chore: auto-update index.json

Map all 754 skills to MITRE ATT&CK v19.1
- Add validated mitre_attack frontmatter to all 754 skills (286 distinct techniques), verified against MITRE ATT&CK v19.1 via the official mitreattack-python library: 0 revoked, deprecated, or invalid IDs - Curate precise per-skill technique IDs for forensics, malware-analysis, threat-intel, and red-team skills (e.g. DCSync -> T1003.006, Kerberoasting -> T1558.003, Pass-the-Ticket -> T1550.003) - Reconcile v19.1 tactic restructuring: Defense Evasion split into Stealth (TA0005) and Defense Impairment (TA0112); revoked T1562.* family and T1070.001/.002 remapped to active equivalents (T1685.*) - Normalize word-split tags across 35 skills (remove filename-derived stopword tags, add semantic cybersecurity tags) - Add api-reference.md for 3 skills that were missing it - Update README ATT&CK section with accurate v19.1 tactic distribution
2026-06-11 21:54:56 +03:00 · 2026-06-01 10:15:47 +00:00 · 2026-06-01 12:13:29 +02:00 · 2026-05-30 09:32:08 +00:00 · 2026-05-30 11:32:00 +02:00 · 2026-05-25 09:04:36 -04:00
760 changed files with 8452 additions and 2505 deletions
@@ -5,15 +5,15 @@
    "email": "mukuljangra5@gmail.com"
  },
  "metadata": {
-    "description": "753 cybersecurity skills for AI agents and security practitioners covering web security, pentesting, forensics, threat intelligence, cloud security, and more.",
+    "description": "754 cybersecurity skills for AI agents mapped to 5 frameworks: MITRE ATT&CK, NIST CSF 2.0, MITRE ATLAS, D3FEND, and NIST AI RMF.",
-    "version": "1.1.0"
+    "version": "1.2.0"
  },
  "plugins": [
    {
      "name": "cybersecurity-skills",
      "source": "./",
-      "descripyion": "753 cybersecurity skills covering web security, pentesting, DFIR, threat intelligence, cloud security, malware analysis, and more.",
+      "description": "754 cybersecurity skills covering web security, pentesting, DFIR, threat intelligence, cloud security, malware analysis, and more. Mapped to 5 frameworks.",
-      "version": "1.1.0",
+      "version": "1.2.0",
      "author": {
        "name": "mukul975"
      },
@@ -26,9 +26,7 @@ jobs:
        env:
          VERSION: ${{ steps.version.outputs.version }}
        run: |
-          jq --arg v "$VERSION" 
+          jq --arg v "$VERSION" '.metadata.version = $v | .plugins[].version = $v' .claude-plugin/marketplace.json > tmp.json
            '.metadata.version = $v | .plugins[].version = $v' 
            .claude-plugin/marketplace.json > tmp.json
          mv tmp.json .claude-plugin/marketplace.json
          echo "Updated marketplace.json to version $VERSION"
@@ -2,203 +2,208 @@
  <img src="assets/banner.png" alt="Anthropic Cybersecurity Skills" width="100%">
 </p>
-<p align="center">
+<div align="center">
  <a href="LICENSE"><img src="https://img.shields.io/badge/license-Apache%202.0-blue.svg" alt="License"></a>
  <a href="https://github.com/mukul975/Anthropic-Cybersecurity-Skills/stargazers"><img src="https://img.shields.io/github/stars/mukul975/Anthropic-Cybersecurity-Skills?style=social" alt="Stars"></a>
  <a href="#️-framework-coverage"><img src="https://img.shields.io/badge/frameworks-5%20mapped-brightgreen.svg" alt="Frameworks"></a>
  <a href="#️-whats-inside"><img src="https://img.shields.io/badge/skills-754-orange.svg" alt="Skills"></a>
  <a href="https://agentskills.io"><img src="https://img.shields.io/badge/standard-agentskills.io-purple.svg" alt="agentskills.io"></a>
  <a href="#-compatible-platforms"><img src="https://img.shields.io/badge/platforms-26%2B-blue.svg" alt="Platforms"></a>
 </p>
-<p align="center">
+#  Anthropic Cybersecurity Skills
  <strong>754 production-grade cybersecurity skills for AI agents — mapped to 5 industry frameworks</strong>
 </p>
-<p align="center">
+### The largest open-source cybersecurity skills library for AI agents
  <em>MITRE ATT&CK · NIST CSF 2.0 · MITRE ATLAS · MITRE D3FEND · NIST AI RMF</em>
 </p>
-> ⚠️ **Community Project** — This is an independent, community-created project. Not affiliated with Anthropic PBC.
+[![GARS-2026 Survey](https://img.shields.io/badge/GARS--2026-Take%20the%20Survey-E8B84B?style=for-the-badge&logo=googleforms&logoColor=black)](https://mahipal.engineer/survey?utm_source=github_badge&utm_medium=readme&utm_campaign=gars2026)
 [![License](https://img.shields.io/badge/License-Apache_2.0-blue.svg?style=flat-square)](LICENSE)
 [![Skills](https://img.shields.io/badge/skills-754-brightgreen?style=flat-square)](#whats-inside--26-security-domains)
 [![Frameworks](https://img.shields.io/badge/frameworks-5-orange?style=flat-square)](#five-frameworks-one-skill-library)
 [![Domains](https://img.shields.io/badge/domains-26-9cf?style=flat-square)](#whats-inside--26-security-domains)
 [![Platforms](https://img.shields.io/badge/platforms-26%2B-blueviolet?style=flat-square)](#compatible-platforms)
 [![GitHub stars](https://img.shields.io/github/stars/mukul975/Anthropic-Cybersecurity-Skills?style=flat-square)](https://github.com/mukul975/Anthropic-Cybersecurity-Skills/stargazers)
 [![GitHub forks](https://img.shields.io/github/forks/mukul975/Anthropic-Cybersecurity-Skills?style=flat-square)](https://github.com/mukul975/Anthropic-Cybersecurity-Skills/network/members)
 [![Last Commit](https://img.shields.io/github/last-commit/mukul975/Anthropic-Cybersecurity-Skills?style=flat-square)](https://github.com/mukul975/Anthropic-Cybersecurity-Skills/commits/main)
 [![agentskills.io](https://img.shields.io/badge/standard-agentskills.io-ff6600?style=flat-square)](https://agentskills.io)
 [![PRs Welcome](https://img.shields.io/badge/PRs-welcome-brightgreen.svg?style=flat-square)](CONTRIBUTING.md)
 [![Playground](https://img.shields.io/badge/Playground-Casky.ai-blue)](https://casky.ai/?utm_source=github&utm_medium=readme&utm_campaign=cohort_launch#waitlist)
 [![Hermes Agent](https://img.shields.io/badge/Hermes_Agent-compatible-blueviolet?style=flat)](https://github.com/NousResearch/hermes-agent)
 **754 production-grade cybersecurity skills · 26 security domains · 5 framework mappings · 26+ AI platforms**
 [Get Started](#quick-start) · [What's Inside](#whats-inside--26-security-domains) · [Frameworks](#five-frameworks-one-skill-library) · [Platforms](#compatible-platforms) · [Contributing](#contributing)
 </div>
 ---
-## Why this exists
+> ⚠️ **Community Project** — This is an independent, community-created project. Not affiliated with Anthropic PBC. 
-AI agents are transforming cybersecurity — but they lack structured domain knowledge. A junior analyst knows which Volatility3 plugin to run on a suspicious memory dump. Your AI agent doesn't — unless you give it the skills.
+## Give any AI agent the security skills of a senior analyst
-**Anthropic Cybersecurity Skills** gives every AI agent instant access to **754 production-grade cybersecurity skills** spanning 26 security domains. Each skill follows the [agentskills.io](https://agentskills.io) open standard: YAML frontmatter for lightning-fast discovery, structured Markdown for step-by-step execution, and reference files for deep technical context.
+A junior analyst knows which Volatility3 plugin to run on a suspicious memory dump, which Sigma rules catch Kerberoasting, and how to scope a cloud breach across three providers. **Your AI agent doesn't — unless you give it these skills.**
-**What makes v1.2.0 different from every other security skills repo:**
+This repo contains **754 structured cybersecurity skills** spanning **26 security domains**, each following the [agentskills.io](https://agentskills.io) open standard.  Every skill is mapped to **five industry frameworks** — MITRE ATT&CK, NIST CSF 2.0, MITRE ATLAS, MITRE D3FEND, and NIST AI RMF  — making this the only open-source skills library with unified cross-framework coverage.  Clone it, point your agent at it, and your next security investigation gets expert-level guidance in seconds.
- **5-framework mapping** — Every skill is mapped to MITRE ATT&CK, NIST CSF 2.0, MITRE ATLAS v5.5, MITRE D3FEND v1.3, and NIST AI RMF 1.0. No other open-source library does this.
+## Five frameworks, one skill library
 - **AI-native format** — Skills cost ~30 tokens to scan, provide full expert-level guidance when triggered, and work across 26+ AI agent platforms.
 - **Real practitioner knowledge** — Not generated summaries. Structured workflows that mirror how senior security professionals actually work.
-## 🚀 Quick start
+No other open-source skills library maps every skill to all five frameworks.  One skill, five compliance checkboxes. 
 | Framework | Version | Scope in this repo | What it maps |
 |---|---|---|---|
 | [MITRE ATT&CK](https://attack.mitre.org) | v19.1 | 15 tactics · 286 techniques | Adversary behaviors and TTPs |
 | [NIST CSF 2.0](https://www.nist.gov/cyberframework) | 2.0 | 6 functions · 22 categories | Organizational security posture |
 | [MITRE ATLAS](https://atlas.mitre.org) | v5.4 | 16 tactics · 84 techniques | AI/ML adversarial threats |
 | [MITRE D3FEND](https://d3fend.mitre.org) | v1.3 | 7 categories · 267 techniques | Defensive countermeasures |
 | [NIST AI RMF](https://airc.nist.gov/AI_RMF) | 1.0 | 4 functions · 72 subcategories | AI risk management |
 **Example — a single skill maps across all five:**
 | Skill | ATT&CK | NIST CSF | ATLAS | D3FEND | AI RMF |
 |---|---|---|---|---|---|
 | `analyzing-network-traffic-of-malware` | T1071 | DE.CM | AML.T0047 | D3-NTA | MEASURE-2.6 |
 ### MITRE ATT&CK v19.1 — 754/754 skills mapped
 Every skill carries a `mitre_attack` frontmatter list validated against **MITRE ATT&CK v19.1** (the latest release) using the official `mitreattack-python` library — 286 distinct techniques across all 15 Enterprise tactics, plus ICS and Mobile techniques where relevant. Zero revoked or deprecated IDs. v19.1's restructured Defense Evasion (now split into **Stealth** and **Defense Impairment**) is reflected below.
 | Tactic | ID | Skills |
 |--------|----|--------|
 | Reconnaissance | TA0043 | 103 |
 | Resource Development | TA0042 | 22 |
 | Initial Access | TA0001 | 467 |
 | Execution | TA0002 | 350 |
 | Persistence | TA0003 | 444 |
 | Privilege Escalation | TA0004 | 464 |
 | Stealth | TA0005 | 442 |
 | Defense Impairment | TA0112 | 92 |
 | Credential Access | TA0006 | 202 |
 | Discovery | TA0007 | 237 |
 | Lateral Movement | TA0008 | 68 |
 | Collection | TA0009 | 172 |
 | Command and Control | TA0011 | 123 |
 | Exfiltration | TA0010 | 82 |
 | Impact | TA0040 | 50 |
 ## Quick start
 ```bash
 # Option 1: npx (recommended)
 npx skills add mukul975/Anthropic-Cybersecurity-Skills
-# Option 2: Claude Code
+# Option 2: Git clone
 /plugin marketplace add mukul975/Anthropic-Cybersecurity-Skills
 # Option 3: Manual clone
 git clone https://github.com/mukul975/Anthropic-Cybersecurity-Skills.git
 cd Anthropic-Cybersecurity-Skills
 ```
-Works immediately with Claude Code, GitHub Copilot, OpenAI Codex CLI, Cursor, Gemini CLI, and any MCP-compatible agent.
+Works immediately with Claude Code, GitHub Copilot, OpenAI Codex CLI, Cursor, Gemini CLI, and any [agentskills.io](https://agentskills.io)-compatible platform. 
-## 📖 Table of contents
+## 🌍 GARS-2026 — Global Agentic AI Readiness Survey
- [🛡️ What's inside](#️-whats-inside)
+I'm running a global academic study measuring how ready security professionals,
- [🗺️ Framework coverage](#️-framework-coverage)
+developers, and enterprise teams actually are for agentic AI — MCP servers,
- [🤖 Compatible platforms](#-compatible-platforms)
+tool calling, governance, and human-in-the-loop workflows.
 - [📐 Skill structure](#-skill-structure)
 - [🧠 How AI agents use these skills](#-how-ai-agents-use-these-skills)
 - [📝 Example skills](#-example-skills)
 - [👥 Contributing](#-contributing)
 - [⭐ Star history](#-star-history)
 - [📄 License](#-license)
-## 🛡️ What's inside
+**If you use this repo, your response would be a genuinely valuable data point.**
-**754 skills across 26 security domains:**
+📋 **Take the survey (10 min):**
 [Survey Link](https://mahipal.engineer/survey?utm_source=github_repo&utm_medium=readme&utm_campaign=gars2026)
-| Domain | Skills | Example capabilities |
+- 60 questions · Anonymous · Supervised by SRH Berlin
-|--------|--------|---------------------|
+- You get **50 Casky Tokens** for early access to [casky.ai](https://casky.ai)
-| ☁️ Cloud Security | 60 | AWS S3 bucket audit, Azure AD config review, GCP IAM assessment |
+- Results published open access under CC-BY 4.0
 | 🔍 Threat Hunting | 55 | C2 beaconing detection, DNS tunneling analysis, living-off-the-land |
 | 📡 Threat Intelligence | 50 | APT group analysis with MITRE Navigator, campaign attribution, IOC enrichment |
 | 🌐 Web Application Security | 42 | HTTP request smuggling, XSS with Burp Suite, web cache poisoning |
 | 🔌 Network Security | 40 | Wireshark traffic analysis, VLAN segmentation, Suricata IDS tuning |
 | 🦠 Malware Analysis | 39 | Ghidra reverse engineering, YARA rules, .NET decompilation |
 | 🔎 Digital Forensics | 37 | Disk imaging with dd/dcfldd, Volatility3 memory forensics, browser artifacts |
 | 📊 Security Operations | 36 | SIEM correlation rules, alert triage workflows, SOC playbooks |
 | 🔑 IAM Security | 35 | SAML SSO with Okta, PAM deployment, service account hardening |
 | 🖥️ SOC Operations | 33 | Tier 1-3 escalation procedures, incident classification, metrics tracking |
 | ☸️ Container Security | 30 | Kubernetes RBAC audit, pod security policies, etcd encryption |
 | 🏭 OT/ICS Security | 28 | SCADA monitoring, Modbus anomaly detection, Purdue model enforcement |
 | 🔗 API Security | 28 | OAuth2 flow analysis, rate limiting, API gateway hardening |
 | 🎯 Vulnerability Management | 25 | Nessus scanning, CVSS scoring, risk-based prioritization |
 | 🚨 Incident Response | 25 | Containment procedures, evidence preservation, post-incident review |
 | 🔴 Red Teaming | 24 | Cobalt Strike operations, LOTL techniques, evasion & persistence |
 | 🎯 Penetration Testing | 23 | Active Directory exploitation, OSCP-style methodology, pivoting |
 | 💻 Endpoint Security | 17 | EDR deployment, host-based detection, anti-tamper configuration |
 | 🔧 DevSecOps | 17 | Pipeline security gates, SAST/DAST integration, IaC scanning |
 | 🎣 Phishing Defense | 16 | Email header analysis, phishing simulation, DMARC/DKIM/SPF |
 | 🕵️ OSINT | 15 | Domain reconnaissance, social engineering recon, dark web monitoring |
 | 🔐 Cryptography | 14 | TLS configuration audit, certificate lifecycle, key management |
 | 🏰 Zero Trust | 13 | Microsegmentation, BeyondCorp implementation, continuous verification |
 | 📱 Mobile Security | 12 | APK analysis with APKTool, iOS forensics, MDM bypass detection |
 | 🛡️ Ransomware Defense | 7 | Backup validation, recovery procedures, negotiation awareness |
 | 🪤 Deception Technology | 5 | Honeypot deployment, honey tokens, decoy credential monitoring |
 | **TOTAL** | **754** | |
-## 🗺️ Framework coverage
+## 🚀 Try it on the Playground
-v1.2.0 maps every skill to **5 industry-standard frameworks** — a first for any open-source cybersecurity skills library.
+Experience Casky.ai hands-on — no setup required.
-### MITRE ATT&CK Enterprise — 754/754 skills mapped
+**[→ Launch Playground on Casky.ai](https://casky.ai/?utm_source=github&utm_medium=readme&utm_campaign=cohort_launch#waitlist)**
-All 14 Enterprise tactics covered with 200+ technique mappings:
+The playground lets you:
 - Run live cybersecurity skill exercises against real targets
 - See AI agents execute structured skills in real time
 - Explore MITRE ATT&CK mapped workflows interactively
 - Test threat hunting, DFIR, and penetration testing scenarios
-| Tactic | ID | Skills |
+No installation. No configuration. Just open and start.
-|--------|----|--------|
+## Why this exists
 | Reconnaissance | TA0043 | 45+ |
 | Resource Development | TA0042 | 30+ |
 | Initial Access | TA0001 | 55+ |
 | Execution | TA0002 | 60+ |
 | Persistence | TA0003 | 50+ |
 | Privilege Escalation | TA0004 | 55+ |
 | Defense Evasion | TA0005 | 65+ |
 | Credential Access | TA0006 | 45+ |
 | Discovery | TA0007 | 50+ |
 | Lateral Movement | TA0008 | 40+ |
 | Collection | TA0009 | 35+ |
 | Command and Control | TA0011 | 40+ |
 | Exfiltration | TA0010 | 30+ |
 | Impact | TA0040 | 35+ |
-### NIST CSF 2.0 — 754/754 skills aligned
+The cybersecurity workforce gap hit **4.8 million unfilled roles** globally in 2024 (ISC2). AI agents can help close that gap — but only if they have structured domain knowledge to work from. Today's agents can write code and search the web, but they lack the practitioner playbooks that turn a generic LLM into a capable security analyst.
