medium, with or without
modifications, and in Source or Object form, provided that You
meet the following conditions:
(a) You must give any other recipients of the Work or
Derivative Works a copy of this License; and
(b) You must cause any modified files to carry prominent notices
stating that You changed the files; and
(c) You must retain, in the Source form of any Derivative Works
that You distribute, all copyright, patent, trademark, and
attribution notices from the Source form of the Work,
excluding those notices that do not pertain to any part of
the Derivative Works; and
(d) If the Work includes a "NOTICE" text file as part of its
distribution, then any Derivative Works that You distribute must
include a readable copy of the attribution notices contained
within such NOTICE file, excluding any notices that do not
pertain to any part of the Derivative Works, in at least one
of the following places: within a NOTICE text file distributed
as part of the Derivative Works; within the Source form or
documentation, if provided along with the Derivative Works; or,
within a display generated by the Derivative Works, if and
wherever such third-party notices normally appear. The contents
of the NOTICE file are for informational purposes only and
do not modify the License. You may add Your own attribution
notices within Derivative Works that You distribute, alongside
or as an addendum to the NOTICE text from the Work, provided
that such additional attribution notices cannot be construed
as modifying the License.
You may add Your own copyright statement to Your modifications and
may provide additional or different license terms and conditions
for use, reproduction, or distribution of Your modifications, or
for any such Derivative Works as a whole, provided Your use,
reproduction, and distribution of the Work otherwise complies with
the conditions stated in this License.
5. Submission of Contributions. Unless You explicitly state otherwise,
any Contribution intentionally submitted for inclusion in the Work
by You to the Licensor shall be under the terms and conditions of
this License, without any additional terms or conditions.
Notwithstanding the above, nothing herein shall supersede or modify
the terms of any separate license agreement you may have executed
with Licensor regarding such Contributions.
6. Trademarks. This License does not grant permission to use the trade
names, trademarks, service marks, or product names of the Licensor,
except as required for reasonable and customary use in describing the
origin of the Work and reproducing the content of the NOTICE file.
7. Disclaimer of Warranty. Unless required by applicable law or
agreed to in writing, Licensor provides the Work (and each
Contributor provides its Contributions) on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
implied, including, without limitation, any warranties or conditions
of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
PARTICULAR PURPOSE. You are solely responsible for determining the
appropriateness of using or redistributing the Work and assume any
risks associated with Your exercise of permissions under this License.
8. Limitation of Liability. In no event and under no legal theory,
whether in tort (including negligence), contract, or otherwise,
unless required by applicable law (such as deliberate and grossly
negligent acts) or agreed to in writing, shall any Contributor be
liable to You for damages, including any direct, indirect, special,
incidental, or consequential damages of any character arising as a
result of this License or out of the use or inability to use the
Work (including but not limited to damages for loss of goodwill,
work stoppage, computer failure or malfunction, or any and all
other commercial damages or losses), even if such Contributor
has been advised of the possibility of such damages.
9. Accepting Warranty or Additional Liability. While redistributing
the Work or Derivative Works thereof, You may choose to offer,
and charge a fee for, acceptance of support, warranty, indemnity,
or other liability obligations and/or rights consistent with this
License. However, in accepting such obligations, You may act only
on Your own behalf and on Your sole responsibility, not on behalf
of any other Contributor, and only if You agree to indemnify,
defend, and hold each Contributor harmless for any liability
incurred by, or claims asserted against, such Contributor by reason
of your accepting any such warranty or additional liability.
END OF TERMS AND CONDITIONS
APPENDIX: How to apply the Apache License to your work.
To apply the Apache License to your work, attach the following
boilerplate notice, with the fields enclosed by brackets "[]"
replaced with your own identifying information. (Don't include
the brackets!) The text should be enclosed in the appropriate
comment syntax for the file format. Please do not remove or change
the license header comment from a contributed file except when
necessary.
Copyright 2026 mukul975
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
README.md
+109 -30
View File
@@ -1,45 +1,124 @@
# Anthropic Cybersecurity Skills
<p align="center">
<img src="assets/banner.png" alt="Anthropic Cybersecurity Skills" width="600">
</p>
An open-source database of 600+ cybersecurity skills for AI agents, practitioners, and security teams.
<p align="center">
<strong>611+ cybersecurity skills for AI agents &middot; agentskills.io open standard</strong>
</p>
## Structure
<p align="center">
<a href="LICENSE"><img src="https://img.shields.io/badge/license-Apache_2.0-blue.svg?style=flat" alt="License"></a>
<img src="https://img.shields.io/badge/skills-611%2B-brightgreen?style=flat" alt="Skills Count">
<img src="https://img.shields.io/github/stars/mukul975/Anthropic-Cybersecurity-Skills?style=flat" alt="Stars">
<img src="https://img.shields.io/github/last-commit/mukul975/Anthropic-Cybersecurity-Skills?style=flat" alt="Last Commit">
<a href="https://agentskills.io"><img src="https://img.shields.io/badge/standard-agentskills.io-purple?style=flat" alt="Agent Skills"></a>
<img src="https://img.shields.io/badge/platforms-26%2B-orange?style=flat" alt="Platforms">
</p>
---
The largest open-source collection of cybersecurity skills for AI agents. Every skill follows the [agentskills.io](https://agentskills.io) open standard and works instantly with Claude Code, GitHub Copilot, OpenAI Codex CLI, Cursor, Gemini CLI, and 20+ other platforms.
## Quick Start (30 seconds)
```bash
# Add as Claude Code marketplace
/plugin marketplace add mukul975/Anthropic-Cybersecurity-Skills
# Or clone directly
git clone https://github.com/mukul975/Anthropic-Cybersecurity-Skills .skills/cybersecurity
```
## Skill Categories
| Category | Skills | Example Skills |
|----------|-------:|----------------|
| Cloud Security | 48 | AWS S3 Bucket Audit, Azure AD Configuration, GCP Security Assessment |
| Threat Intelligence | 43 | APT Group Analysis with MITRE Navigator, Campaign Attribution, Dark Web Monitoring |
| Web Application Security | 41 | HTTP Request Smuggling, XSS with Burp Suite, Web Cache Poisoning |
| Threat Hunting | 35 | Credential Dumping Detection, DNS Tunneling with Zeek, Living-off-the-Land Binaries |
| Malware Analysis | 34 | Cobalt Strike Beacon Config, Ghidra Reverse Engineering, YARA Rule Development |
| Digital Forensics | 34 | Disk Imaging with dd/dcfldd, Memory Forensics with Volatility3, Browser Forensics |
| SOC Operations | 33 | Windows Event Log Analysis, Splunk Detection Rules, SIEM Use Case Implementation |
| Network Security | 33 | Wireshark Traffic Analysis, VLAN Segmentation, Suricata IDS Configuration |
| Identity & Access Management | 33 | SAML SSO with Okta, Privileged Access Management, RBAC for Kubernetes |
| OT/ICS Security | 28 | SCADA System Attack Detection, Modbus Anomaly Detection, Purdue Model Segmentation |
| API Security | 28 | API Enumeration Detection, BOLA Exploitation, GraphQL Security Assessment |
| Container Security | 26 | Trivy Image Scanning, Falco Runtime Detection, Kubernetes Pod Security |
| Vulnerability Management | 24 | DefectDojo Dashboard, CVSS Scoring, Patch Management Workflow |
| Red Teaming | 24 | Sliver C2 Framework, BloodHound AD Analysis, Kerberoasting with Impacket |
| Incident Response | 24 | Ransomware Response, Cloud Incident Containment, Volatile Evidence Collection |
| Penetration Testing | 23 | External Network Pentest, Kubernetes Pentest, Active Directory Pentest |
| Zero Trust Architecture | 17 | HashiCorp Boundary, Zscaler ZTNA, BeyondCorp Access Model |
| Endpoint Security | 16 | CIS Benchmark Hardening, Windows Defender Configuration, Host-Based IDS |
| DevSecOps | 16 | GitLab CI Pipeline, Semgrep Custom SAST Rules, Secret Scanning with Gitleaks |
| Phishing Defense | 16 | Email Header Analysis, GoPhish Simulation, DMARC/DKIM/SPF Configuration |
| Cryptography | 13 | TLS 1.3 Configuration, HSM Key Storage, Certificate Authority with OpenSSL |
| Mobile Security | 12 | iOS App Analysis with Objection, Android Malware Reverse Engineering, Frida Hooking |
| Ransomware Defense | 5 | Ransomware Precursor Detection, Backup Strategy, Honeypot Detection |
| Compliance & Governance | 5 | GDPR Data Protection, ISO 27001 ISMS, PCI DSS Controls |
## How It Works
Each skill follows the [agentskills.io](https://agentskills.io) **progressive disclosure** pattern. During discovery, an AI agent reads only the YAML frontmatter (~30-50 tokens) to decide relevance:
```yaml
---
name: performing-memory-forensics-with-volatility3
description: Analyze memory dumps to extract processes, network connections, and malware artifacts using Volatility3.
