Security specialty

Threat Intelligence

Browse every cataloged workflow for threat intelligence, with source context, tags, and security framework mappings intact.

Complete collection

Skills in this domain

52 skills

cybersecuritySkill

Analyzing APT Group with MITRE ATT&CK Navigator

Analyze advanced persistent threat (APT) group techniques using MITRE ATT&CK Navigator to create layered heatmaps of adversary TTPs for detection gap analysis and threat-informed defense.

Threat Intelligence
aptdetection-gapheatmapmitre-attack+4
ATT&CK, 6 mappingsNIST CSF, 4 mappingsD3FEND, 5 mappings
cybersecuritySkill

Analyzing Campaign Attribution Evidence

Campaign attribution analysis involves systematically evaluating evidence to determine which threat actor or group is responsible for a cyber operation. This skill covers collecting and weighting attribution indicators using the Diamond Model and ACH (Analysis of Competing Hypotheses), analyzing infrastructure overlaps, TTP consistency, malware code similarities, operational timing patterns, and language artifacts to build confidence-weighted attribution assessments.

Threat Intelligence
attributioncampaign-analysisctiioc+3
ATT&CK, 4 mappingsNIST CSF, 4 mappings
cybersecuritySkill

Analyzing Certificate Transparency for Phishing

Monitor Certificate Transparency logs using crt.sh and Certstream to detect phishing domains, lookalike certificates, and unauthorized certificate issuance targeting your organization.

Threat Intelligence
certificate-transparencycertstreamcrt-shct-logs+4
ATT&CK, 5 mappingsNIST CSF, 4 mappingsATLAS, 1 mapping
cybersecuritySkill

Analyzing Cyber Kill Chain

Analyzes intrusion activity against the Lockheed Martin Cyber Kill Chain framework to identify which phases an adversary has completed, where defenses succeeded or failed, and what controls would have interrupted the attack at earlier phases. Use when conducting post-incident analysis, building prevention-focused security controls, or mapping detection gaps to kill chain phases. Activates for requests involving kill chain analysis, intrusion kill chain, attack phase mapping, or Lockheed Martin kill chain framework.

Threat Intelligence
defense-in-depthintrusion-analysiskill-chainlockheed-martin+2
ATT&CK, 6 mappingsNIST CSF, 4 mappings
cybersecuritySkill

Analyzing Indicators of Compromise

Analyzes indicators of compromise (IOCs) including IP addresses, domains, file hashes, URLs, and email artifacts to determine maliciousness confidence, campaign attribution, and blocking priority. Use when triaging IOCs from phishing emails, security alerts, or external threat feeds; enriching raw IOCs with multi-source intelligence; or making block/monitor/whitelist decisions. Activates for requests involving VirusTotal, AbuseIPDB, MalwareBazaar, MISP, or IOC enrichment pipelines.

Threat Intelligence
abuseipdbiocmalwarebazaarmisp+4
ATT&CK, 4 mappingsNIST CSF, 4 mappingsATLAS, 1 mapping
cybersecuritySkill

Analyzing Malware Family Relationships with Malpedia

Use the Malpedia platform and API to research malware family relationships, track variant evolution, link families to threat actors, and integrate YARA rules for detection across malware lineages.

Threat Intelligence
malpediamalware-familymalware-intelligencemalware-tracking+4
ATT&CK, 3 mappingsNIST CSF, 4 mappings
cybersecuritySkill

Analyzing Ransomware Leak Site Intelligence

Monitor and analyze ransomware group data leak sites (DLS) to track victim postings, extract threat intelligence on group tactics, and assess sector-specific ransomware risk for proactive defense.

Threat Intelligence
data-leakdlsextortionleak-site+4
ATT&CK, 4 mappingsNIST CSF, 4 mappings
cybersecuritySkill

Analyzing Threat Actor TTPs with MITRE ATT&CK

MITRE ATT&CK is a globally-accessible knowledge base of adversary tactics, techniques, and procedures (TTPs) based on real-world observations. This skill covers systematically mapping threat actor behavior to the ATT&CK framework, building technique coverage heatmaps using the ATT&CK Navigator, identifying detection gaps, and producing actionable intelligence reports that link observed IOCs to specific adversary techniques across the Enterprise, Mobile, and ICS matrices.

