
cti-expert

by 7onez · 7onez/cti-expert

Defensive CTI + OSINT analysis skill for Claude Code — 67+ commands and 35 techniques, no API keys required.

cti-expert turns Claude Code into a junior cyber threat intelligence analyst: it enumerates analytic techniques (ACH, SATs, diamond model, kill-chain mapping), pulls OSINT from public sources, and writes up findings in structured formats (STIX-flavored, MITRE ATT&CK-aligned). It is a defensive skill — it does not include offensive or exploit tooling.


Installation

Claude Desktop · ~/Library/Application Support/Claude/claude_desktop_config.json · Windows: %APPDATA%\Claude\claude_desktop_config.json
{
  "mcpServers": {
    "cti-expert-skill": {
      "command": "git",
      "args": [
        "clone",
        "https://github.com/7onez/cti-expert",
        "~/.claude/skills/cti-expert"
      ],
      "_inferred": true
    }
  }
}

Open Claude Desktop → Settings → Developer → Edit Config. Restart after saving.

Cursor · ~/.cursor/mcp.json · .cursor/mcp.json
{
  "mcpServers": {
    "cti-expert-skill": {
      "command": "git",
      "args": [
        "clone",
        "https://github.com/7onez/cti-expert",
        "~/.claude/skills/cti-expert"
      ],
      "_inferred": true
    }
  }
}

Cursor uses the same mcpServers schema as Claude Desktop. The project-level config takes precedence over the global one.

VS Code → Cline → MCP Servers → Edit
{
  "mcpServers": {
    "cti-expert-skill": {
      "command": "git",
      "args": [
        "clone",
        "https://github.com/7onez/cti-expert",
        "~/.claude/skills/cti-expert"
      ],
      "_inferred": true
    }
  }
}

Click the MCP Servers icon in the Cline sidebar, then "Edit Configuration".

Windsurf · ~/.codeium/windsurf/mcp_config.json
{
  "mcpServers": {
    "cti-expert-skill": {
      "command": "git",
      "args": [
        "clone",
        "https://github.com/7onez/cti-expert",
        "~/.claude/skills/cti-expert"
      ],
      "_inferred": true
    }
  }
}

Same format as Claude Desktop. Restart Windsurf to apply.

Continue · ~/.continue/config.json
{
  "mcpServers": [
    {
      "name": "cti-expert-skill",
      "command": "git",
      "args": [
        "clone",
        "https://github.com/7onez/cti-expert",
        "~/.claude/skills/cti-expert"
      ]
    }
  ]
}

Continue uses an array of server objects rather than a map.

Zed · ~/.config/zed/settings.json
{
  "context_servers": {
    "cti-expert-skill": {
      "command": {
        "path": "git",
        "args": [
          "clone",
          "https://github.com/7onez/cti-expert",
          "~/.claude/skills/cti-expert"
        ]
      }
    }
  }
}

Add it under context_servers. Zed reloads automatically.

Claude Code CLI
claude mcp add cti-expert-skill -- git clone https://github.com/7onez/cti-expert ~/.claude/skills/cti-expert

One-line command. Verify with: claude mcp list. Remove with: claude mcp remove.

Use cases

Real-world scenarios: cti-expert

How to enrich a suspicious indicator (IP, domain, hash) with public OSINT

👤 Audience: SOC analysts, incident responders, blue-team engineers · ⏱ ~15 min · Level: intermediate

When to use: You have an IOC from an alert and need context before escalating.

Prerequisites
  • Skill cloned — git clone https://github.com/7onez/cti-expert ~/.claude/skills/cti-expert
Flow
  1. Submit the indicator
    Enrich 185.234.218.95 using public OSINT — WHOIS, passive DNS (free sources), reputation feeds.
    → Structured context: ASN, geo, historical resolutions, known-bad listings
  2. Map to MITRE ATT&CK if applicable
    If this matches a known campaign, map to ATT&CK tactics/techniques.
    → TTP list with ATT&CK IDs
  3. Write up
    Produce a tactical report: what it is, confidence level, recommended actions.
    → Short, decision-oriented write-up

Outcome: A defensible enrichment you can attach to a ticket in minutes.

