Name: Anthropic-Cybersecurity-Skills AI Agent Skill
Availability: InStock
Rating: 4.5 (576 reviews)
Author: mukul975

Anthropic Cybersecurity Skills

The largest open-source cybersecurity skills library for AI agents

754 production-grade cybersecurity skills · 26 security domains · 5 framework mappings · 26+ AI platforms

Get Started · What's Inside · Frameworks · Platforms · Contributing

⚠️ Community Project — This is an independent, community-created project. Not affiliated with Anthropic PBC.

Give any AI agent the security skills of a senior analyst

A junior analyst knows which Volatility3 plugin to run on a suspicious memory dump, which Sigma rules catch Kerberoasting, and how to scope a cloud breach across three providers. Your AI agent doesn't — unless you give it these skills.

This repo contains 754 structured cybersecurity skills spanning 26 security domains, each following the agentskills.io open standard. Every skill is mapped to five industry frameworks — MITRE ATT&CK, NIST CSF 2.0, MITRE ATLAS, MITRE D3FEND, and NIST AI RMF — making this the only open-source skills library with unified cross-framework coverage. Clone it, point your agent at it, and your next security investigation gets expert-level guidance in seconds.

Five frameworks, one skill library

No other open-source skills library maps every skill to all five frameworks. One skill, five compliance checkboxes.

Framework	Version	Scope in this repo	What it maps
MITRE ATT&CK	v19.1	15 tactics · 286 techniques	Adversary behaviors and TTPs
NIST CSF 2.0	2.0	6 functions · 22 categories	Organizational security posture
MITRE ATLAS	v5.4	16 tactics · 84 techniques	AI/ML adversarial threats
MITRE D3FEND	v1.3	7 categories · 267 techniques	Defensive countermeasures
NIST AI RMF	1.0	4 functions · 72 subcategories	AI risk management

Example — a single skill maps across all five:

Skill	ATT&CK	NIST CSF	ATLAS	D3FEND	AI RMF
`analyzing-network-traffic-of-malware`	T1071	DE.CM	AML.T0047	D3-NTA	MEASURE-2.6

MITRE ATT&CK v19.1 — 754/754 skills mapped

Every skill carries a mitre_attack frontmatter list validated against MITRE ATT&CK v19.1 (the latest release) using the official mitreattack-python library — 286 distinct techniques across all 15 Enterprise tactics, plus ICS and Mobile techniques where relevant. Zero revoked or deprecated IDs. v19.1's restructured Defense Evasion (now split into Stealth and Defense Impairment) is reflected below.

Tactic	ID	Skills
Reconnaissance	TA0043	103
Resource Development	TA0042	22
Initial Access	TA0001	467
Execution	TA0002	350
Persistence	TA0003	444
Privilege Escalation	TA0004	464
Stealth	TA0005	442
Defense Impairment	TA0112	92
Credential Access	TA0006	202
Discovery	TA0007	237
Lateral Movement	TA0008	68
Collection	TA0009	172
Command and Control	TA0011	123
Exfiltration	TA0010	82
Impact	TA0040	50

Quick start

# Option 1: npx (recommended)
npx skills add mukul975/Anthropic-Cybersecurity-Skills

# Option 2: Git clone
git clone https://github.com/mukul975/Anthropic-Cybersecurity-Skills.git
cd Anthropic-Cybersecurity-Skills

Works immediately with Claude Code, GitHub Copilot, OpenAI Codex CLI, Cursor, Gemini CLI, and any agentskills.io-compatible platform.

🌍 GARS-2026 — Global Agentic AI Readiness Survey

I'm running a global academic study measuring how ready security professionals, developers, and enterprise teams actually are for agentic AI — MCP servers, tool calling, governance, and human-in-the-loop workflows.

If you use this repo, your response would be a genuinely valuable data point.

📋 Take the survey (10 min): Survey Link

60 questions · Anonymous · Supervised by SRH Berlin
You get 50 Casky Tokens for early access to casky.ai
Results published open access under CC-BY 4.0

🚀 Try it on the Playground

Experience Casky.ai hands-on — no setup required.

