profiling-threat-actor-groups▌
mukul975/Anthropic-Cybersecurity-Skills · updated May 25, 2026
MDX-style export adds YAML metadata + attribution linking explainx.ai and this canonical listing URL.
Develops comprehensive threat actor profiles for APT groups, criminal organizations, and hacktivist collectives by aggregating TTP documentation, historical campaign data, tooling fingerprints, and attribution indicators from multiple intelligence sources. Use when briefing executives on sector-specific threats, updating threat model assumptions, or prioritizing defensive controls against specific adversaries. Activates for requests involving MITRE ATT&CK Groups, Mandiant APT profiles, CrowdStrike adversary naming, or sector-specific threat briefings.
| name | profiling-threat-actor-groups |
| description | 'Develops comprehensive threat actor profiles for APT groups, criminal organizations, and hacktivist collectives by aggregating TTP documentation, historical campaign data, tooling fingerprints, and attribution indicators from multiple intelligence sources. Use when briefing executives on sector-specific threats, updating threat model assumptions, or prioritizing defensive controls against specific adversaries. Activates for requests involving MITRE ATT&CK Groups, Mandiant APT profiles, CrowdStrike adversary naming, or sector-specific threat briefings. ' |
| domain | cybersecurity |
| subdomain | threat-intelligence |
| tags | - MITRE-ATT&CK - threat-actor - APT - CrowdStrike - Mandiant - attribution - kill-chain - NIST-CSF |
| version | 1.0.0 |
| author | mahipal |
| license | Apache-2.0 |
| nist_csf | - ID.RA-01 - ID.RA-05 - DE.CM-01 - DE.AE-02 |
Profiling Threat Actor Groups
When to Use
Use this skill when:
- Updating the organization's threat model with profiles of adversary groups recently observed targeting your sector
- Preparing an executive briefing on APT groups that align with geopolitical events affecting your business
- Enabling SOC analysts to understand attacker objectives and TTPs to improve detection tuning
Do not use this skill for real-time incident attribution — attribution during active incidents should be deprioritized in favor of containment. Profile refinement occurs post-incident.
Prerequisites
- Access to MITRE ATT&CK Groups database (https://attack.mitre.org/groups/)
- Commercial threat intelligence subscription (Mandiant Advantage, CrowdStrike Falcon Intelligence, or Recorded Future)
- Sector-specific ISAC membership for targeted intelligence (FS-ISAC, H-ISAC, E-ISAC)
- Structured profile template (see workflow below)
Workflow
Step 1: Identify Relevant Threat Actors
Cross-reference your organization's sector, geography, and technology stack against known adversary targeting patterns. Sources:
- MITRE ATT&CK Groups: 130+ documented nation-state and criminal groups with TTP mappings
- CrowdStrike Annual Threat Report: adversary naming by nation-state (BEAR=Russia, PANDA=China, KITTEN=Iran, CHOLLIMA=North Korea)
- Mandiant M-Trends: annual report with sector-specific targeting statistics
- CISA Known Exploited Vulnerabilities (KEV) catalog: identifies vulnerabilities actively exploited by specific threat actors
Shortlist 5–10 groups most likely to target your organization based on sector alignment and recent activity.
Step 2: Collect Profile Data
For each adversary, document across standard dimensions:
Identity: ATT&CK Group ID (e.g., G0016 for APT29), aliases (Cozy Bear, The Dukes, Midnight Blizzard), suspected nation-state sponsor
Motivations: Espionage, financial gain, disruption, intellectual property theft
Targeting: Sectors, geographies, organization sizes, technology targets (OT/IT, cloud, supply chain)
Capabilities: Custom malware (e.g., APT29's SUNBURST, MiniDuke), exploitation of 0-days vs. known CVEs, supply chain attack capability
Campaign History: Notable operations with dates (SolarWinds 2020, Exchange Server 2021, etc.)
