Apt Group Mitre Navigator Analysis

Transform APT threat intelligence into MITRE ATT&CK Navigator layers and prioritized detection gap analyses.

Install
cmdop skills install agensi-apt-group-mitre-navigator-analysis

This skill takes threat intelligence about APT groups, campaigns, and TTP sets and produces structured outputs for detection engineering teams. It maps adversary behavior to MITRE ATT&CK techniques and generates functional JSON layer specifications compatible with the ATT&CK Navigator for visualization. By comparing actor techniques against EDR, SIEM, and NDR rule sets, it identifies coverage holes — areas where monitoring is absent or insufficient — and surfaces them as a prioritized engineering backlog.

A key design constraint is evidence-gating: a technique is only marked as detected when supporting evidence is present, preventing false assurance about coverage that does not exist. Detection prioritization weighs actor usage frequency, data source feasibility, and environment relevance, so the engineering team addresses the highest-probability threats first.

The skill also generates threat profiles that summarize intrusion sets and campaigns with precise technique-to-tactic mapping, and produces human-readable risk summaries alongside the machine-readable Navigator JSON. This dual-format output is intended to bridge raw threat intelligence and day-to-day SOC operations without requiring manual translation between the two. The skill follows a stated appliance-neutral defensive methodology, meaning its gap analysis is not tied to a specific vendor’s tooling. It is a skill-type capability with no listed environment variables or external transport dependencies.

Use cases

  • Generate ATT&CK Navigator JSON layers from an APT group's known TTP set for team visualization
  • Identify detection gaps by comparing a threat actor's techniques against existing EDR and SIEM rule sets
  • Produce a prioritized detection engineering backlog ranked by actor usage and data source feasibility
  • Create threat profiles that map intrusion set behavior to specific MITRE ATT&CK tactics and techniques
  • Validate that no technique is marked as covered without supporting evidence to avoid false coverage assurance
  • Summarize campaign activity into human-readable risk reports for SOC briefings

When to use it

  • When a detection engineering team needs to map a specific APT group's TTPs to their existing security stack
  • When preparing ATT&CK Navigator layers from threat intelligence for visualization or sharing
  • When prioritizing which detection rules to write next based on real actor behavior
  • When a SOC needs both machine-readable JSON and human-readable summaries from the same threat intel source

When not to use it

  • When real-time or live threat detection is needed — this skill performs analysis, not active monitoring
  • When the required output format is something other than ATT&CK Navigator JSON or prose summaries
  • When no threat intelligence or TTP data about a target actor is available to analyze
  • When the task requires direct integration with a SIEM or EDR platform via API, as no tool integrations are listed