Threat Intelligence
ctiiocmitre-attackstix+3
ATT&CK, 6 mappingsNIST CSF, 4 mappingsD3FEND, 5 mappings
cybersecuritySkill

Analyzing Threat Actor TTPs with MITRE Navigator

Map advanced persistent threat (APT) group tactics, techniques, and procedures (TTPs) to the MITRE ATT&CK framework using the ATT&CK Navigator and attackcti Python library. The analyst queries STIX/TAXII data for group-technique associations, generates Navigator layer files for visualization, and compares defensive coverage against adversary profiles. Activates for requests involving APT TTP mapping, ATT&CK Navigator layers, threat actor profiling, or MITRE technique coverage analysis.

Threat Intelligence
aptattackctimitre-attacknavigator+3
ATT&CK, 5 mappingsNIST CSF, 4 mappingsATLAS, 3 mappingsD3FEND, 5 mappingsAI RMF, 3 mappings
cybersecuritySkill

Analyzing Threat Intelligence Feeds

Analyzes structured and unstructured threat intelligence feeds to extract actionable indicators, adversary tactics, and campaign context. Use when ingesting commercial or open-source CTI feeds, evaluating feed quality, normalizing data into STIX 2.1 format, or enriching existing IOCs with campaign attribution. Activates for requests involving ThreatConnect, Recorded Future, Mandiant Advantage, MISP, AlienVault OTX, or automated feed aggregation pipelines.

Threat Intelligence
ctiiocmispmitre-att&ck+5
ATT&CK, 5 mappingsNIST CSF, 4 mappings
cybersecuritySkill

Analyzing Threat Landscape with MISP

Analyze the threat landscape using MISP (Malware Information Sharing Platform) by querying event statistics, attribute distributions, threat actor galaxy clusters, and tag trends over time. Uses PyMISP to pull event data, compute IOC type breakdowns, identify top threat actors and malware families, and generate threat landscape reports with temporal trends.

Threat Intelligence
ctiioc-analysismispthreat-intelligence+2
ATT&CK, 5 mappingsNIST CSF, 4 mappingsD3FEND, 5 mappings
cybersecuritySkill

Analyzing Typosquatting Domains with DNSTwist

Detect typosquatting, homograph phishing, and brand impersonation domains using dnstwist to generate domain permutations and identify registered lookalike domains targeting your organization.

Threat Intelligence
brand-protectiondnsdnstwistdomain-monitoring+4
ATT&CK, 4 mappingsNIST CSF, 4 mappingsATLAS, 2 mappings
cybersecuritySkill

Auditing TLS Certificate Transparency Logs

Monitors Certificate Transparency (CT) logs to detect unauthorized certificate issuance, discover subdomains via CT data, and alert on suspicious certificate activity for owned domains. Uses the crt.sh API and direct CT log querying based on RFC 6962 to build continuous monitoring pipelines that catch rogue certificates, track CA behavior, and map the external attack surface. Activates for requests involving certificate transparency monitoring, CT log auditing, subdomain discovery via certificates, or certificate issuance alerting.

Threat Intelligence
certificate-transparencycrt-shct-logsrfc-6962+2
ATT&CK, 5 mappingsNIST CSF, 4 mappings
cybersecuritySkill

Automating IOC Enrichment

Automates the enrichment of raw indicators of compromise with multi-source threat intelligence context using SOAR platforms, Python pipelines, or TIP playbooks to reduce analyst triage time and standardize enrichment outputs. Use when building automated enrichment workflows integrated with SIEM alerts, email submission pipelines, or bulk IOC processing from threat feeds. Activates for requests involving SOAR enrichment, Cortex XSOAR, Splunk SOAR, TheHive, Python enrichment pipelines, or automated IOC processing.

