待翻譯：Anthropic-Cybersecurity-Skills:817 structured cybersecurity skills for AI agents

AI 服務暫時不可用，以下為來源正文，待恢復後補全翻譯。

Uh oh! There was an error while loading. Please reload this page. Notifications You must be signed in to change notification settings Fork 2.3k Star 19.9k BranchesTags Open more actions menu Folders and files NameName Last commit message Last commit date Latest commit History 179 Commits 179 Commits .claude-plugin .claude-plugin .github .github assets assets docs docs mappings mappings skills skills tools tools .gitignore .gitignore ATTACK_COVERAGE.md ATTACK_COVERAGE.md CITATION.cff CITATION.cff CODE_OF_CONDUCT.md CODE_OF_CONDUCT.md CONTRIBUTING.md CONTRIBUTING.md LICENSE LICENSE README.md README.md SECURITY.md SECURITY.md index.json index.json Repository files navigation The largest open-source cybersecurity skills library for AI agents 817 production-grade cybersecurity skills · 29 security domains · 6 framework mappings · 26+ AI platforms Get Started · What's Inside · Frameworks · Platforms · Contributing ⚠️ Community Project — This is an independent, community-created project. Not affiliated with Anthropic PBC. Give any AI agent the security skills of a senior analyst A junior analyst knows which Volatility3 plugin to run on a suspicious memory dump, which Sigma rules catch Kerberoasting, and how to scope a cloud breach across three providers. Your AI agent doesn't — unless you give it these skills. This repo contains 817 structured cybersecurity skills spanning 29 security domains, each following the agentskills.io open standard. Every skill is mapped to six industry frameworks — MITRE ATT&CK, NIST CSF 2.0, MITRE ATLAS, MITRE D3FEND, NIST AI RMF, and the MITRE Fight Fraud Framework (F3) — making this the only open-source skills library with unified cross-framework coverage. Clone it, point your agent at it, and your next security investigation gets expert-level guidance in seconds. Six frameworks, one skill library No other open-source skills library maps every skill to all of these frameworks. One skill, six compliance checkboxes. Framework Version Scope in this repo What it maps MITRE ATT&CK v19.1 15 tactics · 286 techniques Adversary behaviors and TTPs NIST CSF 2.0 2.0 6 functions · 22 categories Organizational security posture MITRE ATLAS v5.4 16 tactics · 84 techniques AI/ML adversarial threats MITRE D3FEND v1.3 7 categories · 267 techniques Defensive countermeasures NIST AI RMF 1.0 4 functions · 72 subcategories AI risk management MITRE F3 (Fight Fraud Framework) v1.1 (2026-04-09) 8 tactics · 123 techniques · 94 fraud-relevant skills Cyber-enabled financial fraud TTPs Example — a single skill maps across all six: Skill ATT&CK NIST CSF ATLAS D3FEND AI RMF F3 analyzing-network-traffic-of-malware T1071 DE.CM AML.T0047 D3-NTA MEASURE-2.6 — detecting-business-email-compromise T1566 DE.AE — — — F1005.006 · monetization 🆕 MITRE Fight Fraud Framework (F3) — 94 fraud-relevant skills The MITRE Fight Fraud Framework (F3) was released April 9, 2026 by MITRE's Center for Threat-Informed Defense (CTID), co-developed with JPMorganChase, Citigroup, Lloyds Banking Group, Standard Chartered, CrowdStrike, Verizon Business, FS-ISAC, and others. It is an ATT&CK-compatible TTP catalog for cyber-enabled financial fraud — filling the gap ATT&CK leaves after initial compromise. F3 v1.1 adds two fraud-specific tactics that ATT&CK does not enumerate: Positioning (FA0001) — actions taken after access to collect/manipulate data and prepare the fraud (synthetic-identity seeding, account warming, beneficiary setup, SIM-swap pre-positioning, banking-session hijack). Monetization (FA0002) — converting stolen assets into usable funds (money-mule layering, APP fraud, crypto off-ramping, card cash-out, refund/chargeback abuse). Fraud-specific techniques use F1XXX IDs (e.g. F1005.003 Add Beneficiary, F1025.003 Wire Transfer, F1007 Adversary-in-the-Browser); reused ATT&CK techniques keep