diff --git a/README.md b/README.md index 02f161f4..ca752087 100644 --- a/README.md +++ b/README.md @@ -2,203 +2,154 @@ Anthropic Cybersecurity Skills

-

- License - Stars - Frameworks - Skills - agentskills.io - Platforms -

+
-

- 754 production-grade cybersecurity skills for AI agents — mapped to 5 industry frameworks -

+# Anthropic Cybersecurity Skills -

- MITRE ATT&CK · NIST CSF 2.0 · MITRE ATLAS · MITRE D3FEND · NIST AI RMF -

+### The largest open-source cybersecurity skills library for AI agents -> ⚠️ **Community Project** — This is an independent, community-created project. Not affiliated with Anthropic PBC. +[![License](https://img.shields.io/badge/License-Apache_2.0-blue.svg?style=flat-square)](LICENSE) +[![Skills](https://img.shields.io/badge/skills-754-brightgreen?style=flat-square)](#whats-inside--26-security-domains) +[![Frameworks](https://img.shields.io/badge/frameworks-5-orange?style=flat-square)](#five-frameworks-one-skill-library) +[![Domains](https://img.shields.io/badge/domains-26-9cf?style=flat-square)](#whats-inside--26-security-domains) +[![Platforms](https://img.shields.io/badge/platforms-26%2B-blueviolet?style=flat-square)](#compatible-platforms) +[![GitHub stars](https://img.shields.io/github/stars/mukul975/Anthropic-Cybersecurity-Skills?style=flat-square)](https://github.com/mukul975/Anthropic-Cybersecurity-Skills/stargazers) +[![GitHub forks](https://img.shields.io/github/forks/mukul975/Anthropic-Cybersecurity-Skills?style=flat-square)](https://github.com/mukul975/Anthropic-Cybersecurity-Skills/network/members) +[![Last Commit](https://img.shields.io/github/last-commit/mukul975/Anthropic-Cybersecurity-Skills?style=flat-square)](https://github.com/mukul975/Anthropic-Cybersecurity-Skills/commits/main) +[![agentskills.io](https://img.shields.io/badge/standard-agentskills.io-ff6600?style=flat-square)](https://agentskills.io) +[![PRs Welcome](https://img.shields.io/badge/PRs-welcome-brightgreen.svg?style=flat-square)](CONTRIBUTING.md) + +**754 production-grade cybersecurity skills · 26 security domains · 5 framework mappings · 26+ AI platforms** + +[Get Started](#quick-start) · [What's Inside](#whats-inside--26-security-domains) · [Frameworks](#five-frameworks-one-skill-library) · [Platforms](#compatible-platforms) · [Contributing](#contributing) + +
--- -## Why this exists +> ⚠️ **Community Project** — This is an independent, community-created project. Not affiliated with Anthropic PBC. -AI agents are transforming cybersecurity — but they lack structured domain knowledge. A junior analyst knows which Volatility3 plugin to run on a suspicious memory dump. Your AI agent doesn't — unless you give it the skills. +## Give any AI agent the security skills of a senior analyst -**Anthropic Cybersecurity Skills** gives every AI agent instant access to **754 production-grade cybersecurity skills** spanning 26 security domains. Each skill follows the [agentskills.io](https://agentskills.io) open standard: YAML frontmatter for lightning-fast discovery, structured Markdown for step-by-step execution, and reference files for deep technical context. +A junior analyst knows which Volatility3 plugin to run on a suspicious memory dump, which Sigma rules catch Kerberoasting, and how to scope a cloud breach across three providers. **Your AI agent doesn't — unless you give it these skills.** -**What makes v1.2.0 different from every other security skills repo:** +This repo contains **754 structured cybersecurity skills** spanning **26 security domains**, each following the [agentskills.io](https://agentskills.io) open standard. Every skill is mapped to **five industry frameworks** — MITRE ATT&CK, NIST CSF 2.0, MITRE ATLAS, MITRE D3FEND, and NIST AI RMF — making this the only open-source skills library with unified cross-framework coverage. Clone it, point your agent at it, and your next security investigation gets expert-level guidance in seconds. -- **5-framework mapping** — Every skill is mapped to MITRE ATT&CK, NIST CSF 2.0, MITRE ATLAS v5.5, MITRE D3FEND v1.3, and NIST AI RMF 1.0. No other open-source library