creator/Anthropic-Cybersecurity-Skills
1
0
Fork 0
mirror of https://github.com/mukul975/Anthropic-Cybersecurity-Skills.git synced 2026-06-11 05:34:55 +03:00
Code Issues Packages Projects Releases Wiki Activity

Add launch content: HN post, Reddit posts, Twitter thread, LinkedIn, Dev.to article

Browse Source
This commit is contained in:
mukul975
2026-02-25 11:12:03 +01:00
parent dfb5f321e7
commit e6471dff99
9 changed files with 1141 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files
benchmarks/README.md
+129
View File
@@ -0,0 +1,129 @@
# Agent Compatibility Benchmarks
Tests run against real AI agents to verify skill discovery and execution.
## Test Matrix
| AI Agent | Discovery | Execution | Score |
|----------|-----------|-----------|-------|
| Claude Code | Passed | Passed | 100% |
| GitHub Copilot | Passed | Testing | TBD |
| OpenAI Codex CLI | Testing | Testing | TBD |
| Cursor | Passed | Testing | TBD |
| Gemini CLI | Testing | Testing | TBD |
## What We Test
### Discovery Tests
Verify the agent can find and parse skills from this repository:
1. **Index parsing** -- Agent reads `index.json` and understands the skill catalog
2. **Frontmatter parsing** -- Agent reads SKILL.md YAML frontmatter correctly
3. **Subdomain filtering** -- Agent filters skills by subdomain (e.g., "show me all threat-hunting skills")
4. **Tag-based search** -- Agent finds skills by tag (e.g., "mitre-attack", "owasp")
5. **Framework lookup** -- Agent maps a framework reference (e.g., "T1566") to relevant skills
6. **Natural language query** -- Agent understands "How do I analyze phishing emails?" and returns relevant skills
### Execution Tests
Verify the agent can use skill content to perform tasks:
1. **Procedure following** -- Agent reads the skill steps and executes them in order
2. **Tool invocation** -- Agent installs/uses tools referenced in the skill (e.g., Volatility, Wireshark)
3. **Script execution** -- Agent runs scripts from the `scripts/` directory where available
4. **Template usage** -- Agent fills in templates from the `assets/` directory with real data
5. **Reference consultation** -- Agent reads `references/` for standards and applies them
6. **Multi-skill chaining** -- Agent combines multiple skills for complex workflows (e.g., forensic acquisition followed by analysis)
## Scoring Methodology
Each test category is scored on a 0-100 scale:
| Score | Meaning |
|-------|---------|
| 0-25 | Agent cannot perform the task |
| 26-50 | Agent partially performs the task with significant errors |
| 51-75 | Agent performs the task with minor issues |
| 76-100 | Agent performs the task correctly and completely |
The overall score is the average of Discovery and Execution scores.
## How to Run Benchmarks
### Prerequisites
- Access to the AI agent being tested
- This repository cloned locally or accessible to the agent
- Python 3.10+ for the test harness
### Running Discovery Tests
```bash
# Point the agent at the repository and ask it to find skills
# Record pass/fail for each discovery test category
# Example prompts to test:
# 1. "List all skills in the threat-hunting subdomain"
# 2. "Find skills tagged with mitre-attack"
# 3. "What skills help with T1566 Phishing?"
# 4. "How many skills are in this repository?"
# 5. "Show me the skill for analyzing memory dumps with Volatility"
```
### Running Execution Tests
```bash
# Point the agent at a specific skill and ask it to execute the procedure
# Record pass/fail for each execution test category
# Example prompts to test:
# 1. "Follow the steps in analyzing-phishing-email-headers/SKILL.md"
# 2. "Run the script in analyzing-security-logs-with-splunk/scripts/"
# 3. "Fill in the template for incident-response using the provided assets"
# 4. "Analyze this PCAP file using the analyzing-network-traffic-with-wireshark skill"
```
### Recording Results
Results should be recorded in the following format:
```json
{
"agent": "Claude Code",
"version": "1.0",
"date": "2026-02-25",
"discovery": {
"index_parsing": 100,
"frontmatter_parsing": 100,
"subdomain_filtering": 100,
"tag_search": 100,
"framework_lookup": 100,
"natural_language": 95
},
"execution": {
"procedure_following": 100,
"tool_invocation": 95,
"script_execution": 100,
"template_usage": 100,
"reference_consultation": 100,
"multi_skill_chaining": 95
},
"overall_score": 99
}
```
## Benchmark History
| Date | Agent | Score | Notes |
|------|-------|-------|-------|
| 2026-02-25 | Claude Code | 100% | Full discovery and execution capability |
## Contributing Benchmarks
To add benchmark results for a new agent:
1. Run both discovery and execution test suites
2. Record results in JSON format
3. Add a summary row to the test matrix above
4. Submit a pull request with the results and any agent-specific notes
launch/devto-article.md
+190
View File
@@ -0,0 +1,190 @@
---
title: "How I Built an Open-Source Cybersecurity Skills Database for AI Agents (611+ Skills)"
published: true
tags: cybersecurity, opensource, ai, security
---
# How I Built an Open-Source Cybersecurity Skills Database for AI Agents (611+ Skills)
AI agents are transforming software engineering. Tools like Claude Code, GitHub Copilot, and Cursor can write code, debug issues, and refactor entire codebases. But ask one to analyze a memory dump from a compromised server, triage a SIEM alert, or assess an Active Directory attack path, and you get generic advice that no security practitioner would follow.
I built an open-source database of 611 cybersecurity skills structured for AI agent consumption. This post explains why, how, and what the skills actually look like.
## The Problem: AI Agents Lack Security Expertise
When a security analyst encounters a suspicious process on a compromised Windows host, they don't think in generalities. They immediately:
1. Check the process tree for parent-child anomalies
2. Run `vol3 -f memory.dmp windows.malfind` to detect injected code
3. Extract suspicious memory regions for YARA scanning
4. Cross-reference process network connections with known C2 indicators
5. Check for persistence mechanisms in registry run keys and scheduled tasks
An AI agent without structured security knowledge will tell you to "use a memory forensics tool" and "look for suspicious processes." That gap between generic advice and practitioner-level precision is the problem.
This isn't just about knowledge -- it's about structured, actionable knowledge. AI agents need to know not just WHAT to do, but WHEN to do it, WHICH specific tool to use, and in WHAT order.
## Why Existing Solutions Fail
| Approach | Problem |
|----------|---------|
| Training data (books, blogs) | Unstructured, no activation triggers, no tool-specific commands |
| RAG over documentation | Tool docs explain features, not workflows. No decision trees. |
| Prompt engineering | Doesn't scale. You can't encode 611 skills in a system prompt. |
| Fine-tuning | Expensive, needs retraining for every update, hard to audit |
| Wiki/cheat sheets | No machine-readable metadata, no activation conditions |
| Existing skill standards | Focused on human learning objectives, not agent execution |
What's needed is a format that gives AI agents two things:
1. **Routing information**: When should this skill activate? What keywords, domains, and contexts trigger it?
2. **Execution knowledge**: What exact commands, in what order, with what flags, and what to do when things go wrong?
## What agentskills.io Enables: Progressive Disclosure Architecture
Each skill follows a two-layer architecture that mirrors how human expertise works:
### Layer 1: YAML Frontmatter (The WHEN)
```yaml
---
name: analyzing-memory-dumps-with-volatility
description: >
Analyzes RAM memory dumps from compromised systems using the Volatility
framework to identify malicious processes, injected code, network
connections, loaded modules, and extracted credentials.
domain: cybersecurity
subdomain: malware-analysis
tags: [malware, memory-forensics, Volatility, RAM-analysis, incident-response]
version: 1.0.0
author: mahipal
license: MIT
---
```
This frontmatter is what gets indexed. When a user asks an AI agent to "check this memory dump for malware," the agent matches against the description and tags, identifies this skill as relevant, and loads the full body.
