Manage world migrations, handle breaking changes, and upgrade Dojo versions. Use when updating deployed worlds, migrating to new versions, or handling schema changes.

Initialize new Dojo projects with proper directory structure, configuration files, and dependencies. Use when starting a new Dojo game project or setting up the initial project structure.

Set up and configure Torii indexer for GraphQL queries, gRPC subscriptions, and SQL access. Use when indexing your deployed world for client queries or real-time updates.

Deploy Dojo worlds to local Katana, testnet, or mainnet. Configure Katana sequencer and manage deployments with sozo. Use when deploying your game or starting local development environment.

Configure Scarb.toml, dojo profiles, world settings, and dependencies. Use when setting up project configuration, managing dependencies, or configuring deployment environments.

Integrate Dojo with game clients for JavaScript, Unity, Unreal, Rust, and other platforms. Generate typed bindings and connection code. Use when connecting frontends or game engines to your Dojo world.

Triage suspicious login alerts like impossible travel, untrusted location, or multiple failures. Use when investigating authentication anomalies. Analyzes user history, source IP reputation, login patterns, and determines if escalation is needed.

Triage a suspected malicious file hash. Use when investigating malware alerts or suspicious files. Analyzes GTI file report, behavioral indicators, identifies affected hosts, enriches network IOCs, and recommends containment actions.

Triage a security alert or case. Use when given an ALERT_ID or CASE_ID to assess if it's a real threat. Enriches IOCs, searches SIEM for context, and determines if the alert should be closed (false positive) or escalated for investigation.

Respond to a ransomware incident following PICERL methodology. Use when ransomware is detected or suspected. Orchestrates identification, containment, eradication, and recovery phases. Requires CASE_ID and initial indicators.

Respond to a reported phishing email following PICERL methodology. Use when a phishing email is reported or detected. Analyzes artifacts, identifies recipients who clicked, contains malicious IOCs, and removes emails from mailboxes.

Respond to a malware incident following PICERL methodology. Use when malware is detected on endpoints. Orchestrates triage, containment, eradication, and recovery. Works with triage-malware skill for analysis.

Respond to a potentially compromised user account. Use when impossible travel, credential stuffing, successful phishing, or suspicious activity indicates account compromise. Investigates activity, contains the account, removes persistence, and restores access.

Explore GTI relationships for an IOC to discover related entities. Use to expand investigation by finding connected domains, IPs, files, or threat actors. Takes an IOC and relationship types to query.

Systematic cataloging of information assets. Creates comprehensive inventories of all content with metadata and characteristics.

Conduct proactive, hypothesis-driven threat hunting. Use when performing advanced hunting based on threat intelligence, TTPs, or anomalies. For Tier 3 analysts or dedicated threat hunters. Supports iterative search, pivoting, and comprehensive documentation.

Hunt for lateral movement using PsExec, WMI, or similar techniques. Use when proactively searching for attackers moving through your network using admin tools. Searches for service installations, remote process execution, and suspicious network correlations.

Hunt for specific IOCs across your environment. Use when you have a list of IPs, domains, hashes, or URLs from threat intel and want to check if they appear in your SIEM. Systematic searching with enrichment and documentation.

Hunt for credential access techniques like LSASS dumping or browser credential theft. Use when searching for evidence of credential harvesting. Takes MITRE technique IDs and searches for behavioral indicators in SIEM.

Hunt for a specific APT/threat actor in your environment. Use when you have a threat actor name or GTI collection ID and want to search for their TTPs and IOCs. Gathers intelligence from GTI, searches SIEM for IOCs and TTP-based indicators, and documents findings.