-| Function | Skills | Coverage areas |
+Existing security tool repos give you wordlists, payloads, or exploit code. None of them give an AI agent the structured decision-making workflow a senior analyst follows: when to use each technique, what prerequisites to check, how to execute step-by-step, and how to verify results. That is the gap this project fills.
 |----------|--------|---------------|
 | Govern (GV) | 80+ | Policy, risk strategy, supply chain oversight |
 | Identify (ID) | 120+ | Asset management, risk assessment, improvement |
 | Protect (PR) | 150+ | Access control, awareness, data security, platform security |
 | Detect (DE) | 200+ | Continuous monitoring, adverse event analysis |
 | Respond (RS) | 160+ | Incident management, analysis, mitigation, reporting |
 | Recover (RC) | 44+ | Recovery planning, execution, communication |
-### 🆕 MITRE ATLAS v5.5 — 81 skills (NEW in v1.2.0)
+**Anthropic Cybersecurity Skills** is not a collection of scripts or checklists. It is an **AI-native knowledge base** built from the ground up for the agentskills.io standard  — YAML frontmatter for sub-second discovery, structured Markdown for step-by-step execution, and reference files for deep technical context.  Every skill encodes real practitioner workflows, not generated summaries. 
-AI-specific adversarial threat coverage including:
+## What's inside — 26 security domains
 - ML model poisoning and evasion techniques
 - AI supply chain compromise scenarios
 - LLM prompt injection defense workflows
 - AI agent tool abuse detection
 - Agentic AI escape-to-host prevention
-### 🆕 MITRE D3FEND v1.3 — 139 skills (NEW in v1.2.0)
+| Domain | Skills | Key capabilities |
 |---|---|---|
 | Cloud Security | 60 | AWS, Azure, GCP hardening · CSPM · cloud forensics |
 | Threat Hunting | 55 | Hypothesis-driven hunts · LOTL detection · behavioral analytics |
 | Threat Intelligence | 50 | STIX/TAXII · MISP · feed integration · actor profiling |
 | Web Application Security | 42 | OWASP Top 10 · SQLi · XSS · SSRF · deserialization |
 | Network Security | 40 | IDS/IPS · firewall rules · VLAN segmentation · traffic analysis |
 | Malware Analysis | 39 | Static/dynamic analysis · reverse engineering · sandboxing |
 | Digital Forensics | 37 | Disk imaging · memory forensics · timeline reconstruction |
 | Security Operations | 36 | SIEM correlation · log analysis · alert triage |
 | Identity & Access Management | 35 | IAM policies · PAM · zero trust identity · Okta · SailPoint |
 | SOC Operations | 33 | Playbooks · escalation workflows · metrics · tabletop exercises |
 | Container Security | 30 | K8s RBAC · image scanning · Falco · container forensics |
 | OT/ICS Security | 28 | Modbus · DNP3 · IEC 62443 · historian defense · SCADA |
 | API Security | 28 | GraphQL · REST · OWASP API Top 10 · WAF bypass |
 | Vulnerability Management | 25 | Nessus · scanning workflows · patch prioritization · CVSS |
 | Incident Response | 25 | Breach containment · ransomware response · IR playbooks |
 | Red Teaming | 24 | Full-scope engagements · AD attacks · phishing simulation |
 | Penetration Testing | 23 | Network · web · cloud · mobile · wireless pentesting |
 | Endpoint Security | 17 | EDR · LOTL detection · fileless malware · persistence hunting |
 | DevSecOps | 17 | CI/CD security · code signing · Terraform auditing |
 | Phishing Defense | 16 | Email authentication · BEC detection · phishing IR |
 | Cryptography | 14 | TLS · Ed25519 · certificate transparency · key management |
 | Zero Trust Architecture | 13 | BeyondCorp · CISA maturity model · microsegmentation |
 | Mobile Security | 12 | Android/iOS analysis · mobile pentesting · MDM forensics |
 | Ransomware Defense | 7 | Precursor detection · response · recovery · encryption analysis |
 | Compliance & Governance | 5 | CIS benchmarks · SOC 2 · regulatory frameworks |
 | Deception Technology | 2 | Honeytokens · breach detection canaries |
-Defensive technique mappings across all 7 D3FEND tactics:
+## How AI agents use these skills
 - **Model** (27 techniques) — Threat modeling, attack surface analysis
 - **Harden** (51 techniques) — System hardening, configuration management
 - **Detect** (90 techniques) — Monitoring, anomaly detection, behavioral analysis
 - **Isolate** (57 techniques) — Segmentation, sandboxing, containment
 - **Deceive** (11 techniques) — Honeypots, decoys, misdirection
 - **Evict** (19 techniques) — Threat removal, credential rotation
 - **Restore** (12 techniques) — Backup, recovery, resilience
-### 🆕 NIST AI RMF 1.0 — 85 skills (NEW in v1.2.0)
+Each skill costs **~30 tokens to scan** (frontmatter only)  and **500–2,000 tokens to fully load** (complete workflow). This progressive disclosure architecture lets agents search all 754 skills in a single pass without blowing context windows. 
-AI risk management coverage aligned with the four core functions:
+```
- **Govern** — AI governance, accountability, organizational policies
+User prompt: "Analyze this memory dump for signs of credential theft"
 - **Map** — AI system context, risk identification, stakeholder analysis
 - **Measure** — AI risk metrics, testing, validation
 - **Manage** — AI risk treatment, monitoring, continuous improvement
-> 💡 **Why 5 frameworks matter:** Organizations face overlapping compliance requirements. A single skill like "analyzing-network-traffic-of-malware" maps to ATT&CK T1071 (Application Layer Protocol), NIST CSF DE.CM (Continuous Monitoring), ATLAS AML.T0047 (Evade ML Model), D3FEND D3-NTA (Network Traffic Analysis), and AI RMF MEASURE 2.6 (AI system monitoring). One skill, five compliance checkboxes.
+Agent's internal process:
-## 🤖 Compatible platforms
+  1. Scans 754 skill frontmatters (~30 tokens each)
     → identifies 12 relevant skills by matching tags, description, domain
-**AI code assistants:**
+  2. Loads top 3 matches:
-Claude Code (Anthropic) · GitHub Copilot (Microsoft) · Cursor · Windsurf · Cline · Aider · Continue · Roo Code · Amazon Q Developer · Tabnine · Sourcegraph Cody · JetBrains AI
+     • performing-memory-forensics-with-volatility3
     • hunting-for-credential-dumping-lsass
     • analyzing-windows-event-logs-for-credential-access
-**CLI agents:**
+  3. Executes the structured Workflow section step-by-step
-OpenAI Codex CLI · Gemini CLI (Google)
+     → runs Volatility3 plugins, checks LSASS access patterns,
        correlates with event log evidence
-**Autonomous agents:**
+  4. Validates results using the Verification section
-Devin · Replit Agent · SWE-agent · OpenHands
+     → confirms IOCs, maps findings to ATT&CK T1003 (Credential Dumping)
 ```
-**Agent frameworks & SDKs:**
+**Without these skills**, the agent guesses at tool commands and misses critical steps. **With them**, it follows the same playbook a senior DFIR analyst would use. 
 LangChain · CrewAI · AutoGen · Semantic Kernel · Haystack · Vercel AI SDK · Any MCP-compatible agent
-## 📐 Skill structure
+## Skill anatomy
-Every skill follows the [agentskills.io](https://agentskills.io) open standard:
+Every skill follows a consistent directory structure:
 ```
 skills/performing-memory-forensics-with-volatility3/
-├── SKILL.md              # Skill definition (YAML frontmatter + Markdown body)
+├── SKILL.md              ← Skill definition (YAML frontmatter + Markdown body)
 │   ├── Frontmatter       #   → name, description, domain, tags, frameworks
 │   ├── When to Use       #   → Trigger conditions for AI agents
 │   ├── Prerequisites     #   → Required tools, access, environment
 │   ├── Workflow          #   → Step-by-step execution guide
 │   └── Verification      #   → How to confirm success
 ├── references/
-│   ├── standards.md      # MITRE ATT&CK, ATLAS, D3FEND, NIST mappings
+│   ├── standards.md      ← MITRE ATT&CK, ATLAS, D3FEND, NIST mappings
-│   └── workflows.md      # Deep technical procedure reference
+│   └── workflows.md      ← Deep technical procedure reference
 ├── scripts/
-│   └── process.py        # Practitioner helper scripts
+│   └── process.py        ← Working helper scripts
 └── assets/
-    └── template.md       # Checklists, report templates
+    └── template.md       ← Filled-in checklists and report templates
 ```
-**YAML frontmatter example:**
+
 ### YAML frontmatter (real example)
 ```yaml
 ---
@@ -219,93 +224,189 @@ license: Apache-2.0
 ---
 ```
 ### Progressive disclosure — why 754 skills don't slow your agent down
-| Stage | Token cost | When |
+### Markdown body sections
 |-------|-----------|------|
 | Discovery scan | ~30 tokens | Always — agent reads YAML frontmatter |
 | Full skill load | 500–2000 tokens | Only when skill matches the task |
 | Deep reference pull | 1000–5000 tokens | Only when agent needs technical depth |
-Irrelevant skills cost virtually nothing. Relevant skills provide complete expert-level guidance.
+```markdown
 ## When to Use
 Trigger conditions — when should an AI agent activate this skill?
-## 🧠 How AI agents use these skills
+## Prerequisites
 Required tools, access levels, and environment setup.
-```
+## Workflow
-User prompt: "Analyze this memory dump for signs of credential theft"
+Step-by-step execution guide with specific commands and decision points.
-Agent's internal process:
+## Verification
-1. Scans 754 skill frontmatters (~30 tokens each) → finds 12 relevant skills
+How to confirm the skill was executed successfully.
 2. Loads top matches:
   - performing-memory-forensics-with-volatility3
   - hunting-for-credential-dumping-lsass
   - analyzing-windows-event-logs-for-credential-access
 3. Follows structured workflow from SKILL.md
 4. References ATT&CK T1003 (Credential Dumping) mapping
 5. Maps findings to D3FEND D3-PSMD (Process Self-Modification Detection)
 6. Outputs structured findings with framework references
 ```
-## 📝 Example skills
+Frontmatter fields: `name` (kebab-case, 1–64 chars), `description` (keyword-rich for agent discovery), `domain`, `subdomain`, `tags`,  `atlas_techniques` (MITRE ATLAS IDs), `d3fend_techniques` (MITRE D3FEND IDs), `nist_ai_rmf` (NIST AI RMF references), `nist_csf` (NIST CSF 2.0 categories).  MITRE ATT&CK technique mappings are documented in each skill's `references/standards.md` file and in the ATT&CK Navigator layer included with releases. 
 <details>
-<summary><strong>🔍 Hunting for C2 beaconing</strong></summary>
+<summary><strong>📊 MITRE ATT&CK Enterprise coverage — all 14 tactics</strong></summary>
-**Domain:** Threat Hunting · **ATT&CK:** T1071, T1573 · **D3FEND:** D3-NTA · **CSF:** DE.CM-01
+&nbsp;
-Identifies command-and-control communication patterns in network traffic using beacon interval analysis, JA3/JA3S fingerprinting, and DNS request frequency modeling. Includes Zeek scripts for automated detection and SIEM correlation rules.
+| Tactic | ID | Coverage | Key skills |
 |---|---|---|---|
 | Reconnaissance | TA0043 | Strong | OSINT, subdomain enumeration, DNS recon |
 | Resource Development | TA0042 | Moderate | Phishing infrastructure, C2 setup detection |
 | Initial Access | TA0001 | Strong | Phishing simulation, exploit detection, forced browsing |
 | Execution | TA0002 | Strong | PowerShell analysis, fileless malware, script block logging |
 | Persistence | TA0003 | Strong | Scheduled tasks, registry, service accounts, LOTL |
 | Privilege Escalation | TA0004 | Strong | Kerberoasting, AD attacks, cloud privilege escalation |
 | Defense Evasion | TA0005 | Strong | Obfuscation, rootkit analysis, evasion detection |
 | Credential Access | TA0006 | Strong | Mimikatz detection, pass-the-hash, credential dumping |
 | Discovery | TA0007 | Moderate | BloodHound, AD enumeration, network scanning |
 | Lateral Movement | TA0008 | Strong | SMB exploits, lateral movement detection with Splunk |
 | Collection | TA0009 | Moderate | Email forensics, data staging detection |
 | Command and Control | TA0011 | Strong | C2 beaconing, DNS tunneling, Cobalt Strike analysis |
 | Exfiltration | TA0010 | Strong | DNS exfiltration, DLP controls, data loss detection |
 | Impact | TA0040 | Strong | Ransomware defense, encryption analysis, recovery |
 An **ATT&CK Navigator layer file** is included in the [v1.0.0 release assets](https://github.com/mukul975/Anthropic-Cybersecurity-Skills/releases/tag/v1.0.0) for visual coverage mapping. 
 > **Note:** ATT&CK v19 lands April 28, 2026 — splitting Defense Evasion (TA0005) into two new tactics: *Stealth* and *Impair Defenses*.  Skill mappings will be updated in a forthcoming release.
 </details>
 <details>
-<summary><strong>🦠 Reverse engineering .NET malware with dnSpy</strong></summary>
+<summary><strong>📊 NIST CSF 2.0 alignment — all 6 functions</strong></summary>
-**Domain:** Malware Analysis · **ATT&CK:** T1027, T1059.001 · **ATLAS:** AML.T0016 · **CSF:** DE.AE-02
+&nbsp;
-Step-by-step decompilation workflow for .NET executables including de-obfuscation techniques, string decryption, C2 extraction, and behavioral analysis. Includes YARA rule templates for family classification.
+| Function | Skills | Examples |
 |---|---|---|
 | **Govern (GV)** | 30+ | Risk strategy, policy frameworks, roles & responsibilities |
 | **Identify (ID)** | 120+ | Asset discovery, threat landscape assessment, risk analysis |
 | **Protect (PR)** | 150+ | IAM hardening, WAF rules, zero trust, encryption |
 | **Detect (DE)** | 200+ | Threat hunting, SIEM correlation, anomaly detection |
 | **Respond (RS)** | 160+ | Incident response, forensics, breach containment |
 | **Recover (RC)** | 40+ | Ransomware recovery, BCP, disaster recovery |
 NIST CSF 2.0 (February 2024) added the **Govern** function  and expanded scope from critical infrastructure to all organizations.  Skill mappings align to all 22 categories and reference 106 subcategories. 
 </details>
 <details>
-<summary><strong>☸️ Auditing Kubernetes RBAC configurations</strong></summary>
+<summary><strong>📊 Framework deep dive — ATLAS, D3FEND, AI RMF</strong></summary>
-**Domain:** Container Security · **ATT&CK:** T1078.004 · **D3FEND:** D3-ACL · **CSF:** PR.AA-01 · **AI RMF:** GOVERN-1.2
+&nbsp;
-Systematic review of ClusterRoles, RoleBindings, and ServiceAccounts to identify overprivileged workloads, lateral movement paths, and secrets exposure. Includes kubectl audit scripts and remediation playbooks.
+### MITRE ATLAS v5.4 — AI/ML adversarial threats
 ATLAS maps adversarial tactics, techniques, and case studies specific to AI and machine learning systems. Version 5.4 covers **16 tactics and 84 techniques** including agentic AI attack vectors added in late 2025: AI agent context poisoning, tool invocation abuse, MCP server compromises, and malicious agent deployment.  Skills mapped to ATLAS help agents identify and defend against threats to ML pipelines, model weights, inference APIs, and autonomous workflows. 
 ### MITRE D3FEND v1.3 — Defensive countermeasures
 D3FEND is an NSA-funded knowledge graph of **267 defensive techniques** organized across 7 tactical categories: Model, Harden, Detect, Isolate, Deceive, Evict, and Restore.  Built on OWL 2 ontology, it uses a shared Digital Artifact layer to bidirectionally map defensive countermeasures to ATT&CK offensive techniques.  Skills tagged with D3FEND identifiers let agents recommend specific countermeasures for detected threats.
 ### NIST AI RMF 1.0 + GenAI Profile (AI 600-1)
 The AI Risk Management Framework defines 4 core functions — Govern, Map, Measure, Manage — with **72 subcategories** for trustworthy AI development.  The GenAI Profile (AI 600-1, July 2024) adds **12 risk categories** specific to generative AI, from confabulation and data privacy to prompt injection and supply chain risks.  Colorado's AI Act (effective February 2026) provides a **legal safe harbor** for organizations complying with NIST AI RMF, making these mappings directly relevant to regulatory compliance.
 </details>
-## 👥 Contributing
+## Compatible platforms
-We welcome contributions! See [CONTRIBUTING.md](CONTRIBUTING.md) for guidelines.
+**AI code assistants**
 Claude Code (Anthropic) · GitHub Copilot (Microsoft) · Cursor · Windsurf · Cline · Aider · Continue · Roo Code · Amazon Q Developer · Tabnine · Sourcegraph Cody · JetBrains AI 
-**Ways to contribute:**
+**CLI agents**
- 🆕 Add new skills using the [New Skill template](https://github.com/mukul975/Anthropic-Cybersecurity-Skills/issues/new?template=new-skill.yml)
+OpenAI Codex CLI · Gemini CLI (Google) 
 - 🐛 Report issues with the [Bug Report template](https://github.com/mukul975/Anthropic-Cybersecurity-Skills/issues/new?template=bug-report.yml)
 - 💡 Request features via [Feature Request](https://github.com/mukul975/Anthropic-Cybersecurity-Skills/issues/new?template=feature-request.yml)
 - 📝 Improve documentation or fix typos
 - 🗺️ Add framework mappings to existing skills
-Every PR gets reviewed for technical accuracy and consistency with the agentskills.io standard. We aim to review within 48 hours.
