The cybersecurity industry faces a staggering 4.8 million unfilled roles globally. The ISC2 workforce study paints a grim picture: organizations can’t hire enough analysts, and those they have are drowning in alert fatigue. But what if AI agents could step in — not as replacements, but as force multipliers equipped with the same structured playbooks senior analysts use?
Enter Anthropic Cybersecurity Skills, the largest open-source library of structured cybersecurity playbooks for AI agents. Now at version 1.3.0 with 817 skills across 29 security domains, this repository by Mahipal Jangra (mukul975/Anthropic-Cybersecurity-Skills) is transforming how AI agents handle security operations. With over 21,000 GitHub stars and Apache 2.0 licensing, it has become the de facto standard for agentic cybersecurity.
From Generic Chatbot to Expert SOC Analyst
Today’s AI agents can write code and search the web, but they generally cannot do the things that separate a junior analyst from a senior one: pick the right Volatility3 plugin for a suspicious memory dump, know which Sigma rules catch Kerberoasting, or scope a cloud breach consistently across AWS, Azure, and GCP. That’s where structured playbooks come in.
Each of the 817 skills in the library follows the agentskills.io open standard — YAML frontmatter for machine discovery and structured Markdown for execution. A skill contains four required sections: When to Use (trigger conditions), Prerequisites (tools and access), Workflow (step-by-step execution), and Verification (how to confirm success). This format allows AI agents to scan all 817 skills in a single pass using roughly 30 tokens per skill, then load only the matching playbooks at 500–2,000 tokens each.
Anthropic Cybersecurity Skills is featured as one of the top AI agent trends in this May 2026 analysis of GitHub’s exploding agent ecosystem.
Six Frameworks, One Skill Library
What sets Anthropic Cybersecurity Skills apart from every other open-source security resource is its six-framework mapping. Every single skill is cross-referenced against all major industry frameworks simultaneously:
MITRE ATT&CK v19.1 — 286 techniques across 15 Enterprise tactics, with zero revoked or deprecated IDs
NIST CSF 2.0 — 6 functions: Govern, Identify, Protect, Detect, Respond, Recover
MITRE ATLAS v5.4 — 84 AI/ML adversarial techniques for model-specific threats
MITRE D3FEND v1.3 — 267 defensive countermeasure labels
NIST AI RMF 1.0 — 72 subcategories for AI governance and compliance
MITRE Fight Fraud (F3) v1.1 — 123 fraud-specific techniques across 94 skills, co-developed with JPMorganChase, Citigroup, and CrowdStrike
This cross-framework coverage means a single skill execution — such as analyzing-network-traffic-of-malware — simultaneously satisfies ATT&CK T1071, NIST CSF DE.CM, ATLAS AML.T0047, D3FEND D3-NTA, and AI RMF MEASURE-2.6. For compliance teams, this is transformative: one investigation step, five compliance checkboxes ticked.
29 Security Domains Covered
The library spans a remarkable range of security disciplines. Cloud Security leads with 66 skills, followed by Threat Hunting (58), Threat Intelligence (52), Network Security (43), and Web Application Security (42). Digital Forensics (41), Malware Analysis (39), Identity & Access Management (37), and SOC Operations / Red Teaming (35) round out the top tier.
Emerging domains reflect the evolving threat landscape: AI Security (14 skills) provides playbooks for securing ML pipelines, Supply Chain Security (8 skills) addresses software supply chain risks, and Hardware & Firmware Security (4 skills) covers low-level system integrity. Container Security (33), DevSecOps (17), Zero Trust (17), and Ransomware (15) round out modern enterprise coverage.
Anthropic’s Jackie Bow demonstrates CLUE (Claude Looks Up Evidence), showing how structured playbooks and AI agents are deployed in real SOC environments.
Progressive Disclosure: Optimized for Agent Context Windows
The library’s architectural insight is its progressive disclosure design. Every skill directory follows a consistent structure:
skills/performing-memory-forensics-with-volatility3/
├── SKILL.md              ← YAML frontmatter + Markdown body
├── references/
│   ├── standards.md      ← Framework mappings
│   └── workflows.md      ← Deep technical procedure
├── scripts/
│   └── process.py        ← Helper scripts
└── assets/
    └── template.md       ← Checklist templates
The YAML frontmatter enables an elegant agent workflow: scan 817 frontmatters at ~30 tokens each to identify relevant matches, then load only the top matching playbooks at full depth (500–2,000 tokens each). This token-budget-conscious design means even the largest AI models can search the entire library without exhausting context windows.
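The scan-then-load flow described above, combined with a check for the four required sections before a playbook reaches the agent, shown as an added example that is not the project's code or its validate-skill.py. The frontmatter keys `name` and `tags`, the `##` heading level, and both sample skills are assumptions constructed for illustration.

```python
import re

REQUIRED = ("When to Use", "Prerequisites", "Workflow", "Verification")

def make_skill(name, tags, sections):
    """Build a constructed SKILL.md text (sample data, not from the repository)."""
    body = "".join(f"## {s}\nplaceholder step\n" for s in sections)
    return f"---\nname: {name}\ntags: {tags}\n---\n{body}"

SKILLS = {  # constructed samples; frontmatter keys name/tags are assumptions
    "performing-memory-forensics-with-volatility3":
        make_skill("performing-memory-forensics-with-volatility3", "forensics, memory", REQUIRED),
    "analyzing-network-traffic-of-malware":  # deliberately incomplete sample
        make_skill("analyzing-network-traffic-of-malware", "network, c2", REQUIRED[:2]),
}

def split_skill(text):
    """Return (frontmatter dict, markdown body); flat 'key: value' lines only."""
    m = re.match(r"---\n(.*?)\n---\n(.*)", text, re.S)
    if not m:
        raise ValueError("missing YAML frontmatter")
    meta = dict(line.split(":", 1) for line in m.group(1).splitlines() if ":" in line)
    return {k.strip(): v.strip() for k, v in meta.items()}, m.group(2)

def build_index(skills):
    """Stage 1: keep only the frontmatter of every skill (cheap to scan)."""
    return {sid: split_skill(text)[0] for sid, text in skills.items()}

def missing_sections(body):
    """Required sections that have no matching '## <name>' heading."""
    found = set(re.findall(r"^##\s+(.+?)\s*$", body, re.M))
    return [s for s in REQUIRED if s not in found]

def load_matching(skills, index, wanted_tag):
    """Stage 2: load full bodies only for tag matches; reject incomplete skills."""
    loaded, rejected = {}, {}
    for sid, meta in index.items():
        tags = {t.strip() for t in meta.get("tags", "").split(",")}
        if wanted_tag not in tags:
            continue
        body = split_skill(skills[sid])[1]
        gaps = missing_sections(body)
        if gaps:
            rejected[sid] = gaps   # fail closed: never hand a partial playbook to the agent
        else:
            loaded[sid] = body
    return loaded, rejected
```

Rejecting a skill that lacks its Verification section keeps an agent from running a workflow it has no defined way to confirm, which matters when playbooks come from a third-party repository.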
Platform Compatibility: 26+ AI Runtimes
The library works with essentially every major AI coding and agent platform. Claude Code, GitHub Copilot, OpenAI Codex CLI, Cursor, and Gemini CLI all support the agentskills.io format natively. For agent orchestration frameworks like LangChain, CrewAI, and MCP-based agents, the skills can be mounted as tool descriptions with tags serving as retrieval routing.
Installation is a single command: npx skills add mukul975/Anthropic-Cybersecurity-Skills. For teams needing offline access, git clone works equally well.
Real-World Impact: Closing the 4.8M Workforce Gap
The practical implication is that a single AI agent, equipped with these 817 playbooks, can operate at the level of an analyst with years of experience. When a SOC analyst asks an agent to analyze a memory dump for credential theft, the agent scans the skill library, identifies 12 relevant matches, loads the top three (memory forensics, LSASS dumping, event log analysis), and executes the structured workflows step by step — mapping findings to ATT&CK T1003 as it goes.
This capability arrives at a crucial moment. The agent economy is rapidly maturing, with payment rails and infrastructure being built to support autonomous AI workers. Meanwhile, open-source agentic systems are exploding in popularity across domains. The cybersecurity skills library brings this same agentic paradigm to security operations — arguably the domain that needs it most urgently.
MITRE F3: Fraud-Fighting Gets Its Own Framework
The addition of MITRE Fight Fraud (F3) v1.1 in the latest release is significant. Co-developed by JPMorganChase, Citigroup, and CrowdStrike, F3 fills a gap that MITRE ATT&CK has historically left open: what happens after initial compromise. F3 introduces two new tactics — Positioning (FA0001) and Monetization (FA0002) — that cover the fraud lifecycle post-breach. With 123 fraud-specific techniques mapped across 94 skills, this makes the library directly relevant for financial services compliance.
Colorado’s AI Act, passed in February 2026, provides a legal safe harbor for organizations complying with NIST AI RMF — and since every skill in the library maps to AI RMF subcategories, using these playbooks also strengthens regulatory compliance posture.
Validation and Quality Assurance
The library isn’t just crowdsourced content. Every skill includes a validate-skill.py pipeline that enforces required fields, and all pull requests undergo technical accuracy review within 48 hours. The MITRE ATT&CK v19.1 mappings are validated via mitreattack-python and contain zero revoked or deprecated IDs — a level of quality assurance rarely seen in open-source security projects.
The AI harness engineering paradigm — where structured tools and skills bridge the gap between raw model capability and real-world application — is precisely what this library embodies. It’s not about making AI smarter; it’s about giving AI the right structured knowledge to apply what it already knows.
How to Get Started
Getting started takes less than a minute:
1. Install the skills: npx skills add mukul975/Anthropic-Cybersecurity-Skills
2. Point your AI agent at the skills/ directory — Claude Code, Cursor, Copilot, and Codex CLI all auto-detect agentskills.io format
3. Try a security prompt like “Analyze this network capture for signs of C2 traffic” — your agent will scan the library and load the relevant playbook automatically
For teams already using agent-driven development workflows, the library plugs directly into existing toolchains. The community-driven validation ensures skills stay current as frameworks evolve — and with Apache 2.0 licensing, organizations can fork and customize playbooks for internal use without restriction.
The ongoing AI security landscape makes clear that the intersection of AI and cybersecurity will define the next decade of technology. With 817 structured playbooks, six-framework mapping, and zero-config compatibility with 26+ platforms, Anthropic Cybersecurity Skills is turning that promise into practice — one playbook at a time.
Frequently Asked Questions
What is Anthropic Cybersecurity Skills?
It is the largest open-source library of 817 structured cybersecurity playbooks for AI agents, built on the agentskills.io standard. Each skill maps to six industry frameworks including MITRE ATT&CK, NIST CSF 2.0, and NIST AI RMF. It is a community project by Mahipal Jangra, not affiliated with Anthropic PBC.
How many skills and frameworks does it cover?
Version 1.3.0 includes 817 skills across 29 security domains, mapped to six frameworks: MITRE ATT&CK v19.1, NIST CSF 2.0, MITRE ATLAS v5.4, MITRE D3FEND v1.3, NIST AI RMF 1.0, and MITRE Fight Fraud (F3) v1.1.
Which AI platforms support these skills?
The skills work with Claude Code, GitHub Copilot, OpenAI Codex CLI, Cursor, Gemini CLI, Hermes Agent, and over 20 additional platforms that support the agentskills.io standard. Agent orchestration frameworks like LangChain and CrewAI can also mount them as tool descriptions.
How do AI agents use these playbooks efficiently?
Through progressive disclosure: agents scan all 817 skill frontmatters in a single pass (~30 tokens each) to identify relevant matches, then load only the matching playbooks at full depth (500-2,000 tokens each). This preserves context window budget while maintaining comprehensive coverage.
Is this project affiliated with Anthropic PBC?
No. This is a community-led open-source project by Mahipal Jangra (mukul975). Despite the name, it is not officially affiliated with Anthropic PBC. It is released under the Apache 2.0 license and has received over 21,000 GitHub stars.
Featured image generated using AI. Anthropic Cybersecurity Skills is a community project by Mahipal Jangra, not affiliated with Anthropic PBC.
This article was originally published on TekMag.
Disclaimer: This is a community-led project under Apache 2.0 licensing, not officially affiliated with Anthropic PBC.