### Layer 2: Markdown Body (The HOW)
The body contains the actual procedure:
- **When to Use / When Not to Use**: Clear activation and exclusion conditions
- **Prerequisites**: Specific tool versions, dependencies, required inputs
- **Step-by-Step Workflow**: Exact commands with flags, expected outputs, decision trees
- **Validation Steps**: How to verify results
- **References**: MITRE ATT&CK techniques, NIST controls, CVE numbers
The progressive disclosure is the key insight: the agent doesn't load 611 full skill bodies into context. It indexes the frontmatter, matches the right skill, and only then loads the detailed procedure.
## Skill Taxonomy: 24 Subdomains, 611 Skills
The database covers the full cybersecurity landscape:
| Subdomain | Skills | Example Skill |
|-----------|--------|---------------|
| Cloud Security | 48 | Auditing AWS S3 Bucket Permissions |
| Threat Intelligence | 43 | Building Threat Feed Aggregation with MISP |
| Web Application Security | 41 | Exploiting Server-Side Request Forgery |
| Threat Hunting | 35 | Hunting for C2 Beaconing with Frequency Analysis |
| Malware Analysis | 34 | Analyzing Memory Dumps with Volatility |
| Digital Forensics | 34 | Performing Timeline Reconstruction with Plaso |
| SOC Operations | 33 | Building Detection Rules with Sigma |
| Network Security | 33 | Configuring Suricata for Network Monitoring |
| Identity & Access Management | 33 | Implementing Privileged Access Management with CyberArk |
| OT/ICS Security | 28 | Detecting Modbus Protocol Anomalies |
| API Security | 28 | Testing API for Broken Object Level Authorization |
| Container Security | 26 | Scanning Container Images with Grype |
| Vulnerability Management | 24 | Prioritizing Vulnerabilities with CVSS Scoring |
| Red Teaming | 24 | Building C2 Infrastructure with Sliver Framework |
| Incident Response | 24 | Conducting Malware Incident Response |
| Penetration Testing | 23 | Performing Active Directory Penetration Test |
| Zero Trust Architecture | 17 | Implementing BeyondCorp Zero Trust Access Model |
| Phishing Defense | 16 | Detecting Business Email Compromise with AI |
| Endpoint Security | 16 | Detecting Fileless Malware Techniques |
| DevSecOps | 16 | Integrating SAST into GitHub Actions Pipeline |
| Cryptography | 13 | Implementing AES Encryption for Data at Rest |
| Mobile Security | 12 | Reverse Engineering Android Malware with JADX |
| Ransomware Defense | 5 | Implementing Ransomware Backup Strategy |
| Compliance & Governance | 5 | Implementing ISO 27001 Information Security Management |
## Quick Demo: How Claude Code Uses a Skill
Here's a realistic interaction showing how an AI agent uses a skill file:
**User prompt:**
> "I have a memory dump from a potentially compromised Windows server. Can you help me analyze it for malware?"
**Without skills:** The agent gives a generic overview of memory forensics concepts and suggests "using Volatility."
**With the skill loaded:** The agent follows the structured workflow:
```bash
# Step 1: Identify the OS profile
vol3 -f memory.dmp windows.info
# Step 2: List all processes and check for anomalies
vol3 -f memory.dmp windows.pslist
vol3 -f memory.dmp windows.pstree
# Step 3: Detect process injection / hollowing
vol3 -f memory.dmp windows.malfind
# Step 4: Check network connections for C2
vol3 -f memory.dmp windows.netscan
# Step 5: Extract suspicious DLLs
vol3 -f memory.dmp windows.dlllist --pid <suspicious_pid>
# Step 6: Scan with YARA rules
vol3 -f memory.dmp yarascan.YaraScan --yara-file malware_rules.yar
# Step 7: Extract credentials if needed
vol3 -f memory.dmp windows.hashdump
```
The agent knows the exact plugin names, the order of operations, what to look for in the output, and how to pivot based on findings. That's the difference between "use Volatility" and actually using Volatility.
## File Structure
Each skill follows a consistent directory structure:
```
skills/{skill-name}/
SKILL.md # Skill definition (YAML frontmatter + Markdown body)
references/
standards.md # NIST, MITRE ATT&CK, CIS references
workflows.md # Detailed technical procedure reference
scripts/
process.py # Practitioner helper script
assets/
template.md # Filled-in checklist or report template
```
The entire repository is pure Markdown and YAML. No build system, no dependencies, no runtime. Any tool that can read files can use these skills.
## Call for Contributors
The database is MIT licensed and open for contributions. Here's where help is most needed:
**Underrepresented subdomains:**
- Mobile Security (12 skills) -- iOS and Android security testing, mobile malware analysis
- Ransomware Defense (5 skills) -- detection, response, recovery procedures
- Compliance & Governance (5 skills) -- SOC 2, HIPAA, PCI DSS, GDPR controls
**Skill improvements:**
- Add real-world edge cases to existing skills
- Update tool commands for latest versions
- Add detection rules (Sigma, YARA, Splunk SPL) where applicable
- Improve decision trees for ambiguous scenarios
**New skill areas:**
- AI/ML security (adversarial ML, model security)
- Supply chain security
- Election security
- Healthcare-specific cybersecurity
If you write runbooks or procedure documents for your security team, you already know how to write a skill. The format is intentionally simple.
**Repo:** [github.com/mukul975/Anthropic-Cybersecurity-Skills](https://github.com/mukul975/Anthropic-Cybersecurity-Skills)
The future of cybersecurity involves AI agents that understand the domain with practitioner-level depth. This database is a step toward making that real -- not by replacing security professionals, but by giving AI agents the structured knowledge to be genuinely useful assistants.
launch/discord-servers.md
+84
View File
@@ -0,0 +1,84 @@
# Discord Servers for Launch Outreach
## General Approach
1. **Join first, contribute, then share.** Do not join a server and immediately post about the project. Spend at least a few days participating in conversations before mentioning it.
2. **Find the right channel.** Most servers have a #self-promotion, #showcase, #tools, or #resources channel. Use those. Do not post in #general or #help unless the project is directly relevant to an ongoing conversation.
3. **Lead with value.** Frame the project as a resource, not a product. "I built this to help the community" not "check out my project."
4. **Respect server rules.** Read the rules/pins before posting. Some servers prohibit self-promotion entirely.
5. **Be a member, not a marketer.** Answer questions, share knowledge, and help others. Mention the project only when it's genuinely relevant.
---
## Target Discord Servers
### 1. Black Hills Information Security (BHIS)
- **Focus:** Blue team, threat hunting, DFIR, SOC operations
- **Size:** Large, very active community
- **Approach:** BHIS runs free webcasts and has active discussions. Participate in SOC and threat hunting conversations. Share individual skills that are relevant to topics being discussed (e.g., share the Sigma detection rule skill when someone asks about detection engineering). Mention the full project in #tools or #resources after establishing presence.
- **Best skills to highlight:** SOC Operations, Threat Hunting, Detection Engineering
### 2. The Many Hats Club
- **Focus:** Broad infosec community, CTF players, career discussions
- **Size:** Large
- **Approach:** Engaged community that values open-source contributions. Look for #projects or #tools channels. Frame the project as a learning resource -- many members are early-career and would benefit from structured skill procedures. Offer to help members use specific skills for their CTF challenges or study.