does this. -- **AI-native format** — Skills cost ~30 tokens to scan, provide full expert-level guidance when triggered, and work across 26+ AI agent platforms. -- **Real practitioner knowledge** — Not generated summaries. Structured workflows that mirror how senior security professionals actually work. +## Five frameworks, one skill library -## 🚀 Quick start +No other open-source skills library maps every skill to all five frameworks. One skill, five compliance checkboxes. + +| Framework | Version | Scope in this repo | What it maps | +|---|---|---|---| +| [MITRE ATT&CK](https://attack.mitre.org) | v18 | 14 tactics · 200+ techniques | Adversary behaviors and TTPs | +| [NIST CSF 2.0](https://www.nist.gov/cyberframework) | 2.0 | 6 functions · 22 categories | Organizational security posture | +| [MITRE ATLAS](https://atlas.mitre.org) | v5.4 | 16 tactics · 84 techniques | AI/ML adversarial threats | +| [MITRE D3FEND](https://d3fend.mitre.org) | v1.3 | 7 categories · 267 techniques | Defensive countermeasures | +| [NIST AI RMF](https://airc.nist.gov/AI_RMF) | 1.0 | 4 functions · 72 subcategories | AI risk management | + +**Example — a single skill maps across all five:** + +| Skill | ATT&CK | NIST CSF | ATLAS | D3FEND | AI RMF | +|---|---|---|---|---|---| +| `analyzing-network-traffic-of-malware` | T1071 | DE.CM | AML.T0047 | D3-NTA | MEASURE-2.6 | + +## Quick start ```bash # Option 1: npx (recommended) npx skills add mukul975/Anthropic-Cybersecurity-Skills -# Option 2: Claude Code -/plugin marketplace add mukul975/Anthropic-Cybersecurity-Skills - -# Option 3: Manual clone +# Option 2: Git clone git clone https://github.com/mukul975/Anthropic-Cybersecurity-Skills.git cd Anthropic-Cybersecurity-Skills ``` -Works immediately with Claude Code, GitHub Copilot, OpenAI Codex CLI, Cursor, Gemini CLI, and any MCP-compatible agent. +Works immediately with Claude Code, GitHub Copilot, OpenAI Codex CLI, Cursor, Gemini CLI, and any [agentskills.io](https://agentskills.io)-compatible platform. -## 📖 Table of contents +## Why this exists -- [🛡️ What's inside](#️-whats-inside) -- [🗺️ Framework coverage](#️-framework-coverage) -- [🤖 Compatible platforms](#-compatible-platforms) -- [📐 Skill structure](#-skill-structure) -- [🧠 How AI agents use these skills](#-how-ai-agents-use-these-skills) -- [📝 Example skills](#-example-skills) -- [👥 Contributing](#-contributing) -- [⭐ Star history](#-star-history) -- [📄 License](#-license) +The cybersecurity workforce gap hit **4.8 million unfilled roles** globally in 2024 (ISC2). AI agents can help close that gap — but only if they have structured domain knowledge to work from. Today's agents can write code and search the web, but they lack the practitioner playbooks that turn a generic LLM into a capable security analyst. -## 🛡️ What's inside +Existing security tool repos give you wordlists, payloads, or exploit code. None of them give an AI agent the structured decision-making workflow a senior analyst follows: when to use each technique, what prerequisites to check, how to execute step-by-step, and how to verify results. That is the gap this project fills. -**754 skills across 26 security domains:** +**Anthropic Cybersecurity Skills** is not a collection of scripts or checklists. It is an **AI-native knowledge base** built from the ground up for the agentskills.io standard — YAML frontmatter for sub-second discovery, structured Markdown for step-by-step execution, and reference files for deep technical context. Every skill encodes real practitioner workflows, not generated summaries. -| Domain | Skills | Example capabilities | -|--------|--------|---------------------| -| ☁️ Cloud Security | 60 | AWS S3 bucket audit, Azure AD config review, GCP IAM assessment | -| 🔍 Threat Hunting | 55 | C2 beaconing detection, DNS tunneling analysis, living-off-the-land | -| 📡 Threat Intelligence | 50 | APT group analysis with MITRE Navigator, campaign attribution, IOC enrichment | -| 🌐 Web Application Security | 42 | HTTP request smuggling, XSS with Burp Suite, web cache poisoning | -| 🔌 Network Security | 40 | Wireshark