Anthropic-Cybersecurity-Skills
754の構造化されたサイバーセキュリティスキルを提供し、AIエージェントを強化します。これらのスキルは26のセキュリティ領域をカバーし、MITRE ATT&CKやNIST CSF 2.0などの5つの主要な業界フレームワークにマッピングされており、AIエージェントがシニアアナリストレベルのセキュリティ知識とガイダンスを獲得できるようにし、セキュリティ調査と対応を加速させます。
git clone https://github.com/mukul975/Anthropic-Cybersecurity-Skills.gitBefore / After 効果比較
4 组Anthropic Cybersecurity Skills
The largest open-source cybersecurity skills library for AI agents
754 production-grade cybersecurity skills · 26 security domains · 5 framework mappings · 26+ AI platforms
Get Started · What's Inside · Frameworks · Platforms · Contributing
⚠️ Community Project — This is an independent, community-created project. Not affiliated with Anthropic PBC.
Give any AI agent the security skills of a senior analyst
A junior analyst knows which Volatility3 plugin to run on a suspicious memory dump, which Sigma rules catch Kerberoasting, and how to scope a cloud breach across three providers. Your AI agent doesn't — unless you give it these skills.
This repo contains 754 structured cybersecurity skills spanning 26 security domains, each following the agentskills.io open standard. Every skill is mapped to five industry frameworks — MITRE ATT&CK, NIST CSF 2.0, MITRE ATLAS, MITRE D3FEND, and NIST AI RMF — making this the only open-source skills library with unified cross-framework coverage. Clone it, point your agent at it, and your next security investigation gets expert-level guidance in seconds.
Five frameworks, one skill library
No other open-source skills library maps every skill to all five frameworks. One skill, five compliance checkboxes.
| Framework | Version | Scope in this repo | What it maps |
|---|---|---|---|
| MITRE ATT&CK | v19.1 | 15 tactics · 286 techniques | Adversary behaviors and TTPs |
| NIST CSF 2.0 | 2.0 | 6 functions · 22 categories | Organizational security posture |
| MITRE ATLAS | v5.4 | 16 tactics · 84 techniques | AI/ML adversarial threats |
| MITRE D3FEND | v1.3 | 7 categories · 267 techniques | Defensive countermeasures |
| NIST AI RMF | 1.0 | 4 functions · 72 subcategories | AI risk management |
Example — a single skill maps across all five:
| Skill | ATT&CK | NIST CSF | ATLAS | D3FEND | AI RMF |
|---|---|---|---|---|---|
analyzing-network-traffic-of-malware | T1071 | DE.CM | AML.T0047 | D3-NTA | MEASURE-2.6 |
MITRE ATT&CK v19.1 — 754/754 skills mapped
Every skill carries a mitre_attack frontmatter list validated against MITRE ATT&CK v19.1 (the latest release) using the official mitreattack-python library — 286 distinct techniques across all 15 Enterprise tactics, plus ICS and Mobile techniques where relevant. Zero revoked or deprecated IDs. v19.1's restructured Defense Evasion (now split into Stealth and Defense Impairment) is reflected below.
| Tactic | ID | Skills |
|---|---|---|
| Reconnaissance | TA0043 | 103 |
| Resource Development | TA0042 | 22 |
| Initial Access | TA0001 | 467 |
| Execution | TA0002 | 350 |
| Persistence | TA0003 | 444 |
| Privilege Escalation | TA0004 | 464 |
| Stealth | TA0005 | 442 |
| Defense Impairment | TA0112 | 92 |
| Credential Access | TA0006 | 202 |
| Discovery | TA0007 | 237 |
| Lateral Movement | TA0008 | 68 |
| Collection | TA0009 | 172 |
| Command and Control | TA0011 | 123 |
| Exfiltration | TA0010 | 82 |
| Impact | TA0040 | 50 |
Quick start
# Option 1: npx (recommended)
npx skills add mukul975/Anthropic-Cybersecurity-Skills
# Option 2: Git clone
git clone https://github.com/mukul975/Anthropic-Cybersecurity-Skills.git
cd Anthropic-Cybersecurity-Skills
Works immediately with Claude Code, GitHub Copilot, OpenAI Codex CLI, Cursor, Gemini CLI, and any agentskills.io-compatible platform.