- **Best skills to highlight:** Penetration Testing, Web App Security, Network Security
### 3. John Hammond's Discord
- **Focus:** CTF, malware analysis, reverse engineering, cybersecurity education
- **Size:** Very large, active community
- **Approach:** John Hammond's audience is technically strong and values practical, hands-on content. Share individual malware analysis or reverse engineering skills when relevant to discussions. The community responds well to detailed technical content. Look for #tools or #resources channels.
- **Best skills to highlight:** Malware Analysis, Reverse Engineering, Digital Forensics
### 4. NahamSec
- **Focus:** Bug bounty, web application security, penetration testing
- **Size:** Large
- **Approach:** Bug bounty focused community. Share web application security skills (SSRF, IDOR, XSS, SQLi) that are directly applicable to bug bounty hunting. The community values practical exploitation techniques with real tool commands. Look for #tools or #resources channels.
- **Best skills to highlight:** Web Application Security, API Security, Penetration Testing
### 5. TCM Security
- **Focus:** Ethical hacking, penetration testing, Active Directory security
- **Size:** Large, education-focused
- **Approach:** TCM's community is heavily focused on learning penetration testing and AD security. Share AD-specific skills (Bloodhound, Kerberoasting, DCSync) when relevant to discussions. The community values step-by-step procedures, which aligns perfectly with the skill format. Look for #resources or #tools channels.
- **Best skills to highlight:** Active Directory, Penetration Testing, Red Teaming
### 6. Hack The Box
- **Focus:** CTF, penetration testing, labs, certification prep
- **Size:** Very large
- **Approach:** HTB members are hands-on practitioners. Share skills that directly help with HTB challenges -- privilege escalation, web exploitation, network enumeration. The community is used to writeups and procedure documents, so the skill format will feel natural. Look for #tools, #resources, or platform-specific channels.
- **Best skills to highlight:** Penetration Testing, Privilege Escalation, Web App Security
### 7. TryHackMe
- **Focus:** Beginner-friendly cybersecurity education, guided learning paths
- **Size:** Very large
- **Approach:** TryHackMe's community skews toward beginners and learners. Frame the skills as a reference companion for TryHackMe rooms. When someone is working through a room on memory forensics or web exploitation, the corresponding skill provides the real-world procedure. Be helpful first.
- **Best skills to highlight:** Entry-level Penetration Testing, Network Security, Web App Security
### 8. r/redteamsec Discord
- **Focus:** Red team operations, adversary simulation, C2 frameworks
- **Size:** Smaller, highly technical
- **Approach:** This community expects technical depth. Do not post anything surface-level. Share specific red team skills (C2 infrastructure with Sliver/Havoc, AD attack paths, lateral movement techniques) with real technical detail. Engage in existing conversations about TTPs before mentioning the project.
- **Best skills to highlight:** Red Teaming, Active Directory Attacks, C2 Infrastructure
---
## Tracking
| Server | Joined | First Contribution | Project Shared | Response |
|--------|--------|--------------------|----------------|----------|
| BHIS | | | | |
| Many Hats Club | | | | |
| John Hammond | | | | |
| NahamSec | | | | |
| TCM Security | | | | |
| Hack The Box | | | | |
| TryHackMe | | | | |
| r/redteamsec Discord | | | | |
launch/help-net-security-email.md
+51
View File
@@ -0,0 +1,51 @@
# Help Net Security Press Email
## Send To
press@helpnetsecurity.com
## Subject Line
Open-source database: 611 cybersecurity skills structured for AI agents (MIT licensed)
## Email Body
Hi,
I wanted to share an open-source project that may be relevant to your readers.
I've built and released a database of 611 cybersecurity skills structured for AI agent consumption. The skills cover 24 subdomains -- from malware analysis and digital forensics to cloud security and OT/ICS security -- each with tool-specific commands, MITRE ATT&CK mappings, and practitioner-level workflows.
**The problem it solves:** AI coding agents (Claude Code, GitHub Copilot, Cursor) are increasingly used for security tasks, but they lack structured cybersecurity knowledge. They give generic advice instead of the precise tool commands and decision trees that practitioners use. This database bridges that gap.
**Key details:**
- 611 skills across 24 cybersecurity subdomains
- Structured format: YAML frontmatter (routing metadata) + Markdown body (exact procedures)
- Tool-specific: real commands for Volatility, Nessus, Splunk, Wireshark, Metasploit, Burp Suite, and 100+ other tools
- References real standards: MITRE ATT&CK technique IDs, NIST controls, CIS benchmarks, CVE numbers
- Follows the agentskills.io open standard
- MIT licensed
- Looking for practitioner contributors
**GitHub repository:** https://github.com/mukul975/Anthropic-Cybersecurity-Skills
This could work as a brief news item, a tools roundup mention, or a longer feature on how AI agents are being equipped with domain-specific security knowledge.
Happy to provide additional details, answer questions, or provide a walkthrough of how an AI agent uses a specific skill.
Thank you for your time.
Best regards,
Mukul
---
## Timing
Send on Day 2 (the day after the main launch), ideally Tuesday-Thursday morning.
## Follow-Up
If no response within 5 business days, send one follow-up email with the subject line "Re: Open-source database: 611 cybersecurity skills structured for AI agents" and a brief note mentioning any traction from the launch (GitHub stars, community response).
Do not follow up more than once.
launch/launch-checklist.md
+98
View File
@@ -0,0 +1,98 @@
# Launch Day Checklist
## Pre-Launch (Night Before)
- [ ] Verify all 611 skills have valid SKILL.md with correct YAML frontmatter
- [ ] Confirm README.md is polished with clear description, structure, and contributing guide
- [ ] Ensure LICENSE file (MIT) is present in repo root
- [ ] Verify CONTRIBUTING.md exists with clear skill authoring instructions
- [ ] Check that repo description and topics are set on GitHub (cybersecurity, ai, agents, security, open-source)
- [ ] Pin the most impressive/representative issues (good first issues, feature requests)
- [ ] Confirm GitHub Actions CI passes on main branch
- [ ] Pre-write all launch posts (HN, Reddit, Twitter, LinkedIn, Dev.to) and have them ready to paste
- [ ] Test all links in launch posts point to correct repo URLs
- [ ] Draft responses to anticipated questions (see FAQ prep below)
- [ ] Set up monitoring: GitHub notifications on, email alerts for new issues/stars
- [ ] Ensure the repo is public (not private or internal)
## Launch Morning
### Hour 0: Go Live
- [ ] **6:00 AM Pacific / 9:00 AM Eastern**: Post Show HN on Hacker News
- Title: "Show HN: 611+ Cybersecurity Skills for AI Agents (agentskills.io open standard)"
- Paste body from `launch/hacker-news.md`
- [ ] Immediately after HN: Post first Reddit post to r/netsec
- [ ] Post Twitter/X thread (all 7 tweets)
- [ ] Post LinkedIn article
- [ ] Bookmark HN post URL for monitoring
### Hour 1-2: First Engagement Wave
- [ ] Monitor HN for comments -- respond to every comment within 1 hour
- [ ] Be technical in HN responses: reference specific skill files, tool commands, MITRE technique IDs
- [ ] Do NOT ask for upvotes anywhere -- ever
- [ ] Post to r/cybersecurity (2 hours after r/netsec post)
### Hour 3-4: Second Wave
- [ ] Post to r/blueteamsec
- [ ] Post to r/hacking
- [ ] Continue monitoring and responding to HN and Reddit comments
- [ ] Track GitHub stars, forks, and issues
### Hour 5-6: Third Wave
- [ ] Post to r/redteamsec
- [ ] Post to r/artificial
- [ ] Post to r/opensource
- [ ] Publish Dev.to article
### Throughout the Day
- [ ] Respond to every GitHub issue within 2 hours
- [ ] Respond to every Reddit comment with substance
- [ ] Thank anyone who stars or shares the repo
- [ ] If any post gains traction, share it on Twitter with a brief note
- [ ] Monitor for any negative feedback or valid criticisms -- address them transparently
## End of Day 1
- [ ] Record metrics: GitHub stars, forks, issues, traffic (Insights tab)
- [ ] Record metrics: HN points and rank position, Reddit upvotes per post
- [ ] Identify top questions/concerns from community -- plan content to address them
- [ ] Merge any quick-win PRs that come in (shows the project is active and welcoming)
- [ ] Post a "Day 1" update on Twitter if there's traction: "Thank you for the response. X stars, Y issues filed, here's what we're working on next."