traffic analysis, VLAN segmentation, Suricata IDS tuning | -| 🦠 Malware Analysis | 39 | Ghidra reverse engineering, YARA rules, .NET decompilation | -| 🔎 Digital Forensics | 37 | Disk imaging with dd/dcfldd, Volatility3 memory forensics, browser artifacts | -| 📊 Security Operations | 36 | SIEM correlation rules, alert triage workflows, SOC playbooks | -| 🔑 IAM Security | 35 | SAML SSO with Okta, PAM deployment, service account hardening | -| 🖥️ SOC Operations | 33 | Tier 1-3 escalation procedures, incident classification, metrics tracking | -| ☸️ Container Security | 30 | Kubernetes RBAC audit, pod security policies, etcd encryption | -| 🏭 OT/ICS Security | 28 | SCADA monitoring, Modbus anomaly detection, Purdue model enforcement | -| 🔗 API Security | 28 | OAuth2 flow analysis, rate limiting, API gateway hardening | -| 🎯 Vulnerability Management | 25 | Nessus scanning, CVSS scoring, risk-based prioritization | -| 🚨 Incident Response | 25 | Containment procedures, evidence preservation, post-incident review | -| 🔴 Red Teaming | 24 | Cobalt Strike operations, LOTL techniques, evasion & persistence | -| 🎯 Penetration Testing | 23 | Active Directory exploitation, OSCP-style methodology, pivoting | -| 💻 Endpoint Security | 17 | EDR deployment, host-based detection, anti-tamper configuration | -| 🔧 DevSecOps | 17 | Pipeline security gates, SAST/DAST integration, IaC scanning | -| 🎣 Phishing Defense | 16 | Email header analysis, phishing simulation, DMARC/DKIM/SPF | -| 🕵️ OSINT | 15 | Domain reconnaissance, social engineering recon, dark web monitoring | -| 🔐 Cryptography | 14 | TLS configuration audit, certificate lifecycle, key management | -| 🏰 Zero Trust | 13 | Microsegmentation, BeyondCorp implementation, continuous verification | -| 📱 Mobile Security | 12 | APK analysis with APKTool, iOS forensics, MDM bypass detection | -| 🛡️ Ransomware Defense | 7 | Backup validation, recovery procedures, negotiation awareness | -| 🪤 Deception Technology | 5 | Honeypot deployment, honey tokens, decoy credential monitoring | -| **TOTAL** | **754** | | +## What's inside — 26 security domains -## 🗺️ Framework coverage +| Domain | Skills | Key capabilities | +|---|---|---| +| Cloud Security | 60 | AWS, Azure, GCP hardening · CSPM · cloud forensics | +| Threat Hunting | 55 | Hypothesis-driven hunts · LOTL detection · behavioral analytics | +| Threat Intelligence | 50 | STIX/TAXII · MISP · feed integration · actor profiling | +| Web Application Security | 42 | OWASP Top 10 · SQLi · XSS · SSRF · deserialization | +| Network Security | 40 | IDS/IPS · firewall rules · VLAN segmentation · traffic analysis | +| Malware Analysis | 39 | Static/dynamic analysis · reverse engineering · sandboxing | +| Digital Forensics | 37 | Disk imaging · memory forensics · timeline reconstruction | +| Security Operations | 36 | SIEM correlation · log analysis · alert triage | +| Identity & Access Management | 35 | IAM policies · PAM · zero trust identity · Okta · SailPoint | +| SOC Operations | 33 | Playbooks · escalation workflows · metrics · tabletop exercises | +| Container Security | 30 | K8s RBAC · image scanning · Falco · container forensics | +| OT/ICS Security | 28 | Modbus · DNP3 · IEC 62443 · historian defense · SCADA | +| API Security | 28 | GraphQL · REST · OWASP API Top 10 · WAF bypass | +| Vulnerability Management | 25 | Nessus · scanning workflows · patch prioritization · CVSS | +| Incident Response | 25 | Breach containment · ransomware response · IR playbooks | +| Red Teaming | 24 | Full-scope engagements · AD attacks · phishing simulation | +| Penetration Testing | 23 | Network · web · cloud · mobile · wireless pentesting | +| Endpoint Security | 17 | EDR · LOTL detection · fileless malware · persistence hunting | +| DevSecOps | 17 | CI/CD security · code signing · Terraform auditing | +| Phishing Defense | 16 | Email authentication · BEC detection · phishing IR | +| Cryptography | 14 | TLS · Ed25519 · certificate transparency · key management | +| Zero Trust Architecture | 13 | BeyondCorp · CISA maturity model · microsegmentation | +| Mobile