Files
Anthropic-Cybersecurity-Skills/skills/assessing-vector-and-embedding-weaknesses/references/standards.md
T
mukul975 8cae0648ec Add 55 new skills across 3 new domains + 6 undercovered areas (762 -> 817)
Demand-driven expansion targeting the fastest-growing 2025-2026 threat and
skills categories (ISC2/WEF/CrowdStrike/Mandiant signals):

- AI Security (NEW domain, 12 skills): LLM red-teaming with garak/PyRIT,
  prompt injection (direct/indirect/RAG), MCP tool-poisoning, agentic tool
  invocation, guardrails, model/data poisoning, system-prompt leakage,
  embedding/vector weaknesses, model extraction, continuous red-teaming
- Supply Chain Security (NEW domain, 5 skills): SBOMs, dependency confusion,
  malicious-npm triage, typosquatting, SLSA/Sigstore provenance
- Hardware & Firmware Security (NEW domain, 4 skills): CHIPSEC/UEFI audit,
  Secure Boot bypass, TPM measured-boot attestation, ESP bootkit hunting
- Identity (10): Entra ID/ROADtools, GraphRunner, AADInternals, ADCS/Certipy,
  shadow credentials, coercion, BloodHound CE, device-code phishing, SSO abuse
- Cloud-native (8): Stratus, Pacu, CloudFox, container escape, K8s RBAC,
  Falco, Trivy, kube-bench
- Offensive C2 (6): Sliver, Havoc, NetExec, DPAPI, NTLM relay ESC8, redirectors
- DFIR (6): Hayabusa, Chainsaw, KAPE, Velociraptor, EZ Tools, Plaso
- Backfill (4): OpenCTI, MISP, honeytokens, post-quantum crypto migration

Each skill follows the repo taxonomy (SKILL.md + references/{standards,api-reference}.md
+ scripts/agent.py + LICENSE), with researched real tool commands (no placeholders),
complete frontmatter, and ATT&CK/ATLAS + NIST CSF mappings. Updates README domain
table, skill count, and index.json.
2026-06-22 19:08:16 +02:00

1.9 KiB

Standards and Framework Mapping

NIST AI Risk Management Framework (AI RMF 1.0 / GenAI Profile NIST AI 600-1)

ID Name Rationale
MEASURE-2.7 AI system security and resilience are evaluated and documented Assessing inversion, membership, isolation, and poisoning weaknesses measures the security/resilience of the RAG vector layer.

MITRE ATLAS

ID Name Rationale
AML.T0024 Exfiltration via ML Inference API Parent technique: query/embedding access is abused to exfiltrate source data.
AML.T0024.000 Infer Training Data Membership Membership-inference probe determines whether a record is in the corpus.
AML.T0024.001 Invert ML Model Embedding inversion reconstructs source text from vectors.
AML.T0020 Poison Training Data Knowledge-base poisoning inserts adversarial chunks into the corpus.
AML.T0051.001 LLM Prompt Injection: Indirect Injection payloads surviving in retrieved chunks.

OWASP Top 10 for LLM Applications (2025)

ID Name Rationale
LLM08 Vector and Embedding Weaknesses The core risk class under test (inversion, leakage, poisoning).
LLM02 Sensitive Information Disclosure Inversion/membership leakage discloses sensitive source data.
LLM01 Prompt Injection Indirect injection delivered through poisoned retrieval.

Weakness class to control mapping

Weakness Control
Embedding inversion Authenticate + rate-limit embedding endpoint; avoid exposing raw scores.
Membership inference Restrict similarity-score exposure; add query auditing.
Cross-tenant leakage Server-side tenant filters or per-tenant collections/namespaces.
Knowledge-base poisoning Provenance tagging, content validation, per-source retrieval caps.
Indirect injection in chunks Sanitize retrieved text; apply output guardrails.