mukul975/Anthropic-Cybersecurity-Skills

Source: https://github.com/mukul975/Anthropic-Cybersecurity-Skills

⚠️ Community Project — This is an independent, community-created project. Not affiliated with Anthropic PBC.

Give any AI agent the security skills of a senior analyst

A junior analyst knows which Volatility3 plugin to run on a suspicious memory dump, which Sigma rules catch Kerberoasting, and how to scope a cloud breach across three providers. Your AI agent doesn’t — unless you give it these skills.

This repo contains 754 structured cybersecurity skills spanning 26 security domains, each following the agentskills.io open standard. Every skill is mapped to five industry frameworks — MITRE ATT&CK, NIST CSF 2.0, MITRE ATLAS, MITRE D3FEND, and NIST AI RMF — making this the only open-source skills library with unified cross-framework coverage. Clone it, point your agent at it, and your next security investigation gets expert-level guidance in seconds.

Five frameworks, one skill library

No other open-source skills library maps every skill to all five frameworks. One skill, five compliance checkboxes.

Example — a single skill maps across all five:

Quick start

# Option 1: npx (recommended)
npx skills add mukul975/Anthropic-Cybersecurity-Skills

# Option 2: Git clone
git clone https://github.com/mukul975/Anthropic-Cybersecurity-Skills.git
cd Anthropic-Cybersecurity-Skills

Works immediately with Claude Code, GitHub Copilot, OpenAI Codex CLI, Cursor, Gemini CLI, and any agentskills.io-compatible platform.

🌍 GARS-2026 — Global Agentic AI Readiness Survey

I’m running a global academic study measuring how ready security professionals, developers, and enterprise teams actually are for agentic AI — MCP servers, tool calling, governance, and human-in-the-loop workflows.

If you use this repo, your response would be a genuinely valuable data point.

📋 Take the survey (10 min): Survey Link

• 60 questions · Anonymous · Supervised by SRH Berlin
• You get 50 Casky Tokens for early access to casky.ai
• Results published open access under CC-BY 4.0

🚀 Try it on the Playground

Experience Casky.ai hands-on — no setup required.

→ Launch Playground on Casky.ai

The playground lets you:

• Run live cybersecurity skill exercises against real targets
• See AI agents execute structured skills in real time
• Explore MITRE ATT&CK mapped workflows interactively
• Test threat hunting, DFIR, and penetration testing scenarios

No installation. No configuration. Just open and start.

Why this exists

The cybersecurity workforce gap hit 4.8 million unfilled roles globally in 2024 (ISC2). AI agents can help close that gap — but only if they have structured domain knowledge to work from. Today’s agents can write code and search the web, but they lack the practitioner playbooks that turn a generic LLM into a capable security analyst.

Existing security tool repos give you wordlists, payloads, or exploit code. None of them give an AI agent the structured decision-making workflow a senior analyst follows: when to use each technique, what prerequisites to check, how to execute step-by-step, and how to verify results. That is the gap this project fills.

Anthropic Cybersecurity Skills is not a collection of scripts or checklists. It is an AI-native knowledge base built from the ground up for the agentskills.io standard — YAML frontmatter for sub-second discovery, structured Markdown for step-by-step execution, and reference files for deep technical context. Every skill encodes real practitioner workflows, not generated summaries.

What’s inside — 26 security domains

How AI agents use these skills

Each skill costs ~30 tokens to scan (frontmatter only) and 500–2,000 tokens to fully load (complete workflow). This progressive disclosure architecture lets agents search all 754 skills in a single pass without blowing context windows.

User prompt: "Analyze this memory dump for signs of credential theft"

Agent's internal process:

  1. Scans 754 skill frontmatters (~30 tokens each)
     → identifies 12 relevant skills by matching tags, description, domain

  2. Loads top 3 matches:
     • performing-memory-forensics-with-volatility3
     • hunting-for-credential-dumping-lsass
     • analyzing-windows-event-logs-for-credential-access

  3. Executes the structured Workflow section step-by-step
     → runs Volatility3 plugins, checks LSASS access patterns,
        correlates with event log evidence

  4. Validates results using the Verification section
     → confirms IOCs, maps findings to ATT&CK T1003 (Credential Dumping)

Without these skills, the agent guesses at tool commands and misses critical steps. With them, it follows the same playbook a senior DFIR analyst would use.

