docs: update README for v1.2.0 — 5-framework coverage, 754 skills

chore: auto-update index.json
feat: add NIST CSF 2.0 nist_csf field to all 754 cybersecurity skills
2026-06-10 21:24:56 +03:00 · 2026-04-06 12:06:22 +02:00 · 2026-04-06 09:17:52 +00:00 · 2026-04-06 11:17:40 +02:00 · 2026-04-05 23:56:33 +00:00 · 2026-04-06 01:56:17 +02:00
769 changed files with 15535 additions and 4285 deletions
@@ -6,14 +6,14 @@
  },
  "metadata": {
    "description": "753 cybersecurity skills for AI agents and security practitioners covering web security, pentesting, forensics, threat intelligence, cloud security, and more.",
-    "version": "1.0.0"
+    "version": "1.1.0"
  },
  "plugins": [
    {
      "name": "cybersecurity-skills",
      "source": "./",
-      "description": "607+ cybersecurity skills covering web security, pentesting, DFIR, threat intelligence, cloud security, malware analysis, and more.",
-      "version": "1.0.0",
+      "descripyion": "753 cybersecurity skills covering web security, pentesting, DFIR, threat intelligence, cloud security, malware analysis, and more.",
+      "version": "1.1.0",
      "author": {
        "name": "mukul975"
      },
@@ -34,4 +34,4 @@
      "repository": "https://github.com/mukul975/Anthropic-Cybersecurity-Skills"
    }
  ]
-}
+}
@@ -0,0 +1,41 @@
+name: Sync Marketplace Version on Release
+
+on:
+  release:
+    types: [published]
+
+jobs:
+  sync-version:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: write
+
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          token: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Extract version from tag
+        id: version
+        run: |
+          VERSION=${GITHUB_REF_NAME#v}
+          echo "version=$VERSION" >> $GITHUB_OUTPUT
+          echo "tag=$GITHUB_REF_NAME" >> $GITHUB_OUTPUT
+
+      - name: Update marketplace.json version
+        env:
+          VERSION: ${{ steps.version.outputs.version }}
+        run: |
+          jq --arg v "$VERSION" 
+            '.metadata.version = $v | .plugins[].version = $v' 
+            .claude-plugin/marketplace.json > tmp.json
+          mv tmp.json .claude-plugin/marketplace.json
+          echo "Updated marketplace.json to version $VERSION"
+
+      - name: Commit and push
+        run: |
+          git config user.name "mukul975"
+          git config user.email "mukuljangra5@gmail.com"
+          git add .claude-plugin/marketplace.json
+          git diff --staged --quiet || git commit -m "chore: bump marketplace version to ${{ steps.version.outputs.tag }}"
+          git push
@@ -5,6 +5,8 @@ on:
    branches: [main]
    paths:
      - 'skills/**'
+      - '.github/workflows/update-index.yml'
+  workflow_dispatch:

 jobs:
  update-index:
@@ -19,7 +21,7 @@ jobs:
      - name: Regenerate index.json
        run: |
          python3 << 'EOF'
-          import os, json
+          import os, json, re
          from datetime import datetime, timezone

          skills_dir = "skills"
@@ -45,7 +47,7 @@ jobs:
              })

          index = {
-              "version": "1.0.0",
+              "version": "1.1.0",
              "generated_at": datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ"),
              "repository": "https://github.com/mukul975/Anthropic-Cybersecurity-Skills",
              "domain": "cybersecurity",
@@ -467,6 +467,43 @@ To regenerate: `python3 extract_attack.py`

 ---

+## MITRE ATLAS Coverage (v5.5.0)
+
+81 skills mapped to ATLAS adversarial ML techniques.
+
+Key techniques applied:
+- AML.T0051 — LLM Prompt Injection (Execution)
+- AML.T0054 — LLM Jailbreak (Privilege Escalation)
+- AML.T0088 — Generate Deepfakes (AI Attack Staging)
+- AML.T0010 — AI Supply Chain Compromise (Initial Access)
+- AML.T0020 — Poison Training Data (Resource Development)
+- AML.T0070 — RAG Poisoning (Persistence)
+- AML.T0080 — AI Agent Context Poisoning (Persistence)
+- AML.T0056 — Extract LLM System Prompt (Exfiltration)
+
+## MITRE D3FEND Coverage (v1.3)
+
+11 skills mapped to D3FEND defensive countermeasures.
+
+Countermeasures applied span D3FEND tactical categories:
+Harden, Detect, Isolate, Deceive, Evict, Restore.
+Each skill's d3fend_techniques field lists the top 5 most relevant
+defensive countermeasures derived from the skill's ATT&CK technique tags.
+
+## NIST AI RMF Coverage (AI 100-1)
+
+85 skills mapped to NIST AI Risk Management Framework subcategories.
+
+Core functions covered:
+- GOVERN: Organizational accountability for AI risk (GOVERN-1.1, GOVERN-6.1, GOVERN-6.2)
+- MAP: AI risk identification and context (MAP-5.1, MAP-5.2, MAP-1.6)
+- MEASURE: AI risk analysis and evaluation (MEASURE-2.5, MEASURE-2.7, MEASURE-2.8, MEASURE-2.11)
+- MANAGE: AI risk response and recovery (MANAGE-2.4, MANAGE-3.1)
+
+GenAI-specific subcategories applied: GOVERN-6.1, GOVERN-6.2 (responsible deployment policies).
+
+---
+
 <p align="center">
  <sub>Part of <a href="https://github.com/mukul975/Anthropic-Cybersecurity-Skills">Anthropic Cybersecurity Skills</a> — 753+ open-source cybersecurity skills for AI agents</sub>
 </p>
@@ -0,0 +1,32 @@
+cff-version: 1.2.0
+message: "If you use this repository in your research, tools, or publications, please cite it as below."
+type: software
+title: "Anthropic-Cybersecurity-Skills"
+abstract: >
+  A structured collection of 753 cybersecurity skills for AI agents, covering
+  penetration testing, digital forensics, threat intelligence, incident response,
+  cloud security, OT/SCADA security, AI security, and more. Each skill follows
+  a standardized format with YAML frontmatter metadata, step-by-step procedures,
+  tool commands, expected outputs, and MITRE ATT&CK mappings. Compatible with
+  Claude Code, GitHub Copilot, Cursor, Windsurf, Gemini CLI, and 20+ AI agent
+  platforms.
+authors:
+  - name: "Mahipal"
+    email: mukuljangra5@gmail.com
+    alias: mukul975
+repository-code: "https://github.com/mukul975/Anthropic-Cybersecurity-Skills"
+url: "https://github.com/mukul975/Anthropic-Cybersecurity-Skills"
+license: Apache-2.0
+version: "1.1.0"
+date-released: "2026-03-21"
+keywords:
+  - cybersecurity
+  - AI agents
+  - skills
+  - penetration testing
+  - digital forensics
+  - threat intelligence
+  - incident response
+  - MITRE ATT&CK
+  - Claude Code
+  - open source
@@ -1,165 +1,196 @@
 <p align="center">
-  <img src="assets/banner.png" alt="Anthropic Cybersecurity Skills — 734+ skills for AI agents" width="100%" />
+  <img src="assets/banner.png" alt="Anthropic Cybersecurity Skills" width="100%">
 </p>

 <p align="center">
-  <a href="https://opensource.org/licenses/Apache-2.0"><img src="https://img.shields.io/badge/License-Apache_2.0-blue.svg?style=for-the-badge" alt="License: Apache 2.0" /></a>
-  <a href="https://github.com/mukul975/Anthropic-Cybersecurity-Skills/stargazers"><img src="https://img.shields.io/github/stars/mukul975/Anthropic-Cybersecurity-Skills?style=for-the-badge&logo=github" alt="GitHub Stars" /></a>
-  <a href="https://github.com/mukul975/Anthropic-Cybersecurity-Skills/network/members"><img src="https://img.shields.io/github/forks/mukul975/Anthropic-Cybersecurity-Skills?style=for-the-badge&logo=github" alt="GitHub Forks" /></a>
-  <a href="https://github.com/mukul975/Anthropic-Cybersecurity-Skills/commits"><img src="https://img.shields.io/github/last-commit/mukul975/Anthropic-Cybersecurity-Skills?style=for-the-badge&logo=github" alt="Last Commit" /></a>
-  <a href="https://github.com/mukul975/Anthropic-Cybersecurity-Skills"><img src="https://img.shields.io/badge/Skills-734+-blueviolet?style=for-the-badge&logo=bookstack&logoColor=white" alt="734+ Skills" /></a>
-  <a href="https://attack.mitre.org/"><img src="https://img.shields.io/badge/MITRE_ATT%26CK-Mapped-red?style=for-the-badge&logo=shield&logoColor=white" alt="MITRE ATT&CK Mapped" /></a>
-  <a href="https://github.com/mukul975/Anthropic-Cybersecurity-Skills/graphs/contributors"><img src="https://img.shields.io/github/contributors/mukul975/Anthropic-Cybersecurity-Skills?style=for-the-badge&logo=github" alt="Contributors" /></a>
+  <a href="LICENSE"><img src="https://img.shields.io/badge/license-Apache%202.0-blue.svg" alt="License"></a>
+  <a href="https://github.com/mukul975/Anthropic-Cybersecurity-Skills/stargazers"><img src="https://img.shields.io/github/stars/mukul975/Anthropic-Cybersecurity-Skills?style=social" alt="Stars"></a>
+  <a href="#️-framework-coverage"><img src="https://img.shields.io/badge/frameworks-5%20mapped-brightgreen.svg" alt="Frameworks"></a>
+  <a href="#️-whats-inside"><img src="https://img.shields.io/badge/skills-754-orange.svg" alt="Skills"></a>
+  <a href="https://agentskills.io"><img src="https://img.shields.io/badge/standard-agentskills.io-purple.svg" alt="agentskills.io"></a>
+  <a href="#-compatible-platforms"><img src="https://img.shields.io/badge/platforms-26%2B-blue.svg" alt="Platforms"></a>
 </p>

 <p align="center">
-  <b>The largest open-source collection of cybersecurity skills for AI agents.<br/>734+ structured skills · MITRE ATT&CK mapped · NIST CSF 2.0 aligned · <a href="https://agentskills.io">agentskills.io</a> open standard</b>
+  <strong>754 production-grade cybersecurity skills for AI agents — mapped to 5 industry frameworks</strong>
 </p>

 <p align="center">
-  <a href="https://mahipal.engineer/Anthropic-Cybersecurity-Skills/">🌐 Landing Page</a> · <a href="https://github.com/mukul975/Anthropic-Cybersecurity-Skills/releases/tag/v1.0.0">📦 v1.0.0 Release</a> · <a href="https://github.com/mukul975/Anthropic-Cybersecurity-Skills/issues">🐛 Report Bug</a> · <a href="https://github.com/mukul975/Anthropic-Cybersecurity-Skills/issues">💡 Request Feature</a>
+  <em>MITRE ATT&CK · NIST CSF 2.0 · MITRE ATLAS · MITRE D3FEND · NIST AI RMF</em>
 </p>

+> ⚠️ **Community Project** — This is an independent, community-created project. Not affiliated with Anthropic PBC.
+
 ---

-Anthropic Cybersecurity Skills gives every AI agent — from Claude Code to GitHub Copilot to your custom LangChain pipeline — instant access to **734+ production-grade cybersecurity skills** spanning 26 security domains. Each skill follows the [agentskills.io](https://agentskills.io) open standard: a YAML frontmatter header for lightning-fast discovery, a structured Markdown body for step-by-step execution, and reference files for deep technical context. The entire collection is mapped to **MITRE ATT&CK** (all 14 Enterprise tactics, 200+ techniques) and aligned to **NIST CSF 2.0** — giving AI agents the same structured knowledge that senior security practitioners carry in their heads. Install in one command and your agent immediately knows how to perform memory forensics, hunt for C2 beaconing, audit Kubernetes RBAC, reverse .NET malware, and hundreds more tasks.
+## Why this exists

-## 📑 Table of contents
+AI agents are transforming cybersecurity — but they lack structured domain knowledge. A junior analyst knows which Volatility3 plugin to run on a suspicious memory dump. Your AI agent doesn't — unless you give it the skills.

- [🚀 Quick start](#-quick-start--install-cybersecurity-skills-for-ai-agents)
- [🛡️ What's inside](#️-whats-inside--734-cybersecurity-skills-across-26-domains)
- [🤖 Compatible platforms](#-compatible-ai-agent-platforms)
- [📐 Skill structure](#-skill-structure-and-agentskillsio-format)
- [🗺️ MITRE ATT&CK coverage](#️-mitre-attck-and-nist-csf-20-coverage)
- [🧠 How AI agents use these skills](#-how-ai-agents-use-these-cybersecurity-skills)
- [📝 Example skills](#-example-cybersecurity-skills)
- [👥 Contributors](#-contributors)
- [🤝 Contributing](#-contributing-to-cybersecurity-ai-skills)
- [⭐ Star history](#-star-history)
- [🌐 Community](#-community)
- [📄 License](#-license)
+**Anthropic Cybersecurity Skills** gives every AI agent instant access to **754 production-grade cybersecurity skills** spanning 26 security domains. Each skill follows the [agentskills.io](https://agentskills.io) open standard: YAML frontmatter for lightning-fast discovery, structured Markdown for step-by-step execution, and reference files for deep technical context.

---
+**What makes v1.2.0 different from every other security skills repo:**

-## 🚀 Quick start — install cybersecurity skills for AI agents
+- **5-framework mapping** — Every skill is mapped to MITRE ATT&CK, NIST CSF 2.0, MITRE ATLAS v5.5, MITRE D3FEND v1.3, and NIST AI RMF 1.0. No other open-source library does this.
+- **AI-native format** — Skills cost ~30 tokens to scan, provide full expert-level guidance when triggered, and work across 26+ AI agent platforms.
+- **Real practitioner knowledge** — Not generated summaries. Structured workflows that mirror how senior security professionals actually work.

-Get up and running in under 30 seconds. Choose your preferred method:
-
-### Option 1 · npx (recommended)
+## 🚀 Quick start

 ```bash
+# Option 1: npx (recommended)
 npx skills add mukul975/Anthropic-Cybersecurity-Skills
-```

-### Option 2 · Claude Code plugin marketplace
-
-```
+# Option 2: Claude Code
 /plugin marketplace add mukul975/Anthropic-Cybersecurity-Skills
-```

-### Option 3 · Manual clone
-
-```bash
+# Option 3: Manual clone
 git clone https://github.com/mukul975/Anthropic-Cybersecurity-Skills.git
 cd Anthropic-Cybersecurity-Skills
 ```

-> **That's it.** Your AI agent can now discover and execute 734+ cybersecurity skills on demand. No configuration, no API keys, no setup scripts.
+Works immediately with Claude Code, GitHub Copilot, OpenAI Codex CLI, Cursor, Gemini CLI, and any MCP-compatible agent.

---
+## 📖 Table of contents

-## 🛡️ What's inside — 734+ cybersecurity skills across 26 domains
+- [🛡️ What's inside](#️-whats-inside)
+- [🗺️ Framework coverage](#️-framework-coverage)
+- [🤖 Compatible platforms](#-compatible-platforms)
+- [📐 Skill structure](#-skill-structure)
+- [🧠 How AI agents use these skills](#-how-ai-agents-use-these-skills)
+- [📝 Example skills](#-example-skills)
+- [👥 Contributing](#-contributing)
+- [⭐ Star history](#-star-history)
+- [📄 License](#-license)

-Every skill is a self-contained directory with structured workflows, reference materials, helper scripts, and validation steps. Here are the top 16 domains:
+## 🛡️ What's inside
+
+**754 skills across 26 security domains:**

 | Domain | Skills | Example capabilities |
-|:-------|:------:|:---------------------|
-| ☁️ **Cloud Security** | **48** | AWS S3 bucket audit, Azure AD config review, GCP IAM assessment |
-| 🌐 **Web Application Security** | **45** | HTTP request smuggling, XSS with Burp Suite, web cache poisoning |
-| 🔌 **Network Security** | **41** | Wireshark traffic analysis, VLAN segmentation, Suricata IDS tuning |
-| 🎯 **Penetration Testing** | **38** | Active Directory exploitation, OSCP-style methodology, pivoting |
-| 🔴 **Red Teaming** | **35** | Cobalt Strike operations, LOTL techniques, evasion & persistence |
-| 🔍 **DFIR** | **32** | Disk imaging, memory forensics with Volatility3, browser forensics |
-| 🦠 **Malware Analysis** | **28** | Ghidra reverse engineering, YARA rules, .NET decompilation |
-| 📡 **Threat Intelligence** | **26** | APT group analysis with MITRE Navigator, campaign attribution |
-| ☸️ **Cloud Native / Kubernetes** | **24** | etcd security assessment, pod security policies, RBAC audit |
-| 📋 **Compliance & Governance** | **22** | PCI DSS scoping, SOC 2 readiness, GDPR data mapping |
-| 🔑 **IAM Security** | **20** | SAML SSO with Okta, PAM deployment, service account hardening |
-| 🔐 **Cryptography** | **18** | TLS configuration audit, certificate lifecycle, key management |
-| 🏰 **Zero Trust** | **16** | Microsegmentation, BeyondCorp implementation, continuous verification |
-| 🏭 **OT / ICS Security** | **14** | SCADA monitoring, Modbus anomaly detection, Purdue model |
-| 🔧 **DevSecOps** | **12** | Pipeline security gates, SAST/DAST integration, IaC scanning |
-| 🕵️ **OSINT** | **15** | Domain reconnaissance, social engineering recon, dark web monitoring |
-| ➕ **Additional domains (10+)** | **300+** | SOC operations, API security, endpoint security, phishing defense, ransomware defense, mobile security, deception technology, and more |
-| | **734+** | **Total skills across 26 domains** |
+|--------|--------|---------------------|
+| ☁️ Cloud Security | 60 | AWS S3 bucket audit, Azure AD config review, GCP IAM assessment |
+| 🔍 Threat Hunting | 55 | C2 beaconing detection, DNS tunneling analysis, living-off-the-land |
+| 📡 Threat Intelligence | 50 | APT group analysis with MITRE Navigator, campaign attribution, IOC enrichment |
+| 🌐 Web Application Security | 42 | HTTP request smuggling, XSS with Burp Suite, web cache poisoning |
+| 🔌 Network Security | 40 | Wireshark traffic analysis, VLAN segmentation, Suricata IDS tuning |
+| 🦠 Malware Analysis | 39 | Ghidra reverse engineering, YARA rules, .NET decompilation |
+| 🔎 Digital Forensics | 37 | Disk imaging with dd/dcfldd, Volatility3 memory forensics, browser artifacts |
+| 📊 Security Operations | 36 | SIEM correlation rules, alert triage workflows, SOC playbooks |
+| 🔑 IAM Security | 35 | SAML SSO with Okta, PAM deployment, service account hardening |
+| 🖥️ SOC Operations | 33 | Tier 1-3 escalation procedures, incident classification, metrics tracking |
+| ☸️ Container Security | 30 | Kubernetes RBAC audit, pod security policies, etcd encryption |
+| 🏭 OT/ICS Security | 28 | SCADA monitoring, Modbus anomaly detection, Purdue model enforcement |
+| 🔗 API Security | 28 | OAuth2 flow analysis, rate limiting, API gateway hardening |
+| 🎯 Vulnerability Management | 25 | Nessus scanning, CVSS scoring, risk-based prioritization |
+| 🚨 Incident Response | 25 | Containment procedures, evidence preservation, post-incident review |
+| 🔴 Red Teaming | 24 | Cobalt Strike operations, LOTL techniques, evasion & persistence |
+| 🎯 Penetration Testing | 23 | Active Directory exploitation, OSCP-style methodology, pivoting |
+| 💻 Endpoint Security | 17 | EDR deployment, host-based detection, anti-tamper configuration |
+| 🔧 DevSecOps | 17 | Pipeline security gates, SAST/DAST integration, IaC scanning |
+| 🎣 Phishing Defense | 16 | Email header analysis, phishing simulation, DMARC/DKIM/SPF |
+| 🕵️ OSINT | 15 | Domain reconnaissance, social engineering recon, dark web monitoring |
+| 🔐 Cryptography | 14 | TLS configuration audit, certificate lifecycle, key management |
+| 🏰 Zero Trust | 13 | Microsegmentation, BeyondCorp implementation, continuous verification |
+| 📱 Mobile Security | 12 | APK analysis with APKTool, iOS forensics, MDM bypass detection |
+| 🛡️ Ransomware Defense | 7 | Backup validation, recovery procedures, negotiation awareness |
+| 🪤 Deception Technology | 5 | Honeypot deployment, honey tokens, decoy credential monitoring |
+| **TOTAL** | **754** | |

---
+## 🗺️ Framework coverage

-## 🤖 Compatible AI agent platforms
+v1.2.0 maps every skill to **5 industry-standard frameworks** — a first for any open-source cybersecurity skills library.