domain: cybersecurity
subdomain: digital-forensics
tags: [forensics, memory-analysis, volatility3, incident-response]
---
```
If the skill matches the task, the agent loads the full body -- workflow steps, prerequisites, tool commands, and verification checks -- without wasting tokens on irrelevant skills.
## Compatible Platforms
These skills work with any tool that supports the agentskills.io standard or can read structured Markdown:
| Platform | Integration |
|----------|------------|
| **Claude Code** | Native skill loading via `/plugin` |
| **GitHub Copilot** | Workspace context via `.skills/` directory |
| **OpenAI Codex CLI** | File-based context injection |
| **Cursor** | Project rules and docs integration |
| **Gemini CLI** | Context file loading |
| **Amp** | Skill directory mounting |
| **Goose** | Plugin-based skill loading |
| **Windsurf** | Context awareness from project files |
| **Aider** | Repository map integration |
| **Continue** | Custom context providers |
| And 16+ others | Any agent that reads structured Markdown |
## Skill Anatomy
Every skill follows a consistent directory structure:
```
skills/cybersecurity/{skill-name}/
skills/{skill-name}/
├── SKILL.md # Skill definition with YAML frontmatter
│ ├── Frontmatter # name, description, domain, subdomain, tags
│ ├── When to Use # Trigger conditions for AI agents
│ ├── Prerequisites # Required tools and access
│ ├── Workflow # Step-by-step execution guide
│ └── Verification # How to confirm success
├── references/
│ ├── standards.md # Real standard numbers, CVE refs, NIST/MITRE links
│ ├── standards.md # NIST, MITRE ATT&CK, CVE references
│ └── workflows.md # Deep technical procedure reference
├── scripts/
│ └── process.py # Real practitioner helper script
│ └── process.py # Practitioner helper scripts
└── assets/
└── template.md # Real filled-in checklist/report template
└── template.md # Checklists and report templates
```
## Domains Covered
## Contributing
- Web Application Security
- Network Security
- Penetration Testing
- Red Teaming
- Digital Forensics & Incident Response (DFIR)
- Malware Analysis
- Threat Intelligence
- Cloud Security
- Container Security
- Identity & Access Management
- Cryptography
- Vulnerability Management
- Compliance & Governance
- Zero Trust Architecture
- OT/ICS Security
- DevSecOps
- And more...
## Usage
Each `SKILL.md` follows the agentskills.io open standard with YAML frontmatter and structured Markdown body.
We welcome contributions from the cybersecurity community. See [CONTRIBUTING.md](CONTRIBUTING.md) for guidelines on adding new skills, improving existing ones, and our review process.
## License
MIT
<a href="LICENSE"><img src="https://img.shields.io/badge/license-Apache_2.0-blue.svg?style=flat" alt="License"></a>
This project is licensed under the Apache License 2.0. See [LICENSE](LICENSE) for details.
assets/README.md
+13
View File
@@ -0,0 +1,13 @@
# Assets
This directory contains repository assets:
- `banner.png` — Repository social banner (1280×640px)
- `demo.gif` or `demo.svg` — Terminal demo animation
## Creating the Banner
Recommended: Use [Socialify](https://socialify.git.ci/mukul975/Anthropic-Cybersecurity-Skills) to generate a professional banner.
## Creating the Demo
Record with asciinema: `asciinema rec demo.cast`
Export as SVG: `svg-term --cast demo.cast --out demo.svg --window`
launch/awesome-list-submissions.md
+206
View File
@@ -0,0 +1,206 @@
# Awesome List Submission Guide
Structured guide for submitting Anthropic-Cybersecurity-Skills to relevant awesome lists on GitHub. Each entry includes the target repo, PR template, and submission notes.
---
## Priority Order
### 1. awesome-cybersecurity-agentic-ai (raphabot) -- HIGHEST PRIORITY
- **Repo:** https://github.com/raphabot/awesome-cybersecurity-agentic-ai
- **Section:** Skills / Knowledge Bases (or most relevant section)
- **Why highest priority:** Exact domain overlap -- cybersecurity + AI agents
**PR Title:**
```
Add Anthropic-Cybersecurity-Skills to Skills/Knowledge Bases
```
**PR Body:**
```markdown
Adding the first comprehensive cybersecurity skills database for AI agents.
611+ skills following the agentskills.io open standard, compatible with
Claude Code, GitHub Copilot, OpenAI Codex CLI, Cursor, and 20+ platforms.
**[Anthropic-Cybersecurity-Skills](https://github.com/mukul975/Anthropic-Cybersecurity-Skills)** — 611+ cybersecurity skills for AI agents following the agentskills.io open standard. Covers threat detection, incident response, penetration testing, digital forensics, cloud security, and more.
```
**Suggested list entry:**
```markdown
- [Anthropic-Cybersecurity-Skills](https://github.com/mukul975/Anthropic-Cybersecurity-Skills) — 611+ cybersecurity skills for AI agents following the agentskills.io open standard. Covers threat detection, incident response, penetration testing, digital forensics, cloud security, and more.
```
**Pre-submission checklist:**
- [ ] Read CONTRIBUTING.md in the target repo
- [ ] Verify the list entry matches their formatting conventions
- [ ] Ensure alphabetical ordering if required
- [ ] Star the awesome list repo before submitting
---
### 2. awesome-ai-security (TalEliyahu)
- **Repo:** https://github.com/TalEliyahu/awesome-ai-security
- **Section:** Tools / Resources (or AI Security Tools)
**PR Title:**
```
Add Anthropic-Cybersecurity-Skills — 611+ cybersecurity skills for AI agents
```
**PR Body:**
```markdown
## What is this?
A comprehensive cybersecurity skills database designed for AI coding agents. Contains 611+ skills covering the full cybersecurity domain: threat detection, incident response, penetration testing, digital forensics, cloud security, network security, malware analysis, and more.