+**Autonomous agents**
 Devin · Replit Agent · SWE-agent · OpenHands 
-## ⭐ Star history
+**Agent frameworks & SDKs**
 LangChain · CrewAI · AutoGen · Semantic Kernel · Haystack · Vercel AI SDK · Any MCP-compatible agent 
-[![Star History Chart](https://api.star-history.com/svg?repos=mukul975/Anthropic-Cybersecurity-Skills&type=Date)](https://star-history.com/#mukul975/Anthropic-Cybersecurity-Skills&Date)
+All platforms that support the [agentskills.io](https://agentskills.io) standard can load these skills with zero configuration. 
-## 🌐 Community
+## What people are saying
- 📋 Listed on [SkillsLLM](https://skillsllm.com/skill/anthropic-cybersecurity-skills)
+> *"A database of real, organized security skills that any AI agent can plug into and use. Not tutorials. Not blog posts."* 
- 📚 Featured in [awesome-agent-skills](https://github.com/VoltAgent/awesome-agent-skills)
+> — **[Hasan Toor (@hasantoxr)](https://x.com/hasantoxr/status/2033193922349179249)**, AI/tech creator
 - 🔒 Featured in [awesome-ai-security](https://github.com/ottosulin/awesome-ai-security)
 - 🖥️ Featured in [awesome-codex-cli](https://github.com/RoggeOhta/awesome-codex-cli)
 - 📖 [Complete guide on Medium](https://fazal-sec.medium.com/claude-skills-ai-powered-cybersecurity-the-complete-guide-to-building-intelligent-security-7bb7e9d14c8e)
-## 📄 License
+> *"This is not a random collection of security scripts. It's a structured operational knowledge base designed for AI-driven security workflows."* 
 > — **[fazal-sec](https://fazal-sec.medium.com/claude-skills-ai-powered-cybersecurity-the-complete-guide-to-building-intelligent-security-7bb7e9d14c8e)**,  Medium
-Apache License 2.0 — free for commercial and personal use. See [LICENSE](LICENSE) for details.
+## Featured in
 | Where | Type | Link |
 |---|---|---|
 | **awesome-agent-skills** | Awesome List (1,000+ skills index) | [VoltAgent/awesome-agent-skills](https://github.com/VoltAgent/awesome-agent-skills) |
 | **awesome-ai-security** | Awesome List (AI security tools) | [ottosulin/awesome-ai-security](https://github.com/ottosulin/awesome-ai-security) |
 | **awesome-codex-cli** | Awesome List (Codex CLI resources) | [RoggeOhta/awesome-codex-cli](https://github.com/RoggeOhta/awesome-codex-cli) |
 | **SkillsLLM** | Skills directory & marketplace | [skillsllm.com/skill/anthropic-cybersecurity-skills](https://skillsllm.com/skill/anthropic-cybersecurity-skills) |
 | **Openflows** | Signal analysis & tracking | [openflows.org](https://openflows.org/currency/currents/anthropic-cybersecurity-skills/) |
 | **NeverSight skills_feed** | Automated skills index | [NeverSight/skills_feed](https://github.com/NeverSight/skills_feed) |
 ## Star history
 <a href="https://star-history.com/#mukul975/Anthropic-Cybersecurity-Skills&Date">
 <picture>
   <source media="(prefers-color-scheme: dark)" srcset="https://api.star-history.com/svg?repos=mukul975/Anthropic-Cybersecurity-Skills&type=Date&theme=dark" />
   <source media="(prefers-color-scheme: light)" srcset="https://api.star-history.com/svg?repos=mukul975/Anthropic-Cybersecurity-Skills&type=Date" />
   <img alt="Star History Chart" src="https://api.star-history.com/svg?repos=mukul975/Anthropic-Cybersecurity-Skills&type=Date" width="100%" />
 </picture>
 </a>
 ## Releases
 | Version | Date | Highlights |
 |---|---|---|
 | [v1.0.0](https://github.com/mukul975/Anthropic-Cybersecurity-Skills/releases/tag/v1.0.0) | March 11, 2026 | 734 skills · 26 domains · MITRE ATT&CK + NIST CSF 2.0 mapping · ATT&CK Navigator layer |
 Skills have continued to grow on `main` since v1.0.0 — the library now contains **754 skills** with **5-framework mapping**  (MITRE ATLAS, D3FEND, and NIST AI RMF added post-release).  Check [Releases](https://github.com/mukul975/Anthropic-Cybersecurity-Skills/releases) for the latest tagged version.
 ## Contributing
 This project grows through community contributions. Here is how to get involved:
 **Add a new skill** — Domains like Deception Technology (2 skills) and Compliance & Governance (5 skills) need the most help. Follow the template in [CONTRIBUTING.md](CONTRIBUTING.md) and submit a PR with the title `Add skill: your-skill-name`.
 **Improve existing skills** — Add framework mappings, fix workflows, update tool references, or contribute scripts and templates.
 **Report issues** — Found an inaccurate procedure or broken script? [Open an issue](https://github.com/mukul975/Anthropic-Cybersecurity-Skills/issues).
 Every PR is reviewed for technical accuracy and agentskills.io standard compliance within 48 hours.  Check [good first issues](https://github.com/mukul975/Anthropic-Cybersecurity-Skills/issues?q=is%3Aissue+is%3Aopen+label%3A%22good+first+issue%22) for a starting point.
 This project follows the [Contributor Covenant](https://www.contributor-covenant.org/). By participating, you agree to uphold this code. 
 ## Community
 💬 [Discussions](https://github.com/mukul975/Anthropic-Cybersecurity-Skills/discussions) — Questions, ideas, and roadmap conversations
 🐛 [Issues](https://github.com/mukul975/Anthropic-Cybersecurity-Skills/issues) — Bug reports and feature requests
 🔒 [Security Policy](SECURITY.md) — Responsible disclosure process (48-hour acknowledgment) 
 ## Citation
 If you use this project in research or publications:
 ```bibtex
@software{anthropic_cybersecurity_skills,
  author       = {Jangra, Mahipal},
  title        = {Anthropic Cybersecurity Skills},
  year         = {2026},
  url          = {https://github.com/mukul975/Anthropic-Cybersecurity-Skills},
  license      = {Apache-2.0},
  note         = {754 structured cybersecurity skills for AI agents,
                  mapped to MITRE ATT\&CK, NIST CSF 2.0, MITRE ATLAS,
                  MITRE D3FEND, and NIST AI RMF}
 }
 ```
 ## License
 This project is licensed under the [Apache License 2.0](LICENSE). You are free to use, modify, and distribute these skills in both personal and commercial projects. 
 ---
-<p align="center">
+<div align="center">
-  <strong>If these skills help your AI agent defend better, consider giving this repo a ⭐</strong>
+
-</p>
+**If this project helps your security work, consider giving it a ⭐**
 [⭐ Star](https://github.com/mukul975/Anthropic-Cybersecurity-Skills/stargazers) · [🍴 Fork](https://github.com/mukul975/Anthropic-Cybersecurity-Skills/fork) · [💬 Discuss](https://github.com/mukul975/Anthropic-Cybersecurity-Skills/discussions) · [📝 Contribute](CONTRIBUTING.md)
 Community project by [@mukul975](https://github.com/mukul975). Not affiliated with Anthropic PBC.
 </div>
@@ -1,7 +1,7 @@
 ---
 name: acquiring-disk-image-with-dd-and-dcfldd
-description: Create forensically sound bit-for-bit disk images using dd and dcfldd while preserving evidence integrity through
+description: Create forensically sound bit-for-bit disk images using dd and dcfldd
-  hash verification.
+  while preserving evidence integrity through hash verification.
 domain: cybersecurity
 subdomain: digital-forensics
 tags:
@@ -19,6 +19,11 @@ nist_csf:
 - RS.AN-03
 - DE.AE-02
 - RS.MA-01
 mitre_attack:
 - T1006
 - T1005
 - T1025
 - T1074.001
 ---
 # Acquiring Disk Image with dd and dcfldd
@@ -1,7 +1,7 @@
 ---
 name: analyzing-active-directory-acl-abuse
-description: Detect dangerous ACL misconfigurations in Active Directory using ldap3 to identify GenericAll, WriteDACL, and
+description: Detect dangerous ACL misconfigurations in Active Directory using ldap3
-  WriteOwner abuse paths
+  to identify GenericAll, WriteDACL, and WriteOwner abuse paths
 domain: cybersecurity
 subdomain: identity-security
 tags:
@@ -16,6 +16,12 @@ nist_csf:
 - PR.AA-01
 - PR.AA-05
 - PR.AA-06
 mitre_attack:
 - T1098
 - T1098.007
 - T1484.001
 - T1222.001
 - T1078.002
 ---
@@ -1,7 +1,8 @@
 ---
 name: analyzing-android-malware-with-apktool
-description: Perform static analysis of Android APK malware samples using apktool for decompilation, jadx for Java source
+description: Perform static analysis of Android APK malware samples using apktool
-  recovery, and androguard for permission analysis, manifest inspection, and suspicious API call detection.
+  for decompilation, jadx for Java source recovery, and androguard for permission
  analysis, manifest inspection, and suspicious API call detection.
 domain: cybersecurity
 subdomain: malware-analysis
 tags:
@@ -21,6 +22,12 @@ nist_csf:
 - RS.AN-03
 - ID.RA-01
 - DE.CM-01
 mitre_attack:
 - T1406
 - T1407
 - T1626.001
 - T1655.001
 - T1521.001
 ---
 # Analyzing Android Malware with Apktool
@@ -1,17 +1,22 @@
 ---
 name: analyzing-api-gateway-access-logs
-description: 'Parses API Gateway access logs (AWS API Gateway, Kong, Nginx) to detect BOLA/IDOR attacks, rate limit bypass,
+description: 'Parses API Gateway access logs (AWS API Gateway, Kong, Nginx) to detect
-  credential scanning, and injection attempts. Uses pandas for statistical analysis of request patterns and anomaly detection.
+  BOLA/IDOR attacks, rate limit bypass, credential scanning, and injection attempts.
  Uses pandas for statistical analysis of request patterns and anomaly detection.
  Use when investigating API abuse or building API-specific threat detection rules.
  '
 domain: cybersecurity
 subdomain: security-operations
 tags:
- analyzing
+- api-security
- api
+- access-log-analysis
- gateway
+- aws-api-gateway
- access
+- kong
 - nginx
 - bola-detection
 - rate-limit-bypass
 - security-operations
 version: '1.0'
 author: mahipal
 license: Apache-2.0
@@ -20,6 +25,11 @@ nist_csf:
 - RS.MA-01
 - GV.OV-01
 - DE.AE-02
 mitre_attack:
 - T1190
 - T1110.004
 - T1078.004
 - T1119
 ---
 # Analyzing API Gateway Access Logs
@@ -1,7 +1,8 @@
 ---
 name: analyzing-apt-group-with-mitre-navigator
-description: Analyze advanced persistent threat (APT) group techniques using MITRE ATT&CK Navigator to create layered heatmaps
+description: Analyze advanced persistent threat (APT) group techniques using MITRE
-  of adversary TTPs for detection gap analysis and threat-informed defense.
+  ATT&CK Navigator to create layered heatmaps of adversary TTPs for detection gap
  analysis and threat-informed defense.
 domain: cybersecurity
 subdomain: threat-intelligence
 tags:
@@ -27,6 +28,12 @@ nist_csf:
 - ID.RA-05
 - DE.CM-01
 - DE.AE-02
 mitre_attack:
 - T1059.001
 - T1071.001
 - T1003.001
 - T1486
 - T1547.001
 ---
 # Analyzing APT Group with MITRE ATT&CK Navigator
@@ -1,17 +1,20 @@
 ---
 name: analyzing-azure-activity-logs-for-threats
-description: 'Queries Azure Monitor activity logs and sign-in logs via azure-monitor-query to detect suspicious administrative
+description: 'Queries Azure Monitor activity logs and sign-in logs via azure-monitor-query
-  operations, impossible travel, privilege escalation, and resource modifications. Builds KQL queries for threat hunting in
+  to detect suspicious administrative operations, impossible travel, privilege escalation,
-  Azure environments. Use when investigating suspicious Azure tenant activity or building cloud SIEM detections.
+  and resource modifications. Builds KQL queries for threat hunting in Azure environments.
  Use when investigating suspicious Azure tenant activity or building cloud SIEM detections.
  '
 domain: cybersecurity
 subdomain: security-operations
 tags:
 - analyzing
 - azure
- activity
+- cloud-security
- logs
+- azure-monitor
 - kql
 - threat-hunting
 - activity-logs
 version: '1.0'
 author: mahipal
 license: Apache-2.0
@@ -20,6 +23,12 @@ nist_csf:
 - RS.MA-01
 - GV.OV-01
 - DE.AE-02
 mitre_attack:
 - T1078.004
 - T1098.003
 - T1538
 - T1556.009
 - T1580
 ---
 # Analyzing Azure Activity Logs for Threats
@@ -1,9 +1,11 @@
 ---
 name: analyzing-bootkit-and-rootkit-samples
-description: 'Analyzes bootkit and advanced rootkit malware that infects the Master Boot Record (MBR), Volume Boot Record
+description: 'Analyzes bootkit and advanced rootkit malware that infects the Master
-  (VBR), or UEFI firmware to gain persistence below the operating system. Covers boot sector analysis, UEFI module inspection,
+  Boot Record (MBR), Volume Boot Record (VBR), or UEFI firmware to gain persistence
-  and anti-rootkit detection techniques. Activates for requests involving bootkit analysis, MBR malware investigation, UEFI
+  below the operating system. Covers boot sector analysis, UEFI module inspection,
-  persistence analysis, or pre-OS malware detection.
+  and anti-rootkit detection techniques. Activates for requests involving bootkit
  analysis, MBR malware investigation, UEFI persistence analysis, or pre-OS malware
  detection.
  '
 domain: cybersecurity
@@ -22,6 +24,12 @@ nist_csf:
 - RS.AN-03
 - ID.RA-01
 - DE.CM-01
 mitre_attack:
 - T1542.003
 - T1542.001
 - T1542.002
 - T1014
 - T1547.006
 ---
 # Analyzing Bootkit and Rootkit Samples
@@ -1,7 +1,8 @@
 ---
 name: analyzing-browser-forensics-with-hindsight
-description: Analyze Chromium-based browser artifacts using Hindsight to extract browsing history, downloads, cookies, cached
+description: Analyze Chromium-based browser artifacts using Hindsight to extract browsing
-  content, autofill data, saved passwords, and browser extensions from Chrome, Edge, Brave, and Opera for forensic investigation.
+  history, downloads, cookies, cached content, autofill data, saved passwords, and
  browser extensions from Chrome, Edge, Brave, and Opera for forensic investigation.
 domain: cybersecurity
 subdomain: digital-forensics
 tags:
@@ -23,6 +24,11 @@ nist_csf:
 - RS.AN-03
 - DE.AE-02
 - RS.MA-01
 mitre_attack:
 - T1217
 - T1539
 - T1555.003
 - T1185
 ---
 # Analyzing Browser Forensics with Hindsight
@@ -1,7 +1,8 @@
 ---
 name: analyzing-campaign-attribution-evidence
-description: Campaign attribution analysis involves systematically evaluating evidence to determine which threat actor or
+description: Campaign attribution analysis involves systematically evaluating evidence
-  group is responsible for a cyber operation. This skill covers collecting and weighting attr
+  to determine which threat actor or group is responsible for a cyber operation. This
  skill covers collecting and weighting attr
 domain: cybersecurity
 subdomain: threat-intelligence
 tags:
@@ -20,6 +21,11 @@ nist_csf:
 - ID.RA-05
 - DE.CM-01
 - DE.AE-02
 mitre_attack:
 - T1587.001
 - T1583.001
 - T1588.002
 - T1071.001
 ---
 # Analyzing Campaign Attribution Evidence
@@ -1,7 +1,8 @@
 ---
 name: analyzing-certificate-transparency-for-phishing
-description: Monitor Certificate Transparency logs using crt.sh and Certstream to detect phishing domains, lookalike certificates,
+description: Monitor Certificate Transparency logs using crt.sh and Certstream to
-  and unauthorized certificate issuance targeting your organization.
+  detect phishing domains, lookalike certificates, and unauthorized certificate issuance
  targeting your organization.
 domain: cybersecurity
 subdomain: threat-intelligence
 tags:
@@ -23,6 +24,12 @@ nist_csf:
 - ID.RA-05
 - DE.CM-01
 - DE.AE-02
 mitre_attack:
 - T1583.001
 - T1583.004
 - T1566.002
 - T1608.005
 - T1596.003
 ---
 # Analyzing Certificate Transparency for Phishing
@@ -1,15 +1,20 @@
 ---
 name: analyzing-cloud-storage-access-patterns
-description: Detect abnormal access patterns in AWS S3, GCS, and Azure Blob Storage by analyzing CloudTrail Data Events, GCS
+description: Detect abnormal access patterns in AWS S3, GCS, and Azure Blob Storage
-  audit logs, and Azure Storage Analytics. Identifies after-hours bulk downloads, access from new IP addresses, unusual API
+  by analyzing CloudTrail Data Events, GCS audit logs, and Azure Storage Analytics.
-  calls (GetObject spikes), and potential data exfiltration using statistical baselines and time-series anomaly detection.
+  Identifies after-hours bulk downloads, access from new IP addresses, unusual API
  calls (GetObject spikes), and potential data exfiltration using statistical baselines
  and time-series anomaly detection.
 domain: cybersecurity
 subdomain: cloud-security
 tags:
- analyzing
+- cloud-security
- cloud
+- aws-s3
- storage
+- gcs
- access
+- azure-blob-storage
 - cloudtrail
 - data-access-anomaly
 - exfiltration-detection
 version: '1.0'
 author: mahipal
 license: Apache-2.0
@@ -25,6 +30,12 @@ nist_csf:
 - ID.AM-08
 - GV.SC-06
 - DE.CM-01
 mitre_attack:
 - T1530
 - T1567.002
 - T1619
 - T1078.004
 - T1048
 ---
@@ -1,7 +1,8 @@
 ---
 name: analyzing-cobalt-strike-beacon-configuration
-description: Extract and analyze Cobalt Strike beacon configuration from PE files and memory dumps to identify C2 infrastructure,
+description: Extract and analyze Cobalt Strike beacon configuration from PE files
-  malleable profiles, and operator tradecraft.