Threat Intelligence
automationcortex-xsoarctienrichment+5
ATT&CK, 5 mappingsNIST CSF, 4 mappings
cybersecuritySkill

Building Adversary Infrastructure Tracking System

Build an automated system to track adversary infrastructure using passive DNS, certificate transparency, WHOIS data, and IP enrichment to map and monitor threat actor command-and-control networks.

Threat Intelligence
c2domain-analysisinfrastructure-trackingpassive-dns+4
ATT&CK, 7 mappingsNIST CSF, 4 mappings
cybersecuritySkill

Building Attack Pattern Library from CTI Reports

Extract and catalog attack patterns from cyber threat intelligence reports into a structured STIX-based library mapped to MITRE ATT&CK for detection engineering and threat-informed defense.

Threat Intelligence
attack-patterncti-reportsdetection-engineeringextraction+4
ATT&CK, 9 mappingsNIST CSF, 4 mappingsD3FEND, 5 mappings
cybersecuritySkill

Building IOC Defanging and Sharing Pipeline

Build an automated pipeline to defang indicators of compromise (URLs, IPs, domains, emails) for safe sharing and distribute them in STIX format through TAXII feeds and threat intelligence platforms.

Threat Intelligence
automationdefangingindicatorioc+4
ATT&CK, 4 mappingsNIST CSF, 4 mappings
cybersecuritySkill

Building IOC Enrichment Pipeline with OpenCTI

OpenCTI is an open-source platform for managing cyber threat intelligence knowledge, built on STIX 2.1 as its native data model. This skill covers building an automated IOC enrichment pipeline using OpenCTI's connector ecosystem to enrich indicators with context from VirusTotal, Shodan, AbuseIPDB, GreyNoise, and other sources. The pipeline automatically enriches newly ingested indicators, correlates them with known threat actors and campaigns, and scores them for analyst prioritization.

Threat Intelligence
ctienrichmentiocmitre-attack+4
ATT&CK, 6 mappingsNIST CSF, 4 mappings
cybersecuritySkill

Building Threat Actor Profile from OSINT

Build comprehensive threat actor profiles using open-source intelligence (OSINT) techniques to document adversary motivations, capabilities, infrastructure, and TTPs for proactive defense.

Threat Intelligence
attributionmaltegoosintreconnaissance+4
ATT&CK, 5 mappingsNIST CSF, 4 mappings
cybersecuritySkill

Building Threat Feed Aggregation with MISP

Deploy MISP (Malware Information Sharing Platform) to aggregate, correlate, and distribute threat intelligence feeds from multiple sources for centralized IOC management and automated SIEM integration.

Threat Intelligence
aggregationcorrelationindicatormisp+4
ATT&CK, 3 mappingsNIST CSF, 4 mappings
cybersecuritySkill

Building Threat Intelligence Platform

Building a Threat Intelligence Platform (TIP) involves deploying and integrating multiple CTI tools into a unified system for collecting, analyzing, enriching, and disseminating threat intelligence. This skill covers designing TIP architecture using open-source tools (MISP, OpenCTI, TheHive, Cortex), configuring feed ingestion pipelines, establishing enrichment workflows, implementing STIX/TAXII interoperability, and building analyst dashboards for CTI operations.

Threat Intelligence
ctiiocmispmitre-attack+4
ATT&CK, 3 mappingsNIST CSF, 4 mappings
cybersecuritySkill

Collecting Open-Source Intelligence

Collects and synthesizes open-source intelligence (OSINT) about threat actors, malicious infrastructure, and attack campaigns using publicly available data sources, passive reconnaissance tools, and dark web monitoring. Use when investigating external threat actor infrastructure, performing pre-engagement reconnaissance for authorized red team assessments, or enriching CTI reports with publicly available adversary context. Activates for requests involving Maltego, Shodan, OSINT framework, SpiderFoot, or infrastructure reconnaissance.