## Why it fits this list
- AI agents using these skills can perform real security analysis tasks
- Follows the agentskills.io open standard (SKILL.md format)
- Compatible with Claude Code, GitHub Copilot, Cursor, Windsurf, and 20+ AI platforms
- Open source under MIT license
**Link:** https://github.com/mukul975/Anthropic-Cybersecurity-Skills
```
**Suggested list entry:**
```markdown
- [Anthropic-Cybersecurity-Skills](https://github.com/mukul975/Anthropic-Cybersecurity-Skills) — 611+ cybersecurity skills for AI coding agents. Covers threat detection, incident response, penetration testing, forensics, cloud security. agentskills.io standard.
```
---
### 3. awesome-security (sindresorhus ecosystem)
- **Repo:** https://github.com/sbilly/awesome-security
- **Section:** Other / Tools / AI-Assisted Security
**PR Title:**
```
Add Anthropic-Cybersecurity-Skills — cybersecurity skill library for AI agents
```
**PR Body:**
```markdown
Adding a cybersecurity skills database that enables AI coding agents to perform security tasks.
- 611+ structured skills across 12 cybersecurity subdomains
- Threat detection, incident response, penetration testing, digital forensics, cloud security, and more
- Follows the agentskills.io open standard (SKILL.md format)
- Compatible with Claude Code, GitHub Copilot, Cursor, and 20+ AI platforms
**Link:** https://github.com/mukul975/Anthropic-Cybersecurity-Skills
```
**Suggested list entry:**
```markdown
- [Anthropic-Cybersecurity-Skills](https://github.com/mukul975/Anthropic-Cybersecurity-Skills) — 611+ cybersecurity skills for AI agents covering threat detection, IR, pentesting, forensics, and cloud security.
```
---
### 4. awesome-pentest
- **Repo:** https://github.com/enaqx/awesome-pentest
- **Section:** Tools / AI-Assisted / Knowledge Bases
**PR Title:**
```
Add Anthropic-Cybersecurity-Skills — AI agent pentesting skills library
```
**PR Body:**
```markdown
A library of 611+ cybersecurity skills structured for AI coding agents. Includes dedicated penetration testing skills covering:
- Network penetration testing
- Web application security testing
- Wireless security assessment
- Social engineering simulation
- Red team operations
- Exploit development methodology
Skills follow the agentskills.io open standard and work with Claude Code, GitHub Copilot, Cursor, and 20+ platforms.
**Link:** https://github.com/mukul975/Anthropic-Cybersecurity-Skills
```
---
### 5. awesome-incident-response
- **Repo:** https://github.com/meirwah/awesome-incident-response
- **Section:** Tools / Knowledge Bases / AI-Assisted
**PR Title:**
```
Add Anthropic-Cybersecurity-Skills — AI-powered incident response skill library
```
**PR Body:**
```markdown
A structured skill library enabling AI agents to assist with incident response workflows. Includes skills for:
- Incident triage and classification
- Log analysis and correlation
- Forensic evidence collection
- Malware analysis and containment
- Post-incident reporting
- Threat hunting and detection
611+ skills total, with dedicated incident response coverage. agentskills.io open standard, compatible with Claude Code, Copilot, Cursor, and 20+ AI platforms.
**Link:** https://github.com/mukul975/Anthropic-Cybersecurity-Skills
```
---
### 6. awesome-threat-intelligence
- **Repo:** https://github.com/hslatman/awesome-threat-intelligence
- **Section:** Tools / Resources / AI-Assisted
**PR Title:**
```
Add Anthropic-Cybersecurity-Skills — threat intelligence skills for AI agents
```
**PR Body:**
```markdown
A skill library enabling AI agents to assist with threat intelligence tasks. Includes skills covering:
- OSINT collection and analysis
- Threat actor profiling
- IOC extraction and enrichment
- MITRE ATT&CK mapping
- Threat landscape assessment
- Intelligence report generation
Part of a 611+ skill library following the agentskills.io open standard. Compatible with Claude Code, GitHub Copilot, Cursor, and 20+ AI platforms.
**Link:** https://github.com/mukul975/Anthropic-Cybersecurity-Skills
```
---
## General Submission Process
1. **Fork** the target awesome list repository
2. **Read** their CONTRIBUTING.md and follow formatting rules exactly
3. **Add** the entry in the correct section, respecting alphabetical order
4. **Create PR** using the templates above, adjusting as needed
5. **Be patient** -- maintainers are volunteers; follow up politely after 2 weeks if no response
6. **Do not** submit to all lists on the same day; space submissions 2-3 days apart to avoid appearing spammy
## Tracking
| List | Submitted | PR Link | Status | Notes |
|------|-----------|---------|--------|-------|
| awesome-cybersecurity-agentic-ai | | | Pending | Highest priority |
| awesome-ai-security | | | Pending | |
| awesome-security | | | Pending | |
| awesome-pentest | | | Pending | |
| awesome-incident-response | | | Pending | |
| awesome-threat-intelligence | | | Pending | |
launch/conference-cfp-tracker.md
+127
View File
@@ -0,0 +1,127 @@
# Conference CFP Tracker
Track Call for Papers (CFP) deadlines and submission status for presenting Anthropic-Cybersecurity-Skills at security and AI conferences.
