chore: auto-update index.json

Map all 754 skills to MITRE ATT&CK v19.1
- Add validated mitre_attack frontmatter to all 754 skills (286 distinct techniques), verified against MITRE ATT&CK v19.1 via the official mitreattack-python library: 0 revoked, deprecated, or invalid IDs - Curate precise per-skill technique IDs for forensics, malware-analysis, threat-intel, and red-team skills (e.g. DCSync -> T1003.006, Kerberoasting -> T1558.003, Pass-the-Ticket -> T1550.003) - Reconcile v19.1 tactic restructuring: Defense Evasion split into Stealth (TA0005) and Defense Impairment (TA0112); revoked T1562.* family and T1070.001/.002 remapped to active equivalents (T1685.*) - Normalize word-split tags across 35 skills (remove filename-derived stopword tags, add semantic cybersecurity tags) - Add api-reference.md for 3 skills that were missing it - Update README ATT&CK section with accurate v19.1 tactic distribution
2026-06-10 21:24:56 +03:00 · 2026-06-01 10:15:47 +00:00 · 2026-06-01 12:13:29 +02:00 · 2026-05-30 09:32:08 +00:00 · 2026-05-30 11:32:00 +02:00 · 2026-05-25 09:04:36 -04:00
760 changed files with 8452 additions and 2505 deletions
@@ -5,15 +5,15 @@
    "email": "mukuljangra5@gmail.com"
  },
  "metadata": {
-    "description": "753 cybersecurity skills for AI agents and security practitioners covering web security, pentesting, forensics, threat intelligence, cloud security, and more.",
-    "version": "1.1.0"
+    "description": "754 cybersecurity skills for AI agents mapped to 5 frameworks: MITRE ATT&CK, NIST CSF 2.0, MITRE ATLAS, D3FEND, and NIST AI RMF.",
+    "version": "1.2.0"
  },
  "plugins": [
    {
      "name": "cybersecurity-skills",
      "source": "./",
-      "descripyion": "753 cybersecurity skills covering web security, pentesting, DFIR, threat intelligence, cloud security, malware analysis, and more.",
-      "version": "1.1.0",
+      "description": "754 cybersecurity skills covering web security, pentesting, DFIR, threat intelligence, cloud security, malware analysis, and more. Mapped to 5 frameworks.",
+      "version": "1.2.0",
      "author": {
        "name": "mukul975"
      },
@@ -26,9 +26,7 @@ jobs:
        env:
          VERSION: ${{ steps.version.outputs.version }}
        run: |
-          jq --arg v "$VERSION" 
-            '.metadata.version = $v | .plugins[].version = $v' 
-            .claude-plugin/marketplace.json > tmp.json
+          jq --arg v "$VERSION" '.metadata.version = $v | .plugins[].version = $v' .claude-plugin/marketplace.json > tmp.json
          mv tmp.json .claude-plugin/marketplace.json
          echo "Updated marketplace.json to version $VERSION"

@@ -2,203 +2,208 @@
  <img src="assets/banner.png" alt="Anthropic Cybersecurity Skills" width="100%">
 </p>

-<p align="center">
-  <a href="LICENSE"><img src="https://img.shields.io/badge/license-Apache%202.0-blue.svg" alt="License"></a>
-  <a href="https://github.com/mukul975/Anthropic-Cybersecurity-Skills/stargazers"><img src="https://img.shields.io/github/stars/mukul975/Anthropic-Cybersecurity-Skills?style=social" alt="Stars"></a>
-  <a href="#️-framework-coverage"><img src="https://img.shields.io/badge/frameworks-5%20mapped-brightgreen.svg" alt="Frameworks"></a>
-  <a href="#️-whats-inside"><img src="https://img.shields.io/badge/skills-754-orange.svg" alt="Skills"></a>
-  <a href="https://agentskills.io"><img src="https://img.shields.io/badge/standard-agentskills.io-purple.svg" alt="agentskills.io"></a>
-  <a href="#-compatible-platforms"><img src="https://img.shields.io/badge/platforms-26%2B-blue.svg" alt="Platforms"></a>
-</p>
+<div align="center">

-<p align="center">
-  <strong>754 production-grade cybersecurity skills for AI agents — mapped to 5 industry frameworks</strong>
-</p>
+#  Anthropic Cybersecurity Skills

-<p align="center">
-  <em>MITRE ATT&CK · NIST CSF 2.0 · MITRE ATLAS · MITRE D3FEND · NIST AI RMF</em>
-</p>
+### The largest open-source cybersecurity skills library for AI agents

-> ⚠️ **Community Project** — This is an independent, community-created project. Not affiliated with Anthropic PBC.
+[![GARS-2026 Survey](https://img.shields.io/badge/GARS--2026-Take%20the%20Survey-E8B84B?style=for-the-badge&logo=googleforms&logoColor=black)](https://mahipal.engineer/survey?utm_source=github_badge&utm_medium=readme&utm_campaign=gars2026)
+[![License](https://img.shields.io/badge/License-Apache_2.0-blue.svg?style=flat-square)](LICENSE)
+[![Skills](https://img.shields.io/badge/skills-754-brightgreen?style=flat-square)](#whats-inside--26-security-domains)
+[![Frameworks](https://img.shields.io/badge/frameworks-5-orange?style=flat-square)](#five-frameworks-one-skill-library)
+[![Domains](https://img.shields.io/badge/domains-26-9cf?style=flat-square)](#whats-inside--26-security-domains)
+[![Platforms](https://img.shields.io/badge/platforms-26%2B-blueviolet?style=flat-square)](#compatible-platforms)
+[![GitHub stars](https://img.shields.io/github/stars/mukul975/Anthropic-Cybersecurity-Skills?style=flat-square)](https://github.com/mukul975/Anthropic-Cybersecurity-Skills/stargazers)
+[![GitHub forks](https://img.shields.io/github/forks/mukul975/Anthropic-Cybersecurity-Skills?style=flat-square)](https://github.com/mukul975/Anthropic-Cybersecurity-Skills/network/members)
+[![Last Commit](https://img.shields.io/github/last-commit/mukul975/Anthropic-Cybersecurity-Skills?style=flat-square)](https://github.com/mukul975/Anthropic-Cybersecurity-Skills/commits/main)
+[![agentskills.io](https://img.shields.io/badge/standard-agentskills.io-ff6600?style=flat-square)](https://agentskills.io)
+[![PRs Welcome](https://img.shields.io/badge/PRs-welcome-brightgreen.svg?style=flat-square)](CONTRIBUTING.md)
+[![Playground](https://img.shields.io/badge/Playground-Casky.ai-blue)](https://casky.ai/?utm_source=github&utm_medium=readme&utm_campaign=cohort_launch#waitlist)
+[![Hermes Agent](https://img.shields.io/badge/Hermes_Agent-compatible-blueviolet?style=flat)](https://github.com/NousResearch/hermes-agent)
+
+
+**754 production-grade cybersecurity skills · 26 security domains · 5 framework mappings · 26+ AI platforms**
+
+[Get Started](#quick-start) · [What's Inside](#whats-inside--26-security-domains) · [Frameworks](#five-frameworks-one-skill-library) · [Platforms](#compatible-platforms) · [Contributing](#contributing)
+
+</div>

 ---

-## Why this exists
+> ⚠️ **Community Project** — This is an independent, community-created project. Not affiliated with Anthropic PBC. 

-AI agents are transforming cybersecurity — but they lack structured domain knowledge. A junior analyst knows which Volatility3 plugin to run on a suspicious memory dump. Your AI agent doesn't — unless you give it the skills.
+## Give any AI agent the security skills of a senior analyst

-**Anthropic Cybersecurity Skills** gives every AI agent instant access to **754 production-grade cybersecurity skills** spanning 26 security domains. Each skill follows the [agentskills.io](https://agentskills.io) open standard: YAML frontmatter for lightning-fast discovery, structured Markdown for step-by-step execution, and reference files for deep technical context.
+A junior analyst knows which Volatility3 plugin to run on a suspicious memory dump, which Sigma rules catch Kerberoasting, and how to scope a cloud breach across three providers. **Your AI agent doesn't — unless you give it these skills.**

-**What makes v1.2.0 different from every other security skills repo:**
+This repo contains **754 structured cybersecurity skills** spanning **26 security domains**, each following the [agentskills.io](https://agentskills.io) open standard.  Every skill is mapped to **five industry frameworks** — MITRE ATT&CK, NIST CSF 2.0, MITRE ATLAS, MITRE D3FEND, and NIST AI RMF  — making this the only open-source skills library with unified cross-framework coverage.  Clone it, point your agent at it, and your next security investigation gets expert-level guidance in seconds.

- **5-framework mapping** — Every skill is mapped to MITRE ATT&CK, NIST CSF 2.0, MITRE ATLAS v5.5, MITRE D3FEND v1.3, and NIST AI RMF 1.0. No other open-source library does this.
- **AI-native format** — Skills cost ~30 tokens to scan, provide full expert-level guidance when triggered, and work across 26+ AI agent platforms.
- **Real practitioner knowledge** — Not generated summaries. Structured workflows that mirror how senior security professionals actually work.
+## Five frameworks, one skill library

-## 🚀 Quick start
+No other open-source skills library maps every skill to all five frameworks.  One skill, five compliance checkboxes. 
+
+| Framework | Version | Scope in this repo | What it maps |
+|---|---|---|---|
+| [MITRE ATT&CK](https://attack.mitre.org) | v19.1 | 15 tactics · 286 techniques | Adversary behaviors and TTPs |
+| [NIST CSF 2.0](https://www.nist.gov/cyberframework) | 2.0 | 6 functions · 22 categories | Organizational security posture |
+| [MITRE ATLAS](https://atlas.mitre.org) | v5.4 | 16 tactics · 84 techniques | AI/ML adversarial threats |
+| [MITRE D3FEND](https://d3fend.mitre.org) | v1.3 | 7 categories · 267 techniques | Defensive countermeasures |
+| [NIST AI RMF](https://airc.nist.gov/AI_RMF) | 1.0 | 4 functions · 72 subcategories | AI risk management |
+
+**Example — a single skill maps across all five:**
+
+| Skill | ATT&CK | NIST CSF | ATLAS | D3FEND | AI RMF |
+|---|---|---|---|---|---|
+| `analyzing-network-traffic-of-malware` | T1071 | DE.CM | AML.T0047 | D3-NTA | MEASURE-2.6 |
+
+### MITRE ATT&CK v19.1 — 754/754 skills mapped
+
+Every skill carries a `mitre_attack` frontmatter list validated against **MITRE ATT&CK v19.1** (the latest release) using the official `mitreattack-python` library — 286 distinct techniques across all 15 Enterprise tactics, plus ICS and Mobile techniques where relevant. Zero revoked or deprecated IDs. v19.1's restructured Defense Evasion (now split into **Stealth** and **Defense Impairment**) is reflected below.
+
+| Tactic | ID | Skills |
+|--------|----|--------|
+| Reconnaissance | TA0043 | 103 |
+| Resource Development | TA0042 | 22 |
+| Initial Access | TA0001 | 467 |
+| Execution | TA0002 | 350 |
+| Persistence | TA0003 | 444 |
+| Privilege Escalation | TA0004 | 464 |
+| Stealth | TA0005 | 442 |
+| Defense Impairment | TA0112 | 92 |
+| Credential Access | TA0006 | 202 |
+| Discovery | TA0007 | 237 |
+| Lateral Movement | TA0008 | 68 |
+| Collection | TA0009 | 172 |
+| Command and Control | TA0011 | 123 |
+| Exfiltration | TA0010 | 82 |
+| Impact | TA0040 | 50 |
+
+## Quick start

 ```bash
 # Option 1: npx (recommended)
 npx skills add mukul975/Anthropic-Cybersecurity-Skills

-# Option 2: Claude Code
-/plugin marketplace add mukul975/Anthropic-Cybersecurity-Skills
-
-# Option 3: Manual clone
+# Option 2: Git clone
 git clone https://github.com/mukul975/Anthropic-Cybersecurity-Skills.git
 cd Anthropic-Cybersecurity-Skills
 ```

-Works immediately with Claude Code, GitHub Copilot, OpenAI Codex CLI, Cursor, Gemini CLI, and any MCP-compatible agent.
+Works immediately with Claude Code, GitHub Copilot, OpenAI Codex CLI, Cursor, Gemini CLI, and any [agentskills.io](https://agentskills.io)-compatible platform. 

-## 📖 Table of contents
+## 🌍 GARS-2026 — Global Agentic AI Readiness Survey

- [🛡️ What's inside](#️-whats-inside)
- [🗺️ Framework coverage](#️-framework-coverage)
- [🤖 Compatible platforms](#-compatible-platforms)
- [📐 Skill structure](#-skill-structure)
- [🧠 How AI agents use these skills](#-how-ai-agents-use-these-skills)
- [📝 Example skills](#-example-skills)
- [👥 Contributing](#-contributing)
- [⭐ Star history](#-star-history)
- [📄 License](#-license)
+I'm running a global academic study measuring how ready security professionals,
+developers, and enterprise teams actually are for agentic AI — MCP servers,
+tool calling, governance, and human-in-the-loop workflows.

-## 🛡️ What's inside
+**If you use this repo, your response would be a genuinely valuable data point.**

-**754 skills across 26 security domains:**
+📋 **Take the survey (10 min):**
+[Survey Link](https://mahipal.engineer/survey?utm_source=github_repo&utm_medium=readme&utm_campaign=gars2026)

-| Domain | Skills | Example capabilities |
-|--------|--------|---------------------|
-| ☁️ Cloud Security | 60 | AWS S3 bucket audit, Azure AD config review, GCP IAM assessment |
-| 🔍 Threat Hunting | 55 | C2 beaconing detection, DNS tunneling analysis, living-off-the-land |
-| 📡 Threat Intelligence | 50 | APT group analysis with MITRE Navigator, campaign attribution, IOC enrichment |
-| 🌐 Web Application Security | 42 | HTTP request smuggling, XSS with Burp Suite, web cache poisoning |
-| 🔌 Network Security | 40 | Wireshark traffic analysis, VLAN segmentation, Suricata IDS tuning |
-| 🦠 Malware Analysis | 39 | Ghidra reverse engineering, YARA rules, .NET decompilation |
-| 🔎 Digital Forensics | 37 | Disk imaging with dd/dcfldd, Volatility3 memory forensics, browser artifacts |
-| 📊 Security Operations | 36 | SIEM correlation rules, alert triage workflows, SOC playbooks |
-| 🔑 IAM Security | 35 | SAML SSO with Okta, PAM deployment, service account hardening |
-| 🖥️ SOC Operations | 33 | Tier 1-3 escalation procedures, incident classification, metrics tracking |
-| ☸️ Container Security | 30 | Kubernetes RBAC audit, pod security policies, etcd encryption |
-| 🏭 OT/ICS Security | 28 | SCADA monitoring, Modbus anomaly detection, Purdue model enforcement |
-| 🔗 API Security | 28 | OAuth2 flow analysis, rate limiting, API gateway hardening |
-| 🎯 Vulnerability Management | 25 | Nessus scanning, CVSS scoring, risk-based prioritization |
-| 🚨 Incident Response | 25 | Containment procedures, evidence preservation, post-incident review |
-| 🔴 Red Teaming | 24 | Cobalt Strike operations, LOTL techniques, evasion & persistence |
-| 🎯 Penetration Testing | 23 | Active Directory exploitation, OSCP-style methodology, pivoting |
-| 💻 Endpoint Security | 17 | EDR deployment, host-based detection, anti-tamper configuration |
-| 🔧 DevSecOps | 17 | Pipeline security gates, SAST/DAST integration, IaC scanning |
-| 🎣 Phishing Defense | 16 | Email header analysis, phishing simulation, DMARC/DKIM/SPF |
-| 🕵️ OSINT | 15 | Domain reconnaissance, social engineering recon, dark web monitoring |
-| 🔐 Cryptography | 14 | TLS configuration audit, certificate lifecycle, key management |
-| 🏰 Zero Trust | 13 | Microsegmentation, BeyondCorp implementation, continuous verification |
-| 📱 Mobile Security | 12 | APK analysis with APKTool, iOS forensics, MDM bypass detection |
-| 🛡️ Ransomware Defense | 7 | Backup validation, recovery procedures, negotiation awareness |
-| 🪤 Deception Technology | 5 | Honeypot deployment, honey tokens, decoy credential monitoring |
-| **TOTAL** | **754** | |
+- 60 questions · Anonymous · Supervised by SRH Berlin
+- You get **50 Casky Tokens** for early access to [casky.ai](https://casky.ai)
+- Results published open access under CC-BY 4.0

-## 🗺️ Framework coverage
+## 🚀 Try it on the Playground

-v1.2.0 maps every skill to **5 industry-standard frameworks** — a first for any open-source cybersecurity skills library.
+Experience Casky.ai hands-on — no setup required.

-### MITRE ATT&CK Enterprise — 754/754 skills mapped
+**[→ Launch Playground on Casky.ai](https://casky.ai/?utm_source=github&utm_medium=readme&utm_campaign=cohort_launch#waitlist)**

-All 14 Enterprise tactics covered with 200+ technique mappings:
+The playground lets you:
+- Run live cybersecurity skill exercises against real targets
+- See AI agents execute structured skills in real time
+- Explore MITRE ATT&CK mapped workflows interactively
+- Test threat hunting, DFIR, and penetration testing scenarios

-| Tactic | ID | Skills |
-|--------|----|--------|
-| Reconnaissance | TA0043 | 45+ |
-| Resource Development | TA0042 | 30+ |
-| Initial Access | TA0001 | 55+ |
-| Execution | TA0002 | 60+ |
-| Persistence | TA0003 | 50+ |
-| Privilege Escalation | TA0004 | 55+ |
-| Defense Evasion | TA0005 | 65+ |
-| Credential Access | TA0006 | 45+ |
-| Discovery | TA0007 | 50+ |
-| Lateral Movement | TA0008 | 40+ |
-| Collection | TA0009 | 35+ |
-| Command and Control | TA0011 | 40+ |
-| Exfiltration | TA0010 | 30+ |
-| Impact | TA0040 | 35+ |
+No installation. No configuration. Just open and start.
+## Why this exists

-### NIST CSF 2.0 — 754/754 skills aligned
+The cybersecurity workforce gap hit **4.8 million unfilled roles** globally in 2024 (ISC2). AI agents can help close that gap — but only if they have structured domain knowledge to work from. Today's agents can write code and search the web, but they lack the practitioner playbooks that turn a generic LLM into a capable security analyst.