Skill anatomy

Every skill follows a consistent directory structure:

skills/performing-memory-forensics-with-volatility3/
├── SKILL.md              ← Skill definition (YAML frontmatter + Markdown body)
├── references/
│   ├── standards.md      ← MITRE ATT&CK, ATLAS, D3FEND, NIST mappings
│   └── workflows.md      ← Deep technical procedure reference
├── scripts/
│   └── process.py        ← Working helper scripts
└── assets/
    └── template.md       ← Filled-in checklists and report templates

YAML frontmatter (real example)

---
name: performing-memory-forensics-with-volatility3
description: >-
  Analyze memory dumps to extract running processes, network connections,
  injected code, and malware artifacts using the Volatility3 framework.
domain: cybersecurity
subdomain: digital-forensics
tags: [forensics, memory-analysis, volatility3, incident-response, dfir]
atlas_techniques: [AML.T0047]
d3fend_techniques: [D3-MA, D3-PSMD]
nist_ai_rmf: [MEASURE-2.6]
nist_csf: [DE.CM-01, RS.AN-03]
version: "1.2"
author: mukul975
license: Apache-2.0
---

Markdown body sections

## When to Use
Trigger conditions — when should an AI agent activate this skill?

## Prerequisites
Required tools, access levels, and environment setup.

## Workflow
Step-by-step execution guide with specific commands and decision points.

## Verification
How to confirm the skill was executed successfully.

Frontmatter fields: name (kebab-case, 1–64 chars), description (keyword-rich for agent discovery), domain, subdomain, tags, atlas_techniques (MITRE ATLAS IDs), d3fend_techniques (MITRE D3FEND IDs), nist_ai_rmf (NIST AI RMF references), nist_csf (NIST CSF 2.0 categories). MITRE ATT&CK technique mappings are documented in each skill’s references/standards.md file and in the ATT&CK Navigator layer included with releases.

Compatible platforms

AI code assistants Claude Code (Anthropic) · GitHub Copilot (Microsoft) · Cursor · Windsurf · Cline · Aider · Continue · Roo Code · Amazon Q Developer · Tabnine · Sourcegraph Cody · JetBrains AI

CLI agents OpenAI Codex CLI · Gemini CLI (Google)

Autonomous agents Devin · Replit Agent · SWE-agent · OpenHands

Agent frameworks & SDKs LangChain · CrewAI · AutoGen · Semantic Kernel · Haystack · Vercel AI SDK · Any MCP-compatible agent

All platforms that support the agentskills.io standard can load these skills with zero configuration.

What people are saying

“A database of real, organized security skills that any AI agent can plug into and use. Not tutorials. Not blog posts.” — Hasan Toor (@hasantoxr), AI/tech creator

“This is not a random collection of security scripts. It’s a structured operational knowledge base designed for AI-driven security workflows.” — fazal-sec, Medium

Featured in

Star history

Releases

Skills have continued to grow on main since v1.0.0 — the library now contains 754 skills with 5-framework mapping (MITRE ATLAS, D3FEND, and NIST AI RMF added post-release). Check Releases for the latest tagged version.

Contributing

This project grows through community contributions. Here is how to get involved:

Add a new skill — Domains like Deception Technology (2 skills) and Compliance & Governance (5 skills) need the most help. Follow the template in CONTRIBUTING.md and submit a PR with the title Add skill: your-skill-name.

Improve existing skills — Add framework mappings, fix workflows, update tool references, or contribute scripts and templates.

Report issues — Found an inaccurate procedure or broken script? Open an issue.

Every PR is reviewed for technical accuracy and agentskills.io standard compliance within 48 hours. Check good first issues for a starting point.

This project follows the Contributor Covenant. By participating, you agree to uphold this code.

Community

💬 Discussions — Questions, ideas, and roadmap conversations 🐛 Issues — Bug reports and feature requests 🔒 Security Policy — Responsible disclosure process (48-hour acknowledgment)

Citation

If you use this project in research or publications:

@software{anthropic_cybersecurity_skills,
  author       = {Jangra, Mahipal},
  title        = {Anthropic Cybersecurity Skills},
  year         = {2026},
  url          = {https://github.com/mukul975/Anthropic-Cybersecurity-Skills},
  license      = {Apache-2.0},
  note         = {754 structured cybersecurity skills for AI agents,
                  mapped to MITRE ATT\&CK, NIST CSF 2.0, MITRE ATLAS,
                  MITRE D3FEND, and NIST AI RMF}
}

License

This project is licensed under the Apache License 2.0. You are free to use, modify, and distribute these skills in both personal and commercial projects.