---
## Priority Target: Black Hat Arsenal
- **Event:** Black Hat USA 2026 Arsenal
- **Location:** Las Vegas, NV
- **Dates:** August 2026 (typically first week)
- **Deadline:** ~April 2026 (Arsenal CFP opens spring 2026)
- **Type:** Open-source tool showcase (Arsenal, not Briefings)
- **Requirements:**
- Working demo of the tool/project
- Open-source and publicly available
- Security-focused
- Live demonstration capability
- **Action Items:**
- [ ] Monitor https://www.blackhat.com/us-26/arsenal.html for CFP opening
- [ ] Prepare 2-minute elevator pitch
- [ ] Build live demo showing AI agent using skills for a security task
- [ ] Record backup demo video in case of technical issues
- [ ] Prepare poster/handout with QR code to repo
---
## All Conferences
| Conference | Type | Location | Estimated Dates | CFP Deadline | Submission Type | Status |
|-----------|------|----------|----------------|--------------|-----------------|--------|
| **Black Hat USA Arsenal** | Tool Demo | Las Vegas, NV | Aug 2026 | ~Apr 2026 | Arsenal submission | Monitoring |
| **DEF CON Demo Labs** | Tool Demo | Las Vegas, NV | Aug 2026 | ~May 2026 | Demo application | Monitoring |
| **BSides Las Vegas** | Talk/Workshop | Las Vegas, NV | Aug 2026 | ~Apr 2026 | CFP talk/workshop | Monitoring |
| **RSA Conference** | Talk/Expo | San Francisco, CA | Apr 2027 | ~Oct 2026 | Innovation Sandbox / talk | Future |
| **SANS Summits** | Talk | Various | Rolling | Rolling | Speaker application | Eligible |
| **ShmooCon** | Talk | Washington, DC | Jan 2027 | ~Oct 2026 | CFP talk | Future |
| **GrrCon** | Talk | Grand Rapids, MI | Oct 2026 | ~Jun 2026 | CFP talk | Monitoring |
| **DerbyCon / Louisville** | Talk | Louisville, KY | TBD | TBD | CFP talk | Check status |
| **Wild West Hackin' Fest** | Talk | Deadwood, SD | Oct 2026 | ~Jul 2026 | CFP talk | Monitoring |
| **Hack In The Box** | Talk | Various | Various | Various | CFP talk | Monitoring |
| **CanSecWest** | Talk | Vancouver, BC | Mar 2027 | ~Dec 2026 | CFP talk | Future |
| **Offensive Con** | Talk | Berlin, DE | Feb 2027 | ~Sep 2026 | CFP talk | Future |
| **NorthSec** | Talk/Workshop | Montreal, QC | May 2026 | ~Feb 2026 | CFP talk | Check if open |
| **AI Village (DEF CON)** | Talk/Demo | Las Vegas, NV | Aug 2026 | ~May 2026 | CFP talk/demo | Monitoring |
| **OWASP Global AppSec** | Talk | Various | Various | Various | CFP talk | Monitoring |
---
## Talk Abstract (Template)
**Title:** Building 611 Cybersecurity Skills for AI Agents: An Open Standard Approach
**Abstract:**
```
AI coding agents are increasingly used for security tasks, but they lack structured
cybersecurity knowledge. We present Anthropic-Cybersecurity-Skills, the first open-source
library of 611+ cybersecurity skills built on the agentskills.io standard. Each skill
is a self-contained SKILL.md file that any compatible AI agent can install and execute.
We cover the design of the skill format, the taxonomy across 12 cybersecurity subdomains
(threat detection, incident response, penetration testing, digital forensics, cloud
security, network security, malware analysis, and more), and live demonstrations of
AI agents performing real security tasks using these skills.
The project is open source (MIT), compatible with 20+ AI platforms including Claude Code,
GitHub Copilot, and Cursor, and designed for community contribution.
```
**Duration options:** Lightning talk (10 min), Standard talk (25-30 min), Workshop (60-90 min)
---
## Workshop Abstract (Template)
**Title:** Hands-On: Teaching AI Agents Cybersecurity with the agentskills.io Standard
**Abstract:**
```
In this hands-on workshop, attendees will learn how to create, install, and use
cybersecurity skills for AI coding agents. We start with installing existing skills
from the Anthropic-Cybersecurity-Skills library (611+ skills), then progress to
writing custom skills for specific security workflows.
Attendees will leave with:
- A working AI agent setup with cybersecurity skills installed
- Understanding of the SKILL.md format and agentskills.io standard
- A custom skill they authored during the workshop
- Knowledge of how to contribute back to the open-source project
Prerequisites: Laptop with an AI coding agent installed (Claude Code, Cursor, or similar).
```
---
## CFP Monitoring Resources
- **cfptime.org** -- Aggregated CFP deadlines across tech conferences
- **sec-deadlines.github.io** -- Security conference deadlines specifically
- **Twitter/X lists** -- Follow @BlackHatEvents, @defaborea, @BSidesLV, @RSAConference
- **Infosec CFP Calendar** -- https://infosec-conferences.com/cfp/
- **Lanyrd / Sessionize** -- Check for open CFPs
---
## Submission Tracking
| Conference | Submitted Date | Abstract Used | Status | Accepted? | Presentation Date | Notes |
|-----------|---------------|---------------|--------|-----------|-------------------|-------|
| | | | | | | |
---
## Demo Preparation Checklist
For any conference demo or Arsenal submission:
- [ ] Record 2-minute overview video
- [ ] Prepare offline fallback demo (no internet dependency)
- [ ] Create handout with repo QR code, key stats, and contact info
- [ ] Test skill installation flow end-to-end
- [ ] Prepare 3 compelling live demo scenarios:
1. Threat hunting with AI agent using detection skills
2. Incident response workflow guided by IR skills
3. Writing and installing a custom security skill
- [ ] Backup slides in case of demo failure
- [ ] Business cards or contact handouts
launch/hacker-news.md
+49
View File
@@ -0,0 +1,49 @@
# Hacker News - Show HN Post
## Title
Show HN: 611+ Cybersecurity Skills for AI Agents (agentskills.io open standard)
## Body
I built an open-source database of 611+ cybersecurity skills that AI agents can use to perform real security work -- from malware analysis with Volatility to cloud pen-testing with Pacu.
Each skill follows a structured format (YAML frontmatter + Markdown body) with:
- When to use (and when NOT to)
- Prerequisites and tool requirements
- Step-by-step workflows with real commands, not pseudocode
- References to real standards (NIST, MITRE ATT&CK, CIS)
- Practitioner helper scripts and report templates
The 611 skills cover 24 subdomains: cloud security, threat intelligence, web app security, threat hunting, malware analysis, digital forensics, SOC operations, network security, IAM, OT/ICS security, API security, container security, vulnerability management, red teaming, incident response, penetration testing, zero trust, phishing defense, endpoint security, DevSecOps, cryptography, mobile security, ransomware defense, and compliance/governance.
Why I built this: AI coding agents (Claude Code, Cursor, Copilot) are great at software engineering but have no structured cybersecurity knowledge. When you ask them to analyze a memory dump or triage a SIEM alert, they give generic advice instead of the precise Volatility plugin sequence or Splunk SPL query a practitioner would use.
The skills use "progressive disclosure" -- the frontmatter tells the agent WHEN to activate a skill, and the full body provides the HOW with exact commands, flags, and decision trees.
Format follows the agentskills.io open standard so any agent framework can consume them.
Repo: https://github.com/mukul975/Anthropic-Cybersecurity-Skills
Tech details:
- Each skill has SKILL.md + references/ + scripts/ + assets/
- Skills are tool-specific (not "use a scanner" but "use Nessus with these plugin families")
- Real CVE references, real MITRE ATT&CK technique IDs
- MIT licensed
Looking for contributors, especially practitioners who want to improve existing skills or add new ones in underrepresented areas (mobile security, OT/ICS, compliance).
## Timing
Post at 6:00 AM Pacific (9:00 AM Eastern) for maximum HN visibility. Tuesday through Thursday are optimal days.
## Engagement Rules
1. **Respond within 1 hour** of posting. Early engagement signals to the HN algorithm that the post is active and worth ranking higher.
2. **Be technical, not promotional.** Answer questions with specific technical details. Reference actual skill files, tool commands, and MITRE technique IDs.
3. **No vote requests.** Never ask anyone to upvote. This violates HN guidelines and can get the post flagged or penalized.
4. **Engage authentically.** If someone raises a valid criticism (e.g., "these skills are too shallow for real practitioners"), acknowledge it and explain the contribution model.
5. **Link to specific skills** when answering questions. For example: "Here's the actual Volatility skill that covers that -- [link to SKILL.md]"
6. **Avoid marketing language.** No "revolutionary," "game-changing," or "disrupting." Stick to factual descriptions of what the repo contains.