-| Function | Skills | Coverage areas |
-|----------|--------|---------------|
-| Govern (GV) | 80+ | Policy, risk strategy, supply chain oversight |
-| Identify (ID) | 120+ | Asset management, risk assessment, improvement |
-| Protect (PR) | 150+ | Access control, awareness, data security, platform security |
-| Detect (DE) | 200+ | Continuous monitoring, adverse event analysis |
-| Respond (RS) | 160+ | Incident management, analysis, mitigation, reporting |
-| Recover (RC) | 44+ | Recovery planning, execution, communication |
+Existing security tool repos give you wordlists, payloads, or exploit code. None of them give an AI agent the structured decision-making workflow a senior analyst follows: when to use each technique, what prerequisites to check, how to execute step-by-step, and how to verify results. That is the gap this project fills.

-### 🆕 MITRE ATLAS v5.5 — 81 skills (NEW in v1.2.0)
+**Anthropic Cybersecurity Skills** is not a collection of scripts or checklists. It is an **AI-native knowledge base** built from the ground up for the agentskills.io standard  — YAML frontmatter for sub-second discovery, structured Markdown for step-by-step execution, and reference files for deep technical context.  Every skill encodes real practitioner workflows, not generated summaries. 

-AI-specific adversarial threat coverage including:
- ML model poisoning and evasion techniques
- AI supply chain compromise scenarios
- LLM prompt injection defense workflows
- AI agent tool abuse detection
- Agentic AI escape-to-host prevention
+## What's inside — 26 security domains

-### 🆕 MITRE D3FEND v1.3 — 139 skills (NEW in v1.2.0)
+| Domain | Skills | Key capabilities |
+|---|---|---|
+| Cloud Security | 60 | AWS, Azure, GCP hardening · CSPM · cloud forensics |
+| Threat Hunting | 55 | Hypothesis-driven hunts · LOTL detection · behavioral analytics |
+| Threat Intelligence | 50 | STIX/TAXII · MISP · feed integration · actor profiling |
+| Web Application Security | 42 | OWASP Top 10 · SQLi · XSS · SSRF · deserialization |
+| Network Security | 40 | IDS/IPS · firewall rules · VLAN segmentation · traffic analysis |
+| Malware Analysis | 39 | Static/dynamic analysis · reverse engineering · sandboxing |
+| Digital Forensics | 37 | Disk imaging · memory forensics · timeline reconstruction |
+| Security Operations | 36 | SIEM correlation · log analysis · alert triage |
+| Identity & Access Management | 35 | IAM policies · PAM · zero trust identity · Okta · SailPoint |
+| SOC Operations | 33 | Playbooks · escalation workflows · metrics · tabletop exercises |
+| Container Security | 30 | K8s RBAC · image scanning · Falco · container forensics |
+| OT/ICS Security | 28 | Modbus · DNP3 · IEC 62443 · historian defense · SCADA |
+| API Security | 28 | GraphQL · REST · OWASP API Top 10 · WAF bypass |
+| Vulnerability Management | 25 | Nessus · scanning workflows · patch prioritization · CVSS |
+| Incident Response | 25 | Breach containment · ransomware response · IR playbooks |
+| Red Teaming | 24 | Full-scope engagements · AD attacks · phishing simulation |
+| Penetration Testing | 23 | Network · web · cloud · mobile · wireless pentesting |
+| Endpoint Security | 17 | EDR · LOTL detection · fileless malware · persistence hunting |
+| DevSecOps | 17 | CI/CD security · code signing · Terraform auditing |
+| Phishing Defense | 16 | Email authentication · BEC detection · phishing IR |
+| Cryptography | 14 | TLS · Ed25519 · certificate transparency · key management |
+| Zero Trust Architecture | 13 | BeyondCorp · CISA maturity model · microsegmentation |
+| Mobile Security | 12 | Android/iOS analysis · mobile pentesting · MDM forensics |
+| Ransomware Defense | 7 | Precursor detection · response · recovery · encryption analysis |
+| Compliance & Governance | 5 | CIS benchmarks · SOC 2 · regulatory frameworks |
+| Deception Technology | 2 | Honeytokens · breach detection canaries |

-Defensive technique mappings across all 7 D3FEND tactics:
- **Model** (27 techniques) — Threat modeling, attack surface analysis
- **Harden** (51 techniques) — System hardening, configuration management
- **Detect** (90 techniques) — Monitoring, anomaly detection, behavioral analysis
- **Isolate** (57 techniques) — Segmentation, sandboxing, containment
- **Deceive** (11 techniques) — Honeypots, decoys, misdirection
- **Evict** (19 techniques) — Threat removal, credential rotation
- **Restore** (12 techniques) — Backup, recovery, resilience
+## How AI agents use these skills

-### 🆕 NIST AI RMF 1.0 — 85 skills (NEW in v1.2.0)
+Each skill costs **~30 tokens to scan** (frontmatter only)  and **500–2,000 tokens to fully load** (complete workflow). This progressive disclosure architecture lets agents search all 754 skills in a single pass without blowing context windows. 

-AI risk management coverage aligned with the four core functions:
- **Govern** — AI governance, accountability, organizational policies
- **Map** — AI system context, risk identification, stakeholder analysis
- **Measure** — AI risk metrics, testing, validation
- **Manage** — AI risk treatment, monitoring, continuous improvement
+```
+User prompt: "Analyze this memory dump for signs of credential theft"

-> 💡 **Why 5 frameworks matter:** Organizations face overlapping compliance requirements. A single skill like "analyzing-network-traffic-of-malware" maps to ATT&CK T1071 (Application Layer Protocol), NIST CSF DE.CM (Continuous Monitoring), ATLAS AML.T0047 (Evade ML Model), D3FEND D3-NTA (Network Traffic Analysis), and AI RMF MEASURE 2.6 (AI system monitoring). One skill, five compliance checkboxes.
+Agent's internal process:

-## 🤖 Compatible platforms
+  1. Scans 754 skill frontmatters (~30 tokens each)
+     → identifies 12 relevant skills by matching tags, description, domain

-**AI code assistants:**
-Claude Code (Anthropic) · GitHub Copilot (Microsoft) · Cursor · Windsurf · Cline · Aider · Continue · Roo Code · Amazon Q Developer · Tabnine · Sourcegraph Cody · JetBrains AI
+  2. Loads top 3 matches:
+     • performing-memory-forensics-with-volatility3
+     • hunting-for-credential-dumping-lsass
+     • analyzing-windows-event-logs-for-credential-access

-**CLI agents:**
-OpenAI Codex CLI · Gemini CLI (Google)
+  3. Executes the structured Workflow section step-by-step
+     → runs Volatility3 plugins, checks LSASS access patterns,
+        correlates with event log evidence

-**Autonomous agents:**
-Devin · Replit Agent · SWE-agent · OpenHands
+  4. Validates results using the Verification section
+     → confirms IOCs, maps findings to ATT&CK T1003 (Credential Dumping)
+```

-**Agent frameworks & SDKs:**
-LangChain · CrewAI · AutoGen · Semantic Kernel · Haystack · Vercel AI SDK · Any MCP-compatible agent
+**Without these skills**, the agent guesses at tool commands and misses critical steps. **With them**, it follows the same playbook a senior DFIR analyst would use. 

-## 📐 Skill structure
+## Skill anatomy

-Every skill follows the [agentskills.io](https://agentskills.io) open standard:
+Every skill follows a consistent directory structure:

 ```
 skills/performing-memory-forensics-with-volatility3/
-├── SKILL.md              # Skill definition (YAML frontmatter + Markdown body)
-│   ├── Frontmatter       #   → name, description, domain, tags, frameworks
-│   ├── When to Use       #   → Trigger conditions for AI agents
-│   ├── Prerequisites     #   → Required tools, access, environment
-│   ├── Workflow          #   → Step-by-step execution guide
-│   └── Verification      #   → How to confirm success
+├── SKILL.md              ← Skill definition (YAML frontmatter + Markdown body)
 ├── references/
-│   ├── standards.md      # MITRE ATT&CK, ATLAS, D3FEND, NIST mappings
-│   └── workflows.md      # Deep technical procedure reference
+│   ├── standards.md      ← MITRE ATT&CK, ATLAS, D3FEND, NIST mappings
+│   └── workflows.md      ← Deep technical procedure reference
 ├── scripts/
-│   └── process.py        # Practitioner helper scripts
+│   └── process.py        ← Working helper scripts
 └── assets/
-    └── template.md       # Checklists, report templates
+    └── template.md       ← Filled-in checklists and report templates
 ```

-**YAML frontmatter example:**
+
+### YAML frontmatter (real example)

 ```yaml
 ---
@@ -219,93 +224,189 @@ license: Apache-2.0
 ---
 ```

-### Progressive disclosure — why 754 skills don't slow your agent down

-| Stage | Token cost | When |
-|-------|-----------|------|
-| Discovery scan | ~30 tokens | Always — agent reads YAML frontmatter |
-| Full skill load | 500–2000 tokens | Only when skill matches the task |
-| Deep reference pull | 1000–5000 tokens | Only when agent needs technical depth |
+### Markdown body sections

-Irrelevant skills cost virtually nothing. Relevant skills provide complete expert-level guidance.
+```markdown
+## When to Use
+Trigger conditions — when should an AI agent activate this skill?

-## 🧠 How AI agents use these skills
+## Prerequisites
+Required tools, access levels, and environment setup.

-```
-User prompt: "Analyze this memory dump for signs of credential theft"
+## Workflow
+Step-by-step execution guide with specific commands and decision points.

