Extract and catalog attack patterns from cyber threat intelligence reports into a structured STIX-based library mapped to MITRE ATT&CK for detection engineering and threat-informed defense.
Quality

Discovery
82%. Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.
This is a strong, domain-specific description with excellent specificity and trigger term coverage for cybersecurity practitioners. Its main weakness is the absence of an explicit 'Use when...' clause, which would help Claude know precisely when to select this skill. Adding trigger guidance would elevate this from good to excellent.
Suggestions
- Add an explicit 'Use when...' clause, e.g., 'Use when the user asks to parse threat intelligence reports, extract TTPs, build attack pattern libraries, or map threats to MITRE ATT&CK.'
- Consider adding common file/format variations users might mention, such as 'CTI reports', 'TTPs', 'threat reports', 'IOCs', or 'STIX bundles'.
| Dimension | Reasoning | Score |
|---|---|---|
| Specificity | Lists multiple specific concrete actions: 'extract and catalog attack patterns', 'structured STIX-based library', 'mapped to MITRE ATT&CK', and specifies purposes 'detection engineering and threat-informed defense'. | 3 / 3 |
| Completeness | Clearly answers 'what does this do' (extract and catalog attack patterns into a STIX-based library mapped to ATT&CK), but lacks an explicit 'Use when...' clause or equivalent trigger guidance, which caps this at 2 per the rubric. | 2 / 3 |
| Trigger Term Quality | Includes strong natural keywords a user in this domain would use: 'attack patterns', 'cyber threat intelligence', 'STIX', 'MITRE ATT&CK', 'detection engineering', 'threat-informed defense'. These are terms practitioners naturally use. | 3 / 3 |
| Distinctiveness / Conflict Risk | Highly distinctive niche combining CTI reports, STIX formatting, MITRE ATT&CK mapping, and detection engineering. Very unlikely to conflict with other skills due to the specific domain and technical scope. | 3 / 3 |
| Total | | 11 / 12 Passed |
Implementation
42%. Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.
The skill provides genuinely actionable, executable Python code for a complex CTI workflow, which is its primary strength. However, it is excessively verbose—explaining concepts Claude already knows, including generic 'When to Use' boilerplate, and inlining large data structures that should be in separate files. The workflow lacks integrated validation checkpoints and error recovery loops, and the monolithic structure misses opportunities for progressive disclosure.
Suggestions
- Remove the 'Key Concepts' and 'When to Use' sections entirely—Claude already understands STIX, ATT&CK, and CTI report structures. This would save ~30 lines of unnecessary context.
- Extract the TECHNIQUE_KEYWORDS dictionary, TOOL_PATTERNS, and BEHAVIOR_INDICATORS into a separate reference file (e.g., PATTERNS_REFERENCE.md) and reference it from the main skill.
- Add explicit validation checkpoints within the workflow steps—e.g., validate the STIX bundle with `bundle.serialize()` before writing to disk, check for unmapped behaviors and log them, and verify the output file is valid JSON after export.
- Integrate error handling and feedback loops: what to do when a behavior doesn't map to any technique, when the ATT&CK data fails to load, or when STIX object creation fails.
| Dimension | Reasoning | Score |
|---|---|---|
| Conciseness | Significant verbosity throughout: the 'Key Concepts' section explains what STIX Attack Patterns are, what CTI reports contain, and what detection engineering involves—all concepts Claude already knows. The 'When to Use' section is generic boilerplate. The BEHAVIOR_INDICATORS, TOOL_PATTERNS, and TECHNIQUE_KEYWORDS dictionaries are extensive inline data that bloat the skill without proportional value. The overview paragraph restates the description. | 1 / 3 |
| Actionability | The skill provides fully executable Python code across three well-defined steps: parsing CTI reports, mapping to ATT&CK, and building a STIX library with export and detection template generation. Code is copy-paste ready with concrete classes, methods, and a sample report demonstrating usage. | 3 / 3 |
| Workflow Clarity | The three steps are clearly sequenced and logically ordered. However, validation is only listed as a checklist at the end ('Validation Criteria') rather than being integrated as explicit checkpoints within the workflow. There are no feedback loops for error recovery—e.g., no validation that STIX objects are well-formed before export, no handling of unmapped behaviors, and no verification step after the bundle is written. | 2 / 3 |
| Progressive Disclosure | The skill is a monolithic wall of text with ~250+ lines of inline code and explanatory sections. Content like the keyword-to-technique mapping dictionaries, tool pattern lists, and the full detection template generator could be split into separate reference files. There are no references to supporting bundle files, and the References section at the end is just external links rather than structured navigation to companion materials. | 1 / 3 |
| Total | | 7 / 12 Passed |
Validation
90%. Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.
Validation — 10 / 11 Passed
Validation for skill structure
| Criteria | Description | Result |
|---|---|---|
| frontmatter_unknown_keys | Unknown frontmatter key(s) found; consider removing or moving to metadata | Warning |
| Total | | 10 / 11 Passed |