Releases: mukul975/Anthropic-Cybersecurity-Skills

v1.3.0

22 Jun 17:11

This release grows the library from 762 to 817 skills, adds a sixth framework (MITRE F3), and fixes the plugin version that installs were reporting as 1.0.

55 new skills

Built around the fastest-growing attack and skills areas from the 2025-2026 ISC2, WEF, CrowdStrike, and Mandiant reports. Three new domains, plus depth in six existing ones.

New domains:

  • AI Security (12 skills) covers LLM red-teaming with garak and PyRIT, direct and indirect prompt injection, RAG poisoning, MCP tool-poisoning, agentic tool-invocation controls, and runtime guardrails.
  • Supply Chain Security (5 skills) covers SBOM generation, dependency confusion, malicious npm package triage, typosquatting detection, and SLSA/Sigstore provenance.
  • Hardware and Firmware Security (4 skills) covers CHIPSEC UEFI audits, Secure Boot bypass detection, TPM measured-boot attestation, and bootkit hunting in the EFI System Partition.

Expanded coverage:

  • Identity: 10 skills on Entra ID and ADCS attacks (ROADtools, GraphRunner, AADInternals, Certipy, BloodHound CE, device-code phishing) since stolen credentials and valid-account abuse now lead initial access.
  • Cloud-native: 8 skills (Stratus Red Team, Pacu, CloudFox, container escape, Kubernetes RBAC, Falco, Trivy, kube-bench).
  • Offensive C2 and lateral movement: 6 skills (Sliver, Havoc, NetExec, DPAPI, NTLM relay to ESC8, redirector infrastructure).
  • DFIR: 6 skills (Hayabusa, Chainsaw, KAPE, Velociraptor, Eric Zimmerman tools, Plaso).
  • Backfill for thin domains: OpenCTI, MISP, honeytokens, and post-quantum cryptography migration.

Every skill ships with the full folder layout (SKILL.md, references, runnable scripts/agent.py, LICENSE), real tool commands sourced from each project's docs, and ATT&CK or ATLAS plus NIST CSF mappings.

MITRE Fight Fraud Framework (F3 v1.1)

All 94 fraud-relevant skills now carry a mitre_f3 frontmatter block alongside mitre_attack. F3 adds two tactics that ATT&CK does not have, Positioning and Monetization, so a single skill can trace a cyber intrusion through to the financial loss it causes. Every F3 technique ID was checked against the upstream STIX bundle. This makes F3 the sixth mapped framework after ATT&CK, NIST CSF 2.0, ATLAS, D3FEND, and NIST AI RMF.

MITRE ATT&CK v19.1

All skills were revalidated against ATT&CK v19.1 using the official mitreattack-python library. Revoked and restructured IDs were remapped (the T1562 Impair Defenses family and T1070.001 moved to the new T1685 family), and v19's tactic split (Defense Evasion into Stealth and Defense Impairment) is reflected in the README.

Fixes and automation

  • plugin.json was stuck at version 1.0.0, so installs showed 1.0 everywhere. It now tracks the release version.
  • The skill count syncs into the README, marketplace.json, and plugin.json automatically on every skills change, so the number stays correct without manual edits.
  • Releases now bump plugin.json as well as marketplace.json.

Full diff: v1.2.0...v1.3.0

Cybersecurity Agent Skills v1.2.0 — Five Framework Coverage

06 Apr 10:06

The world's first open-source cybersecurity skills library mapped to 5 industry frameworks.

v1.2.0 adds MITRE ATLAS v5.5, MITRE D3FEND v1.3, and NIST AI RMF 1.0 mappings to every skill — joining the existing MITRE ATT&CK Enterprise and NIST CSF 2.0 coverage. No other open-source library maps cybersecurity skills for AI agents across all five frameworks simultaneously.