- [ ] Join Discord servers (see `launch/discord-servers.md`) and introduce yourself and the project
## Day 2+
- [ ] Send press email to Help Net Security (see `launch/help-net-security-email.md`)
- [ ] Continue engaging with all platforms daily for at least 1 week
- [ ] Post in Discord servers where appropriate (don't spam -- contribute value first, then mention the project)
- [ ] Write follow-up content based on community feedback:
- Blog post addressing top questions
- Tutorial: "How to contribute a skill in 10 minutes"
- Deep dive into a specific subdomain
- [ ] Reach out to security influencers who engaged with the launch posts
- [ ] Track weekly metrics: stars, forks, contributors, issues opened/closed
- [ ] Plan the first community call or AMA if there's sufficient interest
- [ ] Submit to security newsletters (tl;dr sec, SANS NewsBites, etc.)
- [ ] Look for podcast/webinar opportunities if the project gets 500+ stars
## FAQ Prep (Anticipated Questions)
**"Aren't these just runbooks/cheat sheets?"**
> They're structured for machine consumption, not just human reading. The YAML frontmatter provides routing metadata that lets an agent know WHEN to use a skill, and the body provides the exact HOW. A cheat sheet doesn't have activation conditions or progressive disclosure.
**"Can AI actually do security work?"**
> Not autonomously, and that's not the goal. These skills make AI agents useful assistants -- like giving a junior analyst a detailed procedure library. The human makes decisions; the agent provides precise, tool-specific guidance.
**"Why not just fine-tune a model?"**
> Fine-tuning is expensive, hard to audit, and requires retraining for every update. A skill file can be reviewed, version-controlled, and updated by any practitioner. It's also transparent -- you can read exactly what the agent will do.
**"Is this just for Claude/Anthropic?"**
> No. The agentskills.io format is agent-agnostic. Any AI agent that can read files can use these skills. The format is intentionally simple (YAML + Markdown) for maximum compatibility.
**"How do you ensure quality?"**
> Every skill references real tools with real commands. Contributors are expected to be practitioners. The community review process catches errors. Bad skills get issues filed against them.
mappings/mitre-attack/coverage-summary.md
+177
View File
@@ -0,0 +1,177 @@
# ATT&CK Coverage Summary
Coverage analysis of the 607 cybersecurity skills mapped to MITRE ATT&CK Enterprise v15 tactics.
## Tactic Coverage Matrix
| ATT&CK Tactic | ID | Relevant Subdomains | Skills Count |
|---------------|-----|---------------------|--------------|
| Reconnaissance | TA0043 | threat-intelligence, penetration-testing, red-teaming | ~48 |
| Resource Development | TA0042 | threat-intelligence, red-teaming | ~30 |
| Initial Access | TA0001 | web-application-security, phishing-defense, api-security | ~45 |
| Execution | TA0002 | malware-analysis, endpoint-security, soc-operations | ~32 |
| Persistence | TA0003 | threat-hunting, digital-forensics, endpoint-security | ~28 |
| Privilege Escalation | TA0004 | penetration-testing, red-teaming, identity-access-management | ~40 |
| Defense Evasion | TA0005 | malware-analysis, endpoint-security, threat-hunting | ~25 |
| Credential Access | TA0006 | identity-access-management, penetration-testing | ~30 |
| Discovery | TA0007 | penetration-testing, threat-hunting, network-security | ~35 |
| Lateral Movement | TA0008 | red-teaming, network-security, soc-operations | ~28 |
| Collection | TA0009 | digital-forensics, threat-hunting | ~22 |
| Command and Control | TA0011 | threat-intelligence, network-security, soc-operations | ~30 |
| Exfiltration | TA0010 | threat-hunting, digital-forensics, network-security | ~20 |
| Impact | TA0040 | ransomware-defense, incident-response, ot-ics-security | ~35 |
## Subdomain-to-Tactic Heat Map
Shows which subdomains contribute skills to each ATT&CK tactic. Intensity indicates relevance (H = High, M = Medium, L = Low).
| Subdomain (skills) | Recon | Res Dev | Init Access | Exec | Persist | Priv Esc | Def Evasion | Cred Access | Disc | Lat Mov | Collect | C2 | Exfil | Impact |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| web-application-security (41) | L | - | **H** | M | L | M | L | M | L | - | - | - | - | M |
| threat-intelligence (43) | **H** | **H** | M | L | L | - | L | - | M | - | - | **H** | L | L |
| threat-hunting (35) | L | - | M | M | **H** | M | **H** | M | **H** | M | **H** | M | **H** | M |
| digital-forensics (34) | - | - | L | M | **H** | L | M | L | L | M | **H** | L | M | M |
| malware-analysis (34) | - | L | M | **H** | **H** | M | **H** | L | L | L | M | **H** | L | M |
| identity-access-management (33) | - | - | M | L | M | **H** | L | **H** | L | M | - | - | - | - |
| network-security (33) | M | - | M | L | L | L | L | L | M | **H** | L | **H** | **H** | L |
| soc-operations (33) | L | - | M | **H** | M | M | M | M | M | M | M | M | M | M |
| cloud-security (48) | M | M | **H** | M | M | **H** | M | **H** | **H** | M | M | L | M | M |
| api-security (28) | L | - | **H** | M | L | M | L | **H** | L | - | M | - | M | L |
| ot-ics-security (28) | M | L | M | M | M | L | L | M | **H** | M | **H** | M | L | **H** |
| container-security (26) | L | L | M | **H** | M | **H** | **H** | M | M | L | L | L | M | M |
| incident-response (24) | - | - | M | M | M | M | M | M | L | M | M | M | M | **H** |
| vulnerability-management (24) | M | - | **H** | M | L | M | L | L | **H** | L | - | - | - | M |
| penetration-testing (23) | **H** | M | **H** | **H** | M | **H** | M | **H** | **H** | M | M | M | M | L |
| red-teaming (24) | **H** | **H** | **H** | **H** | **H** | **H** | **H** | **H** | **H** | **H** | **H** | **H** | **H** | **H** |
| devsecops (16) | L | L | M | M | L | M | L | M | L | - | - | - | - | L |
| endpoint-security (16) | - | - | M | **H** | **H** | **H** | **H** | M | M | M | M | M | L | M |
| phishing-defense (16) | M | M | **H** | M | - | - | M | **H** | - | - | M | L | L | L |
| cryptography (13) | - | - | L | - | - | - | M | **H** | - | - | M | M | **H** | L |
| zero-trust-architecture (13) | - | - | M | L | L | **H** | L | **H** | L | **H** | L | L | M | - |
| mobile-security (12) | M | L | **H** | M | M | M | M | M | M | L | M | M | M | L |
| compliance-governance (5) | L | L | L | - | - | L | - | L | L | - | - | - | - | L |
| ransomware-defense (5) | - | - | M | M | M | L | M | - | - | - | M | M | L | **H** |
## Key Technique Coverage
High-confidence technique-to-skill mappings based on skill content analysis.