-Agent's internal process:
-1. Scans 754 skill frontmatters (~30 tokens each) → finds 12 relevant skills
-2. Loads top matches:
-   - performing-memory-forensics-with-volatility3
-   - hunting-for-credential-dumping-lsass
-   - analyzing-windows-event-logs-for-credential-access
-3. Follows structured workflow from SKILL.md
-4. References ATT&CK T1003 (Credential Dumping) mapping
-5. Maps findings to D3FEND D3-PSMD (Process Self-Modification Detection)
-6. Outputs structured findings with framework references
+## Verification
+How to confirm the skill was executed successfully.
 ```

-## 📝 Example skills
+Frontmatter fields: `name` (kebab-case, 1–64 chars), `description` (keyword-rich for agent discovery), `domain`, `subdomain`, `tags`,  `atlas_techniques` (MITRE ATLAS IDs), `d3fend_techniques` (MITRE D3FEND IDs), `nist_ai_rmf` (NIST AI RMF references), `nist_csf` (NIST CSF 2.0 categories).  MITRE ATT&CK technique mappings are documented in each skill's `references/standards.md` file and in the ATT&CK Navigator layer included with releases. 

 <details>
-<summary><strong>🔍 Hunting for C2 beaconing</strong></summary>
+<summary><strong>📊 MITRE ATT&CK Enterprise coverage — all 14 tactics</strong></summary>

-**Domain:** Threat Hunting · **ATT&CK:** T1071, T1573 · **D3FEND:** D3-NTA · **CSF:** DE.CM-01
+&nbsp;

-Identifies command-and-control communication patterns in network traffic using beacon interval analysis, JA3/JA3S fingerprinting, and DNS request frequency modeling. Includes Zeek scripts for automated detection and SIEM correlation rules.
+| Tactic | ID | Coverage | Key skills |
+|---|---|---|---|
+| Reconnaissance | TA0043 | Strong | OSINT, subdomain enumeration, DNS recon |
+| Resource Development | TA0042 | Moderate | Phishing infrastructure, C2 setup detection |
+| Initial Access | TA0001 | Strong | Phishing simulation, exploit detection, forced browsing |
+| Execution | TA0002 | Strong | PowerShell analysis, fileless malware, script block logging |
+| Persistence | TA0003 | Strong | Scheduled tasks, registry, service accounts, LOTL |
+| Privilege Escalation | TA0004 | Strong | Kerberoasting, AD attacks, cloud privilege escalation |
+| Defense Evasion | TA0005 | Strong | Obfuscation, rootkit analysis, evasion detection |
+| Credential Access | TA0006 | Strong | Mimikatz detection, pass-the-hash, credential dumping |
+| Discovery | TA0007 | Moderate | BloodHound, AD enumeration, network scanning |
+| Lateral Movement | TA0008 | Strong | SMB exploits, lateral movement detection with Splunk |
+| Collection | TA0009 | Moderate | Email forensics, data staging detection |
+| Command and Control | TA0011 | Strong | C2 beaconing, DNS tunneling, Cobalt Strike analysis |
+| Exfiltration | TA0010 | Strong | DNS exfiltration, DLP controls, data loss detection |
+| Impact | TA0040 | Strong | Ransomware defense, encryption analysis, recovery |
+
+An **ATT&CK Navigator layer file** is included in the [v1.0.0 release assets](https://github.com/mukul975/Anthropic-Cybersecurity-Skills/releases/tag/v1.0.0) for visual coverage mapping. 
+
+> **Note:** ATT&CK v19 lands April 28, 2026 — splitting Defense Evasion (TA0005) into two new tactics: *Stealth* and *Impair Defenses*.  Skill mappings will be updated in a forthcoming release.

 </details>

 <details>
-<summary><strong>🦠 Reverse engineering .NET malware with dnSpy</strong></summary>
+<summary><strong>📊 NIST CSF 2.0 alignment — all 6 functions</strong></summary>

-**Domain:** Malware Analysis · **ATT&CK:** T1027, T1059.001 · **ATLAS:** AML.T0016 · **CSF:** DE.AE-02
+&nbsp;

-Step-by-step decompilation workflow for .NET executables including de-obfuscation techniques, string decryption, C2 extraction, and behavioral analysis. Includes YARA rule templates for family classification.
+| Function | Skills | Examples |
+|---|---|---|
+| **Govern (GV)** | 30+ | Risk strategy, policy frameworks, roles & responsibilities |
+| **Identify (ID)** | 120+ | Asset discovery, threat landscape assessment, risk analysis |
+| **Protect (PR)** | 150+ | IAM hardening, WAF rules, zero trust, encryption |
+| **Detect (DE)** | 200+ | Threat hunting, SIEM correlation, anomaly detection |
+| **Respond (RS)** | 160+ | Incident response, forensics, breach containment |
+| **Recover (RC)** | 40+ | Ransomware recovery, BCP, disaster recovery |
+
+NIST CSF 2.0 (February 2024) added the **Govern** function  and expanded scope from critical infrastructure to all organizations.  Skill mappings align to all 22 categories and reference 106 subcategories. 

 </details>

 <details>
-<summary><strong>☸️ Auditing Kubernetes RBAC configurations</strong></summary>
+<summary><strong>📊 Framework deep dive — ATLAS, D3FEND, AI RMF</strong></summary>

-**Domain:** Container Security · **ATT&CK:** T1078.004 · **D3FEND:** D3-ACL · **CSF:** PR.AA-01 · **AI RMF:** GOVERN-1.2
+&nbsp;

-Systematic review of ClusterRoles, RoleBindings, and ServiceAccounts to identify overprivileged workloads, lateral movement paths, and secrets exposure. Includes kubectl audit scripts and remediation playbooks.
+### MITRE ATLAS v5.4 — AI/ML adversarial threats
+ATLAS maps adversarial tactics, techniques, and case studies specific to AI and machine learning systems. Version 5.4 covers **16 tactics and 84 techniques** including agentic AI attack vectors added in late 2025: AI agent context poisoning, tool invocation abuse, MCP server compromises, and malicious agent deployment.  Skills mapped to ATLAS help agents identify and defend against threats to ML pipelines, model weights, inference APIs, and autonomous workflows. 
+
+### MITRE D3FEND v1.3 — Defensive countermeasures
+D3FEND is an NSA-funded knowledge graph of **267 defensive techniques** organized across 7 tactical categories: Model, Harden, Detect, Isolate, Deceive, Evict, and Restore.  Built on OWL 2 ontology, it uses a shared Digital Artifact layer to bidirectionally map defensive countermeasures to ATT&CK offensive techniques.  Skills tagged with D3FEND identifiers let agents recommend specific countermeasures for detected threats.
+
+### NIST AI RMF 1.0 + GenAI Profile (AI 600-1)
+The AI Risk Management Framework defines 4 core functions — Govern, Map, Measure, Manage — with **72 subcategories** for trustworthy AI development.  The GenAI Profile (AI 600-1, July 2024) adds **12 risk categories** specific to generative AI, from confabulation and data privacy to prompt injection and supply chain risks.  Colorado's AI Act (effective February 2026) provides a **legal safe harbor** for organizations complying with NIST AI RMF, making these mappings directly relevant to regulatory compliance.

 </details>

-## 👥 Contributing
+## Compatible platforms

-We welcome contributions! See [CONTRIBUTING.md](CONTRIBUTING.md) for guidelines.
+**AI code assistants**
+Claude Code (Anthropic) · GitHub Copilot (Microsoft) · Cursor · Windsurf · Cline · Aider · Continue · Roo Code · Amazon Q Developer · Tabnine · Sourcegraph Cody · JetBrains AI 

-**Ways to contribute:**
- 🆕 Add new skills using the [New Skill template](https://github.com/mukul975/Anthropic-Cybersecurity-Skills/issues/new?template=new-skill.yml)
- 🐛 Report issues with the [Bug Report template](https://github.com/mukul975/Anthropic-Cybersecurity-Skills/issues/new?template=bug-report.yml)
- 💡 Request features via [Feature Request](https://github.com/mukul975/Anthropic-Cybersecurity-Skills/issues/new?template=feature-request.yml)
- 📝 Improve documentation or fix typos
- 🗺️ Add framework mappings to existing skills
+**CLI agents**
+OpenAI Codex CLI · Gemini CLI (Google) 

-Every PR gets reviewed for technical accuracy and consistency with the agentskills.io standard. We aim to review within 48 hours.
+**Autonomous agents**
+Devin · Replit Agent · SWE-agent · OpenHands 

-## ⭐ Star history
+**Agent frameworks & SDKs**
+LangChain · CrewAI · AutoGen · Semantic Kernel · Haystack · Vercel AI SDK · Any MCP-compatible agent 

-[![Star History Chart](https://api.star-history.com/svg?repos=mukul975/Anthropic-Cybersecurity-Skills&type=Date)](https://star-history.com/#mukul975/Anthropic-Cybersecurity-Skills&Date)
+All platforms that support the [agentskills.io](https://agentskills.io) standard can load these skills with zero configuration. 

-## 🌐 Community
+## What people are saying

- 📋 Listed on [SkillsLLM](https://skillsllm.com/skill/anthropic-cybersecurity-skills)
- 📚 Featured in [awesome-agent-skills](https://github.com/VoltAgent/awesome-agent-skills)
- 🔒 Featured in [awesome-ai-security](https://github.com/ottosulin/awesome-ai-security)
- 🖥️ Featured in [awesome-codex-cli](https://github.com/RoggeOhta/awesome-codex-cli)
- 📖 [Complete guide on Medium](https://fazal-sec.medium.com/claude-skills-ai-powered-cybersecurity-the-complete-guide-to-building-intelligent-security-7bb7e9d14c8e)
+> *"A database of real, organized security skills that any AI agent can plug into and use. Not tutorials. Not blog posts."* 
+> — **[Hasan Toor (@hasantoxr)](https://x.com/hasantoxr/status/2033193922349179249)**, AI/tech creator

-## 📄 License
+> *"This is not a random collection of security scripts. It's a structured operational knowledge base designed for AI-driven security workflows."* 
+> — **[fazal-sec](https://fazal-sec.medium.com/claude-skills-ai-powered-cybersecurity-the-complete-guide-to-building-intelligent-security-7bb7e9d14c8e)**,  Medium

-Apache License 2.0 — free for commercial and personal use. See [LICENSE](LICENSE) for details.
+## Featured in
+
+| Where | Type | Link |
+|---|---|---|
+| **awesome-agent-skills** | Awesome List (1,000+ skills index) | [VoltAgent/awesome-agent-skills](https://github.com/VoltAgent/awesome-agent-skills) |
+| **awesome-ai-security** | Awesome List (AI security tools) | [ottosulin/awesome-ai-security](https://github.com/ottosulin/awesome-ai-security) |
+| **awesome-codex-cli** | Awesome List (Codex CLI resources) | [RoggeOhta/awesome-codex-cli](https://github.com/RoggeOhta/awesome-codex-cli) |
+| **SkillsLLM** | Skills directory & marketplace | [skillsllm.com/skill/anthropic-cybersecurity-skills](https://skillsllm.com/skill/anthropic-cybersecurity-skills) |
+| **Openflows** | Signal analysis & tracking | [openflows.org](https://openflows.org/currency/currents/anthropic-cybersecurity-skills/) |
+| **NeverSight skills_feed** | Automated skills index | [NeverSight/skills_feed](https://github.com/NeverSight/skills_feed) |
+
+## Star history
+
+<a href="https://star-history.com/#mukul975/Anthropic-Cybersecurity-Skills&Date">
+ <picture>
+   <source media="(prefers-color-scheme: dark)" srcset="https://api.star-history.com/svg?repos=mukul975/Anthropic-Cybersecurity-Skills&type=Date&theme=dark" />
+   <source media="(prefers-color-scheme: light)" srcset="https://api.star-history.com/svg?repos=mukul975/Anthropic-Cybersecurity-Skills&type=Date" />
+   <img alt="Star History Chart" src="https://api.star-history.com/svg?repos=mukul975/Anthropic-Cybersecurity-Skills&type=Date" width="100%" />
+ </picture>
+</a>
+
+## Releases
+
+| Version | Date | Highlights |
+|---|---|---|
+| [v1.0.0](https://github.com/mukul975/Anthropic-Cybersecurity-Skills/releases/tag/v1.0.0) | March 11, 2026 | 734 skills · 26 domains · MITRE ATT&CK + NIST CSF 2.0 mapping · ATT&CK Navigator layer |
+
+Skills have continued to grow on `main` since v1.0.0 — the library now contains **754 skills** with **5-framework mapping**  (MITRE ATLAS, D3FEND, and NIST AI RMF added post-release).  Check [Releases](https://github.com/mukul975/Anthropic-Cybersecurity-Skills/releases) for the latest tagged version.
+
+## Contributing
+
+This project grows through community contributions. Here is how to get involved:
+
+**Add a new skill** — Domains like Deception Technology (2 skills) and Compliance & Governance (5 skills) need the most help. Follow the template in [CONTRIBUTING.md](CONTRIBUTING.md) and submit a PR with the title `Add skill: your-skill-name`.
+
+**Improve existing skills** — Add framework mappings, fix workflows, update tool references, or contribute scripts and templates.
+
+**Report issues** — Found an inaccurate procedure or broken script? [Open an issue](https://github.com/mukul975/Anthropic-Cybersecurity-Skills/issues).
+
+Every PR is reviewed for technical accuracy and agentskills.io standard compliance within 48 hours.  Check [good first issues](https://github.com/mukul975/Anthropic-Cybersecurity-Skills/issues?q=is%3Aissue+is%3Aopen+label%3A%22good+first+issue%22) for a starting point.
+
+This project follows the [Contributor Covenant](https://www.contributor-covenant.org/). By participating, you agree to uphold this code. 
+
+## Community
+
+💬 [Discussions](https://github.com/mukul975/Anthropic-Cybersecurity-Skills/discussions) — Questions, ideas, and roadmap conversations
+🐛 [Issues](https://github.com/mukul975/Anthropic-Cybersecurity-Skills/issues) — Bug reports and feature requests
+🔒 [Security Policy](SECURITY.md) — Responsible disclosure process (48-hour acknowledgment) 
+
+## Citation
+
+If you use this project in research or publications:
+
+```bibtex
+@software{anthropic_cybersecurity_skills,
+  author       = {Jangra, Mahipal},
+  title        = {Anthropic Cybersecurity Skills},
+  year         = {2026},
+  url          = {https://github.com/mukul975/Anthropic-Cybersecurity-Skills},
+  license      = {Apache-2.0},
+  note         = {754 structured cybersecurity skills for AI agents,
+                  mapped to MITRE ATT\&CK, NIST CSF 2.0, MITRE ATLAS,
+                  MITRE D3FEND, and NIST AI RMF}
+}
+```
+
+## License
+
+This project is licensed under the [Apache License 2.0](LICENSE). You are free to use, modify, and distribute these skills in both personal and commercial projects. 

 ---

-<p align="center">
-  <strong>If these skills help your AI agent defend better, consider giving this repo a ⭐</strong>
-</p>
+<div align="center">
+
+**If this project helps your security work, consider giving it a ⭐**
+
+[⭐ Star](https://github.com/mukul975/Anthropic-Cybersecurity-Skills/stargazers) · [🍴 Fork](https://github.com/mukul975/Anthropic-Cybersecurity-Skills/fork) · [💬 Discuss](https://github.com/mukul975/Anthropic-Cybersecurity-Skills/discussions) · [📝 Contribute](CONTRIBUTING.md)
+
+Community project by [@mukul975](https://github.com/mukul975). Not affiliated with Anthropic PBC.
+
+</div>
@@ -1,7 +1,7 @@
 ---
 name: acquiring-disk-image-with-dd-and-dcfldd
-description: Create forensically sound bit-for-bit disk images using dd and dcfldd while preserving evidence integrity through
-  hash verification.
+description: Create forensically sound bit-for-bit disk images using dd and dcfldd
+  while preserving evidence integrity through hash verification.
 domain: cybersecurity
 subdomain: digital-forensics
 tags:
@@ -19,6 +19,11 @@ nist_csf:
 - RS.AN-03
 - DE.AE-02
 - RS.MA-01
+mitre_attack:
+- T1006
+- T1005
+- T1025
+- T1074.001
 ---

 # Acquiring Disk Image with dd and dcfldd
@@ -1,7 +1,7 @@
 ---
 name: analyzing-active-directory-acl-abuse
-description: Detect dangerous ACL misconfigurations in Active Directory using ldap3 to identify GenericAll, WriteDACL, and
-  WriteOwner abuse paths
+description: Detect dangerous ACL misconfigurations in Active Directory using ldap3
+  to identify GenericAll, WriteDACL, and WriteOwner abuse paths
 domain: cybersecurity
 subdomain: identity-security
 tags:
@@ -16,6 +16,12 @@ nist_csf:
 - PR.AA-01
 - PR.AA-05
 - PR.AA-06
+mitre_attack:
+- T1098
+- T1098.007
+- T1484.001
+- T1222.001
+- T1078.002
 ---


@@ -1,7 +1,8 @@
 ---
 name: analyzing-android-malware-with-apktool
-description: Perform static analysis of Android APK malware samples using apktool for decompilation, jadx for Java source
-  recovery, and androguard for permission analysis, manifest inspection, and suspicious API call detection.
+description: Perform static analysis of Android APK malware samples using apktool
+  for decompilation, jadx for Java source recovery, and androguard for permission
+  analysis, manifest inspection, and suspicious API call detection.
 domain: cybersecurity
 subdomain: malware-analysis
 tags:
@@ -21,6 +22,12 @@ nist_csf:
 - RS.AN-03
 - ID.RA-01
 - DE.CM-01
+mitre_attack:
+- T1406
+- T1407
+- T1626.001
+- T1655.001
+- T1521.001
 ---

 # Analyzing Android Malware with Apktool
@@ -1,17 +1,22 @@
 ---
 name: analyzing-api-gateway-access-logs
-description: 'Parses API Gateway access logs (AWS API Gateway, Kong, Nginx) to detect BOLA/IDOR attacks, rate limit bypass,
-  credential scanning, and injection attempts. Uses pandas for statistical analysis of request patterns and anomaly detection.
+description: 'Parses API Gateway access logs (AWS API Gateway, Kong, Nginx) to detect
+  BOLA/IDOR attacks, rate limit bypass, credential scanning, and injection attempts.
+  Uses pandas for statistical analysis of request patterns and anomaly detection.
  Use when investigating API abuse or building API-specific threat detection rules.

  '
 domain: cybersecurity
 subdomain: security-operations
 tags:
- analyzing
- api
- gateway
- access
+- api-security
+- access-log-analysis
+- aws-api-gateway
+- kong
+- nginx
+- bola-detection
+- rate-limit-bypass
+- security-operations
 version: '1.0'
 author: mahipal
 license: Apache-2.0
@@ -20,6 +25,11 @@ nist_csf:
 - RS.MA-01
 - GV.OV-01
 - DE.AE-02
+mitre_attack:
+- T1190
+- T1110.004
+- T1078.004
+- T1119
 ---

 # Analyzing API Gateway Access Logs
@@ -1,7 +1,8 @@
 ---
 name: analyzing-apt-group-with-mitre-navigator
-description: Analyze advanced persistent threat (APT) group techniques using MITRE ATT&CK Navigator to create layered heatmaps
-  of adversary TTPs for detection gap analysis and threat-informed defense.
+description: Analyze advanced persistent threat (APT) group techniques using MITRE
+  ATT&CK Navigator to create layered heatmaps of adversary TTPs for detection gap
+  analysis and threat-informed defense.
 domain: cybersecurity
 subdomain: threat-intelligence
 tags:
@@ -27,6 +28,12 @@ nist_csf:
 - ID.RA-05
 - DE.CM-01
 - DE.AE-02
+mitre_attack:
+- T1059.001
+- T1071.001
+- T1003.001
+- T1486
+- T1547.001
 ---
 # Analyzing APT Group with MITRE ATT&CK Navigator

@@ -1,17 +1,20 @@
 ---
 name: analyzing-azure-activity-logs-for-threats
-description: 'Queries Azure Monitor activity logs and sign-in logs via azure-monitor-query to detect suspicious administrative