Security | 12 | Android/iOS analysis · mobile pentesting · MDM forensics | +| Ransomware Defense | 7 | Precursor detection · response · recovery · encryption analysis | +| Compliance & Governance | 5 | CIS benchmarks · SOC 2 · regulatory frameworks | +| Deception Technology | 2 | Honeytokens · breach detection canaries | -v1.2.0 maps every skill to **5 industry-standard frameworks** — a first for any open-source cybersecurity skills library. +## How AI agents use these skills -### MITRE ATT&CK Enterprise — 754/754 skills mapped +Each skill costs **~30 tokens to scan** (frontmatter only) and **500–2,000 tokens to fully load** (complete workflow). This progressive disclosure architecture lets agents search all 754 skills in a single pass without blowing context windows. -All 14 Enterprise tactics covered with 200+ technique mappings: +``` +User prompt: "Analyze this memory dump for signs of credential theft" -| Tactic | ID | Skills | -|--------|----|--------| -| Reconnaissance | TA0043 | 45+ | -| Resource Development | TA0042 | 30+ | -| Initial Access | TA0001 | 55+ | -| Execution | TA0002 | 60+ | -| Persistence | TA0003 | 50+ | -| Privilege Escalation | TA0004 | 55+ | -| Defense Evasion | TA0005 | 65+ | -| Credential Access | TA0006 | 45+ | -| Discovery | TA0007 | 50+ | -| Lateral Movement | TA0008 | 40+ | -| Collection | TA0009 | 35+ | -| Command and Control | TA0011 | 40+ | -| Exfiltration | TA0010 | 30+ | -| Impact | TA0040 | 35+ | +Agent's internal process: -### NIST CSF 2.0 — 754/754 skills aligned + 1. Scans 754 skill frontmatters (~30 tokens each) + → identifies 12 relevant skills by matching tags, description, domain -| Function | Skills | Coverage areas | -|----------|--------|---------------| -| Govern (GV) | 80+ | Policy, risk strategy, supply chain oversight | -| Identify (ID) | 120+ | Asset management, risk assessment, improvement | -| Protect (PR) | 150+ | Access control, awareness, data security, platform security | -| Detect (DE) | 200+ | Continuous monitoring, adverse event analysis | -| Respond (RS) | 160+ | Incident management, analysis, mitigation, reporting | -| Recover (RC) | 44+ | Recovery planning, execution, communication | + 2. Loads top 3 matches: + • performing-memory-forensics-with-volatility3 + • hunting-for-credential-dumping-lsass + • analyzing-windows-event-logs-for-credential-access -### 🆕 MITRE ATLAS v5.5 — 81 skills (NEW in v1.2.0) + 3. Executes the structured Workflow section step-by-step + → runs Volatility3 plugins, checks LSASS access patterns, + correlates with event log evidence -AI-specific adversarial threat coverage including: -- ML model poisoning and evasion techniques -- AI supply chain compromise scenarios -- LLM prompt injection defense workflows -- AI agent tool abuse detection -- Agentic AI escape-to-host prevention + 4. Validates results using the Verification section + → confirms IOCs, maps findings to ATT&CK T1003 (Credential Dumping) +``` -### 🆕 MITRE D3FEND v1.3 — 139 skills (NEW in v1.2.0) +**Without these skills**, the agent guesses at tool commands and misses critical steps. **With them**, it follows the same playbook a senior DFIR analyst would use. -Defensive technique mappings across all 7 D3FEND tactics: -- **Model** (27 techniques) — Threat modeling, attack surface analysis -- **Harden** (51 techniques) — System hardening, configuration management -- **Detect** (90 techniques) — Monitoring, anomaly detection, behavioral analysis -- **Isolate** (57 techniques) — Segmentation, sandboxing, containment -- **Deceive** (11 techniques) — Honeypots, decoys, misdirection -- **Evict** (19 techniques) — Threat removal, credential rotation -- **Restore** (12 techniques) — Backup, recovery, resilience +## Skill anatomy -### 🆕 NIST AI RMF 1.0 — 85 skills (NEW in v1.2.0) - -AI risk management coverage aligned with the four core functions: -- **Govern** — AI governance, accountability, organizational policies -- **Map** — AI system context, risk identification, stakeholder analysis -- **Measure** — AI risk metrics, testing, validation -- **Manage** — AI risk