TTPs by ATT&CK Phase: Document top 5 techniques per tactic phase
Step 3: Map TTPs to ATT&CK
Using mitreattack-python:
from mitreattack.stix20 import MitreAttackData
mitre = MitreAttackData("enterprise-attack.json")
apt29 = mitre.get_object_by_attack_id("G0016", "groups")
techniques = mitre.get_techniques_used_by_group(apt29)
profile = {}
for item in techniques:
tech = item["object"]
tid = tech["external_references"][0]["external_id"]
tactic = [p["phase_name"] for p in tech.get("kill_chain_phases", [])]
profile[tid] = {"name": tech["name"], "tactics": tactic}
Step 4: Assess Detection Coverage Against Profile
Compare the adversary's technique list against your detection coverage matrix (from ATT&CK Navigator layer). Identify:
- Techniques used by this group where you have no detection (critical gaps)
- Techniques where you have partial coverage (logging but no alerting)
- Compensating controls where detection is not feasible (network segmentation as mitigation for lateral movement)
Step 5: Package Profile for Distribution
Structure the final profile for different audiences:
- Executive summary (1 page): Who, motivation, recent campaigns, top risk to our organization, recommended priority actions
- SOC analyst brief (3–5 pages): Full TTP list with detection status, IOC list, hunt hypotheses
- Technical appendix: YARA rules, Sigma detections, STIX JSON object for TIP import
Classify TLP:AMBER for internal distribution; seek ISAC approval before external sharing.
Key Concepts
| Term | Definition |
|---|---|
| APT | Advanced Persistent Threat — well-resourced, sophisticated adversary (typically nation-state or sophisticated criminal) conducting long-term targeted operations |
| TTPs | Tactics, Techniques, Procedures — behavioral fingerprint of an adversary group, more durable than IOCs which change frequently |
| Aliases | Threat actors receive different names from different vendors (APT29 = Cozy Bear = The Dukes = Midnight Blizzard = YTTRIUM) |
| Attribution | Process of associating an attack with a specific threat actor; requires multiple independent corroborating data points and carries inherent uncertainty |
| Cluster | A group of related intrusion activity that may or may not be attributable to a single actor; used when attribution is uncertain |
| Intrusion Set | STIX SDO type representing a grouped set of adversarial behaviors with common objectives, even if actor identity is unknown |
Tools & Systems
- MITRE ATT&CK Groups: Free, community-maintained database of 130+ documented adversary groups with referenced campaign reports
- Mandiant Advantage Threat Intelligence: Commercial platform with detailed APT profiles, malware families, and campaign analysis
- CrowdStrike Falcon Intelligence: Commercial feed with adversary-centric profiles and real-time attribution updates
- Recorded Future Threat Intelligence: Combines OSINT, dark web, and technical intelligence for adversary profiling
- OpenCTI: Graph-based visualization of threat actor relationships, tooling, and campaign linkages
Common Pitfalls
- IOC-centric profiles: Building profiles around IP addresses and domains rather than TTPs means the profile becomes stale within weeks as infrastructure rotates.
- Vendor alias confusion: Conflating two different threat actor groups due to shared malware or infrastructure leads to incorrect threat model assumptions.
- Binary attribution: Treating attribution as certain when it is probabilistic. Always qualify attribution confidence level (Low/Medium/High).
- Neglecting insider and criminal groups: Overemphasis on nation-state APTs while ignoring ransomware groups (Cl0p, LockBit, ALPHV) which represent higher probability threats for most organizations.
- Profile staleness: Adversary TTPs evolve. Profiles not updated quarterly may miss technique changes, new malware, or targeting shifts.
How to use profiling-threat-actor-groups on Cursor
AI-first code editor with Composer
Prerequisites
Before installing skills in Cursor, ensure your development environment meets these requirements:
- ›Cursor installed and configured on your development machine
- ›Node.js version 16.0+ with npm package manager (verify with
node --version) - ›Active project directory or workspace where you want to add profiling-threat-actor-groups
Execute installation command
Execute the skills CLI command in your project's root directory to begin installation:
The skills CLI fetches profiling-threat-actor-groups from GitHub repository mukul975/Anthropic-Cybersecurity-Skills and configures it for Cursor.
Select Cursor when prompted
The CLI will show a list of available agents. Use arrow keys to navigate and space to select Cursor:
Verify installation
Confirm successful installation by checking the skill directory location:
Reload or restart Cursor to activate profiling-threat-actor-groups. Access the skill through slash commands (e.g., /profiling-threat-actor-groups) or your agent's skill management interface.
Security & Verification Notice
We perform automated surface-level scans (Gen AI Scanner, Socket, Snyk) during installation. These checks detect common vulnerabilities but do not guarantee complete security. Always review skill source code and verify the publisher's reputation before production use.
Skills execute code in your development environment. Always verify the publisher's identity, review recent commits, and test in isolated environments before production deployment.