-Skills follow the [agentskills.io](https://agentskills.io) open standard — **write once, use everywhere**. Any platform that reads `SKILL.md` files with YAML frontmatter works out of the box.
+### MITRE ATT&CK Enterprise — 754/754 skills mapped

-### AI code assistants
+All 14 Enterprise tactics covered with 200+ technique mappings:

-| Platform | Status | Install method |
-|:---------|:------:|:---------------|
-| **Claude Code** (Anthropic) | ✅ | `/plugin marketplace add mukul975/Anthropic-Cybersecurity-Skills` |
-| **GitHub Copilot** (Microsoft) | ✅ | Place in `.github/skills` directory |
-| **Cursor** | ✅ | `npx skills add` or manual clone |
-| **Windsurf** | ✅ | `npx skills add` or manual clone |
-| **Cline** | ✅ | `npx skills add` or manual clone |
-| **Aider** | ✅ | `npx skills add` or manual clone |
-| **Continue** | ✅ | `npx skills add` or manual clone |
-| **Roo Code** | ✅ | `npx skills add` or manual clone |
-| **Amazon Q Developer** | ✅ | `npx skills add` or manual clone |
-| **Tabnine** | ✅ | `npx skills add` or manual clone |
-| **Sourcegraph Cody** | ✅ | `npx skills add` or manual clone |
-| **JetBrains AI** | ✅ | `npx skills add` or manual clone |
+| Tactic | ID | Skills |
+|--------|----|--------|
+| Reconnaissance | TA0043 | 45+ |
+| Resource Development | TA0042 | 30+ |
+| Initial Access | TA0001 | 55+ |
+| Execution | TA0002 | 60+ |
+| Persistence | TA0003 | 50+ |
+| Privilege Escalation | TA0004 | 55+ |
+| Defense Evasion | TA0005 | 65+ |
+| Credential Access | TA0006 | 45+ |
+| Discovery | TA0007 | 50+ |
+| Lateral Movement | TA0008 | 40+ |
+| Collection | TA0009 | 35+ |
+| Command and Control | TA0011 | 40+ |
+| Exfiltration | TA0010 | 30+ |
+| Impact | TA0040 | 35+ |

-### CLI agents
+### NIST CSF 2.0 — 754/754 skills aligned

-| Platform | Status | Install method |
-|:---------|:------:|:---------------|
-| **OpenAI Codex CLI** | ✅ | `npx skills add` — reads from `~/.codex/skills` |
-| **Gemini CLI** (Google) | ✅ | `npx skills add` or manual clone |
+| Function | Skills | Coverage areas |
+|----------|--------|---------------|
+| Govern (GV) | 80+ | Policy, risk strategy, supply chain oversight |
+| Identify (ID) | 120+ | Asset management, risk assessment, improvement |
+| Protect (PR) | 150+ | Access control, awareness, data security, platform security |
+| Detect (DE) | 200+ | Continuous monitoring, adverse event analysis |
+| Respond (RS) | 160+ | Incident management, analysis, mitigation, reporting |
+| Recover (RC) | 44+ | Recovery planning, execution, communication |

-### Autonomous agents
+### 🆕 MITRE ATLAS v5.5 — 81 skills (NEW in v1.2.0)

-| Platform | Status | Install method |
-|:---------|:------:|:---------------|
-| **Devin** | ✅ | Point to cloned skill directory |
-| **Replit Agent** | ✅ | Import via repo URL |
-| **SWE-agent** | ✅ | Mount skill directory |
-| **OpenHands** | ✅ | Mount skill directory |
+AI-specific adversarial threat coverage including:
+- ML model poisoning and evasion techniques
+- AI supply chain compromise scenarios
+- LLM prompt injection defense workflows
+- AI agent tool abuse detection
+- Agentic AI escape-to-host prevention

-### Agent frameworks & SDKs
+### 🆕 MITRE D3FEND v1.3 — 139 skills (NEW in v1.2.0)

-| Platform | Status | Install method |
-|:---------|:------:|:---------------|
-| **LangChain** | ✅ | Load `SKILL.md` files as tool descriptions |
-| **CrewAI** | ✅ | Load as agent knowledge base |
-| **AutoGen** | ✅ | Load as agent knowledge base |
-| **Semantic Kernel** | ✅ | Load as plugins |
-| **Haystack** | ✅ | Ingest via document store |
-| **Vercel AI SDK** | ✅ | Load as tool definitions |
-| **Any MCP-compatible agent** | ✅ | Via MCP tool integration |
+Defensive technique mappings across all 7 D3FEND tactics:
+- **Model** (27 techniques) — Threat modeling, attack surface analysis
+- **Harden** (51 techniques) — System hardening, configuration management
+- **Detect** (90 techniques) — Monitoring, anomaly detection, behavioral analysis
+- **Isolate** (57 techniques) — Segmentation, sandboxing, containment
+- **Deceive** (11 techniques) — Honeypots, decoys, misdirection
+- **Evict** (19 techniques) — Threat removal, credential rotation
+- **Restore** (12 techniques) — Backup, recovery, resilience

---
+### 🆕 NIST AI RMF 1.0 — 85 skills (NEW in v1.2.0)

-## 📐 Skill structure and agentskills.io format
+AI risk management coverage aligned with the four core functions:
+- **Govern** — AI governance, accountability, organizational policies
+- **Map** — AI system context, risk identification, stakeholder analysis
+- **Measure** — AI risk metrics, testing, validation
+- **Manage** — AI risk treatment, monitoring, continuous improvement

-Every skill lives in its own directory under `skills/` and follows a consistent structure:
+> 💡 **Why 5 frameworks matter:** Organizations face overlapping compliance requirements. A single skill like "analyzing-network-traffic-of-malware" maps to ATT&CK T1071 (Application Layer Protocol), NIST CSF DE.CM (Continuous Monitoring), ATLAS AML.T0047 (Evade ML Model), D3FEND D3-NTA (Network Traffic Analysis), and AI RMF MEASURE 2.6 (AI system monitoring). One skill, five compliance checkboxes.
+
+## 🤖 Compatible platforms
+
+**AI code assistants:**
+Claude Code (Anthropic) · GitHub Copilot (Microsoft) · Cursor · Windsurf · Cline · Aider · Continue · Roo Code · Amazon Q Developer · Tabnine · Sourcegraph Cody · JetBrains AI
+
+**CLI agents:**
+OpenAI Codex CLI · Gemini CLI (Google)
+
+**Autonomous agents:**
+Devin · Replit Agent · SWE-agent · OpenHands
+
+**Agent frameworks & SDKs:**
+LangChain · CrewAI · AutoGen · Semantic Kernel · Haystack · Vercel AI SDK · Any MCP-compatible agent
+
+## 📐 Skill structure
+
+Every skill follows the [agentskills.io](https://agentskills.io) open standard:

 ```
 skills/performing-memory-forensics-with-volatility3/
 ├── SKILL.md              # Skill definition (YAML frontmatter + Markdown body)
-│   ├── Frontmatter       #   → name, description, domain, subdomain, tags
+│   ├── Frontmatter       #   → name, description, domain, tags, frameworks
 │   ├── When to Use       #   → Trigger conditions for AI agents
 │   ├── Prerequisites     #   → Required tools, access, environment
-│   ├── Workflow           #   → Step-by-step execution guide
+│   ├── Workflow          #   → Step-by-step execution guide
 │   └── Verification      #   → How to confirm success
 ├── references/
-│   ├── standards.md      # NIST, MITRE ATT&CK, CVE references
+│   ├── standards.md      # MITRE ATT&CK, ATLAS, D3FEND, NIST mappings
 │   └── workflows.md      # Deep technical procedure reference
 ├── scripts/
 │   └── process.py        # Practitioner helper scripts
@@ -167,423 +198,114 @@ skills/performing-memory-forensics-with-volatility3/
    └── template.md       # Checklists, report templates
 ```

-### YAML frontmatter (the discovery layer)
+**YAML frontmatter example:**

 ```yaml
 ---
 name: performing-memory-forensics-with-volatility3
-description: >-
-  Analyze memory dumps to extract running processes, network connections,
-  injected code, and malware artifacts using Volatility3 framework.
-domain: cybersecurity
-subdomain: digital-forensics
-tags: [forensics, memory-analysis, volatility3, incident-response, dfir]
-version: "1.0"
-author: mukul975
-license: Apache-2.0
---
-```
-
-**Required fields:** `name` (kebab-case, 1–64 chars), `description` (keyword-rich for agent discovery), `domain`, `subdomain`, `tags`
-
-**Optional fields:** `version`, `author`, `license`
-
---
-
-## 🗺️ MITRE ATT&CK and NIST CSF 2.0 coverage
-
-This collection provides **comprehensive coverage** of the two most widely adopted cybersecurity frameworks in the industry.
-
-### MITRE ATT&CK Enterprise
-
-All **14 Enterprise tactics** are covered, with skills mapped to **200+ individual techniques**:
-
-| Tactic | Coverage | Example skills |
-|:-------|:--------:|:---------------|
-| Reconnaissance | ✅ | OSINT gathering, domain enumeration, social engineering recon |
-| Resource Development | ✅ | Infrastructure profiling, certificate analysis |
-| Initial Access | ✅ | Phishing analysis, exploit detection, supply chain review |
-| Execution | ✅ | Script analysis, command-line forensics, scheduled task audit |
-| Persistence | ✅ | Registry analysis, startup item review, implant detection |
-| Privilege Escalation | ✅ | Token manipulation detection, UAC bypass analysis |
-| Defense Evasion | ✅ | Process injection detection, obfuscation analysis |
-| Credential Access | ✅ | Credential dumping detection, Kerberoasting defense |
-| Discovery | ✅ | Network scanning detection, AD enumeration monitoring |
-| Lateral Movement | ✅ | Pass-the-hash detection, RDP abuse monitoring |
-| Collection | ✅ | Data staging detection, screen capture forensics |
-| Command and Control | ✅ | C2 beaconing detection, DNS tunneling analysis |
-| Exfiltration | ✅ | Data transfer monitoring, covert channel detection |
-| Impact | ✅ | Ransomware response, data destruction forensics |
-
-### NIST CSF 2.0 alignment
-
-Every skill maps to one or more **NIST Cybersecurity Framework 2.0** functions:
-
- **Identify (ID)** — Asset management, risk assessment, governance skills
- **Protect (PR)** — Access control, awareness training, data security skills
- **Detect (DE)** — Anomaly detection, continuous monitoring, event analysis skills
- **Respond (RS)** — Incident response, mitigation, communication skills
- **Recover (RC)** — Recovery planning, improvement, communication skills
-
-> An ATT&CK Navigator layer file is included in the v1.0.0 release for visual coverage mapping.
-
---
-
-## 🧠 How AI agents use these cybersecurity skills
-
-Skills use a **progressive disclosure pattern** that minimizes token usage while maximizing agent capability. Here's what happens when you ask your AI agent to "analyze this memory dump for signs of compromise":
-
-### Stage 1 · Discovery (~30–50 tokens per skill)
-
-The agent scans **only YAML frontmatter** across all 734+ skills. Each scan costs ~30–50 tokens — the entire collection can be indexed for under 40K tokens. The agent matches your task against `name`, `description`, `subdomain`, and `tags` fields to find relevant skills.
-
-```yaml
-# Agent reads ONLY this:
-name: performing-memory-forensics-with-volatility3
-description: Analyze memory dumps to extract processes, network connections, and malware artifacts using Volatility3.
-subdomain: digital-forensics
-tags: [forensics, memory-analysis, volatility3, incident-response]
-```
-
-### Stage 2 · Full workflow load (~200–500 tokens)
-
-Once a skill matches, the agent loads the **complete `SKILL.md` body** — trigger conditions, prerequisites, step-by-step workflow, and verification checks. This gives the agent a structured playbook to follow.
-
-### Stage 3 · Deep reference access (on demand)
-
-For complex tasks, the agent pulls in **supporting files** from `references/`, `scripts/`, and `assets/` — NIST standards mappings, detailed technical procedures, helper scripts, and report templates. These files are loaded only when the agent needs deeper context.
-
-> **Result:** Irrelevant skills cost ~30 tokens. Relevant skills provide complete, structured, expert-level guidance. No wasted context window.
-
---
-
-## 📝 Example cybersecurity skills
-
-<details>
-<summary><b>🔍 Memory forensics with Volatility3</b> — DFIR domain</summary>
-
-````yaml
---
-name: performing-memory-forensics-with-volatility3
 description: >-
  Analyze memory dumps to extract running processes, network connections,
  injected code, and malware artifacts using the Volatility3 framework.
 domain: cybersecurity
 subdomain: digital-forensics
 tags: [forensics, memory-analysis, volatility3, incident-response, dfir]
-version: "1.0"
+atlas_techniques: [AML.T0047]
+d3fend_techniques: [D3-MA, D3-PSMD]
+nist_ai_rmf: [MEASURE-2.6]
+nist_csf: [DE.CM-01, RS.AN-03]
+version: "1.2"
 author: mukul975
 license: Apache-2.0
 ---
-
-## When to Use
-
- Incident responder needs to analyze a memory dump from a compromised host
- Investigating potential malware infection or lateral movement
- Extracting indicators of compromise (IOCs) from volatile memory
- Identifying injected code, hidden processes, or rootkit activity
- Memory dump file (.raw, .mem, .dmp, .vmem) is available for analysis
-
-## Prerequisites
-
- **Volatility3** installed (`pip install volatility3`)
- Memory dump file acquired from target system
- **Python 3.8+** runtime environment
- Symbol tables for target OS (auto-downloaded by Volatility3)
- Sufficient disk space for analysis output (~2x memory dump size)
-
-## Workflow
-
-### Step 1 — Identify the operating system profile
-
-Run the banner and `windows.info` (or `linux.info` / `mac.info`) plugin to
-auto-detect the OS version and confirm the dump is valid:
-
-```bash
-vol -f memory.raw windows.info
 ```

-### Step 2 — List running processes
+### Progressive disclosure — why 754 skills don't slow your agent down

-Extract the process tree to identify suspicious or unexpected processes:
+| Stage | Token cost | When |
+|-------|-----------|------|
+| Discovery scan | ~30 tokens | Always — agent reads YAML frontmatter |
+| Full skill load | 500–2000 tokens | Only when skill matches the task |
+| Deep reference pull | 1000–5000 tokens | Only when agent needs technical depth |

