Hunt for a specific APT/threat actor in your environment. Use when you have a threat actor name or GTI collection ID and want to search for their TTPs and IOCs. Gathers intelligence from GTI, searches SIEM for IOCs and TTP-based indicators, and documents findings.
Score: 79 (75%)
Quality: Does it follow best practices?
Impact: Pending (no eval scenarios have been run)
Passed: No known issues

Optimize this skill with Tessl:

`npx tessl skill review --optimize ./skills/hunt-apt/SKILL.md`

Quality

Discovery (100%)

Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.
This is a well-crafted skill description that clearly defines its purpose, trigger conditions, and specific actions. It uses domain-appropriate terminology that security analysts would naturally use, includes an explicit 'Use when' clause with concrete trigger conditions, and occupies a distinct niche that minimizes conflict risk with other skills.
| Dimension | Reasoning | Score |
|---|---|---|
| Specificity | Lists multiple specific concrete actions: 'Hunt for a specific APT/threat actor', 'Gathers intelligence from GTI', 'searches SIEM for IOCs and TTP-based indicators', 'documents findings'. These are concrete, domain-specific actions. | 3 / 3 |
| Completeness | Clearly answers both what ('Gathers intelligence from GTI, searches SIEM for IOCs and TTP-based indicators, and documents findings') and when ('Use when you have a threat actor name or GTI collection ID and want to search for their TTPs and IOCs') with explicit trigger conditions. | 3 / 3 |
| Trigger Term Quality | Includes strong natural keywords users would say: 'APT', 'threat actor', 'GTI collection ID', 'TTPs', 'IOCs', 'SIEM', 'threat actor name', 'hunt'. These are terms a security analyst would naturally use when requesting this capability. | 3 / 3 |
| Distinctiveness / Conflict Risk | Highly distinctive with a clear niche: APT/threat actor hunting using GTI and SIEM. The specific combination of threat actor hunting, GTI intelligence gathering, and SIEM searching creates a unique profile unlikely to conflict with other skills. | 3 / 3 |
| Total | | 12 / 12 Passed |
Implementation (50%)

Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.
This skill provides a solid structural framework for APT threat hunting with clear step sequencing and specific tool calls. Its main weaknesses are the lack of concrete UDM query examples (critical for actionability), missing validation/error-handling checkpoints between steps, and some redundancy between the workflow steps and summary tables. The skill would benefit significantly from executable query examples and explicit decision criteria.
Suggestions

- Add concrete UDM query examples for common IOC types (e.g., domain lookups, file hash searches, IP matches) in Steps 3 and 4 instead of saying 'construct UDM queries'
- Add validation checkpoints: verify GTI returned data before proceeding to SIEM searches, define what constitutes a 'hit' vs noise, and specify criteria for escalation in Step 8
- Replace placeholder `get_..._report` in Step 5 with specific function calls for each entity type (domains, IPs, files)
- Remove the 'Key Intelligence Sources' table since it duplicates Step 1, or consolidate into a single reference
| Dimension | Reasoning | Score |
|---|---|---|
| Conciseness | Generally efficient but includes some redundancy — the 'Key Intelligence Sources' table repeats information already shown in Step 1, and the 'Required Outputs' table adds variables that aren't clearly used elsewhere. The outputs table and critical requirements section could be tighter. | 2 / 3 |
| Actionability | Provides concrete tool calls with specific function names and parameters, which is good. However, several steps use pseudocode-level guidance rather than executable examples — Step 3 says 'construct UDM queries' without showing actual query syntax, Step 4 says 'formulate TTP-specific UDM queries' without examples, and Step 5 uses placeholder `get_..._report`. Key details for IOC-to-UDM query translation are missing. | 2 / 3 |
| Workflow Clarity | The 8-step workflow is clearly sequenced with logical progression from intelligence gathering through hunting to reporting. However, there are no explicit validation checkpoints — no verification that GTI returned valid data before proceeding, no guidance on what to do if SIEM searches fail or return ambiguous results, and the escalation criteria in Step 8 lack specificity on what constitutes 'confirmed threat found' vs noise. | 2 / 3 |
| Progressive Disclosure | The content is reasonably well-structured with clear sections and tables, but it's somewhat monolithic — all content is inline with no references to external files for detailed UDM query examples, IOC type handling specifics, or report templates. References to other skills (/find-relevant-case, /document-in-case, /generate-report) provide some disclosure but aren't linked to files. | 2 / 3 |
| Total | | 8 / 12 Passed |
Validation (90%)

Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.
Validation — 10 / 11 Passed
Validation for skill structure
| Criteria | Description | Result |
|---|---|---|
| frontmatter_unknown_keys | Unknown frontmatter key(s) found; consider removing or moving to metadata | Warning |
| Total | | 10 / 11 Passed |