CtrlK
BlogDocsLog inGet started
Tessl Logo

analyzing-threat-actor-ttps-with-mitre-navigator

Map advanced persistent threat (APT) group tactics, techniques, and procedures (TTPs) to the MITRE ATT&CK framework using the ATT&CK Navigator and attackcti Python library. The analyst queries STIX/TAXII data for group-technique associations, generates Navigator layer files for visualization, and compares defensive coverage against adversary profiles. Activates for requests involving APT TTP mapping, ATT&CK Navigator layers, threat actor profiling, or MITRE technique coverage analysis.

58

Quality

Does it follow best practices?

Impact

No eval scenarios have been run

SecuritybySnyk

Passed

No known issues

SKILL.md
Quality
Evals
Security

Quality

Content

35%

Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.

The body is a short, sectioned overview but is weak on actionability: the workflow steps are abstract with no executable code, and the bundled API reference and agent script are never linked. Conciseness, workflow clarity, and progressive disclosure are all mid-range due to redundant explanation, missing validation checkpoints, and un-signaled bundle files.

Suggestions

Replace the abstract Steps with executable code/commands (e.g., a concrete attackcti query snippet and layer-generation code), or link to scripts/agent.py with usage examples.

Add a validation/verification checkpoint (e.g., confirm the generated Navigator layer JSON parses and the technique IDs resolve) and a feedback loop for failures.

Reference the existing bundle files in the body — e.g., 'See [references/api-reference.md](references/api-reference.md) for attackcti method details' — so the API reference and agent script are surfaced for discovery.

DimensionReasoningScore

Conciseness

The Overview explains concepts Claude already knows ('The MITRE ATT&CK Navigator is a web application for annotating and visualizing ATT&CK matrices') and the 'When to Use' bullets are templated and somewhat circular ('When investigating security incidents that require analyzing threat actor ttps with mitre navigator'). It is mostly efficient but includes unnecessary explanation, so it is not the lean level-3 anchor.

2 / 3

Actionability

The five Steps are abstract descriptions ('Query ATT&CK STIX data for target threat group using attackcti') with no executable code or commands, and the bundled scripts/agent.py is never referenced; this matches the 'describes rather than instructs' anchor, not level 2 which requires at least some concrete or pseudocode guidance.

1 / 3

Workflow Clarity

Five steps are listed in a clear sequence but lack validation checkpoints or feedback loops for the generate-and-compare workflow, matching the 'sequence present but checkpoints missing' anchor; it is above level 1 because the ordering is explicit.

2 / 3

Progressive Disclosure

The body is organized into sections but the existing bundle files (references/api-reference.md and scripts/agent.py) are not referenced or signaled anywhere, so navigation to the detail materials is missing. It is not level 3 because the one-level-deep references are not clearly signaled, and not level 1 because the body itself is sectioned rather than a monolithic wall.

2 / 3

Total

7

/

12

Passed

Description

100%

Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.

The description is strong: it states concrete third-person actions, provides natural trigger terms, explicitly covers both what and when, and occupies a clear niche unlikely to conflict with other skills. All dimensions score at the top of the scale.

DimensionReasoningScore

Specificity

Lists multiple concrete actions in third person: 'queries STIX/TAXII data for group-technique associations, generates Navigator layer files for visualization, and compares defensive coverage against adversary profiles'. This matches the multiple-specific-actions anchor and is not the level below, which only names a domain and some actions.

3 / 3

Completeness

It explicitly answers both what ('Map...TTPs to the MITRE ATT&CK framework...queries...generates...compares') and when (the explicit 'Activates for requests involving...' trigger clause), satisfying the explicit-triggers anchor; not level 2 because the 'when' is explicit rather than implied.

3 / 3

Trigger Term Quality

The 'Activates for requests involving APT TTP mapping, ATT&CK Navigator layers, threat actor profiling, or MITRE technique coverage analysis' clause gives good coverage of natural terms an analyst would say, not just technical jargon; it is above level 2 (which lacks common variations).

3 / 3

Distinctiveness Conflict Risk

Tightly scoped to the MITRE ATT&CK / Navigator / attackcti niche with distinct triggers, making conflict with unrelated skills unlikely; it is clearly above the level-2 anchor where overlap with similar skills remains.

3 / 3

Total

12

/

12

Passed

Validation

93%

Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.

Validation15 / 16 Passed

Validation for skill structure

CriteriaDescriptionResult

frontmatter_unknown_keys

Unknown frontmatter key(s) found; consider removing or moving to metadata

Warning

Total

15

/

16

Passed

Repository
mukul975/Anthropic-Cybersecurity-Skills
Reviewed

Table of Contents

Is this your skill?

If you maintain this skill, you can claim it as your own. Once claimed, you can manage eval scenarios, bundle related skills, attach documentation or rules, and ensure cross-agent compatibility.