This skill takes threat intelligence about APT groups, campaigns, and TTP sets and produces structured outputs for detection engineering teams. It maps adversary behavior to MITRE ATT&CK techniques and generates functional JSON layer specifications compatible with the ATT&CK Navigator for visualization. By comparing actor techniques against EDR, SIEM, and NDR rule sets, it identifies coverage holes — areas where monitoring is absent or insufficient — and surfaces them as a prioritized engineering backlog.
A key design constraint is evidence-gating: a technique is only marked as detected when supporting evidence is present, preventing false assurance about coverage that does not exist. Detection prioritization weighs actor usage frequency, data source feasibility, and environment relevance, so the engineering team addresses the highest-probability threats first.
The skill also generates threat profiles that summarize intrusion sets and campaigns with precise technique-to-tactic mapping, and produces human-readable risk summaries alongside the machine-readable Navigator JSON. This dual-format output is intended to bridge raw threat intelligence and day-to-day SOC operations without requiring manual translation between the two. The skill follows a stated appliance-neutral defensive methodology, meaning its gap analysis is not tied to a specific vendor’s tooling. It is a skill-type capability with no listed environment variables or external transport dependencies.