treatment, monitoring, continuous improvement - -> 💡 **Why 5 frameworks matter:** Organizations face overlapping compliance requirements. A single skill like "analyzing-network-traffic-of-malware" maps to ATT&CK T1071 (Application Layer Protocol), NIST CSF DE.CM (Continuous Monitoring), ATLAS AML.T0047 (Evade ML Model), D3FEND D3-NTA (Network Traffic Analysis), and AI RMF MEASURE 2.6 (AI system monitoring). One skill, five compliance checkboxes. - -## 🤖 Compatible platforms - -**AI code assistants:** -Claude Code (Anthropic) · GitHub Copilot (Microsoft) · Cursor · Windsurf · Cline · Aider · Continue · Roo Code · Amazon Q Developer · Tabnine · Sourcegraph Cody · JetBrains AI - -**CLI agents:** -OpenAI Codex CLI · Gemini CLI (Google) - -**Autonomous agents:** -Devin · Replit Agent · SWE-agent · OpenHands - -**Agent frameworks & SDKs:** -LangChain · CrewAI · AutoGen · Semantic Kernel · Haystack · Vercel AI SDK · Any MCP-compatible agent - -## 📐 Skill structure - -Every skill follows the [agentskills.io](https://agentskills.io) open standard: +Every skill follows a consistent directory structure: ``` skills/performing-memory-forensics-with-volatility3/ -├── SKILL.md # Skill definition (YAML frontmatter + Markdown body) -│ ├── Frontmatter # → name, description, domain, tags, frameworks -│ ├── When to Use # → Trigger conditions for AI agents -│ ├── Prerequisites # → Required tools, access, environment -│ ├── Workflow # → Step-by-step execution guide -│ └── Verification # → How to confirm success +├── SKILL.md ← Skill definition (YAML frontmatter + Markdown body) ├── references/ -│ ├── standards.md # MITRE ATT&CK, ATLAS, D3FEND, NIST mappings -│ └── workflows.md # Deep technical procedure reference +│ ├── standards.md ← MITRE ATT&CK, ATLAS, D3FEND, NIST mappings +│ └── workflows.md ← Deep technical procedure reference ├── scripts/ -│ └── process.py # Practitioner helper scripts +│ └── process.py ← Working helper scripts └── assets/ - └── template.md # Checklists, report templates + └── template.md ← Filled-in checklists and report templates ``` -**YAML frontmatter example:** + +### YAML frontmatter (real example) ```yaml --- @@ -219,93 +170,189 @@ license: Apache-2.0 --- ``` -### Progressive disclosure — why 754 skills don't slow your agent down -| Stage | Token cost | When | -|-------|-----------|------| -| Discovery scan | ~30 tokens | Always — agent reads YAML frontmatter | -| Full skill load | 500–2000 tokens | Only when skill matches the task | -| Deep reference pull | 1000–5000 tokens | Only when agent needs technical depth | +### Markdown body sections -Irrelevant skills cost virtually nothing. Relevant skills provide complete expert-level guidance. +```markdown +## When to Use +Trigger conditions — when should an AI agent activate this skill? -## 🧠 How AI agents use these skills +## Prerequisites +Required tools, access levels, and environment setup. -``` -User prompt: "Analyze this memory dump for signs of credential theft" +## Workflow +Step-by-step execution guide with specific commands and decision points. -Agent's internal process: -1. Scans 754 skill frontmatters (~30 tokens each) → finds 12 relevant skills -2. Loads top matches: - - performing-memory-forensics-with-volatility3 - - hunting-for-credential-dumping-lsass - - analyzing-windows-event-logs-for-credential-access -3. Follows structured workflow from SKILL.md -4. References ATT&CK T1003 (Credential Dumping) mapping -5. Maps findings to D3FEND D3-PSMD (Process Self-Modification Detection) -6. Outputs structured findings with framework references +## Verification +How to confirm the skill was executed successfully. ``` -## 📝 Example skills +Frontmatter fields: `name` (kebab-case, 1–64 chars), `description` (keyword-rich for agent discovery), `domain`, `subdomain`, `tags`, `atlas_techniques` (MITRE ATLAS IDs), `d3fend_techniques` (MITRE D3FEND IDs), `nist_ai_rmf` (NIST AI RMF references), `nist_csf` (NIST CSF 2.0 categories). MITRE ATT&CK technique mappings are documented in each skill's `references/standards.md` file and in the ATT&CK Navigator layer included with releases.