Threat Intelligence
att&ck-t1591maltegonist-csfosint+4
ATT&CK, 5 mappingsNIST CSF, 4 mappings
cybersecuritySkill

Collecting Threat Intelligence with MISP

MISP (Malware Information Sharing Platform) is an open-source threat intelligence platform for gathering, sharing, storing, and correlating Indicators of Compromise (IOCs) of targeted attacks, threat intelligence, financial fraud information, vulnerability information, or counter-terrorism information. This skill covers deploying MISP, configuring threat feeds, using the PyMISP API for programmatic access, and building automated collection pipelines that aggregate IOCs from multiple community and commercial sources.

Threat Intelligence
ctiiocmispmitre-attack+4
ATT&CK, 5 mappingsNIST CSF, 4 mappings
cybersecuritySkill

Correlating Threat Campaigns

Correlates disparate security incidents, IOCs, and adversary behaviors across time and organizations to identify unified threat campaigns, attribute them to common threat actors, and extract shared indicators for improved detection. Use when multiple incidents exhibit overlapping indicators, when sector-wide attack campaigns require cross-organizational analysis, or when building campaign-level intelligence products. Activates for requests involving campaign analysis, incident clustering, cross-organizational IOC correlation, or MISP correlation engine.

Threat Intelligence
att&ckcampaign-analysisclusteringcorrelation+4
ATT&CK, 5 mappingsNIST CSF, 4 mappings
cybersecuritySkill

Evaluating Threat Intelligence Platforms

Evaluates and selects Threat Intelligence Platform (TIP) products based on organizational requirements including feed integration capability, STIX/TAXII support, workflow automation, analyst interface, and total cost of ownership. Use when conducting a TIP procurement, migrating between TIP solutions, or assessing whether the current TIP meets program maturity requirements. Activates for requests involving ThreatConnect, MISP, OpenCTI, Anomali, EclecticIQ, or TIP procurement decisions.

Threat Intelligence
anomalicti-programeclecticiqmisp+5
ATT&CK, 4 mappingsNIST CSF, 4 mappings
cybersecuritySkill

Generating Threat Intelligence Reports

Generates structured cyber threat intelligence reports at strategic, operational, and tactical levels tailored to specific audiences including executives, security operations teams, and technical analysts. Use when producing finished intelligence products from raw collection data, creating sector threat briefings, or delivering post-incident intelligence assessments. Activates for requests involving CTI report writing, threat briefings, intelligence products, finished intelligence, or executive security reporting.

Threat Intelligence
ctiintelligence-productsnist-csfpir+3
ATT&CK, 5 mappingsNIST CSF, 4 mappings
cybersecuritySkill

Hunting Advanced Persistent Threats

Proactively hunts for Advanced Persistent Threat (APT) activity within enterprise environments using hypothesis-driven searches across endpoint telemetry, network logs, and memory artifacts. Use when conducting scheduled threat hunting cycles, investigating anomalous behavior flagged by UEBA, or validating that known APT TTPs are not present in the environment. Activates for requests involving MITRE ATT&CK, Velociraptor, osquery, Zeek, or threat hunting playbooks.

Threat Intelligence
aptedrmitre-att&cknist-csf+5
ATT&CK, 12 mappingsNIST CSF, 4 mappingsD3FEND, 5 mappings
cybersecuritySkill

Implementing Diamond Model Analysis

The Diamond Model of Intrusion Analysis provides a structured framework for analyzing cyber intrusions by examining four core features - Adversary, Capability, Infrastructure, and Victim. This skill covers implementing the Diamond Model programmatically to classify and correlate intrusion events, build activity threads, and generate pivot-ready intelligence.

Threat Intelligence
ctidiamond-modelintrusion-analysisioc+3
ATT&CK, 5 mappingsNIST CSF, 4 mappings
cybersecuritySkill

Implementing Security Information Sharing with STIX 2.1

Create, validate, and share STIX 2.1 threat intelligence objects using the stix2 Python library. Covers indicators, malware, campaigns, relationships, bundles, and TAXII 2.1 publishing.

