building-attack-pattern-library-from-cti-reports

Extract and catalog attack patterns from cyber threat intelligence reports into a structured STIX-based library mapped to MITRE ATT&CK for detection engineering and threat-informed defense.

66

Quality: 58% (Does it follow best practices?)

Impact: Pending (No eval scenarios have been run)

Security by Snyk: Advisory (Suggest reviewing before use)

Optimize this skill with Tessl

npx tessl skill review --optimize ./skills/building-attack-pattern-library-from-cti-reports/SKILL.md

Quality

Discovery

67%

Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.

The description is strong in specificity and distinctiveness, clearly carving out a niche in cyber threat intelligence with concrete actions and domain-specific terminology. However, it lacks an explicit 'Use when...' clause, which is critical for Claude to know when to select this skill, and could benefit from more natural trigger term variations that users might actually say.

Suggestions

Add an explicit 'Use when...' clause, e.g., 'Use when the user asks to analyze threat intelligence reports, extract TTPs, build attack pattern libraries, or map threats to MITRE ATT&CK.'

Include common user-facing trigger term variations such as 'CTI', 'TTPs', 'threat intel', 'threat reports', 'IOCs', and 'adversary techniques' to improve matching against natural user language.

Dimension, reasoning and score:

Specificity (3 / 3): Lists multiple specific concrete actions: 'Extract and catalog attack patterns', 'structured STIX-based library', 'mapped to MITRE ATT&CK', and specifies purposes 'detection engineering and threat-informed defense'.

Completeness (2 / 3): Clearly answers 'what does this do' (extract and catalog attack patterns into a STIX-based library mapped to MITRE ATT&CK), but lacks an explicit 'Use when...' clause or equivalent trigger guidance, which caps this at 2 per the rubric.

Trigger Term Quality (2 / 3): Includes domain-specific keywords like 'cyber threat intelligence', 'STIX', 'MITRE ATT&CK', 'attack patterns', 'detection engineering', but misses common user variations like 'CTI', 'TTPs', 'threat reports', 'IOCs', or 'threat intel'. The terms are somewhat jargon-heavy and may not match how all users naturally phrase requests.

Distinctiveness / Conflict Risk (3 / 3): Highly distinctive niche combining cyber threat intelligence, STIX formatting, MITRE ATT&CK mapping, and detection engineering. Very unlikely to conflict with other skills due to the specificity of the domain and tooling references.

Total: 10 / 12 (Passed)

Implementation

50%

Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.

The skill provides genuinely actionable, executable code for a complex CTI workflow, which is its primary strength. However, it is significantly over-verbose with unnecessary conceptual explanations (Key Concepts, When to Use) that Claude doesn't need, and it lacks integrated validation checkpoints between pipeline steps. The monolithic structure would benefit from splitting detailed code into referenced files while keeping the SKILL.md as a concise overview.

Suggestions

Remove the 'Key Concepts' and 'When to Use' sections entirely—Claude already understands STIX, ATT&CK, and detection engineering concepts, and the 'When to Use' bullets are generic boilerplate.

Add explicit validation checkpoints between steps, e.g., verify extracted behaviors are non-empty before mapping, validate STIX bundle with `bundle.serialize()` before export, and include error handling for failed ATT&CK lookups.

Move the full class implementations to a referenced file (e.g., `cti_parser.py`) and keep only a concise usage example in the SKILL.md showing the end-to-end pipeline in ~20 lines.

Remove the Prerequisites section's explanatory items ('Understanding of ATT&CK technique structure') which are not actionable prerequisites but assumed knowledge.
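As an added example (this is not the skill's own code, which the page does not reproduce), the pipeline sketched in the suggestions above with the three checkpoints the review asks for: refuse to proceed when extraction yields nothing, collect failed ATT&CK lookups instead of aborting, and validate the STIX bundle before export. It assumes a small local technique table (real ATT&CK IDs and names, deliberately incomplete) and a constructed sample report; json.dumps() on plain dicts stands in for stix2's bundle.serialize(), so it runs with the standard library only.

```python
"""Added example, not the skill's own code: a minimal CTI-report-to-STIX
pipeline with validation checkpoints. Standard library only; STIX 2.1 objects
are plain dicts and json.dumps() stands in for stix2's bundle.serialize()."""
import json
import re
import uuid
from datetime import datetime, timezone

# Local technique table (an assumption for this example): real ATT&CK IDs and
# names, but deliberately incomplete so the failed-lookup path is exercised.
ATTACK_TECHNIQUES = {"T1566.001": "Spearphishing Attachment", "T1059.001": "PowerShell",
                     "T1053.005": "Scheduled Task", "T1071.001": "Web Protocols"}
# Prose triggers the extractor recognises (also an assumption of this example).
PHRASE_TO_ID = {"spearphishing attachment": "T1566.001", "powershell": "T1059.001",
                "scheduled task": "T1053.005", "https beacon": "T1071.001"}
ATTACK_ID_RE = re.compile(r"\bT\d{4}(?:\.\d{3})?\b")
STIX_ID_RE = re.compile(r"^([a-z][a-z0-9-]*)--[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}$")
SDO_REQUIRED = ("type", "spec_version", "id", "created", "modified", "name")

# Constructed sample input, not a real CTI product. T1105 is a real technique
# that is absent from the local table above, so it must surface as unmapped.
SAMPLE_REPORT = (
    "The actor delivered a spearphishing attachment that launched PowerShell. "
    "Persistence was achieved with a scheduled task. "
    "The implant used an HTTPS beacon to its C2 and fetched tools (T1105)."
)

def extract_behaviors(report_text):
    """Checkpoint 1: (key, evidence sentence) pairs; key is a trigger phrase
    or an ATT&CK ID quoted in the report. An empty result means stop."""
    found = []
    for sentence in re.split(r"(?<=[.!?])\s+", report_text.strip()):
        lowered = sentence.lower()
        found += [(p, sentence) for p in PHRASE_TO_ID if p in lowered]
        found += [(t, sentence) for t in ATTACK_ID_RE.findall(sentence)]
    return found

def map_to_attack(behaviors):
    """Checkpoint 2: resolve behaviours to techniques; failed lookups are
    collected for analyst review instead of aborting the run."""
    mapped, unmapped = [], []
    for key, evidence in behaviors:
        tid = key if ATTACK_ID_RE.fullmatch(key) else PHRASE_TO_ID.get(key)
        name = ATTACK_TECHNIQUES.get(tid)
        if name is None:
            unmapped.append(key)
        else:
            mapped.append({"technique_id": tid, "name": name, "evidence": evidence})
    return mapped, unmapped

def build_bundle(mapped, report_name):
    """STIX 2.1 attack-pattern SDOs, each carrying the mitre-attack external
    reference that ties it back to ATT&CK, wrapped in a bundle."""
    ts = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.000Z")
    objects = [{
        "type": "attack-pattern", "spec_version": "2.1",
        "id": f"attack-pattern--{uuid.uuid4()}", "created": ts, "modified": ts,
        "name": m["name"],
        "description": f"Observed in {report_name}: {m['evidence']}",
        "external_references": [{"source_name": "mitre-attack",
                                 "external_id": m["technique_id"]}],
    } for m in mapped]
    return {"type": "bundle", "id": f"bundle--{uuid.uuid4()}", "objects": objects}

def validate_bundle(bundle):
    """Checkpoint 3: serialise, then check STIX IDs and required SDO fields.
    Returns a list of problems; empty means the bundle is exportable."""
    try:
        json.dumps(bundle)
    except (TypeError, ValueError) as exc:
        return [f"bundle is not JSON-serialisable: {exc}"]
    problems = []
    m = STIX_ID_RE.match(bundle.get("id", ""))
    if bundle.get("type") != "bundle" or not m or m.group(1) != "bundle":
        problems.append("bundle: malformed type or id")
    for i, obj in enumerate(bundle.get("objects", [])):
        missing = [f for f in SDO_REQUIRED if f not in obj]
        if missing:
            problems.append(f"object {i}: missing {missing}")
        m = STIX_ID_RE.match(obj.get("id", ""))
        if not m or m.group(1) != obj.get("type"):
            problems.append(f"object {i}: id prefix does not match type")
        refs = obj.get("external_references", [])
        if obj.get("type") == "attack-pattern" and not any(
                r.get("source_name") == "mitre-attack" and "external_id" in r for r in refs):
            problems.append(f"object {i}: no mitre-attack external reference")
    return problems

def build_library(report_name, report_text):
    """End-to-end pipeline; never hands back a partial or unvalidated bundle."""
    behaviors = extract_behaviors(report_text)
    mapped, unmapped = map_to_attack(behaviors)
    result = {"ok": False, "bundle": None, "unmapped": sorted(set(unmapped)),
              "techniques": sorted({m["technique_id"] for m in mapped})}
    if not behaviors:
        return dict(result, errors=["no behaviours extracted"])
    if not mapped:
        return dict(result, errors=["no behaviour mapped to ATT&CK"])
    bundle = build_bundle(mapped, report_name)
    problems = validate_bundle(bundle)
    if problems:
        return dict(result, errors=problems)
    return dict(result, ok=True, errors=[], bundle=bundle)
```

Running build_library("sample-report", SAMPLE_REPORT) maps four techniques, reports T1105 as unmapped for an analyst to resolve, and returns a bundle that passes validate_bundle; the same function refuses a report that yields no behaviours rather than emitting an empty bundle. Swapping the dict literals for stix2.AttackPattern and stix2.Bundle and replacing json.dumps with bundle.serialize() keeps the checkpoints unchanged.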

Dimension, reasoning and score:

Conciseness (1 / 3): The skill is extremely verbose at ~250+ lines. It explains concepts Claude already knows (what STIX is, what CTI reports are, what detection engineering involves), includes lengthy 'Key Concepts' sections that are purely definitional, and the 'When to Use' section is generic boilerplate. The code examples, while useful, include excessive comments and print statements that pad the content.

Actionability (3 / 3): The skill provides fully executable Python code across three well-defined steps: parsing CTI reports, mapping to ATT&CK, and creating STIX objects. Code is copy-paste ready with concrete classes, methods, and a sample report demonstrating the full pipeline including detection template generation.

Workflow Clarity (2 / 3): The three steps are clearly sequenced and logically ordered, but there are no explicit validation checkpoints between steps. The 'Validation Criteria' section is a post-hoc checklist rather than integrated feedback loops. There's no error handling guidance—e.g., what to do when technique mapping fails or when STIX objects fail validation.

Progressive Disclosure (2 / 3): The content is largely monolithic—all code and explanations are inline in a single file with no references to supplementary files for advanced topics like NLP-based extraction, custom technique taxonomies, or detailed Sigma rule generation. The References section links to external resources but doesn't organize content into discoverable layers.

Total: 8 / 12 (Passed)

Validation

90%

Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.

Validation: 10 / 11 Passed

Validation for skill structure

Criteria, description and result:

frontmatter_unknown_keys (Warning): Unknown frontmatter key(s) found; consider removing or moving to metadata.

Total: 10 / 11 Passed

Repository: mukul975/Anthropic-Cybersecurity-Skills (Reviewed)
