Analyze advanced persistent threat (APT) group techniques using MITRE ATT&CK Navigator to create layered heatmaps of adversary TTPs for detection gap analysis and threat-informed defense.
72
66%
Impact: Pending (no eval scenarios have been run)
Advisory: Suggest reviewing before use
Optimize this skill with Tessl: `npx tessl skill review --optimize ./skills/analyzing-apt-group-with-mitre-navigator/SKILL.md`

Quality

Discovery: 82%

Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.
This is a strong, domain-specific description with excellent specificity and trigger term coverage for cybersecurity threat intelligence professionals. Its main weakness is the absence of an explicit 'Use when...' clause, which would help Claude know precisely when to select this skill. Adding trigger guidance would elevate this from good to excellent.
Suggestions
Add an explicit 'Use when...' clause, e.g., 'Use when the user asks about APT groups, MITRE ATT&CK mappings, threat coverage analysis, or creating ATT&CK Navigator layers.'
| Dimension | Reasoning | Score |
|---|---|---|
| Specificity | Lists multiple specific concrete actions: analyze APT group techniques, create layered heatmaps of adversary TTPs, perform detection gap analysis, and support threat-informed defense. These are concrete, domain-specific actions. | 3 / 3 |
| Completeness | The 'what' is well-covered (analyze APT techniques, create layered heatmaps, detection gap analysis), but there is no explicit 'Use when...' clause or equivalent trigger guidance. Per the rubric, a missing 'Use when...' clause caps completeness at 2. | 2 / 3 |
| Trigger Term Quality | Includes strong natural keywords users in this domain would use: 'APT', 'MITRE ATT&CK', 'Navigator', 'heatmaps', 'TTPs', 'detection gap analysis', 'threat-informed defense', 'adversary'. These are terms a security analyst would naturally mention. | 3 / 3 |
| Distinctiveness / Conflict Risk | Highly distinctive with a clear niche: MITRE ATT&CK Navigator, APT group analysis, layered heatmaps, and detection gap analysis. This is unlikely to conflict with other skills due to its very specific cybersecurity threat intelligence focus. | 3 / 3 |
| Total | | 11 / 12 Passed |
Implementation: 50%

Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.
The skill provides genuinely useful, executable Python code for ATT&CK Navigator layer generation and APT group analysis, which is its primary strength. However, it is significantly bloated with explanatory content Claude doesn't need (Key Concepts, Overview, When to Use sections), and the workflow lacks integrated validation steps between stages. The monolithic structure would benefit from splitting advanced analyses into separate files.
Suggestions
Remove the 'Key Concepts' section entirely and trim the 'Overview' to 1-2 sentences — Claude already understands ATT&CK, Navigator layers, and STIX objects.
Remove or drastically shorten the 'When to Use' section, which is generic and adds no actionable value.
Add inline validation after Step 2 (e.g., validate the JSON schema before writing, or load and verify the layer renders key fields) and after Step 1 (verify technique count is non-zero before proceeding).
Split Steps 3-5 into a separate ADVANCED_ANALYSIS.md file and reference it from the main skill, keeping the core skill focused on Steps 1-2 and gap analysis.
| Dimension | Reasoning | Score |
|---|---|---|
| Conciseness | The skill is excessively verbose with unnecessary explanations of concepts Claude already knows (what ATT&CK Navigator is, what layers are, what APT group profiles contain, what multi-layer analysis is). The 'Key Concepts' section is entirely redundant background. The 'When to Use' section is generic filler. The overview paragraph explains things at a level Claude doesn't need. | 1 / 3 |
| Actionability | The code examples are fully executable with proper imports, concrete API calls, complete JSON structure generation, and specific group IDs. The code is copy-paste ready and covers the full workflow from data querying through layer generation and gap analysis. | 3 / 3 |
| Workflow Clarity | The 5-step workflow is clearly sequenced and logically ordered, but lacks validation checkpoints between steps. There's no verification that the ATT&CK data query succeeded before proceeding, no validation that the generated JSON is well-formed before saving, and the 'Validation Criteria' section is a post-hoc checklist rather than integrated feedback loops. For a workflow generating JSON files that will be loaded into external tools, inline validation is important. | 2 / 3 |
| Progressive Disclosure | The content is a monolithic document with everything inline. The Key Concepts section, detailed code for multi-group comparison, tactic breakdown analysis, and gap analysis could all be split into separate referenced files. References are listed at the end but there's no structured navigation to supplementary materials within the skill itself. | 2 / 3 |
| Total | | 8 / 12 Passed |
Validation: 90%

Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.
Validation — 10 / 11 Passed
Validation for skill structure
| Criteria | Description | Result |
|---|---|---|
| frontmatter_unknown_keys | Unknown frontmatter key(s) found; consider removing or moving to metadata | Warning |
| Total | | 10 / 11 Passed |
c15f73d