building-threat-actor-profile-from-osint

by mukul975

building-threat-actor-profile-from-osint helps threat intelligence teams turn OSINT into structured threat actor profiles. It supports profiling named groups or campaigns, with ATT&CK mapping, infrastructure correlation, source traceability, and confidence notes for defensible analysis.

Stars0

Favorites0

Comments0

AddedMay 9, 2026

CategoryThreat Intelligence

Install Command

npx skills add mukul975/Anthropic-Cybersecurity-Skills --skill building-threat-actor-profile-from-osint

Curation Score

This skill scores 66/100, which means it is listable but only moderately strong for directory users. It has real, non-placeholder threat-intelligence workflow content and supporting code/reference files, but users will still need some domain knowledge to install and run it with confidence.

66/100

Strengths

Substantive OSINT threat-actor profiling workflow with clear domain focus on adversary motivations, infrastructure, and TTPs.
Good operational evidence from supporting assets: a Python script, an API reference, and repo/file references tied to MITRE ATT&CK, OTX, Malpedia, and ATT&CK Navigator.
No placeholder or test-only signals; the skill body is sizable and structurally complete with multiple headings and workflow-oriented sections.

Cautions

Triggering is only moderately clear: the "When to Use" section is generic and not tightly framed around exact agent tasks or invocation patterns.
Adoption may require external tooling and APIs (for example Shodan, SpiderFoot, Maltego, OTX, Malpedia), so execution is not self-contained.

Osint Threat Actor Mitre Attack Stix Maltego Spiderfoot Cybersecurity

Overview

Overview of building-threat-actor-profile-from-osint skill

What this skill does

The building-threat-actor-profile-from-osint skill helps you turn scattered public reporting into a structured threat actor profile. It is designed for threat intelligence work where you need to combine OSINT sources, map infrastructure, and summarize motivations, capabilities, and TTPs in a way analysts can use.

Best-fit use cases

Use the building-threat-actor-profile-from-osint skill when you need a defensible profile for a named group, suspected cluster, or campaign. It fits analysts who work with vendor reports, ATT&CK mapping, OTX-like pulse data, STIX references, and infrastructure correlation, rather than people looking for generic cyber news summaries.

What makes it useful

This skill is more practical than a free-form prompt because it points toward repeatable profiling steps and data structures. The included reference material and helper script suggest a workflow centered on ATT&CK data, OSINT enrichment, and structured output, which is useful if you need consistent threat intelligence deliverables.

How to Use building-threat-actor-profile-from-osint skill

Install and load it

Use the building-threat-actor-profile-from-osint install path in your skills workflow, then open skills/building-threat-actor-profile-from-osint/SKILL.md first. If you are using the broader repository install command, verify that the skill is present, then inspect the skill folder directly so you can see the reference and script files that actually drive the workflow.

Start with the right input

For strong building-threat-actor-profile-from-osint usage, give the skill a target that is specific enough to research: actor name, alias, campaign, suspected infrastructure, or a source bundle you want normalized. Better inputs include:

“Profile APT29 using public reporting, ATT&CK mapping, and known infrastructure.”
“Build a threat actor dossier for this group with confidence notes and source traceability.”
“Correlate public indicators and summarize likely TTPs, aliases, and defensive implications.”

Read these files first

For a quick building-threat-actor-profile-from-osint guide, review SKILL.md, then references/api-reference.md, then scripts/agent.py. SKILL.md gives the operating intent, the reference file exposes the external data formats and APIs the skill expects, and the script shows the actual extraction logic and what fields the workflow can produce.

Workflow that gets better results

Use the skill in three passes: identify the target, collect and normalize sources, then convert evidence into a profile with sourcing and confidence. The best building-threat-actor-profile-from-osint usage is to ask for a dossier that separates confirmed facts from inferred links, because attribution-heavy tasks fail when evidence and judgment are blended together.

building-threat-actor-profile-from-osint skill FAQ

Is this only for Threat Intelligence?

Yes, the building-threat-actor-profile-from-osint for Threat Intelligence use case is the main fit. It is strongest when you need analysis of adversary behavior, infrastructure, and public attribution signals, not general vulnerability management or incident response automation.

