hunt-apt

Hunt for a specific APT/threat actor in your environment. Use when you have a threat actor name or GTI collection ID and want to search for their TTPs and IOCs. Gathers intelligence from GTI, searches SIEM for IOCs and TTP-based indicators, and documents findings.

Quality

75%

Does it follow best practices?

Impact

—

No eval scenarios have been run

Securityby

Passed

No known issues

Optimize this skill with Tessl

npx tessl skill review --optimize ./skills/hunt-apt/SKILL.md

Quality

Content

50%

Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.

This skill provides a solid structural framework for APT threat hunting with clear step sequencing and specific tool calls. Its main weaknesses are the lack of concrete UDM query examples (critical for actionability), missing validation/error-handling checkpoints between steps, and some redundancy between the workflow steps and summary tables. The skill would benefit significantly from executable query examples and explicit decision criteria.

Suggestions

Add concrete UDM query examples for common IOC types (e.g., domain lookups, file hash searches, IP matches) in Steps 3 and 4 instead of saying 'construct UDM queries'

Add validation checkpoints: verify GTI returned data before proceeding to SIEM searches, define what constitutes a 'hit' vs noise, and specify criteria for escalation in Step 8

Replace placeholder `get_..._report` in Step 5 with specific function calls for each entity type (domains, IPs, files)

Remove the 'Key Intelligence Sources' table since it duplicates Step 1, or consolidate into a single reference

Dimension	Reasoning	Score
Conciseness	Generally efficient but includes some redundancy — the 'Key Intelligence Sources' table repeats information already shown in Step 1, and the 'Required Outputs' table adds variables that aren't clearly used elsewhere. The outputs table and critical requirements section could be tighter.	2 / 3
Actionability	Provides concrete tool calls with specific function names and parameters, which is good. However, several steps use pseudocode-level guidance rather than executable examples — Step 3 says 'construct UDM queries' without showing actual query syntax, Step 4 says 'formulate TTP-specific UDM queries' without examples, and Step 5 uses placeholder `get_..._report`. Key details for IOC-to-UDM query translation are missing.	2 / 3
Workflow Clarity	The 8-step workflow is clearly sequenced with logical progression from intelligence gathering through hunting to reporting. However, there are no explicit validation checkpoints — no verification that GTI returned valid data before proceeding, no guidance on what to do if SIEM searches fail or return ambiguous results, and the escalation criteria in Step 8 lack specificity on what constitutes 'confirmed threat found' vs noise.	2 / 3
Progressive Disclosure	The content is reasonably well-structured with clear sections and tables, but it's somewhat monolithic — all content is inline with no references to external files for detailed UDM query examples, IOC type handling specifics, or report templates. References to other skills (/find-relevant-case, /document-in-case, /generate-report) provide some disclosure but aren't linked to files.	2 / 3
	Total	8 / 12 Passed

Description

100%

Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.

This is a well-crafted skill description that clearly defines its purpose, trigger conditions, and specific actions. It uses domain-appropriate terminology that security analysts would naturally use, includes an explicit 'Use when' clause with concrete trigger conditions, and occupies a distinct niche that minimizes conflict risk with other skills.

Dimension	Reasoning	Score
Specificity	Lists multiple specific concrete actions: 'Hunt for a specific APT/threat actor', 'Gathers intelligence from GTI', 'searches SIEM for IOCs and TTP-based indicators', 'documents findings'. These are concrete, domain-specific actions.	3 / 3
Completeness	Clearly answers both what ('Gathers intelligence from GTI, searches SIEM for IOCs and TTP-based indicators, and documents findings') and when ('Use when you have a threat actor name or GTI collection ID and want to search for their TTPs and IOCs') with explicit trigger conditions.	3 / 3
Trigger Term Quality	Includes strong natural keywords users would say: 'APT', 'threat actor', 'GTI collection ID', 'TTPs', 'IOCs', 'SIEM', 'threat actor name', 'hunt'. These are terms a security analyst would naturally use when requesting this capability.	3 / 3
Distinctiveness Conflict Risk	Highly distinctive with a clear niche: APT/threat actor hunting using GTI and SIEM. The specific combination of threat actor hunting, GTI intelligence gathering, and SIEM searching creates a unique profile unlikely to conflict with other skills.	3 / 3
	Total	12 / 12 Passed

Validation

90%

Warnings & errors only

Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.

Validation — 10 / 11 Passed

Validation for skill structure

Criteria	Description	Result
frontmatter_unknown_keys	Unknown frontmatter key(s) found; consider removing or moving to metadata	Warning

	Total	10 / 11 Passed

Repository: dandye/ai-runbooks
Commit: 086cbf6

Reviewed: 2 months ago

Table of Contents

Discovery Implementation Validation

Is this your skill?

If you maintain this skill, you can claim it as your own. Once claimed, you can manage eval scenarios, bundle related skills, attach documentation or rules, and ensure cross-agent compatibility.