-```bash
-vol -f memory.raw windows.pslist
-vol -f memory.raw windows.pstree
-vol -f memory.raw windows.psscan    # Finds hidden/unlinked processes
+Irrelevant skills cost virtually nothing. Relevant skills provide complete expert-level guidance.
+
+## 🧠 How AI agents use these skills
+
+```
+User prompt: "Analyze this memory dump for signs of credential theft"
+
+Agent's internal process:
+1. Scans 754 skill frontmatters (~30 tokens each) → finds 12 relevant skills
+2. Loads top matches:
+   - performing-memory-forensics-with-volatility3
+   - hunting-for-credential-dumping-lsass
+   - analyzing-windows-event-logs-for-credential-access
+3. Follows structured workflow from SKILL.md
+4. References ATT&CK T1003 (Credential Dumping) mapping
+5. Maps findings to D3FEND D3-PSMD (Process Self-Modification Detection)
+6. Outputs structured findings with framework references
 ```

-Look for: unusual parent-child relationships, processes with suspicious names,
-processes running from temp directories, unsigned executables.
+## 📝 Example skills

-### Step 3 — Analyze network connections
+<details>
+<summary><strong>🔍 Hunting for C2 beaconing</strong></summary>

-Extract active and closed network connections:
+**Domain:** Threat Hunting · **ATT&CK:** T1071, T1573 · **D3FEND:** D3-NTA · **CSF:** DE.CM-01

-```bash
-vol -f memory.raw windows.netscan
-vol -f memory.raw windows.netstat
-```
-
-Flag: connections to known-bad IPs, unusual ports (4444, 8443, 1337),
-beaconing patterns, connections from non-browser processes.
-
-### Step 4 — Detect code injection
-
-Scan for injected code in process memory:
-
-```bash
-vol -f memory.raw windows.malfind
-```
-
-Review output for: PAGE_EXECUTE_READWRITE memory regions, MZ headers in
-non-image regions, shellcode signatures, hollow process indicators.
-
-### Step 5 — Extract artifacts
-
-Dump suspicious processes, DLLs, and drivers for further analysis:
-
-```bash
-vol -f memory.raw windows.dumpfiles --pid <PID>
-vol -f memory.raw windows.dlllist --pid <PID>
-vol -f memory.raw windows.handles --pid <PID>
-```
-
-### Step 6 — Check persistence mechanisms
-
-Examine registry hives and services loaded in memory:
-
-```bash
-vol -f memory.raw windows.registry.hivelist
-vol -f memory.raw windows.svcscan
-vol -f memory.raw windows.cmdline
-```
-
-## Verification
-
- [ ] OS profile correctly identified and dump validated
- [ ] Complete process tree exported and anomalies flagged
- [ ] Network connections reviewed and suspicious IPs documented
- [ ] Malfind output reviewed — injected code regions identified
- [ ] Suspicious binaries dumped for downstream malware analysis
- [ ] IOCs extracted (IPs, domains, file hashes, mutex names)
- [ ] Findings documented in incident report with timestamps
-````
+Identifies command-and-control communication patterns in network traffic using beacon interval analysis, JA3/JA3S fingerprinting, and DNS request frequency modeling. Includes Zeek scripts for automated detection and SIEM correlation rules.

 </details>

 <details>
-<summary><b>🦠 Reverse engineering .NET malware with dnSpy</b> — Malware Analysis domain</summary>
+<summary><strong>🦠 Reverse engineering .NET malware with dnSpy</strong></summary>

-````yaml
---
-name: analyzing-dotnet-malware-with-dnspy
-description: >-
-  Decompile, analyze, and extract IOCs from .NET-based malware samples
-  using dnSpy for static analysis and behavioral understanding.
-domain: cybersecurity
-subdomain: malware-analysis
-tags: [malware, reverse-engineering, dotnet, dnspy, static-analysis]
-version: "1.0"
-author: mukul975
-license: Apache-2.0
---
+**Domain:** Malware Analysis · **ATT&CK:** T1027, T1059.001 · **ATLAS:** AML.T0016 · **CSF:** DE.AE-02

-## When to Use
-
- Triaging a suspected .NET malware sample (.exe or .dll compiled with CLR)
- Extracting hardcoded C2 URLs, encryption keys, or configuration data
- Understanding malware behavior before dynamic analysis
- Analyzing obfuscated .NET payloads (ConfuserEx, SmartAssembly, etc.)
- Building detection signatures (YARA, Sigma) from decompiled source
-
-## Prerequisites
-
- **dnSpy** (or dnSpyEx fork) installed on analysis workstation
- Isolated malware analysis environment (VM with snapshots)
- **PE analysis tool** (CFF Explorer, PE-bear, or pestudio) for initial triage
- **de4dot** for automated .NET deobfuscation
- Sample SHA256 hash documented before analysis begins
- Network monitoring tools (Wireshark/FakeNet-NG) for dynamic validation
-
-## Workflow
-
-### Step 1 — Initial triage and environment setup
-
-Confirm the sample is a .NET assembly before opening in dnSpy:
-
-```bash
-# Check for CLR metadata
-file sample.exe
-# Look for .NET version string, mscoree.dll import
-pestudio sample.exe
-```
-
-Take a VM snapshot. Disable network adapters. Document sample hash.
-
-### Step 2 — Deobfuscate if protected
-
-Many .NET malware families use obfuscation. Run de4dot first:
-
-```bash
-de4dot sample.exe -o sample_clean.exe
-```
-
-Check output log for identified obfuscator (ConfuserEx, Dotfuscator,
-SmartAssembly, Babel, Eazfuscator). If de4dot fails, note the packer
-for manual unpacking in dnSpy.
-
-### Step 3 — Load and explore in dnSpy
-
-Open the cleaned binary in dnSpy. Start with high-level reconnaissance:
-
-1. **Assembly Explorer** — Review namespaces, classes, entry point
-2. **Entry point** (`Main()` or module initializer) — Trace execution flow
-3. **Resources** — Check for embedded payloads, encrypted configs
-4. **String references** — Search for URLs, IP addresses, registry keys
-5. **References** — Note any P/Invoke calls (Win32 API) indicating native interaction
-
-### Step 4 — Identify C2 infrastructure and configuration
-
-Search decompiled source for network indicators:
-
- Hardcoded URLs, IP addresses, domain names
- Base64-encoded strings (decode in CyberChef)
- XOR / AES decryption routines with embedded keys
- HTTP User-Agent strings, custom headers
- Registry keys or file paths used for persistence
-
-Set breakpoints in dnSpy debugger at decryption functions to capture
-plaintext config at runtime if static extraction fails.
-
-### Step 5 — Map capabilities to MITRE ATT&CK
-
-Document each observed capability:
-
- **Execution method** — Process injection, scheduled tasks, WMI
- **Persistence** — Registry Run keys, startup folder, services
- **Credential access** — Browser credential theft, keylogging
- **Exfiltration** — HTTP POST, DNS tunneling, cloud storage APIs
- **Evasion** — Anti-VM checks, sleep timers, sandbox detection
-
-### Step 6 — Extract IOCs and build detections
-
-Compile all indicators into a structured IOC list:
-
-```
-# Network IOCs
-C2: https://evil-domain[.]com/gate.php
-User-Agent: Mozilla/5.0 (compatible; MSIE 10.0)
-DNS: ns1.malware-c2[.]net
-
-# Host IOCs
-Mutex: Global\{GUID-HERE}
-Registry: HKCU\Software\Microsoft\Windows\CurrentVersion\Run\svchost
-File: %APPDATA%\svchost.exe (SHA256: abc123...)
-```
-
-Write YARA rule targeting unique strings or byte patterns.
-
-## Verification
-
- [ ] Sample identified as .NET assembly and hash documented
- [ ] Deobfuscation attempted — obfuscator identified and handled
- [ ] Entry point traced — full execution flow mapped
- [ ] C2 infrastructure extracted (URLs, IPs, domains, ports)
- [ ] Encryption keys / decryption routines documented
- [ ] Capabilities mapped to MITRE ATT&CK techniques
- [ ] IOC list exported in structured format (STIX, OpenIOC, or CSV)
- [ ] YARA detection rule written and tested against sample
-````
+Step-by-step decompilation workflow for .NET executables including de-obfuscation techniques, string decryption, C2 extraction, and behavioral analysis. Includes YARA rule templates for family classification.

 </details>

---
+<details>
+<summary><strong>☸️ Auditing Kubernetes RBAC configurations</strong></summary>

-## 👥 Contributors
+**Domain:** Container Security · **ATT&CK:** T1078.004 · **D3FEND:** D3-ACL · **CSF:** PR.AA-01 · **AI RMF:** GOVERN-1.2

-Thanks to these wonderful people for building the largest open-source cybersecurity skills collection:
+Systematic review of ClusterRoles, RoleBindings, and ServiceAccounts to identify overprivileged workloads, lateral movement paths, and secrets exposure. Includes kubectl audit scripts and remediation playbooks.

-<!-- ALL-CONTRIBUTORS-LIST:START -->
-<table>
-  <tr>
-    <td align="center">
-      <a href="https://github.com/mukul975">
-        <img src="https://avatars.githubusercontent.com/u/42860185?v=4" width="100px;" alt="mukul975" /><br />
-        <sub><b>mukul975</b></sub>
-      </a><br />
-      💻 📖 🚧 🎨
-    </td>
-    <td align="center">
-      <a href="https://github.com/Systech2021-1952">
-        <img src="https://avatars.githubusercontent.com/u/151213461?v=4" width="100px;" alt="Systech2021-1952" /><br />
-        <sub><b>Systech2021-1952</b></sub>
-      </a><br />
-      💻 🌍
-    </td>
-  </tr>
-</table>
-<!-- ALL-CONTRIBUTORS-LIST:END -->
+</details>

-Want to see your name here? Check out the [contributing guide](#-contributing-to-cybersecurity-ai-skills) below.
+## 👥 Contributing

---
+We welcome contributions! See [CONTRIBUTING.md](CONTRIBUTING.md) for guidelines.

-## 🤝 Contributing to cybersecurity AI skills
+**Ways to contribute:**
+- 🆕 Add new skills using the [New Skill template](https://github.com/mukul975/Anthropic-Cybersecurity-Skills/issues/new?template=new-skill.yml)
+- 🐛 Report issues with the [Bug Report template](https://github.com/mukul975/Anthropic-Cybersecurity-Skills/issues/new?template=bug-report.yml)
+- 💡 Request features via [Feature Request](https://github.com/mukul975/Anthropic-Cybersecurity-Skills/issues/new?template=feature-request.yml)
+- 📝 Improve documentation or fix typos
+- 🗺️ Add framework mappings to existing skills

-This project hit **3.5k stars in two weeks** — the community momentum is real. With **328 forks**, **9 open PRs**, and security professionals from around the world getting involved, now is the perfect time to contribute.
-
-We welcome four types of contributions:
-
-| Type | Description | Good for |
-|:-----|:------------|:---------|
-| 🆕 **New skills** | Add skills for uncovered techniques or domains | Security practitioners, pen testers, IR analysts |
-| 📖 **Improve existing skills** | Enhance workflows, add edge cases, fix errors | Anyone who uses the skills and spots improvements |
-| 🌍 **Translations & i18n** | Help make skills accessible to non-English speakers | Multilingual security professionals |
-| 🐛 **Bug reports & feedback** | Report issues, suggest improvements, review PRs | Everyone — all experience levels welcome |
-
-### How to get started
-
-1. **Browse [open issues](https://github.com/mukul975/Anthropic-Cybersecurity-Skills/issues)** — look for `good first issue` and `help wanted` labels
-2. **Read [`CONTRIBUTING.md`](CONTRIBUTING.md)** for the full skill template and submission guidelines
-3. **Fork the repo**, create your skill directory under `skills/`, and submit a PR
-4. **Title format:** `Add skill: your-skill-name-here`
-
-> Every PR gets reviewed for technical accuracy and consistency with the agentskills.io standard. We aim to review within 48 hours.
-
---
+Every PR gets reviewed for technical accuracy and consistency with the agentskills.io standard. We aim to review within 48 hours.

 ## ⭐ Star history

 [![Star History Chart](https://api.star-history.com/svg?repos=mukul975/Anthropic-Cybersecurity-Skills&type=Date)](https://star-history.com/#mukul975/Anthropic-Cybersecurity-Skills&Date)

---
-
 ## 🌐 Community

-<p align="center">
-  <a href="https://github.com/mukul975/Anthropic-Cybersecurity-Skills/stargazers">⭐ Star this repo</a> ·
-  <a href="https://github.com/mukul975/Anthropic-Cybersecurity-Skills/fork">🍴 Fork it</a> ·
-  <a href="https://github.com/mukul975/Anthropic-Cybersecurity-Skills/discussions">💬 Discuss</a> ·
-  <a href="https://github.com/mukul975/Anthropic-Cybersecurity-Skills/issues/new">📝 Open an issue</a>
-</p>
-
-If this project saves you time or makes your AI agent more capable, **give it a ⭐** — it helps others discover these skills and keeps the community growing.
-
---
+- 📋 Listed on [SkillsLLM](https://skillsllm.com/skill/anthropic-cybersecurity-skills)
+- 📚 Featured in [awesome-agent-skills](https://github.com/VoltAgent/awesome-agent-skills)
+- 🔒 Featured in [awesome-ai-security](https://github.com/ottosulin/awesome-ai-security)
+- 🖥️ Featured in [awesome-codex-cli](https://github.com/RoggeOhta/awesome-codex-cli)
+- 📖 [Complete guide on Medium](https://fazal-sec.medium.com/claude-skills-ai-powered-cybersecurity-the-complete-guide-to-building-intelligent-security-7bb7e9d14c8e)

 ## 📄 License

-This project is licensed under the **Apache License 2.0** — see the [`LICENSE`](LICENSE) file for details.
-
-You are free to use, modify, and distribute these skills in both personal and commercial projects. Attribution is appreciated but not required.
+Apache License 2.0 — free for commercial and personal use. See [LICENSE](LICENSE) for details.

 ---

 <p align="center">
-  <sub>
-    <b>⚠️ Disclaimer:</b> This is an independent, community-created project. <b>Not affiliated with Anthropic PBC.</b><br/>
-    "Anthropic" in the repository name refers to compatibility with the <a href="https://agentskills.io">agentskills.io</a> open standard,<br/>
-    not official Anthropic endorsement or affiliation. All trademarks belong to their respective owners.
-  </sub>
+  <strong>If these skills help your AI agent defend better, consider giving this repo a ⭐</strong>
 </p>
@@ -1,6 +1,6 @@
 # ATT&CK Coverage Summary

-Coverage analysis of the 607 cybersecurity skills mapped to MITRE ATT&CK Enterprise v15 tactics.
+Coverage analysis of the 753 cybersecurity skills mapped to MITRE ATT&CK Enterprise v15 tactics.

 ## Tactic Coverage Matrix

@@ -1,12 +1,24 @@
 ---
 name: acquiring-disk-image-with-dd-and-dcfldd
-description: Create forensically sound bit-for-bit disk images using dd and dcfldd while preserving evidence integrity through hash verification.
+description: Create forensically sound bit-for-bit disk images using dd and dcfldd while preserving evidence integrity through
+  hash verification.
 domain: cybersecurity
 subdomain: digital-forensics
-tags: [forensics, disk-imaging, evidence-acquisition, dd, dcfldd, hash-verification]
-version: "1.0"
+tags:
+- forensics
+- disk-imaging
+- evidence-acquisition
+- dd
+- dcfldd
+- hash-verification
+version: '1.0'
 author: mahipal
 license: Apache-2.0
+nist_csf:
+- RS.AN-01
+- RS.AN-03
+- DE.AE-02
+- RS.MA-01
 ---

 # Acquiring Disk Image with dd and dcfldd
@@ -1,12 +1,21 @@
 ---
 name: analyzing-active-directory-acl-abuse
-description: Detect dangerous ACL misconfigurations in Active Directory using ldap3 to identify GenericAll, WriteDACL, and WriteOwner abuse paths
+description: Detect dangerous ACL misconfigurations in Active Directory using ldap3 to identify GenericAll, WriteDACL, and
+  WriteOwner abuse paths
 domain: cybersecurity
 subdomain: identity-security
-tags: [active-directory, acl-abuse, ldap, privilege-escalation]
-version: "1.0"
+tags:
+- active-directory
+- acl-abuse
+- ldap
+- privilege-escalation
+version: '1.0'
 author: mahipal
 license: Apache-2.0
+nist_csf:
+- PR.AA-01
+- PR.AA-05
+- PR.AA-06
 ---


@@ -1,12 +1,26 @@
 ---
 name: analyzing-android-malware-with-apktool
-description: Perform static analysis of Android APK malware samples using apktool for decompilation, jadx for Java source recovery, and androguard for permission analysis, manifest inspection, and suspicious API call detection.
+description: Perform static analysis of Android APK malware samples using apktool for decompilation, jadx for Java source
+  recovery, and androguard for permission analysis, manifest inspection, and suspicious API call detection.
 domain: cybersecurity
 subdomain: malware-analysis
-tags: [Android, APK, apktool, jadx, androguard, mobile-malware, static-analysis, reverse-engineering]
-version: "1.0"
+tags:
+- Android
+- APK
+- apktool
+- jadx
+- androguard
+- mobile-malware
+- static-analysis
+- reverse-engineering
+version: '1.0'
 author: mahipal
 license: Apache-2.0
+nist_csf:
+- DE.AE-02
+- RS.AN-03
+- ID.RA-01
+- DE.CM-01
 ---

 # Analyzing Android Malware with Apktool
@@ -1,16 +1,25 @@
 ---
 name: analyzing-api-gateway-access-logs
-description: >
-  Parses API Gateway access logs (AWS API Gateway, Kong, Nginx) to detect BOLA/IDOR
-  attacks, rate limit bypass, credential scanning, and injection attempts. Uses pandas
-  for statistical analysis of request patterns and anomaly detection. Use when
-  investigating API abuse or building API-specific threat detection rules.
+description: 'Parses API Gateway access logs (AWS API Gateway, Kong, Nginx) to detect BOLA/IDOR attacks, rate limit bypass,
+  credential scanning, and injection attempts. Uses pandas for statistical analysis of request patterns and anomaly detection.
+  Use when investigating API abuse or building API-specific threat detection rules.
+
+  '
 domain: cybersecurity
 subdomain: security-operations
-tags: [analyzing, api, gateway, access]
-version: "1.0"
+tags:
+- analyzing
+- api
+- gateway
+- access
+version: '1.0'
 author: mahipal
 license: Apache-2.0
+nist_csf:
+- DE.CM-01
+- RS.MA-01
+- GV.OV-01
+- DE.AE-02
 ---

 # Analyzing API Gateway Access Logs
@@ -1,12 +1,32 @@
 ---
 name: analyzing-apt-group-with-mitre-navigator
-description: Analyze advanced persistent threat (APT) group techniques using MITRE ATT&CK Navigator to create layered heatmaps of adversary TTPs for detection gap analysis and threat-informed defense.
+description: Analyze advanced persistent threat (APT) group techniques using MITRE ATT&CK Navigator to create layered heatmaps
+  of adversary TTPs for detection gap analysis and threat-informed defense.
 domain: cybersecurity
 subdomain: threat-intelligence
-tags: [mitre-attack, navigator, apt, threat-actor, ttp-analysis, heatmap, detection-gap, threat-intelligence]
-version: "1.0"
+tags:
+- mitre-attack
+- navigator
+- apt
+- threat-actor
+- ttp-analysis
+- heatmap
+- detection-gap
+- threat-intelligence
+version: '1.0'
 author: mahipal
 license: Apache-2.0
+d3fend_techniques:
+- Executable Denylisting
+- Execution Isolation
+- File Metadata Consistency Validation
+- Content Format Conversion
+- File Content Analysis
+nist_csf:
+- ID.RA-01
+- ID.RA-05
+- DE.CM-01
+- DE.AE-02
 ---
 # Analyzing APT Group with MITRE ATT&CK Navigator

@@ -1,16 +1,25 @@
 ---
 name: analyzing-azure-activity-logs-for-threats
-description: >
-  Queries Azure Monitor activity logs and sign-in logs via azure-monitor-query to
-  detect suspicious administrative operations, impossible travel, privilege escalation,
-  and resource modifications. Builds KQL queries for threat hunting in Azure environments.
-  Use when investigating suspicious Azure tenant activity or building cloud SIEM detections.
+description: 'Queries Azure Monitor activity logs and sign-in logs via azure-monitor-query to detect suspicious administrative
+  operations, impossible travel, privilege escalation, and resource modifications. Builds KQL queries for threat hunting in
+  Azure environments. Use when investigating suspicious Azure tenant activity or building cloud SIEM detections.
+
+  '
 domain: cybersecurity
 subdomain: security-operations
-tags: [analyzing, azure, activity, logs]
-version: "1.0"
+tags:
+- analyzing
+- azure
+- activity
+- logs
+version: '1.0'
 author: mahipal
 license: Apache-2.0
+nist_csf:
+- DE.CM-01
+- RS.MA-01
+- GV.OV-01
+- DE.AE-02
 ---

 # Analyzing Azure Activity Logs for Threats
@@ -1,17 +1,27 @@
 ---
 name: analyzing-bootkit-and-rootkit-samples
-description: >
-  Analyzes bootkit and advanced rootkit malware that infects the Master Boot Record (MBR),
-  Volume Boot Record (VBR), or UEFI firmware to gain persistence below the operating system.
-  Covers boot sector analysis, UEFI module inspection, and anti-rootkit detection techniques.
-  Activates for requests involving bootkit analysis, MBR malware investigation, UEFI
+description: 'Analyzes bootkit and advanced rootkit malware that infects the Master Boot Record (MBR), Volume Boot Record
+  (VBR), or UEFI firmware to gain persistence below the operating system. Covers boot sector analysis, UEFI module inspection,
+  and anti-rootkit detection techniques. Activates for requests involving bootkit analysis, MBR malware investigation, UEFI
  persistence analysis, or pre-OS malware detection.
+
+  '
 domain: cybersecurity
 subdomain: malware-analysis
-tags: [malware, bootkit, rootkit, UEFI, MBR-analysis]
+tags:
+- malware
+- bootkit
+- rootkit
+- UEFI
+- MBR-analysis
 version: 1.0.0
 author: mahipal
 license: Apache-2.0
+nist_csf:
+- DE.AE-02
+- RS.AN-03
+- ID.RA-01
+- DE.CM-01
 ---

 # Analyzing Bootkit and Rootkit Samples
@@ -1,12 +1,28 @@
 ---
 name: analyzing-browser-forensics-with-hindsight
-description: Analyze Chromium-based browser artifacts using Hindsight to extract browsing history, downloads, cookies, cached content, autofill data, saved passwords, and browser extensions from Chrome, Edge, Brave, and Opera for forensic investigation.
+description: Analyze Chromium-based browser artifacts using Hindsight to extract browsing history, downloads, cookies, cached
+  content, autofill data, saved passwords, and browser extensions from Chrome, Edge, Brave, and Opera for forensic investigation.
 domain: cybersecurity