Do I need OSINT tooling already?

Not necessarily, but it helps. The repository references tools and data sources such as ATT&CK STIX data, AlienVault OTX, Maltego, and SpiderFoot, so the skill is best if you can access at least some of those inputs or equivalent public sources.

Is it better than a plain prompt?

Usually yes, because the skill gives you a more repeatable structure for profiling, source collection, and ATT&CK alignment. A plain prompt can ask for a profile, but building-threat-actor-profile-from-osint skill setup is better when you need a workflow that is easier to rerun, review, and adapt.

When should I not use it?

Do not use it if you need a quick one-paragraph summary, or if you lack any target identity and source material. This skill is more valuable when you have enough OSINT to justify a real profile, not when you want speculative attribution from a single clue.

How to Improve building-threat-actor-profile-from-osint skill

Give evidence, not just a name

The biggest quality gain comes from supplying source material alongside the actor name. For better building-threat-actor-profile-from-osint skill results, include links, excerpts, IOCs, published reports, aliases, ATT&CK techniques, and dates so the output can distinguish correlation from assumption.

Ask for the profile shape you need

Be explicit about the deliverable: executive summary, analyst dossier, ATT&CK mapping, infrastructure table, or confidence-rated assessment. If you want the result to support briefings, ask for a short conclusion plus an evidence appendix; if you want investigations, ask for a source-first format with indicators and pivot points.

Common failure modes to avoid

The most common miss is under-specifying the target, which leads to broad or noisy output. Another failure mode is asking for attribution certainty without enough evidence. For building-threat-actor-profile-from-osint install decisions, the skill is worth it when you can feed it enough material to support correlation; otherwise, output will stay shallow.

Iterate with a tighter second pass

After the first pass, refine the profile by asking for gaps, disputed claims, and missing infrastructure or TTP coverage. The best building-threat-actor-profile-from-osint guide workflow is iterative: first build the dossier, then request a confidence review, then ask for a defensive summary tailored to your team’s needs.

Ratings & Reviews

No ratings yet

Share your review

0/10000

Latest reviews

Saving...

more skill

evaluating-threat-intelligence-platforms

by mukul975

evaluating-threat-intelligence-platforms helps you compare TIP products by feed ingestion, STIX/TAXII support, automation, analyst workflow, integrations, and total cost of ownership. Use this evaluating-threat-intelligence-platforms guide for procurement, migration, or maturity planning, including evaluating-threat-intelligence-platforms for Threat Modeling when platform choice affects traceability and evidence sharing.

Threat Modeling

Favorites 0GitHub 0

detecting-privilege-escalation-attempts

by mukul975

detecting-privilege-escalation-attempts helps hunt privilege escalation on Windows and Linux, including token manipulation, UAC bypass, unquoted service paths, kernel exploits, and sudo/doas abuse. Built for threat hunting teams that need a practical workflow, reference queries, and helper scripts.

Threat Hunting

Favorites 0GitHub 0

detecting-insider-threat-behaviors

by mukul975

detecting-insider-threat-behaviors helps analysts hunt insider-risk signals like unusual data access, off-hours activity, mass downloads, privilege abuse, and resignation-correlated theft. Use this detecting-insider-threat-behaviors guide for threat hunting, UEBA-style triage, and threat modeling with workflow templates, SIEM query examples, and risk weights.

Threat Modeling

Favorites 0GitHub 0

detecting-credential-dumping-techniques

by mukul975

The detecting-credential-dumping-techniques skill helps you detect LSASS access, SAM export, NTDS.dit theft, and comsvcs.dll MiniDump abuse using Sysmon Event ID 10, Windows Security logs, and SIEM correlation rules. It is built for threat hunting, detection engineering, and Security Audit workflows.

Security Audit

Favorites 0GitHub 0

detecting-command-and-control-over-dns

by mukul975

detecting-command-and-control-over-dns is a cybersecurity skill for spotting C2 over DNS, including tunneling, beaconing, DGA domains, and TXT/CNAME abuse. It supports SOC analysts, threat hunters, and security audits with entropy checks, passive DNS correlation, and Zeek or Suricata-style detection workflows.