their T1XXX IDs. Mappings live in each skill's mitre_f3: frontmatter block — all 123 F3 v1.1 technique IDs were verified against the upstream STIX bundle. See docs/mitre-f3-mapping.md for the schema. MITRE ATT&CK v19.1 — 754/754 skills mapped Every skill carries a mitre_attack frontmatter list validated against MITRE ATT&CK v19.1 (the latest release) using the official mitreattack-python library — 286 distinct techniques across all 15 Enterprise tactics, plus ICS and Mobile techniques where relevant. Zero revoked or deprecated IDs. v19.1's restructured Defense Evasion (now split into Stealth and Defense Impairment) is reflected below. Tactic ID Skills Reconnaissance TA0043 103 Resource Development TA0042 22 Initial Access TA0001 467 Execution TA0002 350 Persistence TA0003 444 Privilege Escalation TA0004 464 Stealth TA0005 442 Defense Impairment TA0112 92 Credential Access TA0006 202 Discovery TA0007 237 Lateral Movement TA0008 68 Collection TA0009 172 Command and Control TA0011 123 Exfiltration TA0010 82 Impact TA0040 50 Quick start # Option 1: npx (recommended) npx skills add mukul975/Anthropic-Cybersecurity-Skills # Option 2: Git clone git clone https://github.com/mukul975/Anthropic-Cybersecurity-Skills.git cd Anthropic-Cybersecurity-Skills Works immediately with Claude Code, GitHub Copilot, OpenAI Codex CLI, Cursor, Gemini CLI, and any agentskills.io-compatible platform. 🌍 GARS-2026 — Global Agentic AI Readiness Survey I'm running a global academic study measuring how ready security professionals, developers, and enterprise teams actually are for agentic AI — MCP servers, tool calling, governance, and human-in-the-loop workflows. If you use this repo, your response would be a genuinely valuable data point. 📋 Take the survey (10 min): Survey Link 60 questions · Anonymous · Supervised by SRH Berlin You get 50 Casky Tokens for early access to casky.ai Results published open access under CC-BY 4.0 🚀 Try it on the Playground Experience Casky.ai hands-on — no setup required. → Launch Playground on Casky.ai The playground lets you: Run live cybersecurity skill exercises against real targets See AI agents execute structured skills in real time Explore MITRE ATT&CK mapped workflows interactively Test threat hunting, DFIR, and penetration testing scenarios No installation. No configuration. Just open and start. Why this exists The cybersecurity workforce gap hit 4.8 million unfilled roles globally in 2024 (ISC2). AI agents can help close that gap — but only if they have structured domain knowledge to work from. Today's agents can write code and search the web, but they lack the practitioner playbooks that turn a generic LLM into a capable security analyst. Existing security tool repos give you wordlists, payloads, or exploit code. None of them give an AI agent the structured decision-making workflow a senior analyst follows: when to use each technique, what prerequisites to check, how to execute step-by-step, and how to verify results. That is the gap this project fills. Anthropic Cybersecurity Skills is not a collection of scripts or checklists. It is an AI-native knowledge base built from the ground up for the agentskills.io standard — YAML frontmatter for sub-second discovery, structured Markdown for step-by-step execution, and reference files for deep technical context. Every skill encodes real practitioner workflows, not generated summaries. What's inside — 29 security domains Domain Skills Key capabilities Cloud Security 66 AWS, Azure, GCP hardening · CSPM · cloud attack emulation · cloud forensics Threat Hunting 58 Hypothesis-driven hunts · LOTL detection · EVTX hunting · fleet hunting Threat Intelligence 52 STIX/TAXII · MISP · OpenCTI · feed integration · actor profiling Network Security 43 IDS/IPS · firewall rules · VLAN segmentation · traffic analysis Web Application Security 42 OWASP Top 10 · SQLi · XSS · SSRF · deserialization Digital Forensics 41 Disk imaging · memory forensics · Hayabusa/KAPE/Plaso timelines Malware Analysis 39 Static/dynamic analysis · reverse engineering · sandboxing Identity & Access Management 37 Entra ID/ROADtools · device-code phishing · PAM · zero trust identity SOC Operations 35 Playbooks · escalation workflows · Graph-log detection · tabletop exercises Red Teaming 33 ADCS/Certipy · BloodHound CE · Sliver/Havoc C2 · NTLM relay Container Security 33 K8s RBAC · image scanning · Falco · container escape Security Operations 28 SIEM correlation · log analysis · alert triage OT/ICS Security 28 Modbus · DNP3 · IEC 62443 · historian defense · SCADA API Security 28 GraphQL · REST · OWASP API Top 10 · WAF bypass Incident Response 26 Breach containment · ransomware response · IR playbooks Vulnerability Management 25 Nessus · scanning workflows · patch prioritization · CVSS Penetration Testing 21 Network · web · cloud · mobile · NetExec lateral movement DevSecOps 18 CI/CD security · Trivy IaC/image scanning · code signing Zero Trust Architecture 17 BeyondCorp · CISA maturity model · microsegmentation Endpoint Security 17 EDR · LOTL detection · fileless malware · persistence hunting Cryptography 16 TLS · Ed25519 · post-quantum migration · key management Phishing Defense 15 Email authentication · BEC detection · phishing IR AI Security 14 LLM red-teaming (garak/PyRIT) · prompt injection · MCP/agentic security · guardrails Mobile Security 13 Android/iOS analysis · mobile pentesting · MDM forensics Ransomware Defense 13 Precursor detection · response · recovery · encryption analysis Compliance & Governance 9 NIST 800-30/RMF · CMMC · HIPAA · TPRM · CIS benchmarks Supply Chain Security 8 SBOMs · dependency confusion · malicious-package triage · SLSA/Sigstore Deception Technology 6 Honeytokens · canarytokens · breach detection Hardware & Firmware Security 4 CHIPSEC/UEFI audit · Secure Boot bypass · TPM attestation · bootkit hunting How AI agents use these skills Each skill costs ~30 tokens to scan (frontmatter only) and 500–2,000 tokens to fully load (complete workflow). This progressive disclosure architecture lets agents search all 817 skills in a single pass without blowing context windows. User prompt: "Analyze this memory dump for signs of credential theft" Agent's internal process: 1. Scans 817 skill frontmatters (~30 tokens each) → identifies 12 relevant skills by matching tags, description, domain 2. Loads top 3 matches: • performing-memory-forensics-with-volatility3 • hunting-for-credential-dumping-lsass • analyzing-windows-event-logs-for-credential-access 3. Executes the structured Workflow section step-by-step → runs Volatility3 plugins, checks LSASS access patterns, correlates with event log evidence 4. Validates results using the Verification section → confirms IOCs, maps findings to ATT&CK T1003 (Credential Dumping) Without these skills, the agent guesses at tool commands and misses critical steps. With them, it follows the same playbook a senior DFIR analyst would use. Skill anatomy Every skill follows a consistent directory structure: skills/performing-memory-forensics-with-volatility3/ ├── SKILL.md ← Skill definition (YAML frontmatter + Markdown body) ├── references/ │ ├── standards.md ← MITRE ATT&CK, ATLAS, D3FEND, NIST mappings │ └── workflows.md ← Deep technical procedure reference ├── scripts/ │ └── process.py ← Working helper scripts └── assets/ └── template.md ← Filled-in checklists and report templates YAML frontmatter (real example) --- name: performing-memory-forensics-with-volatility3 description: >- Analyze memory dumps to extract running processes, network connections, injected code, and malware artifacts using the Volatility3 framework. domain: cybersecurity subdomain: digital-forensics tags: [forensics, memory-analysis, volatility3, incident-response, dfir] atlas_techniques: [AML.T0047] d3fend_techniques: [D3-MA, D3-PSMD] nist_ai_rmf: [MEASURE-2.6] nist_csf: [DE.CM-01, RS.AN-03] [truncated for AI cost control]