What's new in v1.2.0

Three new framework mappings

| Framework | Skills mapped | What it adds |
|---|---|---|
| MITRE ATLAS v5.5 | 81 | AI/ML adversarial threat techniques — model poisoning, prompt injection defense, AI supply chain attacks, agentic AI escape-to-host |
| MITRE D3FEND v1.3 | 139 | Defensive technique taxonomy — 267 countermeasures across Model, Harden, Detect, Isolate, Deceive, Evict, Restore |
| NIST AI RMF 1.0 | 85 | AI risk management — Govern, Map, Measure, Manage functions for AI system lifecycle |

Updated skill frontmatter

Every SKILL.md now includes dedicated framework fields:

```yaml
atlas_techniques: [AML.T0051, AML.T0054]
d3fend_techniques: [D3-NTA, D3-PA]
nist_ai_rmf: [MEASURE-2.7, GOVERN-6.1]
nist_csf: [DE.CM-01, RS.AN-03]
```

Full framework coverage

| Framework | Coverage | Details |
|---|---|---|
| MITRE ATT&CK Enterprise | 754/754 | All 14 tactics, 200+ techniques |
| NIST CSF 2.0 | 754/754 | All 6 functions (GV, ID, PR, DE, RS, RC) |
| MITRE ATLAS v5.5 | 81 skills | AI adversarial techniques |
| MITRE D3FEND v1.3 | 139 skills | Defensive countermeasures |
| NIST AI RMF 1.0 | 85 skills | AI risk management |

Platform compatibility

Works with 26+ AI agent platforms: Claude Code, GitHub Copilot, Cursor, Windsurf, Cline, Aider, Continue, Roo Code, Amazon Q, OpenAI Codex CLI, Gemini CLI, Devin, Replit Agent, LangChain, CrewAI, AutoGen, and any MCP-compatible agent.

Install

```bash
npx skills add mukul975/Anthropic-Cybersecurity-Skills
```

Community

4,100+ stars. 436 forks. Listed on SkillsLLM, awesome-agent-skills, awesome-ai-security, and awesome-codex-cli.

Thank you to every contributor and community member who helped make this the largest open-source cybersecurity skills library for AI agents.


Full changelog: v1.1.0...v1.2.0

v1.1.0 — 753 Cybersecurity Skills

21 Mar 11:52

What's New in v1.1.0

753 structured cybersecurity skills across web security, penetration testing, DFIR, threat intelligence, cloud security, OT/SCADA, AI security, and more.


30 New Skills

AI Security

  • detecting-ai-model-prompt-injection-attacks
  • implementing-llm-guardrails-for-security

Supply Chain Security

  • analyzing-sbom-for-supply-chain-vulnerabilities
  • implementing-sigstore-for-software-signing
  • detecting-typosquatting-packages-in-npm-pypi

Firmware Analysis

  • analyzing-uefi-bootkit-persistence
  • performing-firmware-extraction-with-binwalk

Mobile Security

  • performing-ios-app-security-assessment
  • detecting-bluetooth-low-energy-attacks

Cloud Native

  • implementing-aws-nitro-enclave-security
  • detecting-serverless-function-injection
  • implementing-ebpf-security-monitoring

Compliance

  • performing-soc2-type2-audit-preparation
  • implementing-gdpr-data-subject-access-request

Deception Technology

  • deploying-active-directory-honeytokens
  • implementing-canary-tokens-for-network-intrusion

Cryptography

  • implementing-hardware-security-key-authentication
  • performing-post-quantum-cryptography-migration

Threat Hunting

  • hunting-for-dcom-lateral-movement
  • detecting-ntlm-relay-with-event-correlation
  • detecting-command-and-control-over-dns
  • detecting-deepfake-audio-in-vishing-attacks

Purple Team

  • performing-purple-team-atomic-testing

OT/SCADA

  • monitoring-scada-modbus-traffic-anomalies

Privacy

  • performing-privacy-impact-assessment
  • implementing-data-loss-prevention-with-microsoft-purview
  • implementing-browser-isolation-for-zero-trust

DFIR

  • performing-cloud-log-forensics-with-athena
  • auditing-tls-certificate-transparency-logs
  • detecting-deepfake-audio-in-vishing-attacks

