claudeers.

🔓 unclaimed — this page was auto-generated from GitHub. Are you the creator?

Claim this page →
// Automation & Workflows

Anthropic-Cybersecurity-Skills

817 structured cybersecurity skills for AI agents · Mapped to 6 frameworks: MITRE ATT&CK, NIST CSF 2.0, MITRE ATLAS, D3FEND, NIST AI RMF & MITRE F3 (Fight Fr…

Actively maintained
100/100
last commit 13 days ago
last release 16 days ago
releases 4
open issues 13
// install
git clone https://github.com/mukul975/Anthropic-Cybersecurity-Skills

Anthropic Cybersecurity Skills

Anthropic Cybersecurity Skills

The largest open-source cybersecurity skills library for AI agents

817 production-grade cybersecurity skills · 29 security domains · 6 framework mappings · 26+ AI platforms

Get Started · What's Inside · Frameworks · Platforms · Contributing


⚠️ Community Project — This is an independent, community-created project. Not affiliated with Anthropic PBC.

Give any AI agent the security skills of a senior analyst

A junior analyst knows which Volatility3 plugin to run on a suspicious memory dump, which Sigma rules catch Kerberoasting, and how to scope a cloud breach across three providers. Your AI agent doesn't — unless you give it these skills.

This repo contains 817 structured cybersecurity skills spanning 29 security domains, each following the agentskills.io open standard. Every skill is mapped to six industry frameworks — MITRE ATT&CK, NIST CSF 2.0, MITRE ATLAS, MITRE D3FEND, NIST AI RMF, and the MITRE Fight Fraud Framework (F3) — making this the only open-source skills library with unified cross-framework coverage. Clone it, point your agent at it, and your next security investigation gets expert-level guidance in seconds.

Six frameworks, one skill library

No other open-source skills library maps every skill to all of these frameworks. One skill, six compliance checkboxes.

FrameworkVersionScope in this repoWhat it maps
MITRE ATT&CKv19.115 tactics · 286 techniquesAdversary behaviors and TTPs
NIST CSF 2.02.06 functions · 22 categoriesOrganizational security posture
MITRE ATLASv5.416 tactics · 84 techniquesAI/ML adversarial threats
MITRE D3FENDv1.37 categories · 267 techniquesDefensive countermeasures
NIST AI RMF1.04 functions · 72 subcategoriesAI risk management
MITRE F3 (Fight Fraud Framework)v1.1 (2026-04-09)8 tactics · 123 techniques · 94 fraud-relevant skillsCyber-enabled financial fraud TTPs

Example — a single skill maps across all six:

SkillATT&CKNIST CSFATLASD3FENDAI RMFF3
analyzing-network-traffic-of-malwareT1071DE.CMAML.T0047D3-NTAMEASURE-2.6
detecting-business-email-compromiseT1566DE.AEF1005.006 · monetization

🆕 MITRE Fight Fraud Framework (F3) — 94 fraud-relevant skills

The MITRE Fight Fraud Framework (F3) was released April 9, 2026 by MITRE's Center for Threat-Informed Defense (CTID), co-developed with JPMorganChase, Citigroup, Lloyds Banking Group, Standard Chartered, CrowdStrike, Verizon Business, FS-ISAC, and others. It is an ATT&CK-compatible TTP catalog for cyber-enabled financial fraud — filling the gap ATT&CK leaves after initial compromise.

F3 v1.1 adds two fraud-specific tactics that ATT&CK does not enumerate:

  • Positioning (FA0001) — actions taken after access to collect/manipulate data and prepare the fraud (synthetic-identity seeding, account warming, beneficiary setup, SIM-swap pre-positioning, banking-session hijack).
  • Monetization (FA0002) — converting stolen assets into usable funds (money-mule layering, APP fraud, crypto off-ramping, card cash-out, refund/chargeback abuse).

Fraud-specific techniques use F1XXX IDs (e.g. F1005.003 Add Beneficiary, F1025.003 Wire Transfer, F1007 Adversary-in-the-Browser); reused ATT&CK techniques keep their T1XXX IDs. Mappings live in each skill's mitre_f3: frontmatter block — all 123 F3 v1.1 technique IDs were verified against the upstream STIX bundle. See docs/mitre-f3-mapping.md for the schema.

MITRE ATT&CK v19.1 — 754/754 skills mapped

Every skill carries a mitre_attack frontmatter list validated against MITRE ATT&CK v19.1 (the latest release) using the official mitreattack-python library — 286 distinct techniques across all 15 Enterprise tactics, plus ICS and Mobile techniques where relevant. Zero revoked or deprecated IDs. v19.1's restructured Defense Evasion (now split into Stealth and Defense Impairment) is reflected below.

