Three SKILL.md files had tags that were simply words split from the
skill name (e.g., "analyzing", "block", "with", "logs") rather than
meaningful discovery keywords. Replace with domain-specific terms that
agents and search tools can actually use for routing.
- analyzing-powershell-script-block-logging: [powershell, script-block-logging, event-id-4104, obfuscation-detection, windows-forensics, endpoint-security]
- analyzing-azure-activity-logs-for-threats: [azure, cloud-security, azure-monitor, kql, threat-hunting, activity-logs]
- analyzing-memory-forensics-with-lime-and-volatility: [memory-forensics, linux-forensics, lime, volatility, incident-response, kernel-modules]
Co-Authored-By: Claude Code <noreply@anthropic.com>
Three issues fixed:
1. Description list check — added elif isinstance(desc, list) branch that
emits 'Description must be a string value, not a list'. Previously the
block was silently skipped when YAML returned a list, causing the skill
to pass without validating the description field.
2. tools/README.md synced — updated description constraint from '20-500
characters' to 'at least 50 characters (no upper limit)' to match the
current code (DESCRIPTION_MIN_CHARS=50, no max enforced).
3. --all with wrong CWD now exits 1 — if glob returns no skill dirs,
the script prints an error and exits with code 1 instead of reporting
'Total: 0 Passed: 0 Failed: 0' and exiting 0, which would cause CI to
silently pass while validating nothing.
All 754 skills continue to pass (0 regressions).
Required changes:
- Error handling: IOError and UnicodeDecodeError already wrapped in
try/except from previous commit — still present and correct.
- ALLOWED_SUBDOMAINS: synced with actual repo usage (audited all 754
skills). identity-access-management (34 skills) added; identity-security
was the placeholder in its place.
New in this commit:
1. Description minimum: raised from 20 → 50 chars to align with other
repo tooling as requested.
2. Folded scalar support: parse_frontmatter now handles YAML `>-` and `>`
folded scalars, preventing incorrect parse of multi-line descriptions.
Added a comment documenting the one remaining edge case (value-less key
followed by non-list content — treated as no-value, acceptable for
well-formed SKILL.md files).
3. Canonical subdomain warnings: alias subdomain values (e.g.
security-operations vs soc-operations) now print a WARN line pointing
to the canonical form, but are non-blocking. A _SUBDOMAIN_ALIASES dict
documents canonical/alias pairs explicitly.
4. Description upper limit: removed hard cap — folded scalars legitimately
produce long strings in existing skills.
5. PR description: removed false mention of type hints (there are none
in this file).
Validator now passes 754/754 skills in the repo with 0 errors.
- Wrap open() call in try/except for IOError and UnicodeDecodeError
to report clean errors instead of crashing on encoding issues
- Add all subdomains actually used by existing skills in the repo:
identity-access-management (33 skills), security-operations (28),
identity-and-access-management, zero-trust, ot-security, purple-team,
red-team, ai-security, social-engineering-defense, and others
- Remove identity-security as the canonical form is identity-access-management
2026-04-03 09:49:04 -06:00
9 changed files with 606 additions and 219 deletions
"description":"753 cybersecurity skills for AI agents and security practitioners covering web security, pentesting, forensics, threat intelligence, cloud security, and more.",
"version":"1.1.0"
"description":"754 cybersecurity skills for AI agents mapped to 5 frameworks: MITRE ATT&CK, NIST CSF 2.0, MITRE ATLAS, D3FEND, and NIST AI RMF.",
"version":"1.2.0"
},
"plugins":[
{
"name":"cybersecurity-skills",
"source":"./",
"descripyion":"753 cybersecurity skills covering web security, pentesting, DFIR, threat intelligence, cloud security, malware analysis, and more.",
"version":"1.1.0",
"description":"754 cybersecurity skills covering web security, pentesting, DFIR, threat intelligence, cloud security, malware analysis, and more. Mapped to 5 frameworks.",
> ⚠️ **Community Project** — This is an independent, community-created project. Not affiliated with Anthropic PBC.
AI agents are transforming cybersecurity — but they lack structured domain knowledge. A junior analyst knows which Volatility3 plugin to run on a suspicious memory dump. Your AI agent doesn't — unless you give it the skills.