-  operations, impossible travel, privilege escalation, and resource modifications. Builds KQL queries for threat hunting in
-  Azure environments. Use when investigating suspicious Azure tenant activity or building cloud SIEM detections.
+description: 'Queries Azure Monitor activity logs and sign-in logs via azure-monitor-query
+  to detect suspicious administrative operations, impossible travel, privilege escalation,
+  and resource modifications. Builds KQL queries for threat hunting in Azure environments.
+  Use when investigating suspicious Azure tenant activity or building cloud SIEM detections.

  '
 domain: cybersecurity
 subdomain: security-operations
 tags:
- analyzing
 - azure
- activity
- logs
+- cloud-security
+- azure-monitor
+- kql
+- threat-hunting
+- activity-logs
 version: '1.0'
 author: mahipal
 license: Apache-2.0
@@ -20,6 +23,12 @@ nist_csf:
 - RS.MA-01
 - GV.OV-01
 - DE.AE-02
+mitre_attack:
+- T1078.004
+- T1098.003
+- T1538
+- T1556.009
+- T1580
 ---

 # Analyzing Azure Activity Logs for Threats
@@ -1,9 +1,11 @@
 ---
 name: analyzing-bootkit-and-rootkit-samples
-description: 'Analyzes bootkit and advanced rootkit malware that infects the Master Boot Record (MBR), Volume Boot Record
-  (VBR), or UEFI firmware to gain persistence below the operating system. Covers boot sector analysis, UEFI module inspection,
-  and anti-rootkit detection techniques. Activates for requests involving bootkit analysis, MBR malware investigation, UEFI
-  persistence analysis, or pre-OS malware detection.
+description: 'Analyzes bootkit and advanced rootkit malware that infects the Master
+  Boot Record (MBR), Volume Boot Record (VBR), or UEFI firmware to gain persistence
+  below the operating system. Covers boot sector analysis, UEFI module inspection,
+  and anti-rootkit detection techniques. Activates for requests involving bootkit
+  analysis, MBR malware investigation, UEFI persistence analysis, or pre-OS malware
+  detection.

  '
 domain: cybersecurity
@@ -22,6 +24,12 @@ nist_csf:
 - RS.AN-03
 - ID.RA-01
 - DE.CM-01
+mitre_attack:
+- T1542.003
+- T1542.001
+- T1542.002
+- T1014
+- T1547.006
 ---

 # Analyzing Bootkit and Rootkit Samples
@@ -1,7 +1,8 @@
 ---
 name: analyzing-browser-forensics-with-hindsight
-description: Analyze Chromium-based browser artifacts using Hindsight to extract browsing history, downloads, cookies, cached
-  content, autofill data, saved passwords, and browser extensions from Chrome, Edge, Brave, and Opera for forensic investigation.
+description: Analyze Chromium-based browser artifacts using Hindsight to extract browsing
+  history, downloads, cookies, cached content, autofill data, saved passwords, and
+  browser extensions from Chrome, Edge, Brave, and Opera for forensic investigation.
 domain: cybersecurity
 subdomain: digital-forensics
 tags:
@@ -23,6 +24,11 @@ nist_csf:
 - RS.AN-03
 - DE.AE-02
 - RS.MA-01
+mitre_attack:
+- T1217
+- T1539
+- T1555.003
+- T1185
 ---

 # Analyzing Browser Forensics with Hindsight
@@ -1,7 +1,8 @@
 ---
 name: analyzing-campaign-attribution-evidence
-description: Campaign attribution analysis involves systematically evaluating evidence to determine which threat actor or
-  group is responsible for a cyber operation. This skill covers collecting and weighting attr
+description: Campaign attribution analysis involves systematically evaluating evidence
+  to determine which threat actor or group is responsible for a cyber operation. This
+  skill covers collecting and weighting attr
 domain: cybersecurity
 subdomain: threat-intelligence
 tags:
@@ -20,6 +21,11 @@ nist_csf:
 - ID.RA-05
 - DE.CM-01
 - DE.AE-02
+mitre_attack:
+- T1587.001
+- T1583.001
+- T1588.002
+- T1071.001
 ---
 # Analyzing Campaign Attribution Evidence

@@ -1,7 +1,8 @@
 ---
 name: analyzing-certificate-transparency-for-phishing
-description: Monitor Certificate Transparency logs using crt.sh and Certstream to detect phishing domains, lookalike certificates,
-  and unauthorized certificate issuance targeting your organization.
+description: Monitor Certificate Transparency logs using crt.sh and Certstream to
+  detect phishing domains, lookalike certificates, and unauthorized certificate issuance
+  targeting your organization.
 domain: cybersecurity
 subdomain: threat-intelligence
 tags:
@@ -23,6 +24,12 @@ nist_csf:
 - ID.RA-05
 - DE.CM-01
 - DE.AE-02
+mitre_attack:
+- T1583.001
+- T1583.004
+- T1566.002
+- T1608.005
+- T1596.003
 ---
 # Analyzing Certificate Transparency for Phishing

@@ -1,15 +1,20 @@
 ---
 name: analyzing-cloud-storage-access-patterns
-description: Detect abnormal access patterns in AWS S3, GCS, and Azure Blob Storage by analyzing CloudTrail Data Events, GCS
-  audit logs, and Azure Storage Analytics. Identifies after-hours bulk downloads, access from new IP addresses, unusual API
-  calls (GetObject spikes), and potential data exfiltration using statistical baselines and time-series anomaly detection.
+description: Detect abnormal access patterns in AWS S3, GCS, and Azure Blob Storage
+  by analyzing CloudTrail Data Events, GCS audit logs, and Azure Storage Analytics.
+  Identifies after-hours bulk downloads, access from new IP addresses, unusual API
+  calls (GetObject spikes), and potential data exfiltration using statistical baselines
+  and time-series anomaly detection.
 domain: cybersecurity
 subdomain: cloud-security
 tags:
- analyzing
- cloud
- storage
- access
+- cloud-security
+- aws-s3
+- gcs
+- azure-blob-storage
+- cloudtrail
+- data-access-anomaly
+- exfiltration-detection
 version: '1.0'
 author: mahipal
 license: Apache-2.0
@@ -25,6 +30,12 @@ nist_csf:
 - ID.AM-08
 - GV.SC-06
 - DE.CM-01
+mitre_attack:
+- T1530
+- T1567.002
+- T1619
+- T1078.004
+- T1048
 ---


@@ -1,7 +1,8 @@
 ---
 name: analyzing-cobalt-strike-beacon-configuration
-description: Extract and analyze Cobalt Strike beacon configuration from PE files and memory dumps to identify C2 infrastructure,
-  malleable profiles, and operator tradecraft.
+description: Extract and analyze Cobalt Strike beacon configuration from PE files
+  and memory dumps to identify C2 infrastructure, malleable profiles, and operator
+  tradecraft.
 domain: cybersecurity
 subdomain: malware-analysis
 tags:
@@ -20,6 +21,12 @@ nist_csf:
 - RS.AN-03
 - ID.RA-01
 - DE.CM-01
+mitre_attack:
+- T1071.001
+- T1573.001
+- T1090.004
+- T1105
+- T1027
 ---
 # Analyzing Cobalt Strike Beacon Configuration

@@ -1,7 +1,8 @@
 ---
 name: analyzing-cobaltstrike-malleable-c2-profiles
-description: Parse and analyze Cobalt Strike Malleable C2 profiles using dissect.cobaltstrike and pyMalleableC2 to extract
-  C2 indicators, detect evasion techniques, and generate network detection signatures.
+description: Parse and analyze Cobalt Strike Malleable C2 profiles using dissect.cobaltstrike
+  and pyMalleableC2 to extract C2 indicators, detect evasion techniques, and generate
+  network detection signatures.
 domain: cybersecurity
 subdomain: malware-analysis
 tags:
@@ -20,6 +21,12 @@ nist_csf:
 - RS.AN-03
 - ID.RA-01
 - DE.CM-01
+mitre_attack:
+- T1071.001
+- T1573.002
+- T1001.003
+- T1090.004
+- T1102
 ---
 # Analyzing CobaltStrike Malleable C2 Profiles

@@ -1,9 +1,10 @@
 ---
 name: analyzing-command-and-control-communication
-description: 'Analyzes malware command-and-control (C2) communication protocols to understand beacon patterns, command structures,
-  data encoding, and infrastructure. Covers HTTP, HTTPS, DNS, and custom protocol C2 analysis for detection development and
-  threat intelligence. Activates for requests involving C2 analysis, beacon detection, C2 protocol reverse engineering, or
-  command-and-control infrastructure mapping.
+description: 'Analyzes malware command-and-control (C2) communication protocols to
+  understand beacon patterns, command structures, data encoding, and infrastructure.
+  Covers HTTP, HTTPS, DNS, and custom protocol C2 analysis for detection development
+  and threat intelligence. Activates for requests involving C2 analysis, beacon detection,
+  C2 protocol reverse engineering, or command-and-control infrastructure mapping.

  '
 domain: cybersecurity
@@ -22,6 +23,12 @@ nist_csf:
 - RS.AN-03
 - ID.RA-01
 - DE.CM-01
+mitre_attack:
+- T1071.001
+- T1573
+- T1571
+- T1008
+- T1095
 ---

 # Analyzing Command-and-Control Communication
@@ -1,10 +1,12 @@
 ---
 name: analyzing-cyber-kill-chain
-description: 'Analyzes intrusion activity against the Lockheed Martin Cyber Kill Chain framework to identify which phases
-  an adversary has completed, where defenses succeeded or failed, and what controls would have interrupted the attack at earlier
-  phases. Use when conducting post-incident analysis, building prevention-focused security controls, or mapping detection
-  gaps to kill chain phases. Activates for requests involving kill chain analysis, intrusion kill chain, attack phase mapping,
-  or Lockheed Martin kill chain framework.
+description: 'Analyzes intrusion activity against the Lockheed Martin Cyber Kill Chain
+  framework to identify which phases an adversary has completed, where defenses succeeded
+  or failed, and what controls would have interrupted the attack at earlier phases.
+  Use when conducting post-incident analysis, building prevention-focused security
+  controls, or mapping detection gaps to kill chain phases. Activates for requests
+  involving kill chain analysis, intrusion kill chain, attack phase mapping, or Lockheed
+  Martin kill chain framework.

  '
 domain: cybersecurity
@@ -24,6 +26,12 @@ nist_csf:
 - ID.RA-05
 - DE.CM-01
 - DE.AE-02
+mitre_attack:
+- T1566.001
+- T1190
+- T1547.001
+- T1071.001
+- T1486
 ---
 # Analyzing Cyber Kill Chain

@@ -1,7 +1,7 @@
 ---
 name: analyzing-disk-image-with-autopsy
-description: Perform comprehensive forensic analysis of disk images using Autopsy to recover files, examine artifacts, and
-  build investigation timelines.
+description: Perform comprehensive forensic analysis of disk images using Autopsy
+  to recover files, examine artifacts, and build investigation timelines.
 domain: cybersecurity
 subdomain: digital-forensics
 tags:
@@ -19,6 +19,11 @@ nist_csf:
 - RS.AN-03
 - DE.AE-02
 - RS.MA-01
+mitre_attack:
+- T1005
+- T1074.001
+- T1070.004
+- T1083
 ---

 # Analyzing Disk Image with Autopsy
@@ -1,8 +1,9 @@
 ---
 name: analyzing-dns-logs-for-exfiltration
-description: 'Analyzes DNS query logs to detect data exfiltration via DNS tunneling, DGA domain communication, and covert
-  C2 channels using entropy analysis, query volume anomalies, and subdomain length detection in SIEM platforms. Use when SOC
-  teams need to identify DNS-based threats that bypass traditional network security controls.
+description: 'Analyzes DNS query logs to detect data exfiltration via DNS tunneling,
+  DGA domain communication, and covert C2 channels using entropy analysis, query volume
+  anomalies, and subdomain length detection in SIEM platforms. Use when SOC teams
+  need to identify DNS-based threats that bypass traditional network security controls.

  '
 domain: cybersecurity
@@ -28,6 +29,10 @@ nist_csf:
 - DE.AE-02
 - RS.MA-01
 - DE.AE-06
+mitre_attack:
+- T1048.003
+- T1071.004
+- T1567
 ---
 # Analyzing DNS Logs for Exfiltration

@@ -1,7 +1,7 @@
 ---
 name: analyzing-docker-container-forensics
-description: Investigate compromised Docker containers by analyzing images, layers, volumes, logs, and runtime artifacts to
-  identify malicious activity and evidence.
+description: Investigate compromised Docker containers by analyzing images, layers,
+  volumes, logs, and runtime artifacts to identify malicious activity and evidence.
 domain: cybersecurity
 subdomain: digital-forensics
 tags:
@@ -19,6 +19,11 @@ nist_csf:
 - RS.AN-03
 - DE.AE-02
 - RS.MA-01
+mitre_attack:
+- T1610
+- T1611
+- T1613
+- T1612
 ---

 # Analyzing Docker Container Forensics
@@ -1,7 +1,7 @@
 ---
 name: analyzing-email-headers-for-phishing-investigation
-description: Parse and analyze email headers to trace the origin of phishing emails, verify sender authenticity, and identify
-  spoofing through SPF, DKIM, and DMARC validation.
+description: Parse and analyze email headers to trace the origin of phishing emails,
+  verify sender authenticity, and identify spoofing through SPF, DKIM, and DMARC validation.
 domain: cybersecurity
 subdomain: digital-forensics
 tags:
@@ -22,6 +22,10 @@ nist_csf:
 - RS.AN-03
 - DE.AE-02
 - RS.MA-01
+mitre_attack:
+- T1566.001
+- T1566.002
+- T1598.003
 ---

 # Analyzing Email Headers for Phishing Investigation
@@ -1,7 +1,8 @@
 ---
 name: analyzing-ethereum-smart-contract-vulnerabilities
-description: Perform static and symbolic analysis of Solidity smart contracts using Slither and Mythril to detect reentrancy,
-  integer overflow, access control, and other vulnerability classes before deployment to Ethereum mainnet.
+description: Perform static and symbolic analysis of Solidity smart contracts using
+  Slither and Mythril to detect reentrancy, integer overflow, access control, and
+  other vulnerability classes before deployment to Ethereum mainnet.
 domain: cybersecurity
 subdomain: blockchain-security
 tags:
@@ -20,6 +21,9 @@ nist_csf:
 - PR.DS-01
 - PR.DS-02
 - ID.RA-01
+mitre_attack:
+- T1190
+- T1059
 ---

 # Analyzing Ethereum Smart Contract Vulnerabilities
@@ -1,7 +1,8 @@
 ---
 name: analyzing-golang-malware-with-ghidra
-description: Reverse engineer Go-compiled malware using Ghidra with specialized scripts for function recovery, string extraction,
-  and type reconstruction in stripped Go binaries.
+description: Reverse engineer Go-compiled malware using Ghidra with specialized scripts
+  for function recovery, string extraction, and type reconstruction in stripped Go
+  binaries.
 domain: cybersecurity
 subdomain: malware-analysis
 tags:
@@ -20,6 +21,11 @@ nist_csf:
 - RS.AN-03
 - ID.RA-01
 - DE.CM-01
+mitre_attack:
+- T1027
+- T1620
+- T1140
+- T1059
 ---
 # Analyzing Golang Malware with Ghidra

@@ -1,7 +1,8 @@
 ---
 name: analyzing-heap-spray-exploitation
-description: Detect and analyze heap spray attacks in memory dumps using Volatility3 plugins to identify NOP sled patterns,
-  shellcode landing zones, and suspicious large allocations in process virtual address space.
+description: Detect and analyze heap spray attacks in memory dumps using Volatility3
+  plugins to identify NOP sled patterns, shellcode landing zones, and suspicious large
+  allocations in process virtual address space.
 domain: cybersecurity
 subdomain: malware-analysis
 tags:
@@ -18,6 +19,10 @@ nist_csf:
 - RS.AN-03
 - ID.RA-01
 - DE.CM-01
+mitre_attack:
+- T1203
+- T1059.007
+- T1106
 ---
 # Analyzing Heap Spray Exploitation

@@ -1,9 +1,11 @@
 ---
 name: analyzing-indicators-of-compromise
-description: 'Analyzes indicators of compromise (IOCs) including IP addresses, domains, file hashes, URLs, and email artifacts
-  to determine maliciousness confidence, campaign attribution, and blocking priority. Use when triaging IOCs from phishing
-  emails, security alerts, or external threat feeds; enriching raw IOCs with multi-source intelligence; or making block/monitor/whitelist
-  decisions. Activates for requests involving VirusTotal, AbuseIPDB, MalwareBazaar, MISP, or IOC enrichment pipelines.
+description: 'Analyzes indicators of compromise (IOCs) including IP addresses, domains,
+  file hashes, URLs, and email artifacts to determine maliciousness confidence, campaign
+  attribution, and blocking priority. Use when triaging IOCs from phishing emails,
+  security alerts, or external threat feeds; enriching raw IOCs with multi-source
+  intelligence; or making block/monitor/whitelist decisions. Activates for requests
+  involving VirusTotal, AbuseIPDB, MalwareBazaar, MISP, or IOC enrichment pipelines.

  '
 domain: cybersecurity
@@ -27,6 +29,11 @@ nist_csf:
 - ID.RA-05
 - DE.CM-01
 - DE.AE-02
+mitre_attack:
+- T1071
+- T1105
+- T1041
+- T1567
 ---
 # Analyzing Indicators of Compromise

@@ -1,12 +1,9 @@
 ---
 name: analyzing-ios-app-security-with-objection
-description: 'Performs runtime mobile security exploration of iOS applications using Objection, a Frida-powered toolkit that
-  enables security testers to interact with app internals without jailbreaking. Use when assessing iOS app security posture,
-  bypassing client-side protections, dumping keychain items, inspecting filesystem storage, and evaluating runtime behavior.
-  Activates for requests involving iOS security testing, Objection runtime analysis, Frida-based iOS assessment, or mobile
-  runtime exploration.
-
-  '
+description: >-
+  Runtime iOS app security testing with Objection (Frida): inspect keychain and
+  filesystem data, explore app internals at runtime, and validate/bypass
+  client-side protections during authorized mobile assessments.
 domain: cybersecurity
 subdomain: mobile-security
 author: mahipal
@@ -31,6 +28,11 @@ nist_csf:
 - PR.AA-05
 - ID.RA-01
 - DE.CM-09
+mitre_attack:
+- T1635
+- T1414
+- T1417.001
+- T1409
 ---
 # Analyzing iOS App Security with Objection

@@ -1,17 +1,21 @@
 ---
 name: analyzing-kubernetes-audit-logs
-description: 'Parses Kubernetes API server audit logs (JSON lines) to detect exec-into-pod, secret access, RBAC modifications,
-  privileged pod creation, and anonymous API access. Builds threat detection rules from audit event patterns. Use when investigating
+description: 'Parses Kubernetes API server audit logs (JSON lines) to detect exec-into-pod,
+  secret access, RBAC modifications, privileged pod creation, and anonymous API access.
+  Builds threat detection rules from audit event patterns. Use when investigating
  Kubernetes cluster compromise or building k8s-specific SIEM detection rules.

  '
 domain: cybersecurity
 subdomain: container-security
 tags:
- analyzing
- kubernetes
- audit
- logs
+- kubernetes-security
+- container-security
+- audit-log-analysis
+- rbac
+- privilege-escalation
+- k8s-api-server
+- threat-detection
 version: '1.0'
 author: mahipal
 license: Apache-2.0
@@ -20,6 +24,11 @@ nist_csf:
 - PR.IR-01
 - ID.AM-08
 - DE.CM-01
+mitre_attack:
+- T1610
+- T1613
+- T1078
+- T1552.007
 ---

 # Analyzing Kubernetes Audit Logs
@@ -1,9 +1,11 @@
 ---
 name: analyzing-linux-audit-logs-for-intrusion