List & Monetize Your Skill
Submit your Claude Code skill and start earning
Use Cases▌
Task Automation & Efficiency
Automate repetitive workflows and reduce manual effort
Example
Generate reports, summarize documents, draft communications
Save 3-5 hours per week on routine tasks
Knowledge Enhancement
Learn new skills, understand complex topics, get expert guidance
Example
Explain concepts, provide examples, suggest learning resources
Accelerate learning and skill development by 2x
Quality Improvement
Enhance output quality through reviews, suggestions, and refinements
Example
Review drafts, suggest improvements, catch errors
Improve work quality by 30-40% with less effort
Implementation Guide▌
Prerequisites
- ›Claude Desktop or compatible AI client with skill support
- ›Clear understanding of task or problem to solve
- ›Willingness to iterate and refine outputs
Time Estimate
15-45 minutes depending on use case complexity
Installation Steps
- 1.Install skill using provided installation command
- 2.Test with simple use case relevant to your work
- 3.Evaluate output quality and relevance
- 4.Iterate on prompts to improve results
- 5.Integrate into regular workflow if valuable
Common Pitfalls
- ⚠Expecting perfect results without iteration
- ⚠Not providing enough context in prompts
- ⚠Using skill for tasks outside its intended scope
- ⚠Accepting outputs without review and validation
Best Practices▌
✓ Do
- +Start with clear, specific prompts
- +Provide relevant context and constraints
- +Review and refine all outputs before using
- +Iterate to improve output quality
- +Document successful prompt patterns
✗ Don't
- −Don't use without understanding skill limitations
- −Don't skip validation of outputs
- −Don't share sensitive information in prompts
- −Don't expect skill to replace human judgment
💡 Pro Tips
- ★Be specific about desired format and style
- ★Ask for multiple options to choose from
- ★Request explanations to understand reasoning
- ★Combine AI efficiency with human expertise
When to Use This▌
✓ Use When
Use when skill capabilities match your task, clear ROI on time saved, and you can validate outputs. Best for repetitive tasks, learning, and quality improvement.
✗ Avoid When
Avoid when task requires deep expertise you can't validate, involves sensitive decisions, or when learning process is more valuable than speed of completion.
Learning Path▌
- 1Familiarize yourself with skill capabilities and limitations
- 2Start with low-risk, non-critical tasks
- 3Progress to more complex and valuable use cases
- 4Build expertise through regular use and experimentation
Discussion
Product Hunt–style comments (not star reviews)- No comments yet — start the thread.
Ratings
4.6★★★★★73 reviews- ★★★★★Sakura Chen· Dec 24, 2024
profiling-threat-actor-groups is among the better-maintained entries we tried; worth keeping pinned for repeat workflows.
- ★★★★★Chinedu Choi· Dec 20, 2024
Useful defaults in profiling-threat-actor-groups — fewer surprises than typical one-off scripts, and it plays nicely with `npx skills` flows.
- ★★★★★Chinedu Lopez· Dec 16, 2024
Solid pick for teams standardizing on skills: profiling-threat-actor-groups is focused, and the summary matches what you get after install.
- ★★★★★Ren Li· Dec 12, 2024
I recommend profiling-threat-actor-groups for anyone iterating fast on agent tooling; clear intent and a small, reviewable surface area.
- ★★★★★Chaitanya Patil· Dec 8, 2024
I recommend profiling-threat-actor-groups for anyone iterating fast on agent tooling; clear intent and a small, reviewable surface area.
- ★★★★★Piyush G· Nov 27, 2024
Solid pick for teams standardizing on skills: profiling-threat-actor-groups is focused, and the summary matches what you get after install.
- ★★★★★Aanya Rao· Nov 15, 2024
Keeps context tight: profiling-threat-actor-groups is the kind of skill you can hand to a new teammate without a long onboarding doc.
- ★★★★★Ishan Yang· Nov 11, 2024
We added profiling-threat-actor-groups from the explainx registry; install was straightforward and the SKILL.md answered most questions upfront.
- ★★★★★Chinedu Bansal· Nov 7, 2024
I recommend profiling-threat-actor-groups for anyone iterating fast on agent tooling; clear intent and a small, reviewable surface area.
- ★★★★★Sakura Yang· Nov 3, 2024
Solid pick for teams standardizing on skills: profiling-threat-actor-groups is focused, and the summary matches what you get after install.
showing 1-10 of 73