TacticIDSkills
ReconnaissanceTA0043103
Resource DevelopmentTA004222
Initial AccessTA0001467
ExecutionTA0002350
PersistenceTA0003444
Privilege EscalationTA0004464
StealthTA0005442
Defense ImpairmentTA011292
Credential AccessTA0006202
DiscoveryTA0007237
Lateral MovementTA000868
CollectionTA0009172
Command and ControlTA0011123
ExfiltrationTA001082
ImpactTA004050

Quick start

# Option 1: npx (recommended)
npx skills add mukul975/Anthropic-Cybersecurity-Skills

# Option 2: Git clone
git clone https://github.com/mukul975/Anthropic-Cybersecurity-Skills.git
cd Anthropic-Cybersecurity-Skills

Works immediately with Claude Code, GitHub Copilot, OpenAI Codex CLI, Cursor, Gemini CLI, and any agentskills.io-compatible platform.

🌍 GARS-2026 — Global Agentic AI Readiness Survey

I'm running a global academic study measuring how ready security professionals, developers, and enterprise teams actually are for agentic AI — MCP servers, tool calling, governance, and human-in-the-loop workflows.

If you use this repo, your response would be a genuinely valuable data point.

📋 Take the survey (10 min): Survey Link

  • 60 questions · Anonymous · Supervised by SRH Berlin
  • You get 50 Casky Tokens for early access to casky.ai
  • Results published open access under CC-BY 4.0

🚀 Try it on the Playground

Experience Casky.ai hands-on — no setup required.

→ Launch Playground on Casky.ai

The playground lets you:

  • Run live cybersecurity skill exercises against real targets
  • See AI agents execute structured skills in real time
  • Explore MITRE ATT&CK mapped workflows interactively
  • Test threat hunting, DFIR, and penetration testing scenarios

No installation. No configuration. Just open and start.

Why this exists

The cybersecurity workforce gap hit 4.8 million unfilled roles globally in 2024 (ISC2). AI agents can help close that gap — but only if they have structured domain knowledge to work from. Today's agents can write code and search the web, but they lack the practitioner playbooks that turn a generic LLM into a capable security analyst.

Existing security tool repos give you wordlists, payloads, or exploit code. None of them give an AI agent the structured decision-making workflow a senior analyst follows: when to use each technique, what prerequisites to check, how to execute step-by-step, and how to verify results. That is the gap this project fills.

Anthropic Cybersecurity Skills is not a collection of scripts or checklists. It is an AI-native knowledge base built from the ground up for the agentskills.io standard — YAML frontmatter for sub-second discovery, structured Markdown for step-by-step execution, and reference files for deep technical context. Every skill encodes real practitioner workflows, not generated summaries.

What's inside — 29 security domains

DomainSkillsKey capabilities
Cloud Security66AWS, Azure, GCP hardening · CSPM · cloud attack emulation · cloud forensics
Threat Hunting58Hypothesis-driven hunts · LOTL detection · EVTX hunting · fleet hunting
Threat Intelligence52STIX/TAXII · MISP · OpenCTI · feed integration · actor profiling
Network Security43IDS/IPS · firewall rules · VLAN segmentation · traffic analysis
Web Application Security42OWASP Top 10 · SQLi · XSS · SSRF · deserialization
Digital Forensics41Disk imaging · memory forensics · Hayabusa/KAPE/Plaso timelines
Malware Analysis39Static/dynamic analysis · reverse engineering · sandboxing
Identity & Access Management37Entra ID/ROADtools · device-code phishing · PAM · zero trust identity
SOC Operations35Playbooks · escalation workflows · Graph-log detection · tabletop exercises
Red Teaming33ADCS/Certipy · BloodHound CE · Sliver/Havoc C2 · NTLM relay
Container Security33K8s RBAC · image scanning · Falco · container escape
Security Operations28SIEM correlation · log analysis · alert triage
OT/ICS Security28Modbus · DNP3 · IEC 62443 · historian defense · SCADA
API Security28GraphQL · REST · OWASP API Top 10 · WAF bypass
Incident Response26Breach containment · ransomware response · IR playbooks
Vulnerability Management25Nessus · scanning workflows · patch prioritization · CVSS
Penetration Testing21Network · web · cloud · mobile · NetExec lateral movement
DevSecOps18CI/CD security · Trivy IaC/image scanning · code signing
Zero Trust Architecture17BeyondCorp · CISA maturity model · microsegmentation
Endpoint Security17EDR · LOTL detection · fileless malware · persistence hunting
Cryptography16TLS · Ed25519 · post-quantum migration · key management
Phishing Defense15Email authentication · BEC detection · phishing IR
AI Security14LLM red-teaming (garak/PyRIT) · prompt injection · MCP/agentic security · guardrails
Mobile Security13Android/iOS analysis · mobile pentesting · MDM forensics
Ransomware Defense13Precursor detection · response · recovery · encryption analysis
Compliance & Governance9NIST 800-30/RMF · CMMC · HIPAA · TPRM · CIS benchmarks
Supply Chain Security8SBOMs · dependency confusion · malicious-package triage · SLSA/Sigstore
Deception Technology6Honeytokens · canarytokens · breach detection
Hardware & Firmware Security4CHIPSEC/UEFI audit · Secure Boot bypass · TPM attestation · bootkit hunting