-description: 'Uses the Linux Audit framework (auditd) with ausearch and aureport utilities to detect intrusion attempts, unauthorized
-  access, privilege escalation, and suspicious system activity. Covers audit rule configuration, log querying, timeline reconstruction,
-  and integration with SIEM platforms. Activates for requests involving auditd analysis, Linux audit log investigation, ausearch
-  queries, aureport summaries, or host-based intrusion detection on Linux.
+description: 'Uses the Linux Audit framework (auditd) with ausearch and aureport utilities
+  to detect intrusion attempts, unauthorized access, privilege escalation, and suspicious
+  system activity. Covers audit rule configuration, log querying, timeline reconstruction,
+  and integration with SIEM platforms. Activates for requests involving auditd analysis,
+  Linux audit log investigation, ausearch queries, aureport summaries, or host-based
+  intrusion detection on Linux.

  '
 domain: cybersecurity
@@ -24,6 +26,11 @@ nist_csf:
 - RS.MA-02
 - RS.AN-03
 - RC.RP-01
+mitre_attack:
+- T1059.004
+- T1070
+- T1548.003
+- T1543.002
 ---

 # Analyzing Linux Audit Logs for Intrusion
@@ -1,9 +1,11 @@
 ---
 name: analyzing-linux-elf-malware
-description: 'Analyzes malicious Linux ELF (Executable and Linkable Format) binaries including botnets, cryptominers, ransomware,
-  and rootkits targeting Linux servers, containers, and cloud infrastructure. Covers static analysis, dynamic tracing, and
-  reverse engineering of x86_64 and ARM ELF samples. Activates for requests involving Linux malware analysis, ELF binary investigation,
-  Linux server compromise assessment, or container malware analysis.
+description: 'Analyzes malicious Linux ELF (Executable and Linkable Format) binaries
+  including botnets, cryptominers, ransomware, and rootkits targeting Linux servers,
+  containers, and cloud infrastructure. Covers static analysis, dynamic tracing, and
+  reverse engineering of x86_64 and ARM ELF samples. Activates for requests involving
+  Linux malware analysis, ELF binary investigation, Linux server compromise assessment,
+  or container malware analysis.

  '
 domain: cybersecurity
@@ -22,6 +24,11 @@ nist_csf:
 - RS.AN-03
 - ID.RA-01
 - DE.CM-01
+mitre_attack:
+- T1027
+- T1059.004
+- T1620
+- T1574.006
 ---

 # Analyzing Linux ELF Malware
@@ -1,8 +1,9 @@
 ---
 name: analyzing-linux-kernel-rootkits
-description: Detect kernel-level rootkits in Linux memory dumps using Volatility3 linux plugins (check_syscall, lsmod, hidden_modules),
-  rkhunter system scanning, and /proc vs /sys discrepancy analysis to identify hooked syscalls, hidden kernel modules, and
-  tampered system structures.
+description: Detect kernel-level rootkits in Linux memory dumps using Volatility3
+  linux plugins (check_syscall, lsmod, hidden_modules), rkhunter system scanning,
+  and /proc vs /sys discrepancy analysis to identify hooked syscalls, hidden kernel
+  modules, and tampered system structures.
 domain: cybersecurity
 subdomain: digital-forensics
 tags:
@@ -22,6 +23,10 @@ nist_csf:
 - RS.AN-03
 - DE.AE-02
 - RS.MA-01
+mitre_attack:
+- T1014
+- T1547.006
+- T1564.001
 ---

 # Analyzing Linux Kernel Rootkits
@@ -1,7 +1,8 @@
 ---
 name: analyzing-linux-system-artifacts
-description: Examine Linux system artifacts including auth logs, cron jobs, shell history, and system configuration to uncover
-  evidence of compromise or unauthorized activity.
+description: Examine Linux system artifacts including auth logs, cron jobs, shell
+  history, and system configuration to uncover evidence of compromise or unauthorized
+  activity.
 domain: cybersecurity
 subdomain: digital-forensics
 tags:
@@ -19,6 +20,11 @@ nist_csf:
 - RS.AN-03
 - DE.AE-02
 - RS.MA-01
+mitre_attack:
+- T1070
+- T1059.004
+- T1543.002
+- T1053.003
 ---

 # Analyzing Linux System Artifacts
@@ -1,7 +1,8 @@
 ---
 name: analyzing-lnk-file-and-jump-list-artifacts
-description: Analyze Windows LNK shortcut files and Jump List artifacts to establish evidence of file access, program execution,
-  and user activity using LECmd, JLECmd, and manual binary parsing of the Shell Link Binary format.
+description: Analyze Windows LNK shortcut files and Jump List artifacts to establish
+  evidence of file access, program execution, and user activity using LECmd, JLECmd,
+  and manual binary parsing of the Shell Link Binary format.
 domain: cybersecurity
 subdomain: digital-forensics
 tags:
@@ -23,6 +24,10 @@ nist_csf:
 - RS.AN-03
 - DE.AE-02
 - RS.MA-01
+mitre_attack:
+- T1547.009
+- T1204.002
+- T1059.001
 ---

 # Analyzing LNK File and Jump List Artifacts
@@ -1,9 +1,10 @@
 ---
 name: analyzing-macro-malware-in-office-documents
-description: 'Analyzes malicious VBA macros embedded in Microsoft Office documents (Word, Excel, PowerPoint) to identify download
-  cradles, payload execution, persistence mechanisms, and anti-analysis techniques. Uses olevba, oledump, and VBA deobfuscation
-  to extract the attack chain. Activates for requests involving Office macro analysis, VBA malware investigation, maldoc analysis,
-  or document-based threat examination.
+description: 'Analyzes malicious VBA macros embedded in Microsoft Office documents
+  (Word, Excel, PowerPoint) to identify download cradles, payload execution, persistence
+  mechanisms, and anti-analysis techniques. Uses olevba, oledump, and VBA deobfuscation
+  to extract the attack chain. Activates for requests involving Office macro analysis,
+  VBA malware investigation, maldoc analysis, or document-based threat examination.

  '
 domain: cybersecurity
@@ -31,6 +32,11 @@ nist_csf:
 - RS.AN-03
 - ID.RA-01
 - DE.CM-01
+mitre_attack:
+- T1137.001
+- T1204.002
+- T1059.005
+- T1027
 ---

 # Analyzing Macro Malware in Office Documents
@@ -1,7 +1,7 @@
 ---
 name: analyzing-malicious-pdf-with-peepdf
-description: Perform static analysis of malicious PDF documents using peepdf, pdfid, and pdf-parser to extract embedded JavaScript,
-  shellcode, and suspicious objects.
+description: Perform static analysis of malicious PDF documents using peepdf, pdfid,
+  and pdf-parser to extract embedded JavaScript, shellcode, and suspicious objects.
 domain: cybersecurity
 subdomain: malware-analysis
 tags:
@@ -21,6 +21,11 @@ nist_csf:
 - RS.AN-03
 - ID.RA-01
 - DE.CM-01
+mitre_attack:
+- T1204.002
+- T1059.007
+- T1027
+- T1106
 ---

 # Analyzing Malicious PDF with peepdf
@@ -1,7 +1,8 @@
 ---
 name: analyzing-malicious-url-with-urlscan
-description: URLScan.io is a free service for scanning and analyzing suspicious URLs. It captures screenshots, DOM content,
-  HTTP transactions, JavaScript behavior, and network connections of web pages in an isolat
+description: URLScan.io is a free service for scanning and analyzing suspicious URLs.
+  It captures screenshots, DOM content, HTTP transactions, JavaScript behavior, and
+  network connections of web pages in an isolat
 domain: cybersecurity
 subdomain: phishing-defense
 tags:
@@ -22,6 +23,10 @@ nist_csf:
 - DE.CM-09
 - RS.CO-02
 - DE.AE-02
+mitre_attack:
+- T1566.002
+- T1204.001
+- T1598.003
 ---
 # Analyzing Malicious URL with URLScan

@@ -1,9 +1,10 @@
 ---
 name: analyzing-malware-behavior-with-cuckoo-sandbox
-description: 'Executes malware samples in Cuckoo Sandbox to observe runtime behavior including process creation, file system
-  modifications, registry changes, network communications, and API calls. Generates comprehensive behavioral reports for malware
-  classification and IOC extraction. Activates for requests involving dynamic malware analysis, sandbox detonation, behavioral
-  analysis, or automated malware execution.
+description: 'Executes malware samples in Cuckoo Sandbox to observe runtime behavior
+  including process creation, file system modifications, registry changes, network
+  communications, and API calls. Generates comprehensive behavioral reports for malware
+  classification and IOC extraction. Activates for requests involving dynamic malware
+  analysis, sandbox detonation, behavioral analysis, or automated malware execution.

  '
 domain: cybersecurity
@@ -22,6 +23,11 @@ nist_csf:
 - RS.AN-03
 - ID.RA-01
 - DE.CM-01
+mitre_attack:
+- T1497
+- T1055
+- T1071
+- T1027
 ---

 # Analyzing Malware Behavior with Cuckoo Sandbox
@@ -1,7 +1,8 @@
 ---
 name: analyzing-malware-family-relationships-with-malpedia
-description: Use the Malpedia platform and API to research malware family relationships, track variant evolution, link families
-  to threat actors, and integrate YARA rules for detection across malware lineages.
+description: Use the Malpedia platform and API to research malware family relationships,
+  track variant evolution, link families to threat actors, and integrate YARA rules
+  for detection across malware lineages.
 domain: cybersecurity
 subdomain: threat-intelligence
 tags:
@@ -21,6 +22,10 @@ nist_csf:
 - ID.RA-05
 - DE.CM-01
 - DE.AE-02
+mitre_attack:
+- T1587.001
+- T1027
+- T1071
 ---
 # Analyzing Malware Family Relationships with Malpedia

@@ -1,7 +1,8 @@
 ---
 name: analyzing-malware-persistence-with-autoruns
-description: Use Sysinternals Autoruns to systematically identify and analyze malware persistence mechanisms across registry
-  keys, scheduled tasks, services, drivers, and startup locations on Windows systems.
+description: Use Sysinternals Autoruns to systematically identify and analyze malware
+  persistence mechanisms across registry keys, scheduled tasks, services, drivers,
+  and startup locations on Windows systems.
 domain: cybersecurity
 subdomain: malware-analysis
 tags:
@@ -14,10 +15,11 @@ tags:
 - startup
 - incident-response
 mitre_attack:
- T1547
- T1053
- T1543
- T1546
+- T1547.001
+- T1543.003
+- T1053.005
+- T1574.001
+- T1037.001
 version: '1.0'
 author: mahipal
 license: Apache-2.0
@@ -1,7 +1,8 @@
 ---
 name: analyzing-malware-sandbox-evasion-techniques
-description: Detect sandbox evasion techniques in malware samples by analyzing timing checks, VM artifact queries, user interaction
-  detection, and sleep inflation patterns from Cuckoo/AnyRun behavioral reports
+description: Detect sandbox evasion techniques in malware samples by analyzing timing
+  checks, VM artifact queries, user interaction detection, and sleep inflation patterns
+  from Cuckoo/AnyRun behavioral reports
 domain: cybersecurity
 subdomain: malware-analysis
 tags:
@@ -26,6 +27,11 @@ nist_csf:
 - RS.AN-03
 - ID.RA-01
 - DE.CM-01
+mitre_attack:
+- T1497.001
+- T1497.003
+- T1480
+- T1027.002
 ---

 # Analyzing Malware Sandbox Evasion Techniques
@@ -1,17 +1,21 @@
 ---
 name: analyzing-memory-forensics-with-lime-and-volatility
-description: 'Performs Linux memory acquisition using LiME (Linux Memory Extractor) kernel module and analysis with Volatility
-  3 framework. Extracts process lists, network connections, bash history, loaded kernel modules, and injected code from Linux
-  memory images. Use when performing incident response on compromised Linux systems.
+description: 'Performs Linux memory acquisition using LiME (Linux Memory Extractor)
+  kernel module and analysis with Volatility 3 framework. Extracts process lists,
+  network connections, bash history, loaded kernel modules, and injected code from
+  Linux memory images. Use when performing incident response on compromised Linux
+  systems.

  '
 domain: cybersecurity
 subdomain: security-operations
 tags:
- analyzing
- memory
- forensics
- with
+- memory-forensics
+- linux-forensics
+- lime
+- volatility
+- incident-response
+- kernel-modules
 version: '1.0'
 author: mahipal
 license: Apache-2.0
@@ -20,6 +24,11 @@ nist_csf:
 - RS.MA-01
 - GV.OV-01
 - DE.AE-02
+mitre_attack:
+- T1055
+- T1003.001
+- T1620
+- T1564.001
 ---

 # Analyzing Memory Forensics with LiME and Volatility
@@ -1,7 +1,8 @@
 ---
 name: analyzing-mft-for-deleted-file-recovery
-description: Analyze the NTFS Master File Table ($MFT) to recover metadata and content of deleted files by examining MFT record
-  entries, $LogFile, $UsnJrnl, and MFT slack space using MFTECmd, analyzeMFT, and X-Ways Forensics.
+description: Analyze the NTFS Master File Table ($MFT) to recover metadata and content
+  of deleted files by examining MFT record entries, $LogFile, $UsnJrnl, and MFT slack
+  space using MFTECmd, analyzeMFT, and X-Ways Forensics.
 domain: cybersecurity
 subdomain: digital-forensics
 tags:
@@ -23,6 +24,10 @@ nist_csf:
 - RS.AN-03
 - DE.AE-02
 - RS.MA-01
+mitre_attack:
+- T1070.004
+- T1070.006
+- T1005
 ---

 # Analyzing MFT for Deleted File Recovery
@@ -1,7 +1,8 @@
 ---
 name: analyzing-network-covert-channels-in-malware
-description: Detect and analyze covert communication channels used by malware including DNS tunneling, ICMP exfiltration,
-  steganographic HTTP, and protocol abuse for C2 and data exfiltration.
+description: Detect and analyze covert communication channels used by malware including
+  DNS tunneling, ICMP exfiltration, steganographic HTTP, and protocol abuse for C2
+  and data exfiltration.
 domain: cybersecurity
 subdomain: malware-analysis
 tags:
@@ -26,6 +27,11 @@ nist_csf:
 - RS.AN-03
 - ID.RA-01
 - DE.CM-01
+mitre_attack:
+- T1071.001
+- T1095
+- T1572
+- T1001
 ---
 # Analyzing Network Covert Channels in Malware

@@ -1,8 +1,10 @@
 ---
 name: analyzing-network-flow-data-with-netflow
-description: Parse NetFlow v9 and IPFIX records to detect volumetric anomalies, port scanning, data exfiltration, and C2 beaconing
-  patterns. Uses the Python netflow library to decode flow records, builds traffic baselines, and applies statistical analysis
-  to identify flows with abnormal byte counts, connection durations, and periodic timing patterns.
+description: Parse NetFlow v9 and IPFIX records to detect volumetric anomalies, port
+  scanning, data exfiltration, and C2 beaconing patterns. Uses the Python netflow
+  library to decode flow records, builds traffic baselines, and applies statistical
+  analysis to identify flows with abnormal byte counts, connection durations, and
+  periodic timing patterns.
 domain: cybersecurity
 subdomain: network-security
 tags:
@@ -18,6 +20,11 @@ nist_csf:
 - DE.CM-01
 - ID.AM-03
 - PR.DS-02
+mitre_attack:
+- T1071
+- T1048
+- T1046
+- T1095
 ---


@@ -1,7 +1,8 @@
 ---
 name: analyzing-network-packets-with-scapy
-description: Craft, send, sniff, and dissect network packets using Scapy for protocol analysis, network reconnaissance, and
-  traffic anomaly detection in authorized security testing
+description: Craft, send, sniff, and dissect network packets using Scapy for protocol
+  analysis, network reconnaissance, and traffic anomaly detection in authorized security
+  testing
 domain: cybersecurity
 subdomain: network-security
 tags:
@@ -19,6 +20,11 @@ nist_csf:
 - DE.CM-01
 - ID.AM-03
 - PR.DS-02
+mitre_attack:
+- T1040
+- T1071
+- T1046
+- T1557
 ---

 # Analyzing Network Packets with Scapy
@@ -1,9 +1,10 @@
 ---
 name: analyzing-network-traffic-of-malware
-description: 'Analyzes network traffic generated by malware during sandbox execution or live incident response to identify
-  C2 protocols, data exfiltration channels, payload downloads, and lateral movement patterns using Wireshark, Zeek, and Suricata.
-  Activates for requests involving malware network analysis, C2 traffic decoding, malware PCAP analysis, or network-based
-  malware detection.
+description: 'Analyzes network traffic generated by malware during sandbox execution
+  or live incident response to identify C2 protocols, data exfiltration channels,
+  payload downloads, and lateral movement patterns using Wireshark, Zeek, and Suricata.
+  Activates for requests involving malware network analysis, C2 traffic decoding,
+  malware PCAP analysis, or network-based malware detection.

  '
 domain: cybersecurity
@@ -22,6 +23,11 @@ nist_csf:
 - RS.AN-03
 - ID.RA-01
 - DE.CM-01
+mitre_attack:
+- T1071.001
+- T1571
+- T1573
+- T1095
 ---

 # Analyzing Network Traffic of Malware
@@ -1,7 +1,8 @@
 ---
 name: analyzing-network-traffic-with-wireshark
-description: 'Captures and analyzes network packet data using Wireshark and tshark to identify malicious traffic patterns,
-  diagnose protocol issues, extract artifacts, and support incident response investigations on authorized network segments.
+description: 'Captures and analyzes network packet data using Wireshark and tshark
+  to identify malicious traffic patterns, diagnose protocol issues, extract artifacts,
+  and support incident response investigations on authorized network segments.

  '
 domain: cybersecurity
@@ -20,6 +21,11 @@ nist_csf:
 - DE.CM-01
 - ID.AM-03
 - PR.DS-02
+mitre_attack:
+- T1040
+- T1071
+- T1557
+- T1046
 ---
 # Analyzing Network Traffic with Wireshark

@@ -1,7 +1,8 @@
 ---
 name: analyzing-office365-audit-logs-for-compromise
-description: Parse Office 365 Unified Audit Logs via Microsoft Graph API to detect email forwarding rule creation, inbox delegation,
-  suspicious OAuth app grants, and other indicators of account compromise.
+description: Parse Office 365 Unified Audit Logs via Microsoft Graph API to detect
+  email forwarding rule creation, inbox delegation, suspicious OAuth app grants, and
+  other indicators of account compromise.
 domain: cybersecurity
 subdomain: cloud-security
 tags:
@@ -20,6 +21,11 @@ nist_csf:
 - ID.AM-08
 - GV.SC-06
 - DE.CM-01
+mitre_attack:
+- T1114.002
+- T1098.002
+- T1556.006
+- T1078.004
 ---

 # Analyzing Office 365 Audit Logs for Compromise
@@ -1,8 +1,9 @@
 ---
 name: analyzing-outlook-pst-for-email-forensics
-description: Analyze Microsoft Outlook PST and OST files for email forensic evidence including message content, headers, attachments,
-  deleted items, and metadata using libpff, pst-utils, and forensic email analysis tools for legal investigations and incident
-  response.
+description: Analyze Microsoft Outlook PST and OST files for email forensic evidence
+  including message content, headers, attachments, deleted items, and metadata using
+  libpff, pst-utils, and forensic email analysis tools for legal investigations and
+  incident response.
 domain: cybersecurity
 subdomain: digital-forensics
 tags:
@@ -28,6 +29,10 @@ nist_csf:
 - RS.AN-03
 - DE.AE-02
 - RS.MA-01
+mitre_attack:
+- T1114.001
+- T1564.008
+- T1070.008
 ---

 # Analyzing Outlook PST for Email Forensics
@@ -1,8 +1,10 @@