🌍 GARS-2026 — Global Agentic AI Readiness Survey
I'm running a global academic study measuring how ready security professionals, developers, and enterprise teams actually are for agentic AI — MCP servers, tool calling, governance, and human-in-the-loop workflows.
If you use this repo, your response would be a genuinely valuable data point.
📋 Take the survey (10 min): Survey Link
- 60 questions · Anonymous · Supervised by SRH Berlin
- You get 50 Casky Tokens for early access to casky.ai
- Results published open access under CC-BY 4.0
🚀 Try it on the Playground
Experience Casky.ai hands-on — no setup required.
→ Launch Playground on Casky.ai
The playground lets you:
- Run live cybersecurity skill exercises against real targets
- See AI agents execute structured skills in real time
- Explore MITRE ATT&CK mapped workflows interactively
- Test threat hunting, DFIR, and penetration testing scenarios
No installation. No configuration. Just open and start.
Why this exists
The cybersecurity workforce gap hit 4.8 million unfilled roles globally in 2024 (ISC2). AI agents can help close that gap — but only if they have structured domain knowledge to work from. Today's agents can write code and search the web, but they lack the practitioner playbooks that turn a generic LLM into a capable security analyst.
Existing security tool repos give you wordlists, payloads, or exploit code. None of them give an AI agent the structured decision-making workflow a senior analyst follows: when to use each technique, what prerequisites to check, how to execute step-by-step, and how to verify results. That is the gap this project fills.
Anthropic Cybersecurity Skills is not a collection of scripts or checklists. It is an AI-native knowledge base built from the ground up for the agentskills.io standard — YAML frontmatter for sub-second discovery, structured Markdown for step-by-step execution, and reference files for deep technical context. Every skill encodes real practitioner workflows, not generated summaries.
What's inside — 26 security domains
| Domain | Skills | Key capabilities |
|---|---|---|
| Cloud Security | 60 | AWS, Azure, GCP hardening · CSPM · cloud forensics |
| Threat Hunting | 55 | Hypothesis-driven hunts · LOTL detection · behavioral analytics |
| Threat Intelligence | 50 | STIX/TAXII · MISP · feed integration · actor profiling |
| Web Application Security | 42 | OWASP Top 10 · SQLi · XSS · SSRF · deserialization |
| Network Security | 40 | IDS/IPS · firewall rules · VLAN segmentation · traffic analysis |
| Malware Analysis | 39 | Static/dynamic analysis · reverse engineering · sandboxing |
| Digital Forensics | 37 | Disk imaging · memory forensics · timeline reconstruction |
| Security Operations | 36 | SIEM correlation · log analysis · alert triage |
| Identity & Access Management | 35 | IAM policies · PAM · zero trust identity · Okta · SailPoint |
| SOC Operations | 33 | Playbooks · escalation workflows · metrics · tabletop exercises |
| Container Security | 30 | K8s RBAC · image scanning · Falco · container forensics |
| OT/ICS Security | 28 | Modbus · DNP3 · IEC 62443 · historian defense · SCADA |
| API Security | 28 | GraphQL · REST · OWASP API Top 10 · WAF bypass |
| Vulnerability Management | 25 | Nessus · scanning workflows · patch prioritization · CVSS |
| Incident Response | 25 | Breach containment · ransomware response · IR playbooks |
| Red Teaming | 24 | Full-scope engagements · AD attacks · phishing simulation |
| Penetration Testing | 23 | Network · web · cloud · mobile · wireless pentesting |
| Endpoint Security | 17 | EDR · LOTL detection · fileless malware · persistence hunting |
| DevSecOps | 17 | CI/CD security · code signing · Terraform auditing |
| Phishing Defense | 16 | Email authentication · BEC detection · phishing IR |
| Cryptography | 14 | TLS · Ed25519 · certificate transparency · key management |
| Zero Trust Architecture | 13 | BeyondCorp · CISA maturity model · microsegmentation |
| Mobile Security | 12 | Android/iOS analysis · mobile pentesting · MDM forensics |
| Ransomware Defense | 7 | Precursor detection · response · recovery · encryption analysis |
| Compliance & Governance | 5 | CIS benchmarks · SOC 2 · regulatory frameworks |
| Deception Technology | 2 | Honeytokens · breach detection canaries |
How AI agents use these skills
Each skill costs ~30 tokens to scan (frontmatter only) and 500–2,000 tokens to fully load (complete workflow). This progressive disclosure architecture lets agents search all 754 skills in a single pass without blowing context windows.
