Attack Pattern Library Builder is a skill for security engineers and cyber threat intelligence (CTI) analysts that automates the extraction and structuring of adversary behaviors from raw threat intelligence sources such as incident reports, advisories, and malware write-ups. Rather than summarizing content generically, it applies strict evidence requirements: every MITRE ATT&CK technique mapping must be tied to a specific source sentence, and the skill refuses to produce mappings without supporting evidence. This design prevents coverage gaps caused by hallucinated or unsupported technique associations.
From a given CTI source, the skill extracts evidenced procedures, maps them to specific ATT&CK techniques with source provenance recorded, and separates tool usage from attacker procedures. It also translates attacker TTPs into telemetry requirements and detection opportunities, producing output suitable for detection engineering backlogs.
Supported output formats include structured JSON in a STIX 2.1-inspired schema, markdown tables, detection backlogs, and ATT&CK Navigator-compatible layer files. These outputs are designed for ingestion into threat intelligence platforms (TIPs), SIEMs, EDRs, or GRC platforms.
This skill is not a general-purpose summarization tool. It is scoped to CTI-to-ATT&CK mapping workflows and defensive library construction. Organizations without a threat-informed defense program or without access to structured CTI sources will find limited value here.