 ---
 name: analyzing-packed-malware-with-upx-unpacker
-description: 'Identifies and unpacks UPX-packed and other packed malware samples to expose the original executable code for
-  static analysis. Covers both standard UPX unpacking and handling modified UPX headers that prevent automated decompression.
-  Activates for requests involving malware unpacking, UPX decompression, packer removal, or preparing packed samples for analysis.
+description: 'Identifies and unpacks UPX-packed and other packed malware samples to
+  expose the original executable code for static analysis. Covers both standard UPX
+  unpacking and handling modified UPX headers that prevent automated decompression.
+  Activates for requests involving malware unpacking, UPX decompression, packer removal,
+  or preparing packed samples for analysis.

  '
 domain: cybersecurity
@@ -21,6 +23,10 @@ nist_csf:
 - RS.AN-03
 - ID.RA-01
 - DE.CM-01
+mitre_attack:
+- T1027.002
+- T1140
+- T1620
 ---

 # Analyzing Packed Malware with UPX Unpacker
@@ -1,9 +1,10 @@
 ---
 name: analyzing-pdf-malware-with-pdfid
-description: 'Analyzes malicious PDF files using PDFiD, pdf-parser, and peepdf to identify embedded JavaScript, shellcode,
-  exploits, and suspicious objects without opening the document. Determines the attack vector and extracts embedded payloads
-  for further analysis. Activates for requests involving PDF malware analysis, malicious document analysis, PDF exploit investigation,
-  or suspicious attachment triage.
+description: 'Analyzes malicious PDF files using PDFiD, pdf-parser, and peepdf to
+  identify embedded JavaScript, shellcode, exploits, and suspicious objects without
+  opening the document. Determines the attack vector and extracts embedded payloads
+  for further analysis. Activates for requests involving PDF malware analysis, malicious
+  document analysis, PDF exploit investigation, or suspicious attachment triage.

  '
 domain: cybersecurity
@@ -22,6 +23,11 @@ nist_csf:
 - RS.AN-03
 - ID.RA-01
 - DE.CM-01
+mitre_attack:
+- T1204.002
+- T1566.001
+- T1059.007
+- T1027
 ---

 # Analyzing PDF Malware with PDFiD
@@ -1,7 +1,8 @@
 ---
 name: analyzing-persistence-mechanisms-in-linux
-description: Detect and analyze Linux persistence mechanisms including crontab entries, systemd service units, LD_PRELOAD
-  hijacking, bashrc modifications, and authorized_keys backdoors using auditd and file integrity monitoring
+description: Detect and analyze Linux persistence mechanisms including crontab entries,
+  systemd service units, LD_PRELOAD hijacking, bashrc modifications, and authorized_keys
+  backdoors using auditd and file integrity monitoring
 domain: cybersecurity
 subdomain: threat-hunting
 tags:
@@ -17,6 +18,7 @@ mitre_attack:
 - T1543.002
 - T1574.006
 - T1546.004
+- T1098.004
 version: '1.0'
 author: mahipal
 license: Apache-2.0
@@ -1,7 +1,8 @@
 ---
 name: analyzing-powershell-empire-artifacts
-description: Detect PowerShell Empire framework artifacts in Windows event logs by identifying Base64 encoded launcher patterns,
-  default user agents, staging URL structures, stager IOCs, and known Empire module signatures in Script Block Logging events.
+description: Detect PowerShell Empire framework artifacts in Windows event logs by
+  identifying Base64 encoded launcher patterns, default user agents, staging URL structures,
+  stager IOCs, and known Empire module signatures in Script Block Logging events.
 domain: cybersecurity
 subdomain: threat-hunting
 tags:
@@ -32,6 +33,12 @@ nist_csf:
 - DE.AE-02
 - DE.AE-07
 - ID.RA-05
+mitre_attack:
+- T1059.001
+- T1071.001
+- T1003.001
+- T1558.003
+- T1027.010
 ---

 # Analyzing PowerShell Empire Artifacts
@@ -1,15 +1,19 @@
 ---
 name: analyzing-powershell-script-block-logging
-description: Parse Windows PowerShell Script Block Logs (Event ID 4104) from EVTX files to detect obfuscated commands, encoded
-  payloads, and living-off-the-land techniques. Uses python-evtx to extract and reconstruct multi-block scripts, applies entropy
-  analysis and pattern matching for Base64-encoded commands, Invoke-Expression abuse, download cradles, and AMSI bypass attempts.
+description: Parse Windows PowerShell Script Block Logs (Event ID 4104) from EVTX
+  files to detect obfuscated commands, encoded payloads, and living-off-the-land techniques.
+  Uses python-evtx to extract and reconstruct multi-block scripts, applies entropy
+  analysis and pattern matching for Base64-encoded commands, Invoke-Expression abuse,
+  download cradles, and AMSI bypass attempts.
 domain: cybersecurity
 subdomain: security-operations
 tags:
- analyzing
 - powershell
- script
- block
+- script-block-logging
+- event-id-4104
+- obfuscation-detection
+- windows-forensics
+- endpoint-security
 version: '1.0'
 author: mahipal
 license: Apache-2.0
@@ -18,6 +22,11 @@ nist_csf:
 - RS.MA-01
 - GV.OV-01
 - DE.AE-02
+mitre_attack:
+- T1059.001
+- T1027.010
+- T1140
+- T1105
 ---


@@ -1,7 +1,7 @@
 ---
 name: analyzing-prefetch-files-for-execution-history
-description: Parse Windows Prefetch files to determine program execution history including run counts, timestamps, and referenced
-  files for forensic investigation.
+description: Parse Windows Prefetch files to determine program execution history including
+  run counts, timestamps, and referenced files for forensic investigation.
 domain: cybersecurity
 subdomain: digital-forensics
 tags:
@@ -19,6 +19,11 @@ nist_csf:
 - RS.AN-03
 - DE.AE-02
 - RS.MA-01
+mitre_attack:
+- T1059.001
+- T1003.001
+- T1021.002
+- T1567.002
 ---

 # Analyzing Prefetch Files for Execution History
@@ -1,9 +1,10 @@
 ---
 name: analyzing-ransomware-encryption-mechanisms
-description: 'Analyzes encryption algorithms, key management, and file encryption routines used by ransomware families to
-  assess decryption feasibility, identify implementation weaknesses, and support recovery efforts. Covers AES, RSA, ChaCha20,
-  and hybrid encryption schemes. Activates for requests involving ransomware cryptanalysis, encryption analysis, key recovery
-  assessment, or ransomware decryption feasibility.
+description: 'Analyzes encryption algorithms, key management, and file encryption
+  routines used by ransomware families to assess decryption feasibility, identify
+  implementation weaknesses, and support recovery efforts. Covers AES, RSA, ChaCha20,
+  and hybrid encryption schemes. Activates for requests involving ransomware cryptanalysis,
+  encryption analysis, key recovery assessment, or ransomware decryption feasibility.

  '
 domain: cybersecurity
@@ -22,6 +23,11 @@ nist_csf:
 - RS.AN-03
 - ID.RA-01
 - DE.CM-01
+mitre_attack:
+- T1486
+- T1573.001
+- T1573.002
+- T1027
 ---

 # Analyzing Ransomware Encryption Mechanisms
@@ -1,7 +1,8 @@
 ---
 name: analyzing-ransomware-leak-site-intelligence
-description: Monitor and analyze ransomware group data leak sites (DLS) to track victim postings, extract threat intelligence
-  on group tactics, and assess sector-specific ransomware risk for proactive defense.
+description: Monitor and analyze ransomware group data leak sites (DLS) to track victim
+  postings, extract threat intelligence on group tactics, and assess sector-specific
+  ransomware risk for proactive defense.
 domain: cybersecurity
 subdomain: threat-intelligence
 tags:
@@ -10,7 +11,7 @@ tags:
 - data-leak
 - extortion
 - threat-intelligence
- monitoring
+- leak-site-monitoring
 - dls
 - victim-tracking
 version: '1.0'
@@ -21,6 +22,11 @@ nist_csf:
 - ID.RA-05
 - DE.CM-01
 - DE.AE-02
+mitre_attack:
+- T1657
+- T1486
+- T1567.002
+- T1591
 ---
 # Analyzing Ransomware Leak Site Intelligence

@@ -1,7 +1,8 @@
 ---
 name: analyzing-ransomware-network-indicators
-description: Identify ransomware network indicators including C2 beaconing patterns, TOR exit node connections, data exfiltration
-  flows, and encryption key exchange via Zeek conn.log and NetFlow analysis
+description: Identify ransomware network indicators including C2 beaconing patterns,
+  TOR exit node connections, data exfiltration flows, and encryption key exchange
+  via Zeek conn.log and NetFlow analysis
 domain: cybersecurity
 subdomain: threat-hunting
 tags:
@@ -26,6 +27,12 @@ nist_csf:
 - DE.AE-02
 - DE.AE-07
 - ID.RA-05
+mitre_attack:
+- T1071.001
+- T1573
+- T1048
+- T1567.002
+- T1486
 ---

 # Analyzing Ransomware Network Indicators
@@ -1,9 +1,11 @@
 ---
 name: analyzing-ransomware-payment-wallets
-description: 'Traces ransomware cryptocurrency payment flows using blockchain analysis tools such as Chainalysis Reactor,
-  WalletExplorer, and blockchain.com APIs. Identifies wallet clusters, tracks fund movement through mixers and exchanges,
-  and supports law enforcement attribution. Activates for requests involving ransomware payment tracing, bitcoin wallet analysis,
-  cryptocurrency forensics, or blockchain intelligence gathering.
+description: 'Traces ransomware cryptocurrency payment flows using blockchain analysis
+  tools such as Chainalysis Reactor, WalletExplorer, and blockchain.com APIs. Identifies
+  wallet clusters, tracks fund movement through mixers and exchanges, and supports
+  law enforcement attribution. Activates for requests involving ransomware payment
+  tracing, bitcoin wallet analysis, cryptocurrency forensics, or blockchain intelligence
+  gathering.

  '
 domain: cybersecurity
@@ -23,6 +25,9 @@ nist_csf:
 - RS.MA-01
 - RC.RP-01
 - PR.IR-01
+mitre_attack:
+- T1657
+- T1486
 ---

 # Analyzing Ransomware Payment Wallets
@@ -1,9 +1,11 @@
 ---
 name: analyzing-sbom-for-supply-chain-vulnerabilities
-description: 'Parses Software Bill of Materials (SBOM) in CycloneDX and SPDX JSON formats to identify supply chain vulnerabilities
-  by correlating components against the NVD CVE database via the NVD 2.0 API. Builds dependency graphs, calculates risk scores,
-  identifies transitive vulnerability paths, and generates compliance reports. Activates for requests involving SBOM analysis,
-  software composition analysis, supply chain security assessment, dependency vulnerability scanning, CycloneDX/SPDX parsing,
+description: 'Parses Software Bill of Materials (SBOM) in CycloneDX and SPDX JSON
+  formats to identify supply chain vulnerabilities by correlating components against
+  the NVD CVE database via the NVD 2.0 API. Builds dependency graphs, calculates risk
+  scores, identifies transitive vulnerability paths, and generates compliance reports.
+  Activates for requests involving SBOM analysis, software composition analysis, supply
+  chain security assessment, dependency vulnerability scanning, CycloneDX/SPDX parsing,
  or CVE correlation.

  '
@@ -36,6 +38,11 @@ nist_csf:
 - GV.SC-03
 - GV.SC-06
 - GV.SC-07
+mitre_attack:
+- T1195.001
+- T1195.002
+- T1554
+- T1190
 ---

 # Analyzing SBOM for Supply Chain Vulnerabilities
@@ -1,9 +1,11 @@
 ---
 name: analyzing-security-logs-with-splunk
-description: 'Leverages Splunk Enterprise Security and SPL (Search Processing Language) to investigate security incidents
-  through log correlation, timeline reconstruction, and anomaly detection. Covers Windows event logs, firewall logs, proxy
-  logs, and authentication data analysis. Activates for requests involving Splunk investigation, SPL queries, SIEM log analysis,
-  security event correlation, or log-based incident investigation.
+description: 'Leverages Splunk Enterprise Security and SPL (Search Processing Language)
+  to investigate security incidents through log correlation, timeline reconstruction,
+  and anomaly detection. Covers Windows event logs, firewall logs, proxy logs, and
+  authentication data analysis. Activates for requests involving Splunk investigation,
+  SPL queries, SIEM log analysis, security event correlation, or log-based incident
+  investigation.

  '
 domain: cybersecurity
@@ -15,9 +17,11 @@ tags:
 - log-analysis
 - security-monitoring
 mitre_attack:
- T1070
- T1562
- T1059
+- T1110
+- T1550.002
+- T1021.001
+- T1059.001
+- T1003.001
 version: 1.0.0
 author: mahipal
 license: Apache-2.0
@@ -1,7 +1,7 @@
 ---
 name: analyzing-slack-space-and-file-system-artifacts
-description: Examine file system slack space, MFT entries, USN journal, and alternate data streams to recover hidden data
-  and reconstruct file activity on NTFS volumes.
+description: Examine file system slack space, MFT entries, USN journal, and alternate
+  data streams to recover hidden data and reconstruct file activity on NTFS volumes.
 domain: cybersecurity
 subdomain: digital-forensics
 tags:
@@ -20,6 +20,12 @@ nist_csf:
 - RS.AN-03
 - DE.AE-02
 - RS.MA-01
+mitre_attack:
+- T1070.006
+- T1564.004
+- T1070.004
+- T1005
+- T1006
 ---

 # Analyzing Slack Space and File System Artifacts
@@ -1,7 +1,8 @@
 ---
 name: analyzing-supply-chain-malware-artifacts
-description: Investigate supply chain attack artifacts including trojanized software updates, compromised build pipelines,
-  and sideloaded dependencies to identify intrusion vectors and scope of compromise.
+description: Investigate supply chain attack artifacts including trojanized software
+  updates, compromised build pipelines, and sideloaded dependencies to identify intrusion
+  vectors and scope of compromise.
 domain: cybersecurity
 subdomain: malware-analysis
 tags:
@@ -33,6 +34,12 @@ nist_csf:
 - RS.AN-03
 - ID.RA-01
 - DE.CM-01
+mitre_attack:
+- T1195.002
+- T1195.001
+- T1554
+- T1553.002
+- T1027
 ---
 # Analyzing Supply Chain Malware Artifacts

@@ -1,7 +1,8 @@
 ---
 name: analyzing-threat-actor-ttps-with-mitre-attack
-description: MITRE ATT&CK is a globally-accessible knowledge base of adversary tactics, techniques, and procedures (TTPs)
-  based on real-world observations. This skill covers systematically mapping threat actor beh
+description: MITRE ATT&CK is a globally-accessible knowledge base of adversary tactics,
+  techniques, and procedures (TTPs) based on real-world observations. This skill covers
+  systematically mapping threat actor beh
 domain: cybersecurity
 subdomain: threat-intelligence
 tags:
@@ -26,6 +27,12 @@ nist_csf:
 - ID.RA-05
 - DE.CM-01
 - DE.AE-02
+mitre_attack:
+- T1566.001
+- T1059.001
+- T1071.001
+- T1547.001
+- T1053.005
 ---
 # Analyzing Threat Actor TTPs with MITRE ATT&CK

@@ -1,9 +1,11 @@
 ---
 name: analyzing-threat-actor-ttps-with-mitre-navigator
-description: 'Map advanced persistent threat (APT) group tactics, techniques, and procedures (TTPs) to the MITRE ATT&CK framework
-  using the ATT&CK Navigator and attackcti Python library. The analyst queries STIX/TAXII data for group-technique associations,
-  generates Navigator layer files for visualization, and compares defensive coverage against adversary profiles. Activates
-  for requests involving APT TTP mapping, ATT&CK Navigator layers, threat actor profiling, or MITRE technique coverage analysis.
+description: 'Map advanced persistent threat (APT) group tactics, techniques, and
+  procedures (TTPs) to the MITRE ATT&CK framework using the ATT&CK Navigator and attackcti
+  Python library. The analyst queries STIX/TAXII data for group-technique associations,
+  generates Navigator layer files for visualization, and compares defensive coverage
+  against adversary profiles. Activates for requests involving APT TTP mapping, ATT&CK
+  Navigator layers, threat actor profiling, or MITRE technique coverage analysis.

  '
 domain: cybersecurity
@@ -38,6 +40,12 @@ nist_csf:
 - ID.RA-05
 - DE.CM-01
 - DE.AE-02
+mitre_attack:
+- T1566.001
+- T1059.001
+- T1071.001
+- T1547.001
+- T1053.005
 ---
 # Analyzing Threat Actor TTPs with MITRE Navigator

@@ -1,9 +1,11 @@
 ---
 name: analyzing-threat-intelligence-feeds
-description: 'Analyzes structured and unstructured threat intelligence feeds to extract actionable indicators, adversary tactics,
-  and campaign context. Use when ingesting commercial or open-source CTI feeds, evaluating feed quality, normalizing data
-  into STIX 2.1 format, or enriching existing IOCs with campaign attribution. Activates for requests involving ThreatConnect,
-  Recorded Future, Mandiant Advantage, MISP, AlienVault OTX, or automated feed aggregation pipelines.
+description: 'Analyzes structured and unstructured threat intelligence feeds to extract
+  actionable indicators, adversary tactics, and campaign context. Use when ingesting
+  commercial or open-source CTI feeds, evaluating feed quality, normalizing data into
+  STIX 2.1 format, or enriching existing IOCs with campaign attribution. Activates
+  for requests involving ThreatConnect, Recorded Future, Mandiant Advantage, MISP,
+  AlienVault OTX, or automated feed aggregation pipelines.

  '
 domain: cybersecurity
@@ -26,6 +28,12 @@ nist_csf:
 - ID.RA-05
 - DE.CM-01
 - DE.AE-02
+mitre_attack:
+- T1071.001
+- T1566
+- T1568
+- T1583.001
+- T1102
 ---
 # Analyzing Threat Intelligence Feeds

@@ -1,16 +1,19 @@
 ---
 name: analyzing-threat-landscape-with-misp
-description: Analyze the threat landscape using MISP (Malware Information Sharing Platform) by querying event statistics,
-  attribute distributions, threat actor galaxy clusters, and tag trends over time. Uses PyMISP to pull event data, compute
-  IOC type breakdowns, identify top threat actors and malware families, and generate threat landscape reports with temporal
-  trends.
+description: Analyze the threat landscape using MISP (Malware Information Sharing
+  Platform) by querying event statistics, attribute distributions, threat actor galaxy
+  clusters, and tag trends over time. Uses PyMISP to pull event data, compute IOC
+  type breakdowns, identify top threat actors and malware families, and generate threat
+  landscape reports with temporal trends.
 domain: cybersecurity
 subdomain: threat-intelligence
 tags:
- analyzing
- threat
- landscape
- with
+- threat-intelligence
+- misp
+- threat-landscape
+- ioc-analysis
+- cti
+- threat-sharing
 version: '1.0'
 author: mahipal
 license: Apache-2.0
@@ -25,6 +28,12 @@ nist_csf:
 - ID.RA-05
 - DE.CM-01
 - DE.AE-02
+mitre_attack:
+- T1566
+- T1071.001
+- T1568
+- T1583.001
+- T1102
 ---


@@ -1,17 +1,20 @@
 ---
 name: analyzing-tls-certificate-transparency-logs
-description: 'Queries Certificate Transparency logs via crt.sh and pycrtsh to detect phishing domains, unauthorized certificate
-  issuance, and shadow IT. Monitors newly issued certificates for typosquatting and brand impersonation using Levenshtein
