Anthropic-Cybersecurity-Skills/mappings/README.md

# Security Framework Mappings

This directory maps the 607+ cybersecurity skills in this repository to industry-standard security frameworks, enabling practitioners and AI agents to discover relevant skills through the lens of established security models.

## Supported Frameworks

### MITRE ATT&CK v15

The [MITRE ATT&CK](https://attack.mitre.org/) framework is a globally accessible knowledge base of adversary tactics and techniques based on real-world observations. Skills are mapped to:

- **Tactics** (TA00xx) -- the adversary's tactical goals during an operation
- **Techniques** (T1xxx) -- the specific methods used to achieve those goals
- **Sub-techniques** (T1xxx.xxx) -- more granular variations of techniques

See [`mitre-attack/`](mitre-attack/) for the full mapping and coverage analysis.

### NIST Cybersecurity Framework 2.0

The [NIST CSF 2.0](https://www.nist.gov/cyberframework) provides a taxonomy of high-level cybersecurity outcomes organized into 6 core functions:

| Function | Code | Description |
|----------|------|-------------|
| Govern | GV | Establishing and monitoring cybersecurity risk management strategy |
| Identify | ID | Understanding organizational cybersecurity risk |
| Protect | PR | Safeguarding assets through security controls |
| Detect | DE | Finding and analyzing cybersecurity events |
| Respond | RS | Taking action regarding detected incidents |
| Recover | RC | Restoring capabilities after an incident |

See [`nist-csf/`](nist-csf/) for the full alignment and category mapping.

### OWASP Top 10 (2025)

The [OWASP Top 10](https://owasp.org/www-project-top-ten/) represents the most critical security risks to web applications. Skills are mapped to each risk category to provide hands-on remediation and testing capabilities.

See [`owasp/`](owasp/) for the full mapping.

## How Mappings Work

Each skill in this repository has YAML frontmatter with `domain`, `subdomain`, and `tags` fields. Framework mappings aggregate skills by subdomain relevance and tag correlation:

```
Skill YAML frontmatter
  -> subdomain (e.g., "penetration-testing")
  -> tags (e.g., ["mitre-attack", "privilege-escalation"])
  -> Framework mapping (e.g., ATT&CK TA0004 Privilege Escalation)
```

Mappings are maintained at the subdomain level for scalability. Individual skills may also carry framework-specific tags in their frontmatter for precise lookups.

## Subdomain Distribution (607 skills)

| Subdomain | Skills | Primary Frameworks |
|-----------|--------|--------------------|
| cloud-security | 48 | ATT&CK, NIST CSF |
| threat-intelligence | 43 | ATT&CK, NIST CSF |
| web-application-security | 41 | ATT&CK, OWASP |
| threat-hunting | 35 | ATT&CK, NIST CSF |
| digital-forensics | 34 | ATT&CK, NIST CSF |
| malware-analysis | 34 | ATT&CK, NIST CSF |
| identity-access-management | 33 | ATT&CK, NIST CSF |
| network-security | 33 | ATT&CK, NIST CSF |
| soc-operations | 33 | ATT&CK, NIST CSF |
| api-security | 28 | OWASP, ATT&CK |
| ot-ics-security | 28 | ATT&CK (ICS), NIST CSF |
| container-security | 26 | ATT&CK, NIST CSF |
| incident-response | 24 | ATT&CK, NIST CSF |
| vulnerability-management | 24 | ATT&CK, NIST CSF, OWASP |
| penetration-testing | 23 | ATT&CK |
| red-teaming | 24 | ATT&CK |
| devsecops | 16 | NIST CSF, OWASP |
| endpoint-security | 16 | ATT&CK, NIST CSF |
| phishing-defense | 16 | ATT&CK, NIST CSF |
| cryptography | 13 | NIST CSF |
| zero-trust-architecture | 13 | NIST CSF |
| mobile-security | 12 | ATT&CK (Mobile), OWASP |
| compliance-governance | 5 | NIST CSF |
| ransomware-defense | 5 | ATT&CK, NIST CSF |

## Contributing

To add or update a framework mapping:

1. Identify the skill subdomain and relevant framework category
2. Update the corresponding mapping file in the framework directory
3. Ensure the skill's YAML frontmatter tags reflect the mapping
4. Submit a pull request with the mapping justification