Attack Surface

  • implementing-attack-surface-management

5 Skills Upgraded to Full Content

| Skill | Lines |
|---|---|
| analyzing-linux-audit-logs-for-intrusion | 257 |
| analyzing-windows-amcache-artifacts | 237 |
| detecting-oauth-token-theft | 266 |
| implementing-devsecops-security-scanning | 372 |
| implementing-privileged-session-monitoring | 323 |

By the Numbers

  • 753 structured cybersecurity skills
  • 30 new skills across 12 new domains
  • 125 files added
  • 47,908 lines of new content
  • 291+ MITRE ATT&CK techniques covered (14/14 tactics)
  • Apache 2.0 licensed

Install

```bash
npx skills add mukul975/Anthropic-Cybersecurity-Skills
```

Works with Claude Code, GitHub Copilot, Cursor, Windsurf, Gemini CLI, and 20+ AI agent platforms.

Full MITRE ATT&CK coverage: ATTACK_COVERAGE.md

Cybersecurity Agent Skills v1.0.0

11 Mar 01:34

The largest open-source cybersecurity skills library for AI coding agents. 734 hands-on, structured skills spanning 26 security domains -- from threat hunting and malware analysis to cloud security and OT/ICS defense.


Highlights

  • 734 skills across 26 cybersecurity domains
  • Full MITRE ATT&CK coverage -- all 14 Enterprise tactics mapped
  • Aligned to NIST CSF 2.0 functions (Identify, Protect, Detect, Respond, Recover)
  • Works with 26+ AI agent platforms via the agentskills.io standard
  • Each skill includes structured workflows, scripts, reference configs, and validation steps

Domain Coverage

| Domain | Skills | Description |
|---|---|---|
| Cloud Security | 60 | AWS, Azure, GCP hardening, CSPM, cloud forensics |
| Threat Hunting | 55 | Proactive detection, hypothesis-driven hunts, LOTL |
| Threat Intelligence | 50 | STIX/TAXII, MISP, feed integration, actor profiling |
| Web Application Security | 42 | OWASP Top 10, SQLi, XSS, SSRF, deserialization |
| Network Security | 40 | IDS/IPS, firewall rules, VLAN, traffic analysis |
| Malware Analysis | 39 | Static/dynamic analysis, reverse engineering, sandboxing |
| Digital Forensics | 37 | Disk imaging, memory forensics, timeline reconstruction |
| Security Operations | 36 | SIEM correlation, log analysis, alert triage |
| Identity & Access Management | 35 | IAM policies, PAM, zero trust identity, Okta, SailPoint |
| SOC Operations | 33 | Playbooks, escalation, metrics, tabletop exercises |
| Container Security | 30 | K8s RBAC, image scanning, Falco, container forensics |
| OT/ICS Security | 28 | Modbus, DNP3, IEC 62443, historian defense, SCADA |
| API Security | 28 | GraphQL, REST, SOAP, OWASP API Top 10, WAF bypass |
| Vulnerability Management | 25 | Nessus, scanning workflows, patch prioritization |
| Incident Response | 25 | Breach containment, ransomware response, IR playbooks |
| Red Teaming | 24 | Full-scope engagements, AD attacks, phishing simulation |
| Penetration Testing | 23 | Network, web, cloud, mobile, wireless pentesting |
| Endpoint Security | 17 | EDR, LOTL detection, fileless malware, persistence |
| DevSecOps | 17 | CI/CD security, code signing, Terraform auditing |
| Phishing Defense | 16 | Email authentication, BEC detection, phishing IR |
| Cryptography | 14 | TLS, Ed25519, certificate transparency, key management |
| Zero Trust Architecture | 13 | BeyondCorp, CISA maturity model, microsegmentation |
| Mobile Security | 12 | Android/iOS analysis, mobile pentesting, MDM forensics |
| Ransomware Defense | 7 | Precursor detection, response, recovery, encryption analysis |
| Compliance & Governance | 5 | CIS benchmarks, SOC2, regulatory frameworks |
| Deception Technology | 2 | Honeytokens, breach detection canaries |