Threat Intelligence
intelligence-exchangestixtaxiithreat-sharing
ATT&CK, 5 mappingsNIST CSF, 4 mappingsD3FEND, 5 mappings
cybersecuritySkill

Implementing STIX/TAXII Feed Integration

STIX (Structured Threat Information eXpression) and TAXII (Trusted Automated eXchange of Intelligence Information) are OASIS open standards for representing and transporting cyber threat intelligence. This skill covers implementing a STIX/TAXII 2.1 feed consumer and producer using Python, configuring TAXII server discovery, collection management, polling for new intelligence, parsing STIX 2.1 objects, and integrating feeds into SIEM and TIP platforms.

Threat Intelligence
ctifeed-integrationiocmitre-attack+4
ATT&CK, 4 mappingsNIST CSF, 4 mappings
cybersecuritySkill

Implementing TAXII Server with OpenTAXII

Deploy and configure an OpenTAXII server to share and consume STIX-formatted cyber threat intelligence using the TAXII 2.1 protocol for automated indicator exchange between organizations.

Threat Intelligence
automationctiindicator-exchangeopentaxii+4
ATT&CK, 4 mappingsNIST CSF, 4 mappings
cybersecuritySkill

Implementing Threat Intelligence Lifecycle Management

Implement a structured threat intelligence lifecycle encompassing planning, collection, processing, analysis, dissemination, and feedback stages to produce actionable intelligence for organizational decision-making.

Threat Intelligence
analysiscollectioncti-programdissemination+4
ATT&CK, 5 mappingsNIST CSF, 4 mappings
cybersecuritySkill

Managing Intelligence Lifecycle

Manages the end-to-end cyber threat intelligence lifecycle from planning and direction through collection, processing, analysis, dissemination, and feedback to ensure intelligence products meet stakeholder requirements and continuously improve. Use when establishing or maturing a CTI program, defining intelligence requirements with business stakeholders, or building feedback loops between intelligence consumers and producers. Activates for requests involving CTI program maturity, intelligence requirements, PIRs, or intelligence lifecycle management.

Threat Intelligence
ctiintelligence-lifecyclenist-csfnist-sp-800-150+2
ATT&CK, 4 mappingsNIST CSF, 4 mappings
cybersecuritySkill

Mapping MITRE ATT&CK Techniques

Maps observed adversary behaviors, security alerts, and detection rules to MITRE ATT&CK techniques and sub-techniques to quantify detection coverage and guide control prioritization. Use when building an ATT&CK-based coverage heatmap, tagging SIEM alerts with technique IDs, aligning security controls to adversary playbooks, or reporting threat exposure to executives. Activates for requests involving ATT&CK Navigator, Sigma rules, MITRE D3FEND, or coverage gap analysis.

Threat Intelligence
att&ck-navigatord3fenddetection-engineeringmitre-att&ck+3
ATT&CK, 6 mappingsNIST CSF, 4 mappingsATLAS, 3 mappingsD3FEND, 5 mappingsAI RMF, 3 mappings
cybersecuritySkill

Modeling Threats with OpenCTI

Model threat actors, intrusion sets, campaigns, and TTPs as a STIX 2.1 knowledge graph in OpenCTI (Filigran) using the pycti Python client, connectors, and import workers for structured cyber threat intelligence.

Threat Intelligence
ctiknowledge-graphmitre-attackopencti+4
ATT&CK, 1 mappingNIST CSF, 1 mapping
cybersecuritySkill

Monitoring Dark Web Sources

Monitors dark web forums, marketplaces, paste sites, and ransomware leak sites for mentions of organizational assets, leaked credentials, threatened attacks, and threat actor communications to provide early warning intelligence. Use when establishing dark web monitoring coverage, investigating specific data breach claims, or enriching incident investigations with dark web context. Activates for requests involving dark web OSINT, leak site monitoring, credential exposure, Recorded Future dark web, or Tor hidden service intelligence.