How AI agents use these skills

Each skill costs ~30 tokens to scan (frontmatter only) and 500–2,000 tokens to fully load (complete workflow). This progressive disclosure architecture lets agents search all 817 skills in a single pass without blowing context windows.

User prompt: "Analyze this memory dump for signs of credential theft"

Agent's internal process:

  1. Scans 817 skill frontmatters (~30 tokens each)
     → identifies 12 relevant skills by matching tags, description, domain

  2. Loads top 3 matches:
     • performing-memory-forensics-with-volatility3
     • hunting-for-credential-dumping-lsass
     • analyzing-windows-event-logs-for-credential-access

  3. Executes the structured Workflow section step-by-step
     → runs Volatility3 plugins, checks LSASS access patterns,
        correlates with event log evidence

  4. Validates results using the Verification section
     → confirms IOCs, maps findings to ATT&CK T1003 (Credential Dumping)

Without these skills, the agent guesses at tool commands and misses critical steps. With them, it follows the same playbook a senior DFIR analyst would use.

Skill anatomy

Every skill follows a consistent directory structure:

skills/performing-memory-forensics-with-volatility3/
├── SKILL.md              ← Skill definition (YAML frontmatter + Markdown body)
├── references/
│   ├── standards.md      ← MITRE ATT&CK, ATLAS, D3FEND, NIST mappings
│   └── workflows.md      ← Deep technical procedure reference
├── scripts/
│   └── process.py        ← Working helper scripts
└── assets/
    └── template.md       ← Filled-in checklists and report templates

YAML frontmatter (real example)

---
name: performing-memory-forensics-with-volatility3
description: >-
  Analyze memory dumps to extract running processes, network connections,
  injected code, and malware artifacts using the Volatility3 framework.
domain: cybersecurity
subdomain: digital-forensics
tags: [forensics, memory-analysis, volatility3, incident-response, dfir]
atlas_techniques: [AML.T0047]
d3fend_techniques: [D3-MA, D3-PSMD]
nist_ai_rmf: [MEASURE-2.6]
nist_csf: [DE.CM-01, RS.AN-03]
version: "1.2"
author: mukul975
license: Apache-2.0
---

Markdown body sections

## When to Use
Trigger conditions — when should an AI agent activate this skill?

## Prerequisites
Required tools, access levels, and environment setup.

## Workflow
Step-by-step execution guide with specific commands and decision points.

## Verification
How to confirm the skill was executed successfully.

Frontmatter fields: name (kebab-case, 1–64 chars), description (keyword-rich for agent discovery), domain, subdomain, tags, atlas_techniques (MITRE ATLAS IDs), d3fend_techniques (MITRE D3FEND IDs), nist_ai_rmf (NIST AI RMF references), nist_csf (NIST CSF 2.0 categories). MITRE ATT&CK technique mappings are documented in each skill's references/standards.md file and in the ATT&CK Navigator layer included with releases.

📊 MITRE ATT&CK Enterprise coverage — all 14 tactics

 

TacticIDCoverageKey skills
ReconnaissanceTA0043StrongOSINT, subdomain enumeration, DNS recon
Resource DevelopmentTA0042ModeratePhishing infrastructure, C2 setup detection
Initial AccessTA0001StrongPhishing simulation, exploit detection, forced browsing
ExecutionTA0002StrongPowerShell analysis, fileless malware, script block logging
PersistenceTA0003StrongScheduled tasks, registry, service accounts, LOTL
Privilege EscalationTA0004StrongKerberoasting, AD attacks, cloud privilege escalation
Defense EvasionTA0005StrongObfuscation, rootkit analysis, evasion detection
Credential AccessTA0006StrongMimikatz detection, pass-the-hash, credential dumping
DiscoveryTA0007ModerateBloodHound, AD enumeration, network scanning
Lateral MovementTA0008StrongSMB exploits, lateral movement detection with Splunk
CollectionTA0009ModerateEmail forensics, data staging detection
Command and ControlTA0011StrongC2 beaconing, DNS tunneling, Cobalt Strike analysis
ExfiltrationTA0010StrongDNS exfiltration, DLP controls, data loss detection
ImpactTA0040StrongRansomware defense, encryption analysis, recovery

An ATT&CK Navigator layer file is included in the v1.0.0 release assets for visual coverage mapping.

