Map advanced persistent threat (APT) group tactics, techniques, and procedures (TTPs) to the MITRE ATT&CK framework using the ATT&CK Navigator and attackcti Python library. The analyst queries STIX/TAXII data for group-technique associations, generates Navigator layer files for visualization, and compares defensive coverage against adversary profiles. Activates for requests involving APT TTP mapping, ATT&CK Navigator layers, threat actor profiling, or MITRE technique coverage analysis.
Score: 49 (53%, "Does it follow best practices?")
Impact: —
Eval scenarios: No eval scenarios have been run
Known issues: Passed, No known issues
Optimize this skill with Tessl: `npx tessl skill review --optimize ./skills/analyzing-threat-actor-ttps-with-mitre-navigator/SKILL.md`

Quality
Discovery: 100%
Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.
This is an excellent skill description that clearly defines a specific cybersecurity niche. It provides concrete actions, uses domain-appropriate trigger terms that analysts would naturally use, explicitly states both what the skill does and when it should activate, and occupies a highly distinctive space unlikely to conflict with other skills.
| Dimension | Reasoning | Score |
|---|---|---|
| Specificity | Lists multiple specific concrete actions: querying STIX/TAXII data for group-technique associations, generating Navigator layer files for visualization, and comparing defensive coverage against adversary profiles. Very detailed and actionable. | 3 / 3 |
| Completeness | Clearly answers both 'what' (map APT TTPs to MITRE ATT&CK, query STIX/TAXII data, generate Navigator layers, compare defensive coverage) and 'when' ('Activates for requests involving APT TTP mapping, ATT&CK Navigator layers, threat actor profiling, or MITRE technique coverage analysis'). | 3 / 3 |
| Trigger Term Quality | Excellent coverage of natural terms a security analyst would use: 'APT', 'TTPs', 'MITRE ATT&CK', 'ATT&CK Navigator', 'STIX/TAXII', 'threat actor profiling', 'technique coverage analysis', 'Navigator layers'. These are precisely the terms a user in this domain would naturally say. | 3 / 3 |
| Distinctiveness / Conflict Risk | Highly distinctive niche focused specifically on MITRE ATT&CK framework mapping with ATT&CK Navigator and attackcti library. The combination of APT profiling, STIX/TAXII querying, and Navigator layer generation is very unlikely to conflict with other skills. | 3 / 3 |
| Total | | 12 / 12 Passed |
Implementation: 7%
Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.
This skill is essentially a high-level outline rather than actionable guidance. It lacks any executable code for using attackcti, provides only vague step descriptions, and pads the content with generic boilerplate sections. Claude already knows what MITRE ATT&CK is and how STIX works—the skill should focus exclusively on concrete, copy-paste-ready code and specific workflow instructions.
Suggestions
Replace the abstract 5-step list with executable Python code showing how to use attackcti to query a threat group (e.g., `lift = attack_client(); apt29 = lift.get_group_by_alias('APT29')`) and extract associated techniques.
Add a complete, executable function that generates a valid ATT&CK Navigator layer JSON file from the queried techniques, not just a partial output snippet.
Add validation checkpoints: verify the STIX query returned results, validate the generated layer JSON against the Navigator schema before export, and include error handling for common failures (e.g., network issues with TAXII server).
Remove the 'When to Use' and 'Overview' sections entirely—they add no actionable information—and replace with a concrete quick-start code block that Claude can immediately execute.
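As an added example of the layer-generation and validation checkpoints the suggestions above ask for (not code from the skill or from Tessl's review): it takes STIX attack-pattern objects supplied inline so it runs offline; in real use those objects would come from attackcti (the `lift.get_techniques_used_by_group` call named in the comment is assumed, not executed), and the Navigator `versions` values are assumed.

```python
import re

# Constructed sample: STIX attack-pattern objects in the shape ATT&CK publishes
# (only the fields used here). In practice these come from attackcti, e.g.
# lift.get_techniques_used_by_group(group); that call is not made in this example.
SAMPLE_TECHNIQUES = [
    {"type": "attack-pattern", "name": "Phishing",
     "external_references": [{"source_name": "mitre-attack", "external_id": "T1566"}]},
    {"type": "attack-pattern", "name": "Spearphishing Attachment",
     "external_references": [{"source_name": "mitre-attack", "external_id": "T1566.001"}]},
    {"type": "attack-pattern", "name": "PowerShell",
     "external_references": [{"source_name": "mitre-attack", "external_id": "T1059.001"}]},
    {"type": "attack-pattern", "name": "Phishing",  # duplicate: must collapse to one entry
     "external_references": [{"source_name": "mitre-attack", "external_id": "T1566"}]},
]

TECHNIQUE_ID = re.compile(r"^T\d{4}(\.\d{3})?$")

def technique_ids(stix_objects):
    """Collect unique ATT&CK IDs from the 'mitre-attack' external reference of each object."""
    ids = set()
    for obj in stix_objects:
        if obj.get("type") != "attack-pattern":
            continue  # skip relationships, groups, etc. that a broad STIX query may return
        for ref in obj.get("external_references", []):
            if ref.get("source_name") == "mitre-attack" and TECHNIQUE_ID.match(ref.get("external_id", "")):
                ids.add(ref["external_id"])
    return sorted(ids)

def build_layer(group_name, stix_objects, domain="enterprise-attack", score=1):
    """Build a Navigator layer dict; refuse to emit an empty layer when the query returned nothing."""
    ids = technique_ids(stix_objects)
    if not ids:
        raise ValueError("STIX query returned no attack-pattern objects for %s" % group_name)
    return {
        "name": "%s techniques" % group_name,
        "versions": {"attack": "14", "navigator": "4.9.1", "layer": "4.5"},  # assumed versions
        "domain": domain,
        "description": "%d unique techniques attributed to %s" % (len(ids), group_name),
        "techniques": [{"techniqueID": t, "score": score, "enabled": True, "comment": ""} for t in ids],
        "gradient": {"colors": ["#ffffff", "#ff6666"], "minValue": 0, "maxValue": 1},
    }

def validate_layer(layer):
    """Lightweight pre-export check; returns a list of problems (empty means the layer is usable)."""
    problems = [k for k in ("name", "versions", "domain", "techniques") if k not in layer]
    for t in layer.get("techniques", []):
        if not TECHNIQUE_ID.match(str(t.get("techniqueID", ""))):
            problems.append("bad techniqueID: %r" % t.get("techniqueID"))
    return problems
```

Serialise the returned dict with `json.dump` once `validate_layer` comes back empty, and Navigator's "Open Existing Layer" will load it.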
| Dimension | Reasoning | Score |
|---|---|---|
| Conciseness | The 'When to Use' section is generic filler that adds no value. The 'Prerequisites' section explains things Claude already knows. The 'Overview' paragraph restates what ATT&CK Navigator and attackcti are—information Claude already has. Much of the content is padding rather than actionable instruction. | 1 / 3 |
| Actionability | The 'Steps' section is entirely abstract—no executable code, no concrete commands, no actual Python snippets showing how to use attackcti to query groups, extract techniques, or generate layer JSON. The expected output is a partial JSON snippet but there's no code to produce it. This describes rather than instructs. | 1 / 3 |
| Workflow Clarity | The five steps are vague descriptions without any concrete commands, validation checkpoints, or error handling. There's no feedback loop for verifying the STIX query returned valid data, no validation of the generated layer JSON, and no guidance on what to do if steps fail. | 1 / 3 |
| Progressive Disclosure | The content is organized into clear sections (Overview, When to Use, Prerequisites, Steps, Expected Output), which provides some structure. However, there are no references to supporting files, and the content that exists is too thin to warrant splitting—the problem is lack of depth rather than poor organization. | 2 / 3 |
| Total | | 5 / 12 Passed |
Validation: 90%
Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.
Validation — 10 / 11 Passed
Validation for skill structure
| Criteria | Description | Result |
|---|---|---|
| frontmatter_unknown_keys | Unknown frontmatter key(s) found; consider removing or moving to metadata | Warning |
| Total | | 10 / 11 Passed |