Extract and catalog attack patterns from cyber threat intelligence reports into a structured STIX-based library mapped to MITRE ATT&CK for detection engineering and threat-informed defense.
55
62%
Does it follow best practices?
Impact: —
No eval scenarios have been run
Advisory: suggest reviewing before use
Optimize this skill with Tessl: `npx tessl skill review --optimize ./skills/building-attack-pattern-library-from-cti-reports/SKILL.md`

Quality
Discovery
82%
Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.
This is a strong, domain-specific description with excellent specificity and trigger term coverage for cybersecurity professionals. Its main weakness is the absence of an explicit 'Use when...' clause, which would help Claude know exactly when to select this skill over others. The description is concise, uses third person voice correctly, and carves out a clear niche.
Suggestions
Add an explicit 'Use when...' clause, e.g., 'Use when the user asks about extracting TTPs from threat reports, building attack pattern libraries, mapping threats to MITRE ATT&CK, or creating STIX objects from CTI data.'
| Dimension | Reasoning | Score |
|---|---|---|
| Specificity | Lists multiple specific concrete actions: 'Extract and catalog attack patterns', 'structured STIX-based library', 'mapped to MITRE ATT&CK', and specifies purposes 'detection engineering and threat-informed defense'. | 3 / 3 |
| Completeness | Clearly answers 'what does this do' (extract and catalog attack patterns into STIX library mapped to ATT&CK), but lacks an explicit 'Use when...' clause specifying when Claude should select this skill. The 'when' is only implied by the domain context. | 2 / 3 |
| Trigger Term Quality | Includes strong natural keywords a cybersecurity professional would use: 'attack patterns', 'cyber threat intelligence', 'STIX', 'MITRE ATT&CK', 'detection engineering', 'threat-informed defense'. These are terms users in this domain would naturally mention. | 3 / 3 |
| Distinctiveness / Conflict Risk | Highly distinctive with a very specific niche combining CTI reports, STIX formatting, MITRE ATT&CK mapping, and detection engineering. Unlikely to conflict with other skills due to the specialized domain terminology. | 3 / 3 |
| Total | | 11 / 12 Passed |
Implementation
42%
Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.
The skill provides genuinely useful, executable code for a complex CTI workflow, which is its primary strength. However, it is excessively verbose with unnecessary conceptual explanations (Key Concepts, When to Use), large inline data structures that could be externalized, and lacks integrated validation checkpoints between workflow steps. The monolithic structure makes it token-inefficient for context window usage.
Suggestions
Remove the 'Key Concepts' and 'When to Use' sections entirely—Claude already understands STIX, ATT&CK, and CTI concepts, and the 'When to Use' is generic boilerplate.
Extract the large dictionaries (TECHNIQUE_KEYWORDS, TOOL_PATTERNS, BEHAVIOR_INDICATORS) into a separate reference file and reference it from SKILL.md to reduce inline bulk.
Add explicit validation checkpoints between steps: validate STIX bundle with `bundle.serialize()`, verify ATT&CK technique IDs exist, and add error handling for failed mappings.
Split detection template generation into a separate referenced file since it's a distinct concern from the core attack pattern library building.
| Dimension | Reasoning | Score |
|---|---|---|
| Conciseness | Significant verbosity throughout. The 'Key Concepts' section explains what STIX Attack Patterns are, what CTI reports contain, and what detection engineering involves—all concepts Claude already knows. The 'When to Use' section is generic boilerplate. The BEHAVIOR_INDICATORS, TOOL_PATTERNS, and TECHNIQUE_KEYWORDS dictionaries are extensive inline data that bloat the skill. The 'Overview' paragraph restates the description. | 1 / 3 |
| Actionability | The skill provides fully executable Python code across three well-defined steps: parsing CTI reports, mapping to ATT&CK, and building a STIX library. Code is copy-paste ready with concrete classes, methods, and a sample report demonstrating end-to-end usage. Detection template generation is also included with concrete output format. | 3 / 3 |
| Workflow Clarity | The three steps are clearly sequenced and logically ordered, but validation is only listed as a checklist of criteria at the end rather than integrated into the workflow. There are no explicit validation checkpoints between steps (e.g., verifying STIX bundle validity, checking ATT&CK mapping accuracy, or handling cases where no techniques match). No error recovery or feedback loops are present. | 2 / 3 |
| Progressive Disclosure | The skill is a monolithic wall of content with ~300 lines of inline code and explanatory text. There are no bundle files, yet the content would clearly benefit from splitting—the large keyword dictionaries, tool patterns, and detection template logic could be in separate reference files. The References section links externally but there's no internal content organization beyond flat sections. | 1 / 3 |
| Total | | 7 / 12 Passed |
Validation
90%
Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.
Validation — 10 / 11 Passed
Validation for skill structure
| Criteria | Description | Result |
|---|---|---|
| frontmatter_unknown_keys | Unknown frontmatter key(s) found; consider removing or moving to metadata | Warning |
| Total | | 10 / 11 Passed |
9a588e6