7. **Be prepared for skepticism.** HN users will question whether AI agents can actually do security work. Have concrete examples ready showing how an agent uses a skill file.
launch/metrics-tracker.md
+129
View File
@@ -0,0 +1,129 @@
# 30-Day Launch Metrics
Track key growth metrics for the first 30 days after public launch.
---
## Targets from Playbook
| Metric | Week 1 | Week 2 | Week 3 | Week 4 |
|--------|--------|--------|--------|--------|
| Stars | 150-400 | 400-800 | 800-1,200 | 1,200-2,000 |
| Forks | 15-40 | 40-80 | 80-120 | 120-200 |
| Contributors | 1-3 | 3-8 | 8-15 | 15-25 |
| Unique Visitors | 500-1,000 | 1,000-2,500 | 2,000-4,000 | 3,000-6,000 |
| Clones | 50-150 | 150-400 | 300-700 | 500-1,000 |
| Issues Opened | 5-15 | 15-30 | 25-50 | 40-75 |
| PRs Opened | 1-5 | 5-15 | 10-25 | 20-40 |
| Awesome List PRs Accepted | 0-1 | 1-2 | 2-4 | 3-6 |
---
## Daily Actuals
| Date | Day | Stars | Forks | Contributors | Unique Visitors | Clones | Issues | PRs | Notes |
|------|-----|-------|-------|--------------|-----------------|--------|--------|-----|-------|
| | 1 | | | | | | | | Launch day |
| | 2 | | | | | | | | |
| | 3 | | | | | | | | |
| | 4 | | | | | | | | |
| | 5 | | | | | | | | |
| | 6 | | | | | | | | |
| | 7 | | | | | | | | End of Week 1 |
| | 8 | | | | | | | | |
| | 9 | | | | | | | | |
| | 10 | | | | | | | | |
| | 11 | | | | | | | | |
| | 12 | | | | | | | | |
| | 13 | | | | | | | | |
| | 14 | | | | | | | | End of Week 2 |
| | 15 | | | | | | | | |
| | 16 | | | | | | | | |
| | 17 | | | | | | | | |
| | 18 | | | | | | | | |
| | 19 | | | | | | | | |
| | 20 | | | | | | | | |
| | 21 | | | | | | | | End of Week 3 |
| | 22 | | | | | | | | |
| | 23 | | | | | | | | |
| | 24 | | | | | | | | |
| | 25 | | | | | | | | |
| | 26 | | | | | | | | |
| | 27 | | | | | | | | |
| | 28 | | | | | | | | End of Week 4 |
| | 29 | | | | | | | | |
| | 30 | | | | | | | | 30-day mark |
---
## Weekly Summary
| Week | Stars (Total) | Stars (Delta) | Forks (Total) | Forks (Delta) | Contributors | Top Referrer | Notes |
|------|--------------|---------------|---------------|----------------|--------------|-------------|-------|
| 1 | | | | | | | |
| 2 | | | | | | | |
| 3 | | | | | | | |
| 4 | | | | | | | |
---
## Traffic Sources
Track where visitors come from (GitHub Insights > Traffic):
| Source | Week 1 | Week 2 | Week 3 | Week 4 |
|--------|--------|--------|--------|--------|
| GitHub Search | | | | |
| Direct / Bookmark | | | | |
| Reddit | | | | |
| Twitter/X | | | | |
| Hacker News | | | | |
| Awesome Lists | | | | |
| LinkedIn | | | | |
| Other | | | | |
---
## Content & Outreach Tracking
| Action | Date | Platform | Link | Engagement | Notes |
|--------|------|----------|------|------------|-------|
| Launch post | | Reddit r/cybersecurity | | | |
| Launch post | | Reddit r/netsec | | | |
| Launch post | | Hacker News | | | |
| Launch tweet | | Twitter/X | | | |
| LinkedIn post | | LinkedIn | | | |
| awesome-cybersecurity-agentic-ai PR | | GitHub | | | |
| awesome-ai-security PR | | GitHub | | | |
| awesome-security PR | | GitHub | | | |
| Demo video 1 | | YouTube | | | |
| Demo video 2 | | YouTube | | | |
| Demo video 3 | | YouTube | | | |
---
## Milestones
| Milestone | Target Date | Actual Date | Notes |
|-----------|------------|-------------|-------|
| First external star | Day 1 | | |
| First external fork | Day 1-2 | | |
| 100 stars | Week 1 | | |
| First external issue | Week 1 | | |
| First external PR | Week 1-2 | | |
| First awesome list acceptance | Week 2 | | |
| 500 stars | Week 2-3 | | |
| First external contributor merged | Week 2-3 | | |
| 1,000 stars | Week 3-4 | | |
| Featured in newsletter/blog | Week 2-4 | | |
| Conference talk accepted | Month 2+ | | |
---
## How to Collect Metrics
- **Stars/Forks:** GitHub repo page or `gh api repos/mukul975/Anthropic-Cybersecurity-Skills`
- **Unique Visitors/Clones:** GitHub Insights > Traffic (Settings > Insights, requires admin)
- **Referrers:** GitHub Insights > Traffic > Referring sites
- **Issues/PRs:** GitHub Issues/PR tabs or `gh issue list` / `gh pr list`
- **Contributors:** `git shortlog -sn --all` or GitHub Insights > Contributors
launch/reddit-posts.md
+196
View File
@@ -0,0 +1,196 @@
# Reddit Launch Posts
## Timing Guidance
- Space posts **2 hours apart** to avoid spam detection and maximize individual post visibility.
- Post **Tuesday through Thursday** for best engagement.
- Optimal window: **9:00 AM - 12:00 PM EST**.
- Suggested schedule: first post at 9:00 AM EST, second at 11:00 AM EST, third at 1:00 PM EST, then remaining posts over the following day.
- Do NOT cross-post (use Reddit's crosspost feature). Write unique copy for each subreddit.
---
## 1. r/netsec (~540K subscribers) -- Technical Focus
**Title:** Open-source database of 611+ structured cybersecurity skills for AI agents -- covers DFIR, malware analysis, cloud pentesting, and more
**Body:**
I've been building an open-source database of cybersecurity skills formatted for AI agent consumption. There are 611 skills across 24 subdomains, each following a structured YAML + Markdown format.
What makes this different from a wiki or cheat sheet:
- **Progressive disclosure architecture**: YAML frontmatter tells the agent WHEN to activate (trigger conditions, prerequisites), and the Markdown body provides the HOW (exact commands, tool flags, decision trees).
- **Tool-specific, not generic**: Skills reference specific tools with real commands. "Analyzing Memory Dumps with Volatility" includes the actual `vol3` plugin sequence, not "use a memory forensics tool."
- **Real references**: MITRE ATT&CK technique IDs, NIST control mappings, actual CVE numbers, CIS benchmark references.
- **Practitioner scripts and templates**: Each skill can include helper scripts and filled-in report/checklist templates.
Subdomain breakdown:
- Cloud Security (48 skills) -- AWS, Azure, GCP specific
- Threat Intelligence (43) -- STIX/TAXII, MISP, diamond model
- Web App Security (41) -- OWASP Top 10, specific injection types
- Threat Hunting (35) -- hypothesis-driven, ATT&CK-mapped
- Malware Analysis (34) -- static, dynamic, reverse engineering
- Digital Forensics (34) -- disk, memory, network, mobile
- Plus 18 more subdomains
Repo: https://github.com/mukul975/Anthropic-Cybersecurity-Skills
Format follows the agentskills.io open standard. MIT licensed. Looking for practitioner contributors.