User prompt: "Analyze this memory dump for signs of credential theft"
Agent's internal process:
1. Scans 754 skill frontmatters (~30 tokens each)
→ identifies 12 relevant skills by matching tags, description, domain
2. Loads top 3 matches:
• performing-memory-forensics-with-volatility3
• hunting-for-credential-dumping-lsass
• analyzing-windows-event-logs-for-credential-access
3. Executes the structured Workflow section step-by-step
→ runs Volatility3 plugins, checks LSASS access patterns,
correlates with event log evidence
4. Validates results using the Verification section
→ confirms IOCs, maps findings to ATT&CK T1003 (Credential Dumping)
Without these skills, the agent guesses at tool commands and misses critical steps. With them, it follows the same playbook a senior DFIR analyst would use.
Skill anatomy
Every skill follows a consistent directory structure:
skills/performing-memory-forensics-with-volatility3/
├── SKILL.md ← Skill definition (YAML frontmatter + Markdown body)
├── references/
│ ├── standards.md ← MITRE ATT&CK, ATLAS, D3FEND, NIST mappings
│ └── workflows.md ← Deep technical procedure reference
├── scripts/
│ └── process.py ← Working helper scripts
└── assets/
└── template.md ← Filled-in checklists and report templates
YAML frontmatter (real example)
---
name: performing-memory-forensics-with-volatility3
description: >-
Analyze memory dumps to extract running processes, network connections,
injected code, and malware artifacts using the Volatility3 framework.
domain: cybersecurity
subdomain: digital-forensics
tags: [forensics, memory-analysis, volatility3, incident-response, dfir]
atlas_techniques: [AML.T0047]
d3fend_techniques: [D3-MA, D3-PSMD]
nist_ai_rmf: [MEASURE-2.6]
nist_csf: [DE.CM-01, RS.AN-03]
version: "1.2"
author: mukul975
license: Apache-2.0
---
Markdown body sections
## When to Use
Trigger conditions — when should an AI agent activate this skill?
## Prerequisites
Required tools, access levels, and environment setup.
## Workflow
Step-by-step execution guide with specific commands and decision points.
## Verification
How to confirm the skill was executed successfully.
Frontmatter fields: name (kebab-case, 1–64 chars), description (keyword-rich for agent discovery), domain, subdomain, tags, atlas_techniques (MITRE ATLAS IDs), d3fend_techniques (MITRE D3FEND IDs), nist_ai_rmf (NIST AI RMF references), nist_csf (NIST CSF 2.0 categories). MITRE ATT&CK technique mappings are documented in each skill's references/standards.md file and in the ATT&CK Navigator layer included with releases.
| Tactic | ID | Coverage | Key skills |
|---|---|---|---|
| Reconnaissance | TA0043 | Strong | OSINT, subdomain enumeration, DNS recon |
| Resource Development | TA0042 | Moderate | Phishing infrastructure, C2 setup detection |
| Initial Access | TA0001 | Strong | Phishing simulation, exploit detection, forced browsing |
| Execution | TA0002 | Strong | PowerShell analysis, fileless malware, script block logging |
| Persistence | TA0003 | Strong | Scheduled tasks, registry, service accounts, LOTL |
| Privilege Escalation | TA0004 | Strong | Kerberoasting, AD attacks, cloud privilege escalation |
| Defense Evasion | TA0005 | Strong | Obfuscation, rootkit analysis, evasion detection |
| Credential Access | TA0006 | Strong | Mimikatz detection, pass-the-hash, credential dumping |
| Discovery | TA0007 | Moderate | BloodHound, AD enumeration, network scanning |
| Lateral Movement | TA0008 | Strong | SMB exploits, lateral movement detection with Splunk |
| Collection | TA0009 | Moderate | Email forensics, data staging detection |
| Command and Control | TA0011 | Strong | C2 beaconing, DNS tunneling, Cobalt Strike analysis |
| Exfiltration | TA0010 | Strong | DNS exfiltration, DLP controls, data loss detection |
| Impact | TA0040 | Strong | Ransomware defense, encryption analysis, recovery |
An ATT&CK Navigator layer file is included in the [v1.0.0 release assets](https://github.com/mukul975/Anthropic-Cybersecurity-Sk
...
ユーザーレビュー (0)
レビューを書く
レビューなし
統計データ
ユーザー評価
この Skill を評価