-🔍 Hunting for C2 beaconing +📊 MITRE ATT&CK Enterprise coverage — all 14 tactics -**Domain:** Threat Hunting · **ATT&CK:** T1071, T1573 · **D3FEND:** D3-NTA · **CSF:** DE.CM-01 +  -Identifies command-and-control communication patterns in network traffic using beacon interval analysis, JA3/JA3S fingerprinting, and DNS request frequency modeling. Includes Zeek scripts for automated detection and SIEM correlation rules. +| Tactic | ID | Coverage | Key skills | +|---|---|---|---| +| Reconnaissance | TA0043 | Strong | OSINT, subdomain enumeration, DNS recon | +| Resource Development | TA0042 | Moderate | Phishing infrastructure, C2 setup detection | +| Initial Access | TA0001 | Strong | Phishing simulation, exploit detection, forced browsing | +| Execution | TA0002 | Strong | PowerShell analysis, fileless malware, script block logging | +| Persistence | TA0003 | Strong | Scheduled tasks, registry, service accounts, LOTL | +| Privilege Escalation | TA0004 | Strong | Kerberoasting, AD attacks, cloud privilege escalation | +| Defense Evasion | TA0005 | Strong | Obfuscation, rootkit analysis, evasion detection | +| Credential Access | TA0006 | Strong | Mimikatz detection, pass-the-hash, credential dumping | +| Discovery | TA0007 | Moderate | BloodHound, AD enumeration, network scanning | +| Lateral Movement | TA0008 | Strong | SMB exploits, lateral movement detection with Splunk | +| Collection | TA0009 | Moderate | Email forensics, data staging detection | +| Command and Control | TA0011 | Strong | C2 beaconing, DNS tunneling, Cobalt Strike analysis | +| Exfiltration | TA0010 | Strong | DNS exfiltration, DLP controls, data loss detection | +| Impact | TA0040 | Strong | Ransomware defense, encryption analysis, recovery | + +An **ATT&CK Navigator layer file** is included in the [v1.0.0 release assets](https://github.com/mukul975/Anthropic-Cybersecurity-Skills/releases/tag/v1.0.0) for visual coverage mapping. + +> **Note:** ATT&CK v19 lands April 28, 2026 — splitting Defense Evasion (TA0005) into two new tactics: *Stealth* and *Impair Defenses*. Skill mappings will be updated in a forthcoming release.
-🦠 Reverse engineering .NET malware with dnSpy +📊 NIST CSF 2.0 alignment — all 6 functions -**Domain:** Malware Analysis · **ATT&CK:** T1027, T1059.001 · **ATLAS:** AML.T0016 · **CSF:** DE.AE-02 +  -Step-by-step decompilation workflow for .NET executables including de-obfuscation techniques, string decryption, C2 extraction, and behavioral analysis. Includes YARA rule templates for family classification. +| Function | Skills | Examples | +|---|---|---| +| **Govern (GV)** | 30+ | Risk strategy, policy frameworks, roles & responsibilities | +| **Identify (ID)** | 120+ | Asset discovery, threat landscape assessment, risk analysis | +| **Protect (PR)** | 150+ | IAM hardening, WAF rules, zero trust, encryption | +| **Detect (DE)** | 200+ | Threat hunting, SIEM correlation, anomaly detection | +| **Respond (RS)** | 160+ | Incident response, forensics, breach containment | +| **Recover (RC)** | 40+ | Ransomware recovery, BCP, disaster recovery | + +NIST CSF 2.0 (February 2024) added the **Govern** function and expanded scope from critical infrastructure to all organizations. Skill mappings align to all 22 categories and reference 106 subcategories.