+  and memory dumps to identify C2 infrastructure, malleable profiles, and operator
  tradecraft.
 domain: cybersecurity
 subdomain: malware-analysis
 tags:
@@ -20,6 +21,12 @@ nist_csf:
 - RS.AN-03
 - ID.RA-01
 - DE.CM-01
 mitre_attack:
 - T1071.001
 - T1573.001
 - T1090.004
 - T1105
 - T1027
 ---
 # Analyzing Cobalt Strike Beacon Configuration
@@ -1,7 +1,8 @@
 ---
 name: analyzing-cobaltstrike-malleable-c2-profiles
-description: Parse and analyze Cobalt Strike Malleable C2 profiles using dissect.cobaltstrike and pyMalleableC2 to extract
+description: Parse and analyze Cobalt Strike Malleable C2 profiles using dissect.cobaltstrike
-  C2 indicators, detect evasion techniques, and generate network detection signatures.
+  and pyMalleableC2 to extract C2 indicators, detect evasion techniques, and generate
  network detection signatures.
 domain: cybersecurity
 subdomain: malware-analysis
 tags:
@@ -20,6 +21,12 @@ nist_csf:
 - RS.AN-03
 - ID.RA-01
 - DE.CM-01
 mitre_attack:
 - T1071.001
 - T1573.002
 - T1001.003
 - T1090.004
 - T1102
 ---
 # Analyzing CobaltStrike Malleable C2 Profiles
@@ -1,9 +1,10 @@
 ---
 name: analyzing-command-and-control-communication
-description: 'Analyzes malware command-and-control (C2) communication protocols to understand beacon patterns, command structures,
+description: 'Analyzes malware command-and-control (C2) communication protocols to
-  data encoding, and infrastructure. Covers HTTP, HTTPS, DNS, and custom protocol C2 analysis for detection development and
+  understand beacon patterns, command structures, data encoding, and infrastructure.
-  threat intelligence. Activates for requests involving C2 analysis, beacon detection, C2 protocol reverse engineering, or
+  Covers HTTP, HTTPS, DNS, and custom protocol C2 analysis for detection development
-  command-and-control infrastructure mapping.
+  and threat intelligence. Activates for requests involving C2 analysis, beacon detection,
  C2 protocol reverse engineering, or command-and-control infrastructure mapping.
  '
 domain: cybersecurity
@@ -22,6 +23,12 @@ nist_csf:
 - RS.AN-03
 - ID.RA-01
 - DE.CM-01
 mitre_attack:
 - T1071.001
 - T1573
 - T1571
 - T1008
 - T1095
 ---
 # Analyzing Command-and-Control Communication
@@ -1,10 +1,12 @@
 ---
 name: analyzing-cyber-kill-chain
-description: 'Analyzes intrusion activity against the Lockheed Martin Cyber Kill Chain framework to identify which phases
+description: 'Analyzes intrusion activity against the Lockheed Martin Cyber Kill Chain
-  an adversary has completed, where defenses succeeded or failed, and what controls would have interrupted the attack at earlier
+  framework to identify which phases an adversary has completed, where defenses succeeded
-  phases. Use when conducting post-incident analysis, building prevention-focused security controls, or mapping detection
+  or failed, and what controls would have interrupted the attack at earlier phases.
-  gaps to kill chain phases. Activates for requests involving kill chain analysis, intrusion kill chain, attack phase mapping,
+  Use when conducting post-incident analysis, building prevention-focused security
-  or Lockheed Martin kill chain framework.
+  controls, or mapping detection gaps to kill chain phases. Activates for requests
  involving kill chain analysis, intrusion kill chain, attack phase mapping, or Lockheed
  Martin kill chain framework.
  '
 domain: cybersecurity
@@ -24,6 +26,12 @@ nist_csf:
 - ID.RA-05
 - DE.CM-01
 - DE.AE-02
 mitre_attack:
 - T1566.001
 - T1190
 - T1547.001
 - T1071.001
 - T1486
 ---
 # Analyzing Cyber Kill Chain
@@ -1,7 +1,7 @@
 ---
 name: analyzing-disk-image-with-autopsy
-description: Perform comprehensive forensic analysis of disk images using Autopsy to recover files, examine artifacts, and
+description: Perform comprehensive forensic analysis of disk images using Autopsy
-  build investigation timelines.
+  to recover files, examine artifacts, and build investigation timelines.
 domain: cybersecurity
 subdomain: digital-forensics
 tags:
@@ -19,6 +19,11 @@ nist_csf:
 - RS.AN-03
 - DE.AE-02
 - RS.MA-01
 mitre_attack:
 - T1005
 - T1074.001
 - T1070.004
 - T1083
 ---
 # Analyzing Disk Image with Autopsy
@@ -1,8 +1,9 @@
 ---
 name: analyzing-dns-logs-for-exfiltration
-description: 'Analyzes DNS query logs to detect data exfiltration via DNS tunneling, DGA domain communication, and covert
+description: 'Analyzes DNS query logs to detect data exfiltration via DNS tunneling,
-  C2 channels using entropy analysis, query volume anomalies, and subdomain length detection in SIEM platforms. Use when SOC
+  DGA domain communication, and covert C2 channels using entropy analysis, query volume
-  teams need to identify DNS-based threats that bypass traditional network security controls.
+  anomalies, and subdomain length detection in SIEM platforms. Use when SOC teams
  need to identify DNS-based threats that bypass traditional network security controls.
  '
 domain: cybersecurity
@@ -28,6 +29,10 @@ nist_csf:
 - DE.AE-02
 - RS.MA-01
 - DE.AE-06
 mitre_attack:
 - T1048.003
 - T1071.004
 - T1567
 ---
 # Analyzing DNS Logs for Exfiltration
@@ -1,7 +1,7 @@
 ---
 name: analyzing-docker-container-forensics
-description: Investigate compromised Docker containers by analyzing images, layers, volumes, logs, and runtime artifacts to
+description: Investigate compromised Docker containers by analyzing images, layers,
-  identify malicious activity and evidence.
+  volumes, logs, and runtime artifacts to identify malicious activity and evidence.
 domain: cybersecurity
 subdomain: digital-forensics
 tags:
@@ -19,6 +19,11 @@ nist_csf:
 - RS.AN-03
 - DE.AE-02
 - RS.MA-01
 mitre_attack:
 - T1610
 - T1611
 - T1613
 - T1612
 ---
 # Analyzing Docker Container Forensics
@@ -1,7 +1,7 @@
 ---
 name: analyzing-email-headers-for-phishing-investigation
-description: Parse and analyze email headers to trace the origin of phishing emails, verify sender authenticity, and identify
+description: Parse and analyze email headers to trace the origin of phishing emails,
-  spoofing through SPF, DKIM, and DMARC validation.
+  verify sender authenticity, and identify spoofing through SPF, DKIM, and DMARC validation.
 domain: cybersecurity
 subdomain: digital-forensics
 tags:
@@ -22,6 +22,10 @@ nist_csf:
 - RS.AN-03
 - DE.AE-02
 - RS.MA-01
 mitre_attack:
 - T1566.001
 - T1566.002
 - T1598.003
 ---
 # Analyzing Email Headers for Phishing Investigation
@@ -1,7 +1,8 @@
 ---
 name: analyzing-ethereum-smart-contract-vulnerabilities
-description: Perform static and symbolic analysis of Solidity smart contracts using Slither and Mythril to detect reentrancy,
+description: Perform static and symbolic analysis of Solidity smart contracts using
-  integer overflow, access control, and other vulnerability classes before deployment to Ethereum mainnet.
+  Slither and Mythril to detect reentrancy, integer overflow, access control, and
  other vulnerability classes before deployment to Ethereum mainnet.
 domain: cybersecurity
 subdomain: blockchain-security
 tags:
@@ -20,6 +21,9 @@ nist_csf:
 - PR.DS-01
 - PR.DS-02
 - ID.RA-01
 mitre_attack:
 - T1190
 - T1059
 ---
 # Analyzing Ethereum Smart Contract Vulnerabilities
@@ -1,7 +1,8 @@
 ---
 name: analyzing-golang-malware-with-ghidra
-description: Reverse engineer Go-compiled malware using Ghidra with specialized scripts for function recovery, string extraction,
+description: Reverse engineer Go-compiled malware using Ghidra with specialized scripts
-  and type reconstruction in stripped Go binaries.
+  for function recovery, string extraction, and type reconstruction in stripped Go
  binaries.
 domain: cybersecurity
 subdomain: malware-analysis
 tags:
@@ -20,6 +21,11 @@ nist_csf:
 - RS.AN-03
 - ID.RA-01
 - DE.CM-01
 mitre_attack:
 - T1027
 - T1620
 - T1140
 - T1059
 ---
 # Analyzing Golang Malware with Ghidra
@@ -1,7 +1,8 @@
 ---
 name: analyzing-heap-spray-exploitation
-description: Detect and analyze heap spray attacks in memory dumps using Volatility3 plugins to identify NOP sled patterns,
+description: Detect and analyze heap spray attacks in memory dumps using Volatility3
-  shellcode landing zones, and suspicious large allocations in process virtual address space.
+  plugins to identify NOP sled patterns, shellcode landing zones, and suspicious large
  allocations in process virtual address space.
 domain: cybersecurity
 subdomain: malware-analysis
 tags:
@@ -18,6 +19,10 @@ nist_csf:
 - RS.AN-03
 - ID.RA-01
 - DE.CM-01
 mitre_attack:
 - T1203
 - T1059.007
 - T1106
 ---
 # Analyzing Heap Spray Exploitation
@@ -1,9 +1,11 @@
 ---
 name: analyzing-indicators-of-compromise
-description: 'Analyzes indicators of compromise (IOCs) including IP addresses, domains, file hashes, URLs, and email artifacts
+description: 'Analyzes indicators of compromise (IOCs) including IP addresses, domains,
-  to determine maliciousness confidence, campaign attribution, and blocking priority. Use when triaging IOCs from phishing
+  file hashes, URLs, and email artifacts to determine maliciousness confidence, campaign
-  emails, security alerts, or external threat feeds; enriching raw IOCs with multi-source intelligence; or making block/monitor/whitelist
+  attribution, and blocking priority. Use when triaging IOCs from phishing emails,
-  decisions. Activates for requests involving VirusTotal, AbuseIPDB, MalwareBazaar, MISP, or IOC enrichment pipelines.
+  security alerts, or external threat feeds; enriching raw IOCs with multi-source
  intelligence; or making block/monitor/whitelist decisions. Activates for requests
  involving VirusTotal, AbuseIPDB, MalwareBazaar, MISP, or IOC enrichment pipelines.
  '
 domain: cybersecurity
@@ -27,6 +29,11 @@ nist_csf:
 - ID.RA-05
 - DE.CM-01
 - DE.AE-02
 mitre_attack:
 - T1071
 - T1105
 - T1041
 - T1567
 ---
 # Analyzing Indicators of Compromise
@@ -1,12 +1,9 @@
 ---
 name: analyzing-ios-app-security-with-objection
-description: 'Performs runtime mobile security exploration of iOS applications using Objection, a Frida-powered toolkit that
+description: >-
-  enables security testers to interact with app internals without jailbreaking. Use when assessing iOS app security posture,
+  Runtime iOS app security testing with Objection (Frida): inspect keychain and
-  bypassing client-side protections, dumping keychain items, inspecting filesystem storage, and evaluating runtime behavior.
+  filesystem data, explore app internals at runtime, and validate/bypass
-  Activates for requests involving iOS security testing, Objection runtime analysis, Frida-based iOS assessment, or mobile
+  client-side protections during authorized mobile assessments.
  runtime exploration.
  '
 domain: cybersecurity
 subdomain: mobile-security
 author: mahipal
@@ -31,6 +28,11 @@ nist_csf:
 - PR.AA-05
 - ID.RA-01
 - DE.CM-09
 mitre_attack:
 - T1635
 - T1414
 - T1417.001
 - T1409
 ---
 # Analyzing iOS App Security with Objection
@@ -1,17 +1,21 @@
 ---
 name: analyzing-kubernetes-audit-logs
-description: 'Parses Kubernetes API server audit logs (JSON lines) to detect exec-into-pod, secret access, RBAC modifications,
+description: 'Parses Kubernetes API server audit logs (JSON lines) to detect exec-into-pod,
-  privileged pod creation, and anonymous API access. Builds threat detection rules from audit event patterns. Use when investigating
+  secret access, RBAC modifications, privileged pod creation, and anonymous API access.
  Builds threat detection rules from audit event patterns. Use when investigating
  Kubernetes cluster compromise or building k8s-specific SIEM detection rules.
  '
 domain: cybersecurity
 subdomain: container-security
 tags:
- analyzing
+- kubernetes-security
- kubernetes
+- container-security
- audit
+- audit-log-analysis
- logs
+- rbac
 - privilege-escalation
 - k8s-api-server
 - threat-detection
 version: '1.0'
 author: mahipal
 license: Apache-2.0
@@ -20,6 +24,11 @@ nist_csf:
 - PR.IR-01
 - ID.AM-08
 - DE.CM-01
 mitre_attack:
 - T1610
 - T1613
 - T1078
 - T1552.007
 ---
 # Analyzing Kubernetes Audit Logs
@@ -1,9 +1,11 @@
 ---
 name: analyzing-linux-audit-logs-for-intrusion
-description: 'Uses the Linux Audit framework (auditd) with ausearch and aureport utilities to detect intrusion attempts, unauthorized
+description: 'Uses the Linux Audit framework (auditd) with ausearch and aureport utilities
-  access, privilege escalation, and suspicious system activity. Covers audit rule configuration, log querying, timeline reconstruction,
+  to detect intrusion attempts, unauthorized access, privilege escalation, and suspicious
-  and integration with SIEM platforms. Activates for requests involving auditd analysis, Linux audit log investigation, ausearch
+  system activity. Covers audit rule configuration, log querying, timeline reconstruction,
-  queries, aureport summaries, or host-based intrusion detection on Linux.
+  and integration with SIEM platforms. Activates for requests involving auditd analysis,
  Linux audit log investigation, ausearch queries, aureport summaries, or host-based
  intrusion detection on Linux.
  '
 domain: cybersecurity
@@ -24,6 +26,11 @@ nist_csf:
 - RS.MA-02
 - RS.AN-03
 - RC.RP-01
 mitre_attack:
 - T1059.004
 - T1070
 - T1548.003
 - T1543.002
 ---
 # Analyzing Linux Audit Logs for Intrusion
@@ -1,9 +1,11 @@
 ---
 name: analyzing-linux-elf-malware
-description: 'Analyzes malicious Linux ELF (Executable and Linkable Format) binaries including botnets, cryptominers, ransomware,
+description: 'Analyzes malicious Linux ELF (Executable and Linkable Format) binaries
-  and rootkits targeting Linux servers, containers, and cloud infrastructure. Covers static analysis, dynamic tracing, and
+  including botnets, cryptominers, ransomware, and rootkits targeting Linux servers,
-  reverse engineering of x86_64 and ARM ELF samples. Activates for requests involving Linux malware analysis, ELF binary investigation,
+  containers, and cloud infrastructure. Covers static analysis, dynamic tracing, and
-  Linux server compromise assessment, or container malware analysis.
+  reverse engineering of x86_64 and ARM ELF samples. Activates for requests involving
  Linux malware analysis, ELF binary investigation, Linux server compromise assessment,
  or container malware analysis.
  '
 domain: cybersecurity
@@ -22,6 +24,11 @@ nist_csf:
 - RS.AN-03
 - ID.RA-01
 - DE.CM-01
 mitre_attack:
 - T1027
 - T1059.004
 - T1620
 - T1574.006
 ---
 # Analyzing Linux ELF Malware
@@ -1,8 +1,9 @@
 ---
 name: analyzing-linux-kernel-rootkits
-description: Detect kernel-level rootkits in Linux memory dumps using Volatility3 linux plugins (check_syscall, lsmod, hidden_modules),
+description: Detect kernel-level rootkits in Linux memory dumps using Volatility3
-  rkhunter system scanning, and /proc vs /sys discrepancy analysis to identify hooked syscalls, hidden kernel modules, and
+  linux plugins (check_syscall, lsmod, hidden_modules), rkhunter system scanning,
-  tampered system structures.
+  and /proc vs /sys discrepancy analysis to identify hooked syscalls, hidden kernel
  modules, and tampered system structures.
 domain: cybersecurity
 subdomain: digital-forensics
 tags:
@@ -22,6 +23,10 @@ nist_csf:
 - RS.AN-03
 - DE.AE-02
 - RS.MA-01
 mitre_attack:
 - T1014
 - T1547.006
 - T1564.001
 ---
 # Analyzing Linux Kernel Rootkits
@@ -1,7 +1,8 @@
 ---
 name: analyzing-linux-system-artifacts
-description: Examine Linux system artifacts including auth logs, cron jobs, shell history, and system configuration to uncover
+description: Examine Linux system artifacts including auth logs, cron jobs, shell
-  evidence of compromise or unauthorized activity.
+  history, and system configuration to uncover evidence of compromise or unauthorized
  activity.
 domain: cybersecurity
 subdomain: digital-forensics
 tags:
@@ -19,6 +20,11 @@ nist_csf:
 - RS.AN-03
 - DE.AE-02
 - RS.MA-01
 mitre_attack:
 - T1070
 - T1059.004
 - T1543.002
 - T1053.003
 ---
 # Analyzing Linux System Artifacts
@@ -1,7 +1,8 @@
 ---
 name: analyzing-lnk-file-and-jump-list-artifacts
-description: Analyze Windows LNK shortcut files and Jump List artifacts to establish evidence of file access, program execution,
+description: Analyze Windows LNK shortcut files and Jump List artifacts to establish
-  and user activity using LECmd, JLECmd, and manual binary parsing of the Shell Link Binary format.