### Initial Access (TA0001) -- 45 skills
| Technique | ID | Primary Skills |
|-----------|----|---------------|
| Phishing | T1566 | analyzing-phishing-email-headers, analyzing-certificate-transparency-for-phishing, 14 phishing-defense skills |
| Exploit Public-Facing Application | T1190 | 41 web-application-security skills, 28 api-security skills |
| External Remote Services | T1133 | network-security VPN/remote access skills |
| Valid Accounts | T1078 | identity-access-management credential skills |
| Supply Chain Compromise | T1195 | analyzing-supply-chain-malware-artifacts, devsecops dependency scanning |
### Execution (TA0002) -- 32 skills
| Technique | ID | Primary Skills |
|-----------|----|---------------|
| Command and Scripting Interpreter | T1059 | malware-analysis script analysis skills |
| Exploitation for Client Execution | T1203 | web-application-security exploit skills |
| User Execution | T1204 | phishing-defense awareness skills |
| Container Administration Command | T1609 | container-security skills |
### Persistence (TA0003) -- 28 skills
| Technique | ID | Primary Skills |
|-----------|----|---------------|
| Boot or Logon Autostart Execution | T1547 | analyzing-malware-persistence-with-autoruns, analyzing-windows-registry-for-artifacts |
| Scheduled Task/Job | T1053 | endpoint-security scheduled task skills |
| Create Account | T1136 | identity-access-management monitoring skills |
| Implant Internal Image | T1525 | container-security image scanning skills |
### Privilege Escalation (TA0004) -- 40 skills
| Technique | ID | Primary Skills |
|-----------|----|---------------|
| Exploitation for Privilege Escalation | T1068 | penetration-testing privilege escalation skills |
| Access Token Manipulation | T1134 | identity-access-management token skills |
| Container Escape | T1611 | container-security escape detection skills |
| Domain Policy Modification | T1484 | identity-access-management AD skills |
### Defense Evasion (TA0005) -- 25 skills
| Technique | ID | Primary Skills |
|-----------|----|---------------|
| Obfuscated Files or Information | T1027 | analyzing-packed-malware-with-upx-unpacker, malware deobfuscation skills |
| Masquerading | T1036 | threat-hunting detection skills |
| Rootkit | T1014 | analyzing-bootkit-and-rootkit-samples |
| Indicator Removal | T1070 | digital-forensics anti-forensics skills |
### Credential Access (TA0006) -- 30 skills
| Technique | ID | Primary Skills |
|-----------|----|---------------|
| OS Credential Dumping | T1003 | analyzing-memory-dumps-with-volatility, penetration-testing credential skills |
| Brute Force | T1110 | identity-access-management authentication skills |
| Steal Web Session Cookie | T1539 | web-application-security session skills |
| Unsecured Credentials | T1552 | cloud-security secrets management skills |
### Discovery (TA0007) -- 35 skills
| Technique | ID | Primary Skills |
|-----------|----|---------------|
| Network Service Discovery | T1046 | network-security scanning skills, penetration-testing recon |
| System Information Discovery | T1082 | threat-hunting system enumeration skills |
| Cloud Infrastructure Discovery | T1580 | cloud-security asset discovery skills |
| Account Discovery | T1087 | identity-access-management enumeration skills |
### Lateral Movement (TA0008) -- 28 skills
| Technique | ID | Primary Skills |
|-----------|----|---------------|
| Remote Services | T1021 | network-security remote access skills |
| Lateral Tool Transfer | T1570 | threat-hunting lateral movement detection skills |
| Use Alternate Authentication Material | T1550 | identity-access-management pass-the-hash skills |
| Exploitation of Remote Services | T1210 | penetration-testing exploitation skills |
### Collection (TA0009) -- 22 skills
| Technique | ID | Primary Skills |
|-----------|----|---------------|
| Data from Local System | T1005 | digital-forensics disk/file analysis skills |
| Data from Network Shared Drive | T1039 | threat-hunting data access monitoring skills |
| Email Collection | T1114 | analyzing-outlook-pst-for-email-forensics |
| Screen Capture | T1113 | malware-analysis behavior analysis skills |
### Command and Control (TA0011) -- 30 skills
| Technique | ID | Primary Skills |
|-----------|----|---------------|
| Application Layer Protocol | T1071 | analyzing-command-and-control-communication, network-security C2 detection |
| Encrypted Channel | T1573 | analyzing-network-covert-channels-in-malware |
| Ingress Tool Transfer | T1105 | analyzing-cobalt-strike-beacon-configuration |
| Proxy | T1090 | network-security proxy analysis skills |
### Exfiltration (TA0010) -- 20 skills
| Technique | ID | Primary Skills |
|-----------|----|---------------|
| Exfiltration Over C2 Channel | T1041 | analyzing-dns-logs-for-exfiltration |
| Exfiltration Over Alternative Protocol | T1048 | network-security protocol analysis skills |
| Exfiltration Over Web Service | T1567 | cloud-security data loss prevention skills |
### Impact (TA0040) -- 35 skills
| Technique | ID | Primary Skills |
|-----------|----|---------------|
| Data Encrypted for Impact | T1486 | analyzing-ransomware-encryption-mechanisms, 5 ransomware-defense skills |
| Service Stop | T1489 | incident-response service restoration skills |
| Inhibit System Recovery | T1490 | ransomware-defense recovery skills |
| Manipulation of Control | T0831 | ot-ics-security control system skills |
## Coverage Gaps
Areas where additional skills would improve ATT&CK coverage:
| Gap Area | ATT&CK Techniques | Recommendation |
|----------|-------------------|----------------|
| Firmware attacks | T1542 (Pre-OS Boot) | Add UEFI/firmware analysis skills |
| Audio/video capture | T1123, T1125 | Add surveillance detection skills |
| Cloud-specific lateral movement | T1550.001 (Web Session Cookie in cloud) | Expand cloud-security lateral movement |
| Hardware additions | T1200 | Add physical security assessment skills |
| Traffic signaling | T1205 | Add network covert channel detection skills |
mappings/nist-csf/README.md
+133
View File
@@ -0,0 +1,133 @@
# NIST Cybersecurity Framework 2.0 Mapping
This directory maps the cybersecurity skills in this repository to the [NIST Cybersecurity Framework (CSF) 2.0](https://www.nist.gov/cyberframework), published February 2024.