Pitfalls
  • Treating reputation scores as ground truth — Record the source and date; state confidence explicitly
  • OSINT queries accidentally tip off the target — Use passive sources only; no active scanning
Pair with: filesystem

Draft a campaign write-up from a handful of artifacts

👤 Audience: CTI analysts producing internal reports · ⏱ ~45 min · Level: advanced

When to use: You've been asked to turn a pile of IOCs, TTPs, and notes into a readable brief.

Flow
  1. Collate the artifacts
    Here are the IOCs and notes. Cluster them by diamond-model facet (adversary, capability, infrastructure, victim).
    → Diamond-model-shaped clustering
  2. Map to ATT&CK
    Map observed behaviors to ATT&CK; note coverage gaps.
    → Coverage matrix
  3. Write the brief
    Produce an executive section, a tactical section, and an IOC appendix.
    → 3-part report

Outcome: A consistent, audience-tiered report ready for review.

Pitfalls
  • Inflating confidence language ('almost certainly') — Force IC-style qualifiers (high/moderate/low) with supporting reasoning

Run an ACH (Analysis of Competing Hypotheses) walk-through

👤 Audience: Analysts wrestling with ambiguous attribution · ⏱ ~30 min · Level: advanced

When to use: Multiple actors could explain the evidence; you want structure before picking one.

Flow
  1. List hypotheses and evidence
    Hypotheses: H1, H2, H3. Evidence: E1–E10. Set up the ACH matrix.
    → Matrix with consistency marks per cell
  2. Identify diagnostic evidence
    Which evidence items have the highest diagnostic value?
    → Evidence ranked by its ability to discriminate between hypotheses
  3. Report the least-inconsistent hypothesis
    Pick the least-inconsistent hypothesis and list what would flip it.
    → Selection plus counter-evidence triggers

Outcome: A transparent attribution decision with documented reasoning.

Pitfalls
  • Anchoring on the first hypothesis — Fill in the matrix first, draw the conclusion last

Combinations

Combine with other MCPs for a 10x effect

cti-expert-skill + filesystem

Process a directory of raw alerts into structured findings

Enrich every IOC under alerts/2025-04-01/ and produce a consolidated daily tactical report.

Tools

What this MCP provides

Tool | Inputs | When to call | Cost
indicator-enrichment | IOC (IP/domain/hash/URL) | Triage of any incoming indicator | free OSINT queries
attck-mapping | observed behaviors | When writing up campaigns or detections | 0
structured-analytic-techniques | hypotheses + evidence | Ambiguous analysis problems | 0
report-templates | findings | Final reporting step | 0

Cost and limits

What it costs

API quota: depends on the OSINT sources used; all default sources are free-tier
Tokens per call: 2–10k tokens per indicator workflow
Money: free
Tip: Start with passive sources only; add paid feeds only if coverage gaps justify it

Security

Permissions, secrets, blast radius

Credential storage: none by default; any paid-feed API key lives in environment variables
Outbound traffic: only the OSINT endpoints you allow-list

Troubleshooting

Common errors and fixes

Rate limited by a public source

Throttle your queries or switch to an alternate source; many public OSINT endpoints enforce rate limits.

Claude hallucinates an enrichment result

Require citations for every claim; reject unsourced enrichment

ATT&CK mapping is too generic

Provide concrete behaviors (processes, commands, network patterns), not high-level summaries

Alternatives

cti-expert compared

Alternative | When to use | Trade-off
claude-cybersecurity-skill | You want broader security skills, not just CTI | Wider but shallower in CTI specifics
claude-security-research-skill | You're researching vulnerabilities rather than triaging indicators | Different job entirely

More

Resources

📖 Read the official README on GitHub

🐙 Open issues
