
Anthropic Cybersecurity Skills: 754 structured skills for AI agents mapped to major frameworks

May 29, 2026 · Edited by Oleksandr Kuzmenko

A new open-source repository provides 754 structured cybersecurity skills for AI agents, mapped to five major industry frameworks, including MITRE ATT&CK and NIST. This structured knowledge base allows agents to perform precise security tasks, from threat hunting to compliance checks, by translating high-level prompts into specific, actionable steps. It directly addresses the need for reliable, domain-specific agent tooling.

Why it matters

You can immediately use this structured skill set to build more precise and reliable AI agents for security auditing, threat simulation, or compliance automation within your development or infrastructure workflows.

Key takeaways

  • Integrate the 754 pre-defined cybersecurity skills as a prompt library or tool-calling schema to give your AI agent instant domain expertise.
  • Map agent tasks directly to established frameworks (MITRE ATT&CK, NIST) for audits and reports that align with industry standards.
  • Reduce prompt engineering overhead and token waste by referencing skill IDs instead of re-describing complex security procedures.
  • Orchestrate multi-phase security workflows by chaining skills from different categories like Reconnaissance and Detection.

The Anthropic Cybersecurity Skills repository is a structured dataset, not a tool or an application. It breaks down the complex domain of cybersecurity into 754 discrete, executable 'skills' that an AI agent can be prompted to perform. Each skill is mapped to one of five major frameworks: MITRE ATT&CK, NIST Cybersecurity Framework (CSF), NIST Special Publication 800-53, CIS Critical Security Controls, and the Cyber Kill Chain. This mapping is crucial because it grounds the agent's capabilities in established industry standards, moving beyond vague instructions.

For you as a developer building or using agentic systems in Claude Code, Cursor, or via the Claude Agent SDK, this repository acts as a high-quality prompt library and a planning scaffold. Instead of prompting an agent with 'analyze this network for threats,' you can now direct it to 'execute skill ID ATT&CK.TA0002.003: Credential Dumping detection via analysis of Windows Security event logs for specific Event IDs.' This precision reduces hallucination and misalignment, as the agent has a clear, structured definition of the task's goal and boundaries.

The skills are categorized into phases like Reconnaissance, Initial Access, Execution, and Post-Exploitation, mirroring real-world attack lifecycles. This structure enables you to orchestrate multi-step security workflows. You could configure an agent to first run a set of reconnaissance skills, then based on the findings, automatically trigger relevant detection or hardening skills from the NIST or CIS frameworks. This turns a general-purpose coding assistant into a domain-specialized security co-pilot.

Implementing this requires you to integrate the skill definitions—provided in JSON and YAML—into your agent's prompt context or as part of a tool-calling specification. The efficiency gain comes from pre-caching this domain knowledge, so you're not burning tokens repeatedly explaining what 'lateral movement detection' entails. The repository is a foundational component; you combine it with an agent's ability to execute code, query APIs, or analyze logs to bring these skills to life. It exemplifies the move from general AI assistants towards composable, expert skill sets that can be reliably invoked.
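As an added illustration (not code from the repository), the sketch below loads skill definitions from JSON and exposes them to an agent as a single tool whose `skill_id` argument is an enum of the skills allowed in the current workflow phase, so a call with an unknown or out-of-phase ID is refused. The field names, the `EX-` skill IDs and the `run_skill` tool name are assumptions constructed for the example; the tool definition uses the common `name` / `description` / `input_schema` JSON Schema layout.

```python
import json

# Constructed sample records. Field names (id, phase, framework, title) are
# assumptions for illustration, not the repository's actual schema.
SAMPLE_SKILLS = json.loads("""[
  {"id": "EX-RECON-001", "phase": "Reconnaissance", "framework": "MITRE ATT&CK",
   "title": "Enumerate exposed services from an asset inventory"},
  {"id": "EX-DETECT-001", "phase": "Detection", "framework": "NIST CSF",
   "title": "Review Windows Security event logs for credential access"},
  {"id": "EX-HARDEN-001", "phase": "Hardening", "framework": "CIS Controls",
   "title": "Check that unused network services are disabled"}
]""")
REQUIRED = ("id", "phase", "framework", "title")

def load_skills(records):
    """Index skills by ID, rejecting malformed or duplicate entries."""
    index = {}
    for rec in records:
        missing = [k for k in REQUIRED if not isinstance(rec.get(k), str) or not rec[k]]
        if missing:
            raise ValueError(f"skill record missing fields: {missing}")
        if rec["id"] in index:
            raise ValueError(f"duplicate skill id: {rec['id']}")
        index[rec["id"]] = rec
    return index

def build_tool_spec(index, phases):
    """Build one tool definition whose skill_id is limited to the given phases."""
    allowed = sorted(i for i, s in index.items() if s["phase"] in phases)
    if not allowed:
        raise ValueError("no skills match the requested phases")
    catalog = "\n".join(f"{i}: {index[i]['title']}" for i in allowed)
    return {
        "name": "run_skill",  # hypothetical tool name
        "description": "Run one catalogued security skill.\n" + catalog,
        "input_schema": {"type": "object", "required": ["skill_id"],
                         "properties": {"skill_id": {"type": "string", "enum": allowed}}},
    }

def resolve_call(index, spec, call):
    """Map an agent tool call back to its skill, refusing IDs outside the spec."""
    # Re-check server-side: the model's output is untrusted input.
    skill_id = call.get("skill_id")
    if skill_id not in spec["input_schema"]["properties"]["skill_id"]["enum"]:
        raise KeyError(f"skill not permitted in this step: {skill_id!r}")
    return index[skill_id]
```

Building a fresh spec per phase (for example `{"Reconnaissance"}` first, then `{"Detection", "Hardening"}`) keeps each step's context small and makes the permitted skill set explicit and auditable.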

Source: GitHub