## Overview
NIST CSF 2.0 organizes cybersecurity activities into 6 core functions that represent the full lifecycle of managing cybersecurity risk. This mapping enables organizations to:
- **Align skill development** to their CSF implementation tier
- **Identify training gaps** across the CSF functions
- **Build role-based learning paths** using CSF categories
- **Automate compliance mapping** through AI agent queries
## CSF 2.0 Functions and Skill Alignment
### Govern (GV) -- Cybersecurity Risk Management Strategy
Establishing and monitoring the organization's cybersecurity risk management strategy, expectations, and policy.
| Category | ID | Mapped Subdomains | Skills |
|----------|-----|-------------------|--------|
| Organizational Context | GV.OC | compliance-governance | 5 |
| Risk Management Strategy | GV.RM | compliance-governance, vulnerability-management | 29 |
| Roles, Responsibilities, and Authorities | GV.RR | compliance-governance, identity-access-management | 38 |
| Policy | GV.PO | compliance-governance, zero-trust-architecture | 18 |
| Oversight | GV.OV | compliance-governance, soc-operations | 38 |
| Cybersecurity Supply Chain Risk Management | GV.SC | devsecops, container-security | 42 |
**Primary subdomains:** compliance-governance (5), identity-access-management (33), devsecops (16)
### Identify (ID) -- Understanding Organizational Cybersecurity Risk
Understanding the organization's current cybersecurity risks.
| Category | ID | Mapped Subdomains | Skills |
|----------|-----|-------------------|--------|
| Asset Management | ID.AM | cloud-security, container-security, network-security | 107 |
| Risk Assessment | ID.RA | vulnerability-management, threat-intelligence | 67 |
| Improvement | ID.IM | soc-operations, compliance-governance | 38 |
**Primary subdomains:** vulnerability-management (24), threat-intelligence (43), cloud-security (48)
### Protect (PR) -- Safeguarding Assets
Using safeguards to prevent or reduce cybersecurity risk.
| Category | ID | Mapped Subdomains | Skills |
|----------|-----|-------------------|--------|
| Identity Management, Authentication, and Access Control | PR.AA | identity-access-management, zero-trust-architecture | 46 |
| Awareness and Training | PR.AT | phishing-defense, compliance-governance | 21 |
| Data Security | PR.DS | cryptography, cloud-security, api-security | 89 |
| Platform Security | PR.PS | endpoint-security, container-security, devsecops | 58 |
| Technology Infrastructure Resilience | PR.IR | network-security, zero-trust-architecture | 46 |
**Primary subdomains:** zero-trust-architecture (13), devsecops (16), identity-access-management (33), cryptography (13)
### Detect (DE) -- Finding and Analyzing Cybersecurity Events
Finding and analyzing possible cybersecurity compromises and anomalies.
| Category | ID | Mapped Subdomains | Skills |
|----------|-----|-------------------|--------|
| Continuous Monitoring | DE.CM | soc-operations, threat-hunting, network-security | 101 |
| Adverse Event Analysis | DE.AE | threat-hunting, malware-analysis, soc-operations | 102 |
**Primary subdomains:** threat-hunting (35), soc-operations (33), malware-analysis (34)
### Respond (RS) -- Taking Action Regarding Detected Incidents
Managing and responding to detected cybersecurity incidents.
| Category | ID | Mapped Subdomains | Skills |
|----------|-----|-------------------|--------|
| Incident Management | RS.MA | incident-response, soc-operations | 57 |
| Incident Analysis | RS.AN | digital-forensics, malware-analysis, threat-intelligence | 111 |
| Incident Response Reporting and Communication | RS.CO | incident-response, compliance-governance | 29 |
| Incident Mitigation | RS.MI | incident-response, endpoint-security, network-security | 73 |
**Primary subdomains:** incident-response (24), digital-forensics (34), malware-analysis (34)
### Recover (RC) -- Restoring Capabilities After an Incident
Restoring assets and operations affected by a cybersecurity incident.
| Category | ID | Mapped Subdomains | Skills |
|----------|-----|-------------------|--------|
| Incident Recovery Plan Execution | RC.RP | incident-response, ransomware-defense | 29 |
| Incident Recovery Communication | RC.CO | incident-response, compliance-governance | 29 |
**Primary subdomains:** incident-response (24), ransomware-defense (5)
## Function Coverage Distribution
```
Govern (GV): ████████████░░░░░░░░ ~54 skills (compliance, IAM, devsecops)
Identify (ID): ██████████████████░░ ~115 skills (vuln-mgmt, threat-intel, cloud)
Protect (PR): ████████████████████ ~160 skills (IAM, ZTA, devsecops, crypto)
Detect (DE): ████████████████░░░░ ~102 skills (threat-hunting, SOC, malware)
Respond (RS): ██████████████████░░ ~111 skills (IR, forensics, malware)
Recover (RC): ████░░░░░░░░░░░░░░░░ ~29 skills (IR recovery, ransomware)
```
## How to Use This Mapping
### For Organizations
1. Determine your target CSF implementation tier (Partial, Risk Informed, Repeatable, Adaptive)
2. Identify your CSF function priorities
3. Use the category tables above to find relevant skill subdomains
4. Deploy skills from those subdomains to your team's training plan
### For AI Agents
Query skills by CSF function using subdomain filters:
```
# Find all Detect (DE) function skills
Filter: subdomain IN (threat-hunting, soc-operations, malware-analysis)
# Find all Protect (PR) function skills
Filter: subdomain IN (identity-access-management, zero-trust-architecture, devsecops, cryptography)
```
### For Security Teams
Use the alignment table in [`csf-alignment.md`](csf-alignment.md) for a complete subdomain-to-category cross-reference.
## References
- [NIST CSF 2.0 (February 2024)](https://www.nist.gov/cyberframework)
- [NIST SP 800-53 Rev. 5 Control Mapping](https://csrc.nist.gov/publications/detail/sp/800-53/rev-5/final)
- [CSF 2.0 Quick Start Guides](https://www.nist.gov/cyberframework/getting-started)
- [CSF 2.0 Reference Tool](https://csrc.nist.gov/Projects/Cybersecurity-Framework/Filters)
mappings/nist-csf/csf-alignment.md
+102
View File
@@ -0,0 +1,102 @@
# NIST CSF 2.0 Alignment Table
Complete mapping of each skill subdomain to NIST CSF 2.0 functions and categories.