 subdomain: digital-forensics
-tags: [browser-forensics, hindsight, chrome-forensics, chromium, edge, browsing-history, cookies, downloads, cache, web-artifacts]
-version: "1.0"
+tags:
+- browser-forensics
+- hindsight
+- chrome-forensics
+- chromium
+- edge
+- browsing-history
+- cookies
+- downloads
+- cache
+- web-artifacts
+version: '1.0'
 author: mahipal
 license: Apache-2.0
+nist_csf:
+- RS.AN-01
+- RS.AN-03
+- DE.AE-02
+- RS.MA-01
 ---

 # Analyzing Browser Forensics with Hindsight
@@ -1,12 +1,25 @@
 ---
 name: analyzing-campaign-attribution-evidence
-description: Campaign attribution analysis involves systematically evaluating evidence to determine which threat actor or group is responsible for a cyber operation. This skill covers collecting and weighting attr
+description: Campaign attribution analysis involves systematically evaluating evidence to determine which threat actor or
+  group is responsible for a cyber operation. This skill covers collecting and weighting attr
 domain: cybersecurity
 subdomain: threat-intelligence
-tags: [threat-intelligence, cti, ioc, mitre-attack, stix, attribution, campaign-analysis]
-version: "1.0"
+tags:
+- threat-intelligence
+- cti
+- ioc
+- mitre-attack
+- stix
+- attribution
+- campaign-analysis
+version: '1.0'
 author: mahipal
 license: Apache-2.0
+nist_csf:
+- ID.RA-01
+- ID.RA-05
+- DE.CM-01
+- DE.AE-02
 ---
 # Analyzing Campaign Attribution Evidence

@@ -1,12 +1,28 @@
 ---
 name: analyzing-certificate-transparency-for-phishing
-description: Monitor Certificate Transparency logs using crt.sh and Certstream to detect phishing domains, lookalike certificates, and unauthorized certificate issuance targeting your organization.
+description: Monitor Certificate Transparency logs using crt.sh and Certstream to detect phishing domains, lookalike certificates,
+  and unauthorized certificate issuance targeting your organization.
 domain: cybersecurity
 subdomain: threat-intelligence
-tags: [certificate-transparency, ct-logs, phishing, crt-sh, certstream, ssl, domain-monitoring, threat-intelligence]
-version: "1.0"
+tags:
+- certificate-transparency
+- ct-logs
+- phishing
+- crt-sh
+- certstream
+- ssl
+- domain-monitoring
+- threat-intelligence
+version: '1.0'
 author: mahipal
 license: Apache-2.0
+atlas_techniques:
+- AML.T0052
+nist_csf:
+- ID.RA-01
+- ID.RA-05
+- DE.CM-01
+- DE.AE-02
 ---
 # Analyzing Certificate Transparency for Phishing

@@ -1,16 +1,30 @@
 ---
 name: analyzing-cloud-storage-access-patterns
-description: >-
-  Detect abnormal access patterns in AWS S3, GCS, and Azure Blob Storage by analyzing CloudTrail
-  Data Events, GCS audit logs, and Azure Storage Analytics. Identifies after-hours bulk downloads,
-  access from new IP addresses, unusual API calls (GetObject spikes), and potential data exfiltration
-  using statistical baselines and time-series anomaly detection.
+description: Detect abnormal access patterns in AWS S3, GCS, and Azure Blob Storage by analyzing CloudTrail Data Events, GCS
+  audit logs, and Azure Storage Analytics. Identifies after-hours bulk downloads, access from new IP addresses, unusual API
+  calls (GetObject spikes), and potential data exfiltration using statistical baselines and time-series anomaly detection.
 domain: cybersecurity
 subdomain: cloud-security
-tags: [analyzing, cloud, storage, access]
-version: "1.0"
+tags:
+- analyzing
+- cloud
+- storage
+- access
+version: '1.0'
 author: mahipal
 license: Apache-2.0
+atlas_techniques:
+- AML.T0024
+- AML.T0056
+nist_ai_rmf:
+- MEASURE-2.7
+- MAP-5.1
+- MANAGE-2.4
+nist_csf:
+- PR.IR-01
+- ID.AM-08
+- GV.SC-06
+- DE.CM-01
 ---


@@ -1,12 +1,25 @@
 ---
 name: analyzing-cobalt-strike-beacon-configuration
-description: Extract and analyze Cobalt Strike beacon configuration from PE files and memory dumps to identify C2 infrastructure, malleable profiles, and operator tradecraft.
+description: Extract and analyze Cobalt Strike beacon configuration from PE files and memory dumps to identify C2 infrastructure,
+  malleable profiles, and operator tradecraft.
 domain: cybersecurity
 subdomain: malware-analysis
-tags: [cobalt-strike, beacon, c2, malware-analysis, config-extraction, threat-hunting, red-team-tools]
-version: "1.0"
+tags:
+- cobalt-strike
+- beacon
+- c2
+- malware-analysis
+- config-extraction
+- threat-hunting
+- red-team-tools
+version: '1.0'
 author: mahipal
 license: Apache-2.0
+nist_csf:
+- DE.AE-02
+- RS.AN-03
+- ID.RA-01
+- DE.CM-01
 ---
 # Analyzing Cobalt Strike Beacon Configuration

@@ -1,12 +1,25 @@
 ---
 name: analyzing-cobaltstrike-malleable-c2-profiles
-description: Parse and analyze Cobalt Strike Malleable C2 profiles using dissect.cobaltstrike and pyMalleableC2 to extract C2 indicators, detect evasion techniques, and generate network detection signatures.
+description: Parse and analyze Cobalt Strike Malleable C2 profiles using dissect.cobaltstrike and pyMalleableC2 to extract
+  C2 indicators, detect evasion techniques, and generate network detection signatures.
 domain: cybersecurity
 subdomain: malware-analysis
-tags: [cobalt-strike, malleable-c2, c2-detection, beacon-analysis, network-signatures, threat-hunting, red-team-tools]
-version: "1.0"
+tags:
+- cobalt-strike
+- malleable-c2
+- c2-detection
+- beacon-analysis
+- network-signatures
+- threat-hunting
+- red-team-tools
+version: '1.0'
 author: mahipal
 license: Apache-2.0
+nist_csf:
+- DE.AE-02
+- RS.AN-03
+- ID.RA-01
+- DE.CM-01
 ---
 # Analyzing CobaltStrike Malleable C2 Profiles

@@ -1,17 +1,27 @@
 ---
 name: analyzing-command-and-control-communication
-description: >
-  Analyzes malware command-and-control (C2) communication protocols to understand beacon
-  patterns, command structures, data encoding, and infrastructure. Covers HTTP, HTTPS, DNS,
-  and custom protocol C2 analysis for detection development and threat intelligence.
-  Activates for requests involving C2 analysis, beacon detection, C2 protocol reverse
-  engineering, or command-and-control infrastructure mapping.
+description: 'Analyzes malware command-and-control (C2) communication protocols to understand beacon patterns, command structures,
+  data encoding, and infrastructure. Covers HTTP, HTTPS, DNS, and custom protocol C2 analysis for detection development and
+  threat intelligence. Activates for requests involving C2 analysis, beacon detection, C2 protocol reverse engineering, or
+  command-and-control infrastructure mapping.
+
+  '
 domain: cybersecurity
 subdomain: malware-analysis
-tags: [malware, C2, command-and-control, beacon, protocol-analysis]
+tags:
+- malware
+- C2
+- command-and-control
+- beacon
+- protocol-analysis
 version: 1.0.0
 author: mahipal
 license: Apache-2.0
+nist_csf:
+- DE.AE-02
+- RS.AN-03
+- ID.RA-01
+- DE.CM-01
 ---

 # Analyzing Command-and-Control Communication
@@ -1,18 +1,29 @@
 ---
 name: analyzing-cyber-kill-chain
-description: >
-  Analyzes intrusion activity against the Lockheed Martin Cyber Kill Chain framework to identify
-  which phases an adversary has completed, where defenses succeeded or failed, and what controls
-  would have interrupted the attack at earlier phases. Use when conducting post-incident analysis,
-  building prevention-focused security controls, or mapping detection gaps to kill chain phases.
-  Activates for requests involving kill chain analysis, intrusion kill chain, attack phase mapping,
+description: 'Analyzes intrusion activity against the Lockheed Martin Cyber Kill Chain framework to identify which phases
+  an adversary has completed, where defenses succeeded or failed, and what controls would have interrupted the attack at earlier
+  phases. Use when conducting post-incident analysis, building prevention-focused security controls, or mapping detection
+  gaps to kill chain phases. Activates for requests involving kill chain analysis, intrusion kill chain, attack phase mapping,
  or Lockheed Martin kill chain framework.
+
+  '
 domain: cybersecurity
 subdomain: threat-intelligence
-tags: [kill-chain, Lockheed-Martin, MITRE-ATT&CK, intrusion-analysis, defense-in-depth, NIST-CSF]
+tags:
+- kill-chain
+- Lockheed-Martin
+- MITRE-ATT&CK
+- intrusion-analysis
+- defense-in-depth
+- NIST-CSF
 version: 1.0.0
 author: team-cybersecurity
 license: Apache-2.0
+nist_csf:
+- ID.RA-01
+- ID.RA-05
+- DE.CM-01
+- DE.AE-02
 ---
 # Analyzing Cyber Kill Chain

@@ -1,12 +1,24 @@
 ---
 name: analyzing-disk-image-with-autopsy
-description: Perform comprehensive forensic analysis of disk images using Autopsy to recover files, examine artifacts, and build investigation timelines.
+description: Perform comprehensive forensic analysis of disk images using Autopsy to recover files, examine artifacts, and
+  build investigation timelines.
 domain: cybersecurity
 subdomain: digital-forensics
-tags: [forensics, autopsy, disk-analysis, sleuth-kit, file-recovery, artifact-analysis]
-version: "1.0"
+tags:
+- forensics
+- autopsy
+- disk-analysis
+- sleuth-kit
+- file-recovery
+- artifact-analysis
+version: '1.0'
 author: mahipal
 license: Apache-2.0
+nist_csf:
+- RS.AN-01
+- RS.AN-03
+- DE.AE-02
+- RS.MA-01
 ---

 # Analyzing Disk Image with Autopsy
@@ -1,16 +1,33 @@
 ---
 name: analyzing-dns-logs-for-exfiltration
-description: >
-  Analyzes DNS query logs to detect data exfiltration via DNS tunneling, DGA domain communication,
-  and covert C2 channels using entropy analysis, query volume anomalies, and subdomain length
-  detection in SIEM platforms. Use when SOC teams need to identify DNS-based threats that bypass
-  traditional network security controls.
+description: 'Analyzes DNS query logs to detect data exfiltration via DNS tunneling, DGA domain communication, and covert
+  C2 channels using entropy analysis, query volume anomalies, and subdomain length detection in SIEM platforms. Use when SOC
+  teams need to identify DNS-based threats that bypass traditional network security controls.
+
+  '
 domain: cybersecurity
 subdomain: soc-operations
-tags: [soc, dns, exfiltration, dns-tunneling, dga, c2-detection, splunk, threat-detection]
-version: "1.0"
+tags:
+- soc
+- dns
+- exfiltration
+- dns-tunneling
+- dga
+- c2-detection
+- splunk
+- threat-detection
+version: '1.0'
 author: mahipal
 license: Apache-2.0
+atlas_techniques:
+- AML.T0024
+- AML.T0056
+- AML.T0086
+nist_csf:
+- DE.CM-01
+- DE.AE-02
+- RS.MA-01
+- DE.AE-06
 ---
 # Analyzing DNS Logs for Exfiltration

@@ -1,12 +1,24 @@
 ---
 name: analyzing-docker-container-forensics
-description: Investigate compromised Docker containers by analyzing images, layers, volumes, logs, and runtime artifacts to identify malicious activity and evidence.
+description: Investigate compromised Docker containers by analyzing images, layers, volumes, logs, and runtime artifacts to
+  identify malicious activity and evidence.
 domain: cybersecurity
 subdomain: digital-forensics
-tags: [forensics, docker, container-forensics, container-security, image-analysis, runtime-investigation]
-version: "1.0"
+tags:
+- forensics
+- docker
+- container-forensics
+- container-security
+- image-analysis
+- runtime-investigation
+version: '1.0'
 author: mahipal
 license: Apache-2.0
+nist_csf:
+- RS.AN-01
+- RS.AN-03
+- DE.AE-02
+- RS.MA-01
 ---

 # Analyzing Docker Container Forensics
@@ -1,12 +1,27 @@
 ---
 name: analyzing-email-headers-for-phishing-investigation
-description: Parse and analyze email headers to trace the origin of phishing emails, verify sender authenticity, and identify spoofing through SPF, DKIM, and DMARC validation.
+description: Parse and analyze email headers to trace the origin of phishing emails, verify sender authenticity, and identify
+  spoofing through SPF, DKIM, and DMARC validation.
 domain: cybersecurity
 subdomain: digital-forensics
-tags: [forensics, email-analysis, phishing, spf, dkim, dmarc, header-analysis]
-version: "1.0"
+tags:
+- forensics
+- email-analysis
+- phishing
+- spf
+- dkim
+- dmarc
+- header-analysis
+version: '1.0'
 author: mahipal
 license: Apache-2.0
+atlas_techniques:
+- AML.T0052
+nist_csf:
+- RS.AN-01
+- RS.AN-03
+- DE.AE-02
+- RS.MA-01
 ---

 # Analyzing Email Headers for Phishing Investigation
@@ -1,12 +1,25 @@
 ---
 name: analyzing-ethereum-smart-contract-vulnerabilities
-description: Perform static and symbolic analysis of Solidity smart contracts using Slither and Mythril to detect reentrancy, integer overflow, access control, and other vulnerability classes before deployment to Ethereum mainnet.
+description: Perform static and symbolic analysis of Solidity smart contracts using Slither and Mythril to detect reentrancy,
+  integer overflow, access control, and other vulnerability classes before deployment to Ethereum mainnet.
 domain: cybersecurity
 subdomain: blockchain-security
-tags: [ethereum, solidity, smart-contract, slither, mythril, blockchain, defi, audit]
-version: "1.0"
+tags:
+- ethereum
+- solidity
+- smart-contract
+- slither
+- mythril
+- blockchain
+- defi
+- audit
+version: '1.0'
 author: mahipal
 license: Apache-2.0
+nist_csf:
+- PR.DS-01
+- PR.DS-02
+- ID.RA-01
 ---

 # Analyzing Ethereum Smart Contract Vulnerabilities
@@ -1,12 +1,25 @@
 ---
 name: analyzing-golang-malware-with-ghidra
-description: Reverse engineer Go-compiled malware using Ghidra with specialized scripts for function recovery, string extraction, and type reconstruction in stripped Go binaries.
+description: Reverse engineer Go-compiled malware using Ghidra with specialized scripts for function recovery, string extraction,
+  and type reconstruction in stripped Go binaries.
 domain: cybersecurity
 subdomain: malware-analysis
-tags: [golang, ghidra, reverse-engineering, malware-analysis, binary-analysis, go-malware, disassembly]
-version: "1.0"
+tags:
+- golang
+- ghidra
+- reverse-engineering
+- malware-analysis
+- binary-analysis
+- go-malware
+- disassembly
+version: '1.0'
 author: mahipal
 license: Apache-2.0
+nist_csf:
+- DE.AE-02
+- RS.AN-03
+- ID.RA-01
+- DE.CM-01
 ---
 # Analyzing Golang Malware with Ghidra

@@ -1,12 +1,23 @@
 ---
 name: analyzing-heap-spray-exploitation
-description: Detect and analyze heap spray attacks in memory dumps using Volatility3 plugins to identify NOP sled patterns, shellcode landing zones, and suspicious large allocations in process virtual address space.
+description: Detect and analyze heap spray attacks in memory dumps using Volatility3 plugins to identify NOP sled patterns,
+  shellcode landing zones, and suspicious large allocations in process virtual address space.
 domain: cybersecurity
 subdomain: malware-analysis
-tags: [malware-analysis, memory-forensics, heap-spray, volatility3, exploit-analysis]
-version: "1.0"
+tags:
+- malware-analysis
+- memory-forensics
+- heap-spray
+- volatility3
+- exploit-analysis
+version: '1.0'
 author: mahipal
 license: Apache-2.0
+nist_csf:
+- DE.AE-02
+- RS.AN-03
+- ID.RA-01
+- DE.CM-01
 ---
 # Analyzing Heap Spray Exploitation

@@ -1,17 +1,32 @@
 ---
 name: analyzing-indicators-of-compromise
-description: >
-  Analyzes indicators of compromise (IOCs) including IP addresses, domains, file hashes, URLs,
-  and email artifacts to determine maliciousness confidence, campaign attribution, and blocking
-  priority. Use when triaging IOCs from phishing emails, security alerts, or external threat feeds;
-  enriching raw IOCs with multi-source intelligence; or making block/monitor/whitelist decisions.
-  Activates for requests involving VirusTotal, AbuseIPDB, MalwareBazaar, MISP, or IOC enrichment pipelines.
+description: 'Analyzes indicators of compromise (IOCs) including IP addresses, domains, file hashes, URLs, and email artifacts
+  to determine maliciousness confidence, campaign attribution, and blocking priority. Use when triaging IOCs from phishing
+  emails, security alerts, or external threat feeds; enriching raw IOCs with multi-source intelligence; or making block/monitor/whitelist
+  decisions. Activates for requests involving VirusTotal, AbuseIPDB, MalwareBazaar, MISP, or IOC enrichment pipelines.
+
+  '
 domain: cybersecurity
 subdomain: threat-intelligence
-tags: [IOC, VirusTotal, AbuseIPDB, MalwareBazaar, MISP, threat-intelligence, STIX, NIST-CSF]
+tags:
+- IOC
+- VirusTotal
+- AbuseIPDB
+- MalwareBazaar
+- MISP
+- threat-intelligence
+- STIX
+- NIST-CSF
 version: 1.0.0
 author: mahipal
 license: Apache-2.0
+atlas_techniques:
+- AML.T0052
+nist_csf:
+- ID.RA-01
+- ID.RA-05
+- DE.CM-01
+- DE.AE-02
 ---
 # Analyzing Indicators of Compromise

@@ -1,18 +1,36 @@
 ---
 name: analyzing-ios-app-security-with-objection
-description: >
-  Performs runtime mobile security exploration of iOS applications using Objection, a Frida-powered
-  toolkit that enables security testers to interact with app internals without jailbreaking. Use when
-  assessing iOS app security posture, bypassing client-side protections, dumping keychain items,
-  inspecting filesystem storage, and evaluating runtime behavior. Activates for requests involving
-  iOS security testing, Objection runtime analysis, Frida-based iOS assessment, or mobile runtime
-  exploration.
+description: 'Performs runtime mobile security exploration of iOS applications using Objection, a Frida-powered toolkit that
+  enables security testers to interact with app internals without jailbreaking. Use when assessing iOS app security posture,
+  bypassing client-side protections, dumping keychain items, inspecting filesystem storage, and evaluating runtime behavior.
+  Activates for requests involving iOS security testing, Objection runtime analysis, Frida-based iOS assessment, or mobile
+  runtime exploration.
+
+  '
 domain: cybersecurity
 subdomain: mobile-security
 author: mahipal
-tags: [mobile-security, ios, objection, frida, owasp-mobile, penetration-testing]
+tags:
+- mobile-security
+- ios
+- objection
+- frida
+- owasp-mobile
+- penetration-testing
 version: 1.0.0
 license: Apache-2.0
+atlas_techniques:
+- AML.T0054
+nist_ai_rmf:
+- MEASURE-2.7
+- MANAGE-2.4
+- GOVERN-6.2
+- MAP-5.1
+nist_csf:
+- PR.PS-01
+- PR.AA-05
+- ID.RA-01
+- DE.CM-09
 ---
 # Analyzing iOS App Security with Objection

@@ -1,16 +1,25 @@
 ---
 name: analyzing-kubernetes-audit-logs
-description: >
-  Parses Kubernetes API server audit logs (JSON lines) to detect exec-into-pod, secret
-  access, RBAC modifications, privileged pod creation, and anonymous API access. Builds
-  threat detection rules from audit event patterns. Use when investigating Kubernetes
-  cluster compromise or building k8s-specific SIEM detection rules.
+description: 'Parses Kubernetes API server audit logs (JSON lines) to detect exec-into-pod, secret access, RBAC modifications,
+  privileged pod creation, and anonymous API access. Builds threat detection rules from audit event patterns. Use when investigating
+  Kubernetes cluster compromise or building k8s-specific SIEM detection rules.
+
+  '
 domain: cybersecurity
 subdomain: container-security
-tags: [analyzing, kubernetes, audit, logs]
-version: "1.0"
+tags:
+- analyzing
+- kubernetes
+- audit
+- logs
+version: '1.0'
 author: mahipal
 license: Apache-2.0
+nist_csf:
+- PR.PS-01
+- PR.IR-01
+- ID.AM-08
+- DE.CM-01
 ---

 # Analyzing Kubernetes Audit Logs
@@ -1,18 +1,29 @@
 ---
 name: analyzing-linux-audit-logs-for-intrusion
-description: >
-  Uses the Linux Audit framework (auditd) with ausearch and aureport utilities
-  to detect intrusion attempts, unauthorized access, privilege escalation, and
-  suspicious system activity. Covers audit rule configuration, log querying,
-  timeline reconstruction, and integration with SIEM platforms. Activates for
-  requests involving auditd analysis, Linux audit log investigation, ausearch
+description: 'Uses the Linux Audit framework (auditd) with ausearch and aureport utilities to detect intrusion attempts, unauthorized
+  access, privilege escalation, and suspicious system activity. Covers audit rule configuration, log querying, timeline reconstruction,
+  and integration with SIEM platforms. Activates for requests involving auditd analysis, Linux audit log investigation, ausearch
  queries, aureport summaries, or host-based intrusion detection on Linux.
+
+  '
 domain: cybersecurity
 subdomain: incident-response
-tags: [auditd, ausearch, aureport, linux-security, intrusion-detection, HIDS, forensics]
+tags:
+- auditd
+- ausearch
+- aureport
+- linux-security
+- intrusion-detection
+- HIDS
+- forensics
 version: 1.0.0
 author: mahipal
 license: Apache-2.0
+nist_csf:
+- RS.MA-01
+- RS.MA-02
+- RS.AN-03
+- RC.RP-01
 ---

 # Analyzing Linux Audit Logs for Intrusion
@@ -1,17 +1,27 @@
 ---
 name: analyzing-linux-elf-malware
-description: >
-  Analyzes malicious Linux ELF (Executable and Linkable Format) binaries including botnets,
-  cryptominers, ransomware, and rootkits targeting Linux servers, containers, and cloud
-  infrastructure. Covers static analysis, dynamic tracing, and reverse engineering of
-  x86_64 and ARM ELF samples. Activates for requests involving Linux malware analysis,
-  ELF binary investigation, Linux server compromise assessment, or container malware analysis.
+description: 'Analyzes malicious Linux ELF (Executable and Linkable Format) binaries including botnets, cryptominers, ransomware,
+  and rootkits targeting Linux servers, containers, and cloud infrastructure. Covers static analysis, dynamic tracing, and
+  reverse engineering of x86_64 and ARM ELF samples. Activates for requests involving Linux malware analysis, ELF binary investigation,
