explaingit

meltedinhex/analyst-ai-pack

Analysis updated 2026-05-18

Stars: 10 · Language: Python · Audience: ops/devops · Complexity: 4/5 · License: Apache 2.0 · Setup: moderate

TLDR

A library of 118 runnable security analyst skills for AI agents, covering malware analysis, reverse engineering, and threat hunting, each mapped to MITRE ATT&CK, D3FEND, and CAR.

Mindmap

mindmap
  root((analyst-ai-pack))
    Subdomains
      Malware analysis
      Reverse engineering
      Threat hunting
      Lab foundations
    How it works
      118 runnable skills
      Python scripts
      Agent compatible
    Framework mappings
      MITRE ATT&CK
      MITRE D3FEND
      MITRE CAR
    AI agent use
      GitHub Copilot
      Claude Code
      Cursor


What do people build with it?

USE CASE 1

Triage an unknown executable through malware analysis steps using an AI agent that chains skills automatically

USE CASE 2

Extract Cobalt Strike beacon configurations and defang IOCs for use in a SIEM or detection pipeline

USE CASE 3

Write Sigma or YARA detection rules from threat hunting findings and validate ATT&CK coverage

USE CASE 4

Add a vetted security skill set to an AI agent (Claude Code, Copilot, Cursor) for security analysis workflows

What is it built with?

Python · MITRE ATT&CK · Sigma · YARA · Suricata

How does it compare?

Repo                                   | Stars | Language | Setup difficulty | Complexity | Audience
meltedinhex/analyst-ai-pack            | 10    | Python   | moderate         | 4/5        | ops/devops
alsgur9865-sketch/second-brain-engine  | 10    | Python   | moderate         | 3/5        | developer
compumaxx/gba-video-studio             | 10    | Python   | hard             | 4/5        | developer

Figures from each repo's GitHub metadata at analysis time.

How do you get it running?

Difficulty: moderate · Time to first run: 30 min

Requires cloning the repo and pointing an AI agent at the skills directory. Some skills have optional dependencies (Volatility, radare2) that need to be installed separately.

Use freely for any purpose, including commercial use, as long as you include the license and copyright notice.

In plain English

AnalystAIPack is a library of 118 ready-made skills designed to give an AI agent the working knowledge of a security analyst. The skills cover four tightly focused areas: malware analysis, reverse engineering, threat hunting, and shared lab foundations. Each skill is a structured procedure file paired with a runnable Python script that performs actual analysis rather than only describing it in written instructions.

The library is designed to be used with AI coding assistants and agents such as GitHub Copilot, Claude Code, Cursor, or anything that follows the agentskills.io format. You clone the repository, point your agent at the skills directory, and the agent can then chain skills together to run multi-step analysis workflows. A worked example in the README shows how to take a suspicious executable from initial triage through static analysis, unpacking, config extraction, IOC handling, network traffic hunting, and writing a detection rule, all by chaining skills in sequence.

Every Python script uses only the standard library where possible, with optional dependencies that degrade gracefully when missing. Scripts perform read-only static analysis and never execute the sample being analyzed. Output is structured JSON with indicators of compromise defanged (rendered in a format that prevents accidental interaction with malicious addresses). Each skill follows a consistent structure with sections for when to use it, when not to use it, the workflow, validation steps, and known pitfalls.

The skills are mapped to three MITRE frameworks: ATT&CK for attacker techniques, D3FEND for defensive countermeasures, and CAR for detection analytics. This lets you look up which skills cover a particular ATT&CK technique or find defensive coverage gaps in your environment.
The library is aimed at SOC analysts triaging unknown files, malware analysts extracting configurations from packed samples, threat hunters writing Sigma and YARA detection rules, and developers building security-focused AI agents. It is Apache 2.0 licensed with a CI pipeline that smoke-tests every script.
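The defanged, structured JSON output described above, shown as an added example that is not code from analyst-ai-pack itself: the function names, the report layout and the sample indicators (RFC 5737 test addresses and example.com hosts) are constructed for illustration.

```python
# Added example, not code from analyst-ai-pack: defang extracted IOCs and
# wrap them in the kind of structured JSON report described above.
# Standard library only; indicator values below are constructed samples.
import ipaddress
import json
import re
from urllib.parse import urlsplit

_URL = re.compile(r"^https?://", re.IGNORECASE)


def classify(indicator: str) -> str:
    """Return 'ipv4', 'url' or 'domain' for a raw indicator string."""
    try:
        ipaddress.IPv4Address(indicator)
        return "ipv4"
    except ValueError:
        pass
    return "url" if _URL.match(indicator) else "domain"


def defang(indicator: str) -> str:
    """Rewrite an IOC so it is not clickable or resolvable by accident.

    192.0.2.1 -> 192[.]0[.]2[.]1, bad.example -> bad[.]example,
    http://x.y/p -> hxxp://x[.]y/p (scheme neutralised, host bracketed,
    path and query left intact so the indicator stays searchable).
    """
    if classify(indicator) != "url":
        return indicator.replace(".", "[.]")
    parts = urlsplit(indicator)
    scheme = "hxxps" if parts.scheme.lower() == "https" else "hxxp"
    host = parts.netloc.replace(".", "[.]")
    tail = parts.path + (f"?{parts.query}" if parts.query else "")
    return f"{scheme}://{host}{tail}"


def build_report(sample_sha256: str, indicators: list[str]) -> dict:
    """Structured, defanged output a SIEM or detection pipeline can ingest."""
    return {
        "sample_sha256": sample_sha256,
        "indicators": [{"type": classify(i), "value": defang(i)} for i in indicators],
    }


if __name__ == "__main__":
    constructed = ["192.0.2.1", "c2.example.com",
                   "https://198.51.100.7:8080/gate.php?id=7"]
    print(json.dumps(build_report("<sha256 placeholder>", constructed), indent=2))
```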

Copy-paste prompts

Prompt 1
I want to triage a suspicious EXE using AnalystAIPack. Walk me through chaining triaging-an-unknown-sample, performing-static-pe-analysis, and extracting-cobalt-strike-beacon-config from start to finish.
Prompt 2
How do I load AnalystAIPack skills into GitHub Copilot Agent mode so I can ask it to hunt for LOLBin abuse in a CSV of Windows events?
Prompt 3
Show me how AnalystAIPack's SKILL.md frontmatter format works and how the agentskills.io standard maps to ATT&CK technique IDs.
Prompt 4
I want to use AnalystAIPack to write a Sigma detection rule from a threat hunting finding. Which skills should I chain and what does the output JSON look like?

Frequently asked questions

What is analyst-ai-pack?

A library of 118 runnable security analyst skills for AI agents, covering malware analysis, reverse engineering, and threat hunting, each mapped to MITRE ATT&CK, D3FEND, and CAR.

What language is analyst-ai-pack written in?

Mainly Python. The stack also includes MITRE ATT&CK and Sigma.

What license does analyst-ai-pack use?

Use freely for any purpose, including commercial use, as long as you include the license and copyright notice.

How hard is analyst-ai-pack to set up?

Setup difficulty is rated moderate, with roughly 30 min to a first successful run.

Who is analyst-ai-pack for?

Mainly ops/devops.


Verify against the repo before relying on details.