Threat Intelligence
credential-monitoringctidark-webosint+3
ATT&CK, 5 mappingsNIST CSF, 4 mappingsATLAS, 3 mappingsAI RMF, 3 mappings
cybersecuritySkill

Operationalizing MISP Threat Feeds

Run MISP, curate feeds, and auto-generate detections for Wazuh, Sigma, and Suricata.

Threat Intelligence
detection-engineeringiocmisppymisp+4
ATT&CK, 4 mappingsNIST CSF, 1 mapping
cybersecuritySkill

Performing AI-Driven OSINT Correlation

Use AI and LLM-based reasoning to correlate findings across multiple OSINT sources—username enumeration, email lookups, social media profiles, domain records, breach databases, and dark-web mentions—into unified intelligence profiles with confidence scoring and link analysis.

Threat Intelligence
ai-correlationlink-analysismaltegoosint+6
ATT&CK, 5 mappingsNIST CSF, 4 mappingsATLAS, 3 mappingsD3FEND, 5 mappingsAI RMF, 4 mappings
cybersecuritySkill

Performing Brand Monitoring for Impersonation

Monitor for brand impersonation attacks across domains, social media, mobile apps, and dark web channels to detect phishing campaigns, fake sites, and unauthorized brand usage targeting your organization.

Threat Intelligence
brand-monitoringbrand-protectiondomain-monitoringimpersonation+3
ATT&CK, 5 mappingsNIST CSF, 4 mappings
cybersecuritySkill

Performing Dark Web Monitoring for Threats

Dark web monitoring involves systematically scanning Tor hidden services, underground forums, paste sites, and dark web marketplaces to identify threats targeting an organization, including leaked credentials, data breaches, threat actor discussions, vulnerability exploitation tools, and planned attacks. This skill covers setting up monitoring infrastructure, using Tor-based collection tools, implementing automated alerting for brand mentions and credential leaks, and analyzing dark web intelligence for actionable threat indicators.

Threat Intelligence
ctidark-webiocmitre-attack+4
ATT&CK, 7 mappingsNIST CSF, 4 mappings
cybersecuritySkill

Performing Indicator Lifecycle Management

Indicator lifecycle management tracks IOCs from initial discovery through validation, enrichment, deployment, monitoring, and eventual retirement. This skill covers implementing systematic processes for IOC quality assessment, aging policies, confidence scoring decay, false positive tracking, hit-rate monitoring, and automated expiration to maintain a high-quality, actionable indicator database that minimizes analyst fatigue and maximizes detection efficacy.

Threat Intelligence
ctiindicator-lifecycleiocioc-management+3
ATT&CK, 4 mappingsNIST CSF, 4 mappings
cybersecuritySkill

Performing IP Reputation Analysis with Shodan

Analyze IP address reputation using the Shodan API to identify open ports, running services, known vulnerabilities, and hosting context for threat intelligence enrichment and incident triage.

Threat Intelligence
apienrichmentinternet-scanningip-reputation+4
ATT&CK, 5 mappingsNIST CSF, 4 mappings
cybersecuritySkill

Performing Malware Hash Enrichment with VirusTotal

Enrich malware file hashes using the VirusTotal API to retrieve detection rates, behavioral analysis, YARA matches, and contextual threat intelligence for incident triage and IOC validation.

Threat Intelligence
apidetectionhash-enrichmentioc+4
ATT&CK, 5 mappingsNIST CSF, 4 mappings
cybersecuritySkill

Performing Malware IOC Extraction

Malware IOC extraction is the process of analyzing malicious software to identify actionable indicators of compromise including file hashes, network indicators (C2 domains, IP addresses, URLs), registry modifications, mutex names, embedded strings, and behavioral artifacts. This skill covers static analysis with PE parsing and string extraction, dynamic analysis with sandbox detonation, automated IOC extraction using tools like YARA, and formatting results as STIX 2.1 indicators for sharing.