→ Launch Playground on Casky.ai

The playground lets you:

Run live cybersecurity skill exercises against real targets
See AI agents execute structured skills in real time
Explore MITRE ATT&CK mapped workflows interactively
Test threat hunting, DFIR, and penetration testing scenarios

No installation. No configuration. Just open and start.

Why this exists

The cybersecurity workforce gap hit 4.8 million unfilled roles globally in 2024 (ISC2). AI agents can help close that gap — but only if they have structured domain knowledge to work from. Today's agents can write code and search the web, but they lack the practitioner playbooks that turn a generic LLM into a capable security analyst.

Existing security tool repos give you wordlists, payloads, or exploit code. None of them give an AI agent the structured decision-making workflow a senior analyst follows: when to use each technique, what prerequisites to check, how to execute step-by-step, and how to verify results. That is the gap this project fills.

Anthropic Cybersecurity Skills is not a collection of scripts or checklists. It is an AI-native knowledge base built from the ground up for the agentskills.io standard — YAML frontmatter for sub-second discovery, structured Markdown for step-by-step execution, and reference files for deep technical context. Every skill encodes real practitioner workflows, not generated summaries.

What's inside — 26 security domains

Domain	Skills	Key capabilities
Cloud Security	60	AWS, Azure, GCP hardening · CSPM · cloud forensics
Threat Hunting	55	Hypothesis-driven hunts · LOTL detection · behavioral analytics
Threat Intelligence	50	STIX/TAXII · MISP · feed integration · actor profiling
Web Application Security	42	OWASP Top 10 · SQLi · XSS · SSRF · deserialization
Network Security	40	IDS/IPS · firewall rules · VLAN segmentation · traffic analysis
Malware Analysis	39	Static/dynamic analysis · reverse engineering · sandboxing
Digital Forensics	37	Disk imaging · memory forensics · timeline reconstruction
Security Operations	36	SIEM correlation · log analysis · alert triage
Identity & Access Management	35	IAM policies · PAM · zero trust identity · Okta · SailPoint
SOC Operations	33	Playbooks · escalation workflows · metrics · tabletop exercises
Container Security	30	K8s RBAC · image scanning · Falco · container forensics
OT/ICS Security	28	Modbus · DNP3 · IEC 62443 · historian defense · SCADA
API Security	28	GraphQL · REST · OWASP API Top 10 · WAF bypass
Vulnerability Management	25	Nessus · scanning workflows · patch prioritization · CVSS
Incident Response	25	Breach containment · ransomware response · IR playbooks
Red Teaming	24	Full-scope engagements · AD attacks · phishing simulation
Penetration Testing	23	Network · web · cloud · mobile · wireless pentesting
Endpoint Security	17	EDR · LOTL detection · fileless malware · persistence hunting
DevSecOps	17	CI/CD security · code signing · Terraform auditing
Phishing Defense	16	Email authentication · BEC detection · phishing IR
Cryptography	14	TLS · Ed25519 · certificate transparency · key management
Zero Trust Architecture	13	BeyondCorp · CISA maturity model · microsegmentation
Mobile Security	12	Android/iOS analysis · mobile pentesting · MDM forensics
Ransomware Defense	7	Precursor detection · response · recovery · encryption analysis
Compliance & Governance	5	CIS benchmarks · SOC 2 · regulatory frameworks
Deception Technology	2	Honeytokens · breach detection canaries

How AI agents use these skills

Each skill costs ~30 tokens to scan (frontmatter only) and 500–2,000 tokens to fully load (complete workflow). This progressive disclosure architecture lets agents search all 754 skills in a single pass without blowing context windows.