---
## 2. r/cybersecurity (~1M+ subscribers) -- Broader Audience
**Title:** I built an open-source library of 611 cybersecurity skills that AI agents can actually use -- from memory forensics to cloud pentesting
**Body:**
AI coding agents like Claude Code and GitHub Copilot are increasingly used for security tasks, but they lack structured cybersecurity knowledge. When you ask them to analyze a suspicious process or triage a SIEM alert, you get generic advice instead of the specific Volatility plugin, Splunk query, or Nessus configuration a practitioner would use.
I built an open-source database of 611 cybersecurity skills designed to give AI agents real practitioner-level knowledge.
**What each skill includes:**
- When to use it (and when NOT to)
- Tool-specific prerequisites
- Step-by-step workflows with exact commands
- References to MITRE ATT&CK, NIST, CIS benchmarks
- Helper scripts and report templates
**Coverage across 24 subdomains:**
Cloud Security, Threat Intelligence, Web App Security, Threat Hunting, Malware Analysis, Digital Forensics, SOC Operations, Network Security, IAM, OT/ICS Security, API Security, Container Security, Vulnerability Management, Red Teaming, Incident Response, Penetration Testing, Zero Trust, Phishing Defense, Endpoint Security, DevSecOps, Cryptography, Mobile Security, Ransomware Defense, Compliance & Governance.
The skills use a "progressive disclosure" format -- the YAML frontmatter gives the agent enough context to know when to activate, and the full body has the detailed procedure.
Repo: https://github.com/mukul975/Anthropic-Cybersecurity-Skills
MIT licensed. Looking for contributors, especially from practitioners who want to encode their expertise into a format AI agents can use.
---
## 3. r/blueteamsec (~34K subscribers) -- Defensive Focus
**Title:** Open-source skill library for AI-assisted blue team operations -- 611 skills covering DFIR, threat hunting, SOC operations, and detection engineering
**Body:**
Built an open-source database of 611 cybersecurity skills structured for AI agent consumption, with strong coverage of defensive operations:
**Blue team coverage:**
- **Threat Hunting (35 skills)**: Hypothesis-driven hunts for beaconing, LOLBins, persistence mechanisms, DNS tunneling, lateral movement, supply chain compromise
- **SOC Operations (33 skills)**: Alert triage, detection rule building (Sigma, Splunk SPL), SOAR playbooks, escalation matrices, metrics/KPI tracking
- **Incident Response (24 skills)**: Containment procedures, forensic collection, timeline reconstruction, ransomware response, lessons learned
- **Digital Forensics (34 skills)**: Memory forensics with Volatility, disk analysis with Autopsy, network forensics with Wireshark/Zeek, timeline analysis with Plaso
- **Threat Intelligence (43 skills)**: STIX/TAXII integration, MISP feeds, IOC enrichment, threat actor profiling, diamond model analysis
- **Detection Engineering**: Sigma rules, Splunk SPL queries, Suricata rules, Zeek scripts
Each skill includes the exact tool commands, decision trees, and real framework references (MITRE ATT&CK techniques, NIST controls) that a practitioner would use.
The format is designed so AI agents (Claude Code, Copilot, etc.) can use these skills to assist with real security work -- not replace analysts, but give them an AI assistant that actually knows the right Volatility plugin or Splunk query.
Repo: https://github.com/mukul975/Anthropic-Cybersecurity-Skills
MIT licensed. Contributions welcome -- especially from SOC analysts and IR practitioners.
---
## 4. r/hacking
**Title:** 611 cybersecurity skills structured for AI agents -- open-source, covers pentesting, red teaming, malware analysis, forensics, and more
**Body:**
Open-sourced a database of 611 cybersecurity skills that AI agents can use to assist with real security work.
Skills cover both offensive and defensive domains:
- **Penetration Testing (23 skills)**: Web app, network, cloud, mobile, AD, wireless
- **Red Teaming (24 skills)**: C2 infrastructure, lateral movement, persistence, AD attack paths
- **Malware Analysis (34 skills)**: Reverse engineering with Ghidra, dynamic analysis with CAPE/Cuckoo, packed malware unpacking
- **Web App Security (41 skills)**: SQLi, XSS, SSRF, deserialization, race conditions, request smuggling
- **Network Security (33 skills)**: Nmap, Wireshark, Suricata, Zeek, ARP spoofing, VLAN hopping
Each skill has real commands, not pseudocode. The Metasploit skill has actual `msfconsole` commands. The SQLMap skill has actual flags and tamper scripts. The Bloodhound skill has actual Cypher queries.
Format: YAML frontmatter + structured Markdown. Follows the agentskills.io open standard.
Repo: https://github.com/mukul975/Anthropic-Cybersecurity-Skills
MIT licensed. PRs welcome.
---
## 5. r/redteamsec
**Title:** Open-source AI agent skills for red team operations -- AD attack paths, C2 infrastructure, lateral movement, persistence techniques
**Body:**
I built a structured skill database for AI agents that includes significant red team coverage:
- **Red Teaming (24 skills)**: C2 with Sliver/Havoc, AD attack simulation, engagement planning, purple team exercises
- **Penetration Testing (23 skills)**: Full-scope pentesting, AD pentesting, cloud pentesting with Pacu/ScoutSuite, wireless with Aircrack-ng
- **Active Directory**: Bloodhound CE, Kerberoasting with Impacket, DCSync, constrained delegation abuse, NoPac, Zerologon, certificate services ESC1
- **Web exploitation**: SQLi, SSRF, deserialization, template injection, prototype pollution, request smuggling, race conditions
Each skill is structured with YAML frontmatter (triggers, prerequisites, tags) and a Markdown body with exact tool commands, decision trees, and MITRE ATT&CK mappings.
The idea: give AI agents the structured knowledge to assist with authorized security testing, not replace operators but augment them with instant recall of the right tool flag or attack chain.
Repo: https://github.com/mukul975/Anthropic-Cybersecurity-Skills
MIT licensed. Would especially appreciate contributions from red teamers on evasion techniques and emerging TTPs.
---
## 6. r/artificial
**Title:** Built 611 cybersecurity skills for AI agents -- how structured knowledge databases can make AI actually useful for specialized domains
**Body:**
AI coding agents (Claude Code, Cursor, GitHub Copilot) are powerful at general software engineering, but they struggle with specialized domains like cybersecurity. Ask them to analyze a memory dump and you get vague advice. Give them a structured skill file with the exact Volatility plugin sequence and decision tree, and they become genuinely useful.
I built an open-source database of 611 cybersecurity skills structured for AI agent consumption:
**The core insight: progressive disclosure**
The skills use a two-layer architecture:
1. **YAML frontmatter** -- Tells the agent WHEN to activate: skill name, description, domain/subdomain, tags. This is what gets indexed and matched against user queries.
2. **Markdown body** -- The HOW: step-by-step workflows with exact commands, tool flags, decision trees, validation steps. Only loaded when the skill activates.
This mirrors how human expertise works -- a senior analyst doesn't consciously think through every step of memory forensics until they need to, but they know instantly when it's the right approach.