## Give any AI agent the security skills of a senior analyst
**Anthropic Cybersecurity Skills** gives every AI agent instant access to **754 production-grade cybersecurity skills** spanning 26 security domains. Each skill follows the [agentskills.io](https://agentskills.io) open standard: YAML frontmatter for lightning-fast discovery, structured Markdown for step-by-step execution, and reference files for deep technical context.
A junior analyst knows which Volatility3 plugin to run on a suspicious memory dump, which Sigma rules catch Kerberoasting, and how to scope a cloud breach across three providers. **Your AI agent doesn't — unless you give it these skills.**
**What makes v1.2.0 different from every other security skills repo:**
This repo contains **754 structured cybersecurity skills** spanning **26 security domains**, each following the [agentskills.io](https://agentskills.io) open standard. Every skill is mapped to **five industry frameworks** — MITRE ATT&CK, NIST CSF 2.0, MITRE ATLAS, MITRE D3FEND, and NIST AI RMF — making this the only open-source skills library with unified cross-framework coverage. Clone it, point your agent at it, and your next security investigation gets expert-level guidance in seconds.
- **5-framework mapping** — Every skill is mapped to MITRE ATT&CK, NIST CSF 2.0, MITRE ATLAS v5.5, MITRE D3FEND v1.3, and NIST AI RMF 1.0. No other open-source library does this.
- **AI-native format** — Skills cost ~30 tokens to scan, provide full expert-level guidance when triggered, and work across 26+ AI agent platforms.
- **Real practitioner knowledge** — Not generated summaries. Structured workflows that mirror how senior security professionals actually work.
## Five frameworks, one skill library
## 🚀 Quick start
No other open-source skills library maps every skill to all five frameworks. One skill, five compliance checkboxes.
| Framework | Version | Scope in this repo | What it maps |
Works immediately with Claude Code, GitHub Copilot, OpenAI Codex CLI, Cursor, Gemini CLI, and any MCP-compatible agent.
Works immediately with Claude Code, GitHub Copilot, OpenAI Codex CLI, Cursor, Gemini CLI, and any [agentskills.io](https://agentskills.io)-compatible platform.
The cybersecurity workforce gap hit **4.8 million unfilled roles** globally in 2024 (ISC2). AI agents can help close that gap — but only if they have structured domain knowledge to work from. Today's agents can write code and search the web, but they lack the practitioner playbooks that turn a generic LLM into a capable security analyst.
## 🗺️ Framework coverage
Existing security tool repos give you wordlists, payloads, or exploit code. None of them give an AI agent the structured decision-making workflow a senior analyst follows: when to use each technique, what prerequisites to check, how to execute step-by-step, and how to verify results. That is the gap this project fills.
v1.2.0 maps every skill to **5 industry-standard frameworks** — a first for any open-source cybersecurity skills library.
**Anthropic Cybersecurity Skills** is not a collection of scripts or checklists. It is an **AI-native knowledge base** built from the ground up for the agentskills.io standard — YAML frontmatter for sub-second discovery, structured Markdown for step-by-step execution, and reference files for deep technical context. Every skill encodes real practitioner workflows, not generated summaries.
Each skill costs **~30 tokens to scan** (frontmatter only) and **500–2,000 tokens to fully load** (complete workflow). This progressive disclosure architecture lets agents search all 754 skills in a single pass without blowing context windows.
4. Validates results using the Verification section
→ confirms IOCs, maps findings to ATT&CK T1003 (Credential Dumping)
```
AI risk management coverage aligned with the four core functions:
- **Govern** — AI governance, accountability, organizational policies
- **Map** — AI system context, risk identification, stakeholder analysis
- **Measure** — AI risk metrics, testing, validation
- **Manage** — AI risk treatment, monitoring, continuous improvement
**Without these skills**, the agent guesses at tool commands and misses critical steps. **With them**, it follows the same playbook a senior DFIR analyst would use.