Threat Intelligence
ctiiocmalware-analysismitre-attack+4
ATT&CK, 6 mappingsNIST CSF, 4 mappings
cybersecuritySkill

Performing OSINT with SpiderFoot

Automate OSINT collection using SpiderFoot REST API and CLI for target profiling, module-based reconnaissance, and structured result analysis across 200+ data sources

Threat Intelligence
attack-surfaceosintreconnaissancespiderfoot+2
ATT&CK, 5 mappingsNIST CSF, 4 mappings
cybersecuritySkill

Performing Paste Site Monitoring for Credentials

Monitor paste sites like Pastebin and GitHub Gists for leaked credentials, API keys, and sensitive data dumps using automated scraping and keyword matching to detect breaches early.

Threat Intelligence
credential-leakdata-breachearly-warningosint+3
ATT&CK, 5 mappingsNIST CSF, 4 mappings
cybersecuritySkill

Performing Threat Emulation with Atomic Red Team

Executes Atomic Red Team tests for MITRE ATT&CK technique validation using the atomic-operator Python framework. Loads test definitions from YAML atomics, runs attack simulations, and validates detection coverage. Use when testing SIEM detection rules, validating EDR coverage, or conducting purple team exercises.

Threat Intelligence
adversary-emulationatomic-operatoratomic-red-teammitre-attack+2
ATT&CK, 12 mappingsNIST CSF, 4 mappingsATLAS, 3 mappingsD3FEND, 5 mappingsAI RMF, 3 mappings
cybersecuritySkill

Performing Threat Intelligence Sharing with MISP

Use PyMISP to create, enrich, and share threat intelligence events on a MISP platform, including IOC management, feed integration, STIX export, and community sharing workflows.

Threat Intelligence
information-sharingioc-sharingmisppymisp+4
ATT&CK, 5 mappingsNIST CSF, 4 mappings
cybersecuritySkill

Performing Threat Landscape Assessment for Sector

Conduct a sector-specific threat landscape assessment by analyzing threat actor targeting patterns, common attack vectors, and industry-specific vulnerabilities to inform organizational risk management.

Threat Intelligence
ctiindustry-targetingrisk-assessmentsector-analysis+3
ATT&CK, 5 mappingsNIST CSF, 4 mappingsD3FEND, 5 mappings
cybersecuritySkill

Processing STIX/TAXII Feeds

Processes STIX 2.1 threat intelligence bundles delivered via TAXII 2.1 servers, normalizing objects into platform-native schemas and routing them to appropriate consuming systems. Use when onboarding new TAXII collection endpoints, automating bi-directional intelligence sharing with ISACs, or building pipeline validation for malformed STIX bundles. Activates for requests involving OASIS STIX, TAXII server configuration, MISP TAXII, or Cortex XSOAR feed integrations.

Threat Intelligence
ctiiocmispnist-sp-800-150+4
ATT&CK, 4 mappingsNIST CSF, 4 mappings
cybersecuritySkill

Profiling Threat Actor Groups

Develops comprehensive threat actor profiles for APT groups, criminal organizations, and hacktivist collectives by aggregating TTP documentation, historical campaign data, tooling fingerprints, and attribution indicators from multiple intelligence sources. Use when briefing executives on sector-specific threats, updating threat model assumptions, or prioritizing defensive controls against specific adversaries. Activates for requests involving MITRE ATT&CK Groups, Mandiant APT profiles, CrowdStrike adversary naming, or sector-specific threat briefings.

Threat Intelligence
aptattributioncrowdstrikekill-chain+4
ATT&CK, 5 mappingsNIST CSF, 4 mappings
cybersecuritySkill

Tracking Threat Actor Infrastructure

Threat actor infrastructure tracking involves monitoring and mapping adversary-controlled assets including command-and-control (C2) servers, phishing domains, exploit kit hosts, bulletproof hosting, and staging servers. This skill covers using passive DNS, certificate transparency logs, Shodan/Censys scanning, WHOIS analysis, and network fingerprinting to discover, track, and pivot across threat actor infrastructure over time.

Threat Intelligence
censysctiinfrastructure-trackingioc+5
ATT&CK, 5 mappingsNIST CSF, 4 mappings