Stix

building-ioc-defanging-and-sharing-pipeline skill for extracting IOCs, defanging URLs, IPs, domains, emails, and hashes, then converting and sharing them as STIX 2.1 via TAXII or MISP for security audit and threat intel workflows.

analyzing-campaign-attribution-evidence helps analysts weigh infrastructure overlap, ATT&CK consistency, malware similarity, timing, and language artifacts for defensible campaign attribution. Use this analyzing-campaign-attribution-evidence guide for CTI, incident analysis, and Security Audit reviews.

evaluating-threat-intelligence-platforms helps you compare TIP products by feed ingestion, STIX/TAXII support, automation, analyst workflow, integrations, and total cost of ownership. Use this evaluating-threat-intelligence-platforms guide for procurement, migration, or maturity planning, including evaluating-threat-intelligence-platforms for Threat Modeling when platform choice affects traceability and evidence sharing.

correlating-threat-campaigns helps Threat Intelligence analysts correlate incidents, IOCs, and TTPs into campaign-level evidence. Use it to compare historical events, separate strong links from weak matches, and build defensible clustering for MISP, SIEM, and CTI reporting.

The collecting-threat-intelligence-with-misp skill helps you collect, normalize, search, and export threat intelligence in MISP. Use this collecting-threat-intelligence-with-misp guide for feeds, PyMISP workflows, event filtering, warninglist reduction, and practical collecting-threat-intelligence-with-misp for Threat Modeling and CTI operations.

collecting-indicators-of-compromise skill for extracting, enriching, scoring, and exporting IOCs from incident evidence. Use it for Security Audit workflows, threat intel sharing, and STIX 2.1 output when you need a practical collecting-indicators-of-compromise guide instead of a generic incident-response prompt.

building-threat-intelligence-platform skill for designing, deploying, and reviewing a threat intelligence platform with MISP, OpenCTI, TheHive, Cortex, STIX/TAXII, and Elasticsearch. Use it for installation guidance, usage workflows, and Security Audit planning backed by repository references and scripts.

building-threat-actor-profile-from-osint helps threat intelligence teams turn OSINT into structured threat actor profiles. It supports profiling named groups or campaigns, with ATT&CK mapping, infrastructure correlation, source traceability, and confidence notes for defensible analysis.

Analyzing-threat-intelligence-feeds helps you ingest CTI feeds, normalize indicators, assess feed quality, and enrich IOCs for STIX 2.1 workflows. This analyzing-threat-intelligence-feeds skill is built for threat intel operations and Data Analysis, with practical guidance for TAXII, MISP, and commercial feeds.

The analyzing-threat-actor-ttps-with-mitre-attack skill helps map threat reports to MITRE ATT&CK tactics, techniques, and sub-techniques, build coverage views, and prioritize detection gaps. It includes a reporting template, ATT&CK references, and scripts for technique lookup and gap analysis, making it useful for CTI, SOC, detection engineering, and threat modeling.

Analyzing-indicators-of-compromise helps triage IOCs such as IPs, domains, URLs, file hashes, and email artifacts. It supports threat-intelligence workflows for enrichment, confidence scoring, and block/monitor/whitelist decisions using source-backed checks and clear analyst context.