+  Linux server compromise assessment, or container malware analysis.
+
+  '
 domain: cybersecurity
 subdomain: malware-analysis
-tags: [malware, Linux, ELF, reverse-engineering, server-malware]
+tags:
+- malware
+- Linux
+- ELF
+- reverse-engineering
+- server-malware
 version: 1.0.0
 author: mahipal
 license: Apache-2.0
+nist_csf:
+- DE.AE-02
+- RS.AN-03
+- ID.RA-01
+- DE.CM-01
 ---

 # Analyzing Linux ELF Malware
@@ -1,12 +1,27 @@
 ---
 name: analyzing-linux-kernel-rootkits
-description: Detect kernel-level rootkits in Linux memory dumps using Volatility3 linux plugins (check_syscall, lsmod, hidden_modules), rkhunter system scanning, and /proc vs /sys discrepancy analysis to identify hooked syscalls, hidden kernel modules, and tampered system structures.
+description: Detect kernel-level rootkits in Linux memory dumps using Volatility3 linux plugins (check_syscall, lsmod, hidden_modules),
+  rkhunter system scanning, and /proc vs /sys discrepancy analysis to identify hooked syscalls, hidden kernel modules, and
+  tampered system structures.
 domain: cybersecurity
 subdomain: digital-forensics
-tags: [rootkit, linux, kernel, volatility3, memory-forensics, malware-analysis, rkhunter, forensics]
-version: "1.0"
+tags:
+- rootkit
+- linux
+- kernel
+- volatility3
+- memory-forensics
+- malware-analysis
+- rkhunter
+- forensics
+version: '1.0'
 author: mahipal
 license: Apache-2.0
+nist_csf:
+- RS.AN-01
+- RS.AN-03
+- DE.AE-02
+- RS.MA-01
 ---

 # Analyzing Linux Kernel Rootkits
@@ -1,12 +1,24 @@
 ---
 name: analyzing-linux-system-artifacts
-description: Examine Linux system artifacts including auth logs, cron jobs, shell history, and system configuration to uncover evidence of compromise or unauthorized activity.
+description: Examine Linux system artifacts including auth logs, cron jobs, shell history, and system configuration to uncover
+  evidence of compromise or unauthorized activity.
 domain: cybersecurity
 subdomain: digital-forensics
-tags: [forensics, linux-forensics, system-artifacts, log-analysis, persistence-detection, incident-investigation]
-version: "1.0"
+tags:
+- forensics
+- linux-forensics
+- system-artifacts
+- log-analysis
+- persistence-detection
+- incident-investigation
+version: '1.0'
 author: mahipal
 license: Apache-2.0
+nist_csf:
+- RS.AN-01
+- RS.AN-03
+- DE.AE-02
+- RS.MA-01
 ---

 # Analyzing Linux System Artifacts
@@ -1,12 +1,28 @@
 ---
 name: analyzing-lnk-file-and-jump-list-artifacts
-description: Analyze Windows LNK shortcut files and Jump List artifacts to establish evidence of file access, program execution, and user activity using LECmd, JLECmd, and manual binary parsing of the Shell Link Binary format.
+description: Analyze Windows LNK shortcut files and Jump List artifacts to establish evidence of file access, program execution,
+  and user activity using LECmd, JLECmd, and manual binary parsing of the Shell Link Binary format.
 domain: cybersecurity
 subdomain: digital-forensics
-tags: [lnk-files, jump-lists, lecmd, jlecmd, windows-forensics, shell-link, user-activity, file-access, program-execution, recent-files]
-version: "1.0"
+tags:
+- lnk-files
+- jump-lists
+- lecmd
+- jlecmd
+- windows-forensics
+- shell-link
+- user-activity
+- file-access
+- program-execution
+- recent-files
+version: '1.0'
 author: mahipal
 license: Apache-2.0
+nist_csf:
+- RS.AN-01
+- RS.AN-03
+- DE.AE-02
+- RS.MA-01
 ---

 # Analyzing LNK File and Jump List Artifacts
@@ -1,17 +1,36 @@
 ---
 name: analyzing-macro-malware-in-office-documents
-description: >
-  Analyzes malicious VBA macros embedded in Microsoft Office documents (Word, Excel, PowerPoint)
-  to identify download cradles, payload execution, persistence mechanisms, and anti-analysis
-  techniques. Uses olevba, oledump, and VBA deobfuscation to extract the attack chain.
-  Activates for requests involving Office macro analysis, VBA malware investigation,
-  maldoc analysis, or document-based threat examination.
+description: 'Analyzes malicious VBA macros embedded in Microsoft Office documents (Word, Excel, PowerPoint) to identify download
+  cradles, payload execution, persistence mechanisms, and anti-analysis techniques. Uses olevba, oledump, and VBA deobfuscation
+  to extract the attack chain. Activates for requests involving Office macro analysis, VBA malware investigation, maldoc analysis,
+  or document-based threat examination.
+
+  '
 domain: cybersecurity
 subdomain: malware-analysis
-tags: [malware, macro, Office, VBA, document-malware]
+tags:
+- malware
+- macro
+- Office
+- VBA
+- document-malware
 version: 1.0.0
 author: mahipal
 license: Apache-2.0
+atlas_techniques:
+- AML.T0068
+- AML.T0067
+d3fend_techniques:
+- File Metadata Consistency Validation
+- Application Protocol Command Analysis
+- Identifier Analysis
+- Content Format Conversion
+- Message Analysis
+nist_csf:
+- DE.AE-02
+- RS.AN-03
+- ID.RA-01
+- DE.CM-01
 ---

 # Analyzing Macro Malware in Office Documents
@@ -1,12 +1,26 @@
 ---
 name: analyzing-malicious-pdf-with-peepdf
-description: Perform static analysis of malicious PDF documents using peepdf, pdfid, and pdf-parser to extract embedded JavaScript, shellcode, and suspicious objects.
+description: Perform static analysis of malicious PDF documents using peepdf, pdfid, and pdf-parser to extract embedded JavaScript,
+  shellcode, and suspicious objects.
 domain: cybersecurity
 subdomain: malware-analysis
-tags: [malware-analysis, pdf, peepdf, pdfid, pdf-parser, static-analysis, reverse-engineering, dfir]
-version: "1.0"
+tags:
+- malware-analysis
+- pdf
+- peepdf
+- pdfid
+- pdf-parser
+- static-analysis
+- reverse-engineering
+- dfir
+version: '1.0'
 author: mahipal
 license: Apache-2.0
+nist_csf:
+- DE.AE-02
+- RS.AN-03
+- ID.RA-01
+- DE.CM-01
 ---

 # Analyzing Malicious PDF with peepdf
@@ -1,12 +1,27 @@
 ---
 name: analyzing-malicious-url-with-urlscan
-description: URLScan.io is a free service for scanning and analyzing suspicious URLs. It captures screenshots, DOM content, HTTP transactions, JavaScript behavior, and network connections of web pages in an isolat
+description: URLScan.io is a free service for scanning and analyzing suspicious URLs. It captures screenshots, DOM content,
+  HTTP transactions, JavaScript behavior, and network connections of web pages in an isolat
 domain: cybersecurity
 subdomain: phishing-defense
-tags: [phishing, email-security, social-engineering, dmarc, awareness, url-analysis, threat-intelligence]
-version: "1.0"
+tags:
+- phishing
+- email-security
+- social-engineering
+- dmarc
+- awareness
+- url-analysis
+- threat-intelligence
+version: '1.0'
 author: mahipal
 license: Apache-2.0
+atlas_techniques:
+- AML.T0052
+nist_csf:
+- PR.AT-01
+- DE.CM-09
+- RS.CO-02
+- DE.AE-02
 ---
 # Analyzing Malicious URL with URLScan

@@ -1,17 +1,27 @@
 ---
 name: analyzing-malware-behavior-with-cuckoo-sandbox
-description: >
-  Executes malware samples in Cuckoo Sandbox to observe runtime behavior including
-  process creation, file system modifications, registry changes, network communications,
-  and API calls. Generates comprehensive behavioral reports for malware classification
-  and IOC extraction. Activates for requests involving dynamic malware analysis, sandbox
-  detonation, behavioral analysis, or automated malware execution.
+description: 'Executes malware samples in Cuckoo Sandbox to observe runtime behavior including process creation, file system
+  modifications, registry changes, network communications, and API calls. Generates comprehensive behavioral reports for malware
+  classification and IOC extraction. Activates for requests involving dynamic malware analysis, sandbox detonation, behavioral
+  analysis, or automated malware execution.
+
+  '
 domain: cybersecurity
 subdomain: malware-analysis
-tags: [malware, dynamic-analysis, sandbox, Cuckoo, behavioral-analysis]
+tags:
+- malware
+- dynamic-analysis
+- sandbox
+- Cuckoo
+- behavioral-analysis
 version: 1.0.0
 author: mahipal
 license: Apache-2.0
+nist_csf:
+- DE.AE-02
+- RS.AN-03
+- ID.RA-01
+- DE.CM-01
 ---

 # Analyzing Malware Behavior with Cuckoo Sandbox
@@ -1,12 +1,26 @@
 ---
 name: analyzing-malware-family-relationships-with-malpedia
-description: Use the Malpedia platform and API to research malware family relationships, track variant evolution, link families to threat actors, and integrate YARA rules for detection across malware lineages.
+description: Use the Malpedia platform and API to research malware family relationships, track variant evolution, link families
+  to threat actors, and integrate YARA rules for detection across malware lineages.
 domain: cybersecurity
 subdomain: threat-intelligence
-tags: [malpedia, malware-family, yara, threat-actor, malware-tracking, threat-intelligence, variant-analysis, malware-intelligence]
-version: "1.0"
+tags:
+- malpedia
+- malware-family
+- yara
+- threat-actor
+- malware-tracking
+- threat-intelligence
+- variant-analysis
+- malware-intelligence
+version: '1.0'
 author: mahipal
 license: Apache-2.0
+nist_csf:
+- ID.RA-01
+- ID.RA-05
+- DE.CM-01
+- DE.AE-02
 ---
 # Analyzing Malware Family Relationships with Malpedia

@@ -1,12 +1,37 @@
 ---
 name: analyzing-malware-persistence-with-autoruns
-description: Use Sysinternals Autoruns to systematically identify and analyze malware persistence mechanisms across registry keys, scheduled tasks, services, drivers, and startup locations on Windows systems.
+description: Use Sysinternals Autoruns to systematically identify and analyze malware persistence mechanisms across registry
+  keys, scheduled tasks, services, drivers, and startup locations on Windows systems.
 domain: cybersecurity
 subdomain: malware-analysis
-tags: [autoruns, persistence, malware-analysis, sysinternals, windows, registry, startup, incident-response]
-version: "1.0"
+tags:
+- autoruns
+- persistence
+- malware-analysis
+- sysinternals
+- windows
+- registry
+- startup
+- incident-response
+mitre_attack:
+- T1547
+- T1053
+- T1543
+- T1546
+version: '1.0'
 author: mahipal
 license: Apache-2.0
+d3fend_techniques:
+- Executable Denylisting
+- Execution Isolation
+- File Metadata Consistency Validation
+- Content Format Conversion
+- File Content Analysis
+nist_csf:
+- DE.AE-02
+- RS.AN-03
+- ID.RA-01
+- DE.CM-01
 ---
 # Analyzing Malware Persistence with Autoruns

@@ -1,19 +1,31 @@
 ---
 name: analyzing-malware-sandbox-evasion-techniques
-description: Detect sandbox evasion techniques in malware samples by analyzing timing checks, VM artifact queries, user interaction detection, and sleep inflation patterns from Cuckoo/AnyRun behavioral reports
+description: Detect sandbox evasion techniques in malware samples by analyzing timing checks, VM artifact queries, user interaction
+  detection, and sleep inflation patterns from Cuckoo/AnyRun behavioral reports
 domain: cybersecurity
 subdomain: malware-analysis
 tags:
-  - sandbox-evasion
-  - malware-analysis
-  - cuckoo
-  - anyrun
-  - mitre-attack
-  - virtualization-detection
-  - behavioral-analysis
-version: "1.0"
+- sandbox-evasion
+- malware-analysis
+- cuckoo
+- anyrun
+- mitre-attack
+- virtualization-detection
+- behavioral-analysis
+version: '1.0'
 author: mahipal
 license: Apache-2.0
+d3fend_techniques:
+- Platform Hardening
+- Restore Object
+- Process Analysis
+- System Call Filtering
+- Restore Software
+nist_csf:
+- DE.AE-02
+- RS.AN-03
+- ID.RA-01
+- DE.CM-01
 ---

 # Analyzing Malware Sandbox Evasion Techniques
@@ -1,17 +1,32 @@
 ---
 name: analyzing-memory-dumps-with-volatility
-description: >
-  Analyzes RAM memory dumps from compromised systems using the Volatility framework to
-  identify malicious processes, injected code, network connections, loaded modules, and
-  extracted credentials. Supports Windows, Linux, and macOS memory forensics. Activates
-  for requests involving memory forensics, RAM analysis, volatile data examination,
-  process injection detection, or memory-resident malware investigation.
+description: 'Analyzes RAM memory dumps from compromised systems using the Volatility framework to identify malicious processes,
+  injected code, network connections, loaded modules, and extracted credentials. Supports Windows, Linux, and macOS memory
+  forensics. Activates for requests involving memory forensics, RAM analysis, volatile data examination, process injection
+  detection, or memory-resident malware investigation.
+
+  '
 domain: cybersecurity
 subdomain: malware-analysis
-tags: [malware, memory-forensics, Volatility, RAM-analysis, incident-response]
+tags:
+- malware
+- memory-forensics
+- Volatility
+- RAM-analysis
+- incident-response
+mitre_attack:
+- T1055
+- T1003
+- T1059
+- T1620
 version: 1.0.0
 author: mahipal
 license: Apache-2.0
+nist_csf:
+- DE.AE-02
+- RS.AN-03
+- ID.RA-01
+- DE.CM-01
 ---

 # Analyzing Memory Dumps with Volatility
@@ -1,16 +1,25 @@
 ---
 name: analyzing-memory-forensics-with-lime-and-volatility
-description: >
-  Performs Linux memory acquisition using LiME (Linux Memory Extractor) kernel module
-  and analysis with Volatility 3 framework. Extracts process lists, network connections,
-  bash history, loaded kernel modules, and injected code from Linux memory images.
-  Use when performing incident response on compromised Linux systems.
+description: 'Performs Linux memory acquisition using LiME (Linux Memory Extractor) kernel module and analysis with Volatility
+  3 framework. Extracts process lists, network connections, bash history, loaded kernel modules, and injected code from Linux
+  memory images. Use when performing incident response on compromised Linux systems.
+
+  '
 domain: cybersecurity
 subdomain: security-operations
-tags: [analyzing, memory, forensics, with]
-version: "1.0"
+tags:
+- analyzing
+- memory
+- forensics
+- with
+version: '1.0'
 author: mahipal
 license: Apache-2.0
+nist_csf:
+- DE.CM-01
+- RS.MA-01
+- GV.OV-01
+- DE.AE-02
 ---

 # Analyzing Memory Forensics with LiME and Volatility
@@ -1,12 +1,28 @@
 ---
 name: analyzing-mft-for-deleted-file-recovery
-description: Analyze the NTFS Master File Table ($MFT) to recover metadata and content of deleted files by examining MFT record entries, $LogFile, $UsnJrnl, and MFT slack space using MFTECmd, analyzeMFT, and X-Ways Forensics.
+description: Analyze the NTFS Master File Table ($MFT) to recover metadata and content of deleted files by examining MFT record
+  entries, $LogFile, $UsnJrnl, and MFT slack space using MFTECmd, analyzeMFT, and X-Ways Forensics.
 domain: cybersecurity
 subdomain: digital-forensics
-tags: [mft, ntfs, deleted-files, file-recovery, mftecmd, usn-journal, logfile, mft-slack-space, file-system-forensics, dfir]
-version: "1.0"
+tags:
+- mft
+- ntfs
+- deleted-files
+- file-recovery
+- mftecmd
+- usn-journal
+- logfile
+- mft-slack-space
+- file-system-forensics
+- dfir
+version: '1.0'
 author: mahipal
 license: Apache-2.0
+nist_csf:
+- RS.AN-01
+- RS.AN-03
+- DE.AE-02
+- RS.MA-01
 ---

 # Analyzing MFT for Deleted File Recovery
@@ -1,12 +1,31 @@
 ---
 name: analyzing-network-covert-channels-in-malware
-description: Detect and analyze covert communication channels used by malware including DNS tunneling, ICMP exfiltration, steganographic HTTP, and protocol abuse for C2 and data exfiltration.
+description: Detect and analyze covert communication channels used by malware including DNS tunneling, ICMP exfiltration,
+  steganographic HTTP, and protocol abuse for C2 and data exfiltration.
 domain: cybersecurity
 subdomain: malware-analysis
-tags: [covert-channels, dns-tunneling, icmp-exfiltration, malware-analysis, network-forensics, c2-detection, data-exfiltration]
-version: "1.0"
+tags:
+- covert-channels
+- dns-tunneling
+- icmp-exfiltration
+- malware-analysis
+- network-forensics
+- c2-detection
+- data-exfiltration
+version: '1.0'
 author: mahipal
 license: Apache-2.0
+d3fend_techniques:
+- File Metadata Consistency Validation
+- Certificate Analysis
+- Application Protocol Command Analysis
+- Content Format Conversion
+- File Content Analysis
+nist_csf:
+- DE.AE-02
+- RS.AN-03
+- ID.RA-01
+- DE.CM-01
 ---
 # Analyzing Network Covert Channels in Malware

@@ -1,16 +1,23 @@
 ---
 name: analyzing-network-flow-data-with-netflow
-description: >-
-  Parse NetFlow v9 and IPFIX records to detect volumetric anomalies, port scanning, data
-  exfiltration, and C2 beaconing patterns. Uses the Python netflow library to decode flow
-  records, builds traffic baselines, and applies statistical analysis to identify flows
-  with abnormal byte counts, connection durations, and periodic timing patterns.
+description: Parse NetFlow v9 and IPFIX records to detect volumetric anomalies, port scanning, data exfiltration, and C2 beaconing
+  patterns. Uses the Python netflow library to decode flow records, builds traffic baselines, and applies statistical analysis
+  to identify flows with abnormal byte counts, connection durations, and periodic timing patterns.
 domain: cybersecurity
 subdomain: network-security
-tags: [analyzing, network, flow, data]
-version: "1.0"
+tags:
+- analyzing
+- network
+- flow
+- data
+version: '1.0'
 author: mahipal
 license: Apache-2.0
+nist_csf:
+- PR.IR-01
+- DE.CM-01
+- ID.AM-03
+- PR.DS-02
 ---


@@ -1,18 +1,24 @@
 ---
 name: analyzing-network-packets-with-scapy
-description: Craft, send, sniff, and dissect network packets using Scapy for protocol analysis, network reconnaissance, and traffic anomaly detection in authorized security testing
+description: Craft, send, sniff, and dissect network packets using Scapy for protocol analysis, network reconnaissance, and
+  traffic anomaly detection in authorized security testing
 domain: cybersecurity
 subdomain: network-security
 tags:
-  - scapy
-  - packet-analysis
-  - network-forensics
-  - protocol-dissection
-  - pcap
-  - traffic-analysis
-version: "1.0"
+- scapy
+- packet-analysis
+- network-forensics
+- protocol-dissection
+- pcap
+- traffic-analysis
+version: '1.0'
 author: mahipal
 license: Apache-2.0
+nist_csf:
+- PR.IR-01
+- DE.CM-01
+- ID.AM-03
+- PR.DS-02
 ---

 # Analyzing Network Packets with Scapy
@@ -1,18 +1,32 @@
 ---
 name: analyzing-network-traffic-for-incidents
-description: >
-  Analyzes network traffic captures and flow data to identify adversary activity during
-  security incidents, including command-and-control communications, lateral movement,
-  data exfiltration, and exploitation attempts. Uses Wireshark, Zeek, and NetFlow
-  analysis techniques. Activates for requests involving network traffic analysis,
-  packet capture investigation, PCAP analysis, network forensics, C2 traffic detection,
-  or exfiltration detection.
+description: 'Analyzes network traffic captures and flow data to identify adversary activity during security incidents, including
+  command-and-control communications, lateral movement, data exfiltration, and exploitation attempts. Uses Wireshark, Zeek,
+  and NetFlow analysis techniques. Activates for requests involving network traffic analysis, packet capture investigation,
+  PCAP analysis, network forensics, C2 traffic detection, or exfiltration detection.
+
+  '
 domain: cybersecurity
 subdomain: incident-response
-tags: [network-forensics, PCAP-analysis, Wireshark, Zeek, traffic-analysis]
+tags:
+- network-forensics
+- PCAP-analysis
+- Wireshark
+- Zeek
+- traffic-analysis
+mitre_attack:
+- T1071
+- T1095
+- T1573
+- T1572
 version: 1.0.0
 author: mahipal
 license: Apache-2.0
+nist_csf:
+- RS.MA-01
+- RS.MA-02
+- RS.AN-03
+- RC.RP-01
 ---

 # Analyzing Network Traffic for Incidents
@@ -1,17 +1,27 @@
 ---
 name: analyzing-network-traffic-of-malware
-description: >
-  Analyzes network traffic generated by malware during sandbox execution or live incident
-  response to identify C2 protocols, data exfiltration channels, payload downloads, and
-  lateral movement patterns using Wireshark, Zeek, and Suricata. Activates for requests
-  involving malware network analysis, C2 traffic decoding, malware PCAP analysis, or
-  network-based malware detection.
+description: 'Analyzes network traffic generated by malware during sandbox execution or live incident response to identify
+  C2 protocols, data exfiltration channels, payload downloads, and lateral movement patterns using Wireshark, Zeek, and Suricata.
+  Activates for requests involving malware network analysis, C2 traffic decoding, malware PCAP analysis, or network-based
+  malware detection.
+
+  '
 domain: cybersecurity
 subdomain: malware-analysis
-tags: [malware, network-analysis, PCAP, Wireshark, C2-detection]
+tags:
+- malware
+- network-analysis
+- PCAP
+- Wireshark
+- C2-detection
 version: 1.0.0
 author: mahipal
 license: Apache-2.0
+nist_csf:
+- DE.AE-02
+- RS.AN-03
+- ID.RA-01
+- DE.CM-01
 ---

 # Analyzing Network Traffic of Malware
@@ -1,15 +1,25 @@
 ---
 name: analyzing-network-traffic-with-wireshark
-description: >
-  Captures and analyzes network packet data using Wireshark and tshark to identify
-  malicious traffic patterns, diagnose protocol issues, extract artifacts, and
-  support incident response investigations on authorized network segments.
+description: 'Captures and analyzes network packet data using Wireshark and tshark to identify malicious traffic patterns,
+  diagnose protocol issues, extract artifacts, and support incident response investigations on authorized network segments.
+
+  '
