Map advanced persistent threat (APT) group tactics, techniques, and procedures (TTPs) to the MITRE ATT&CK framework using the ATT&CK Navigator and attackcti Python library. The analyst queries STIX/TAXII data for group-technique associations, generates Navigator layer files for visualization, and compares defensive coverage against adversary profiles. Activates for requests involving APT TTP mapping, ATT&CK Navigator layers, threat actor profiling, or MITRE technique coverage analysis.
Discovery: 100%
Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.
This is an excellent skill description that clearly defines specific capabilities (TTP mapping, STIX/TAXII querying, Navigator layer generation, defensive coverage comparison), includes rich domain-specific trigger terms that practitioners would naturally use, and explicitly states both what the skill does and when it should activate. The only minor note is the use of third person 'The analyst' which is acceptable but slightly unusual phrasing; overall this is a strong, well-crafted description.
| Dimension | Reasoning | Score |
|---|---|---|
| Specificity | Lists multiple specific concrete actions: mapping APT TTPs to MITRE ATT&CK, querying STIX/TAXII data for group-technique associations, generating Navigator layer files, and comparing defensive coverage against adversary profiles. | 3 / 3 |
| Completeness | Clearly answers both 'what' (map APT TTPs to MITRE ATT&CK, query STIX/TAXII data, generate Navigator layers, compare defensive coverage) and 'when' with explicit triggers ('Activates for requests involving APT TTP mapping, ATT&CK Navigator layers, threat actor profiling, or MITRE technique coverage analysis'). | 3 / 3 |
| Trigger Term Quality | Excellent coverage of natural terms a security analyst would use: 'APT', 'TTPs', 'MITRE ATT&CK', 'ATT&CK Navigator', 'threat actor profiling', 'STIX/TAXII', 'technique coverage analysis', 'Navigator layers'. These are the exact terms practitioners use. | 3 / 3 |
| Distinctiveness / Conflict Risk | Highly distinctive niche focused specifically on MITRE ATT&CK framework mapping and Navigator layer generation. The combination of ATT&CK Navigator, attackcti library, STIX/TAXII, and APT profiling creates a very clear and unique scope unlikely to conflict with other skills. | 3 / 3 |
| Total | | 12 / 12 Passed |
Implementation: 7%
Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.
This skill is essentially a high-level outline with no actionable content. It lacks any executable code (no attackcti API calls, no layer generation code, no STIX query examples), making it useless as a practical guide. The content is padded with generic descriptions and boilerplate sections while missing the concrete implementation details that would make it valuable.
Suggestions
Add complete, executable Python code showing how to use attackcti to query a threat group's techniques (e.g., `from attackcti import attack_client; lift = attack_client.AttackClient(); group = lift.get_group_by_alias('APT29')`)
Include a full working function that generates a valid ATT&CK Navigator layer JSON file from queried STIX data, not just a partial output snippet
Add validation steps such as verifying the STIX query returned results, checking the generated layer JSON against the Navigator schema, and confirming technique IDs are valid
Remove the generic 'When to Use' and 'Prerequisites' sections and replace with concrete examples of coverage gap analysis comparing group TTPs against detection rules
| Dimension | Reasoning | Score |
|---|---|---|
| Conciseness | The 'When to Use' section is generic filler that adds no value. The 'Prerequisites' section explains things Claude already knows. The 'Overview' paragraph restates what ATT&CK Navigator and attackcti are, which is unnecessary context padding. | 1 / 3 |
| Actionability | There is no executable code anywhere in the skill. The steps are entirely abstract descriptions ('Query ATT&CK STIX data', 'Extract techniques') with no concrete commands, API calls, or Python code. The expected output is a partial JSON snippet but not tied to any executable workflow. | 1 / 3 |
| Workflow Clarity | The five steps are vague descriptions without any concrete commands, validation checkpoints, or error handling. There is no feedback loop for verifying the generated layer JSON is valid or that STIX queries returned expected results. This is essentially a high-level outline, not a workflow. | 1 / 3 |
| Progressive Disclosure | The content is organized into clear sections (Overview, When to Use, Prerequisites, Steps, Expected Output), which provides some structure. However, there are no references to external files for advanced topics like coverage gap analysis or multi-group comparison, and the inline content is too shallow rather than too deep. | 2 / 3 |
| Total | | 5 / 12 Passed |
Validation: 90%
Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.
Validation — 10 / 11 Passed
Validation for skill structure
| Criteria | Description | Result |
|---|---|---|
| frontmatter_unknown_keys | Unknown frontmatter key(s) found; consider removing or moving to metadata | Warning |
| Total | | 10 / 11 Passed |