
Community Cybersecurity Agent Skills

Independent community library of 754 cybersecurity Agent Skills mapped to MITRE ATT&CK, NIST CSF 2.0, MITRE ATLAS, D3FEND, and NIST AI RMF for defensive security analysis, incident response, forensics, cloud security, SOC operations, and governed red-team workflows.

Harness: Claude Code, Codex, Windsurf, Gemini, Cursor, CLI
Level: expert | Type: capability-pack | Verified: validated
Review first: review before installing

Open the source and read safety notes before installing.

Safety notes

  • This is an independent community project, not an official Anthropic project, even though the upstream repository name contains `Anthropic`.
  • Cybersecurity skills can include dual-use topics such as penetration testing, red teaming, malware analysis, identity-abuse investigation, cloud breach investigation, and vulnerability management.
  • Use these skills only for authorized defensive work, sanctioned assessments, training labs, or internal security operations.
  • Do not use the skills to attack third-party systems, evade detection, misuse secrets, deploy malware, persist in environments, or bypass access controls.
  • Keep potentially destructive actions, exploit validation, live cloud changes, quarantine operations, and report publication behind human review.

Privacy notes

  • Security workflows can expose memory dumps, disk images, network captures, logs, SIEM queries, secrets embedded in evidence, malware samples, customer records, internal hostnames, IP addresses, cloud subscription IDs, and incident timelines.
  • Agent prompts and tool calls may reveal sensitive indicators, detections, internal controls, incident scope, and defensive gaps to the model provider or connected tooling.
  • Redact secrets, customer data, private infrastructure details, and regulated evidence before sharing prompts, examples, issues, PRs, screenshots, or generated reports.
  • Follow evidence handling, chain-of-custody, malware containment, legal, and disclosure requirements for the environment being investigated.

Prerequisites

  • An Agent Skills compatible host or local skill installer.
  • Explicit authorization for the systems, logs, samples, accounts, networks, cloud resources, or artifacts being analyzed.
  • A defined defensive, incident-response, forensics, audit, training, or approved red-team objective before loading sensitive skills.
  • Relevant security tools installed only when a specific skill requires them, such as Volatility 3, SIEM access, cloud CLIs, malware-analysis sandboxes, or forensic utilities.
  • Data-handling rules for evidence, customer data, malware samples, credentials, logs, and generated reports.

Schema details

Install type: package
Reading time: 8 min
Difficulty score: 88
Troubleshooting: Yes
Breaking changes: No

Skill and platform metadata

Skill type: capability-pack
Skill level: expert
Verification: validated
Verified at: 2026-06-18

Retrieval sources

  • https://github.com/mukul975/Anthropic-Cybersecurity-Skills
  • https://raw.githubusercontent.com/mukul975/Anthropic-Cybersecurity-Skills/main/README.md
  • https://raw.githubusercontent.com/mukul975/Anthropic-Cybersecurity-Skills/main/skills/performing-memory-forensics-with-volatility3/SKILL.md
  • https://raw.githubusercontent.com/mukul975/Anthropic-Cybersecurity-Skills/main/skills/analyzing-azure-activity-logs-for-threats/SKILL.md
  • https://raw.githubusercontent.com/mukul975/Anthropic-Cybersecurity-Skills/main/skills/analyzing-email-headers-for-phishing-investigation/SKILL.md
  • https://raw.githubusercontent.com/mukul975/Anthropic-Cybersecurity-Skills/main/LICENSE
  • https://www.mahipal.engineer/Anthropic-Cybersecurity-Skills/

Tested platforms

  • Claude Code
  • Codex
  • GitHub Copilot
  • Cursor
  • Gemini CLI
  • Agent Skills compatible hosts

Platform | Support | Install path
claude-code | Native | .claude/skills/<skill-name>/SKILL.md
codex | Native | .agents/skills/<skill-name>/SKILL.md
windsurf | Native | .windsurf/skills/<skill-name>/SKILL.md
gemini | Native | .gemini/skills/<skill-name>/SKILL.md or .agents/skills/<skill-name>/SKILL.md
cursor | Adapter | .cursor/rules/<skill-name>.mdc
cli | Manual | AGENTS.md or tool-specific context file

Full copyable content
npx skills add mukul975/Anthropic-Cybersecurity-Skills

# Update installed skills
npx skills update

About this resource

Community Cybersecurity Agent Skills

mukul975/Anthropic-Cybersecurity-Skills is an independent community library of cybersecurity Agent Skills. The README states that it contains 754 structured skills across 26 security domains, mapped to MITRE ATT&CK, NIST CSF 2.0, MITRE ATLAS, MITRE D3FEND, and NIST AI RMF.

Use this listing for the community skills library itself. It is not affiliated with Anthropic PBC; the upstream README explicitly labels it as an independent community project.

Knowledge Freshness

Security frameworks, tools, cloud audit APIs, detection logic, malware-analysis methods, and attack techniques change frequently. The README references current framework coverage, but users should verify framework versions, tool commands, cloud APIs, detections, and legal constraints before applying a workflow to real evidence or live systems.

Use these skills as structured workflow guidance for authorized security work, then check current vendor docs, security-tool manuals, organizational policy, and local evidence-handling requirements.

Retrieval Sources

This listing is grounded in:

  • The upstream repository README.
  • The upstream license file.
  • Representative skill files for memory forensics, Azure activity-log analysis, and phishing email-header investigation.
  • The public project website.
  • Current GitHub repository metadata.

Core Workflow

Install the skills library:

npx skills add mukul975/Anthropic-Cybersecurity-Skills

Update installed skills:

npx skills update

Then invoke it with an authorized, scoped security task:

Use the community cybersecurity Agent Skills for this authorized incident-response investigation.

Before executing any workflow, confirm the target scope, authorization, allowed tools, evidence-handling rules, and whether the work is defensive analysis, training, audit, or a sanctioned assessment.

Capability Scope

The README describes 26 security domains:

Domain | Example scope
Digital forensics | Memory, disk, browser, timeline, and artifact analysis
Incident response | Containment, ransomware response, breach analysis, and recovery
Threat hunting | Hypothesis-driven hunts, log analysis, and behavioral analytics
SOC operations | Alert triage, SIEM correlation, escalation, and metrics
Malware analysis | Static and dynamic analysis, sandboxing, and reverse engineering
Cloud security | AWS, Azure, GCP hardening, CSPM, and cloud forensics
Container security | Kubernetes, image scanning, runtime detection, and container forensics
API and web security | OWASP API and web application security workflows
Identity and access | IAM, PAM, zero trust, Okta, and SailPoint workflows
DevSecOps | CI/CD security, Terraform auditing, and code-signing checks
Compliance | CIS, SOC 2, regulatory, and governance workflows

The repository structure described by the README uses per-skill folders with SKILL.md, optional references/, optional scripts/, and optional assets/ for report templates or checklists.

Production Rules

Use these skills with security-operations discipline:

  • Confirm authorization before loading or executing a skill against any system, sample, account, network, log source, cloud resource, or customer artifact.
  • Prefer defensive and investigative workflows over exploit execution.
  • Keep malware samples, memory dumps, disk images, pcap files, and secrets embedded in evidence in controlled environments.
  • Treat scripts and commands from community skills as untrusted until reviewed.
  • Record evidence provenance and preserve chain-of-custody where required.
  • Redact sensitive data before sharing summaries or generated reports.
  • Separate training-lab use from production incident response.
  • Do not publish exploit instructions, live secrets, customer indicators, or internal defensive gaps in public artifacts.

Use Cases

  • Use a DFIR skill to guide memory forensics with Volatility 3 in an authorized incident investigation.
  • Ask an agent to map a finding to MITRE ATT&CK, NIST CSF, ATLAS, D3FEND, or AI RMF categories for reporting.
  • Guide SOC triage workflows for phishing, suspicious authentication, cloud log analysis, or endpoint alerts.
  • Use cloud security skills to inspect Azure, AWS, or GCP evidence inside an approved tenant or lab.
  • Use training-lab scenarios to teach analysts how to structure investigation steps without exposing production data.

Source Review

  • The README states the project is an independent community project and not affiliated with Anthropic PBC.
  • The README describes 754 structured cybersecurity skills across 26 domains.
  • The README says skills follow the agentskills.io open standard and map to MITRE ATT&CK, NIST CSF 2.0, MITRE ATLAS, MITRE D3FEND, and NIST AI RMF.
  • Representative SKILL.md files include YAML frontmatter with domain, subdomain, tags, version, author, license, and framework mappings.
  • The memory-forensics skill includes prerequisites and a stepwise workflow around Volatility 3.
  • The repository reports Apache-2.0 license terms.

Duplicate Review

Checked current content/skills/, content/mcp/, content/agents/, content/tools/, open pull requests, and repository-wide content for mukul975/Anthropic-Cybersecurity-Skills, Community Cybersecurity Agent Skills, Anthropic Cybersecurity Skills, cybersecurity Agent Skills, MITRE ATT&CK skills, DFIR AI skills, SOC agent skills, and agentskills cybersecurity. Existing security content covers narrower MCP servers, scanners, and review agents, but no dedicated community cybersecurity Agent Skills library entry, exact source URL duplicate, target file, or open duplicate PR was found.

Disclosure

Editorial listing. No paid placement or affiliate link is used. This is an independent community project by Mahipal Nehra and is not affiliated with Anthropic PBC.


How it compares

Community Cybersecurity Agent Skills side by side with 3 alternatives on trust, install, platform support, and disclosed safety notes — all from reviewed registry metadata.

Community Cybersecurity Agent Skills

Independent community library of 754 cybersecurity Agent Skills mapped to MITRE ATT&CK, NIST CSF 2.0, MITRE ATLAS, D3FEND, and NIST AI RMF for defensive security analysis, incident response, forensics, cloud security, SOC operations, and governed red-team workflows.

.NET Agent Skills

Microsoft .NET team skill marketplace for AI coding agents working on .NET, C#, ASP.NET Core, Blazor, MAUI, diagnostics, MSBuild, NuGet, upgrades, tests, AI workflows, RAG pipelines, and C# MCP servers.

Anthropic Agent Skills

Anthropic's public Agent Skills repository for Claude, with example skills, document skills, the Agent Skills specification pointer, a template skill, Claude Code plugin installation, Claude.ai usage guidance, and Claude API skill creation references.

Azure Skills Plugin

Official Microsoft Azure Skills Plugin for coding agents, combining Azure Agent Skills, Azure MCP Server configuration, and Foundry MCP workflows for build, deploy, diagnostics, cost, compliance, AI, Kubernetes, storage, RBAC, and migration scenarios.

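Trust

Field | Community Cybersecurity Agent Skills | .NET Agent Skills | Anthropic Agent Skills | Azure Skills Plugin
Install risk | Review first | Review first | Review first | Review first
Notes | Safety, Privacy | Safety, Privacy | Safety, Privacy | Safety, Privacy
Category | skills | skills | skills | skills
Source | source-backed | source-backed | source-backed | source-backed
Author | Mahipal Nehra | .NET Team at Microsoft | Anthropic | Microsoft
Added | 2026-06-18 | 2026-06-18 | 2026-06-18 | 2026-06-18

Platforms

  • Community Cybersecurity Agent Skills: Claude Code, Codex, Windsurf, Gemini, Cursor, CLI
  • .NET Agent Skills: Claude Code, Codex, Windsurf, Gemini, Cursor, CLI, VS Code
  • Anthropic Agent Skills: Claude Code, Codex, Windsurf, Gemini, Cursor, CLI
  • Azure Skills Plugin: Claude Code, Codex, Windsurf, Gemini, Cursor, CLI
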
Safety notes

Community Cybersecurity Agent Skills: This is an independent community project, not an official Anthropic project, even though the upstream repository name contains `Anthropic`. Cybersecurity skills can include dual-use topics such as penetration testing, red teaming, malware analysis, identity-abuse investigation, cloud breach investigation, and vulnerability management. Use these skills only for authorized defensive work, sanctioned assessments, training labs, or internal security operations. Do not use the skills to attack third-party systems, evade detection, misuse secrets, deploy malware, persist in environments, or bypass access controls. Keep potentially destructive actions, exploit validation, live cloud changes, quarantine operations, and report publication behind human review.

.NET Agent Skills: .NET build, test, upgrade, package, template, publish, and migration tasks can modify project files, lock files, generated code, packages, app settings, and deployment artifacts. Diagnostics skills may suggest collecting traces, dumps, counters, crash data, MSBuild binlogs, or performance profiles; collect those artifacts only with explicit approval and storage controls. MCP server skills can expose local code, files, APIs, credentials, or production services as callable tools; review tool descriptions, parameter validation, authorization, and transport choice before connecting clients. NuGet and publish workflows can push packages or artifacts to public or private feeds; verify package IDs, versions, API keys, feed targets, and release policy before publishing. Upgrade and modernization guidance should be verified against each application's framework support window, deployment target, package compatibility, and rollback plan.

Anthropic Agent Skills: The repository is explicitly presented as demonstration and educational material; behavior available in Claude products can differ from repository examples. Document skills can read, transform, and create files such as PDFs, Word documents, PowerPoint decks, and spreadsheets, so review generated artifacts before sharing or publishing them. The MCP builder skill guides agents through creating MCP servers and evaluations; generated servers still need security review, least-privilege tool design, authentication review, and transport testing. The skill creator workflow can generate instructions, scripts, references, and assets; review all generated resources before installing them into an agent host.

Azure Skills Plugin: Azure Skills can guide agents through live cloud actions including infrastructure generation, validation, deployment, diagnostics, cost analysis, RBAC, Kubernetes, storage, AI services, and migration work. The included MCP configuration starts the Azure MCP server, which can expose structured tools across Azure services when the local account is authenticated. Deployment skills require plan and validation phases before live deployment. Do not skip `azure-prepare` or `azure-validate` steps when the upstream skill requires them. Live Azure changes can create cost, modify production resources, change access control, deploy workloads, query logs, or expose service data. Keep human review around write operations. For sovereign clouds, configure the Azure MCP server cloud argument explicitly instead of assuming Azure Public Cloud.

Privacy notes

Community Cybersecurity Agent Skills: Security workflows can expose memory dumps, disk images, network captures, logs, SIEM queries, secrets embedded in evidence, malware samples, customer records, internal hostnames, IP addresses, cloud subscription IDs, and incident timelines. Agent prompts and tool calls may reveal sensitive indicators, detections, internal controls, incident scope, and defensive gaps to the model provider or connected tooling. Redact secrets, customer data, private infrastructure details, and regulated evidence before sharing prompts, examples, issues, PRs, screenshots, or generated reports. Follow evidence handling, chain-of-custody, malware containment, legal, and disclosure requirements for the environment being investigated.

.NET Agent Skills: .NET repositories may contain connection strings, appsettings secrets, user secrets, certificates, environment variables, telemetry keys, logs, traces, dumps, package credentials, and production data. MSBuild binlogs, crash dumps, profiler output, and test artifacts can contain source paths, dependency graphs, request data, exception payloads, configuration values, and environment details. MCP servers created with these skills may forward prompts and tool inputs to local processes, HTTP services, databases, cloud APIs, or third-party model providers depending on the implementation. Keep private NuGet credentials, signing keys, deployment secrets, customer data, dumps, and proprietary source out of public prompts, issues, pull requests, and shared artifacts.

Anthropic Agent Skills: Skill usage can expose documents, spreadsheets, slide decks, prompts, company workflows, brand guidelines, MCP designs, API details, and generated artifacts to Claude or the configured model/runtime. Do not upload or commit customer documents, regulated data, private brand assets, secrets, credentials, or unreleased business plans unless the environment and account policy allow that data. When creating custom skills, check bundled scripts, references, and assets for private data before sharing a repository, plugin, or ZIP archive.

Azure Skills Plugin: Azure work can expose subscription IDs, tenant IDs, resource group names, resource inventories, cost data, log queries, Application Insights telemetry, storage paths, RBAC assignments, model deployment names, and cloud architecture details. Authenticated MCP tools can read or operate on live Azure and Foundry resources according to the local account's permissions. Keep Azure credentials, service principals, connection strings, keys, SAS tokens, deployment outputs, logs with customer data, and private topology details out of prompts, commits, issue comments, screenshots, and shared reports. Review Microsoft, MCP host, model provider, and organization retention policies before routing production telemetry, cost data, or customer-sensitive resource context through an agent.

Prerequisites

Community Cybersecurity Agent Skills:
  • An Agent Skills compatible host or local skill installer.
  • Explicit authorization for the systems, logs, samples, accounts, networks, cloud resources, or artifacts being analyzed.
  • A defined defensive, incident-response, forensics, audit, training, or approved red-team objective before loading sensitive skills.
  • Relevant security tools installed only when a specific skill requires them, such as Volatility 3, SIEM access, cloud CLIs, malware-analysis sandboxes, or forensic utilities.

.NET Agent Skills:
  • An AI coding assistant or skill host that supports Agent Skills, plugin marketplaces, or direct skill installation.
  • .NET SDK and project-local build/test tooling appropriate for the repository being edited.
  • For MCP server work, the official C# MCP SDK, MCP project templates, and a target transport choice such as stdio or HTTP.
  • For diagnostics, permission to collect traces, dumps, logs, counters, binlogs, or test output from the target environment.

Anthropic Agent Skills:
  • Claude Code for plugin marketplace installation, Claude.ai paid plan access for built-in/example skill usage, or Claude API access for programmatic skill creation.
  • A target task where a demonstration skill, document skill, MCP builder workflow, skill creator workflow, or custom skill template is appropriate.
  • Review of the repository disclaimer and license/source-availability notes before relying on a skill in production.
  • Local testing for any copied or customized skill before using it on sensitive documents, production workflows, or customer data.

Azure Skills Plugin:
  • Azure account or subscription appropriate for the target work.
  • Node.js 18 or newer with `npx` available, because the included MCP configuration launches `@azure/mcp` through npx.
  • Azure CLI installed and authenticated with `az login` for live Azure resource work.
  • Azure Developer CLI installed and authenticated with `azd auth login` for azd deployment workflows.

Install

  • Community Cybersecurity Agent Skills: npx skills add mukul975/Anthropic-Cybersecurity-Skills
  • .NET Agent Skills: codex plugin marketplace add dotnet/skills
  • Anthropic Agent Skills: /plugin marketplace add anthropics/skills
  • Azure Skills Plugin: apm install microsoft/azure-skills

Claim | Unclaimed | Unclaimed | Unclaimed | Unclaimed