> 💡 **Why 5 frameworks matter:** Organizations face overlapping compliance requirements. A single skill like "analyzing-network-traffic-of-malware" maps to ATT&CK T1071 (Application Layer Protocol), NIST CSF DE.CM (Continuous Monitoring), ATLAS AML.T0047 (Evade ML Model), D3FEND D3-NTA (Network Traffic Analysis), and AI RMF MEASURE 2.6 (AI system monitoring). One skill, five compliance checkboxes.
Identifies command-and-control communication patterns in network traffic using beacon interval analysis, JA3/JA3S fingerprinting, and DNS request frequency modeling. Includes Zeek scripts for automated detection and SIEM correlation rules.
An **ATT&CK Navigator layer file** is included in the [v1.0.0 release assets](https://github.com/mukul975/Anthropic-Cybersecurity-Skills/releases/tag/v1.0.0) for visual coverage mapping.
> **Note:** ATT&CK v19 lands April 28, 2026 — splitting Defense Evasion (TA0005) into two new tactics: *Stealth* and *Impair Defenses*. Skill mappings will be updated in a forthcoming release.
</details>
<details>
<summary><strong>🦠 Reverse engineering .NET malware with dnSpy</strong></summary>
<summary><strong>📊 NIST CSF 2.0 alignment — all 6 functions</strong></summary>
Step-by-step decompilation workflow for .NET executables including de-obfuscation techniques, string decryption, C2 extraction, and behavioral analysis. Includes YARA rule templates for family classification.
NIST CSF 2.0 (February 2024) added the **Govern** function and expanded scope from critical infrastructure to all organizations. Skill mappings align to all 22 categories and reference 106 subcategories.
Systematic review of ClusterRoles, RoleBindings, and ServiceAccounts to identify overprivileged workloads, lateral movement paths, and secrets exposure. Includes kubectl audit scripts and remediation playbooks.
### MITRE ATLAS v5.4 — AI/ML adversarial threats
ATLAS maps adversarial tactics, techniques, and case studies specific to AI and machine learning systems. Version 5.4 covers **16 tactics and 84 techniques** including agentic AI attack vectors added in late 2025: AI agent context poisoning, tool invocation abuse, MCP server compromises, and malicious agent deployment. Skills mapped to ATLAS help agents identify and defend against threats to ML pipelines, model weights, inference APIs, and autonomous workflows.
### MITRE D3FEND v1.3 — Defensive countermeasures
D3FEND is an NSA-funded knowledge graph of **267 defensive techniques** organized across 7 tactical categories: Model, Harden, Detect, Isolate, Deceive, Evict, and Restore. Built on OWL 2 ontology, it uses a shared Digital Artifact layer to bidirectionally map defensive countermeasures to ATT&CK offensive techniques. Skills tagged with D3FEND identifiers let agents recommend specific countermeasures for detected threats.
### NIST AI RMF 1.0 + GenAI Profile (AI 600-1)
The AI Risk Management Framework defines 4 core functions — Govern, Map, Measure, Manage — with **72 subcategories** for trustworthy AI development. The GenAI Profile (AI 600-1, July 2024) adds **12 risk categories** specific to generative AI, from confabulation and data privacy to prompt injection and supply chain risks. Colorado's AI Act (effective February 2026) provides a **legal safe harbor** for organizations complying with NIST AI RMF, making these mappings directly relevant to regulatory compliance.
</details>
## 👥 Contributing
## Compatible platforms
We welcome contributions! See [CONTRIBUTING.md](CONTRIBUTING.md) for guidelines.
- 🆕 Add new skills using the [New Skill template](https://github.com/mukul975/Anthropic-Cybersecurity-Skills/issues/new?template=new-skill.yml)
- 🐛 Report issues with the [Bug Report template](https://github.com/mukul975/Anthropic-Cybersecurity-Skills/issues/new?template=bug-report.yml)
- 💡 Request features via [Feature Request](https://github.com/mukul975/Anthropic-Cybersecurity-Skills/issues/new?template=feature-request.yml)
- 📝 Improve documentation or fix typos
- 🗺️ Add framework mappings to existing skills
**CLI agents**
OpenAI Codex CLI · Gemini CLI (Google)
Every PR gets reviewed for technical accuracy and consistency with the agentskills.io standard. We aim to review within 48 hours.