+description: 'Queries Certificate Transparency logs via crt.sh and pycrtsh to detect
+  phishing domains, unauthorized certificate issuance, and shadow IT. Monitors newly
+  issued certificates for typosquatting and brand impersonation using Levenshtein
  distance. Use for proactive phishing domain detection and certificate monitoring.

  '
 domain: cybersecurity
 subdomain: security-operations
 tags:
- analyzing
- tls
- certificate
- transparency
+- certificate-transparency
+- ct-logs
+- crt-sh
+- phishing-detection
+- tls-monitoring
+- security-operations
 version: '1.0'
 author: mahipal
 license: Apache-2.0
@@ -23,6 +26,11 @@ nist_csf:
 - RS.MA-01
 - GV.OV-01
 - DE.AE-02
+mitre_attack:
+- T1583.001
+- T1566.002
+- T1598.003
+- T1583.006
 ---

 # Analyzing TLS Certificate Transparency Logs
@@ -1,7 +1,8 @@
 ---
 name: analyzing-typosquatting-domains-with-dnstwist
-description: Detect typosquatting, homograph phishing, and brand impersonation domains using dnstwist to generate domain permutations
-  and identify registered lookalike domains targeting your organization.
+description: Detect typosquatting, homograph phishing, and brand impersonation domains
+  using dnstwist to generate domain permutations and identify registered lookalike
+  domains targeting your organization.
 domain: cybersecurity
 subdomain: threat-intelligence
 tags:
@@ -24,6 +25,11 @@ nist_csf:
 - ID.RA-05
 - DE.CM-01
 - DE.AE-02
+mitre_attack:
+- T1583.001
+- T1566.002
+- T1598.003
+- T1583.006
 ---
 # Analyzing Typosquatting Domains with DNSTwist

@@ -1,10 +1,12 @@
 ---
 name: analyzing-uefi-bootkit-persistence
-description: 'Analyzes UEFI bootkit persistence mechanisms including firmware implants in SPI flash, EFI System Partition
-  (ESP) modifications, Secure Boot bypass techniques, and UEFI variable manipulation. Covers detection of known bootkit families
-  (BlackLotus, LoJax, MosaicRegressor, MoonBounce, CosmicStrand), ESP partition forensic inspection, chipsec-based firmware
-  integrity verification, and Secure Boot configuration auditing. Activates for requests involving UEFI malware analysis,
-  firmware persistence investigation, boot chain integrity verification, or Secure Boot bypass detection.
+description: 'Analyzes UEFI bootkit persistence mechanisms including firmware implants
+  in SPI flash, EFI System Partition (ESP) modifications, Secure Boot bypass techniques,
+  and UEFI variable manipulation. Covers detection of known bootkit families (BlackLotus,
+  LoJax, MosaicRegressor, MoonBounce, CosmicStrand), ESP partition forensic inspection,
+  chipsec-based firmware integrity verification, and Secure Boot configuration auditing.
+  Activates for requests involving UEFI malware analysis, firmware persistence investigation,
+  boot chain integrity verification, or Secure Boot bypass detection.

  '
 domain: cybersecurity
@@ -30,6 +32,12 @@ nist_csf:
 - ID.RA-01
 - PR.PS-01
 - PR.PS-02
+mitre_attack:
+- T1542.001
+- T1542.003
+- T1553.006
+- T1542
+- T1014
 ---

 # Analyzing UEFI Bootkit Persistence
@@ -1,7 +1,7 @@
 ---
 name: analyzing-usb-device-connection-history
-description: Investigate USB device connection history from Windows registry, event logs, and setupapi logs to track removable
-  media usage and potential data exfiltration.
+description: Investigate USB device connection history from Windows registry, event
+  logs, and setupapi logs to track removable media usage and potential data exfiltration.
 domain: cybersecurity
 subdomain: digital-forensics
 tags:
@@ -19,6 +19,12 @@ nist_csf:
 - RS.AN-03
 - DE.AE-02
 - RS.MA-01
+mitre_attack:
+- T1052.001
+- T1025
+- T1091
+- T1005
+- T1074.001
 ---

 # Analyzing USB Device Connection History
@@ -1,15 +1,20 @@
 ---
 name: analyzing-web-server-logs-for-intrusion
-description: Parse Apache and Nginx access logs to detect SQL injection attempts, local file inclusion, directory traversal,
-  web scanner fingerprints, and brute-force patterns. Uses regex-based pattern matching against OWASP attack signatures, GeoIP
-  enrichment for source attribution, and statistical anomaly detection for request frequency and response size outliers.
+description: Parse Apache and Nginx access logs to detect SQL injection attempts,
+  local file inclusion, directory traversal, web scanner fingerprints, and brute-force
+  patterns. Uses regex-based pattern matching against OWASP attack signatures, GeoIP
+  enrichment for source attribution, and statistical anomaly detection for request
+  frequency and response size outliers.
 domain: cybersecurity
 subdomain: security-operations
 tags:
- analyzing
- web
- server
- logs
+- web-log-analysis
+- apache-logs
+- nginx-logs
+- sql-injection-detection
+- lfi-detection
+- directory-traversal
+- intrusion-detection
 version: '1.0'
 author: mahipal
 license: Apache-2.0
@@ -18,6 +23,12 @@ nist_csf:
 - RS.MA-01
 - GV.OV-01
 - DE.AE-02
+mitre_attack:
+- T1190
+- T1059.007
+- T1110
+- T1595.002
+- T1505.003
 ---


@@ -1,9 +1,12 @@
 ---
 name: analyzing-windows-amcache-artifacts
-description: 'Parses and analyzes the Windows Amcache.hve registry hive to extract evidence of program execution, application
-  installation, and driver loading for digital forensics investigations. Uses Eric Zimmerman''s AmcacheParser and Timeline
-  Explorer for artifact extraction, SHA-1 hash correlation with threat intel, and timeline reconstruction. Activates for requests
-  involving Amcache forensics, program execution evidence, Windows artifact analysis, or application compatibility cache investigation.
+description: 'Parses and analyzes the Windows Amcache.hve registry hive to extract
+  evidence of program execution, application installation, and driver loading for
+  digital forensics investigations. Uses Eric Zimmerman''s AmcacheParser and Timeline
+  Explorer for artifact extraction, SHA-1 hash correlation with threat intel, and
+  timeline reconstruction. Activates for requests involving Amcache forensics, program
+  execution evidence, Windows artifact analysis, or application compatibility cache
+  investigation.

  '
 domain: cybersecurity
@@ -24,6 +27,12 @@ nist_csf:
 - RS.AN-03
 - DE.AE-02
 - RS.MA-01
+mitre_attack:
+- T1070.004
+- T1070.006
+- T1036.005
+- T1014
+- T1005
 ---

 # Analyzing Windows Amcache Artifacts
@@ -1,9 +1,10 @@
 ---
 name: analyzing-windows-event-logs-in-splunk
-description: 'Analyzes Windows Security, System, and Sysmon event logs in Splunk to detect authentication attacks, privilege
-  escalation, persistence mechanisms, and lateral movement using SPL queries mapped to MITRE ATT&CK techniques. Use when SOC
-  analysts need to investigate Windows-based threats, build detection queries, or perform forensic timeline analysis of Windows
-  endpoints and domain controllers.
+description: 'Analyzes Windows Security, System, and Sysmon event logs in Splunk to
+  detect authentication attacks, privilege escalation, persistence mechanisms, and
+  lateral movement using SPL queries mapped to MITRE ATT&CK techniques. Use when SOC
+  analysts need to investigate Windows-based threats, build detection queries, or
+  perform forensic timeline analysis of Windows endpoints and domain controllers.

  '
 domain: cybersecurity
@@ -30,6 +31,13 @@ nist_csf:
 - DE.AE-02
 - RS.MA-01
 - DE.AE-06
+mitre_attack:
+- T1110
+- T1053.005
+- T1547.001
+- T1021.002
+- T1558.003
+- T1003.006
 ---
 # Analyzing Windows Event Logs in Splunk

@@ -1,7 +1,7 @@
 ---
 name: analyzing-windows-lnk-files-for-artifacts
-description: Parse Windows LNK shortcut files to extract target paths, timestamps, volume information, and machine identifiers
-  for forensic timeline reconstruction.
+description: Parse Windows LNK shortcut files to extract target paths, timestamps,
+  volume information, and machine identifiers for forensic timeline reconstruction.
 domain: cybersecurity
 subdomain: digital-forensics
 tags:
@@ -19,6 +19,12 @@ nist_csf:
 - RS.AN-03
 - DE.AE-02
 - RS.MA-01
+mitre_attack:
+- T1547.001
+- T1204.002
+- T1005
+- T1025
+- T1074.001
 ---

 # Analyzing Windows LNK Files for Artifacts
@@ -1,7 +1,8 @@
 ---
 name: analyzing-windows-prefetch-with-python
-description: Parse Windows Prefetch files using the windowsprefetch Python library to reconstruct application execution history,
-  detect renamed or masquerading binaries, and identify suspicious program execution patterns.
+description: Parse Windows Prefetch files using the windowsprefetch Python library
+  to reconstruct application execution history, detect renamed or masquerading binaries,
+  and identify suspicious program execution patterns.
 domain: cybersecurity
 subdomain: digital-forensics
 tags:
@@ -12,9 +13,11 @@ tags:
 - incident-response
 - malware-analysis
 mitre_attack:
- T1059
- T1204
- T1036
+- T1036.005
+- T1070.004
+- T1070
+- T1003.001
+- T1057
 version: '1.0'
 author: mahipal
 license: Apache-2.0
@@ -1,7 +1,7 @@
 ---
 name: analyzing-windows-registry-for-artifacts
-description: Extract and analyze Windows Registry hives to uncover user activity, installed software, autostart entries, and
-  evidence of system compromise.
+description: Extract and analyze Windows Registry hives to uncover user activity,
+  installed software, autostart entries, and evidence of system compromise.
 domain: cybersecurity
 subdomain: digital-forensics
 tags:
@@ -19,6 +19,12 @@ nist_csf:
 - RS.AN-03
 - DE.AE-02
 - RS.MA-01
+mitre_attack:
+- T1012
+- T1547.001
+- T1112
+- T1003.002
+- T1025
 ---

 # Analyzing Windows Registry for Artifacts
@@ -1,8 +1,8 @@
 ---
 name: analyzing-windows-shellbag-artifacts
-description: Analyze Windows Shellbag registry artifacts to reconstruct folder browsing activity, detect access to removable
-  media and network shares, and establish user interaction with directories even after deletion using SBECmd and ShellBags
-  Explorer.
+description: Analyze Windows Shellbag registry artifacts to reconstruct folder browsing
+  activity, detect access to removable media and network shares, and establish user
+  interaction with directories even after deletion using SBECmd and ShellBags Explorer.
 domain: cybersecurity
 subdomain: digital-forensics
 tags:
@@ -24,6 +24,12 @@ nist_csf:
 - RS.AN-03
 - DE.AE-02
 - RS.MA-01
+mitre_attack:
+- T1083
+- T1074.001
+- T1135
+- T1025
+- T1070.004
 ---

 # Analyzing Windows Shellbag Artifacts
@@ -1,7 +1,8 @@
 ---
 name: auditing-aws-s3-bucket-permissions
-description: 'Systematically audit AWS S3 bucket permissions to identify publicly accessible buckets, overly permissive ACLs,
-  misconfigured bucket policies, and missing encryption settings using AWS CLI, S3audit, and Prowler to enforce least-privilege
+description: 'Systematically audit AWS S3 bucket permissions to identify publicly
+  accessible buckets, overly permissive ACLs, misconfigured bucket policies, and missing
+  encryption settings using AWS CLI, S3audit, and Prowler to enforce least-privilege
  data access controls.

  '
@@ -22,6 +23,12 @@ nist_csf:
 - ID.AM-08
 - GV.SC-06
 - DE.CM-01
+mitre_attack:
+- T1530
+- T1619
+- T1078.004
+- T1537
+- T1567.002
 ---

 # Auditing AWS S3 Bucket Permissions
@@ -1,7 +1,8 @@
 ---
 name: auditing-azure-active-directory-configuration
-description: 'Auditing Microsoft Entra ID (Azure Active Directory) configuration to identify risky authentication policies,
-  overly permissive role assignments, stale accounts, conditional access gaps, and guest user risks using AzureAD PowerShell,
+description: 'Auditing Microsoft Entra ID (Azure Active Directory) configuration to
+  identify risky authentication policies, overly permissive role assignments, stale
+  accounts, conditional access gaps, and guest user risks using AzureAD PowerShell,
  Microsoft Graph API, and ScoutSuite.

  '
@@ -22,6 +23,12 @@ nist_csf:
 - ID.AM-08
 - GV.SC-06
 - DE.CM-01
+mitre_attack:
+- T1078.004
+- T1098.003
+- T1556.006
+- T1069.003
+- T1526
 ---

 # Auditing Azure Active Directory Configuration
@@ -1,9 +1,10 @@
 ---
 name: auditing-cloud-with-cis-benchmarks
-description: 'This skill details how to conduct cloud security audits using Center for Internet Security benchmarks for AWS,
-  Azure, and GCP. It covers interpreting CIS Foundations Benchmark controls, running automated assessments with tools like
-  Prowler and ScoutSuite, remediating failed controls, and maintaining continuous compliance monitoring against CIS v5 for
-  AWS, v4 for Azure, and v4 for GCP.
+description: 'This skill details how to conduct cloud security audits using Center
+  for Internet Security benchmarks for AWS, Azure, and GCP. It covers interpreting
+  CIS Foundations Benchmark controls, running automated assessments with tools like
+  Prowler and ScoutSuite, remediating failed controls, and maintaining continuous
+  compliance monitoring against CIS v5 for AWS, v4 for Azure, and v4 for GCP.

  '
 domain: cybersecurity
@@ -26,6 +27,12 @@ nist_csf:
 - ID.AM-08
 - GV.SC-06
 - DE.CM-01
+mitre_attack:
+- T1078.004
+- T1530
+- T1098.003
+- T1685.002
+- T1580
 ---

 # Auditing Cloud with CIS Benchmarks
@@ -1,7 +1,8 @@
 ---
 name: auditing-gcp-iam-permissions
-description: 'Auditing Google Cloud Platform IAM permissions to identify overly permissive bindings, primitive role usage,
-  service account key proliferation, and cross-project access risks using gcloud CLI, Policy Analyzer, and IAM Recommender.
+description: 'Auditing Google Cloud Platform IAM permissions to identify overly permissive
+  bindings, primitive role usage, service account key proliferation, and cross-project
+  access risks using gcloud CLI, Policy Analyzer, and IAM Recommender.

  '
 domain: cybersecurity
@@ -21,6 +22,12 @@ nist_csf:
 - ID.AM-08
 - GV.SC-06
 - DE.CM-01
+mitre_attack:
+- T1078.004
+- T1098.003
+- T1528
+- T1548.005
+- T1580
 ---

 # Auditing GCP IAM Permissions
@@ -1,7 +1,8 @@
 ---
 name: auditing-kubernetes-cluster-rbac
-description: 'Auditing Kubernetes cluster RBAC configurations to identify overly permissive roles, wildcard permissions, dangerous
-  ClusterRoleBindings, service account abuse, and privilege escalation paths using kubectl, rbac-tool, KubiScan, and Kubeaudit.
+description: 'Auditing Kubernetes cluster RBAC configurations to identify overly permissive
+  roles, wildcard permissions, dangerous ClusterRoleBindings, service account abuse,
+  and privilege escalation paths using kubectl, rbac-tool, KubiScan, and Kubeaudit.

  '
 domain: cybersecurity
@@ -22,6 +23,12 @@ nist_csf:
 - ID.AM-08
 - GV.SC-06
 - DE.CM-01
+mitre_attack:
+- T1098.006
+- T1552.007
+- T1611
+- T1613
+- T1078.004
 ---

 # Auditing Kubernetes Cluster RBAC
@@ -1,7 +1,8 @@
 ---
 name: auditing-terraform-infrastructure-for-security
-description: 'Auditing Terraform infrastructure-as-code for security misconfigurations using Checkov, tfsec, Terrascan, and
-  OPA/Rego policies to detect overly permissive IAM policies, public resource exposure, missing encryption, and insecure defaults
+description: 'Auditing Terraform infrastructure-as-code for security misconfigurations
+  using Checkov, tfsec, Terrascan, and OPA/Rego policies to detect overly permissive
+  IAM policies, public resource exposure, missing encryption, and insecure defaults
  before cloud deployment.

  '
@@ -22,6 +23,12 @@ nist_csf:
 - ID.AM-08
 - GV.SC-06
 - DE.CM-01
+mitre_attack:
+- T1078.004
+- T1530
+- T1190
+- T1552.001
+- T1580
 ---

 # Auditing Terraform Infrastructure for Security
@@ -1,10 +1,12 @@
 ---
 name: auditing-tls-certificate-transparency-logs
-description: 'Monitors Certificate Transparency (CT) logs to detect unauthorized certificate issuance, discover subdomains
-  via CT data, and alert on suspicious certificate activity for owned domains. Uses the crt.sh API and direct CT log querying
-  based on RFC 6962 to build continuous monitoring pipelines that catch rogue certificates, track CA behavior, and map the
-  external attack surface. Activates for requests involving certificate transparency monitoring, CT log auditing, subdomain
-  discovery via certificates, or certificate issuance alerting.
+description: 'Monitors Certificate Transparency (CT) logs to detect unauthorized certificate
+  issuance, discover subdomains via CT data, and alert on suspicious certificate activity
+  for owned domains. Uses the crt.sh API and direct CT log querying based on RFC 6962
+  to build continuous monitoring pipelines that catch rogue certificates, track CA
+  behavior, and map the external attack surface. Activates for requests involving
+  certificate transparency monitoring, CT log auditing, subdomain discovery via certificates,
+  or certificate issuance alerting.

  '
 domain: cybersecurity
@@ -24,6 +26,12 @@ nist_csf:
 - ID.RA-05
 - DE.CM-01
 - DE.AE-02
+mitre_attack:
+- T1596.003
+- T1583.001
+- T1587.003
+- T1593
+- T1566.002
 ---
 # Auditing TLS Certificate Transparency Logs

@@ -1,10 +1,12 @@
 ---
 name: automating-ioc-enrichment
-description: 'Automates the enrichment of raw indicators of compromise with multi-source threat intelligence context using
-  SOAR platforms, Python pipelines, or TIP playbooks to reduce analyst triage time and standardize enrichment outputs. Use
-  when building automated enrichment workflows integrated with SIEM alerts, email submission pipelines, or bulk IOC processing
-  from threat feeds. Activates for requests involving SOAR enrichment, Cortex XSOAR, Splunk SOAR, TheHive, Python enrichment
-  pipelines, or automated IOC processing.
+description: 'Automates the enrichment of raw indicators of compromise with multi-source
+  threat intelligence context using SOAR platforms, Python pipelines, or TIP playbooks
+  to reduce analyst triage time and standardize enrichment outputs. Use when building
+  automated enrichment workflows integrated with SIEM alerts, email submission pipelines,
+  or bulk IOC processing from threat feeds. Activates for requests involving SOAR
+  enrichment, Cortex XSOAR, Splunk SOAR, TheHive, Python enrichment pipelines, or
+  automated IOC processing.

  '
 domain: cybersecurity
@@ -27,6 +29,12 @@ nist_csf:
 - ID.RA-05
 - DE.CM-01
 - DE.AE-02
+mitre_attack:
+- T1071.001
+- T1583.001
+- T1588.001
+- T1590.005
+- T1596
 ---
 # Automating IOC Enrichment

@@ -1,7 +1,8 @@
 ---