## Subdomain-to-CSF Alignment
| Subdomain | Skills | GV | ID | PR | PR | DE | RS | RC |
|-----------|--------|-----|-----|-----|-----|-----|-----|-----|
| | | Govern | Identify | Protect | Protect | Detect | Respond | Recover |
### Detailed Alignment
| Subdomain (Skills) | Primary CSF Function | CSF Categories | Alignment Rationale |
|---------------------|---------------------|----------------|---------------------|
| api-security (28) | Protect (PR) | PR.DS, PR.PS | API hardening, authentication, input validation |
| cloud-security (48) | Identify (ID), Protect (PR) | ID.AM, PR.DS, PR.PS, PR.IR | Cloud asset management, data protection, infrastructure resilience |
| compliance-governance (5) | Govern (GV) | GV.OC, GV.RM, GV.RR, GV.PO, GV.OV | Risk strategy, policy, organizational oversight |
| container-security (26) | Protect (PR) | PR.PS, GV.SC | Platform security, supply chain risk management |
| cryptography (13) | Protect (PR) | PR.DS | Data confidentiality and integrity at rest and in transit |
| devsecops (16) | Protect (PR), Govern (GV) | PR.PS, GV.SC | Secure development lifecycle, supply chain security |
| digital-forensics (34) | Respond (RS) | RS.AN, RS.MA | Incident analysis, evidence collection and examination |
| endpoint-security (16) | Protect (PR), Detect (DE) | PR.PS, DE.CM, DE.AE | Endpoint hardening, continuous monitoring, threat detection |
| identity-access-management (33) | Protect (PR), Govern (GV) | PR.AA, GV.RR | Identity lifecycle, authentication, authorization, access governance |
| incident-response (24) | Respond (RS), Recover (RC) | RS.MA, RS.AN, RS.MI, RS.CO, RC.RP, RC.CO | Full incident lifecycle from detection through recovery |
| malware-analysis (34) | Detect (DE), Respond (RS) | DE.AE, RS.AN | Adverse event analysis, reverse engineering, threat characterization |
| mobile-security (12) | Protect (PR) | PR.PS, PR.DS | Mobile platform security, application data protection |
| network-security (33) | Protect (PR), Detect (DE) | PR.IR, DE.CM | Network infrastructure resilience, traffic monitoring |
| ot-ics-security (28) | Protect (PR), Detect (DE) | PR.PS, PR.IR, DE.CM | Industrial control system protection and monitoring |
| penetration-testing (23) | Identify (ID) | ID.RA | Risk assessment through offensive security testing |
| phishing-defense (16) | Protect (PR), Detect (DE) | PR.AT, DE.CM, DE.AE | Security awareness training, phishing detection |
| ransomware-defense (5) | Respond (RS), Recover (RC) | RS.MI, RC.RP | Ransomware mitigation and recovery planning |
| red-teaming (24) | Identify (ID) | ID.RA, ID.IM | Adversary simulation for risk assessment and program improvement |
| soc-operations (33) | Detect (DE), Respond (RS) | DE.CM, DE.AE, RS.MA | Continuous monitoring, alert triage, incident management |
| threat-hunting (35) | Detect (DE) | DE.CM, DE.AE | Proactive threat detection, hypothesis-driven analysis |
| threat-intelligence (43) | Identify (ID), Detect (DE) | ID.RA, DE.AE | Threat landscape understanding, intelligence-driven detection |
| vulnerability-management (24) | Identify (ID) | ID.RA, GV.RM | Vulnerability identification, risk assessment, remediation prioritization |
| web-application-security (41) | Protect (PR), Identify (ID) | PR.DS, PR.PS, ID.RA | Application security testing and hardening |
| zero-trust-architecture (13) | Protect (PR) | PR.AA, PR.IR | Zero trust access control and network segmentation |
## CSF Category Coverage Summary
### Govern (GV)
| Category | ID | Description | Subdomain Coverage |
|----------|-----|------------|-------------------|
| Organizational Context | GV.OC | Understanding the organizational mission and stakeholder expectations | compliance-governance |
| Risk Management Strategy | GV.RM | Risk management priorities, constraints, and appetite | compliance-governance, vulnerability-management |
| Roles, Responsibilities, and Authorities | GV.RR | Cybersecurity roles and authorities are established | compliance-governance, identity-access-management |
| Policy | GV.PO | Organizational cybersecurity policy is established | compliance-governance, zero-trust-architecture |
| Oversight | GV.OV | Results of cybersecurity activities are reviewed | compliance-governance, soc-operations |
| Cybersecurity Supply Chain Risk Management | GV.SC | Supply chain risks are managed | devsecops, container-security |
### Identify (ID)
| Category | ID | Description | Subdomain Coverage |
|----------|-----|------------|-------------------|
| Asset Management | ID.AM | Assets that enable the organization are identified and managed | cloud-security, container-security, network-security |
| Risk Assessment | ID.RA | The cybersecurity risk to the organization is understood | vulnerability-management, threat-intelligence, penetration-testing, red-teaming |
| Improvement | ID.IM | Improvements to organizational cybersecurity are identified | soc-operations, red-teaming, compliance-governance |
### Protect (PR)
| Category | ID | Description | Subdomain Coverage |
|----------|-----|------------|-------------------|
| Identity Management, Authentication, and Access Control | PR.AA | Access is limited to authorized users, services, and hardware | identity-access-management, zero-trust-architecture |
| Awareness and Training | PR.AT | Personnel are provided cybersecurity awareness and training | phishing-defense, compliance-governance |
| Data Security | PR.DS | Data are managed consistent with the organization's risk strategy | cryptography, cloud-security, api-security |
| Platform Security | PR.PS | Hardware, software, and services are managed consistent with risk strategy | endpoint-security, container-security, devsecops, ot-ics-security |
| Technology Infrastructure Resilience | PR.IR | Security architectures are managed to protect asset confidentiality, integrity, and availability | network-security, zero-trust-architecture, ot-ics-security |
### Detect (DE)
| Category | ID | Description | Subdomain Coverage |
|----------|-----|------------|-------------------|
| Continuous Monitoring | DE.CM | Assets are monitored to find anomalies and indicators of compromise | soc-operations, threat-hunting, network-security, endpoint-security |
| Adverse Event Analysis | DE.AE | Anomalies and potential adverse events are analyzed | threat-hunting, malware-analysis, soc-operations, threat-intelligence |
### Respond (RS)
| Category | ID | Description | Subdomain Coverage |
|----------|-----|------------|-------------------|
| Incident Management | RS.MA | Responses to detected incidents are managed | incident-response, soc-operations |
| Incident Analysis | RS.AN | Investigations are conducted to understand the incident | digital-forensics, malware-analysis, threat-intelligence |
| Incident Response Reporting and Communication | RS.CO | Response activities are coordinated with internal and external stakeholders | incident-response, compliance-governance |
| Incident Mitigation | RS.MI | Activities are performed to prevent expansion and mitigate effects | incident-response, endpoint-security, network-security |
### Recover (RC)
| Category | ID | Description | Subdomain Coverage |
|----------|-----|------------|-------------------|
| Incident Recovery Plan Execution | RC.RP | Restoration activities are performed to ensure operational availability | incident-response, ransomware-defense |
| Incident Recovery Communication | RC.CO | Restoration activities are coordinated with internal and external parties | incident-response, compliance-governance |
## Gap Analysis
| CSF Category | Current Coverage | Gap |
|-------------|-----------------|-----|
| GV.OC | Low (5 skills) | Need more organizational security context and mission alignment skills |
| GV.PO | Low | Need dedicated policy development and management skills |
| PR.AT | Moderate (16 skills) | Could expand security awareness training beyond phishing |
| RC.RP | Low (29 skills) | Need more disaster recovery and business continuity skills |
| RC.CO | Low | Need dedicated incident communication and stakeholder management skills |
mappings/owasp/README.md
+177
View File
@@ -0,0 +1,177 @@
# OWASP Top 10 (2025) Mapping
This directory maps the cybersecurity skills in this repository to the [OWASP Top 10](https://owasp.org/www-project-top-ten/) categories for web application security risks.
## Overview
The OWASP Top 10 represents the most critical security risks to web applications. This mapping connects hands-on skills to each risk category, enabling teams to build targeted training programs for secure development and application security testing.
## OWASP Top 10 2025 Skill Mapping
### A01:2025 -- Broken Access Control
Restrictions on what authenticated users are allowed to do are not properly enforced.
| Relevant Subdomains | Skills | Key Topics |
|---------------------|--------|------------|
| web-application-security | 41 | IDOR, privilege escalation, path traversal, CORS misconfiguration |
| identity-access-management | 33 | RBAC, ABAC, session management, OAuth/OIDC flaws |
| api-security | 28 | Broken object level authorization (BOLA), function level authorization |
| zero-trust-architecture | 13 | Least privilege enforcement, microsegmentation |
**Example skills:** Implementing RBAC, testing for IDOR vulnerabilities, configuring OAuth 2.0 securely, enforcing API authorization policies.
### A02:2025 -- Cryptographic Failures
Failures related to cryptography that lead to exposure of sensitive data.
| Relevant Subdomains | Skills | Key Topics |
|---------------------|--------|------------|
| cryptography | 13 | TLS configuration, key management, hashing, encryption at rest |
| web-application-security | 41 | HTTPS enforcement, cookie security flags, certificate validation |
| cloud-security | 48 | KMS configuration, secrets management, encryption in transit |
| api-security | 28 | API transport security, token encryption |
**Example skills:** Configuring TLS 1.3, implementing envelope encryption with KMS, securing JWT tokens, certificate pinning.