Note: ATT&CK v19 lands April 28, 2026 — splitting Defense Evasion (TA0005) into two new tactics: Stealth and Impair Defenses. Skill mappings will be updated in a forthcoming release.

📊 NIST CSF 2.0 alignment — all 6 functions

 

FunctionSkillsExamples
Govern (GV)30+Risk strategy, policy frameworks, roles & responsibilities
Identify (ID)120+Asset discovery, threat landscape assessment, risk analysis
Protect (PR)150+IAM hardening, WAF rules, zero trust, encryption
Detect (DE)200+Threat hunting, SIEM correlation, anomaly detection
Respond (RS)160+Incident response, forensics, breach containment
Recover (RC)40+Ransomware recovery, BCP, disaster recovery

NIST CSF 2.0 (February 2024) added the Govern function and expanded scope from critical infrastructure to all organizations. Skill mappings align to all 22 categories and reference 106 subcategories.

📊 Framework deep dive — ATLAS, D3FEND, AI RMF

 

MITRE ATLAS v5.4 — AI/ML adversarial threats

ATLAS maps adversarial tactics, techniques, and case studies specific to AI and machine learning systems. Version 5.4 covers 16 tactics and 84 techniques including agentic AI attack vectors added in late 2025: AI agent context poisoning, tool invocation abuse, MCP server compromises, and malicious agent deployment. Skills mapped to ATLAS help agents identify and defend against threats to ML pipelines, model weights, inference APIs, and autonomous workflows.

MITRE D3FEND v1.3 — Defensive countermeasures

D3FEND is an NSA-funded knowledge graph of 267 defensive techniques organized across 7 tactical categories: Model, Harden, Detect, Isolate, Deceive, Evict, and Restore. Built on OWL 2 ontology, it uses a shared Digital Artifact layer to bidirectionally map defensive countermeasures to ATT&CK offensive techniques. Skills tagged with D3FEND identifiers let agents recommend specific countermeasures for detected threats.

NIST AI RMF 1.0 + GenAI Profile (AI 600-1)

The AI Risk Management Framework defines 4 core functions — Govern, Map, Measure, Manage — with 72 subcategories for trustworthy AI development. The GenAI Profile (AI 600-1, July 2024) adds 12 risk categories specific to generative AI, from confabulation and data privacy to prompt injection and supply chain risks. Colorado's AI Act (effective February 2026) provides a legal safe harbor for organizations complying with NIST AI RMF, making these mappings directly relevant to regulatory compliance.

Compatible platforms

AI code assistants Claude Code (Anthropic) · GitHub Copilot (Microsoft) · Cursor · Windsurf · Cline · Aider · Continue · Roo Code · Amazon Q Developer · Tabnine · Sourcegraph Cody · JetBrains AI

CLI agents OpenAI Codex CLI · Gemini CLI (Google)

Autonomous agents Devin · Replit Agent · SWE-agent · OpenHands

Agent frameworks & SDKs LangChain · CrewAI · AutoGen · Semantic Kernel · Haystack · Vercel AI SDK · Any MCP-compatible agent

All platforms that support the agentskills.io standard can load these skills with zero configuration.

What people are saying

"A database of real, organized security skills that any AI agent can plug into and use. Not tutorials. Not blog posts."Hasan Toor (@hasantoxr), AI/tech creator

"This is not a random collection of security scripts. It's a structured operational knowledge base designed for AI-driven security workflows."fazal-sec, Medium

WhereTypeLink
awesome-agent-skillsAwesome List (1,000+ skills index)VoltAgent/awesome-agent-skills
awesome-ai-securityAwesome List (AI security tools)ottosulin/awesome-ai-security
awesome-codex-cliAwesome List (Codex CLI resources)RoggeOhta/awesome-codex-cli
SkillsLLMSkills directory & marketplaceskillsllm.com/skill/anthropic-cybersecurity-skills
OpenflowsSignal analysis & trackingopenflows.org
NeverSight skills_feedAutomated skills indexNeverSight/skills_feed

Star history

Star History Chart

Releases

VersionDateHighlights
v1.0.0March 11, 2026734 skills · 26 domains · MITRE ATT&CK + NIST CSF 2.0 mapping · ATT&CK Navigator layer

Skills have continued to grow on main since v1.0.0 — the library now contains 817 skills with 6-framework mapping (MITRE ATLAS, D3FEND, NIST AI RMF, and the MITRE Fight Fraud Framework added post-release). Check Releases for the latest tagged version.

