Attack Pattern Library Builder

Transform CTI reports into structured attack pattern libraries mapped to MITRE ATT&CK for threat-informed defense.

Install
cmdop skills install agensi-attack-pattern-library-builder

Attack Pattern Library Builder is a skill for security engineers and cyber threat intelligence (CTI) analysts that automates the extraction and structuring of adversary behaviors from raw threat intelligence sources such as incident reports, advisories, and malware write-ups. Rather than summarizing content generically, it applies strict evidence requirements: every MITRE ATT&CK technique mapping must be tied to a specific source sentence, and the skill refuses to produce mappings without supporting evidence. This design prevents coverage gaps caused by hallucinated or unsupported technique associations.

From a given CTI source, the skill extracts evidenced procedures, maps them to specific ATT&CK techniques with source provenance recorded, and separates tool usage from attacker procedures. It also translates attacker TTPs into telemetry requirements and detection opportunities, producing output suitable for detection engineering backlogs.

Supported output formats include structured JSON in a STIX 2.1-inspired schema, markdown tables, detection backlogs, and ATT&CK Navigator-compatible layer files. These outputs are designed for ingestion into threat intelligence platforms (TIPs), SIEMs, EDRs, or GRC platforms.

This skill is not a general-purpose summarization tool. It is scoped to CTI-to-ATT&CK mapping workflows and defensive library construction. Organizations without a threat-informed defense program or without access to structured CTI sources will find limited value here.

Use cases

  • Extract evidenced adversary procedures from a vendor incident report and map them to ATT&CK technique IDs
  • Generate a STIX 2.1-style JSON attack pattern library from malware write-ups for ingestion into a TIP
  • Produce an ATT&CK Navigator-compatible layer file from a threat advisory
  • Build a detection engineering backlog by translating attacker TTPs into telemetry requirements
  • Create a markdown table of technique mappings with source provenance for a GRC audit
  • Separate tool usage from attacker procedures across multiple CTI reports to avoid double-counting coverage

When to use it

  • Building or maintaining a threat-informed detection library backed by specific CTI sources
  • Mapping incident report findings to ATT&CK before loading into a SIEM or EDR
  • Producing Navigator layers from advisories for red/blue team exercises
  • Enforcing evidence-based quality gates on ATT&CK coverage claims

When not to use it

  • General threat report summarization without need for ATT&CK mapping
  • Environments that do not use MITRE ATT&CK as a framework
  • Use cases requiring real-time threat feed ingestion or automated IOC extraction
  • Workflows that need output formats other than JSON, markdown, detection backlogs, or Navigator layers