+  evidence of file access, program execution, and user activity using LECmd, JLECmd,
  and manual binary parsing of the Shell Link Binary format.
 domain: cybersecurity
 subdomain: digital-forensics
 tags:
@@ -23,6 +24,10 @@ nist_csf:
 - RS.AN-03
 - DE.AE-02
 - RS.MA-01
 mitre_attack:
 - T1547.009
 - T1204.002
 - T1059.001
 ---
 # Analyzing LNK File and Jump List Artifacts
@@ -1,9 +1,10 @@
 ---
 name: analyzing-macro-malware-in-office-documents
-description: 'Analyzes malicious VBA macros embedded in Microsoft Office documents (Word, Excel, PowerPoint) to identify download
+description: 'Analyzes malicious VBA macros embedded in Microsoft Office documents
-  cradles, payload execution, persistence mechanisms, and anti-analysis techniques. Uses olevba, oledump, and VBA deobfuscation
+  (Word, Excel, PowerPoint) to identify download cradles, payload execution, persistence
-  to extract the attack chain. Activates for requests involving Office macro analysis, VBA malware investigation, maldoc analysis,
+  mechanisms, and anti-analysis techniques. Uses olevba, oledump, and VBA deobfuscation
-  or document-based threat examination.
+  to extract the attack chain. Activates for requests involving Office macro analysis,
  VBA malware investigation, maldoc analysis, or document-based threat examination.
  '
 domain: cybersecurity
@@ -31,6 +32,11 @@ nist_csf:
 - RS.AN-03
 - ID.RA-01
 - DE.CM-01
 mitre_attack:
 - T1137.001
 - T1204.002
 - T1059.005
 - T1027
 ---
 # Analyzing Macro Malware in Office Documents
@@ -1,7 +1,7 @@
 ---
 name: analyzing-malicious-pdf-with-peepdf
-description: Perform static analysis of malicious PDF documents using peepdf, pdfid, and pdf-parser to extract embedded JavaScript,
+description: Perform static analysis of malicious PDF documents using peepdf, pdfid,
-  shellcode, and suspicious objects.
+  and pdf-parser to extract embedded JavaScript, shellcode, and suspicious objects.
 domain: cybersecurity
 subdomain: malware-analysis
 tags:
@@ -21,6 +21,11 @@ nist_csf:
 - RS.AN-03
 - ID.RA-01
 - DE.CM-01
 mitre_attack:
 - T1204.002
 - T1059.007
 - T1027
 - T1106
 ---
 # Analyzing Malicious PDF with peepdf
@@ -1,7 +1,8 @@
 ---
 name: analyzing-malicious-url-with-urlscan
-description: URLScan.io is a free service for scanning and analyzing suspicious URLs. It captures screenshots, DOM content,
+description: URLScan.io is a free service for scanning and analyzing suspicious URLs.
-  HTTP transactions, JavaScript behavior, and network connections of web pages in an isolat
+  It captures screenshots, DOM content, HTTP transactions, JavaScript behavior, and
  network connections of web pages in an isolat
 domain: cybersecurity
 subdomain: phishing-defense
 tags:
@@ -22,6 +23,10 @@ nist_csf:
 - DE.CM-09
 - RS.CO-02
 - DE.AE-02
 mitre_attack:
 - T1566.002
 - T1204.001
 - T1598.003
 ---
 # Analyzing Malicious URL with URLScan
@@ -1,9 +1,10 @@
 ---
 name: analyzing-malware-behavior-with-cuckoo-sandbox
-description: 'Executes malware samples in Cuckoo Sandbox to observe runtime behavior including process creation, file system
+description: 'Executes malware samples in Cuckoo Sandbox to observe runtime behavior
-  modifications, registry changes, network communications, and API calls. Generates comprehensive behavioral reports for malware
+  including process creation, file system modifications, registry changes, network
-  classification and IOC extraction. Activates for requests involving dynamic malware analysis, sandbox detonation, behavioral
+  communications, and API calls. Generates comprehensive behavioral reports for malware
-  analysis, or automated malware execution.
+  classification and IOC extraction. Activates for requests involving dynamic malware
  analysis, sandbox detonation, behavioral analysis, or automated malware execution.
  '
 domain: cybersecurity
@@ -22,6 +23,11 @@ nist_csf:
 - RS.AN-03
 - ID.RA-01
 - DE.CM-01
 mitre_attack:
 - T1497
 - T1055
 - T1071
 - T1027
 ---
 # Analyzing Malware Behavior with Cuckoo Sandbox
@@ -1,7 +1,8 @@
 ---
 name: analyzing-malware-family-relationships-with-malpedia
-description: Use the Malpedia platform and API to research malware family relationships, track variant evolution, link families
+description: Use the Malpedia platform and API to research malware family relationships,
-  to threat actors, and integrate YARA rules for detection across malware lineages.
+  track variant evolution, link families to threat actors, and integrate YARA rules
  for detection across malware lineages.
 domain: cybersecurity
 subdomain: threat-intelligence
 tags:
@@ -21,6 +22,10 @@ nist_csf:
 - ID.RA-05
 - DE.CM-01
 - DE.AE-02
 mitre_attack:
 - T1587.001
 - T1027
 - T1071
 ---
 # Analyzing Malware Family Relationships with Malpedia
@@ -1,7 +1,8 @@
 ---
 name: analyzing-malware-persistence-with-autoruns
-description: Use Sysinternals Autoruns to systematically identify and analyze malware persistence mechanisms across registry
+description: Use Sysinternals Autoruns to systematically identify and analyze malware
-  keys, scheduled tasks, services, drivers, and startup locations on Windows systems.
+  persistence mechanisms across registry keys, scheduled tasks, services, drivers,
  and startup locations on Windows systems.
 domain: cybersecurity
 subdomain: malware-analysis
 tags:
@@ -14,10 +15,11 @@ tags:
 - startup
 - incident-response
 mitre_attack:
- T1547
+- T1547.001
- T1053
+- T1543.003
- T1543
+- T1053.005
- T1546
+- T1574.001
 - T1037.001
 version: '1.0'
 author: mahipal
 license: Apache-2.0
@@ -1,7 +1,8 @@
 ---
 name: analyzing-malware-sandbox-evasion-techniques
-description: Detect sandbox evasion techniques in malware samples by analyzing timing checks, VM artifact queries, user interaction
+description: Detect sandbox evasion techniques in malware samples by analyzing timing
-  detection, and sleep inflation patterns from Cuckoo/AnyRun behavioral reports
+  checks, VM artifact queries, user interaction detection, and sleep inflation patterns
  from Cuckoo/AnyRun behavioral reports
 domain: cybersecurity
 subdomain: malware-analysis
 tags:
@@ -26,6 +27,11 @@ nist_csf:
 - RS.AN-03
 - ID.RA-01
 - DE.CM-01
 mitre_attack:
 - T1497.001
 - T1497.003
 - T1480
 - T1027.002
 ---
 # Analyzing Malware Sandbox Evasion Techniques
@@ -1,17 +1,21 @@
 ---
 name: analyzing-memory-forensics-with-lime-and-volatility
-description: 'Performs Linux memory acquisition using LiME (Linux Memory Extractor) kernel module and analysis with Volatility
+description: 'Performs Linux memory acquisition using LiME (Linux Memory Extractor)
-  3 framework. Extracts process lists, network connections, bash history, loaded kernel modules, and injected code from Linux
+  kernel module and analysis with Volatility 3 framework. Extracts process lists,
-  memory images. Use when performing incident response on compromised Linux systems.
+  network connections, bash history, loaded kernel modules, and injected code from
  Linux memory images. Use when performing incident response on compromised Linux
  systems.
  '
 domain: cybersecurity
 subdomain: security-operations
 tags:
- analyzing
+- memory-forensics
- memory
+- linux-forensics
- forensics
+- lime
- with
+- volatility
 - incident-response
 - kernel-modules
 version: '1.0'
 author: mahipal
 license: Apache-2.0
@@ -20,6 +24,11 @@ nist_csf:
 - RS.MA-01
 - GV.OV-01
 - DE.AE-02
 mitre_attack:
 - T1055
 - T1003.001
 - T1620
 - T1564.001
 ---
 # Analyzing Memory Forensics with LiME and Volatility
@@ -1,7 +1,8 @@
 ---
 name: analyzing-mft-for-deleted-file-recovery
-description: Analyze the NTFS Master File Table ($MFT) to recover metadata and content of deleted files by examining MFT record
+description: Analyze the NTFS Master File Table ($MFT) to recover metadata and content
-  entries, $LogFile, $UsnJrnl, and MFT slack space using MFTECmd, analyzeMFT, and X-Ways Forensics.
+  of deleted files by examining MFT record entries, $LogFile, $UsnJrnl, and MFT slack
  space using MFTECmd, analyzeMFT, and X-Ways Forensics.
 domain: cybersecurity
 subdomain: digital-forensics
 tags:
@@ -23,6 +24,10 @@ nist_csf:
 - RS.AN-03
 - DE.AE-02
 - RS.MA-01
 mitre_attack:
 - T1070.004
 - T1070.006
 - T1005
 ---
 # Analyzing MFT for Deleted File Recovery
@@ -1,7 +1,8 @@
 ---
 name: analyzing-network-covert-channels-in-malware
-description: Detect and analyze covert communication channels used by malware including DNS tunneling, ICMP exfiltration,
+description: Detect and analyze covert communication channels used by malware including
-  steganographic HTTP, and protocol abuse for C2 and data exfiltration.
+  DNS tunneling, ICMP exfiltration, steganographic HTTP, and protocol abuse for C2
  and data exfiltration.
 domain: cybersecurity
 subdomain: malware-analysis
 tags:
@@ -26,6 +27,11 @@ nist_csf:
 - RS.AN-03
 - ID.RA-01
 - DE.CM-01
 mitre_attack:
 - T1071.001
 - T1095
 - T1572
 - T1001
 ---
 # Analyzing Network Covert Channels in Malware
@@ -1,8 +1,10 @@
 ---
 name: analyzing-network-flow-data-with-netflow
-description: Parse NetFlow v9 and IPFIX records to detect volumetric anomalies, port scanning, data exfiltration, and C2 beaconing
+description: Parse NetFlow v9 and IPFIX records to detect volumetric anomalies, port
-  patterns. Uses the Python netflow library to decode flow records, builds traffic baselines, and applies statistical analysis
+  scanning, data exfiltration, and C2 beaconing patterns. Uses the Python netflow
-  to identify flows with abnormal byte counts, connection durations, and periodic timing patterns.
+  library to decode flow records, builds traffic baselines, and applies statistical
  analysis to identify flows with abnormal byte counts, connection durations, and
  periodic timing patterns.
 domain: cybersecurity
 subdomain: network-security
 tags:
@@ -18,6 +20,11 @@ nist_csf:
 - DE.CM-01
 - ID.AM-03
 - PR.DS-02
 mitre_attack:
 - T1071
 - T1048
 - T1046
 - T1095
 ---
@@ -1,7 +1,8 @@
 ---
 name: analyzing-network-packets-with-scapy
-description: Craft, send, sniff, and dissect network packets using Scapy for protocol analysis, network reconnaissance, and
+description: Craft, send, sniff, and dissect network packets using Scapy for protocol
-  traffic anomaly detection in authorized security testing
+  analysis, network reconnaissance, and traffic anomaly detection in authorized security
  testing
 domain: cybersecurity
 subdomain: network-security
 tags:
@@ -19,6 +20,11 @@ nist_csf:
 - DE.CM-01
 - ID.AM-03
 - PR.DS-02
 mitre_attack:
 - T1040
 - T1071
 - T1046
 - T1557
 ---
 # Analyzing Network Packets with Scapy
@@ -1,9 +1,10 @@
 ---
 name: analyzing-network-traffic-of-malware
-description: 'Analyzes network traffic generated by malware during sandbox execution or live incident response to identify
+description: 'Analyzes network traffic generated by malware during sandbox execution
-  C2 protocols, data exfiltration channels, payload downloads, and lateral movement patterns using Wireshark, Zeek, and Suricata.
+  or live incident response to identify C2 protocols, data exfiltration channels,
-  Activates for requests involving malware network analysis, C2 traffic decoding, malware PCAP analysis, or network-based
+  payload downloads, and lateral movement patterns using Wireshark, Zeek, and Suricata.
-  malware detection.
+  Activates for requests involving malware network analysis, C2 traffic decoding,
  malware PCAP analysis, or network-based malware detection.
  '
 domain: cybersecurity
@@ -22,6 +23,11 @@ nist_csf:
 - RS.AN-03
 - ID.RA-01
 - DE.CM-01
 mitre_attack:
 - T1071.001
 - T1571
 - T1573
 - T1095
 ---
 # Analyzing Network Traffic of Malware
@@ -1,7 +1,8 @@
 ---
 name: analyzing-network-traffic-with-wireshark
-description: 'Captures and analyzes network packet data using Wireshark and tshark to identify malicious traffic patterns,
+description: 'Captures and analyzes network packet data using Wireshark and tshark
-  diagnose protocol issues, extract artifacts, and support incident response investigations on authorized network segments.
+  to identify malicious traffic patterns, diagnose protocol issues, extract artifacts,
  and support incident response investigations on authorized network segments.
  '
 domain: cybersecurity
@@ -20,6 +21,11 @@ nist_csf:
 - DE.CM-01
 - ID.AM-03
 - PR.DS-02
 mitre_attack:
 - T1040
 - T1071
 - T1557
 - T1046
 ---
 # Analyzing Network Traffic with Wireshark
@@ -1,7 +1,8 @@
 ---
 name: analyzing-office365-audit-logs-for-compromise
-description: Parse Office 365 Unified Audit Logs via Microsoft Graph API to detect email forwarding rule creation, inbox delegation,
+description: Parse Office 365 Unified Audit Logs via Microsoft Graph API to detect
-  suspicious OAuth app grants, and other indicators of account compromise.
+  email forwarding rule creation, inbox delegation, suspicious OAuth app grants, and
  other indicators of account compromise.
 domain: cybersecurity
 subdomain: cloud-security
 tags:
@@ -20,6 +21,11 @@ nist_csf:
 - ID.AM-08
 - GV.SC-06
 - DE.CM-01
 mitre_attack:
 - T1114.002
 - T1098.002
 - T1556.006
 - T1078.004
 ---
 # Analyzing Office 365 Audit Logs for Compromise
@@ -1,8 +1,9 @@
 ---
 name: analyzing-outlook-pst-for-email-forensics
-description: Analyze Microsoft Outlook PST and OST files for email forensic evidence including message content, headers, attachments,
+description: Analyze Microsoft Outlook PST and OST files for email forensic evidence
-  deleted items, and metadata using libpff, pst-utils, and forensic email analysis tools for legal investigations and incident
+  including message content, headers, attachments, deleted items, and metadata using
-  response.
+  libpff, pst-utils, and forensic email analysis tools for legal investigations and
  incident response.
 domain: cybersecurity
 subdomain: digital-forensics
 tags:
@@ -28,6 +29,10 @@ nist_csf:
 - RS.AN-03
 - DE.AE-02
 - RS.MA-01
 mitre_attack:
 - T1114.001
 - T1564.008
 - T1070.008
 ---
 # Analyzing Outlook PST for Email Forensics
@@ -1,8 +1,10 @@
 ---
 name: analyzing-packed-malware-with-upx-unpacker
-description: 'Identifies and unpacks UPX-packed and other packed malware samples to expose the original executable code for
+description: 'Identifies and unpacks UPX-packed and other packed malware samples to
-  static analysis. Covers both standard UPX unpacking and handling modified UPX headers that prevent automated decompression.
+  expose the original executable code for static analysis. Covers both standard UPX
-  Activates for requests involving malware unpacking, UPX decompression, packer removal, or preparing packed samples for analysis.
+  unpacking and handling modified UPX headers that prevent automated decompression.
  Activates for requests involving malware unpacking, UPX decompression, packer removal,
  or preparing packed samples for analysis.
  '
 domain: cybersecurity
@@ -21,6 +23,10 @@ nist_csf:
 - RS.AN-03
 - ID.RA-01
 - DE.CM-01
 mitre_attack:
 - T1027.002
 - T1140
 - T1620
 ---
 # Analyzing Packed Malware with UPX Unpacker
@@ -1,9 +1,10 @@
 ---
 name: analyzing-pdf-malware-with-pdfid
-description: 'Analyzes malicious PDF files using PDFiD, pdf-parser, and peepdf to identify embedded JavaScript, shellcode,
+description: 'Analyzes malicious PDF files using PDFiD, pdf-parser, and peepdf to
-  exploits, and suspicious objects without opening the document. Determines the attack vector and extracts embedded payloads
+  identify embedded JavaScript, shellcode, exploits, and suspicious objects without
-  for further analysis. Activates for requests involving PDF malware analysis, malicious document analysis, PDF exploit investigation,
+  opening the document. Determines the attack vector and extracts embedded payloads
-  or suspicious attachment triage.
+  for further analysis. Activates for requests involving PDF malware analysis, malicious
  document analysis, PDF exploit investigation, or suspicious attachment triage.
  '
 domain: cybersecurity
@@ -22,6 +23,11 @@ nist_csf:
 - RS.AN-03
 - ID.RA-01
 - DE.CM-01
 mitre_attack:
 - T1204.002
 - T1566.001
 - T1059.007
 - T1027
 ---
 # Analyzing PDF Malware with PDFiD
@@ -1,7 +1,8 @@
 ---
 name: analyzing-persistence-mechanisms-in-linux
-description: Detect and analyze Linux persistence mechanisms including crontab entries, systemd service units, LD_PRELOAD
+description: Detect and analyze Linux persistence mechanisms including crontab entries,
-  hijacking, bashrc modifications, and authorized_keys backdoors using auditd and file integrity monitoring
+  systemd service units, LD_PRELOAD hijacking, bashrc modifications, and authorized_keys
  backdoors using auditd and file integrity monitoring
 domain: cybersecurity
 subdomain: threat-hunting
 tags:
@@ -17,6 +18,7 @@ mitre_attack:
 - T1543.002
 - T1574.006
 - T1546.004
 - T1098.004
 version: '1.0'
 author: mahipal
 license: Apache-2.0
@@ -1,7 +1,8 @@
 ---
 name: analyzing-powershell-empire-artifacts
-description: Detect PowerShell Empire framework artifacts in Windows event logs by identifying Base64 encoded launcher patterns,
+description: Detect PowerShell Empire framework artifacts in Windows event logs by
-  default user agents, staging URL structures, stager IOCs, and known Empire module signatures in Script Block Logging events.
