
github.com/mukul975/Anthropic-Cybersecurity-Skills @v1.3.0 sqlite

8,889 symbols 32,219 edges 1,094 files 6,312 documented · 71%
Anthropic Cybersecurity Skills

The largest open-source cybersecurity skills library for AI agents

817 production-grade cybersecurity skills · 29 security domains · 6 framework mappings · 26+ AI platforms


⚠️ Community Project — This is an independent, community-created project. Not affiliated with Anthropic PBC.

Give any AI agent the security skills of a senior analyst

A junior analyst knows which Volatility3 plugin to run on a suspicious memory dump, which Sigma rules catch Kerberoasting, and how to scope a cloud breach across three providers. Your AI agent doesn't — unless you give it these skills.

This repo contains 817 structured cybersecurity skills spanning 29 security domains, each following the agentskills.io open standard. Every skill is mapped to six industry frameworks — MITRE ATT&CK, NIST CSF 2.0, MITRE ATLAS, MITRE D3FEND, NIST AI RMF, and the MITRE Fight Fraud Framework (F3) — making this the only open-source skills library with unified cross-framework coverage. Clone it, point your agent at it, and your next security investigation gets expert-level guidance in seconds.

Six frameworks, one skill library

No other open-source skills library maps every skill to all of these frameworks. One skill, six compliance checkboxes.

| Framework | Version | Scope in this repo | What it maps |
|---|---|---|---|
| MITRE ATT&CK | v19.1 | 15 tactics · 286 techniques | Adversary behaviors and TTPs |
| NIST CSF 2.0 | 2.0 | 6 functions · 22 categories | Organizational security posture |
| MITRE ATLAS | v5.4 | 16 tactics · 84 techniques | AI/ML adversarial threats |
| MITRE D3FEND | v1.3 | 7 categories · 267 techniques | Defensive countermeasures |
| NIST AI RMF | 1.0 | 4 functions · 72 subcategories | AI risk management |
| MITRE F3 (Fight Fraud Framework) | v1.1 (2026-04-09) | 8 tactics · 123 techniques · 94 fraud-relevant skills | Cyber-enabled financial fraud TTPs |

Example — a single skill maps across all six:

| Skill | ATT&CK | NIST CSF | ATLAS | D3FEND | AI RMF | F3 |
|---|---|---|---|---|---|---|
| analyzing-network-traffic-of-malware | T1071 | DE.CM | AML.T0047 | D3-NTA | MEASURE-2.6 | |
| detecting-business-email-compromise | T1566 | DE.AE | | | | F1005.006 · monetization |

🆕 MITRE Fight Fraud Framework (F3) — 94 fraud-relevant skills

The MITRE Fight Fraud Framework (F3) was released April 9, 2026 by MITRE's Center for Threat-Informed Defense (CTID), co-developed with JPMorganChase, Citigroup, Lloyds Banking Group, Standard Chartered, CrowdStrike, Verizon Business, FS-ISAC, and others. It is an ATT&CK-compatible TTP catalog for cyber-enabled financial fraud — filling the gap ATT&CK leaves after initial compromise.

F3 v1.1 adds two fraud-specific tactics that ATT&CK does not enumerate:

  • Positioning (FA0001) — actions taken after access to collect/manipulate data and prepare the fraud (synthetic-identity seeding, account warming, beneficiary setup, SIM-swap pre-positioning, banking-session hijack).
  • Monetization (FA0002) — converting stolen assets into usable funds (money-mule layering, APP fraud, crypto off-ramping, card cash-out, refund/chargeback abuse).

Fraud-specific techniques use F1XXX IDs (e.g. F1005.003 Add Beneficiary, F1025.003 Wire Transfer, F1007 Adversary-in-the-Browser); reused ATT&CK techniques keep their T1XXX IDs. Mappings live in each skill's mitre_f3: frontmatter block — all 123 F3 v1.1 technique IDs were verified against the upstream STIX bundle. See docs/mitre-f3-mapping.md for the schema.

MITRE ATT&CK v19.1 — 754/754 skills mapped

Every skill carries a mitre_attack frontmatter list validated against MITRE ATT&CK v19.1 (the latest release) using the official mitreattack-python library — 286 distinct techniques across all 15 Enterprise tactics, plus ICS and Mobile techniques where relevant. Zero revoked or deprecated IDs. v19.1's restructured Defense Evasion (now split into Stealth and Defense Impairment) is reflected below.

Tactic ID Skills
Reconnaissance TA0043 103
Resource Development TA0042 22
Initial Access TA0001 467
Execution TA0002 350
Persistence TA0003 444
Privilege Escalation TA0004 464
Stealth TA0005 442
Defense Impairment TA0112 92
Credential Access TA0006 202
Discovery TA0007 237
Lateral Movement TA0008 68
Collection TA0009 172
Command and Control TA0011 123
Exfiltration TA0010 82
Impact TA0040 50

Quick start

# Option 1: npx (recommended)
npx skills add mukul975/Anthropic-Cybersecurity-Skills

# Option 2: Git clone
git clone https://github.com/mukul975/Anthropic-Cybersecurity-Skills.git
cd Anthropic-Cybersecurity-Skills

Works immediately with Claude Code, GitHub Copilot, OpenAI Codex CLI, Cursor, Gemini CLI, and any agentskills.io-compatible platform.

🌍 GARS-2026 — Global Agentic AI Readiness Survey

I'm running a global academic study measuring how ready security professionals, developers, and enterprise teams actually are for agentic AI — MCP servers, tool calling, governance, and human-in-the-loop workflows.

If you use this repo, your response would be a genuinely valuable data point.

📋 Take the survey (10 min): Survey Link

  • 60 questions · Anonymous · Supervised by SRH Berlin
  • You get 50 Casky Tokens for early access to casky.ai
  • Results published open access under CC-BY 4.0

🚀 Try it on the Playground

Experience Casky.ai hands-on — no setup required.

→ Launch Playground on Casky.ai

The playground lets you:

  • Run live cybersecurity skill exercises against real targets
  • See AI agents execute structured skills in real time
  • Explore MITRE ATT&CK mapped workflows interactively
  • Test threat hunting, DFIR, and penetration testing scenarios

No installation. No configuration. Just open and start.

Why this exists

The cybersecurity workforce gap hit 4.8 million unfilled roles globally in 2024 (ISC2). AI agents can help close that gap — but only if they have structured domain knowledge to work from. Today's agents can write code and search the web, but they lack the practitioner playbooks that turn a generic LLM into a capable security analyst.

Existing security tool repos give you wordlists, payloads, or exploit code. None of them give an AI agent the structured decision-making workflow a senior analyst follows: when to use each technique, what prerequisites to check, how to execute step-by-step, and how to verify results. That is the gap this project fills.

Anthropic Cybersecurity Skills is not a collection of scripts or checklists. It is an AI-native knowledge base built from the ground up for the agentskills.io standard — YAML frontmatter for sub-second discovery, structured Markdown for step-by-step execution, and reference files for deep technical context. Every skill encodes real practitioner workflows, not generated summaries.

What's inside — 29 security domains

Domain Skills Key capabilities
Cloud Security 66 AWS, Azure, GCP hardening · CSPM · cloud attack emulation · cloud forensics
Threat Hunting 58 Hypothesis-driven hunts · LOTL detection · EVTX hunting · fleet hunting
Threat Intelligence 52 STIX/TAXII · MISP · OpenCTI · feed integration · actor profiling
Network Security 43 IDS/IPS · firewall rules · VLAN segmentation · traffic analysis
Web Application Security 42 OWASP Top 10 · SQLi · XSS · SSRF · deserialization
Digital Forensics 41 Disk imaging · memory forensics · Hayabusa/KAPE/Plaso timelines
Malware Analysis 39 Static/dynamic analysis · reverse engineering · sandboxing
Identity & Access Management 37 Entra ID/ROADtools · device-code phishing · PAM · zero trust identity
SOC Operations 35 Playbooks · escalation workflows · Graph-log detection · tabletop exercises
Red Teaming 33 ADCS/Certipy · BloodHound CE · Sliver/Havoc C2 · NTLM relay
Container Security 33 K8s RBAC · image scanning · Falco · container escape
Security Operations 28 SIEM correlation · log analysis · alert triage
OT/ICS Security 28 Modbus · DNP3 · IEC 62443 · historian defense · SCADA
API Security 28 GraphQL · REST · OWASP API Top 10 · WAF bypass
Incident Response 26 Breach containment · ransomware response · IR playbooks
Vulnerability Management 25 Nessus · scanning workflows · patch prioritization · CVSS
Penetration Testing 21 Network · web · cloud · mobile · NetExec lateral movement
DevSecOps 18 CI/CD security · Trivy IaC/image scanning · code signing
Zero Trust Architecture 17 BeyondCorp · CISA maturity model · microsegmentation
Endpoint Security 17 EDR · LOTL detection · fileless malware · persistence hunting
Cryptography 16 TLS · Ed25519 · post-quantum migration · key management
Phishing Defense 15 Email authentication · BEC detection · phishing IR
AI Security 14 LLM red-teaming (garak/PyRIT) · prompt injection · MCP/agentic security · guardrails
Mobile Security 13 Android/iOS analysis · mobile pentesting · MDM forensics
Ransomware Defense 13 Precursor detection · response · recovery · encryption analysis
Compliance & Governance 9 NIST 800-30/RMF · CMMC · HIPAA · TPRM · CIS benchmarks
Supply Chain Security 8 SBOMs · dependency confusion · malicious-package triage · SLSA/Sigstore
Deception Technology 6 Honeytokens · canarytokens · breach detection
Hardware & Firmware Security 4 CHIPSEC/UEFI audit · Secure Boot bypass · TPM attestation · bootkit hunting

How AI agents use these skills

Each skill costs ~30 tokens to scan (frontmatter only) and 500–2,000 tokens to fully load (complete workflow). This progressive disclosure architecture lets agents search all 817 skills in a single pass without blowing context windows.

User prompt: "Analyze this memory dump for signs of credential theft"

Agent's internal process:

  1. Scans 817 skill frontmatters (~30 tokens each)
     → identifies 12 relevant skills by matching tags, description, domain

  2. Loads top 3 matches:
     • performing-memory-forensics-with-volatility3
     • hunting-for-credential-dumping-lsass
     • analyzing-windows-event-logs-for-credential-access

  3. Executes the structured Workflow section step-by-step
     → runs Volatility3 plugins, checks LSASS access patterns,
        correlates with event log evidence

  4. Validates results using the Verification section
     → confirms IOCs, maps findings to ATT&CK T1003 (Credential Dumping)

Without these skills, the agent guesses at tool commands and misses critical steps. With them, it follows the same playbook a senior DFIR analyst would use.
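
The scan-then-load flow described above, as an added Python example that is not code from this repository. It assumes flat `description`, `domain` and `tags` frontmatter keys, parses them with a minimal reader instead of a YAML library, and uses simple keyword overlap in place of whatever matching a real agent performs; the sample skills are constructed.

```python
import re

FRONTMATTER = re.compile(r"\A---\n(.*?)\n---\n", re.DOTALL)

def read_frontmatter(text):
    """Parse only the leading frontmatter block; the body is never read."""
    match = FRONTMATTER.match(text)
    meta = {}
    for line in (match.group(1).splitlines() if match else []):
        key, sep, value = line.partition(":")
        value = value.strip()
        if sep and value.startswith("[") and value.endswith("]"):
            value = [item.strip() for item in value[1:-1].split(",")]
        if sep:
            meta[key.strip()] = value
    return meta

def words(text):
    return set(re.findall(r"[a-z0-9]+", text.lower()))

def score(meta, query):
    """Number of query words found in the description, domain or tags."""
    parts = []
    for key in ("description", "domain", "tags"):
        value = meta.get(key, "")
        parts.append(" ".join(value) if isinstance(value, list) else value)
    return len(words(query) & words(" ".join(parts)))

def select_skills(skills, query, top_n=3):
    """Scan every frontmatter, then return the full text of the best matches."""
    ranked = sorted(((score(read_frontmatter(text), query), name)
                     for name, text in skills.items()), reverse=True)
    return {name: skills[name] for hits, name in ranked[:top_n] if hits > 0}

# Constructed sample skills, not copied from the repository. The keys
# description/domain/tags are assumed from the fields the README says agents match on.
def make(desc, domain, tags):
    return (f"---\ndescription: {desc}\ndomain: {domain}\ntags: [{tags}]\n---\n"
            "## Workflow\n(full steps)\n")

SKILLS = {
    "performing-memory-forensics-with-volatility3":
        make("Analyze a memory dump with Volatility3", "digital-forensics", "memory, forensics"),
    "hunting-for-credential-dumping-lsass":
        make("Detect credential dumping against LSASS", "threat-hunting", "credential, lsass, theft"),
    "configuring-pfsense-firewall-rules":
        make("Build and audit pfSense firewall rules", "network-security", "firewall, network"),
    "no-frontmatter": "## Workflow\n(body only, so it is never discoverable)\n",
}
QUERY = "Analyze this memory dump for signs of credential theft"
```

Only skills with at least one matching word are loaded, so a file without frontmatter is never selected and its body is never placed in the agent's context.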

Skill anatomy

Every skill follows a consistent directory structure:

``` skills/

Core symbols most depended-on inside this repo

get
called by 15320
skills/configuring-pfsense-firewall-rules/scripts/agent.py
run
called by 720
skills/implementing-security-chaos-engineering/scripts/agent.py
add
called by 317
skills/hardening-docker-containers-for-production/scripts/process.py
load
called by 246
skills/monitoring-scada-modbus-traffic-anomalies/scripts/agent.py
post
called by 221
skills/configuring-pfsense-firewall-rules/scripts/agent.py
load
called by 41
skills/performing-indicator-lifecycle-management/scripts/process.py
resolve
called by 40
skills/building-soc-escalation-matrix/scripts/process.py
parse
called by 29
skills/scanning-infrastructure-with-nessus/scripts/process.py

Shape

Function 6,314
Method 2,095
Class 456
Route 24

Languages

Python 100%

Modules by API surface

skills/implementing-attack-surface-management/scripts/agent.py · 43 symbols
skills/implementing-gdpr-data-subject-access-request/scripts/agent.py · 42 symbols
skills/implementing-hardware-security-key-authentication/scripts/agent.py · 38 symbols
skills/implementing-scim-provisioning-with-okta/scripts/process.py · 37 symbols
skills/monitoring-scada-modbus-traffic-anomalies/scripts/agent.py · 28 symbols
skills/performing-phishing-simulation-with-gophish/scripts/process.py · 26 symbols
skills/implementing-llm-guardrails-for-security/scripts/agent.py · 26 symbols
skills/detecting-ransomware-precursors-in-network/scripts/process.py · 26 symbols
skills/deploying-active-directory-honeytokens/scripts/agent.py · 26 symbols
skills/conducting-post-incident-lessons-learned/scripts/process.py · 25 symbols
skills/implementing-canary-tokens-for-network-intrusion/scripts/agent.py · 23 symbols
skills/exploiting-active-directory-with-bloodhound/scripts/process.py · 23 symbols

Datastores touched

appdb · Database · 1 repos
(mongodb) · Database · 1 repos
(mysql) · Database · 1 repos
app · Database · 1 repos
boundary · Database · 1 repos
mydb · Database · 1 repos
production · Database · 1 repos

For agents

$ claude mcp add Anthropic-Cybersecurity-Skills \
  -- python -m otcore.mcp_server <graph>