Security Audit

Favorites 0GitHub 0

correlating-security-events-in-qradar

by mukul975

correlating-security-events-in-qradar helps SOC and detection teams correlate IBM QRadar offenses with AQL, offense context, custom rules, and reference data. Use this guide to investigate incidents, reduce false positives, and build stronger correlation logic for Incident Response.

Incident Response

Favorites 0GitHub 0

auditing-tls-certificate-transparency-logs

by mukul975

The auditing-tls-certificate-transparency-logs skill helps security teams monitor Certificate Transparency logs for owned domains, detect unauthorized certificate issuance, discover certificate-exposed subdomains, and track suspicious CA activity with a repeatable Security Audit workflow.

Security Audit

Favorites 0GitHub 0

analyzing-windows-event-logs-in-splunk

by mukul975

The analyzing-windows-event-logs-in-splunk skill helps SOC analysts investigate Windows Security, System, and Sysmon logs in Splunk for authentication attacks, privilege escalation, persistence, and lateral movement. Use it for incident triage, detection engineering, and timeline analysis with mapped SPL patterns and event ID guidance.

Incident Triage

Favorites 0GitHub 0

analyzing-windows-amcache-artifacts

by mukul975

The analyzing-windows-amcache-artifacts skill parses Windows Amcache.hve data to recover evidence of program execution, installed software, device activity, and driver loading for DFIR and security audit workflows. It uses AmcacheParser and regipy-based guidance to support artifact extraction, SHA-1 correlation, and timeline review.

Security Audit

Favorites 0GitHub 0

analyzing-powershell-empire-artifacts

by mukul975

analyzing-powershell-empire-artifacts skill helps Security Audit teams detect PowerShell Empire artifacts in Windows logs using Script Block Logging, Base64 launcher patterns, stager IOCs, module signatures, and detection references for triage and rule writing.

Security Audit

Favorites 0GitHub 0

analyzing-network-traffic-of-malware

by mukul975

analyzing-network-traffic-of-malware helps inspect PCAPs and telemetry from sandbox runs or incident response to find C2, exfiltration, payload downloads, DNS tunneling, and detection ideas. It is a practical analyzing-network-traffic-of-malware guide for Security Audit and malware triage.

Security Audit

Favorites 0GitHub 0

analyzing-indicators-of-compromise

by mukul975

Analyzing-indicators-of-compromise helps triage IOCs such as IPs, domains, URLs, file hashes, and email artifacts. It supports threat-intelligence workflows for enrichment, confidence scoring, and block/monitor/whitelist decisions using source-backed checks and clear analyst context.

Threat Intelligence

Favorites 0GitHub 0

analyzing-cyber-kill-chain

by mukul975

analyzing-cyber-kill-chain helps map intrusion activity to the Lockheed Martin Cyber Kill Chain to show what happened, where defenses held or failed, and which controls could have stopped the attack earlier. It is useful for incident response, detection-gap analysis, and analyzing-cyber-kill-chain for Threat Intelligence.

Threat Intelligence

Favorites 0GitHub 0

collecting-indicators-of-compromise

by mukul975

collecting-indicators-of-compromise skill for extracting, enriching, scoring, and exporting IOCs from incident evidence. Use it for Security Audit workflows, threat intel sharing, and STIX 2.1 output when you need a practical collecting-indicators-of-compromise guide instead of a generic incident-response prompt.

Security Audit

Favorites 0GitHub 0

detecting-business-email-compromise

by mukul975

The detecting-business-email-compromise skill helps analysts, SOC teams, and incident responders identify BEC attempts using email-header checks, social-engineering clues, detection logic, and response-oriented workflows. Use it as a practical detecting-business-email-compromise guide for triage, validation, and containment.

Incident Response

Favorites 0GitHub 6.1k

analyzing-command-and-control-communication

by mukul975

analyzing-command-and-control-communication helps analyze malware C2 traffic to identify beaconing, decode commands, map infrastructure, and support Security Audit, threat hunting, and malware triage with PCAP-based evidence and practical workflow guidance.

Security Audit

Favorites 0GitHub 0