User prompt: "Analyze this memory dump for signs of credential theft"

Agent's internal process:

  1. Scans 754 skill frontmatters (~30 tokens each)
     → identifies 12 relevant skills by matching tags, description, domain

  2. Loads top 3 matches:
     • performing-memory-forensics-with-volatility3
     • hunting-for-credential-dumping-lsass
     • analyzing-windows-event-logs-for-credential-access

  3. Executes the structured Workflow section step-by-step
     → runs Volatility3 plugins, checks LSASS access patterns,
        correlates with event log evidence

  4. Validates results using the Verification section
     → confirms IOCs, maps findings to ATT&CK T1003 (Credential Dumping)

Without these skills, the agent guesses at tool commands and misses critical steps. With them, it follows the same playbook a senior DFIR analyst would use.

Skill anatomy

Every skill follows a consistent directory structure:

skills/performing-memory-forensics-with-volatility3/
├── SKILL.md              ← Skill definition (YAML frontmatter + Markdown body)
├── references/
│   ├── standards.md      ← MITRE ATT&CK, ATLAS, D3FEND, NIST mappings
│   └── workflows.md      ← Deep technical procedure reference
├── scripts/
│   └── process.py        ← Working helper scripts
└── assets/
    └── template.md       ← Filled-in checklists and report templates

YAML frontmatter (real example)

---
name: performing-memory-forensics-with-volatility3
description: >-
  Analyze memory dumps to extract running processes, network connections,
  injected code, and malware artifacts using the Volatility3 framework.
domain: cybersecurity
subdomain: digital-forensics
tags: [forensics, memory-analysis, volatility3, incident-response, dfir]
atlas_techniques: [AML.T0047]
d3fend_techniques: [D3-MA, D3-PSMD]
nist_ai_rmf: [MEASURE-2.6]
nist_csf: [DE.CM-01, RS.AN-03]
version: "1.2"
author: mukul975
license: Apache-2.0
---

Markdown body sections

## When to Use
Trigger conditions — when should an AI agent activate this skill?

## Prerequisites
Required tools, access levels, and environment setup.

## Workflow
Step-by-step execution guide with specific commands and decision points.

## Verification
How to confirm the skill was executed successfully.

Frontmatter fields: name (kebab-case, 1–64 chars), description (keyword-rich for agent discovery), domain, subdomain, tags, atlas_techniques (MITRE ATLAS IDs), d3fend_techniques (MITRE D3FEND IDs), nist_ai_rmf (NIST AI RMF references), nist_csf (NIST CSF 2.0 categories). MITRE ATT&CK technique mappings are documented in each skill's references/standards.md file and in the ATT&CK Navigator layer included with releases.

Tactic	ID	Coverage	Key skills
Reconnaissance	TA0043	Strong	OSINT, subdomain enumeration, DNS recon
Resource Development	TA0042	Moderate	Phishing infrastructure, C2 setup detection
Initial Access	TA0001	Strong	Phishing simulation, exploit detection, forced browsing
Execution	TA0002	Strong	PowerShell analysis, fileless malware, script block logging
Persistence	TA0003	Strong	Scheduled tasks, registry, service accounts, LOTL
Privilege Escalation	TA0004	Strong	Kerberoasting, AD attacks, cloud privilege escalation
Defense Evasion	TA0005	Strong	Obfuscation, rootkit analysis, evasion detection
Credential Access	TA0006	Strong	Mimikatz detection, pass-the-hash, credential dumping
Discovery	TA0007	Moderate	BloodHound, AD enumeration, network scanning
Lateral Movement	TA0008	Strong	SMB exploits, lateral movement detection with Splunk
Collection	TA0009	Moderate	Email forensics, data staging detection
Command and Control	TA0011	Strong	C2 beaconing, DNS tunneling, Cobalt Strike analysis
Exfiltration	TA0010	Strong	DNS exfiltration, DLP controls, data loss detection
Impact	TA0040	Strong	Ransomware defense, encryption analysis, recovery

An ATT&CK Navigator layer file is included in the [v1.0.0 release assets](https://github.com/mukul975/Anthropic-Cybersecurity-Sk

...

Anthropic-Cybersecurity-Skills

Before / After Comparison