**24 subdomains, 611 skills** covering cloud security, malware analysis, threat hunting, incident response, penetration testing, red teaming, and more.
The format follows the agentskills.io open standard, so any agent framework can index and use these skills.
Repo: https://github.com/mukul975/Anthropic-Cybersecurity-Skills
Interested in the broader question: how do we build domain-specific knowledge layers for AI agents? Cybersecurity is just one domain -- the same pattern could work for medicine, law, finance, etc.
---
## 7. r/opensource
**Title:** Open-sourced 611 cybersecurity skills for AI agents -- MIT licensed, structured for any agent framework
**Body:**
I've open-sourced a database of 611 cybersecurity skills designed for AI agent consumption.
**Why this exists:** AI agents are increasingly used for security tasks, but they lack the structured, tool-specific knowledge that practitioners have. This database encodes that knowledge in a format any AI agent can use.
**What's in it:**
- 611 skills across 24 cybersecurity subdomains
- Each skill: YAML frontmatter + structured Markdown with real commands
- References to MITRE ATT&CK, NIST, CIS benchmarks
- Helper scripts and report templates
- Follows the agentskills.io open standard
**Tech stack:** Pure Markdown + YAML. No build system, no dependencies. Any tool that can read files can use these skills.
**License:** MIT
**Contributing:** Looking for cybersecurity practitioners who want to improve existing skills or add new ones. The format is simple -- if you can write a runbook, you can contribute a skill.
Repo: https://github.com/mukul975/Anthropic-Cybersecurity-Skills
launch/twitter-thread.md
+89
View File
@@ -0,0 +1,89 @@
# Twitter/X Launch Thread
Post as a thread. Pin the first tweet. Include the repo link in tweet 1 and tweet 7.
---
## Tweet 1 (268 characters)
I just open-sourced 611 cybersecurity skills for AI agents.
From malware analysis with Volatility to cloud pentesting with Pacu -- structured so Claude Code, Copilot, and any AI agent can use them.
MIT licensed. All 24 subdomains of cybersecurity.
github.com/mukul975/Anthropic-Cybersecurity-Skills
---
## Tweet 2 (277 characters)
The problem: AI agents are great at coding but terrible at cybersecurity.
Ask Claude to analyze a memory dump and you get generic advice.
Give it a structured skill with the exact Volatility plugin sequence, and it gives you the precise commands a senior analyst would use.
---
## Tweet 3 (270 characters)
Each skill uses progressive disclosure:
YAML frontmatter = WHEN to activate (triggers, domain, tags)
Markdown body = HOW to execute (exact commands, decision trees, validation)
The agent loads the frontmatter for routing, then the full body only when it needs the details.
---
## Tweet 4 (280 characters)
611 skills across 24 subdomains:
- Cloud Security (48)
- Threat Intelligence (43)
- Web App Security (41)
- Threat Hunting (35)
- Malware Analysis (34)
- Digital Forensics (34)
- SOC Operations (33)
- Network Security (33)
- IAM (33)
- OT/ICS Security (28)
- And 14 more
---
## Tweet 5 (257 characters)
These aren't generic cheat sheets. Every skill has:
- Real tool commands (not "use a scanner")
- MITRE ATT&CK technique IDs
- NIST/CIS benchmark references
- Decision trees for edge cases
- Practitioner helper scripts
- Filled-in report templates
---
## Tweet 6 (243 characters)
Why this matters for the security industry:
AI agents will increasingly assist with security work. The question isn't IF but HOW WELL.
Structured skill databases are how we go from "vaguely helpful AI" to "AI that knows the right Splunk query for T1059.001."
---
## Tweet 7 (248 characters)
The repo is MIT licensed and follows the agentskills.io open standard.
Looking for contributors -- especially practitioners who want to encode their expertise for AI agents.
If you write runbooks, you can write skills.
github.com/mukul975/Anthropic-Cybersecurity-Skills
mappings/README.md
+87
View File
@@ -0,0 +1,87 @@
# Security Framework Mappings
This directory maps the 607+ cybersecurity skills in this repository to industry-standard security frameworks, enabling practitioners and AI agents to discover relevant skills through the lens of established security models.
## Supported Frameworks
### MITRE ATT&CK v15
The [MITRE ATT&CK](https://attack.mitre.org/) framework is a globally accessible knowledge base of adversary tactics and techniques based on real-world observations. Skills are mapped to:
- **Tactics** (TA00xx) -- the adversary's tactical goals during an operation
- **Techniques** (T1xxx) -- the specific methods used to achieve those goals
- **Sub-techniques** (T1xxx.xxx) -- more granular variations of techniques
See [`mitre-attack/`](mitre-attack/) for the full mapping and coverage analysis.
### NIST Cybersecurity Framework 2.0
The [NIST CSF 2.0](https://www.nist.gov/cyberframework) provides a taxonomy of high-level cybersecurity outcomes organized into 6 core functions:
| Function | Code | Description |
|----------|------|-------------|
| Govern | GV | Establishing and monitoring cybersecurity risk management strategy |
| Identify | ID | Understanding organizational cybersecurity risk |
| Protect | PR | Safeguarding assets through security controls |
| Detect | DE | Finding and analyzing cybersecurity events |
| Respond | RS | Taking action regarding detected incidents |
| Recover | RC | Restoring capabilities after an incident |
See [`nist-csf/`](nist-csf/) for the full alignment and category mapping.
### OWASP Top 10 (2025)
The [OWASP Top 10](https://owasp.org/www-project-top-ten/) represents the most critical security risks to web applications. Skills are mapped to each risk category to provide hands-on remediation and testing capabilities.
See [`owasp/`](owasp/) for the full mapping.
## How Mappings Work
Each skill in this repository has YAML frontmatter with `domain`, `subdomain`, and `tags` fields. Framework mappings aggregate skills by subdomain relevance and tag correlation:
```
Skill YAML frontmatter
-> subdomain (e.g., "penetration-testing")
-> tags (e.g., ["mitre-attack", "privilege-escalation"])
-> Framework mapping (e.g., ATT&CK TA0004 Privilege Escalation)
```
Mappings are maintained at the subdomain level for scalability. Individual skills may also carry framework-specific tags in their frontmatter for precise lookups.