+  identifying Base64 encoded launcher patterns, default user agents, staging URL structures,
  stager IOCs, and known Empire module signatures in Script Block Logging events.
 domain: cybersecurity
 subdomain: threat-hunting
 tags:
@@ -32,6 +33,12 @@ nist_csf:
 - DE.AE-02
 - DE.AE-07
 - ID.RA-05
 mitre_attack:
 - T1059.001
 - T1071.001
 - T1003.001
 - T1558.003
 - T1027.010
 ---
 # Analyzing PowerShell Empire Artifacts
@@ -1,15 +1,19 @@
 ---
 name: analyzing-powershell-script-block-logging
-description: Parse Windows PowerShell Script Block Logs (Event ID 4104) from EVTX files to detect obfuscated commands, encoded
+description: Parse Windows PowerShell Script Block Logs (Event ID 4104) from EVTX
-  payloads, and living-off-the-land techniques. Uses python-evtx to extract and reconstruct multi-block scripts, applies entropy
+  files to detect obfuscated commands, encoded payloads, and living-off-the-land techniques.
-  analysis and pattern matching for Base64-encoded commands, Invoke-Expression abuse, download cradles, and AMSI bypass attempts.
+  Uses python-evtx to extract and reconstruct multi-block scripts, applies entropy
  analysis and pattern matching for Base64-encoded commands, Invoke-Expression abuse,
  download cradles, and AMSI bypass attempts.
 domain: cybersecurity
 subdomain: security-operations
 tags:
 - analyzing
 - powershell
- script
+- script-block-logging
- block
+- event-id-4104
 - obfuscation-detection
 - windows-forensics
 - endpoint-security
 version: '1.0'
 author: mahipal
 license: Apache-2.0
@@ -18,6 +22,11 @@ nist_csf:
 - RS.MA-01
 - GV.OV-01
 - DE.AE-02
 mitre_attack:
 - T1059.001
 - T1027.010
 - T1140
 - T1105
 ---
@@ -1,7 +1,7 @@
 ---
 name: analyzing-prefetch-files-for-execution-history
-description: Parse Windows Prefetch files to determine program execution history including run counts, timestamps, and referenced
+description: Parse Windows Prefetch files to determine program execution history including
-  files for forensic investigation.
+  run counts, timestamps, and referenced files for forensic investigation.
 domain: cybersecurity
 subdomain: digital-forensics
 tags:
@@ -19,6 +19,11 @@ nist_csf:
 - RS.AN-03
 - DE.AE-02
 - RS.MA-01
 mitre_attack:
 - T1059.001
 - T1003.001
 - T1021.002
 - T1567.002
 ---
 # Analyzing Prefetch Files for Execution History
@@ -1,9 +1,10 @@
 ---
 name: analyzing-ransomware-encryption-mechanisms
-description: 'Analyzes encryption algorithms, key management, and file encryption routines used by ransomware families to
+description: 'Analyzes encryption algorithms, key management, and file encryption
-  assess decryption feasibility, identify implementation weaknesses, and support recovery efforts. Covers AES, RSA, ChaCha20,
+  routines used by ransomware families to assess decryption feasibility, identify
-  and hybrid encryption schemes. Activates for requests involving ransomware cryptanalysis, encryption analysis, key recovery
+  implementation weaknesses, and support recovery efforts. Covers AES, RSA, ChaCha20,
-  assessment, or ransomware decryption feasibility.
+  and hybrid encryption schemes. Activates for requests involving ransomware cryptanalysis,
  encryption analysis, key recovery assessment, or ransomware decryption feasibility.
  '
 domain: cybersecurity
@@ -22,6 +23,11 @@ nist_csf:
 - RS.AN-03
 - ID.RA-01
 - DE.CM-01
 mitre_attack:
 - T1486
 - T1573.001
 - T1573.002
 - T1027
 ---
 # Analyzing Ransomware Encryption Mechanisms
@@ -1,7 +1,8 @@
 ---
 name: analyzing-ransomware-leak-site-intelligence
-description: Monitor and analyze ransomware group data leak sites (DLS) to track victim postings, extract threat intelligence
+description: Monitor and analyze ransomware group data leak sites (DLS) to track victim
-  on group tactics, and assess sector-specific ransomware risk for proactive defense.
+  postings, extract threat intelligence on group tactics, and assess sector-specific
  ransomware risk for proactive defense.
 domain: cybersecurity
 subdomain: threat-intelligence
 tags:
@@ -10,7 +11,7 @@ tags:
 - data-leak
 - extortion
 - threat-intelligence
- monitoring
+- leak-site-monitoring
 - dls
 - victim-tracking
 version: '1.0'
@@ -21,6 +22,11 @@ nist_csf:
 - ID.RA-05
 - DE.CM-01
 - DE.AE-02
 mitre_attack:
 - T1657
 - T1486
 - T1567.002
 - T1591
 ---
 # Analyzing Ransomware Leak Site Intelligence
@@ -1,7 +1,8 @@
 ---
 name: analyzing-ransomware-network-indicators
-description: Identify ransomware network indicators including C2 beaconing patterns, TOR exit node connections, data exfiltration
+description: Identify ransomware network indicators including C2 beaconing patterns,
-  flows, and encryption key exchange via Zeek conn.log and NetFlow analysis
+  TOR exit node connections, data exfiltration flows, and encryption key exchange
  via Zeek conn.log and NetFlow analysis
 domain: cybersecurity
 subdomain: threat-hunting
 tags:
@@ -26,6 +27,12 @@ nist_csf:
 - DE.AE-02
 - DE.AE-07
 - ID.RA-05
 mitre_attack:
 - T1071.001
 - T1573
 - T1048
 - T1567.002
 - T1486
 ---
 # Analyzing Ransomware Network Indicators
@@ -1,9 +1,11 @@
 ---
 name: analyzing-ransomware-payment-wallets
-description: 'Traces ransomware cryptocurrency payment flows using blockchain analysis tools such as Chainalysis Reactor,
+description: 'Traces ransomware cryptocurrency payment flows using blockchain analysis
-  WalletExplorer, and blockchain.com APIs. Identifies wallet clusters, tracks fund movement through mixers and exchanges,
+  tools such as Chainalysis Reactor, WalletExplorer, and blockchain.com APIs. Identifies
-  and supports law enforcement attribution. Activates for requests involving ransomware payment tracing, bitcoin wallet analysis,
+  wallet clusters, tracks fund movement through mixers and exchanges, and supports
-  cryptocurrency forensics, or blockchain intelligence gathering.
+  law enforcement attribution. Activates for requests involving ransomware payment
  tracing, bitcoin wallet analysis, cryptocurrency forensics, or blockchain intelligence
  gathering.
  '
 domain: cybersecurity
@@ -23,6 +25,9 @@ nist_csf:
 - RS.MA-01
 - RC.RP-01
 - PR.IR-01
 mitre_attack:
 - T1657
 - T1486
 ---
 # Analyzing Ransomware Payment Wallets
@@ -1,9 +1,11 @@
 ---
 name: analyzing-sbom-for-supply-chain-vulnerabilities
-description: 'Parses Software Bill of Materials (SBOM) in CycloneDX and SPDX JSON formats to identify supply chain vulnerabilities
+description: 'Parses Software Bill of Materials (SBOM) in CycloneDX and SPDX JSON
-  by correlating components against the NVD CVE database via the NVD 2.0 API. Builds dependency graphs, calculates risk scores,
+  formats to identify supply chain vulnerabilities by correlating components against
-  identifies transitive vulnerability paths, and generates compliance reports. Activates for requests involving SBOM analysis,
+  the NVD CVE database via the NVD 2.0 API. Builds dependency graphs, calculates risk
-  software composition analysis, supply chain security assessment, dependency vulnerability scanning, CycloneDX/SPDX parsing,
+  scores, identifies transitive vulnerability paths, and generates compliance reports.
  Activates for requests involving SBOM analysis, software composition analysis, supply
  chain security assessment, dependency vulnerability scanning, CycloneDX/SPDX parsing,
  or CVE correlation.
  '
@@ -36,6 +38,11 @@ nist_csf:
 - GV.SC-03
 - GV.SC-06
 - GV.SC-07
 mitre_attack:
 - T1195.001
 - T1195.002
 - T1554
 - T1190
 ---
 # Analyzing SBOM for Supply Chain Vulnerabilities
@@ -1,9 +1,11 @@
 ---
 name: analyzing-security-logs-with-splunk
-description: 'Leverages Splunk Enterprise Security and SPL (Search Processing Language) to investigate security incidents
+description: 'Leverages Splunk Enterprise Security and SPL (Search Processing Language)
-  through log correlation, timeline reconstruction, and anomaly detection. Covers Windows event logs, firewall logs, proxy
+  to investigate security incidents through log correlation, timeline reconstruction,
-  logs, and authentication data analysis. Activates for requests involving Splunk investigation, SPL queries, SIEM log analysis,
+  and anomaly detection. Covers Windows event logs, firewall logs, proxy logs, and
-  security event correlation, or log-based incident investigation.
+  authentication data analysis. Activates for requests involving Splunk investigation,
  SPL queries, SIEM log analysis, security event correlation, or log-based incident
  investigation.
  '
 domain: cybersecurity
@@ -15,9 +17,11 @@ tags:
 - log-analysis
 - security-monitoring
 mitre_attack:
- T1070
+- T1110
- T1562
+- T1550.002
- T1059
+- T1021.001
 - T1059.001
 - T1003.001
 version: 1.0.0
 author: mahipal
 license: Apache-2.0
@@ -1,7 +1,7 @@
 ---
 name: analyzing-slack-space-and-file-system-artifacts
-description: Examine file system slack space, MFT entries, USN journal, and alternate data streams to recover hidden data
+description: Examine file system slack space, MFT entries, USN journal, and alternate
-  and reconstruct file activity on NTFS volumes.
+  data streams to recover hidden data and reconstruct file activity on NTFS volumes.
 domain: cybersecurity
 subdomain: digital-forensics
 tags:
@@ -20,6 +20,12 @@ nist_csf:
 - RS.AN-03
 - DE.AE-02
 - RS.MA-01
 mitre_attack:
 - T1070.006
 - T1564.004
 - T1070.004
 - T1005
 - T1006
 ---
 # Analyzing Slack Space and File System Artifacts
@@ -1,7 +1,8 @@
 ---
 name: analyzing-supply-chain-malware-artifacts
-description: Investigate supply chain attack artifacts including trojanized software updates, compromised build pipelines,
+description: Investigate supply chain attack artifacts including trojanized software
-  and sideloaded dependencies to identify intrusion vectors and scope of compromise.
+  updates, compromised build pipelines, and sideloaded dependencies to identify intrusion
  vectors and scope of compromise.
 domain: cybersecurity
 subdomain: malware-analysis
 tags:
@@ -33,6 +34,12 @@ nist_csf:
 - RS.AN-03
 - ID.RA-01
 - DE.CM-01
 mitre_attack:
 - T1195.002
 - T1195.001
 - T1554
 - T1553.002
 - T1027
 ---
 # Analyzing Supply Chain Malware Artifacts
@@ -1,7 +1,8 @@
 ---
 name: analyzing-threat-actor-ttps-with-mitre-attack
-description: MITRE ATT&CK is a globally-accessible knowledge base of adversary tactics, techniques, and procedures (TTPs)
+description: MITRE ATT&CK is a globally-accessible knowledge base of adversary tactics,
-  based on real-world observations. This skill covers systematically mapping threat actor beh
+  techniques, and procedures (TTPs) based on real-world observations. This skill covers
  systematically mapping threat actor beh
 domain: cybersecurity
 subdomain: threat-intelligence
 tags:
@@ -26,6 +27,12 @@ nist_csf:
 - ID.RA-05
 - DE.CM-01
 - DE.AE-02
 mitre_attack:
 - T1566.001
 - T1059.001
 - T1071.001
 - T1547.001
 - T1053.005
 ---
 # Analyzing Threat Actor TTPs with MITRE ATT&CK
@@ -1,9 +1,11 @@
 ---
 name: analyzing-threat-actor-ttps-with-mitre-navigator
-description: 'Map advanced persistent threat (APT) group tactics, techniques, and procedures (TTPs) to the MITRE ATT&CK framework
+description: 'Map advanced persistent threat (APT) group tactics, techniques, and
-  using the ATT&CK Navigator and attackcti Python library. The analyst queries STIX/TAXII data for group-technique associations,
+  procedures (TTPs) to the MITRE ATT&CK framework using the ATT&CK Navigator and attackcti
-  generates Navigator layer files for visualization, and compares defensive coverage against adversary profiles. Activates
+  Python library. The analyst queries STIX/TAXII data for group-technique associations,
-  for requests involving APT TTP mapping, ATT&CK Navigator layers, threat actor profiling, or MITRE technique coverage analysis.
+  generates Navigator layer files for visualization, and compares defensive coverage
  against adversary profiles. Activates for requests involving APT TTP mapping, ATT&CK
  Navigator layers, threat actor profiling, or MITRE technique coverage analysis.
  '
 domain: cybersecurity
@@ -38,6 +40,12 @@ nist_csf:
 - ID.RA-05
 - DE.CM-01
 - DE.AE-02
 mitre_attack:
 - T1566.001
 - T1059.001
 - T1071.001
 - T1547.001
 - T1053.005
 ---
 # Analyzing Threat Actor TTPs with MITRE Navigator
@@ -1,9 +1,11 @@
 ---
 name: analyzing-threat-intelligence-feeds
-description: 'Analyzes structured and unstructured threat intelligence feeds to extract actionable indicators, adversary tactics,
+description: 'Analyzes structured and unstructured threat intelligence feeds to extract
-  and campaign context. Use when ingesting commercial or open-source CTI feeds, evaluating feed quality, normalizing data
+  actionable indicators, adversary tactics, and campaign context. Use when ingesting
-  into STIX 2.1 format, or enriching existing IOCs with campaign attribution. Activates for requests involving ThreatConnect,
+  commercial or open-source CTI feeds, evaluating feed quality, normalizing data into
-  Recorded Future, Mandiant Advantage, MISP, AlienVault OTX, or automated feed aggregation pipelines.
+  STIX 2.1 format, or enriching existing IOCs with campaign attribution. Activates
  for requests involving ThreatConnect, Recorded Future, Mandiant Advantage, MISP,
  AlienVault OTX, or automated feed aggregation pipelines.
  '
 domain: cybersecurity
@@ -26,6 +28,12 @@ nist_csf:
 - ID.RA-05
 - DE.CM-01
 - DE.AE-02
 mitre_attack:
 - T1071.001
 - T1566
 - T1568
 - T1583.001
 - T1102
 ---
 # Analyzing Threat Intelligence Feeds
@@ -1,16 +1,19 @@
 ---
 name: analyzing-threat-landscape-with-misp
-description: Analyze the threat landscape using MISP (Malware Information Sharing Platform) by querying event statistics,
+description: Analyze the threat landscape using MISP (Malware Information Sharing
-  attribute distributions, threat actor galaxy clusters, and tag trends over time. Uses PyMISP to pull event data, compute
+  Platform) by querying event statistics, attribute distributions, threat actor galaxy
-  IOC type breakdowns, identify top threat actors and malware families, and generate threat landscape reports with temporal
+  clusters, and tag trends over time. Uses PyMISP to pull event data, compute IOC
-  trends.
+  type breakdowns, identify top threat actors and malware families, and generate threat
  landscape reports with temporal trends.
 domain: cybersecurity
 subdomain: threat-intelligence
 tags:
- analyzing
+- threat-intelligence
- threat
+- misp
- landscape
+- threat-landscape
- with
+- ioc-analysis
 - cti
 - threat-sharing
 version: '1.0'
 author: mahipal
 license: Apache-2.0
@@ -25,6 +28,12 @@ nist_csf:
 - ID.RA-05
 - DE.CM-01
 - DE.AE-02
 mitre_attack:
 - T1566
 - T1071.001
 - T1568
 - T1583.001
 - T1102
 ---
@@ -1,17 +1,20 @@
 ---
 name: analyzing-tls-certificate-transparency-logs
-description: 'Queries Certificate Transparency logs via crt.sh and pycrtsh to detect phishing domains, unauthorized certificate
+description: 'Queries Certificate Transparency logs via crt.sh and pycrtsh to detect
-  issuance, and shadow IT. Monitors newly issued certificates for typosquatting and brand impersonation using Levenshtein
+  phishing domains, unauthorized certificate issuance, and shadow IT. Monitors newly
  issued certificates for typosquatting and brand impersonation using Levenshtein
  distance. Use for proactive phishing domain detection and certificate monitoring.
  '
 domain: cybersecurity
 subdomain: security-operations
 tags:
- analyzing
+- certificate-transparency
- tls
+- ct-logs
- certificate
+- crt-sh
- transparency
+- phishing-detection
 - tls-monitoring
 - security-operations
 version: '1.0'
 author: mahipal
 license: Apache-2.0
@@ -23,6 +26,11 @@ nist_csf:
 - RS.MA-01
 - GV.OV-01
 - DE.AE-02
 mitre_attack:
 - T1583.001
 - T1566.002
 - T1598.003
 - T1583.006
 ---
 # Analyzing TLS Certificate Transparency Logs
@@ -1,7 +1,8 @@
 ---
 name: analyzing-typosquatting-domains-with-dnstwist
-description: Detect typosquatting, homograph phishing, and brand impersonation domains using dnstwist to generate domain permutations
+description: Detect typosquatting, homograph phishing, and brand impersonation domains
-  and identify registered lookalike domains targeting your organization.
+  using dnstwist to generate domain permutations and identify registered lookalike
  domains targeting your organization.
 domain: cybersecurity
 subdomain: threat-intelligence
 tags:
@@ -24,6 +25,11 @@ nist_csf:
 - ID.RA-05
 - DE.CM-01
 - DE.AE-02
 mitre_attack:
 - T1583.001
 - T1566.002
 - T1598.003
 - T1583.006
 ---
 # Analyzing Typosquatting Domains with DNSTwist
@@ -1,10 +1,12 @@
 ---
 name: analyzing-uefi-bootkit-persistence
-description: 'Analyzes UEFI bootkit persistence mechanisms including firmware implants in SPI flash, EFI System Partition
+description: 'Analyzes UEFI bootkit persistence mechanisms including firmware implants
-  (ESP) modifications, Secure Boot bypass techniques, and UEFI variable manipulation. Covers detection of known bootkit families
+  in SPI flash, EFI System Partition (ESP) modifications, Secure Boot bypass techniques,
-  (BlackLotus, LoJax, MosaicRegressor, MoonBounce, CosmicStrand), ESP partition forensic inspection, chipsec-based firmware
+  and UEFI variable manipulation. Covers detection of known bootkit families (BlackLotus,
-  integrity verification, and Secure Boot configuration auditing. Activates for requests involving UEFI malware analysis,
+  LoJax, MosaicRegressor, MoonBounce, CosmicStrand), ESP partition forensic inspection,
-  firmware persistence investigation, boot chain integrity verification, or Secure Boot bypass detection.
