Security expertise that scales with your team.
754 structured skills across 28 security domains — purpose-built for Claude Code. Practitioners get AI that thinks in TTPs, not search results.
The Shift
Generic AI fails security teams. Not because the models are weak — because security is a practice, not a text corpus. When a detection engineer asks how to hunt for lateral movement via WMI, they need a workflow grounded in the specific telemetry their stack emits. They get a paragraph from a blog post published in 2021.
The problem is specificity. Security work lives at the intersection of attacker behavior, defender tooling, and organizational context. A prompt like “write a detection for credential dumping” is underspecified by design — the right answer depends on your SIEM, your log sources, and your threat model. Generic AI collapses that complexity into the most common answer.
Practitioners need AI that thinks in TTPs, frameworks, and adversary behavior. That knows the difference between a hunt hypothesis and a detection rule. That can reason about MITRE ATT&CK techniques without being told what ATT&CK is. That treats incident response as a structured methodology, not a list of steps.
That's what structured skills are for. Not RAG over documentation. Not a chatbot that knows your tools exist. A library of verified, opinionated workflows — each one telling Claude Code exactly when to invoke it, what to do, and how to verify the result.
The Methodology
Five maturity levels. Each one is a distinct capability — not a score, not a certification.
Awareness
Knows what questions to ask. Identifies relevant frameworks, names the right threat model, surfaces the gap between what the team knows and what the threat requires.
Guided execution
Follows structured workflows end to end. Runs a vulnerability assessment, writes a detection rule, produces an incident timeline — with verified steps and explicit outputs.
Contextual reasoning
Adapts to environment and threat landscape. Adjusts methodology based on your stack, your log sources, your regulatory constraints. The generic answer is replaced by the right answer.
Adversarial thinking
Models attacker behavior. Generates hunt hypotheses from TTPs. Reasons about attacker objectives, pivots, and evasion without needing the scenario spelled out.
Autonomous operation
Designs detections, hunts independently, produces artifacts. Given a threat, produces a complete detection engineering package — rule, test case, documentation, rollout plan.
754 skills. 28 domains.
About
A personal project built through daily security work. 754 skills across 28 domains, each structured for Claude Code and symlinked into ~/.claude/skills/ so it is always available, in every session.
The library is open-sourced under Apache-2.0. Every skill follows the agentskills.io SKILL.md standard: YAML frontmatter, a description written for skill matching, and a verified workflow. Nothing is generated and shipped without review.
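As an added illustration of the SKILL.md layout described above (YAML frontmatter plus a workflow body), not code from this library or the agentskills.io project, the checker below parses a constructed skill file and flags the review failures a maintainer would care about: the frontmatter `name` and `description` fields, the "use when" phrasing that drives skill matching, and the when/workflow/verify sections. The required field names and section titles are assumptions, not the standard's own wording.

```python
import re

# Constructed sample skill in the SKILL.md layout: YAML frontmatter, then a
# markdown workflow. The hunt topic mirrors the page's WMI example.
SAMPLE_SKILL = """---
name: hunt-wmi-lateral-movement
description: Use when hunting for lateral movement via WMI; needs Sysmon or EDR process telemetry.
---
# Hunt: lateral movement via WMI

## When to use
Suspected remote execution where PsExec-style artefacts are absent.
## Workflow
1. Pull process-creation telemetry where the parent is WmiPrvSE.exe.
2. Pivot on source host, account, and time window.
## Verify
Confirm each hit against change tickets before escalating.
"""

FRONTMATTER_RE = re.compile(r"\A---\n(.*?)\n---\n(.*)\Z", re.DOTALL)
REQUIRED_FIELDS = ("name", "description")            # assumed minimum for matching
REQUIRED_SECTIONS = ("When to use", "Workflow", "Verify")  # assumed section names


def parse_frontmatter(text):
    """Split a SKILL.md into (frontmatter dict, markdown body).
    Only flat `key: value` lines are handled, which is all a skill header needs."""
    m = FRONTMATTER_RE.match(text)
    if not m:
        raise ValueError("missing YAML frontmatter block")
    fields = {}
    for line in m.group(1).splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        key, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed frontmatter line: {line!r}")
        fields[key.strip()] = value.strip()
    return fields, m.group(2)


def validate_skill(text):
    """Return a list of review problems; an empty list means the skill passes."""
    try:
        fields, body = parse_frontmatter(text)
    except ValueError as e:
        return [str(e)]
    problems = [f"frontmatter missing required field: {f}"
                for f in REQUIRED_FIELDS if not fields.get(f)]
    if not re.fullmatch(r"[a-z0-9-]+", fields.get("name", "")):
        problems.append("name should be lowercase kebab-case")
    if "use when" not in fields.get("description", "").lower():
        problems.append("description should say when to invoke the skill")
    for s in REQUIRED_SECTIONS:
        if not re.search(rf"^##\s+{re.escape(s)}\s*$", body, re.MULTILINE):
            problems.append(f"body missing section: ## {s}")
    return problems
```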