Analysis updated 2026-05-18
Triage an unknown executable through malware analysis steps using an AI agent that chains skills automatically
Extract Cobalt Strike beacon configurations and defang IOCs for use in a SIEM or detection pipeline
Write Sigma or YARA detection rules from threat hunting findings and validate ATT&CK coverage
Add a vetted security skill set to an AI agent (Claude Code, Copilot, Cursor) for security analysis workflows
| | meltedinhex/analyst-ai-pack | alsgur9865-sketch/second-brain-engine | compumaxx/gba-video-studio |
|---|---|---|---|
| Stars | 10 | 10 | 10 |
| Language | Python | Python | Python |
| Setup difficulty | moderate | moderate | hard |
| Complexity | 4/5 | 3/5 | 4/5 |
| Audience | ops / devops | developer | developer |
Figures from each repo's GitHub metadata at analysis time.
Setup requires cloning the repo and pointing an AI agent at the skills directory; some skills have optional dependencies (Volatility, radare2) that must be installed separately.
AnalystAIPack is a library of 118 ready-made skills designed to give an AI agent the working knowledge of a security analyst. The skills cover four tightly focused areas: malware analysis, reverse engineering, threat hunting, and shared lab foundations. Each skill is a structured procedure file paired with a runnable Python script that performs the actual analysis, rather than a set of written instructions alone.

The library is designed for AI coding assistants and agents such as GitHub Copilot, Claude Code, Cursor, or anything that follows the agentskills.io format. You clone the repository, point your agent at the skills directory, and the agent can then chain skills together into multi-step analysis workflows. A worked example in the README takes a suspicious executable from initial triage through static analysis, unpacking, config extraction, IOC handling, network traffic hunting, and writing a detection rule, all by chaining skills in sequence.

Every Python script uses only the standard library where possible; optional dependencies degrade gracefully when missing. Scripts perform read-only static analysis and never execute the sample being analyzed. Output is structured JSON with indicators of compromise defanged, that is, rendered in a form that cannot be clicked, resolved, or pasted into a live system by accident.

Each skill follows a consistent structure with sections for when to use it, when not to use it, the workflow, validation steps, and known pitfalls. Skills are mapped to three MITRE frameworks: ATT&CK for attacker techniques, D3FEND for defensive countermeasures, and CAR for detection analytics. This lets you look up which skills cover a particular ATT&CK technique, or find gaps in defensive coverage in your environment.
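As an added example that is not part of the repository or its README, the script below shows the shape of a skill script with the properties described above: standard library only, read-only string matching that never executes or resolves anything, and structured JSON output with every indicator defanged. The sample text, the regexes, the short TLD list and the `hxxp://` / `[.]` / `[@]` defang conventions are this example's own choices, not the project's.

```python
"""Extract and defang indicators of compromise from text, emitting JSON.

Added illustration only; this is not analyst-ai-pack code. It mimics the
properties the page describes (standard library only, read-only, never
executes the sample, defanged JSON output). The sample text, the regexes,
the TLD list and the defang conventions are this example's own choices.
"""
import ipaddress
import json
import re

# Constructed stand-in for strings pulled out of a suspicious binary.
SAMPLE_TEXT = """
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0)
POST https://cdn-update.example.net/api/v2/beacon HTTP/1.1
fallback 203.0.113.45:8443 then 198.51.100.9
dns mail.example.org   local 10.0.0.1 127.0.0.1
contact ops@example.net
"""

URL_RE = re.compile(r"\bhttps?://[^\s'\"<>]+", re.IGNORECASE)
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
# Deliberately small TLD list; a real extractor would use the public suffix list.
DOMAIN_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+(?:com|net|org|io)\b", re.IGNORECASE)
EMAIL_RE = re.compile(r"\b[\w.+-]+@(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.IGNORECASE)

# Ranges that are never an external C2 address and only add noise to a report.
NON_ROUTABLE = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16",
)]


def is_candidate_ip(ip: str) -> bool:
    """True for a syntactically valid IPv4 address outside the noise ranges."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return not any(addr in net for net in NON_ROUTABLE)


def defang(ioc: str) -> str:
    """Render an indicator so it cannot be clicked or resolved by accident.

    The scheme becomes hxxp(s)://, dots in the host part become [.], and the
    @ in an e-mail address becomes [@]. URL paths are left alone so that a
    filename such as payload.exe stays searchable.
    """
    if ioc.lower().startswith(("http://", "https://")):
        scheme, rest = ioc.split("://", 1)
        scheme = "hxxp" + scheme.lower()[4:]      # keeps the trailing 's' of https
        host, sep, path = rest.partition("/")
        return f"{scheme}://{host.replace('.', '[.]')}{sep}{path}"
    return ioc.replace(".", "[.]").replace("@", "[@]")


def refang(ioc: str) -> str:
    """Inverse of defang, for loading a vetted indicator into a SIEM."""
    return ioc.replace("[.]", ".").replace("[@]", "@").replace("hxxp", "http", 1)


def extract_iocs(text: str) -> dict:
    """Pure string matching over the input; nothing is executed or resolved."""
    return {
        "urls": sorted(set(URL_RE.findall(text))),
        "ipv4": sorted(ip for ip in set(IPV4_RE.findall(text)) if is_candidate_ip(ip)),
        "domains": sorted({d.lower() for d in DOMAIN_RE.findall(text)}),
        "emails": sorted({e.lower() for e in EMAIL_RE.findall(text)}),
    }


def to_report(text: str) -> dict:
    """Structured, defanged report in a shape a downstream pipeline can ingest."""
    raw = extract_iocs(text)
    return {
        "executed_sample": False,
        "counts": {k: len(v) for k, v in raw.items()},
        "indicators": {k: [defang(v) for v in vals] for k, vals in raw.items()},
    }


if __name__ == "__main__":
    print(json.dumps(to_report(SAMPLE_TEXT), indent=2))
```

The private and loopback ranges are filtered explicitly rather than through `ipaddress`'s `is_global`, because that property also rejects the RFC 5737 documentation ranges used in the sample text. Keeping `refang` next to `defang` makes the round trip testable, which matters when the defanged report is the only thing that leaves the analysis host.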
The library is aimed at SOC analysts triaging unknown files, malware analysts extracting configurations from packed samples, threat hunters writing Sigma and YARA detection rules, and developers building security-focused AI agents. It is Apache 2.0 licensed with a CI pipeline that smoke-tests every script.
A library of 118 runnable security analyst skills for AI agents, covering malware analysis, reverse engineering, and threat hunting, each mapped to MITRE ATT&CK, D3FEND, and CAR.
Mainly Python. The stack also includes MITRE ATT&CK and Sigma.
Apache 2.0: use freely for any purpose, including commercial use, as long as you include the license and copyright notice.
Setup difficulty is rated moderate, with roughly 30 minutes to a first successful run.
Audience: mainly ops and devops.
Verify against the repo before relying on details.