+  chipsec-based firmware integrity verification, and Secure Boot configuration auditing.
  Activates for requests involving UEFI malware analysis, firmware persistence investigation,
  boot chain integrity verification, or Secure Boot bypass detection.
  '
 domain: cybersecurity
@@ -30,6 +32,12 @@ nist_csf:
 - ID.RA-01
 - PR.PS-01
 - PR.PS-02
 mitre_attack:
 - T1542.001
 - T1542.003
 - T1553.006
 - T1542
 - T1014
 ---
 # Analyzing UEFI Bootkit Persistence
@@ -1,7 +1,7 @@
 ---
 name: analyzing-usb-device-connection-history
-description: Investigate USB device connection history from Windows registry, event logs, and setupapi logs to track removable
+description: Investigate USB device connection history from Windows registry, event
-  media usage and potential data exfiltration.
+  logs, and setupapi logs to track removable media usage and potential data exfiltration.
 domain: cybersecurity
 subdomain: digital-forensics
 tags:
@@ -19,6 +19,12 @@ nist_csf:
 - RS.AN-03
 - DE.AE-02
 - RS.MA-01
 mitre_attack:
 - T1052.001
 - T1025
 - T1091
 - T1005
 - T1074.001
 ---
 # Analyzing USB Device Connection History
@@ -1,15 +1,20 @@
 ---
 name: analyzing-web-server-logs-for-intrusion
-description: Parse Apache and Nginx access logs to detect SQL injection attempts, local file inclusion, directory traversal,
+description: Parse Apache and Nginx access logs to detect SQL injection attempts,
-  web scanner fingerprints, and brute-force patterns. Uses regex-based pattern matching against OWASP attack signatures, GeoIP
+  local file inclusion, directory traversal, web scanner fingerprints, and brute-force
-  enrichment for source attribution, and statistical anomaly detection for request frequency and response size outliers.
+  patterns. Uses regex-based pattern matching against OWASP attack signatures, GeoIP
  enrichment for source attribution, and statistical anomaly detection for request
  frequency and response size outliers.
 domain: cybersecurity
 subdomain: security-operations
 tags:
- analyzing
+- web-log-analysis
- web
+- apache-logs
- server
+- nginx-logs
- logs
+- sql-injection-detection
 - lfi-detection
 - directory-traversal
 - intrusion-detection
 version: '1.0'
 author: mahipal
 license: Apache-2.0
@@ -18,6 +23,12 @@ nist_csf:
 - RS.MA-01
 - GV.OV-01
 - DE.AE-02
 mitre_attack:
 - T1190
 - T1059.007
 - T1110
 - T1595.002
 - T1505.003
 ---
@@ -1,9 +1,12 @@
 ---
 name: analyzing-windows-amcache-artifacts
-description: 'Parses and analyzes the Windows Amcache.hve registry hive to extract evidence of program execution, application
+description: 'Parses and analyzes the Windows Amcache.hve registry hive to extract
-  installation, and driver loading for digital forensics investigations. Uses Eric Zimmerman''s AmcacheParser and Timeline
+  evidence of program execution, application installation, and driver loading for
-  Explorer for artifact extraction, SHA-1 hash correlation with threat intel, and timeline reconstruction. Activates for requests
+  digital forensics investigations. Uses Eric Zimmerman''s AmcacheParser and Timeline
-  involving Amcache forensics, program execution evidence, Windows artifact analysis, or application compatibility cache investigation.
+  Explorer for artifact extraction, SHA-1 hash correlation with threat intel, and
  timeline reconstruction. Activates for requests involving Amcache forensics, program
  execution evidence, Windows artifact analysis, or application compatibility cache
  investigation.
  '
 domain: cybersecurity
@@ -24,6 +27,12 @@ nist_csf:
 - RS.AN-03
 - DE.AE-02
 - RS.MA-01
 mitre_attack:
 - T1070.004
 - T1070.006
 - T1036.005
 - T1014
 - T1005
 ---
 # Analyzing Windows Amcache Artifacts
@@ -1,9 +1,10 @@
 ---
 name: analyzing-windows-event-logs-in-splunk
-description: 'Analyzes Windows Security, System, and Sysmon event logs in Splunk to detect authentication attacks, privilege
+description: 'Analyzes Windows Security, System, and Sysmon event logs in Splunk to
-  escalation, persistence mechanisms, and lateral movement using SPL queries mapped to MITRE ATT&CK techniques. Use when SOC
+  detect authentication attacks, privilege escalation, persistence mechanisms, and
-  analysts need to investigate Windows-based threats, build detection queries, or perform forensic timeline analysis of Windows
+  lateral movement using SPL queries mapped to MITRE ATT&CK techniques. Use when SOC
-  endpoints and domain controllers.
+  analysts need to investigate Windows-based threats, build detection queries, or
  perform forensic timeline analysis of Windows endpoints and domain controllers.
  '
 domain: cybersecurity
@@ -30,6 +31,13 @@ nist_csf:
 - DE.AE-02
 - RS.MA-01
 - DE.AE-06
 mitre_attack:
 - T1110
 - T1053.005
 - T1547.001
 - T1021.002
 - T1558.003
 - T1003.006
 ---
 # Analyzing Windows Event Logs in Splunk
@@ -1,7 +1,7 @@
 ---
 name: analyzing-windows-lnk-files-for-artifacts
-description: Parse Windows LNK shortcut files to extract target paths, timestamps, volume information, and machine identifiers
+description: Parse Windows LNK shortcut files to extract target paths, timestamps,
-  for forensic timeline reconstruction.
+  volume information, and machine identifiers for forensic timeline reconstruction.
 domain: cybersecurity
 subdomain: digital-forensics
 tags:
@@ -19,6 +19,12 @@ nist_csf:
 - RS.AN-03
 - DE.AE-02
 - RS.MA-01
 mitre_attack:
 - T1547.001
 - T1204.002
 - T1005
 - T1025
 - T1074.001
 ---
 # Analyzing Windows LNK Files for Artifacts
@@ -1,7 +1,8 @@
 ---
 name: analyzing-windows-prefetch-with-python
-description: Parse Windows Prefetch files using the windowsprefetch Python library to reconstruct application execution history,
+description: Parse Windows Prefetch files using the windowsprefetch Python library
-  detect renamed or masquerading binaries, and identify suspicious program execution patterns.
+  to reconstruct application execution history, detect renamed or masquerading binaries,
  and identify suspicious program execution patterns.
 domain: cybersecurity
 subdomain: digital-forensics
 tags:
@@ -12,9 +13,11 @@ tags:
 - incident-response
 - malware-analysis
 mitre_attack:
- T1059
+- T1036.005
- T1204
+- T1070.004
- T1036
+- T1070
 - T1003.001
 - T1057
 version: '1.0'
 author: mahipal
 license: Apache-2.0
@@ -1,7 +1,7 @@
 ---
 name: analyzing-windows-registry-for-artifacts
-description: Extract and analyze Windows Registry hives to uncover user activity, installed software, autostart entries, and
+description: Extract and analyze Windows Registry hives to uncover user activity,
-  evidence of system compromise.
+  installed software, autostart entries, and evidence of system compromise.
 domain: cybersecurity
 subdomain: digital-forensics
 tags:
@@ -19,6 +19,12 @@ nist_csf:
 - RS.AN-03
 - DE.AE-02
 - RS.MA-01
 mitre_attack:
 - T1012
 - T1547.001
 - T1112
 - T1003.002
 - T1025
 ---
 # Analyzing Windows Registry for Artifacts
@@ -1,8 +1,8 @@
 ---
 name: analyzing-windows-shellbag-artifacts
-description: Analyze Windows Shellbag registry artifacts to reconstruct folder browsing activity, detect access to removable
+description: Analyze Windows Shellbag registry artifacts to reconstruct folder browsing
-  media and network shares, and establish user interaction with directories even after deletion using SBECmd and ShellBags
+  activity, detect access to removable media and network shares, and establish user
-  Explorer.
+  interaction with directories even after deletion using SBECmd and ShellBags Explorer.
 domain: cybersecurity
 subdomain: digital-forensics
 tags:
@@ -24,6 +24,12 @@ nist_csf:
 - RS.AN-03
 - DE.AE-02
 - RS.MA-01
 mitre_attack:
 - T1083
 - T1074.001
 - T1135
 - T1025
 - T1070.004
 ---
 # Analyzing Windows Shellbag Artifacts
@@ -1,7 +1,8 @@
 ---
 name: auditing-aws-s3-bucket-permissions
-description: 'Systematically audit AWS S3 bucket permissions to identify publicly accessible buckets, overly permissive ACLs,
+description: 'Systematically audit AWS S3 bucket permissions to identify publicly
-  misconfigured bucket policies, and missing encryption settings using AWS CLI, S3audit, and Prowler to enforce least-privilege
+  accessible buckets, overly permissive ACLs, misconfigured bucket policies, and missing
  encryption settings using AWS CLI, S3audit, and Prowler to enforce least-privilege
  data access controls.
  '
@@ -22,6 +23,12 @@ nist_csf:
 - ID.AM-08
 - GV.SC-06
 - DE.CM-01
 mitre_attack:
 - T1530
 - T1619
 - T1078.004
 - T1537
 - T1567.002
 ---
 # Auditing AWS S3 Bucket Permissions
@@ -1,7 +1,8 @@
 ---
 name: auditing-azure-active-directory-configuration
-description: 'Auditing Microsoft Entra ID (Azure Active Directory) configuration to identify risky authentication policies,
+description: 'Auditing Microsoft Entra ID (Azure Active Directory) configuration to
-  overly permissive role assignments, stale accounts, conditional access gaps, and guest user risks using AzureAD PowerShell,
+  identify risky authentication policies, overly permissive role assignments, stale
  accounts, conditional access gaps, and guest user risks using AzureAD PowerShell,
  Microsoft Graph API, and ScoutSuite.
  '
@@ -22,6 +23,12 @@ nist_csf:
 - ID.AM-08
 - GV.SC-06
 - DE.CM-01
 mitre_attack:
 - T1078.004
 - T1098.003
 - T1556.006
 - T1069.003
 - T1526
 ---
 # Auditing Azure Active Directory Configuration
@@ -1,9 +1,10 @@
 ---
 name: auditing-cloud-with-cis-benchmarks
-description: 'This skill details how to conduct cloud security audits using Center for Internet Security benchmarks for AWS,
+description: 'This skill details how to conduct cloud security audits using Center
-  Azure, and GCP. It covers interpreting CIS Foundations Benchmark controls, running automated assessments with tools like
+  for Internet Security benchmarks for AWS, Azure, and GCP. It covers interpreting
-  Prowler and ScoutSuite, remediating failed controls, and maintaining continuous compliance monitoring against CIS v5 for
+  CIS Foundations Benchmark controls, running automated assessments with tools like
-  AWS, v4 for Azure, and v4 for GCP.
+  Prowler and ScoutSuite, remediating failed controls, and maintaining continuous
  compliance monitoring against CIS v5 for AWS, v4 for Azure, and v4 for GCP.
  '
 domain: cybersecurity
@@ -26,6 +27,12 @@ nist_csf:
 - ID.AM-08
 - GV.SC-06
 - DE.CM-01
 mitre_attack:
 - T1078.004
 - T1530
 - T1098.003
 - T1685.002
 - T1580
 ---
 # Auditing Cloud with CIS Benchmarks
@@ -1,7 +1,8 @@
 ---
 name: auditing-gcp-iam-permissions
-description: 'Auditing Google Cloud Platform IAM permissions to identify overly permissive bindings, primitive role usage,
+description: 'Auditing Google Cloud Platform IAM permissions to identify overly permissive
-  service account key proliferation, and cross-project access risks using gcloud CLI, Policy Analyzer, and IAM Recommender.
+  bindings, primitive role usage, service account key proliferation, and cross-project
  access risks using gcloud CLI, Policy Analyzer, and IAM Recommender.
  '
 domain: cybersecurity
@@ -21,6 +22,12 @@ nist_csf:
 - ID.AM-08
 - GV.SC-06
 - DE.CM-01
 mitre_attack:
 - T1078.004
 - T1098.003
 - T1528
 - T1548.005
 - T1580
 ---
 # Auditing GCP IAM Permissions
@@ -1,7 +1,8 @@
 ---
 name: auditing-kubernetes-cluster-rbac
-description: 'Auditing Kubernetes cluster RBAC configurations to identify overly permissive roles, wildcard permissions, dangerous
+description: 'Auditing Kubernetes cluster RBAC configurations to identify overly permissive
-  ClusterRoleBindings, service account abuse, and privilege escalation paths using kubectl, rbac-tool, KubiScan, and Kubeaudit.
+  roles, wildcard permissions, dangerous ClusterRoleBindings, service account abuse,
  and privilege escalation paths using kubectl, rbac-tool, KubiScan, and Kubeaudit.
  '
 domain: cybersecurity
@@ -22,6 +23,12 @@ nist_csf:
 - ID.AM-08
 - GV.SC-06
 - DE.CM-01
 mitre_attack:
 - T1098.006
 - T1552.007
 - T1611
 - T1613
 - T1078.004
 ---
 # Auditing Kubernetes Cluster RBAC
@@ -1,7 +1,8 @@
 ---
 name: auditing-terraform-infrastructure-for-security
-description: 'Auditing Terraform infrastructure-as-code for security misconfigurations using Checkov, tfsec, Terrascan, and
+description: 'Auditing Terraform infrastructure-as-code for security misconfigurations
-  OPA/Rego policies to detect overly permissive IAM policies, public resource exposure, missing encryption, and insecure defaults
+  using Checkov, tfsec, Terrascan, and OPA/Rego policies to detect overly permissive
  IAM policies, public resource exposure, missing encryption, and insecure defaults
  before cloud deployment.
  '
@@ -22,6 +23,12 @@ nist_csf:
 - ID.AM-08
 - GV.SC-06
 - DE.CM-01
 mitre_attack:
 - T1078.004
 - T1530
 - T1190
 - T1552.001
 - T1580
 ---
 # Auditing Terraform Infrastructure for Security
@@ -1,10 +1,12 @@
 ---
 name: auditing-tls-certificate-transparency-logs
-description: 'Monitors Certificate Transparency (CT) logs to detect unauthorized certificate issuance, discover subdomains
+description: 'Monitors Certificate Transparency (CT) logs to detect unauthorized certificate
-  via CT data, and alert on suspicious certificate activity for owned domains. Uses the crt.sh API and direct CT log querying
+  issuance, discover subdomains via CT data, and alert on suspicious certificate activity
-  based on RFC 6962 to build continuous monitoring pipelines that catch rogue certificates, track CA behavior, and map the
+  for owned domains. Uses the crt.sh API and direct CT log querying based on RFC 6962
-  external attack surface. Activates for requests involving certificate transparency monitoring, CT log auditing, subdomain
+  to build continuous monitoring pipelines that catch rogue certificates, track CA
-  discovery via certificates, or certificate issuance alerting.
+  behavior, and map the external attack surface. Activates for requests involving
  certificate transparency monitoring, CT log auditing, subdomain discovery via certificates,
  or certificate issuance alerting.
  '
 domain: cybersecurity
@@ -24,6 +26,12 @@ nist_csf:
 - ID.RA-05
 - DE.CM-01
 - DE.AE-02
 mitre_attack:
 - T1596.003
 - T1583.001
 - T1587.003
 - T1593
 - T1566.002
 ---
 # Auditing TLS Certificate Transparency Logs
@@ -1,10 +1,12 @@
 ---
 name: automating-ioc-enrichment
-description: 'Automates the enrichment of raw indicators of compromise with multi-source threat intelligence context using
+description: 'Automates the enrichment of raw indicators of compromise with multi-source
-  SOAR platforms, Python pipelines, or TIP playbooks to reduce analyst triage time and standardize enrichment outputs. Use
+  threat intelligence context using SOAR platforms, Python pipelines, or TIP playbooks
-  when building automated enrichment workflows integrated with SIEM alerts, email submission pipelines, or bulk IOC processing
+  to reduce analyst triage time and standardize enrichment outputs. Use when building
-  from threat feeds. Activates for requests involving SOAR enrichment, Cortex XSOAR, Splunk SOAR, TheHive, Python enrichment
+  automated enrichment workflows integrated with SIEM alerts, email submission pipelines,
-  pipelines, or automated IOC processing.
+  or bulk IOC processing from threat feeds. Activates for requests involving SOAR
  enrichment, Cortex XSOAR, Splunk SOAR, TheHive, Python enrichment pipelines, or
  automated IOC processing.
  '
 domain: cybersecurity
@@ -27,6 +29,12 @@ nist_csf:
 - ID.RA-05
 - DE.CM-01
 - DE.AE-02
 mitre_attack:
 - T1071.001
 - T1583.001
 - T1588.001
 - T1590.005
 - T1596
 ---
 # Automating IOC Enrichment
@@ -1,7 +1,8 @@
 ---
 name: building-adversary-infrastructure-tracking-system
-description: Build an automated system to track adversary infrastructure using passive DNS, certificate transparency, WHOIS
+description: Build an automated system to track adversary infrastructure using passive
-  data, and IP enrichment to map and monitor threat actor command-and-control networks.
+  DNS, certificate transparency, WHOIS data, and IP enrichment to map and monitor
  threat actor command-and-control networks.
 domain: cybersecurity
 subdomain: threat-intelligence
 tags:
@@ -21,6 +22,12 @@ nist_csf:
 - ID.RA-05
 - DE.CM-01
 - DE.AE-02
 mitre_attack:
 - T1583.001
 - T1583.004
 - T1596.001
 - T1590.002
 - T1071.001
 ---
 # Building Adversary Infrastructure Tracking System
@@ -1,7 +1,8 @@
 ---
 name: building-attack-pattern-library-from-cti-reports
-description: Extract and catalog attack patterns from cyber threat intelligence reports into a structured STIX-based library
+description: Extract and catalog attack patterns from cyber threat intelligence reports
-  mapped to MITRE ATT&CK for detection engineering and threat-informed defense.