 domain: cybersecurity
 subdomain: network-security
-tags: [network-security, wireshark, packet-analysis, traffic-analysis, pcap]
-version: "1.0"
+tags:
+- network-security
+- wireshark
+- packet-analysis
+- traffic-analysis
+- pcap
+version: '1.0'
 author: mahipal
 license: Apache-2.0
+nist_csf:
+- PR.IR-01
+- DE.CM-01
+- ID.AM-03
+- PR.DS-02
 ---
 # Analyzing Network Traffic with Wireshark

@@ -1,12 +1,25 @@
 ---
 name: analyzing-office365-audit-logs-for-compromise
-description: Parse Office 365 Unified Audit Logs via Microsoft Graph API to detect email forwarding rule creation, inbox delegation, suspicious OAuth app grants, and other indicators of account compromise.
+description: Parse Office 365 Unified Audit Logs via Microsoft Graph API to detect email forwarding rule creation, inbox delegation,
+  suspicious OAuth app grants, and other indicators of account compromise.
 domain: cybersecurity
 subdomain: cloud-security
-tags: [Office365, Microsoft-Graph, audit-logs, email-compromise, inbox-rules, OAuth, BEC]
-version: "1.0"
+tags:
+- Office365
+- Microsoft-Graph
+- audit-logs
+- email-compromise
+- inbox-rules
+- OAuth
+- BEC
+version: '1.0'
 author: mahipal
 license: Apache-2.0
+nist_csf:
+- PR.IR-01
+- ID.AM-08
+- GV.SC-06
+- DE.CM-01
 ---

 # Analyzing Office 365 Audit Logs for Compromise
@@ -1,12 +1,33 @@
 ---
 name: analyzing-outlook-pst-for-email-forensics
-description: Analyze Microsoft Outlook PST and OST files for email forensic evidence including message content, headers, attachments, deleted items, and metadata using libpff, pst-utils, and forensic email analysis tools for legal investigations and incident response.
+description: Analyze Microsoft Outlook PST and OST files for email forensic evidence including message content, headers, attachments,
+  deleted items, and metadata using libpff, pst-utils, and forensic email analysis tools for legal investigations and incident
+  response.
 domain: cybersecurity
 subdomain: digital-forensics
-tags: [email-forensics, pst, ost, outlook, mapi, email-headers, attachments, deleted-emails, libpff, eml-extraction]
-version: "1.0"
+tags:
+- email-forensics
+- pst
+- ost
+- outlook
+- mapi
+- email-headers
+- attachments
+- deleted-emails
+- libpff
+- eml-extraction
+version: '1.0'
 author: mahipal
 license: Apache-2.0
+nist_ai_rmf:
+- MANAGE-2.4
+- MANAGE-3.1
+- MEASURE-3.1
+nist_csf:
+- RS.AN-01
+- RS.AN-03
+- DE.AE-02
+- RS.MA-01
 ---

 # Analyzing Outlook PST for Email Forensics
@@ -1,16 +1,26 @@
 ---
 name: analyzing-packed-malware-with-upx-unpacker
-description: >
-  Identifies and unpacks UPX-packed and other packed malware samples to expose the original
-  executable code for static analysis. Covers both standard UPX unpacking and handling
-  modified UPX headers that prevent automated decompression. Activates for requests involving
-  malware unpacking, UPX decompression, packer removal, or preparing packed samples for analysis.
+description: 'Identifies and unpacks UPX-packed and other packed malware samples to expose the original executable code for
+  static analysis. Covers both standard UPX unpacking and handling modified UPX headers that prevent automated decompression.
+  Activates for requests involving malware unpacking, UPX decompression, packer removal, or preparing packed samples for analysis.
+
+  '
 domain: cybersecurity
 subdomain: malware-analysis
-tags: [malware, unpacking, UPX, packing, static-analysis]
+tags:
+- malware
+- unpacking
+- UPX
+- packing
+- static-analysis
 version: 1.0.0
 author: mahipal
 license: Apache-2.0
+nist_csf:
+- DE.AE-02
+- RS.AN-03
+- ID.RA-01
+- DE.CM-01
 ---

 # Analyzing Packed Malware with UPX Unpacker
@@ -1,17 +1,27 @@
 ---
 name: analyzing-pdf-malware-with-pdfid
-description: >
-  Analyzes malicious PDF files using PDFiD, pdf-parser, and peepdf to identify embedded
-  JavaScript, shellcode, exploits, and suspicious objects without opening the document.
-  Determines the attack vector and extracts embedded payloads for further analysis.
-  Activates for requests involving PDF malware analysis, malicious document analysis,
-  PDF exploit investigation, or suspicious attachment triage.
+description: 'Analyzes malicious PDF files using PDFiD, pdf-parser, and peepdf to identify embedded JavaScript, shellcode,
+  exploits, and suspicious objects without opening the document. Determines the attack vector and extracts embedded payloads
+  for further analysis. Activates for requests involving PDF malware analysis, malicious document analysis, PDF exploit investigation,
+  or suspicious attachment triage.
+
+  '
 domain: cybersecurity
 subdomain: malware-analysis
-tags: [malware, PDF-analysis, document-malware, PDFiD, static-analysis]
+tags:
+- malware
+- PDF-analysis
+- document-malware
+- PDFiD
+- static-analysis
 version: 1.0.0
 author: mahipal
 license: Apache-2.0
+nist_csf:
+- DE.AE-02
+- RS.AN-03
+- ID.RA-01
+- DE.CM-01
 ---

 # Analyzing PDF Malware with PDFiD
@@ -1,12 +1,36 @@
 ---
 name: analyzing-persistence-mechanisms-in-linux
-description: Detect and analyze Linux persistence mechanisms including crontab entries, systemd service units, LD_PRELOAD hijacking, bashrc modifications, and authorized_keys backdoors using auditd and file integrity monitoring
+description: Detect and analyze Linux persistence mechanisms including crontab entries, systemd service units, LD_PRELOAD
+  hijacking, bashrc modifications, and authorized_keys backdoors using auditd and file integrity monitoring
 domain: cybersecurity
 subdomain: threat-hunting
-tags: [linux-persistence, crontab, systemd, ld-preload, auditd, threat-hunting, incident-response]
-version: "1.0"
+tags:
+- linux-persistence
+- crontab
+- systemd
+- ld-preload
+- auditd
+- threat-hunting
+- incident-response
+mitre_attack:
+- T1053.003
+- T1543.002
+- T1574.006
+- T1546.004
+version: '1.0'
 author: mahipal
 license: Apache-2.0
+d3fend_techniques:
+- Executable Denylisting
+- Execution Isolation
+- File Metadata Consistency Validation
+- Process Termination
+- Content Format Conversion
+nist_csf:
+- DE.CM-01
+- DE.AE-02
+- DE.AE-07
+- ID.RA-05
 ---

 # Analyzing Persistence Mechanisms in Linux
@@ -1,12 +1,37 @@
 ---
 name: analyzing-powershell-empire-artifacts
-description: Detect PowerShell Empire framework artifacts in Windows event logs by identifying Base64 encoded launcher patterns, default user agents, staging URL structures, stager IOCs, and known Empire module signatures in Script Block Logging events.
+description: Detect PowerShell Empire framework artifacts in Windows event logs by identifying Base64 encoded launcher patterns,
+  default user agents, staging URL structures, stager IOCs, and known Empire module signatures in Script Block Logging events.
 domain: cybersecurity
 subdomain: threat-hunting
-tags: [PowerShell-Empire, threat-hunting, Script-Block-Logging, base64, stager, C2, MITRE-ATT&CK, T1059.001, forensics]
-version: "1.0"
+tags:
+- PowerShell-Empire
+- threat-hunting
+- Script-Block-Logging
+- base64
+- stager
+- C2
+- MITRE-ATT&CK
+- T1059.001
+- forensics
+version: '1.0'
 author: mahipal
 license: Apache-2.0
+d3fend_techniques:
+- Executable Denylisting
+- Execution Isolation
+- File Metadata Consistency Validation
+- Content Format Conversion
+- File Content Analysis
+nist_ai_rmf:
+- GOVERN-1.1
+- MEASURE-2.7
+- MANAGE-3.1
+nist_csf:
+- DE.CM-01
+- DE.AE-02
+- DE.AE-07
+- ID.RA-05
 ---

 # Analyzing PowerShell Empire Artifacts
@@ -1,16 +1,23 @@
 ---
 name: analyzing-powershell-script-block-logging
-description: >-
-  Parse Windows PowerShell Script Block Logs (Event ID 4104) from EVTX files to detect obfuscated
-  commands, encoded payloads, and living-off-the-land techniques. Uses python-evtx to extract and
-  reconstruct multi-block scripts, applies entropy analysis and pattern matching for Base64-encoded
-  commands, Invoke-Expression abuse, download cradles, and AMSI bypass attempts.
+description: Parse Windows PowerShell Script Block Logs (Event ID 4104) from EVTX files to detect obfuscated commands, encoded
+  payloads, and living-off-the-land techniques. Uses python-evtx to extract and reconstruct multi-block scripts, applies entropy
+  analysis and pattern matching for Base64-encoded commands, Invoke-Expression abuse, download cradles, and AMSI bypass attempts.
 domain: cybersecurity
 subdomain: security-operations
-tags: [analyzing, powershell, script, block]
-version: "1.0"
+tags:
+- analyzing
+- powershell
+- script
+- block
+version: '1.0'
 author: mahipal
 license: Apache-2.0
+nist_csf:
+- DE.CM-01
+- RS.MA-01
+- GV.OV-01
+- DE.AE-02
 ---


@@ -1,12 +1,24 @@
 ---
 name: analyzing-prefetch-files-for-execution-history
-description: Parse Windows Prefetch files to determine program execution history including run counts, timestamps, and referenced files for forensic investigation.
+description: Parse Windows Prefetch files to determine program execution history including run counts, timestamps, and referenced
+  files for forensic investigation.
 domain: cybersecurity
 subdomain: digital-forensics
-tags: [forensics, prefetch, windows-artifacts, execution-history, timeline-analysis, evidence-collection]
-version: "1.0"
+tags:
+- forensics
+- prefetch
+- windows-artifacts
+- execution-history
+- timeline-analysis
+- evidence-collection
+version: '1.0'
 author: mahipal
 license: Apache-2.0
+nist_csf:
+- RS.AN-01
+- RS.AN-03
+- DE.AE-02
+- RS.MA-01
 ---

 # Analyzing Prefetch Files for Execution History
@@ -1,17 +1,27 @@
 ---
 name: analyzing-ransomware-encryption-mechanisms
-description: >
-  Analyzes encryption algorithms, key management, and file encryption routines used by
-  ransomware families to assess decryption feasibility, identify implementation weaknesses,
-  and support recovery efforts. Covers AES, RSA, ChaCha20, and hybrid encryption schemes.
-  Activates for requests involving ransomware cryptanalysis, encryption analysis, key
-  recovery assessment, or ransomware decryption feasibility.
+description: 'Analyzes encryption algorithms, key management, and file encryption routines used by ransomware families to
+  assess decryption feasibility, identify implementation weaknesses, and support recovery efforts. Covers AES, RSA, ChaCha20,
+  and hybrid encryption schemes. Activates for requests involving ransomware cryptanalysis, encryption analysis, key recovery
+  assessment, or ransomware decryption feasibility.
+
+  '
 domain: cybersecurity
 subdomain: malware-analysis
-tags: [malware, ransomware, encryption, cryptanalysis, reverse-engineering]
+tags:
+- malware
+- ransomware
+- encryption
+- cryptanalysis
+- reverse-engineering
 version: 1.0.0
 author: mahipal
 license: Apache-2.0
+nist_csf:
+- DE.AE-02
+- RS.AN-03
+- ID.RA-01
+- DE.CM-01
 ---

 # Analyzing Ransomware Encryption Mechanisms
@@ -1,12 +1,26 @@
 ---
 name: analyzing-ransomware-leak-site-intelligence
-description: Monitor and analyze ransomware group data leak sites (DLS) to track victim postings, extract threat intelligence on group tactics, and assess sector-specific ransomware risk for proactive defense.
+description: Monitor and analyze ransomware group data leak sites (DLS) to track victim postings, extract threat intelligence
+  on group tactics, and assess sector-specific ransomware risk for proactive defense.
 domain: cybersecurity
 subdomain: threat-intelligence
-tags: [ransomware, leak-site, data-leak, extortion, threat-intelligence, monitoring, dls, victim-tracking]
-version: "1.0"
+tags:
+- ransomware
+- leak-site
+- data-leak
+- extortion
+- threat-intelligence
+- monitoring
+- dls
+- victim-tracking
+version: '1.0'
 author: mahipal
 license: Apache-2.0
+nist_csf:
+- ID.RA-01
+- ID.RA-05
+- DE.CM-01
+- DE.AE-02
 ---
 # Analyzing Ransomware Leak Site Intelligence

@@ -1,12 +1,31 @@
 ---
 name: analyzing-ransomware-network-indicators
-description: Identify ransomware network indicators including C2 beaconing patterns, TOR exit node connections, data exfiltration flows, and encryption key exchange via Zeek conn.log and NetFlow analysis
+description: Identify ransomware network indicators including C2 beaconing patterns, TOR exit node connections, data exfiltration
+  flows, and encryption key exchange via Zeek conn.log and NetFlow analysis
 domain: cybersecurity
 subdomain: threat-hunting
-tags: [ransomware, c2-beaconing, zeek, netflow, tor, exfiltration, network-forensics]
-version: "1.0"
+tags:
+- ransomware
+- c2-beaconing
+- zeek
+- netflow
+- tor
+- exfiltration
+- network-forensics
+version: '1.0'
 author: mahipal
 license: Apache-2.0
+d3fend_techniques:
+- File Metadata Consistency Validation
+- Certificate Analysis
+- Application Protocol Command Analysis
+- Content Format Conversion
+- File Content Analysis
+nist_csf:
+- DE.CM-01
+- DE.AE-02
+- DE.AE-07
+- ID.RA-05
 ---

 # Analyzing Ransomware Network Indicators
@@ -1,18 +1,28 @@
 ---
 name: analyzing-ransomware-payment-wallets
-description: >
-  Traces ransomware cryptocurrency payment flows using blockchain analysis tools
-  such as Chainalysis Reactor, WalletExplorer, and blockchain.com APIs. Identifies
-  wallet clusters, tracks fund movement through mixers and exchanges, and supports
-  law enforcement attribution. Activates for requests involving ransomware payment
-  tracing, bitcoin wallet analysis, cryptocurrency forensics, or blockchain
-  intelligence gathering.
+description: 'Traces ransomware cryptocurrency payment flows using blockchain analysis tools such as Chainalysis Reactor,
+  WalletExplorer, and blockchain.com APIs. Identifies wallet clusters, tracks fund movement through mixers and exchanges,
+  and supports law enforcement attribution. Activates for requests involving ransomware payment tracing, bitcoin wallet analysis,
+  cryptocurrency forensics, or blockchain intelligence gathering.
+
+  '
 domain: cybersecurity
 subdomain: ransomware-defense
-tags: [ransomware, blockchain, cryptocurrency, forensics, threat-intelligence, bitcoin]
+tags:
+- ransomware
+- blockchain
+- cryptocurrency
+- forensics
+- threat-intelligence
+- bitcoin
 version: 1.0.0
 author: mahipal
 license: Apache-2.0
+nist_csf:
+- PR.DS-11
+- RS.MA-01
+- RC.RP-01
+- PR.IR-01
 ---

 # Analyzing Ransomware Payment Wallets
@@ -1,18 +1,41 @@
 ---
 name: analyzing-sbom-for-supply-chain-vulnerabilities
-description: >
-  Parses Software Bill of Materials (SBOM) in CycloneDX and SPDX JSON formats to identify
-  supply chain vulnerabilities by correlating components against the NVD CVE database via
-  the NVD 2.0 API. Builds dependency graphs, calculates risk scores, identifies transitive
-  vulnerability paths, and generates compliance reports. Activates for requests involving
-  SBOM analysis, software composition analysis, supply chain security assessment, dependency
-  vulnerability scanning, CycloneDX/SPDX parsing, or CVE correlation.
+description: 'Parses Software Bill of Materials (SBOM) in CycloneDX and SPDX JSON formats to identify supply chain vulnerabilities
+  by correlating components against the NVD CVE database via the NVD 2.0 API. Builds dependency graphs, calculates risk scores,
+  identifies transitive vulnerability paths, and generates compliance reports. Activates for requests involving SBOM analysis,
+  software composition analysis, supply chain security assessment, dependency vulnerability scanning, CycloneDX/SPDX parsing,
+  or CVE correlation.
+
+  '
 domain: cybersecurity
 subdomain: supply-chain-security
-tags: [SBOM, CycloneDX, SPDX, NVD, CVE, supply-chain, dependency-analysis, syft, grype]
+tags:
+- SBOM
+- CycloneDX
+- SPDX
+- NVD
+- CVE
+- supply-chain
+- dependency-analysis
+- syft
+- grype
 version: 1.0.0
 author: mukul975
 license: Apache-2.0
+atlas_techniques:
+- AML.T0010
+- AML.T0104
+nist_ai_rmf:
+- GOVERN-5.2
+- MAP-1.6
+- MANAGE-2.2
+- GOVERN-1.1
+- GOVERN-4.2
+nist_csf:
+- GV.SC-01
+- GV.SC-03
+- GV.SC-06
+- GV.SC-07
 ---

 # Analyzing SBOM for Supply Chain Vulnerabilities
@@ -1,18 +1,47 @@
 ---
 name: analyzing-security-logs-with-splunk
-description: >
-  Leverages Splunk Enterprise Security and SPL (Search Processing Language) to
-  investigate security incidents through log correlation, timeline reconstruction,
-  and anomaly detection. Covers Windows event logs, firewall logs, proxy logs, and
-  authentication data analysis. Activates for requests involving Splunk investigation,
-  SPL queries, SIEM log analysis, security event correlation, or log-based incident
-  investigation.
+description: 'Leverages Splunk Enterprise Security and SPL (Search Processing Language) to investigate security incidents
+  through log correlation, timeline reconstruction, and anomaly detection. Covers Windows event logs, firewall logs, proxy
+  logs, and authentication data analysis. Activates for requests involving Splunk investigation, SPL queries, SIEM log analysis,
+  security event correlation, or log-based incident investigation.
+
+  '
 domain: cybersecurity
 subdomain: incident-response
-tags: [splunk, SPL, SIEM, log-analysis, security-monitoring]
+tags:
+- splunk
+- SPL
+- SIEM
+- log-analysis
+- security-monitoring
+mitre_attack:
+- T1070
+- T1562
+- T1059
 version: 1.0.0
 author: mahipal
 license: Apache-2.0
+atlas_techniques:
+- AML.T0070
+- AML.T0066
+- AML.T0082
+d3fend_techniques:
+- Executable Denylisting
+- Execution Isolation
+- File Metadata Consistency Validation
+- Content Format Conversion
+- File Content Analysis
+nist_ai_rmf:
+- MEASURE-2.7
+- MAP-5.1
+- MANAGE-2.4
+- MANAGE-3.1
+- MEASURE-3.1
+nist_csf:
+- RS.MA-01
+- RS.MA-02
+- RS.AN-03
+- RC.RP-01
 ---

 # Analyzing Security Logs with Splunk
@@ -1,12 +1,25 @@
 ---
 name: analyzing-slack-space-and-file-system-artifacts
-description: Examine file system slack space, MFT entries, USN journal, and alternate data streams to recover hidden data and reconstruct file activity on NTFS volumes.
+description: Examine file system slack space, MFT entries, USN journal, and alternate data streams to recover hidden data
+  and reconstruct file activity on NTFS volumes.
 domain: cybersecurity
 subdomain: digital-forensics
-tags: [forensics, slack-space, ntfs, mft, usn-journal, alternate-data-streams, file-system-analysis]
-version: "1.0"
+tags:
+- forensics
+- slack-space
+- ntfs
+- mft
+- usn-journal
+- alternate-data-streams
+- file-system-analysis
+version: '1.0'
 author: mahipal
 license: Apache-2.0
+nist_csf:
+- RS.AN-01
+- RS.AN-03
+- DE.AE-02
+- RS.MA-01
 ---

 # Analyzing Slack Space and File System Artifacts
@@ -1,12 +1,38 @@
 ---
 name: analyzing-supply-chain-malware-artifacts
-description: Investigate supply chain attack artifacts including trojanized software updates, compromised build pipelines, and sideloaded dependencies to identify intrusion vectors and scope of compromise.
+description: Investigate supply chain attack artifacts including trojanized software updates, compromised build pipelines,
+  and sideloaded dependencies to identify intrusion vectors and scope of compromise.
 domain: cybersecurity
 subdomain: malware-analysis
-tags: [supply-chain, malware-analysis, trojanized-software, solarwinds, 3cx, dependency-confusion, software-integrity]
-version: "1.0"
+tags:
+- supply-chain
+- malware-analysis
+- trojanized-software
+- solarwinds
+- 3cx
+- dependency-confusion
+- software-integrity
+version: '1.0'
 author: mahipal
 license: Apache-2.0
+atlas_techniques:
+- AML.T0010
+- AML.T0104
+nist_ai_rmf:
+- GOVERN-5.2
+- MAP-1.6
+- MANAGE-2.2
+d3fend_techniques:
+- Platform Hardening
+- Hardware Component Inventory
+- Restore Object
+- Electromagnetic Radiation Hardening
+- RF Shielding
+nist_csf:
+- DE.AE-02
+- RS.AN-03
+- ID.RA-01
+- DE.CM-01
 ---
 # Analyzing Supply Chain Malware Artifacts

@@ -1,12 +1,31 @@
 ---
 name: analyzing-threat-actor-ttps-with-mitre-attack
-description: MITRE ATT&CK is a globally-accessible knowledge base of adversary tactics, techniques, and procedures (TTPs) based on real-world observations. This skill covers systematically mapping threat actor beh
+description: MITRE ATT&CK is a globally-accessible knowledge base of adversary tactics, techniques, and procedures (TTPs)
+  based on real-world observations. This skill covers systematically mapping threat actor beh
 domain: cybersecurity
 subdomain: threat-intelligence
-tags: [threat-intelligence, cti, ioc, mitre-attack, stix, ttp-analysis, threat-actors]
-version: "1.0"
+tags:
+- threat-intelligence
+- cti
+- ioc
+- mitre-attack
+- stix
+- ttp-analysis
+- threat-actors
+version: '1.0'
 author: mahipal
 license: Apache-2.0
+d3fend_techniques:
+- Executable Denylisting
+- Execution Isolation
+- File Metadata Consistency Validation
+- Content Format Conversion
+- File Content Analysis
+nist_csf:
+- ID.RA-01
+- ID.RA-05
+- DE.CM-01
+- DE.AE-02
 ---
 # Analyzing Threat Actor TTPs with MITRE ATT&CK

@@ -1,18 +1,43 @@
 ---
 name: analyzing-threat-actor-ttps-with-mitre-navigator
-description: >
-  Map advanced persistent threat (APT) group tactics, techniques, and procedures (TTPs) to
-  the MITRE ATT&CK framework using the ATT&CK Navigator and attackcti Python library. The
-  analyst queries STIX/TAXII data for group-technique associations, generates Navigator layer
-  files for visualization, and compares defensive coverage against adversary profiles.
-  Activates for requests involving APT TTP mapping, ATT&CK Navigator layers, threat actor
-  profiling, or MITRE technique coverage analysis.