Total: 734 skills


MITRE ATT&CK Enterprise Coverage

All 14 tactics in the MITRE ATT&CK Enterprise Matrix (v18) are covered:

| Tactic | ID | Coverage | Key Skills |
|---|---|---|---|
| Reconnaissance | TA0043 | Strong | OSINT, subdomain enumeration, DNS recon |
| Resource Development | TA0042 | Moderate | Phishing infrastructure, C2 setup detection |
| Initial Access | TA0001 | Strong | Phishing simulation, exploit detection, forced browsing |
| Execution | TA0002 | Strong | PowerShell analysis, fileless malware, script block logging |
| Persistence | TA0003 | Strong | Scheduled tasks, registry, service accounts, LOTL |
| Privilege Escalation | TA0004 | Strong | Kerberoasting, AD attacks, cloud privilege escalation |
| Defense Evasion | TA0005 | Strong | Obfuscation, rootkit analysis, evasion technique detection |
| Credential Access | TA0006 | Strong | Mimikatz detection, pass-the-hash, credential dumping |
| Discovery | TA0007 | Moderate | BloodHound, AD enumeration, network scanning |
| Lateral Movement | TA0008 | Strong | SMB exploits, lateral movement detection with Splunk |
| Collection | TA0009 | Moderate | Email forensics, data staging detection |
| Command and Control | TA0011 | Strong | C2 beaconing, DNS tunneling, Cobalt Strike analysis |
| Exfiltration | TA0010 | Strong | DNS exfiltration, DLP controls, data loss detection |
| Impact | TA0040 | Strong | Ransomware defense, encryption analysis, recovery |

NIST CSF 2.0 Alignment

| Function | Skills | Examples |
|---|---|---|
| Identify (ID) | 120+ | Asset discovery, threat landscape assessment, risk analysis |
| Protect (PR) | 150+ | IAM hardening, WAF rules, zero trust, encryption |
| Detect (DE) | 200+ | Threat hunting, SIEM correlation, anomaly detection |
| Respond (RS) | 160+ | Incident response, forensics, breach containment |
| Recover (RC) | 40+ | Ransomware recovery, BCP, disaster recovery |

Compatible Platforms

Directly tested with:

  • Claude Code (Anthropic)
  • GitHub Copilot
  • OpenAI Codex
  • Gemini CLI (Google)
  • Cursor

Compatible with 26+ AI agent platforms via the agentskills.io open standard, including Windsurf, Cline, Aider, Continue, and more.


Quick Start

Option 1: Clone and use directly

```bash
git clone https://github.com/anthropics/cybersecurity-skills.git
cd cybersecurity-skills
# Point your AI agent at any skill directory
```

Option 2: Use a specific skill

```bash
# Copy a single skill into your project
cp -r skills/hunting-for-command-and-control-beaconing/ ./my-project/
```

Option 3: Browse by domain

```bash
# List all cloud security skills
ls skills/ | grep -i cloud
# List all threat hunting skills
ls skills/ | grep -i hunting
```

What's New in v1.0.0

This is the initial stable release of the Cybersecurity Agent Skills library.

  • 734 structured skills with workflows, scripts, reference configs, and validation
  • Full MITRE ATT&CK mapping -- every Enterprise tactic has corresponding skills
  • NIST CSF 2.0 alignment across all five core functions
  • Standardized SKILL.md format with consistent frontmatter (name, domain, subdomain, tags, version)
  • Issue templates for contributing new skills, reporting bugs, and requesting features
  • ATT&CK Navigator layer for visual coverage mapping
  • Apache 2.0 license -- free for commercial and personal use

Breaking Changes

None. This is the first release.


Repository Structure

```
skills/
  <skill-name>/
    SKILL.md          # Skill definition with frontmatter and workflow
    scripts/          # Automation scripts (Python, Bash, PowerShell)
    references/       # Reference configs, sample data, templates
```

Contributing

We welcome contributions! See CONTRIBUTING.md for guidelines.

  • Use the New Skill issue template to propose additions
  • Each skill must include SKILL.md with standard frontmatter
  • Scripts should be functional, not placeholder code
  • Include validation steps so users can verify their work

Contributors

Thanks to all contributors who made this release possible. See the contributors page.


License

Apache License 2.0 -- see LICENSE for details.


Links