
deep-dive-ioc

Perform exhaustive analysis of a critical IOC. Use when an IOC needs Tier 2+ investigation beyond basic enrichment - includes GTI pivoting, deep SIEM searches, correlation with related entities, and threat attribution. For escalated IOCs requiring comprehensive investigation.

Install with Tessl CLI

npx tessl i github:dandye/ai-runbooks --skill deep-dive-ioc
88


Discovery

85%

Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.

This is a well-structured description that clearly defines its scope as advanced IOC investigation distinct from basic enrichment. It excels at specificity and completeness with explicit 'Use when' guidance. The main weakness is reliance on technical jargon (GTI, SIEM, IOC) without including natural language variations users might employ.

Suggestions

Add natural language trigger terms alongside technical jargon, such as 'investigate suspicious IP', 'analyze malicious hash', 'deep dive on indicator', or 'escalate threat analysis'

Consider including common IOC types users might mention: 'IP address', 'file hash', 'domain', 'URL' to improve trigger matching

| Dimension | Reasoning | Score |
| --- | --- | --- |
| Specificity | Lists multiple specific concrete actions: 'GTI pivoting, deep SIEM searches, correlation with related entities, and threat attribution.' Also specifies 'Tier 2+ investigation beyond basic enrichment.' | 3 / 3 |
| Completeness | Clearly answers both what ('exhaustive analysis...includes GTI pivoting, deep SIEM searches, correlation, threat attribution') and when ('Use when an IOC needs Tier 2+ investigation', 'For escalated IOCs requiring comprehensive investigation'). | 3 / 3 |
| Trigger Term Quality | Includes relevant security terms like 'IOC', 'GTI', 'SIEM', 'threat attribution', and 'escalated', but these are technical jargon. Missing natural user phrases like 'investigate indicator', 'deep dive', 'analyze suspicious IP/hash/domain'. | 2 / 3 |
| Distinctiveness Conflict Risk | Clear niche distinguishing it from basic IOC enrichment with explicit 'Tier 2+' and 'beyond basic enrichment' qualifiers. The escalation context and comprehensive investigation scope create distinct triggers unlikely to conflict with simpler IOC lookup skills. | 3 / 3 |
| Total | | 11 / 12 Passed |

Implementation

87%

Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.

This is a well-structured, actionable skill for deep IOC analysis that efficiently communicates a complex multi-step workflow. The skill excels at providing concrete tool calls and clear decision tables. The main weakness is the lack of validation checkpoints and error handling guidance for a workflow that involves multiple external tool calls that could fail or return empty results.

Suggestions

Add validation checkpoints after critical steps (e.g., 'If GTI report returns no data, document as unknown IOC and proceed with SIEM-only analysis')

Include error handling guidance for common failure scenarios (tool timeouts, no SIEM results, rate limiting)

| Dimension | Reasoning | Score |
| --- | --- | --- |
| Conciseness | The skill is lean and efficient, using tables and structured formatting to convey information without unnecessary explanation. It assumes Claude understands security concepts like IOCs, SIEM, and GTI without defining them. | 3 / 3 |
| Actionability | Provides specific tool calls with exact parameter names, clear tables mapping IOC types to appropriate tools, and concrete examples of what to record and search for. Commands are copy-paste ready. | 3 / 3 |
| Workflow Clarity | Steps are clearly sequenced (1-7) with logical progression, but lacks explicit validation checkpoints. No feedback loops for error recovery - if a GTI lookup fails or SIEM search returns nothing, there's no guidance on how to proceed. | 2 / 3 |
| Progressive Disclosure | Well-organized with clear sections, references to other skills (/pivot-on-ioc, /enrich-ioc, /correlate-ioc) for detailed operations, and appropriate use of tables for quick reference. Content is appropriately scoped for a skill file. | 3 / 3 |
| Total | | 11 / 12 Passed |

Validation

90%

Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.

Validation: 10 / 11 Passed

Validation for skill structure

| Criteria | Description | Result |
| --- | --- | --- |
| frontmatter_unknown_keys | Unknown frontmatter key(s) found; consider removing or moving to metadata | Warning |
| Total | | 10 / 11 Passed |