 name: building-adversary-infrastructure-tracking-system
-description: Build an automated system to track adversary infrastructure using passive DNS, certificate transparency, WHOIS
-  data, and IP enrichment to map and monitor threat actor command-and-control networks.
+description: Build an automated system to track adversary infrastructure using passive
+  DNS, certificate transparency, WHOIS data, and IP enrichment to map and monitor
+  threat actor command-and-control networks.
 domain: cybersecurity
 subdomain: threat-intelligence
 tags:
@@ -21,6 +22,12 @@ nist_csf:
 - ID.RA-05
 - DE.CM-01
 - DE.AE-02
+mitre_attack:
+- T1583.001
+- T1583.004
+- T1596.001
+- T1590.002
+- T1071.001
 ---
 # Building Adversary Infrastructure Tracking System

@@ -1,7 +1,8 @@
 ---
 name: building-attack-pattern-library-from-cti-reports
-description: Extract and catalog attack patterns from cyber threat intelligence reports into a structured STIX-based library
-  mapped to MITRE ATT&CK for detection engineering and threat-informed defense.
+description: Extract and catalog attack patterns from cyber threat intelligence reports
+  into a structured STIX-based library mapped to MITRE ATT&CK for detection engineering
+  and threat-informed defense.
 domain: cybersecurity
 subdomain: threat-intelligence
 tags:
@@ -27,6 +28,12 @@ nist_csf:
 - ID.RA-05
 - DE.CM-01
 - DE.AE-02
+mitre_attack:
+- T1566.001
+- T1059.001
+- T1003.001
+- T1558.003
+- T1550.002
 ---
 # Building Attack Pattern Library from CTI Reports

@@ -1,8 +1,10 @@
 ---
 name: building-automated-malware-submission-pipeline
-description: 'Builds an automated malware submission and analysis pipeline that collects suspicious files from endpoints and
-  email gateways, submits them to sandbox environments and multi-engine scanners, and generates verdicts with IOCs for SIEM
-  integration. Use when SOC teams need to scale malware analysis beyond manual sandbox submissions for high-volume alert triage.
+description: 'Builds an automated malware submission and analysis pipeline that collects
+  suspicious files from endpoints and email gateways, submits them to sandbox environments
+  and multi-engine scanners, and generates verdicts with IOCs for SIEM integration.
+  Use when SOC teams need to scale malware analysis beyond manual sandbox submissions
+  for high-volume alert triage.

  '
 domain: cybersecurity
@@ -24,6 +26,12 @@ nist_csf:
 - DE.AE-02
 - RS.MA-01
 - DE.AE-06
+mitre_attack:
+- T1204.002
+- T1566.001
+- T1027
+- T1055
+- T1497
 ---
 # Building Automated Malware Submission Pipeline

@@ -1,7 +1,8 @@
 ---
 name: building-c2-infrastructure-with-sliver-framework
-description: Build and configure a resilient command-and-control infrastructure using BishopFox's Sliver C2 framework with
-  redirectors, HTTPS listeners, and multi-operator support for authorized red team engagements.
+description: Build and configure a resilient command-and-control infrastructure using
+  BishopFox's Sliver C2 framework with redirectors, HTTPS listeners, and multi-operator
+  support for authorized red team engagements.
 domain: cybersecurity
 subdomain: red-teaming
 tags:
@@ -25,6 +26,13 @@ nist_csf:
 - ID.RA-01
 - GV.OV-02
 - DE.AE-07
+mitre_attack:
+- T1071.001
+- T1071.004
+- T1573.002
+- T1090.002
+- T1105
+- T1572
 ---
 # Building C2 Infrastructure with Sliver Framework

@@ -1,9 +1,10 @@
 ---
 name: building-cloud-siem-with-sentinel
-description: 'This skill covers deploying Microsoft Sentinel as a cloud-native SIEM and SOAR platform for centralized security
-  operations. It details configuring data connectors for multi-cloud log ingestion, writing KQL detection queries, building
-  automated response playbooks with Logic Apps, and leveraging the Sentinel data lake for petabyte-scale threat hunting across
-  AWS, Azure, and GCP security telemetry.
+description: 'This skill covers deploying Microsoft Sentinel as a cloud-native SIEM
+  and SOAR platform for centralized security operations. It details configuring data
+  connectors for multi-cloud log ingestion, writing KQL detection queries, building
+  automated response playbooks with Logic Apps, and leveraging the Sentinel data lake
+  for petabyte-scale threat hunting across AWS, Azure, and GCP security telemetry.

  '
 domain: cybersecurity
@@ -30,6 +31,12 @@ nist_csf:
 - ID.AM-08
 - GV.SC-06
 - DE.CM-01
+mitre_attack:
+- T1078.004
+- T1548.005
+- T1485
+- T1530
+- T1021.007
 ---

 # Building Cloud SIEM with Sentinel
@@ -1,7 +1,7 @@
 ---
 name: building-detection-rule-with-splunk-spl
-description: Build effective detection rules using Splunk Search Processing Language (SPL) correlation searches to identify
-  security threats in SOC environments.
+description: Build effective detection rules using Splunk Search Processing Language
+  (SPL) correlation searches to identify security threats in SOC environments.
 domain: cybersecurity
 subdomain: soc-operations
 tags:
@@ -27,6 +27,13 @@ nist_csf:
 - DE.AE-02
 - RS.MA-01
 - DE.AE-06
+mitre_attack:
+- T1059.001
+- T1003.001
+- T1021.002
+- T1110.003
+- T1053.005
+- T1048
 ---

 # Building Detection Rules with Splunk SPL
@@ -1,9 +1,10 @@
 ---
 name: building-detection-rules-with-sigma
-description: 'Builds vendor-agnostic detection rules using the Sigma rule format for threat detection across SIEM platforms
-  including Splunk, Elastic, and Microsoft Sentinel. Use when creating portable detection logic from threat intelligence,
-  mapping rules to MITRE ATT&CK techniques, or converting community Sigma rules into platform-specific queries using sigmac
-  or pySigma backends.
+description: 'Builds vendor-agnostic detection rules using the Sigma rule format for
+  threat detection across SIEM platforms including Splunk, Elastic, and Microsoft
+  Sentinel. Use when creating portable detection logic from threat intelligence, mapping
+  rules to MITRE ATT&CK techniques, or converting community Sigma rules into platform-specific
+  queries using sigmac or pySigma backends.

  '
 domain: cybersecurity
@@ -31,6 +32,12 @@ nist_csf:
 - DE.AE-02
 - RS.MA-01
 - DE.AE-06
+mitre_attack:
+- T1059.001
+- T1003.001
+- T1055
+- T1053.005
+- T1547.001
 ---
 # Building Detection Rules with Sigma

@@ -1,7 +1,7 @@
 ---
 name: building-devsecops-pipeline-with-gitlab-ci
-description: Design and implement a comprehensive DevSecOps pipeline in GitLab CI/CD integrating SAST, DAST, container scanning,
-  dependency scanning, and secret detection.
+description: Design and implement a comprehensive DevSecOps pipeline in GitLab CI/CD
+  integrating SAST, DAST, container scanning, dependency scanning, and secret detection.
 domain: cybersecurity
 subdomain: devsecops
 tags:
@@ -21,6 +21,12 @@ nist_csf:
 - GV.SC-07
 - ID.IM-04
 - PR.PS-04
+mitre_attack:
+- T1195.001
+- T1195.002
+- T1552.001
+- T1190
+- T1610
 ---

 # Building DevSecOps Pipeline with GitLab CI
@@ -1,7 +1,8 @@
 ---
 name: building-identity-federation-with-saml-azure-ad
-description: Establish SAML 2.0 identity federation between on-premises Active Directory and Azure AD (Microsoft Entra ID)
-  for seamless cross-domain authentication and SSO to cloud applications.
+description: Establish SAML 2.0 identity federation between on-premises Active Directory
+  and Azure AD (Microsoft Entra ID) for seamless cross-domain authentication and SSO
+  to cloud applications.
 domain: cybersecurity
 subdomain: identity-access-management
 tags:
@@ -21,6 +22,12 @@ nist_csf:
 - PR.AA-02
 - PR.AA-05
 - PR.AA-06
+mitre_attack:
+- T1606.002
+- T1556.007
+- T1484.002
+- T1078.004
+- T1110.003
 ---

 # Building Identity Federation with SAML Azure AD
@@ -1,9 +1,10 @@
 ---
 name: building-identity-governance-lifecycle-process
-description: 'Builds comprehensive identity governance and lifecycle management processes including joiner-mover-leaver automation,
-  role mining, access request workflows, periodic recertification, and orphaned account remediation using IGA platforms. Activates
-  for requests involving identity lifecycle management, JML processes, role-based access provisioning, or identity governance
-  program design.
+description: 'Builds comprehensive identity governance and lifecycle management processes
+  including joiner-mover-leaver automation, role mining, access request workflows,
+  periodic recertification, and orphaned account remediation using IGA platforms.
+  Activates for requests involving identity lifecycle management, JML processes, role-based
+  access provisioning, or identity governance program design.

  '
 domain: cybersecurity
@@ -27,6 +28,12 @@ nist_csf:
 - PR.AA-02
 - PR.AA-05
 - PR.AA-06
+mitre_attack:
+- T1098
+- T1136
+- T1078
+- T1531
+- T1087
 ---

 # Building Identity Governance Lifecycle Process
@@ -1,8 +1,10 @@
 ---
 name: building-incident-response-dashboard
-description: 'Builds real-time incident response dashboards in Splunk, Elastic, or Grafana to provide SOC analysts and leadership
-  with situational awareness during active incidents, tracking affected systems, containment status, IOC spread, and response
-  timeline. Use when IR teams need unified visibility during incident coordination and post-incident reporting.
+description: 'Builds real-time incident response dashboards in Splunk, Elastic, or
+  Grafana to provide SOC analysts and leadership with situational awareness during
+  active incidents, tracking affected systems, containment status, IOC spread, and
+  response timeline. Use when IR teams need unified visibility during incident coordination
+  and post-incident reporting.

  '
 domain: cybersecurity
@@ -23,6 +25,12 @@ nist_csf:
 - DE.AE-02
 - RS.MA-01
 - DE.AE-06
+mitre_attack:
+- T1486
+- T1071.001
+- T1021.002
+- T1041
+- T1566
 ---
 # Building Incident Response Dashboard

@@ -1,9 +1,11 @@
 ---
 name: building-incident-response-playbook
-description: 'Designs and documents structured incident response playbooks that define step-by-step procedures for specific
-  incident types aligned with NIST SP 800-61r3 and SANS PICERL frameworks. Covers playbook structure, decision trees, escalation
-  criteria, RACI matrices, and integration with SOAR platforms. Activates for requests involving IR playbook creation, incident
-  response procedure documentation, response runbook development, or SOAR playbook design.
+description: 'Designs and documents structured incident response playbooks that define
+  step-by-step procedures for specific incident types aligned with NIST SP 800-61r3
+  and SANS PICERL frameworks. Covers playbook structure, decision trees, escalation
+  criteria, RACI matrices, and integration with SOAR platforms. Activates for requests
+  involving IR playbook creation, incident response procedure documentation, response
+  runbook development, or SOAR playbook design.

  '
 domain: cybersecurity
@@ -15,8 +17,10 @@ tags:
 - SOAR-integration
 - response-procedures
 mitre_attack:
- T1190
+- T1486
 - T1566
+- T1190
+- T1041
 - T1078
 version: 1.0.0
 author: mahipal
@@ -1,7 +1,8 @@
 ---
 name: building-incident-timeline-with-timesketch
-description: Build collaborative forensic incident timelines using Timesketch to ingest, normalize, and analyze multi-source
-  event data for attack chain reconstruction and investigation documentation.
+description: Build collaborative forensic incident timelines using Timesketch to ingest,
+  normalize, and analyze multi-source event data for attack chain reconstruction and
+  investigation documentation.
 domain: cybersecurity
 subdomain: incident-response
 tags:
@@ -13,9 +14,11 @@ tags:
 - incident-investigation
 - collaborative-forensics
 mitre_attack:
- T1070
- T1059
- T1053
+- T1059.001
+- T1021.002
+- T1547.001
+- T1053.005
+- T1070.006
 version: '1.0'
 author: mahipal
 license: Apache-2.0
--- a/Show More
+++ b/Show More
Author	SHA1	Message	Date
mukul975	04450304b1	chore: auto-update index.json	2026-06-01 10:15:47 +00:00
mukul975	cb8d79e068	Map all 754 skills to MITRE ATT&CK v19.1 - Add validated mitre_attack frontmatter to all 754 skills (286 distinct techniques), verified against MITRE ATT&CK v19.1 via the official mitreattack-python library: 0 revoked, deprecated, or invalid IDs - Curate precise per-skill technique IDs for forensics, malware-analysis, threat-intel, and red-team skills (e.g. DCSync -> T1003.006, Kerberoasting -> T1558.003, Pass-the-Ticket -> T1550.003) - Reconcile v19.1 tactic restructuring: Defense Evasion split into Stealth (TA0005) and Defense Impairment (TA0112); revoked T1562.* family and T1070.001/.002 remapped to active equivalents (T1685.*) - Normalize word-split tags across 35 skills (remove filename-derived stopword tags, add semantic cybersecurity tags) - Add api-reference.md for 3 skills that were missing it - Update README ATT&CK section with accurate v19.1 tactic distribution	2026-06-01 12:13:29 +02:00
mukul975	9a588e643e	chore: auto-update index.json	2026-05-30 09:32:08 +00:00
Mahipal	868465b4e4	Merge pull request #58 from Bortlesboat/fix/objection-skill-description Fix description YAML for Objection iOS skill	2026-05-30 11:32:00 +02:00
Andrew Barnes	2338e0371c	Fix Objection skill description frontmatter Normalize YAML description so tools can reliably parse it.	2026-05-25 09:04:36 -04:00
Mahipal	0f429d0f96	Update README.md	2026-05-13 11:07:15 +02:00
Mahipal	15b63716a4	Update README.md	2026-05-13 10:56:27 +02:00
mukul975	77d5d9d686	chore: auto-update index.json	2026-04-26 12:03:37 +00:00
Mahipal	812db448e0	Merge PR #44 : Normalize tags in 3 skills	2026-04-26 14:03:28 +02:00
Mahipal	fcc73ea471	Merge PR #28 : Add bulk skill metadata validation script	2026-04-26 14:03:24 +02:00
claude[bot]	fbc47b7ac2	fix: replace word-split tags with domain-specific cybersecurity tags Three SKILL.md files had tags that were simply words split from the skill name (e.g., "analyzing", "block", "with", "logs") rather than meaningful discovery keywords. Replace with domain-specific terms that agents and search tools can actually use for routing. - analyzing-powershell-script-block-logging: [powershell, script-block-logging, event-id-4104, obfuscation-detection, windows-forensics, endpoint-security] - analyzing-azure-activity-logs-for-threats: [azure, cloud-security, azure-monitor, kql, threat-hunting, activity-logs] - analyzing-memory-forensics-with-lime-and-volatility: [memory-forensics, linux-forensics, lime, volatility, incident-response, kernel-modules] Co-Authored-By: Claude Code <noreply@anthropic.com>	2026-04-21 00:35:35 +00:00
Mahipal	888bbe4c6e	Delete star.yml	2026-04-18 02:09:43 +02:00
Mahipal	c60cb4aa7b	Update star.yml	2026-04-15 22:43:16 +02:00
Mahipal	d5f3fa3248	Update star.yml	2026-04-15 22:37:28 +02:00
Mahipal	91a087aacc	Update star.yml	2026-04-15 22:35:07 +02:00
Mahipal	780757902b	Create star.yml	2026-04-15 19:15:45 +02:00
Mahipal	9e8a8cda80	Add Hermes Agent badge to README	2026-04-15 00:51:53 +02:00
Mahipal	efbbbba5e2	Add Casky.ai Playground section to README Added a section for the Casky.ai Playground with details on its features and usage.	2026-04-11 15:04:51 +02:00
Mahipal	c715f0b36e	Revise README for improved clarity and structure Updated README to enhance project visibility and clarify project scope.	2026-04-11 00:46:21 +02:00
mukul975	4ae0be7f48	chore: bump marketplace version to v1.2.0	2026-04-06 12:26:39 +02:00
mukul975	dcc2dc32fd	fix: jq command line continuation in sync-marketplace workflow	2026-04-06 12:25:16 +02:00
Julio César Suástegui	efc9598525	fix(validator): address all remaining review feedback from @mukul975 Three issues fixed: 1. Description list check — added elif isinstance(desc, list) branch that emits 'Description must be a string value, not a list'. Previously the block was silently skipped when YAML returned a list, causing the skill to pass without validating the description field. 2. tools/README.md synced — updated description constraint from '20-500 characters' to 'at least 50 characters (no upper limit)' to match the current code (DESCRIPTION_MIN_CHARS=50, no max enforced). 3. --all with wrong CWD now exits 1 — if glob returns no skill dirs, the script prints an error and exits with code 1 instead of reporting 'Total: 0 Passed: 0 Failed: 0' and exiting 0, which would cause CI to silently pass while validating nothing. All 754 skills continue to pass (0 regressions).	2026-04-04 05:34:31 -06:00
Julio César Suástegui	31f745385b	fix(validator): address all review feedback from @mukul975 Required changes: - Error handling: IOError and UnicodeDecodeError already wrapped in try/except from previous commit — still present and correct. - ALLOWED_SUBDOMAINS: synced with actual repo usage (audited all 754 skills). identity-access-management (34 skills) added; identity-security was the placeholder in its place. New in this commit: 1. Description minimum: raised from 20 → 50 chars to align with other repo tooling as requested. 2. Folded scalar support: parse_frontmatter now handles YAML `>-` and `>` folded scalars, preventing incorrect parse of multi-line descriptions. Added a comment documenting the one remaining edge case (value-less key followed by non-list content — treated as no-value, acceptable for well-formed SKILL.md files). 3. Canonical subdomain warnings: alias subdomain values (e.g. security-operations vs soc-operations) now print a WARN line pointing to the canonical form, but are non-blocking. A _SUBDOMAIN_ALIASES dict documents canonical/alias pairs explicitly. 4. Description upper limit: removed hard cap — folded scalars legitimately produce long strings in existing skills. 5. PR description: removed false mention of type hints (there are none in this file). Validator now passes 754/754 skills in the repo with 0 errors.	2026-04-03 09:51:27 -06:00
Julio César Suástegui	b53f3d4991	fix: add error handling for IOError/UnicodeDecodeError + sync ALLOWED_SUBDOMAINS - Wrap open() call in try/except for IOError and UnicodeDecodeError to report clean errors instead of crashing on encoding issues - Add all subdomains actually used by existing skills in the repo: identity-access-management (33 skills), security-operations (28), identity-and-access-management, zero-trust, ot-security, purple-team, red-team, ai-security, social-engineering-defense, and others - Remove identity-security as the canonical form is identity-access-management	2026-04-03 09:49:04 -06:00