Contributing

This project grows through community contributions. Here is how to get involved:

Add a new skill — Domains like Deception Technology (2 skills) and Compliance & Governance (5 skills) need the most help. Follow the template in CONTRIBUTING.md and submit a PR with the title Add skill: your-skill-name.

Improve existing skills — Add framework mappings, fix workflows, update tool references, or contribute scripts and templates.

Report issues — Found an inaccurate procedure or broken script? Open an issue.

Every PR is reviewed for technical accuracy and agentskills.io standard compliance within 48 hours. Check good first issues for a starting point.

This project follows the Contributor Covenant. By participating, you agree to uphold this code.

Community

💬 Discussions — Questions, ideas, and roadmap conversations 🐛 Issues — Bug reports and feature requests 🔒 Security Policy — Responsible disclosure process (48-hour acknowledgment)

Citation

If you use this project in research or publications:

@software{anthropic_cybersecurity_skills,
  author       = {Jangra, Mahipal},
  title        = {Anthropic Cybersecurity Skills},
  year         = {2026},
  url          = {https://github.com/mukul975/Anthropic-Cybersecurity-Skills},
  license      = {Apache-2.0},
  note         = {817 structured cybersecurity skills for AI agents,
                  mapped to MITRE ATT\&CK, NIST CSF 2.0, MITRE ATLAS,
                  MITRE D3FEND, and NIST AI RMF}
}

License

This project is licensed under the Apache License 2.0. You are free to use, modify, and distribute these skills in both personal and commercial projects.


If this project helps your security work, consider giving it a ⭐

⭐ Star · 🍴 Fork · 💬 Discuss · 📝 Contribute

Community project by @mukul975. Not affiliated with Anthropic PBC.

// compatibility

Platformscli, api, web, mobile
Operating systems
AI compatibilityclaude
LicenseApache-2.0
Pricingopen-source
LanguagePython

// faq

What is Anthropic-Cybersecurity-Skills?

817 structured cybersecurity skills for AI agents · Mapped to 6 frameworks: MITRE ATT&CK, NIST CSF 2.0, MITRE ATLAS, D3FEND, NIST AI RMF & MITRE F3 (Fight Fraud) · agentskills.io standard · Works with Claude Code, GitHub Copilot, Codex CLI, Cursor, Gemini CLI & 20+ platforms · 29 security domains · Apache 2.0. It is open-source on GitHub.

Is Anthropic-Cybersecurity-Skills free to use?

Anthropic-Cybersecurity-Skills is open-source under the Apache-2.0 license, so it is free to use.

What category does Anthropic-Cybersecurity-Skills belong to?

Anthropic-Cybersecurity-Skills is listed under security in the Claudeers registry of Claude-compatible tools.

0 views
24,185 stars
unclaimed
updated 15 days ago

// embed badge

Anthropic-Cybersecurity-Skills on Claudeers
[![Claudeers](https://claudeers.com/api/badge/anthropic-cybersecurity-skills.svg)](https://claudeers.com/anthropic-cybersecurity-skills)

// retro hit counter

Anthropic-Cybersecurity-Skills hit counter
[![Hits](https://claudeers.com/api/counter/anthropic-cybersecurity-skills.svg)](https://claudeers.com/anthropic-cybersecurity-skills)

// reviews

// guestbook

0/500

// related in Automation & Workflows

🔓

The agent that grows with you

// automationNousResearch/Python211,605MIT[ claude ]
🔓

The API to search, scrape, and interact with the web at scale. 🔥

// automationfirecrawl/TypeScript143,720AGPL-3.0[ claude ]
🔓

🌐 Make websites accessible for AI agents. Automate tasks online with ease.

// automationbrowser-use/Python103,709MIT[ claude ]
🔓

An open-source long-horizon SuperAgent harness that researches, codes, and creates. With the help of sandboxes, memories, tools, skill, subagents and message…

// automationbytedance/Python76,016MIT[ claude ]

// built by

Connectorlinks several projects together across the ecosystem · 5 connections

1 of its contributors also build on official projectsclaude-agent-sdk-python

→ see how Anthropic-Cybersecurity-Skills connects across the ecosystem