-☸️ Auditing Kubernetes RBAC configurations +📊 Framework deep dive — ATLAS, D3FEND, AI RMF -**Domain:** Container Security · **ATT&CK:** T1078.004 · **D3FEND:** D3-ACL · **CSF:** PR.AA-01 · **AI RMF:** GOVERN-1.2 +  -Systematic review of ClusterRoles, RoleBindings, and ServiceAccounts to identify overprivileged workloads, lateral movement paths, and secrets exposure. Includes kubectl audit scripts and remediation playbooks. +### MITRE ATLAS v5.4 — AI/ML adversarial threats +ATLAS maps adversarial tactics, techniques, and case studies specific to AI and machine learning systems. Version 5.4 covers **16 tactics and 84 techniques** including agentic AI attack vectors added in late 2025: AI agent context poisoning, tool invocation abuse, MCP server compromises, and malicious agent deployment. Skills mapped to ATLAS help agents identify and defend against threats to ML pipelines, model weights, inference APIs, and autonomous workflows. + +### MITRE D3FEND v1.3 — Defensive countermeasures +D3FEND is an NSA-funded knowledge graph of **267 defensive techniques** organized across 7 tactical categories: Model, Harden, Detect, Isolate, Deceive, Evict, and Restore. Built on OWL 2 ontology, it uses a shared Digital Artifact layer to bidirectionally map defensive countermeasures to ATT&CK offensive techniques. Skills tagged with D3FEND identifiers let agents recommend specific countermeasures for detected threats. + +### NIST AI RMF 1.0 + GenAI Profile (AI 600-1) +The AI Risk Management Framework defines 4 core functions — Govern, Map, Measure, Manage — with **72 subcategories** for trustworthy AI development. The GenAI Profile (AI 600-1, July 2024) adds **12 risk categories** specific to generative AI, from confabulation and data privacy to prompt injection and supply chain risks. Colorado's AI Act (effective February 2026) provides a **legal safe harbor** for organizations complying with NIST AI RMF, making these mappings directly relevant to regulatory compliance.
-## 👥 Contributing +## Compatible platforms -We welcome contributions! See [CONTRIBUTING.md](CONTRIBUTING.md) for guidelines. +**AI code assistants** +Claude Code (Anthropic) · GitHub Copilot (Microsoft) · Cursor · Windsurf · Cline · Aider · Continue · Roo Code · Amazon Q Developer · Tabnine · Sourcegraph Cody · JetBrains AI -**Ways to contribute:** -- 🆕 Add new skills using the [New Skill template](https://github.com/mukul975/Anthropic-Cybersecurity-Skills/issues/new?template=new-skill.yml) -- 🐛 Report issues with the [Bug Report template](https://github.com/mukul975/Anthropic-Cybersecurity-Skills/issues/new?template=bug-report.yml) -- 💡 Request features via [Feature Request](https://github.com/mukul975/Anthropic-Cybersecurity-Skills/issues/new?template=feature-request.yml) -- 📝 Improve documentation or fix typos -- 🗺️ Add framework mappings to existing skills +**CLI agents** +OpenAI Codex CLI · Gemini CLI (Google) -Every PR gets reviewed for technical accuracy and consistency with the agentskills.io standard. We aim to review within 48 hours. +**Autonomous agents** +Devin · Replit Agent · SWE-agent · OpenHands -## ⭐ Star history +**Agent frameworks & SDKs** +LangChain · CrewAI · AutoGen · Semantic Kernel · Haystack · Vercel AI SDK · Any MCP-compatible agent -[![Star History Chart](https://api.star-history.com/svg?repos=mukul975/Anthropic-Cybersecurity-Skills&type=Date)](https://star-history.com/#mukul975/Anthropic-Cybersecurity-Skills&Date) +All platforms that support the [agentskills.io](https://agentskills.io) standard can load these skills with zero configuration. -## 🌐 Community +## What people are saying -- 📋 Listed on [SkillsLLM](https://skillsllm.com/skill/anthropic-cybersecurity-skills) -- 📚 Featured in [awesome-agent-skills](https://github.com/VoltAgent/awesome-agent-skills) -- 🔒 Featured in [awesome-ai-security](https://github.com/ottosulin/awesome-ai-security) -- 🖥️ Featured in [awesome-codex-cli](https://github.com/RoggeOhta/awesome-codex-cli) -- 📖 [Complete guide on Medium](https://fazal-sec.medium.com/claude-skills-ai-powered-cybersecurity-the-complete-guide-to-building-intelligent-security-7bb7e9d14c8e) +> *"A database of real, organized security skills that any AI agent can plug into and use. Not tutorials. Not blog posts."* +> — **[Hasan Toor (@hasantoxr)](https://x.com/hasantoxr/status/2033193922349179249)**, AI/tech creator -## 📄 License +> *"This is not a random collection of security scripts. It's a structured operational knowledge base designed for AI-driven security workflows."