CtrlK
BlogDocsLog inGet started
Tessl Logo

building-attack-pattern-library-from-cti-reports

Extract and catalog attack patterns from cyber threat intelligence reports into a structured STIX-based library mapped to MITRE ATT&CK for detection engineering and threat-informed defense.

57

Quality

Does it follow best practices?

Impact

No eval scenarios have been run

SecuritybySnyk

Passed

No known issues

SKILL.md
Quality
Evals
Security

Quality

Content

65%

Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.

The body delivers executable, well-sequenced code but is padded with conceptual explanation Claude already knows, lacks inline validation feedback loops for the batch operation, and fails to link the bundled reference and script files.

Suggestions

Trim the "Key Concepts" explanations of STIX/ATT&CK basics and the generic "When to Use" boilerplate; assume Claude's competence and keep only what is non-obvious.

Add an inline validation checkpoint in the workflow (e.g. after mapping, verify each behavior resolved to a known technique and re-extract unmatched sentences before building the STIX bundle) to form a validate→fix→retry loop.

Link the existing bundle files from the body — reference references/api-reference.md for the technique/IOC regex tables and scripts/agent.py for the runnable pipeline — instead of leaving them orphaned.

DimensionReasoningScore

Conciseness

Mostly efficient with sequenced code, but the "Key Concepts" section restates STIX/ATT&CK fundamentals Claude already knows (e.g. "STIX defines Attack Pattern as a Structured Domain Object") and the boilerplate "When to Use" bullets ("When deploying or configuring building attack pattern library from cti reports capabilities") add little; could be tightened.

2 / 3

Actionability

Provides fully executable Python using real libraries (stix2, attackcti) with a runnable sample report threaded through all three steps and copy-paste-ready class implementations.

3 / 3

Workflow Clarity

Steps are clearly sequenced (Step 1–3) with a terminal Validation Criteria checklist, but for a batch library-building operation there is no inline validate→fix→retry feedback loop; checkpoints are implicit rather than embedded, capping this at 2 per the batch-operation guideline.

2 / 3

Progressive Disclosure

The body has clear internal sections but does not reference the existing bundle files — references/api-reference.md and scripts/agent.py are orphaned (the References section lists only external URLs), and large code blocks are inline rather than split out.

2 / 3

Total

9

/

12

Passed

Description

67%

Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.

The description is specific and distinctive, naming concrete actions in a clear niche, but it lacks an explicit "Use when..." trigger clause and several natural keyword variations users would say.

Suggestions

Add an explicit "Use when..." clause naming concrete trigger situations, e.g. 'Use when processing cyber threat intelligence (CTI) reports, mapping adversary behavior to MITRE ATT&CK, or building a STIX attack-pattern library for detection engineering.'

Include natural keyword variations users would actually say, such as 'CTI', 'threat intel', 'Sigma rules', 'YARA', and 'threat actor', to improve trigger-term coverage.

DimensionReasoningScore

Specificity

Lists multiple concrete actions — "Extract and catalog attack patterns", "structured STIX-based library", "mapped to MITRE ATT&CK", "detection engineering and threat-informed defense" — matching the multi-action anchor; written in third person.

3 / 3

Completeness

Clearly answers what the skill does but provides no "Use when..." clause or equivalent explicit trigger guidance; per the judging guidelines, a missing explicit trigger caps completeness at 2.

2 / 3

Trigger Term Quality

Contains relevant domain terms ("cyber threat intelligence reports", "MITRE ATT&CK", "STIX", "detection engineering") but omits common natural variations a user would say, such as "CTI", "threat intel", "Sigma", "YARA", or "threat actor".

2 / 3

Distinctiveness Conflict Risk

The niche is highly specific — building a STIX attack-pattern library from CTI reports mapped to MITRE ATT&CK for detection engineering — making it unlikely to trigger for unrelated skills.

3 / 3

Total

10

/

12

Passed

Validation

93%

Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.

Validation15 / 16 Passed

Validation for skill structure

CriteriaDescriptionResult

frontmatter_unknown_keys

Unknown frontmatter key(s) found; consider removing or moving to metadata

Warning

Total

15

/

16

Passed

Repository
mukul975/Anthropic-Cybersecurity-Skills
Reviewed

Table of Contents

Is this your skill?

If you maintain this skill, you can claim it as your own. Once claimed, you can manage eval scenarios, bundle related skills, attach documentation or rules, and ensure cross-agent compatibility.