**Autonomous agents**
Devin · Replit Agent · SWE-agent · OpenHands
## ⭐ Star history
**Agent frameworks & SDKs**
LangChain · CrewAI · AutoGen · Semantic Kernel · Haystack · Vercel AI SDK · Any MCP-compatible agent
[](https://star-history.com/#mukul975/Anthropic-Cybersecurity-Skills&Date)
All platforms that support the [agentskills.io](https://agentskills.io) standard can load these skills with zero configuration.
## 🌐 Community
## What people are saying
- 📋 Listed on [SkillsLLM](https://skillsllm.com/skill/anthropic-cybersecurity-skills)
- 📚 Featured in [awesome-agent-skills](https://github.com/VoltAgent/awesome-agent-skills)
- 🔒 Featured in [awesome-ai-security](https://github.com/ottosulin/awesome-ai-security)
- 🖥️ Featured in [awesome-codex-cli](https://github.com/RoggeOhta/awesome-codex-cli)
- 📖 [Complete guide on Medium](https://fazal-sec.medium.com/claude-skills-ai-powered-cybersecurity-the-complete-guide-to-building-intelligent-security-7bb7e9d14c8e)
> *"A database of real, organized security skills that any AI agent can plug into and use. Not tutorials. Not blog posts."*
> *"This is not a random collection of security scripts. It's a structured operational knowledge base designed for AI-driven security workflows."*
> — **[fazal-sec](https://fazal-sec.medium.com/claude-skills-ai-powered-cybersecurity-the-complete-guide-to-building-intelligent-security-7bb7e9d14c8e)**, Medium
Apache License 2.0 — free for commercial and personal use. See [LICENSE](LICENSE) for details.
Skills have continued to grow on `main` since v1.0.0 — the library now contains **754 skills** with **5-framework mapping** (MITRE ATLAS, D3FEND, and NIST AI RMF added post-release). Check [Releases](https://github.com/mukul975/Anthropic-Cybersecurity-Skills/releases) for the latest tagged version.
## Contributing
This project grows through community contributions. Here is how to get involved:
**Add a new skill** — Domains like Deception Technology (2 skills) and Compliance & Governance (5 skills) need the most help. Follow the template in [CONTRIBUTING.md](CONTRIBUTING.md) and submit a PR with the title `Add skill: your-skill-name`.
**Improve existing skills** — Add framework mappings, fix workflows, update tool references, or contribute scripts and templates.
**Report issues** — Found an inaccurate procedure or broken script? [Open an issue](https://github.com/mukul975/Anthropic-Cybersecurity-Skills/issues).
Every PR is reviewed for technical accuracy and agentskills.io standard compliance within 48 hours. Check [good first issues](https://github.com/mukul975/Anthropic-Cybersecurity-Skills/issues?q=is%3Aissue+is%3Aopen+label%3A%22good+first+issue%22) for a starting point.
This project follows the [Contributor Covenant](https://www.contributor-covenant.org/). By participating, you agree to uphold this code.
## Community
💬 [Discussions](https://github.com/mukul975/Anthropic-Cybersecurity-Skills/discussions) — Questions, ideas, and roadmap conversations
🐛 [Issues](https://github.com/mukul975/Anthropic-Cybersecurity-Skills/issues) — Bug reports and feature requests
🔒 [Security Policy](SECURITY.md) — Responsible disclosure process (48-hour acknowledgment)
## Citation
If you use this project in research or publications:
note={754 structured cybersecurity skills for AI agents,
mapped to MITRE ATT\&CK, NIST CSF 2.0, MITRE ATLAS,
MITRE D3FEND, and NIST AI RMF}
}
```
## License
This project is licensed under the [Apache License 2.0](LICENSE). You are free to use, modify, and distribute these skills in both personal and commercial projects.
---
<p align="center">
<strong>If these skills help your AI agent defend better, consider giving this repo a ⭐</strong>
</p>
<div align="center">
**If this project helps your security work, consider giving it a ⭐**
Blocking a user prevents them from interacting with repositories, such as opening or commenting on pull requests or issues. Learn more about blocking a user.