Perform exhaustive analysis of a critical IOC. Use when an IOC needs Tier 2+ investigation beyond basic enrichment - includes GTI pivoting, deep SIEM searches, correlation with related entities, and threat attribution. For escalated IOCs requiring comprehensive investigation.
Overall: 88, 86%. Does it follow best practices?
Impact: Pending (no eval scenarios have been run)
Quality: Passed (no known issues)
Discovery
85%. Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.
This is a strong skill description that clearly defines its scope for advanced IOC investigation with specific actions and explicit escalation triggers. The main weakness is reliance on technical jargon (GTI, SIEM, IOC) without spelling out common variations that users might naturally say. The description effectively differentiates itself from basic enrichment skills through explicit Tier 2+ positioning.
Suggestions
Consider expanding trigger terms to include natural language variations like 'indicator of compromise', 'deep investigation', 'investigate thoroughly', or 'malware analysis' to improve discoverability
| Dimension | Reasoning | Score |
|---|---|---|
| Specificity | Lists multiple specific concrete actions: 'exhaustive analysis', 'GTI pivoting', 'deep SIEM searches', 'correlation with related entities', and 'threat attribution'. These are concrete, domain-specific actions. | 3 / 3 |
| Completeness | Clearly answers both what ('exhaustive analysis', 'GTI pivoting', 'deep SIEM searches', 'correlation', 'threat attribution') AND when ('Tier 2+ investigation beyond basic enrichment', 'escalated IOCs requiring comprehensive investigation'). Has explicit trigger guidance. | 3 / 3 |
| Trigger Term Quality | Includes relevant terms like 'IOC', 'Tier 2+', 'GTI', 'SIEM', 'threat attribution', and 'escalated'. These are the technical terms analysts would use, but common variations like 'indicator of compromise', 'deep dive', 'investigate', or 'malware analysis' are missing. | 2 / 3 |
| Distinctiveness Conflict Risk | Very clear niche targeting escalated/Tier 2+ IOC investigations specifically. The 'beyond basic enrichment' clause explicitly distinguishes it from simpler IOC lookup skills. Unlikely to conflict with basic enrichment or other security skills. | 3 / 3 |
| Total | 11 / 12 Passed | |
Implementation
87%. Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.
This is a well-structured, actionable skill for deep IOC analysis that efficiently communicates a complex multi-step workflow. The skill excels at providing concrete tool calls and clear organization, but could benefit from explicit validation checkpoints between investigation phases to ensure findings are verified before proceeding to synthesis.
Suggestions
Add validation checkpoints after Steps 2-4 (e.g., 'If GTI returns no results, document as clean and consider alternative analysis paths')
Include a brief error handling note for when SIEM searches return no events or GTI pivoting yields no related entities
| Dimension | Reasoning | Score |
|---|---|---|
| Conciseness | The skill is lean and efficient, using tables and structured formatting to convey information without unnecessary explanation. It assumes Claude understands security concepts like IOCs, SIEM, and GTI without defining them. | 3 / 3 |
| Actionability | Provides specific tool calls with exact parameter names, clear tables mapping IOC types to appropriate tools, and concrete examples of what to record at each step. Commands are copy-paste ready. | 3 / 3 |
| Workflow Clarity | Steps are clearly sequenced and numbered, but the skill lacks explicit validation checkpoints. For a multi-step investigation involving pivoting and correlation, there is no feedback loop for verifying findings before proceeding, and no handling for cases where GTI returns no results. | 2 / 3 |
| Progressive Disclosure | Well-organized with clear sections, references to other skills (/pivot-on-ioc, /enrich-ioc, /correlate-ioc) for detailed operations, and a helpful comparison table at the end. Content is appropriately structured without being monolithic. | 3 / 3 |
| Total | 11 / 12 Passed | |
Validation
90%. Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.
Validation — 10 / 11 Passed
Validation for skill structure
| Criteria | Description | Result |
|---|---|---|
| frontmatter_unknown_keys | Unknown frontmatter key(s) found; consider removing or moving to metadata | Warning |
| Total | 10 / 11 Passed | |