Map advanced persistent threat (APT) group tactics, techniques, and procedures (TTPs) to the MITRE ATT&CK framework using the ATT&CK Navigator and attackcti Python library. The analyst queries STIX/TAXII data for group-technique associations, generates Navigator layer files for visualization, and compares defensive coverage against adversary profiles. Activates for requests involving APT TTP mapping, ATT&CK Navigator layers, threat actor profiling, or MITRE technique coverage analysis.
Optimize this skill with Tessl: `npx tessl skill review --optimize ./skills/analyzing-threat-actor-ttps-with-mitre-navigator/SKILL.md`

Quality

Discovery: 100%

Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.
This is an excellent skill description that clearly defines specific capabilities (TTP mapping, STIX/TAXII querying, Navigator layer generation, defensive coverage comparison), includes rich domain-specific trigger terms that practitioners would naturally use, and explicitly states both what the skill does and when it should activate. The only minor note is the use of the third person 'The analyst', which is acceptable but slightly unusual compared to the more standard verb-first pattern.
| Dimension | Reasoning | Score |
|---|---|---|
| Specificity | Lists multiple specific concrete actions: mapping APT TTPs to MITRE ATT&CK, querying STIX/TAXII data for group-technique associations, generating Navigator layer files, and comparing defensive coverage against adversary profiles. | 3 / 3 |
| Completeness | Clearly answers both 'what' (map APT TTPs to MITRE ATT&CK, query STIX/TAXII data, generate Navigator layers, compare defensive coverage) and 'when' with explicit triggers ('Activates for requests involving APT TTP mapping, ATT&CK Navigator layers, threat actor profiling, or MITRE technique coverage analysis'). | 3 / 3 |
| Trigger Term Quality | Excellent coverage of natural terms a security analyst would use: 'APT', 'TTPs', 'MITRE ATT&CK', 'ATT&CK Navigator', 'threat actor profiling', 'STIX/TAXII', 'technique coverage analysis', 'Navigator layers'. These are the exact terms practitioners use. | 3 / 3 |
| Distinctiveness / Conflict Risk | Highly distinctive niche focused specifically on MITRE ATT&CK framework mapping with ATT&CK Navigator and the attackcti library. The combination of APT profiling, STIX/TAXII querying, and Navigator layer generation is very unlikely to conflict with other skills. | 3 / 3 |
| Total | | 12 / 12 Passed |
Implementation: 7%

Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.
This skill is essentially a high-level outline with no actionable content. It lacks any executable code (no attackcti API calls, no layer generation code, no STIX query examples), making it useless as a practical guide. The content is padded with generic descriptions and boilerplate sections while missing the concrete implementation details that would make it valuable.
Suggestions
Add complete, executable Python code showing how to use attackcti to query a threat group (e.g., `from attackcti import attack_client; lift = attack_client(); group = lift.get_groups_by_alias('APT29')`) and extract associated techniques.
Add a complete function that generates a valid ATT&CK Navigator layer JSON file from the queried techniques, including the full layer schema (version, description, filters, gradient, etc.).
Add a validation step after layer generation (e.g., checking required fields, verifying technique IDs exist in the ATT&CK matrix) and include error handling for failed STIX/TAXII queries.
Remove the generic 'When to Use' and 'Prerequisites' sections and replace with a concrete quick-start example that goes from query to exported .json layer file in a single code block.
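A concrete form of the layer generation, validation and coverage comparison these suggestions ask for, added here as an illustration (not code from the reviewed skill or from the attackcti project). The attackcti query itself needs network access, so a constructed technique list stands in for its output; the ATT&CK, Navigator and layer version numbers are assumptions to be matched to the Navigator instance in use.

```python
import json
import re

# Constructed sample input standing in for attackcti output: technique IDs
# attributed to a group (what you would pull out of the objects returned by
# lift.get_techniques_used_by_group(...)) and the IDs your detections cover.
GROUP_TECHNIQUES = ["T1566.001", "T1059.001", "T1078", "T1021.002", "T1071.001"]
DETECTED_TECHNIQUES = {"T1566.001", "T1059.001", "T1071.001"}

TECHNIQUE_ID = re.compile(r"^T\d{4}(\.\d{3})?$")
REQUIRED_FIELDS = ("name", "versions", "domain", "techniques")

def build_layer(name, group_techniques, detected, domain="enterprise-attack"):
    """Score each group technique 100 if a detection exists, 0 if it is a gap.
    The version numbers are assumptions; set them to match your Navigator."""
    techniques = []
    for tid in sorted(set(group_techniques)):
        covered = tid in detected
        techniques.append({"techniqueID": tid,
                           "score": 100 if covered else 0,
                           "comment": "detection present" if covered else "COVERAGE GAP",
                           "enabled": True})
    return {
        "name": name,
        "versions": {"attack": "14", "navigator": "4.9.1", "layer": "4.5"},
        "domain": domain,
        "description": f"{name}: red = no detection, green = detection present",
        "filters": {"platforms": ["Windows", "Linux", "macOS"]},
        "techniques": techniques,
        "gradient": {"colors": ["#ff6666ff", "#8ec843ff"], "minValue": 0, "maxValue": 100},
    }

def validate_layer(layer):
    """Return a list of problems; an empty list means the layer passes."""
    problems = [f"missing required field: {k}" for k in REQUIRED_FIELDS if k not in layer]
    for t in layer.get("techniques", []):
        tid = t.get("techniqueID", "")
        if not TECHNIQUE_ID.match(tid):
            problems.append(f"malformed technique ID: {tid!r}")
    return problems

def coverage_gaps(layer):
    # Technique IDs the adversary uses that no detection covers.
    return [t["techniqueID"] for t in layer["techniques"] if t["score"] == 0]

if __name__ == "__main__":
    layer = build_layer("APT profile vs detections", GROUP_TECHNIQUES, DETECTED_TECHNIQUES)
    assert not validate_layer(layer), validate_layer(layer)
    with open("coverage_layer.json", "w") as fh:  # import this file into Navigator
        json.dump(layer, fh, indent=2)
    print("gaps:", coverage_gaps(layer))
```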
| Dimension | Reasoning | Score |
|---|---|---|
| Conciseness | The 'When to Use' section is generic filler that adds no value. The 'Prerequisites' section explains things Claude already knows. The 'Overview' paragraph restates what ATT&CK Navigator and attackcti are, which is unnecessary context padding. | 1 / 3 |
| Actionability | There is no executable code anywhere in the skill. The steps are entirely abstract descriptions ('Query ATT&CK STIX data', 'Extract techniques') with no concrete commands, API calls, or Python code. The expected output is a partial JSON snippet not tied to any executable workflow. | 1 / 3 |
| Workflow Clarity | The five steps are vague descriptions without any concrete commands, validation checkpoints, or error handling. There is no feedback loop for verifying that the generated layer JSON is valid or that STIX queries returned the expected results. This is essentially a high-level outline, not a workflow. | 1 / 3 |
| Progressive Disclosure | The content is organized into clear sections (Overview, When to Use, Prerequisites, Steps, Expected Output), which provides some structure. However, there are no references to external files for advanced topics like coverage gap analysis or multi-group comparison, and the inline content is too shallow rather than too deep. | 2 / 3 |
| Total | | 5 / 12 Passed |
Validation: 90%

Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.

Validation: 10 / 11 Passed

Validation for skill structure
| Criteria | Description | Result |
|---|---|---|
| frontmatter_unknown_keys | Unknown frontmatter key(s) found; consider removing them or moving them to metadata | Warning |
| Total | | 10 / 11 Passed |