+description: 'Map advanced persistent threat (APT) group tactics, techniques, and procedures (TTPs) to the MITRE ATT&CK framework
+  using the ATT&CK Navigator and attackcti Python library. The analyst queries STIX/TAXII data for group-technique associations,
+  generates Navigator layer files for visualization, and compares defensive coverage against adversary profiles. Activates
+  for requests involving APT TTP mapping, ATT&CK Navigator layers, threat actor profiling, or MITRE technique coverage analysis.
+
+  '
 domain: cybersecurity
 subdomain: threat-intelligence
-tags: [mitre-attack, navigator, threat-intelligence, apt, ttp-mapping, stix, attackcti]
-version: "1.0"
+tags:
+- mitre-attack
+- navigator
+- threat-intelligence
+- apt
+- ttp-mapping
+- stix
+- attackcti
+version: '1.0'
 author: mahipal
 license: Apache-2.0
+nist_ai_rmf:
+- MEASURE-2.7
+- MAP-5.1
+- MANAGE-2.4
+atlas_techniques:
+- AML.T0070
+- AML.T0066
+- AML.T0082
+d3fend_techniques:
+- File Metadata Consistency Validation
+- Application Protocol Command Analysis
+- Identifier Analysis
+- Content Format Conversion
+- Message Analysis
+nist_csf:
+- ID.RA-01
+- ID.RA-05
+- DE.CM-01
+- DE.AE-02
 ---
 # Analyzing Threat Actor TTPs with MITRE Navigator

@@ -1,17 +1,31 @@
 ---
 name: analyzing-threat-intelligence-feeds
-description: >
-  Analyzes structured and unstructured threat intelligence feeds to extract actionable indicators,
-  adversary tactics, and campaign context. Use when ingesting commercial or open-source CTI feeds,
-  evaluating feed quality, normalizing data into STIX 2.1 format, or enriching existing IOCs with
-  campaign attribution. Activates for requests involving ThreatConnect, Recorded Future, Mandiant
-  Advantage, MISP, AlienVault OTX, or automated feed aggregation pipelines.
+description: 'Analyzes structured and unstructured threat intelligence feeds to extract actionable indicators, adversary tactics,
+  and campaign context. Use when ingesting commercial or open-source CTI feeds, evaluating feed quality, normalizing data
+  into STIX 2.1 format, or enriching existing IOCs with campaign attribution. Activates for requests involving ThreatConnect,
+  Recorded Future, Mandiant Advantage, MISP, AlienVault OTX, or automated feed aggregation pipelines.
+
+  '
 domain: cybersecurity
 subdomain: threat-intelligence
-tags: [STIX, TAXII, MITRE-ATT&CK, IOC, ThreatConnect, Recorded-Future, MISP, CTI, NIST-CSF]
+tags:
+- STIX
+- TAXII
+- MITRE-ATT&CK
+- IOC
+- ThreatConnect
+- Recorded-Future
+- MISP
+- CTI
+- NIST-CSF
 version: 1.0.0
 author: mahipal
 license: Apache-2.0
+nist_csf:
+- ID.RA-01
+- ID.RA-05
+- DE.CM-01
+- DE.AE-02
 ---
 # Analyzing Threat Intelligence Feeds

@@ -1,17 +1,30 @@
 ---
 name: analyzing-threat-landscape-with-misp
-description: >-
-  Analyze the threat landscape using MISP (Malware Information Sharing Platform)
-  by querying event statistics, attribute distributions, threat actor galaxy
-  clusters, and tag trends over time. Uses PyMISP to pull event data, compute
-  IOC type breakdowns, identify top threat actors and malware families, and
-  generate threat landscape reports with temporal trends.
+description: Analyze the threat landscape using MISP (Malware Information Sharing Platform) by querying event statistics,
+  attribute distributions, threat actor galaxy clusters, and tag trends over time. Uses PyMISP to pull event data, compute
+  IOC type breakdowns, identify top threat actors and malware families, and generate threat landscape reports with temporal
+  trends.
 domain: cybersecurity
 subdomain: threat-intelligence
-tags: [analyzing, threat, landscape, with]
-version: "1.0"
+tags:
+- analyzing
+- threat
+- landscape
+- with
+version: '1.0'
 author: mahipal
 license: Apache-2.0
+d3fend_techniques:
+- File Metadata Consistency Validation
+- Application Protocol Command Analysis
+- Identifier Analysis
+- Content Format Conversion
+- Message Analysis
+nist_csf:
+- ID.RA-01
+- ID.RA-05
+- DE.CM-01
+- DE.AE-02
 ---


@@ -1,16 +1,28 @@
 ---
 name: analyzing-tls-certificate-transparency-logs
-description: >
-  Queries Certificate Transparency logs via crt.sh and pycrtsh to detect phishing
-  domains, unauthorized certificate issuance, and shadow IT. Monitors newly issued
-  certificates for typosquatting and brand impersonation using Levenshtein distance.
-  Use for proactive phishing domain detection and certificate monitoring.
+description: 'Queries Certificate Transparency logs via crt.sh and pycrtsh to detect phishing domains, unauthorized certificate
+  issuance, and shadow IT. Monitors newly issued certificates for typosquatting and brand impersonation using Levenshtein
+  distance. Use for proactive phishing domain detection and certificate monitoring.
+
+  '
 domain: cybersecurity
 subdomain: security-operations
-tags: [analyzing, tls, certificate, transparency]
-version: "1.0"
+tags:
+- analyzing
+- tls
+- certificate
+- transparency
+version: '1.0'
 author: mahipal
 license: Apache-2.0
+atlas_techniques:
+- AML.T0073
+- AML.T0052
+nist_csf:
+- DE.CM-01
+- RS.MA-01
+- GV.OV-01
+- DE.AE-02
 ---

 # Analyzing TLS Certificate Transparency Logs
@@ -1,12 +1,29 @@
 ---
 name: analyzing-typosquatting-domains-with-dnstwist
-description: Detect typosquatting, homograph phishing, and brand impersonation domains using dnstwist to generate domain permutations and identify registered lookalike domains targeting your organization.
+description: Detect typosquatting, homograph phishing, and brand impersonation domains using dnstwist to generate domain permutations
+  and identify registered lookalike domains targeting your organization.
 domain: cybersecurity
 subdomain: threat-intelligence
-tags: [dnstwist, typosquatting, phishing, domain-monitoring, brand-protection, homograph, dns, threat-intelligence]
-version: "1.0"
+tags:
+- dnstwist
+- typosquatting
+- phishing
+- domain-monitoring
+- brand-protection
+- homograph
+- dns
+- threat-intelligence
+version: '1.0'
 author: mahipal
 license: Apache-2.0
+atlas_techniques:
+- AML.T0073
+- AML.T0052
+nist_csf:
+- ID.RA-01
+- ID.RA-05
+- DE.CM-01
+- DE.AE-02
 ---
 # Analyzing Typosquatting Domains with DNSTwist

@@ -1,19 +1,35 @@
 ---
 name: analyzing-uefi-bootkit-persistence
-description: >
-  Analyzes UEFI bootkit persistence mechanisms including firmware implants in SPI flash,
-  EFI System Partition (ESP) modifications, Secure Boot bypass techniques, and UEFI
-  variable manipulation. Covers detection of known bootkit families (BlackLotus, LoJax,
-  MosaicRegressor, MoonBounce, CosmicStrand), ESP partition forensic inspection,
-  chipsec-based firmware integrity verification, and Secure Boot configuration auditing.
-  Activates for requests involving UEFI malware analysis, firmware persistence investigation,
-  boot chain integrity verification, or Secure Boot bypass detection.
+description: 'Analyzes UEFI bootkit persistence mechanisms including firmware implants in SPI flash, EFI System Partition
+  (ESP) modifications, Secure Boot bypass techniques, and UEFI variable manipulation. Covers detection of known bootkit families
+  (BlackLotus, LoJax, MosaicRegressor, MoonBounce, CosmicStrand), ESP partition forensic inspection, chipsec-based firmware
+  integrity verification, and Secure Boot configuration auditing. Activates for requests involving UEFI malware analysis,
+  firmware persistence investigation, boot chain integrity verification, or Secure Boot bypass detection.
+
+  '
 domain: cybersecurity
 subdomain: firmware-security
-tags: [UEFI, bootkit, firmware, Secure-Boot, chipsec, ESP, persistence]
+tags:
+- UEFI
+- bootkit
+- firmware
+- Secure-Boot
+- chipsec
+- ESP
+- persistence
 version: 1.0.0
 author: mukul975
 license: Apache-2.0
+d3fend_techniques:
+- Platform Hardening
+- Restore Object
+- Platform Monitoring
+- Firmware Verification
+- Firmware Embedded Monitoring Code
+nist_csf:
+- ID.RA-01
+- PR.PS-01
+- PR.PS-02
 ---

 # Analyzing UEFI Bootkit Persistence
@@ -1,12 +1,24 @@
 ---
 name: analyzing-usb-device-connection-history
-description: Investigate USB device connection history from Windows registry, event logs, and setupapi logs to track removable media usage and potential data exfiltration.
+description: Investigate USB device connection history from Windows registry, event logs, and setupapi logs to track removable
+  media usage and potential data exfiltration.
 domain: cybersecurity
 subdomain: digital-forensics
-tags: [forensics, usb-forensics, removable-media, registry-analysis, data-exfiltration, device-history]
-version: "1.0"
+tags:
+- forensics
+- usb-forensics
+- removable-media
+- registry-analysis
+- data-exfiltration
+- device-history
+version: '1.0'
 author: mahipal
 license: Apache-2.0
+nist_csf:
+- RS.AN-01
+- RS.AN-03
+- DE.AE-02
+- RS.MA-01
 ---

 # Analyzing USB Device Connection History
@@ -1,16 +1,23 @@
 ---
 name: analyzing-web-server-logs-for-intrusion
-description: >-
-  Parse Apache and Nginx access logs to detect SQL injection attempts, local file inclusion,
-  directory traversal, web scanner fingerprints, and brute-force patterns. Uses regex-based
-  pattern matching against OWASP attack signatures, GeoIP enrichment for source attribution,
-  and statistical anomaly detection for request frequency and response size outliers.
+description: Parse Apache and Nginx access logs to detect SQL injection attempts, local file inclusion, directory traversal,
+  web scanner fingerprints, and brute-force patterns. Uses regex-based pattern matching against OWASP attack signatures, GeoIP
+  enrichment for source attribution, and statistical anomaly detection for request frequency and response size outliers.
 domain: cybersecurity
 subdomain: security-operations
-tags: [analyzing, web, server, logs]
-version: "1.0"
+tags:
+- analyzing
+- web
+- server
+- logs
+version: '1.0'
 author: mahipal
 license: Apache-2.0
+nist_csf:
+- DE.CM-01
+- RS.MA-01
+- GV.OV-01
+- DE.AE-02
 ---


@@ -1,19 +1,29 @@
 ---
 name: analyzing-windows-amcache-artifacts
-description: >
-  Parses and analyzes the Windows Amcache.hve registry hive to extract evidence
-  of program execution, application installation, and driver loading for digital
-  forensics investigations. Uses Eric Zimmerman's AmcacheParser and Timeline
-  Explorer for artifact extraction, SHA-1 hash correlation with threat intel,
-  and timeline reconstruction. Activates for requests involving Amcache forensics,
-  program execution evidence, Windows artifact analysis, or application compatibility
-  cache investigation.
+description: 'Parses and analyzes the Windows Amcache.hve registry hive to extract evidence of program execution, application
+  installation, and driver loading for digital forensics investigations. Uses Eric Zimmerman''s AmcacheParser and Timeline
+  Explorer for artifact extraction, SHA-1 hash correlation with threat intel, and timeline reconstruction. Activates for requests
+  involving Amcache forensics, program execution evidence, Windows artifact analysis, or application compatibility cache investigation.
+
+  '
 domain: cybersecurity
 subdomain: digital-forensics
-tags: [amcache, windows-forensics, program-execution, AmcacheParser, eric-zimmerman, timeline-analysis, DFIR]
+tags:
+- amcache
+- windows-forensics
+- program-execution
+- AmcacheParser
+- eric-zimmerman
+- timeline-analysis
+- DFIR
 version: 1.0.0
 author: mahipal
 license: Apache-2.0
+nist_csf:
+- RS.AN-01
+- RS.AN-03
+- DE.AE-02
+- RS.MA-01
 ---

 # Analyzing Windows Amcache Artifacts
@@ -1,16 +1,35 @@
 ---
 name: analyzing-windows-event-logs-in-splunk
-description: >
-  Analyzes Windows Security, System, and Sysmon event logs in Splunk to detect authentication attacks,
-  privilege escalation, persistence mechanisms, and lateral movement using SPL queries mapped to
-  MITRE ATT&CK techniques. Use when SOC analysts need to investigate Windows-based threats,
-  build detection queries, or perform forensic timeline analysis of Windows endpoints and domain controllers.
+description: 'Analyzes Windows Security, System, and Sysmon event logs in Splunk to detect authentication attacks, privilege
+  escalation, persistence mechanisms, and lateral movement using SPL queries mapped to MITRE ATT&CK techniques. Use when SOC
+  analysts need to investigate Windows-based threats, build detection queries, or perform forensic timeline analysis of Windows
+  endpoints and domain controllers.
+
+  '
 domain: cybersecurity
 subdomain: soc-operations
-tags: [soc, splunk, windows-events, sysmon, event-logs, mitre-attack, active-directory]
-version: "1.0"
+tags:
+- soc
+- splunk
+- windows-events
+- sysmon
+- event-logs
+- mitre-attack
+- active-directory
+version: '1.0'
 author: mahipal
 license: Apache-2.0
+d3fend_techniques:
+- Restore Access
+- Password Authentication
+- Biometric Authentication
+- Strong Password Policy
+- Restore User Account Access
+nist_csf:
+- DE.CM-01
+- DE.AE-02
+- RS.MA-01
+- DE.AE-06
 ---
 # Analyzing Windows Event Logs in Splunk

@@ -1,12 +1,24 @@
 ---
 name: analyzing-windows-lnk-files-for-artifacts
-description: Parse Windows LNK shortcut files to extract target paths, timestamps, volume information, and machine identifiers for forensic timeline reconstruction.
+description: Parse Windows LNK shortcut files to extract target paths, timestamps, volume information, and machine identifiers
+  for forensic timeline reconstruction.
 domain: cybersecurity
 subdomain: digital-forensics
-tags: [forensics, lnk-files, windows-artifacts, shortcut-analysis, timeline-reconstruction, evidence-collection]
-version: "1.0"
+tags:
+- forensics
+- lnk-files
+- windows-artifacts
+- shortcut-analysis
+- timeline-reconstruction
+- evidence-collection
+version: '1.0'
 author: mahipal
 license: Apache-2.0
+nist_csf:
+- RS.AN-01
+- RS.AN-03
+- DE.AE-02
+- RS.MA-01
 ---

 # Analyzing Windows LNK Files for Artifacts
@@ -1,12 +1,28 @@
 ---
 name: analyzing-windows-prefetch-with-python
-description: Parse Windows Prefetch files using the windowsprefetch Python library to reconstruct application execution history, detect renamed or masquerading binaries, and identify suspicious program execution patterns.
+description: Parse Windows Prefetch files using the windowsprefetch Python library to reconstruct application execution history,
+  detect renamed or masquerading binaries, and identify suspicious program execution patterns.
 domain: cybersecurity
 subdomain: digital-forensics
-tags: [digital-forensics, windows, prefetch, execution-history, incident-response, malware-analysis]
-version: "1.0"
+tags:
+- digital-forensics
+- windows
+- prefetch
+- execution-history
+- incident-response
+- malware-analysis
+mitre_attack:
+- T1059
+- T1204
+- T1036
+version: '1.0'
 author: mahipal
 license: Apache-2.0
+nist_csf:
+- RS.AN-01
+- RS.AN-03
+- DE.AE-02
+- RS.MA-01
 ---
 # Analyzing Windows Prefetch with Python

@@ -1,12 +1,24 @@
 ---
 name: analyzing-windows-registry-for-artifacts
-description: Extract and analyze Windows Registry hives to uncover user activity, installed software, autostart entries, and evidence of system compromise.
+description: Extract and analyze Windows Registry hives to uncover user activity, installed software, autostart entries, and
+  evidence of system compromise.
 domain: cybersecurity
 subdomain: digital-forensics
-tags: [forensics, windows-registry, artifact-analysis, regripper, registry-explorer, evidence-collection]
-version: "1.0"
+tags:
+- forensics
+- windows-registry
+- artifact-analysis
+- regripper
+- registry-explorer
+- evidence-collection
+version: '1.0'
 author: mahipal
 license: Apache-2.0
+nist_csf:
+- RS.AN-01
+- RS.AN-03
+- DE.AE-02
+- RS.MA-01
 ---

 # Analyzing Windows Registry for Artifacts
@@ -1,12 +1,29 @@
 ---
 name: analyzing-windows-shellbag-artifacts
-description: Analyze Windows Shellbag registry artifacts to reconstruct folder browsing activity, detect access to removable media and network shares, and establish user interaction with directories even after deletion using SBECmd and ShellBags Explorer.
+description: Analyze Windows Shellbag registry artifacts to reconstruct folder browsing activity, detect access to removable
+  media and network shares, and establish user interaction with directories even after deletion using SBECmd and ShellBags
+  Explorer.
 domain: cybersecurity
 subdomain: digital-forensics
-tags: [shellbags, windows-registry, sbecmd, shellbags-explorer, folder-access, user-activity, removable-media, network-shares, bagmru, dfir]
-version: "1.0"
+tags:
+- shellbags
+- windows-registry
+- sbecmd
+- shellbags-explorer
+- folder-access
+- user-activity
+- removable-media
+- network-shares
+- bagmru
+- dfir
+version: '1.0'
 author: mahipal
 license: Apache-2.0
+nist_csf:
+- RS.AN-01
+- RS.AN-03
+- DE.AE-02
+- RS.MA-01
 ---

 # Analyzing Windows Shellbag Artifacts
@@ -1,15 +1,27 @@
 ---
 name: auditing-aws-s3-bucket-permissions
-description: >
-  Systematically audit AWS S3 bucket permissions to identify publicly accessible buckets,
-  overly permissive ACLs, misconfigured bucket policies, and missing encryption settings
-  using AWS CLI, S3audit, and Prowler to enforce least-privilege data access controls.
+description: 'Systematically audit AWS S3 bucket permissions to identify publicly accessible buckets, overly permissive ACLs,
+  misconfigured bucket policies, and missing encryption settings using AWS CLI, S3audit, and Prowler to enforce least-privilege
+  data access controls.
+
+  '
 domain: cybersecurity
 subdomain: cloud-security
-tags: [cloud-security, aws, s3, bucket-permissions, data-protection, access-control]
-version: "1.0"
+tags:
+- cloud-security
+- aws
+- s3
+- bucket-permissions
+- data-protection
+- access-control
+version: '1.0'
 author: mahipal
 license: Apache-2.0
+nist_csf:
+- PR.IR-01
+- ID.AM-08
+- GV.SC-06
+- DE.CM-01
 ---

 # Auditing AWS S3 Bucket Permissions
@@ -1,15 +1,27 @@
 ---
 name: auditing-azure-active-directory-configuration
-description: >
-  Auditing Microsoft Entra ID (Azure Active Directory) configuration to identify risky
-  authentication policies, overly permissive role assignments, stale accounts, conditional
-  access gaps, and guest user risks using AzureAD PowerShell, Microsoft Graph API, and ScoutSuite.
+description: 'Auditing Microsoft Entra ID (Azure Active Directory) configuration to identify risky authentication policies,
+  overly permissive role assignments, stale accounts, conditional access gaps, and guest user risks using AzureAD PowerShell,
+  Microsoft Graph API, and ScoutSuite.
+
+  '
 domain: cybersecurity
 subdomain: cloud-security
-tags: [cloud-security, azure, entra-id, active-directory, iam-audit, conditional-access]
-version: "1.0"
+tags:
+- cloud-security
+- azure
+- entra-id
+- active-directory
+- iam-audit
+- conditional-access
+version: '1.0'
 author: mahipal
 license: Apache-2.0
+nist_csf:
+- PR.IR-01
+- ID.AM-08
+- GV.SC-06
+- DE.CM-01
 ---

 # Auditing Azure Active Directory Configuration
@@ -1,17 +1,31 @@
 ---
 name: auditing-cloud-with-cis-benchmarks
-description: >
-  This skill details how to conduct cloud security audits using Center for Internet
-  Security benchmarks for AWS, Azure, and GCP. It covers interpreting CIS Foundations
-  Benchmark controls, running automated assessments with tools like Prowler and
-  ScoutSuite, remediating failed controls, and maintaining continuous compliance
-  monitoring against CIS v5 for AWS, v4 for Azure, and v4 for GCP.
+description: 'This skill details how to conduct cloud security audits using Center for Internet Security benchmarks for AWS,
+  Azure, and GCP. It covers interpreting CIS Foundations Benchmark controls, running automated assessments with tools like
+  Prowler and ScoutSuite, remediating failed controls, and maintaining continuous compliance monitoring against CIS v5 for
+  AWS, v4 for Azure, and v4 for GCP.
+
+  '
 domain: cybersecurity
 subdomain: cloud-security
-tags: [cis-benchmarks, cloud-audit, compliance-assessment, prowler, security-hardening]
+tags:
+- cis-benchmarks
+- cloud-audit
+- compliance-assessment
+- prowler
+- security-hardening
 version: 1.0.0
 author: mahipal
 license: Apache-2.0
+nist_ai_rmf:
+- GOVERN-1.1
+- GOVERN-4.2
+- MAP-2.3
+nist_csf:
+- PR.IR-01
+- ID.AM-08
+- GV.SC-06
+- DE.CM-01
 ---

 # Auditing Cloud with CIS Benchmarks
@@ -1,15 +1,26 @@
 ---
 name: auditing-gcp-iam-permissions
-description: >
-  Auditing Google Cloud Platform IAM permissions to identify overly permissive bindings,
-  primitive role usage, service account key proliferation, and cross-project access risks
-  using gcloud CLI, Policy Analyzer, and IAM Recommender.
+description: 'Auditing Google Cloud Platform IAM permissions to identify overly permissive bindings, primitive role usage,
+  service account key proliferation, and cross-project access risks using gcloud CLI, Policy Analyzer, and IAM Recommender.
+
+  '
 domain: cybersecurity
 subdomain: cloud-security
-tags: [cloud-security, gcp, iam, permissions-audit, service-accounts, policy-analyzer]
-version: "1.0"
+tags:
+- cloud-security
+- gcp
+- iam
+- permissions-audit
+- service-accounts
+- policy-analyzer
+version: '1.0'
 author: mahipal
 license: Apache-2.0
+nist_csf:
+- PR.IR-01
+- ID.AM-08
+- GV.SC-06
+- DE.CM-01
 ---

 # Auditing GCP IAM Permissions
@@ -1,15 +1,27 @@
 ---
 name: auditing-kubernetes-cluster-rbac
-description: >
