Apply the NATO Admiralty System (AJP-2.1) to assess source reliability and information credibility in cyber threat intelligence, OSINT, and breach analysis. Use this skill whenever you need to evaluate a CTI report, breach claim, dark web forum post, threat actor advertisement, vendor blog, social media intel claim, leaked database listing, or any source plus information pair where trust matters. Trigger phrases include "assess this source", "rate this report", "is this breach real", "evaluate credibility", "source assessment", "should I trust this claim", "admiralty rating", "A1 to F6", and any review of CTI or OSINT material where you need to decide how much weight to give it. Use proactively when the user shares a breach post, threat actor claim, or vendor report and asks for analysis, even if they do not explicitly mention the Admiralty System. Also use when teaching, building courseware, or producing a training example around source evaluation.
Build structured threat actor profiles using the 5W1H framework and the Diamond Model. Use this skill whenever the user wants to profile a threat actor, create a TA report, analyze an APT group, build an adversary profile, assess threat actor capability, map TTPs to MITRE ATT&CK for a specific group, or produce any intelligence deliverable about a threat actor. Also trigger when the user mentions threat actor names (e.g. APT29, Lazarus, FIN7), asks about victimology, modus operandi, or wants to structure threat intelligence around an adversary. This skill applies to both internal tracking profiles and incident-driven analytical deliverables.
Help users write, validate, and troubleshoot osquery SQL queries using provided osquery table schemas as the authoritative source.
Professional malware analysis workflow for PE executables and suspicious files. Triggers on file uploads with requests like "analyze this malware", "analyze this sample", "what does this executable do", "check this file for malware", or any request to examine suspicious files. Performs static analysis, threat intelligence triage, behavioral inference, and produces analyst-grade reports with reasoned conclusions.
Analyse Mitre ATT&CK tactics, techniques and sub-techniques. Use when performing analysis of threat detections, threat models, security risks or cyber threat intelligence
Create a targeted intrusion timeline for a Windows incident using whatever artifacts are available (event logs, EDR, SIEM exports, triage notes).
Hypothesis-driven hunt plan for suspicious PowerShell, plus query snippets for common telemetry.
First-hour intake checklist + questions that produce an actionable scope and evidence plan.