+  into a structured STIX-based library mapped to MITRE ATT&CK for detection engineering
  and threat-informed defense.
 domain: cybersecurity
 subdomain: threat-intelligence
 tags:
@@ -27,6 +28,12 @@ nist_csf:
 - ID.RA-05
 - DE.CM-01
 - DE.AE-02
 mitre_attack:
 - T1566.001
 - T1059.001
 - T1003.001
 - T1558.003
 - T1550.002
 ---
 # Building Attack Pattern Library from CTI Reports
@@ -1,8 +1,10 @@
 ---
 name: building-automated-malware-submission-pipeline
-description: 'Builds an automated malware submission and analysis pipeline that collects suspicious files from endpoints and
+description: 'Builds an automated malware submission and analysis pipeline that collects
-  email gateways, submits them to sandbox environments and multi-engine scanners, and generates verdicts with IOCs for SIEM
+  suspicious files from endpoints and email gateways, submits them to sandbox environments
-  integration. Use when SOC teams need to scale malware analysis beyond manual sandbox submissions for high-volume alert triage.
+  and multi-engine scanners, and generates verdicts with IOCs for SIEM integration.
  Use when SOC teams need to scale malware analysis beyond manual sandbox submissions
  for high-volume alert triage.
  '
 domain: cybersecurity
@@ -24,6 +26,12 @@ nist_csf:
 - DE.AE-02
 - RS.MA-01
 - DE.AE-06
 mitre_attack:
 - T1204.002
 - T1566.001
 - T1027
 - T1055
 - T1497
 ---
 # Building Automated Malware Submission Pipeline
@@ -1,7 +1,8 @@
 ---
 name: building-c2-infrastructure-with-sliver-framework
-description: Build and configure a resilient command-and-control infrastructure using BishopFox's Sliver C2 framework with
+description: Build and configure a resilient command-and-control infrastructure using
-  redirectors, HTTPS listeners, and multi-operator support for authorized red team engagements.
+  BishopFox's Sliver C2 framework with redirectors, HTTPS listeners, and multi-operator
  support for authorized red team engagements.
 domain: cybersecurity
 subdomain: red-teaming
 tags:
@@ -25,6 +26,13 @@ nist_csf:
 - ID.RA-01
 - GV.OV-02
 - DE.AE-07
 mitre_attack:
 - T1071.001
 - T1071.004
 - T1573.002
 - T1090.002
 - T1105
 - T1572
 ---
 # Building C2 Infrastructure with Sliver Framework
@@ -1,9 +1,10 @@
 ---
 name: building-cloud-siem-with-sentinel
-description: 'This skill covers deploying Microsoft Sentinel as a cloud-native SIEM and SOAR platform for centralized security
+description: 'This skill covers deploying Microsoft Sentinel as a cloud-native SIEM
-  operations. It details configuring data connectors for multi-cloud log ingestion, writing KQL detection queries, building
+  and SOAR platform for centralized security operations. It details configuring data
-  automated response playbooks with Logic Apps, and leveraging the Sentinel data lake for petabyte-scale threat hunting across
+  connectors for multi-cloud log ingestion, writing KQL detection queries, building
-  AWS, Azure, and GCP security telemetry.
+  automated response playbooks with Logic Apps, and leveraging the Sentinel data lake
  for petabyte-scale threat hunting across AWS, Azure, and GCP security telemetry.
  '
 domain: cybersecurity
@@ -30,6 +31,12 @@ nist_csf:
 - ID.AM-08
 - GV.SC-06
 - DE.CM-01
 mitre_attack:
 - T1078.004
 - T1548.005
 - T1485
 - T1530
 - T1021.007
 ---
 # Building Cloud SIEM with Sentinel
@@ -1,7 +1,7 @@
 ---
 name: building-detection-rule-with-splunk-spl
-description: Build effective detection rules using Splunk Search Processing Language (SPL) correlation searches to identify
+description: Build effective detection rules using Splunk Search Processing Language
-  security threats in SOC environments.
+  (SPL) correlation searches to identify security threats in SOC environments.
 domain: cybersecurity
 subdomain: soc-operations
 tags:
@@ -27,6 +27,13 @@ nist_csf:
 - DE.AE-02
 - RS.MA-01
 - DE.AE-06
 mitre_attack:
 - T1059.001
 - T1003.001
 - T1021.002
 - T1110.003
 - T1053.005
 - T1048
 ---
 # Building Detection Rules with Splunk SPL
@@ -1,9 +1,10 @@
 ---
 name: building-detection-rules-with-sigma
-description: 'Builds vendor-agnostic detection rules using the Sigma rule format for threat detection across SIEM platforms
+description: 'Builds vendor-agnostic detection rules using the Sigma rule format for
-  including Splunk, Elastic, and Microsoft Sentinel. Use when creating portable detection logic from threat intelligence,
+  threat detection across SIEM platforms including Splunk, Elastic, and Microsoft
-  mapping rules to MITRE ATT&CK techniques, or converting community Sigma rules into platform-specific queries using sigmac
+  Sentinel. Use when creating portable detection logic from threat intelligence, mapping
-  or pySigma backends.
+  rules to MITRE ATT&CK techniques, or converting community Sigma rules into platform-specific
  queries using sigmac or pySigma backends.
  '
 domain: cybersecurity
@@ -31,6 +32,12 @@ nist_csf:
 - DE.AE-02
 - RS.MA-01
 - DE.AE-06
 mitre_attack:
 - T1059.001
 - T1003.001
 - T1055
 - T1053.005
 - T1547.001
 ---
 # Building Detection Rules with Sigma
@@ -1,7 +1,7 @@
 ---
 name: building-devsecops-pipeline-with-gitlab-ci
-description: Design and implement a comprehensive DevSecOps pipeline in GitLab CI/CD integrating SAST, DAST, container scanning,
+description: Design and implement a comprehensive DevSecOps pipeline in GitLab CI/CD
-  dependency scanning, and secret detection.
+  integrating SAST, DAST, container scanning, dependency scanning, and secret detection.
 domain: cybersecurity
 subdomain: devsecops
 tags:
@@ -21,6 +21,12 @@ nist_csf:
 - GV.SC-07
 - ID.IM-04
 - PR.PS-04
 mitre_attack:
 - T1195.001
 - T1195.002
 - T1552.001
 - T1190
 - T1610
 ---
 # Building DevSecOps Pipeline with GitLab CI
@@ -1,7 +1,8 @@
 ---
 name: building-identity-federation-with-saml-azure-ad
-description: Establish SAML 2.0 identity federation between on-premises Active Directory and Azure AD (Microsoft Entra ID)
+description: Establish SAML 2.0 identity federation between on-premises Active Directory
-  for seamless cross-domain authentication and SSO to cloud applications.
+  and Azure AD (Microsoft Entra ID) for seamless cross-domain authentication and SSO
  to cloud applications.
 domain: cybersecurity
 subdomain: identity-access-management
 tags:
@@ -21,6 +22,12 @@ nist_csf:
 - PR.AA-02
 - PR.AA-05
 - PR.AA-06
 mitre_attack:
 - T1606.002
 - T1556.007
 - T1484.002
 - T1078.004
 - T1110.003
 ---
 # Building Identity Federation with SAML Azure AD
@@ -1,9 +1,10 @@
 ---
 name: building-identity-governance-lifecycle-process
-description: 'Builds comprehensive identity governance and lifecycle management processes including joiner-mover-leaver automation,
+description: 'Builds comprehensive identity governance and lifecycle management processes
-  role mining, access request workflows, periodic recertification, and orphaned account remediation using IGA platforms. Activates
+  including joiner-mover-leaver automation, role mining, access request workflows,
-  for requests involving identity lifecycle management, JML processes, role-based access provisioning, or identity governance
+  periodic recertification, and orphaned account remediation using IGA platforms.
-  program design.
+  Activates for requests involving identity lifecycle management, JML processes, role-based
  access provisioning, or identity governance program design.
  '
 domain: cybersecurity
@@ -27,6 +28,12 @@ nist_csf:
 - PR.AA-02
 - PR.AA-05
 - PR.AA-06
 mitre_attack:
 - T1098
 - T1136
 - T1078
 - T1531
 - T1087
 ---
 # Building Identity Governance Lifecycle Process
@@ -1,8 +1,10 @@
 ---
 name: building-incident-response-dashboard
-description: 'Builds real-time incident response dashboards in Splunk, Elastic, or Grafana to provide SOC analysts and leadership
+description: 'Builds real-time incident response dashboards in Splunk, Elastic, or
-  with situational awareness during active incidents, tracking affected systems, containment status, IOC spread, and response
+  Grafana to provide SOC analysts and leadership with situational awareness during
-  timeline. Use when IR teams need unified visibility during incident coordination and post-incident reporting.
+  active incidents, tracking affected systems, containment status, IOC spread, and
  response timeline. Use when IR teams need unified visibility during incident coordination
  and post-incident reporting.
  '
 domain: cybersecurity
@@ -23,6 +25,12 @@ nist_csf:
 - DE.AE-02
 - RS.MA-01
 - DE.AE-06
 mitre_attack:
 - T1486
 - T1071.001
 - T1021.002
 - T1041
 - T1566
 ---
 # Building Incident Response Dashboard
@@ -1,9 +1,11 @@
 ---
 name: building-incident-response-playbook
-description: 'Designs and documents structured incident response playbooks that define step-by-step procedures for specific
+description: 'Designs and documents structured incident response playbooks that define
-  incident types aligned with NIST SP 800-61r3 and SANS PICERL frameworks. Covers playbook structure, decision trees, escalation
+  step-by-step procedures for specific incident types aligned with NIST SP 800-61r3
-  criteria, RACI matrices, and integration with SOAR platforms. Activates for requests involving IR playbook creation, incident
+  and SANS PICERL frameworks. Covers playbook structure, decision trees, escalation
-  response procedure documentation, response runbook development, or SOAR playbook design.
+  criteria, RACI matrices, and integration with SOAR platforms. Activates for requests
  involving IR playbook creation, incident response procedure documentation, response
  runbook development, or SOAR playbook design.
  '
 domain: cybersecurity
@@ -15,8 +17,10 @@ tags:
 - SOAR-integration
 - response-procedures
 mitre_attack:
- T1190
+- T1486
 - T1566
 - T1190
 - T1041
 - T1078
 version: 1.0.0
 author: mahipal
@@ -1,7 +1,8 @@
 ---
 name: building-incident-timeline-with-timesketch
-description: Build collaborative forensic incident timelines using Timesketch to ingest, normalize, and analyze multi-source
+description: Build collaborative forensic incident timelines using Timesketch to ingest,
-  event data for attack chain reconstruction and investigation documentation.
+  normalize, and analyze multi-source event data for attack chain reconstruction and
  investigation documentation.
 domain: cybersecurity
 subdomain: incident-response
 tags:
@@ -13,9 +14,11 @@ tags:
 - incident-investigation
 - collaborative-forensics
 mitre_attack:
- T1070
+- T1059.001
- T1059
+- T1021.002
- T1053
+- T1547.001
 - T1053.005
 - T1070.006
 version: '1.0'
 author: mahipal
 license: Apache-2.0
--- a/Show More
+++ b/Show More
Author	SHA1	Message	Date
mukul975	04450304b1	chore: auto-update index.json	2026-06-01 10:15:47 +00:00
mukul975	cb8d79e068	Map all 754 skills to MITRE ATT&CK v19.1 - Add validated mitre_attack frontmatter to all 754 skills (286 distinct techniques), verified against MITRE ATT&CK v19.1 via the official mitreattack-python library: 0 revoked, deprecated, or invalid IDs - Curate precise per-skill technique IDs for forensics, malware-analysis, threat-intel, and red-team skills (e.g. DCSync -> T1003.006, Kerberoasting -> T1558.003, Pass-the-Ticket -> T1550.003) - Reconcile v19.1 tactic restructuring: Defense Evasion split into Stealth (TA0005) and Defense Impairment (TA0112); revoked T1562.* family and T1070.001/.002 remapped to active equivalents (T1685.*) - Normalize word-split tags across 35 skills (remove filename-derived stopword tags, add semantic cybersecurity tags) - Add api-reference.md for 3 skills that were missing it - Update README ATT&CK section with accurate v19.1 tactic distribution	2026-06-01 12:13:29 +02:00
mukul975	9a588e643e	chore: auto-update index.json	2026-05-30 09:32:08 +00:00
Mahipal	868465b4e4	Merge pull request #58 from Bortlesboat/fix/objection-skill-description Fix description YAML for Objection iOS skill	2026-05-30 11:32:00 +02:00
Andrew Barnes	2338e0371c	Fix Objection skill description frontmatter Normalize YAML description so tools can reliably parse it.	2026-05-25 09:04:36 -04:00
Mahipal	0f429d0f96	Update README.md	2026-05-13 11:07:15 +02:00
Mahipal	15b63716a4	Update README.md	2026-05-13 10:56:27 +02:00
mukul975	77d5d9d686	chore: auto-update index.json	2026-04-26 12:03:37 +00:00
Mahipal	812db448e0	Merge PR #44 : Normalize tags in 3 skills	2026-04-26 14:03:28 +02:00
Mahipal	fcc73ea471	Merge PR #28 : Add bulk skill metadata validation script	2026-04-26 14:03:24 +02:00
claude[bot]	fbc47b7ac2	fix: replace word-split tags with domain-specific cybersecurity tags Three SKILL.md files had tags that were simply words split from the skill name (e.g., "analyzing", "block", "with", "logs") rather than meaningful discovery keywords. Replace with domain-specific terms that agents and search tools can actually use for routing. - analyzing-powershell-script-block-logging: [powershell, script-block-logging, event-id-4104, obfuscation-detection, windows-forensics, endpoint-security] - analyzing-azure-activity-logs-for-threats: [azure, cloud-security, azure-monitor, kql, threat-hunting, activity-logs] - analyzing-memory-forensics-with-lime-and-volatility: [memory-forensics, linux-forensics, lime, volatility, incident-response, kernel-modules] Co-Authored-By: Claude Code <noreply@anthropic.com>	2026-04-21 00:35:35 +00:00
Mahipal	888bbe4c6e	Delete star.yml	2026-04-18 02:09:43 +02:00
Mahipal	c60cb4aa7b	Update star.yml	2026-04-15 22:43:16 +02:00
Mahipal	d5f3fa3248	Update star.yml	2026-04-15 22:37:28 +02:00
Mahipal	91a087aacc	Update star.yml	2026-04-15 22:35:07 +02:00
Mahipal	780757902b	Create star.yml	2026-04-15 19:15:45 +02:00
Mahipal	9e8a8cda80	Add Hermes Agent badge to README	2026-04-15 00:51:53 +02:00
Mahipal	efbbbba5e2	Add Casky.ai Playground section to README Added a section for the Casky.ai Playground with details on its features and usage.	2026-04-11 15:04:51 +02:00
Mahipal	c715f0b36e	Revise README for improved clarity and structure Updated README to enhance project visibility and clarify project scope.	2026-04-11 00:46:21 +02:00
mukul975	4ae0be7f48	chore: bump marketplace version to v1.2.0	2026-04-06 12:26:39 +02:00
mukul975	dcc2dc32fd	fix: jq command line continuation in sync-marketplace workflow	2026-04-06 12:25:16 +02:00
Julio César Suástegui	efc9598525	fix(validator): address all remaining review feedback from @mukul975 Three issues fixed: 1. Description list check — added elif isinstance(desc, list) branch that emits 'Description must be a string value, not a list'. Previously the block was silently skipped when YAML returned a list, causing the skill to pass without validating the description field. 2. tools/README.md synced — updated description constraint from '20-500 characters' to 'at least 50 characters (no upper limit)' to match the current code (DESCRIPTION_MIN_CHARS=50, no max enforced). 3. --all with wrong CWD now exits 1 — if glob returns no skill dirs, the script prints an error and exits with code 1 instead of reporting 'Total: 0 Passed: 0 Failed: 0' and exiting 0, which would cause CI to silently pass while validating nothing. All 754 skills continue to pass (0 regressions).	2026-04-04 05:34:31 -06:00
Julio César Suástegui	31f745385b	fix(validator): address all review feedback from @mukul975 Required changes: - Error handling: IOError and UnicodeDecodeError already wrapped in try/except from previous commit — still present and correct. - ALLOWED_SUBDOMAINS: synced with actual repo usage (audited all 754 skills). identity-access-management (34 skills) added; identity-security was the placeholder in its place. New in this commit: 1. Description minimum: raised from 20 → 50 chars to align with other repo tooling as requested. 2. Folded scalar support: parse_frontmatter now handles YAML `>-` and `>` folded scalars, preventing incorrect parse of multi-line descriptions. Added a comment documenting the one remaining edge case (value-less key followed by non-list content — treated as no-value, acceptable for well-formed SKILL.md files). 3. Canonical subdomain warnings: alias subdomain values (e.g. security-operations vs soc-operations) now print a WARN line pointing to the canonical form, but are non-blocking. A _SUBDOMAIN_ALIASES dict documents canonical/alias pairs explicitly. 4. Description upper limit: removed hard cap — folded scalars legitimately produce long strings in existing skills. 5. PR description: removed false mention of type hints (there are none in this file). Validator now passes 754/754 skills in the repo with 0 errors.	2026-04-03 09:51:27 -06:00
Julio César Suástegui	b53f3d4991	fix: add error handling for IOError/UnicodeDecodeError + sync ALLOWED_SUBDOMAINS - Wrap open() call in try/except for IOError and UnicodeDecodeError to report clean errors instead of crashing on encoding issues - Add all subdomains actually used by existing skills in the repo: identity-access-management (33 skills), security-operations (28), identity-and-access-management, zero-trust, ot-security, purple-team, red-team, ai-security, social-engineering-defense, and others - Remove identity-security as the canonical form is identity-access-management	2026-04-03 09:49:04 -06:00