## Subdomain Distribution (607 skills)
| Subdomain | Skills | Primary Frameworks |
|-----------|--------|--------------------|
| cloud-security | 48 | ATT&CK, NIST CSF |
| threat-intelligence | 43 | ATT&CK, NIST CSF |
| web-application-security | 41 | ATT&CK, OWASP |
| threat-hunting | 35 | ATT&CK, NIST CSF |
| digital-forensics | 34 | ATT&CK, NIST CSF |
| malware-analysis | 34 | ATT&CK, NIST CSF |
| identity-access-management | 33 | ATT&CK, NIST CSF |
| network-security | 33 | ATT&CK, NIST CSF |
| soc-operations | 33 | ATT&CK, NIST CSF |
| api-security | 28 | OWASP, ATT&CK |
| ot-ics-security | 28 | ATT&CK (ICS), NIST CSF |
| container-security | 26 | ATT&CK, NIST CSF |
| incident-response | 24 | ATT&CK, NIST CSF |
| vulnerability-management | 24 | ATT&CK, NIST CSF, OWASP |
| penetration-testing | 23 | ATT&CK |
| red-teaming | 24 | ATT&CK |
| devsecops | 16 | NIST CSF, OWASP |
| endpoint-security | 16 | ATT&CK, NIST CSF |
| phishing-defense | 16 | ATT&CK, NIST CSF |
| cryptography | 13 | NIST CSF |
| zero-trust-architecture | 13 | NIST CSF |
| mobile-security | 12 | ATT&CK (Mobile), OWASP |
| compliance-governance | 5 | NIST CSF |
| ransomware-defense | 5 | ATT&CK, NIST CSF |
## Contributing
To add or update a framework mapping:
1. Identify the skill subdomain and relevant framework category
2. Update the corresponding mapping file in the framework directory
3. Ensure the skill's YAML frontmatter tags reflect the mapping
4. Submit a pull request with the mapping justification
mappings/mitre-attack/README.md
+102
View File
@@ -0,0 +1,102 @@
# MITRE ATT&CK Mapping
This directory maps the cybersecurity skills in this repository to the [MITRE ATT&CK](https://attack.mitre.org/) framework (Enterprise v15).
## Overview
MITRE ATT&CK is a curated knowledge base and model for cyber adversary behavior, reflecting the various phases of an adversary's lifecycle and the platforms they target. This mapping connects our hands-on skills to ATT&CK tactics and techniques, enabling:
- **Threat-informed defense** -- prioritize skill development based on real adversary behavior
- **Gap analysis** -- identify ATT&CK techniques not yet covered by available skills
- **Purple team exercises** -- pair offensive (red team) and defensive (blue team) skills for each technique
- **Agent-driven discovery** -- AI agents can query skills by ATT&CK ID for automated security workflows
## Mapping Methodology
### Tactic Mapping (TA00xx)
Each of the 14 ATT&CK Enterprise tactics represents a distinct adversary objective. Skills are mapped to tactics based on which adversary goal they help achieve (offensive) or defend against (defensive):
| Tactic | ID | Offensive Skills | Defensive Skills |
|--------|-----|-----------------|------------------|
| Reconnaissance | TA0043 | penetration-testing, red-teaming | threat-intelligence, phishing-defense |
| Resource Development | TA0042 | red-teaming | threat-intelligence |
| Initial Access | TA0001 | web-application-security, penetration-testing | phishing-defense, endpoint-security |
| Execution | TA0002 | penetration-testing, red-teaming | malware-analysis, endpoint-security, soc-operations |
| Persistence | TA0003 | red-teaming, penetration-testing | threat-hunting, digital-forensics, endpoint-security |
| Privilege Escalation | TA0004 | penetration-testing, red-teaming | endpoint-security, identity-access-management |
| Defense Evasion | TA0005 | red-teaming | malware-analysis, endpoint-security, threat-hunting |
| Credential Access | TA0006 | penetration-testing, red-teaming | identity-access-management, soc-operations |
| Discovery | TA0007 | penetration-testing, red-teaming | threat-hunting, network-security |
| Lateral Movement | TA0008 | red-teaming, penetration-testing | network-security, threat-hunting, soc-operations |
| Collection | TA0009 | red-teaming | digital-forensics, threat-hunting |
| Command and Control | TA0011 | red-teaming | threat-intelligence, network-security, soc-operations |
| Exfiltration | TA0010 | red-teaming | threat-hunting, digital-forensics, network-security |
| Impact | TA0040 | red-teaming | ransomware-defense, incident-response |
### Technique Mapping (T1xxx)
Skills are mapped to specific techniques based on their content. Examples:
| Technique | ID | Example Skills |
|-----------|-----|---------------|
| Phishing | T1566 | analyzing-phishing-email-headers, analyzing-certificate-transparency-for-phishing |
| Exploit Public-Facing Application | T1190 | web-application-security skills (SQL injection, XSS, SSRF) |
| OS Credential Dumping | T1003 | penetration-testing credential harvesting skills |
| PowerShell | T1059.001 | analyzing-windows-event-logs-in-splunk, malware-analysis skills |
| Remote Services | T1021 | network-security lateral movement skills |
| Data Encrypted for Impact | T1486 | analyzing-ransomware-encryption-mechanisms |
| Command and Scripting Interpreter | T1059 | malware-analysis script deobfuscation skills |
| Scheduled Task/Job | T1053 | analyzing-malware-persistence-with-autoruns |
| Registry Run Keys | T1547.001 | analyzing-windows-registry-for-artifacts |
| DLL Side-Loading | T1574.002 | analyzing-bootkit-and-rootkit-samples |
### Sub-technique Mapping (T1xxx.xxx)
Where applicable, skills are mapped to sub-techniques for precision. For example:
- `T1566.001` (Spearphishing Attachment) -- analyzing-email-headers-for-phishing-investigation
- `T1566.002` (Spearphishing Link) -- analyzing-certificate-transparency-for-phishing
- `T1003.001` (LSASS Memory) -- analyzing-memory-dumps-with-volatility
## ATT&CK Navigator Integration
You can visualize our skill coverage using the [ATT&CK Navigator](https://mitre-attack.github.io/attack-navigator/). To generate a Navigator layer:
1. Use the coverage summary in [`coverage-summary.md`](coverage-summary.md) to identify covered tactics
2. Import the tactic/technique IDs into a Navigator layer JSON
3. Color-code by coverage depth (number of skills per technique)
### Suggested Color Scale
| Coverage | Color | Meaning |
|----------|-------|---------|
| 0 skills | White | No coverage -- gap |
| 1-2 skills | Light blue | Basic coverage |
| 3-5 skills | Medium blue | Moderate coverage |
| 6+ skills | Dark blue | Strong coverage |
## Skill Tag Convention
Skills relevant to ATT&CK carry these tags in their YAML frontmatter:
- `mitre-attack` -- general ATT&CK relevance (56 skills currently tagged)
- Technique-specific tags like `privilege-escalation`, `lateral-movement`, `persistence`
- Tool-specific tags that map to ATT&CK software entries (e.g., `cobalt-strike`, `mimikatz`)
## How to Contribute Mappings
1. **Identify the skill** -- Read the skill's SKILL.md to understand what it teaches
2. **Find the ATT&CK technique** -- Search [attack.mitre.org](https://attack.mitre.org/) for the matching technique
3. **Determine offensive vs. defensive** -- Is the skill about performing or detecting/preventing the technique?
4. **Update the mapping** -- Add the technique ID to the appropriate table in this directory
5. **Update skill tags** -- Add `mitre-attack` and technique-specific tags to the skill's frontmatter
6. **Submit a PR** -- Include the ATT&CK technique URL as justification
## References
- [MITRE ATT&CK Enterprise Matrix](https://attack.mitre.org/matrices/enterprise/)
- [MITRE ATT&CK Navigator](https://mitre-attack.github.io/attack-navigator/)
- [ATT&CK v15 Release Notes](https://attack.mitre.org/resources/updates/)
- [MITRE ATT&CK for ICS](https://attack.mitre.org/matrices/ics/) -- relevant for ot-ics-security skills
- [MITRE ATT&CK for Mobile](https://attack.mitre.org/matrices/mobile/) -- relevant for mobile-security skills