### A03:2025 -- Injection
User-supplied data is sent to an interpreter as part of a command or query without proper validation.
| Relevant Subdomains | Skills | Key Topics |
|---------------------|--------|------------|
| web-application-security | 41 | SQL injection, XSS, command injection, LDAP injection |
| api-security | 28 | GraphQL injection, NoSQL injection, header injection |
| devsecops | 16 | SAST/DAST scanning, input validation, parameterized queries |
| penetration-testing | 23 | Injection testing, payload crafting, WAF bypass |
**Example skills:** Exploiting and remediating SQL injection, testing for stored/reflected XSS, configuring parameterized queries, SAST pipeline integration.
### A04:2025 -- Insecure Design
Risks related to design and architectural flaws, calling for more use of threat modeling and secure design patterns.
| Relevant Subdomains | Skills | Key Topics |
|---------------------|--------|------------|
| devsecops | 16 | Threat modeling, secure SDLC, security requirements |
| zero-trust-architecture | 13 | Zero trust design principles, defense in depth |
| compliance-governance | 5 | Security architecture review, risk assessment frameworks |
| web-application-security | 41 | Business logic flaws, trust boundary definition |
**Example skills:** Conducting threat modeling with STRIDE, implementing secure design patterns, defining trust boundaries, security architecture review.
### A05:2025 -- Security Misconfiguration
Missing or incorrect security hardening across the application stack.
| Relevant Subdomains | Skills | Key Topics |
|---------------------|--------|------------|
| cloud-security | 48 | Cloud service misconfiguration, IAM policy errors, S3 bucket exposure |
| container-security | 26 | Container hardening, Kubernetes RBAC, pod security policies |
| network-security | 33 | Firewall rules, segmentation errors, default credentials |
| endpoint-security | 16 | OS hardening, unnecessary services, default configurations |
**Example skills:** Auditing AWS S3 bucket permissions, hardening Kubernetes clusters, configuring security headers, CIS benchmark compliance.
### A06:2025 -- Vulnerable and Outdated Components
Using components with known vulnerabilities or that are no longer maintained.
| Relevant Subdomains | Skills | Key Topics |
|---------------------|--------|------------|
| vulnerability-management | 24 | CVE tracking, vulnerability scanning, patch management |
| devsecops | 16 | SCA scanning, dependency management, SBOM generation |
| container-security | 26 | Image scanning, base image updates, registry security |
| web-application-security | 41 | Third-party library vulnerabilities, framework updates |
**Example skills:** Running Trivy container scans, implementing SCA in CI/CD, generating and analyzing SBOMs, CVE prioritization with CVSS/EPSS.
### A07:2025 -- Identification and Authentication Failures
Weaknesses in authentication and session management.
| Relevant Subdomains | Skills | Key Topics |
|---------------------|--------|------------|
| identity-access-management | 33 | MFA implementation, password policies, session fixation |
| web-application-security | 41 | Credential stuffing defense, brute force protection |
| api-security | 28 | API key management, OAuth token handling, JWT validation |
| phishing-defense | 16 | Credential phishing prevention, anti-phishing controls |
**Example skills:** Implementing FIDO2/WebAuthn, configuring adaptive MFA, securing API authentication, detecting credential stuffing attacks.
### A08:2025 -- Software and Data Integrity Failures
Failures related to code and infrastructure that do not protect against integrity violations.
| Relevant Subdomains | Skills | Key Topics |
|---------------------|--------|------------|
| devsecops | 16 | CI/CD pipeline security, code signing, artifact integrity |
| container-security | 26 | Image signing, admission control, supply chain verification |
| cryptography | 13 | Digital signatures, integrity hashing, code signing certificates |
| vulnerability-management | 24 | Supply chain risk, dependency integrity verification |
**Example skills:** Implementing Sigstore for container signing, securing CI/CD pipelines, verifying software supply chain integrity, content trust enforcement.
### A09:2025 -- Security Logging and Monitoring Failures
Insufficient logging, detection, monitoring, and active response.
| Relevant Subdomains | Skills | Key Topics |
|---------------------|--------|------------|
| soc-operations | 33 | SIEM configuration, log aggregation, alert tuning |
| threat-hunting | 35 | Log analysis, detection engineering, hypothesis-driven hunting |
| incident-response | 24 | Incident detection, log-based investigation, response automation |
| network-security | 33 | Network monitoring, flow analysis, IDS/IPS tuning |
**Example skills:** Analyzing security logs with Splunk, writing Sigma detection rules, configuring SIEM correlation rules, implementing centralized logging.
### A10:2025 -- Server-Side Request Forgery (SSRF)
Fetching a remote resource without validating the user-supplied URL.
| Relevant Subdomains | Skills | Key Topics |
|---------------------|--------|------------|
| web-application-security | 41 | SSRF exploitation, URL validation, allowlisting |
| cloud-security | 48 | IMDS exploitation, cloud metadata access, VPC endpoint security |
| api-security | 28 | API-to-API SSRF, webhook validation |
| penetration-testing | 23 | SSRF detection and exploitation techniques |
**Example skills:** Testing for SSRF vulnerabilities, securing cloud metadata endpoints (IMDSv2), implementing URL validation and allowlisting, detecting SSRF in API integrations.
## Cross-Reference: OWASP to ATT&CK
| OWASP Category | Related ATT&CK Techniques |
|---------------|--------------------------|
| A01: Broken Access Control | T1078 (Valid Accounts), T1548 (Abuse Elevation Control) |
| A02: Cryptographic Failures | T1557 (Adversary-in-the-Middle), T1040 (Network Sniffing) |
| A03: Injection | T1190 (Exploit Public-Facing App), T1059 (Command and Scripting) |
| A04: Insecure Design | T1195 (Supply Chain Compromise), cross-cutting |
| A05: Security Misconfiguration | T1574 (Hijack Execution Flow), T1190 |
| A06: Vulnerable Components | T1190 (Exploit Public-Facing App), T1195 |
| A07: Authentication Failures | T1110 (Brute Force), T1539 (Steal Web Session Cookie) |
| A08: Integrity Failures | T1195 (Supply Chain Compromise), T1554 (Compromise Client Software) |
| A09: Logging Failures | T1070 (Indicator Removal), T1562 (Impair Defenses) |
| A10: SSRF | T1190 (Exploit Public-Facing App) |
## Cross-Reference: OWASP to NIST CSF 2.0
| OWASP Category | NIST CSF Functions | CSF Categories |
|---------------|-------------------|----------------|
| A01: Broken Access Control | Protect | PR.AA |
| A02: Cryptographic Failures | Protect | PR.DS |
| A03: Injection | Protect, Detect | PR.DS, DE.AE |
| A04: Insecure Design | Govern, Protect | GV.RM, PR.PS |
| A05: Security Misconfiguration | Protect | PR.PS, PR.IR |
| A06: Vulnerable Components | Identify, Govern | ID.RA, GV.SC |
| A07: Authentication Failures | Protect | PR.AA |
| A08: Integrity Failures | Protect, Govern | PR.DS, GV.SC |
| A09: Logging Failures | Detect | DE.CM, DE.AE |
| A10: SSRF | Protect, Detect | PR.DS, DE.AE |
## References
- [OWASP Top 10 Project](https://owasp.org/www-project-top-ten/)
- [OWASP API Security Top 10](https://owasp.org/API-Security/) -- relevant for api-security subdomain
- [OWASP Mobile Top 10](https://owasp.org/www-project-mobile-top-10/) -- relevant for mobile-security subdomain
- [OWASP Testing Guide](https://owasp.org/www-project-web-security-testing-guide/)
- [OWASP ASVS](https://owasp.org/www-project-application-security-verification-standard/) -- Application Security Verification Standard