-  Auditing Kubernetes cluster RBAC configurations to identify overly permissive roles,
-  wildcard permissions, dangerous ClusterRoleBindings, service account abuse, and
-  privilege escalation paths using kubectl, rbac-tool, KubiScan, and Kubeaudit.
+description: 'Auditing Kubernetes cluster RBAC configurations to identify overly permissive roles, wildcard permissions, dangerous
+  ClusterRoleBindings, service account abuse, and privilege escalation paths using kubectl, rbac-tool, KubiScan, and Kubeaudit.
+
+  '
 domain: cybersecurity
 subdomain: cloud-security
-tags: [cloud-security, kubernetes, rbac, access-control, eks, gke, aks]
-version: "1.0"
+tags:
+- cloud-security
+- kubernetes
+- rbac
+- access-control
+- eks
+- gke
+- aks
+version: '1.0'
 author: mahipal
 license: Apache-2.0
+nist_csf:
+- PR.IR-01
+- ID.AM-08
+- GV.SC-06
+- DE.CM-01
 ---

 # Auditing Kubernetes Cluster RBAC
@@ -1,15 +1,27 @@
 ---
 name: auditing-terraform-infrastructure-for-security
-description: >
-  Auditing Terraform infrastructure-as-code for security misconfigurations using Checkov,
-  tfsec, Terrascan, and OPA/Rego policies to detect overly permissive IAM policies, public
-  resource exposure, missing encryption, and insecure defaults before cloud deployment.
+description: 'Auditing Terraform infrastructure-as-code for security misconfigurations using Checkov, tfsec, Terrascan, and
+  OPA/Rego policies to detect overly permissive IAM policies, public resource exposure, missing encryption, and insecure defaults
+  before cloud deployment.
+
+  '
 domain: cybersecurity
 subdomain: cloud-security
-tags: [cloud-security, terraform, infrastructure-as-code, checkov, tfsec, policy-as-code]
-version: "1.0"
+tags:
+- cloud-security
+- terraform
+- infrastructure-as-code
+- checkov
+- tfsec
+- policy-as-code
+version: '1.0'
 author: mahipal
 license: Apache-2.0
+nist_csf:
+- PR.IR-01
+- ID.AM-08
+- GV.SC-06
+- DE.CM-01
 ---

 # Auditing Terraform Infrastructure for Security
@@ -1,18 +1,29 @@
 ---
 name: auditing-tls-certificate-transparency-logs
-description: >
-  Monitors Certificate Transparency (CT) logs to detect unauthorized certificate issuance,
-  discover subdomains via CT data, and alert on suspicious certificate activity for owned domains.
-  Uses the crt.sh API and direct CT log querying based on RFC 6962 to build continuous monitoring
-  pipelines that catch rogue certificates, track CA behavior, and map the external attack surface.
-  Activates for requests involving certificate transparency monitoring, CT log auditing,
-  subdomain discovery via certificates, or certificate issuance alerting.
+description: 'Monitors Certificate Transparency (CT) logs to detect unauthorized certificate issuance, discover subdomains
+  via CT data, and alert on suspicious certificate activity for owned domains. Uses the crt.sh API and direct CT log querying
+  based on RFC 6962 to build continuous monitoring pipelines that catch rogue certificates, track CA behavior, and map the
+  external attack surface. Activates for requests involving certificate transparency monitoring, CT log auditing, subdomain
+  discovery via certificates, or certificate issuance alerting.
+
+  '
 domain: cybersecurity
 subdomain: threat-intelligence
-tags: [certificate-transparency, CT-logs, crt-sh, subdomain-discovery, TLS-monitoring, RFC-6962]
+tags:
+- certificate-transparency
+- CT-logs
+- crt-sh
+- subdomain-discovery
+- TLS-monitoring
+- RFC-6962
 version: 1.0.0
 author: mukul975
 license: Apache-2.0
+nist_csf:
+- ID.RA-01
+- ID.RA-05
+- DE.CM-01
+- DE.AE-02
 ---
 # Auditing TLS Certificate Transparency Logs

@@ -1,18 +1,32 @@
 ---
 name: automating-ioc-enrichment
-description: >
-  Automates the enrichment of raw indicators of compromise with multi-source threat intelligence
-  context using SOAR platforms, Python pipelines, or TIP playbooks to reduce analyst triage time
-  and standardize enrichment outputs. Use when building automated enrichment workflows integrated
-  with SIEM alerts, email submission pipelines, or bulk IOC processing from threat feeds. Activates
-  for requests involving SOAR enrichment, Cortex XSOAR, Splunk SOAR, TheHive, Python enrichment
+description: 'Automates the enrichment of raw indicators of compromise with multi-source threat intelligence context using
+  SOAR platforms, Python pipelines, or TIP playbooks to reduce analyst triage time and standardize enrichment outputs. Use
+  when building automated enrichment workflows integrated with SIEM alerts, email submission pipelines, or bulk IOC processing
+  from threat feeds. Activates for requests involving SOAR enrichment, Cortex XSOAR, Splunk SOAR, TheHive, Python enrichment
  pipelines, or automated IOC processing.
+
+  '
 domain: cybersecurity
 subdomain: threat-intelligence
-tags: [SOAR, enrichment, IOC, Cortex-XSOAR, Splunk-SOAR, VirusTotal, automation, CTI, NIST-CSF]
+tags:
+- SOAR
+- enrichment
+- IOC
+- Cortex-XSOAR
+- Splunk-SOAR
+- VirusTotal
+- automation
+- CTI
+- NIST-CSF
 version: 1.0.0
 author: team-cybersecurity
 license: Apache-2.0
+nist_csf:
+- ID.RA-01
+- ID.RA-05
+- DE.CM-01
+- DE.AE-02
 ---
 # Automating IOC Enrichment

@@ -1,12 +1,26 @@
 ---
 name: building-adversary-infrastructure-tracking-system
-description: Build an automated system to track adversary infrastructure using passive DNS, certificate transparency, WHOIS data, and IP enrichment to map and monitor threat actor command-and-control networks.
+description: Build an automated system to track adversary infrastructure using passive DNS, certificate transparency, WHOIS
+  data, and IP enrichment to map and monitor threat actor command-and-control networks.
 domain: cybersecurity
 subdomain: threat-intelligence
-tags: [infrastructure-tracking, passive-dns, c2, whois, threat-actor, pivoting, threat-intelligence, domain-analysis]
-version: "1.0"
+tags:
+- infrastructure-tracking
+- passive-dns
+- c2
+- whois
+- threat-actor
+- pivoting
+- threat-intelligence
+- domain-analysis
+version: '1.0'
 author: mahipal
 license: Apache-2.0
+nist_csf:
+- ID.RA-01
+- ID.RA-05
+- DE.CM-01
+- DE.AE-02
 ---
 # Building Adversary Infrastructure Tracking System

@@ -1,12 +1,32 @@
 ---
 name: building-attack-pattern-library-from-cti-reports
-description: Extract and catalog attack patterns from cyber threat intelligence reports into a structured STIX-based library mapped to MITRE ATT&CK for detection engineering and threat-informed defense.
+description: Extract and catalog attack patterns from cyber threat intelligence reports into a structured STIX-based library
+  mapped to MITRE ATT&CK for detection engineering and threat-informed defense.
 domain: cybersecurity
 subdomain: threat-intelligence
-tags: [attack-pattern, cti-reports, mitre-attack, stix, detection-engineering, threat-intelligence, nlp, extraction]
-version: "1.0"
+tags:
+- attack-pattern
+- cti-reports
+- mitre-attack
+- stix
+- detection-engineering
+- threat-intelligence
+- nlp
+- extraction
+version: '1.0'
 author: mahipal
 license: Apache-2.0
+d3fend_techniques:
+- File Metadata Consistency Validation
+- Application Protocol Command Analysis
+- Identifier Analysis
+- Content Format Conversion
+- Message Analysis
+nist_csf:
+- ID.RA-01
+- ID.RA-05
+- DE.CM-01
+- DE.AE-02
 ---
 # Building Attack Pattern Library from CTI Reports

@@ -1,16 +1,29 @@
 ---
 name: building-automated-malware-submission-pipeline
-description: >
-  Builds an automated malware submission and analysis pipeline that collects suspicious files from
-  endpoints and email gateways, submits them to sandbox environments and multi-engine scanners,
-  and generates verdicts with IOCs for SIEM integration. Use when SOC teams need to scale malware
-  analysis beyond manual sandbox submissions for high-volume alert triage.
+description: 'Builds an automated malware submission and analysis pipeline that collects suspicious files from endpoints and
+  email gateways, submits them to sandbox environments and multi-engine scanners, and generates verdicts with IOCs for SIEM
+  integration. Use when SOC teams need to scale malware analysis beyond manual sandbox submissions for high-volume alert triage.
+
+  '
 domain: cybersecurity
 subdomain: soc-operations
-tags: [soc, malware-analysis, sandbox, automation, virustotal, cuckoo, any-run, pipeline]
-version: "1.0"
+tags:
+- soc
+- malware-analysis
+- sandbox
+- automation
+- virustotal
+- cuckoo
+- any-run
+- pipeline
+version: '1.0'
 author: mahipal
 license: Apache-2.0
+nist_csf:
+- DE.CM-01
+- DE.AE-02
+- RS.MA-01
+- DE.AE-06
 ---
 # Building Automated Malware Submission Pipeline

@@ -1,12 +1,30 @@
 ---
 name: building-c2-infrastructure-with-sliver-framework
-description: Build and configure a resilient command-and-control infrastructure using BishopFox's Sliver C2 framework with redirectors, HTTPS listeners, and multi-operator support for authorized red team engagements.
+description: Build and configure a resilient command-and-control infrastructure using BishopFox's Sliver C2 framework with
+  redirectors, HTTPS listeners, and multi-operator support for authorized red team engagements.
 domain: cybersecurity
 subdomain: red-teaming
-tags: [red-team, c2-framework, sliver, command-and-control, adversary-simulation, infrastructure, post-exploitation]
-version: "1.0"
+tags:
+- red-team
+- c2-framework
+- sliver
+- command-and-control
+- adversary-simulation
+- infrastructure
+- post-exploitation
+version: '1.0'
 author: mahipal
 license: Apache-2.0
+d3fend_techniques:
+- File Metadata Consistency Validation
+- Certificate Analysis
+- Application Protocol Command Analysis
+- Content Format Conversion
+- File Content Analysis
+nist_csf:
+- ID.RA-01
+- GV.OV-02
+- DE.AE-07
 ---
 # Building C2 Infrastructure with Sliver Framework

@@ -1,17 +1,35 @@
 ---
 name: building-cloud-siem-with-sentinel
-description: >
-  This skill covers deploying Microsoft Sentinel as a cloud-native SIEM and SOAR
-  platform for centralized security operations. It details configuring data connectors
-  for multi-cloud log ingestion, writing KQL detection queries, building automated
-  response playbooks with Logic Apps, and leveraging the Sentinel data lake for
-  petabyte-scale threat hunting across AWS, Azure, and GCP security telemetry.
+description: 'This skill covers deploying Microsoft Sentinel as a cloud-native SIEM and SOAR platform for centralized security
+  operations. It details configuring data connectors for multi-cloud log ingestion, writing KQL detection queries, building
+  automated response playbooks with Logic Apps, and leveraging the Sentinel data lake for petabyte-scale threat hunting across
+  AWS, Azure, and GCP security telemetry.
+
+  '
 domain: cybersecurity
 subdomain: cloud-security
-tags: [microsoft-sentinel, cloud-siem, kql-queries, soar-automation, threat-detection]
+tags:
+- microsoft-sentinel
+- cloud-siem
+- kql-queries
+- soar-automation
+- threat-detection
 version: 1.0.0
 author: mahipal
 license: Apache-2.0
+nist_ai_rmf:
+- MEASURE-2.7
+- MAP-5.1
+- MANAGE-2.4
+atlas_techniques:
+- AML.T0070
+- AML.T0066
+- AML.T0082
+nist_csf:
+- PR.IR-01
+- ID.AM-08
+- GV.SC-06
+- DE.CM-01
 ---

 # Building Cloud SIEM with Sentinel
@@ -1,12 +1,32 @@
 ---
 name: building-detection-rule-with-splunk-spl
-description: Build effective detection rules using Splunk Search Processing Language (SPL) correlation searches to identify security threats in SOC environments.
+description: Build effective detection rules using Splunk Search Processing Language (SPL) correlation searches to identify
+  security threats in SOC environments.
 domain: cybersecurity
 subdomain: soc-operations
-tags: [splunk, spl, detection-engineering, correlation-search, siem, soc, threat-detection, enterprise-security]
-version: "1.0"
+tags:
+- splunk
+- spl
+- detection-engineering
+- correlation-search
+- siem
+- soc
+- threat-detection
+- enterprise-security
+version: '1.0'
 author: mahipal
 license: Apache-2.0
+d3fend_techniques:
+- Executable Denylisting
+- Execution Isolation
+- File Metadata Consistency Validation
+- Content Format Conversion
+- File Content Analysis
+nist_csf:
+- DE.CM-01
+- DE.AE-02
+- RS.MA-01
+- DE.AE-06
 ---

 # Building Detection Rules with Splunk SPL
@@ -1,16 +1,36 @@
 ---
 name: building-detection-rules-with-sigma
-description: >
-  Builds vendor-agnostic detection rules using the Sigma rule format for threat detection across
-  SIEM platforms including Splunk, Elastic, and Microsoft Sentinel. Use when creating portable
-  detection logic from threat intelligence, mapping rules to MITRE ATT&CK techniques, or converting
-  community Sigma rules into platform-specific queries using sigmac or pySigma backends.
+description: 'Builds vendor-agnostic detection rules using the Sigma rule format for threat detection across SIEM platforms
+  including Splunk, Elastic, and Microsoft Sentinel. Use when creating portable detection logic from threat intelligence,
+  mapping rules to MITRE ATT&CK techniques, or converting community Sigma rules into platform-specific queries using sigmac
+  or pySigma backends.
+
+  '
 domain: cybersecurity
 subdomain: soc-operations
-tags: [soc, sigma, detection-rules, siem, mitre-attack, splunk, elastic, sentinel]
-version: "1.0"
+tags:
+- soc
+- sigma
+- detection-rules
+- siem
+- mitre-attack
+- splunk
+- elastic
+- sentinel
+version: '1.0'
 author: mahipal
 license: Apache-2.0
+d3fend_techniques:
+- Execution Isolation
+- Process Termination
+- Hardware-based Process Isolation
+- Web Session Access Mediation
+- Process Suspension
+nist_csf:
+- DE.CM-01
+- DE.AE-02
+- RS.MA-01
+- DE.AE-06
 ---
 # Building Detection Rules with Sigma

--- a/Show More
+++ b/Show More
Author	SHA1	Message	Date
mukul975	c0ab6cfccb	docs: update README for v1.2.0 — 5-framework coverage, 754 skills	2026-04-06 12:06:22 +02:00
mukul975	b4231b19e7	chore: auto-update index.json	2026-04-06 09:17:52 +00:00
mukul975	efca3ec611	feat: add NIST CSF 2.0 nist_csf field to all 754 cybersecurity skills Mapped every skill to NIST CSF 2.0 subcategory IDs (GV/ID/PR/DE/RS/RC functions) based on subdomain and content analysis. Restores 11 skills corrupted during prior rebase, re-enriching with ATLAS, D3FEND, NIST AI RMF, and CSF 2.0 fields. All 754 skills now carry structured mappings for all 5 security frameworks: - MITRE ATT&CK (in tags) - MITRE ATLAS v5.5 (atlas_techniques) - MITRE D3FEND v1.3 (d3fend_techniques) - NIST AI RMF 1.0 (nist_ai_rmf) - NIST CSF 2.0 (nist_csf)	2026-04-06 11:17:40 +02:00
mukul975	e8105a2f4d	chore: auto-update index.json	2026-04-05 23:56:33 +00:00
mukul975	ef27f026cb	feat: enrich 209 skills with MITRE ATLAS, D3FEND, and NIST AI RMF frontmatter Added structured security framework mappings to SKILL.md frontmatter across all applicable skills: - atlas_techniques: MITRE ATLAS v5.5 AML.TXXXX IDs (81 skills, AI-targeted attack techniques) - d3fend_techniques: MITRE D3FEND v1.3 defensive technique labels (139 skills, mapped from ATT&CK IDs) - nist_ai_rmf: NIST AI RMF 1.0 subcategory IDs (85 skills, AI risk management functions) Also updates ATTACK_COVERAGE.md with coverage statistics for all three frameworks.	2026-04-06 01:56:17 +02:00
mukul975	c15f73db46	chore: auto-update index.json	2026-04-03 06:56:09 +00:00
mukul975	6325c202c5	chore: auto-update index.json	2026-04-03 06:30:32 +00:00
Mahipal	1cf19ded90	Merge pull request #26 from juliosuas/add-mitre-attack-incident-response Add MITRE ATT&CK IDs to incident response skills (fixes #1)	2026-04-03 02:30:23 -04:00
Mahipal	a7f577b482	Add skill: performing-cloud-native-threat-hunting-with-aws-detective Add skill: performing-cloud-native-threat-hunting-with-aws-detective	2026-04-03 02:30:17 -04:00
Mahipal	e26a736cf7	ci: add workflow to auto-sync marketplace version on release	2026-03-31 14:46:36 +02:00
Mahipal	bb39fa73a9	Update marketplace version to v1.1.0	2026-03-31 14:41:58 +02:00
Mahipal	1cffd664f5	Remove Product Hunt badge from README Removed Product Hunt badge from README.	2026-03-28 17:51:39 +01:00
Mahipal	d7f205681a	Add Product Hunt badge to README Added a Product Hunt badge to promote the project.	2026-03-28 17:23:50 +01:00
mukul975	7283f02ba9	chore: auto-update index.json	2026-03-28 11:41:02 +00:00
mukul975	476a0880f4	Fix ESET AV false positive on AMSI bypass strings in skill docs	2026-03-28 12:40:53 +01:00
MAGI	a072845a3f	Fix review comments: correct AWS Detective API usage and forensic ordering - Fix FilterCriteria to use singular Severity/Status with Value objects instead of invalid plural Severities/Statuses arrays (SKILL.md + process.py) - Fix get_entity_history: rename to get_investigation_indicators, use investigation_id instead of entity_arn for InvestigationId parameter - Replace invalid inv-* placeholders with 21-digit numeric IDs - Fix Expected Output to match real API response structure (no embedded Indicators; document separate list-indicators call and indicator types) - Fix CLI --filter-criteria example to use correct format - Update process.py --severity to accept single value with validation - Add --max-results validation (1-100 range) - Add pagination via _collect_all_pages helper for all list API calls - Reorder Response Actions checklist: evidence preservation before containment - Reorder Phase 5 workflow: preserve evidence first when safe	2026-03-28 02:06:16 -06:00
MAGI	41b828e758	fix: add missing process.py implementation for aws-detective skill The process.py script was empty (0 bytes). Added a functional implementation that lists behavior graphs, retrieves investigations, queries indicators, and exports results — matching the pattern of other skills in the repository.	2026-03-28 02:06:16 -06:00
MAGI	2f6701d2d8	Add skill: performing-cloud-native-threat-hunting-with-aws-detective (fixes #6 )	2026-03-28 02:06:16 -06:00
mukul975	aff90acbf5	Trigger contributor recalculation	2026-03-28 02:06:16 -06:00
Julio César Suástegui	84b4699e59	fix: remove out-of-scope changes (cloud-waf tags, zero-trust description rewrite)	2026-03-28 02:06:00 -06:00
MAGI	c7ad5e7b98	Fix round 3: refine MITRE ATT&CK mappings per CodeRabbit review - osquery: replace broad IDs with concrete detections (T1049, T1620, T1053.003, T1548.001, T1552) - credential extraction: replace T1550 with T1552 (Unsecured Credentials) - persistence investigation: use sub-techniques (T1547.001, T1053.005, T1543.003, T1546.003)	2026-03-28 02:06:00 -06:00
MAGI	15d53bd09b	Fix MITRE ATT&CK mappings per CodeRabbit review: align techniques to skill content - analyzing-malware-persistence-with-autoruns: add persistence techniques T1547, T1053, T1543, T1546 - analyzing-memory-dumps-with-volatility: add memory forensics techniques T1055, T1003, T1059, T1620 - analyzing-persistence-mechanisms-in-linux: add Linux-specific sub-techniques T1053.003, T1543.002, T1574.006, T1546.004 - analyzing-windows-prefetch-with-python: add execution techniques T1059, T1204, T1036 - building-incident-response-dashboard: remove misaligned mitre_attack (dashboard is a visibility tool) - building-phishing-reporting-button-workflow: add phishing techniques T1566, T1204, T1534 - deobfuscating-powershell-obfuscated-malware: add PowerShell/obfuscation techniques T1059.001, T1027, T1140	2026-03-28 02:06:00 -06:00
MAGI	100361c3e5	Scope fix: remove mitre_attack from 24 non-incident-response skills, use sub-techniques - Removed mitre_attack from digital-forensics, cloud-security, malware-analysis, endpoint-security, threat-hunting, ransomware-defense, phishing-defense, and security-operations subdomain skills (out of PR scope per issue #1) - Applied sub-technique IDs where appropriate (T1566.001, T1003.001, etc.) - Only incident-response and soc-operations skills retain mappings	2026-03-28 02:06:00 -06:00
MAGI	42258456e8	Fix MITRE ATT&CK mappings per CodeRabbit review - Replace generic T1190/T1059/T1078 with context-specific techniques - Persistence: T1547, T1053, T1543, T1574 - Credentials: T1003, T1558, T1550 - Phishing: T1566, T1204, T1534 - Ransomware: T1486, T1490, T1489 - Cloud: T1078, T1537, T1580, T1098 - Remove mappings from out-of-scope subdomains (ot-ics, malware-analysis, digital-forensics)	2026-03-28 02:05:57 -06:00
MAGI	5e62a7ea2c	Add MITRE ATT&CK technique IDs to 60 incident-response skills (fixes #1 )	2026-03-28 02:05:53 -06:00
mukul975	0fbcbdf8dd	chore: auto-update index.json	2026-03-27 09:24:27 +00:00
Julio César Suástegui	97c213f9a4	Add skill: detecting-lateral-movement-with-zeek (fixes #5 ) (#29 )	2026-03-27 10:24:16 +01:00
mukul975	9314565dd9	docs: update release version from v1.0.0 to v1.1.0 in README	2026-03-23 19:17:24 +01:00
mukul975	c74a7547bb	docs: replace static contributors table with contrib.rocks auto-updating widget	2026-03-23 19:16:03 +01:00
mukul975	f4e791c06c	docs: remove fake contributor Systech2021-1952 from README	2026-03-23 19:14:33 +01:00
mukul975	577f795252	docs: update skill count to 753 and domain count to 38 across all files	2026-03-21 13:57:15 +01:00
mukul975	ac77250450	docs: use single name Mahipal in CITATION.cff	2026-03-21 13:38:37 +01:00
mukul975	57b684e4d6	docs: add CITATION.cff for academic and tool attribution	2026-03-21 13:37:55 +01:00
mukul975	3856835990	chore: auto-update index.json	2026-03-21 12:23:42 +00:00
mukul975	db3eaaeaf2	fix: add workflow_dispatch and self-trigger to update-index workflow	2026-03-21 13:23:34 +01:00
mukul975	7f60276fd9	fix: add missing import re in update-index workflow, bump version to 1.1.0	2026-03-21 13:21:55 +01:00