---
id: concept:cybersec-skill-library
type: concept
title: Cybersecurity Skill Library
status: active
confidence: 0.85
sources:
  - 2026-05-09-cybersec-library-overview.md
  - 2026-05-09-cybersec-attack-coverage.md
created: 2026-05-09
updated: 2026-05-09
updated_log:
  - 2026-05-09: created
tiers: semantic
half_life_days: 180
tags: [library, agentskills, foundation]
---

# Cybersecurity Skill Library

## Summary

The [Anthropic-Cybersecurity-Skills](https://github.com/mukul975/Anthropic-Cybersecurity-Skills) library is the largest open-source cybersecurity skills library for AI agents — a structured knowledge base that gives any [[concept:agentskills-io-standard]]-compatible agent the practitioner playbooks of a senior security analyst. It contains 754 production-grade skills spanning 26 security domains, each cross-mapped to 5 industry frameworks ([[framework:mitre-attack]], [[framework:nist-csf-20]], [[framework:mitre-atlas]], [[framework:mitre-d3fend]], [[framework:nist-ai-rmf]]). Clone it, point an agent at it, and your next investigation gets expert-level guidance in seconds.

## Claims

- The library contains 754 production-grade cybersecurity skills spanning 26 security domains, all under the Apache-2.0 license. `[src: raw/2026-05-09-cybersec-library-overview.md] {conf: 0.9}`
- Every skill is mapped to all five industry frameworks (MITRE ATT&CK, NIST CSF 2.0, MITRE ATLAS, MITRE D3FEND, NIST AI RMF), making it the only open-source skills library with unified cross-framework coverage. `[src: raw/2026-05-09-cybersec-library-overview.md] {conf: 0.85}`
- It exists to fill the AI-agent knowledge gap — generic LLMs lack the structured decision-making workflow a senior analyst follows (when to use a technique, prerequisites, step-by-step execution, verification). The library encodes real practitioner workflows, not generated summaries. `[src: raw/2026-05-09-cybersec-library-overview.md] {conf: 0.8}`
- Each skill costs ~30 tokens to scan (frontmatter only) and 500–2,000 tokens to fully load — progressive disclosure that lets agents search all 754 skills in a single pass without blowing context windows. `[src: raw/2026-05-09-cybersec-library-overview.md] {conf: 0.8}`
- The largest domains are Cloud Security (60 skills), Threat Hunting (55), Threat Intelligence (50), Web App Security (42), and Network Security (40); the smallest are Deception Technology (2) and Compliance & Governance (5). `[src: raw/2026-05-09-cybersec-library-overview.md] {conf: 0.85}`
- v1.0.0 (March 11, 2026) shipped with 734 skills + ATT&CK and NIST CSF mappings; the library has grown to 754 skills on `main` with ATLAS, D3FEND, and AI RMF added post-release. `[src: raw/2026-05-09-cybersec-library-overview.md] {conf: 0.8}`
- The library covers 291 unique MITRE ATT&CK techniques across all 14 Enterprise tactics (149 parent techniques + 142 sub-techniques). `[src: raw/2026-05-09-cybersec-attack-coverage.md] {conf: 0.85}`

## Relationships

- composes → [[concept:agentskills-io-standard]] `{conf: 0.85}`
- maps-to → [[framework:mitre-attack]] `{conf: 0.9}`
- maps-to → [[framework:nist-csf-20]] `{conf: 0.85}`
- maps-to → [[framework:mitre-atlas]] `{conf: 0.6}`
- maps-to → [[framework:mitre-d3fend]] `{conf: 0.6}`
- maps-to → [[framework:nist-ai-rmf]] `{conf: 0.6}`
- uses → [[pattern:installing-skills]] `{conf: 0.8}`

## Open questions

- [ ] Which specific skills span all 5 frameworks vs. only a subset? The README example (`analyzing-network-traffic-of-malware`) is the only fully mapped example in the raw sources.

## Changelog

- 2026-05-09 — created