* +> — **[fazal-sec](https://fazal-sec.medium.com/claude-skills-ai-powered-cybersecurity-the-complete-guide-to-building-intelligent-security-7bb7e9d14c8e)**, Medium -Apache License 2.0 — free for commercial and personal use. See [LICENSE](LICENSE) for details. +## Featured in + +| Where | Type | Link | +|---|---|---| +| **awesome-agent-skills** | Awesome List (1,000+ skills index) | [VoltAgent/awesome-agent-skills](https://github.com/VoltAgent/awesome-agent-skills) | +| **awesome-ai-security** | Awesome List (AI security tools) | [ottosulin/awesome-ai-security](https://github.com/ottosulin/awesome-ai-security) | +| **awesome-codex-cli** | Awesome List (Codex CLI resources) | [RoggeOhta/awesome-codex-cli](https://github.com/RoggeOhta/awesome-codex-cli) | +| **SkillsLLM** | Skills directory & marketplace | [skillsllm.com/skill/anthropic-cybersecurity-skills](https://skillsllm.com/skill/anthropic-cybersecurity-skills) | +| **Openflows** | Signal analysis & tracking | [openflows.org](https://openflows.org/currency/currents/anthropic-cybersecurity-skills/) | +| **NeverSight skills_feed** | Automated skills index | [NeverSight/skills_feed](https://github.com/NeverSight/skills_feed) | + +## Star history + + + + + + Star History Chart + + + +## Releases + +| Version | Date | Highlights | +|---|---|---| +| [v1.0.0](https://github.com/mukul975/Anthropic-Cybersecurity-Skills/releases/tag/v1.0.0) | March 11, 2026 | 734 skills · 26 domains · MITRE ATT&CK + NIST CSF 2.0 mapping · ATT&CK Navigator layer | + +Skills have continued to grow on `main` since v1.0.0 — the library now contains **754 skills** with **5-framework mapping** (MITRE ATLAS, D3FEND, and NIST AI RMF added post-release). Check [Releases](https://github.com/mukul975/Anthropic-Cybersecurity-Skills/releases) for the latest tagged version. + +## Contributing + +This project grows through community contributions. Here is how to get involved: + +**Add a new skill** — Domains like Deception Technology (2 skills) and Compliance & Governance (5 skills) need the most help. Follow the template in [CONTRIBUTING.md](CONTRIBUTING.md) and submit a PR with the title `Add skill: your-skill-name`. + +**Improve existing skills** — Add framework mappings, fix workflows, update tool references, or contribute scripts and templates. + +**Report issues** — Found an inaccurate procedure or broken script? [Open an issue](https://github.com/mukul975/Anthropic-Cybersecurity-Skills/issues). + +Every PR is reviewed for technical accuracy and agentskills.io standard compliance within 48 hours. Check [good first issues](https://github.com/mukul975/Anthropic-Cybersecurity-Skills/issues?q=is%3Aissue+is%3Aopen+label%3A%22good+first+issue%22) for a starting point. + +This project follows the [Contributor Covenant](https://www.contributor-covenant.org/). By participating, you agree to uphold this code. + +## Community + +💬 [Discussions](https://github.com/mukul975/Anthropic-Cybersecurity-Skills/discussions) — Questions, ideas, and roadmap conversations +🐛 [Issues](https://github.com/mukul975/Anthropic-Cybersecurity-Skills/issues) — Bug reports and feature requests +🔒 [Security Policy](SECURITY.md) — Responsible disclosure process (48-hour acknowledgment) + +## Citation + +If you use this project in research or publications: + +```bibtex +@software{anthropic_cybersecurity_skills, + author = {Jangra, Mahipal}, + title = {Anthropic Cybersecurity Skills}, + year = {2026}, + url = {https://github.com/mukul975/Anthropic-Cybersecurity-Skills}, + license = {Apache-2.0}, + note = {754 structured cybersecurity skills for AI agents, + mapped to MITRE ATT\&CK, NIST CSF 2.0, MITRE ATLAS, + MITRE D3FEND, and NIST AI RMF} +} +``` + +## License + +This project is licensed under the [Apache License 2.0](LICENSE). You are free to use, modify, and distribute these skills in both personal and commercial projects. --- -

- If these skills help your AI agent defend better, consider giving this repo a ⭐ -

+
+ +**If this project helps your security work, consider giving it a ⭐** + +[⭐ Star](https://github.com/mukul975/Anthropic-Cybersecurity-Skills/stargazers) · [🍴 Fork](https://github.com/mukul975/Anthropic-Cybersecurity-Skills/fork) · [💬 Discuss](https://github.com/mukul975/Anthropic-Cybersecurity-Skills/discussions) · [📝 Contribute](CONTRIBUTING.md) + +Community project by [@mukul975](https://github.com/mukul975). Not affiliated with Anthropic PBC. + +