threat detection AI Agent Skills
Browse 31 skills related to threat detection
perception-system
AI perception skill for sight, hearing, and threat detection systems.
siem-logging
Configure security information and event management (SIEM) systems for threat detection, log aggregation, and compliance. Use when implementing centralized security logging, writing detection rules, or meeting audit requirements across cloud and on-premise infrastructure.
analysing-attack
Analyse Mitre ATT&CK tactics, techniques and sub-techniques. Use when performing analysis of threat detections, threat models, security risks or cyber threat intelligence
cloud-security-configuration
Implement comprehensive cloud security across AWS, Azure, and GCP with IAM, encryption, network security, compliance, and threat detection.
security-analysis
This skill should be used when the user asks to "audit security", "check for vulnerabilities", "scan for malicious code", "analyze security risks", "detect data exfiltration", or mentions security patterns, threat detection, or codebase safety assessment.
detecting-process-injection-techniques
Detects and analyzes process injection techniques used by malware including classic DLL injection, process hollowing, APC injection, thread hijacking, and reflective loading. Uses memory forensics, API monitoring, and behavioral analysis to identify injection artifacts. Activates for requests involving process injection detection, code injection analysis, hollowed process investigation, or in-memory threat detection.
defend-colony
Implement layered collective defense using alarm signaling, role mobilization, and proportional response. Covers threat detection, alert propagation, immune response patterns, escalation tiers, and post-incident recovery for distributed systems and organizations. Use when designing defense-in-depth where no single guardian covers all threats, building incident response that scales with severity, or when current defense is over-reactive to every alert or under-reactive to genuine threats.
detecting-fileless-malware-techniques
Detects and analyzes fileless malware that operates entirely in memory using PowerShell, WMI, .NET reflection, registry-resident payloads, and living-off-the-land binaries (LOLBins) without writing traditional executable files to disk. Activates for requests involving fileless threat detection, in-memory malware investigation, LOLBin abuse analysis, or WMI persistence examination.
implementing-ot-network-traffic-analysis-with-nozomi
Deploy Nozomi Networks Guardian sensors for passive OT network traffic analysis to achieve comprehensive asset visibility, real-time threat detection, and vulnerability assessment across industrial control systems without disrupting operations, leveraging behavioral anomaly detection and protocol-aware monitoring.
detecting-compromised-cloud-credentials
Detecting compromised cloud credentials across AWS, Azure, and GCP by analyzing anomalous API activity, impossible travel patterns, unauthorized resource provisioning, and credential abuse indicators using GuardDuty, Defender for Identity, and SCC Event Threat Detection.
performing-insider-threat-investigation
Investigates insider threat incidents involving employees, contractors, or trusted partners who misuse authorized access to steal data, sabotage systems, or violate security policies. Combines digital forensics, user behavior analytics, and HR/legal coordination to build an evidence-based case. Activates for requests involving insider threat investigation, employee data theft, privilege misuse, user behavior anomaly, or internal threat detection.
awareness
AI situational awareness — internal threat detection for hallucination risk, scope creep, and context degradation. Maps Cooper color codes to reasoning states and OODA loop to real-time decisions. Use during any task where reasoning quality matters, when operating in unfamiliar territory, after detecting early warning signs such as an uncertain fact or suspicious tool result, or before high-stakes output like irreversible changes or architectural decisions.
deploying-edr-agent-with-crowdstrike
Deploys and configures CrowdStrike Falcon EDR agents across enterprise endpoints to enable real-time threat detection, behavioral analysis, and automated response. Use when onboarding endpoints to EDR coverage, configuring detection policies, or integrating Falcon telemetry with SIEM platforms. Activates for requests involving CrowdStrike deployment, Falcon sensor installation, EDR policy configuration, or endpoint detection and response.
configuring-suricata-for-network-monitoring
Deploys and configures Suricata IDS/IPS with Emerging Threats rulesets, EVE JSON logging, and custom rules for real-time network traffic inspection, threat detection, and integration with SIEM platforms for centralized security monitoring.
awareness
AI situational awareness — internal threat detection for hallucination risk, scope creep, and context degradation. Maps Cooper color codes to reasoning states and OODA loop to real-time decisions. Use during any task where reasoning quality matters, when operating in unfamiliar territory, after detecting early warning signs such as an uncertain fact or suspicious tool result, or before high-stakes output like irreversible changes or architectural decisions.
implementing-dragos-platform-for-ot-monitoring
Deploy and configure the Dragos Platform for OT network monitoring, leveraging its 600+ industrial protocol parsers, intelligence-driven threat detection analytics, and asset visibility capabilities to protect ICS environments against threat groups like VOLTZITE, GRAPHITE, and BAUXITE.
defend-colony
Implement layered collective defense using alarm signaling, role mobilization, and proportional response. Covers threat detection, alert propagation, immune response patterns, escalation tiers, and post-incident recovery for distributed systems and organizations. Use when designing defense-in-depth where no single guardian covers all threats, building incident response that scales with severity, or when current defense is over-reactive to every alert or under-reactive to genuine threats.
configuring-windows-event-logging-for-detection
Configures Windows Event Logging with advanced audit policies to generate high-fidelity security events for threat detection and forensic investigation. Use when enabling audit policies for logon events, process creation, privilege use, and object access to feed SIEM detection rules. Activates for requests involving Windows audit policy, event log configuration, security logging, or detection-oriented logging.
detecting-cloud-threats-with-guardduty
This skill teaches security teams how to deploy and operationalize Amazon GuardDuty for continuous threat detection across AWS accounts and workloads. It covers enabling protection plans for S3, EKS, EC2 runtime monitoring, and Lambda, interpreting finding severity levels, and building automated response workflows using EventBridge and Lambda.
performing-network-traffic-analysis-with-zeek
Deploy Zeek network security monitor to capture, parse, and analyze network traffic metadata for threat detection, anomaly identification, and forensic investigation.
implementing-cloud-trail-log-analysis
Implementing AWS CloudTrail log analysis for security monitoring, threat detection, and forensic investigation using Athena, CloudWatch Logs Insights, and SIEM integration to identify unauthorized access, privilege escalation, and suspicious API activity.
detecting-aws-guardduty-findings-automation
Automate AWS GuardDuty threat detection findings processing using EventBridge and Lambda to enable real-time incident response, automatic quarantine of compromised resources, and security notification workflows.
performing-ssl-tls-inspection-configuration
Configure SSL/TLS inspection on network security devices to decrypt, inspect, and re-encrypt HTTPS traffic for threat detection while managing certificates, exemptions, and privacy compliance.
building-detection-rules-with-sigma
Builds vendor-agnostic detection rules using the Sigma rule format for threat detection across SIEM platforms including Splunk, Elastic, and Microsoft Sentinel. Use when creating portable detection logic from threat intelligence, mapping rules to MITRE ATT&CK techniques, or converting community Sigma rules into platform-specific queries using sigmac or pySigma backends.
implementing-runtime-security-with-tetragon
Implement eBPF-based runtime security observability and enforcement in Kubernetes clusters using Cilium Tetragon for kernel-level threat detection and policy enforcement.
de-half-light
Disco Elysium HALF LIGHT skill: threat detection and danger assessment. Activates near deployments, database changes, deletions, security-adjacent code, env variables, production data, or any change that could cause irreversible damage.
de-half-light
Disco Elysium HALF LIGHT skill: threat detection and danger assessment. Activates near deployments, database changes, deletions, security-adjacent code, env variables, production data, or any change that could cause irreversible damage.
security-monitoring-threat-detection
Enterprise-grade skill for implementing 24/7 security monitoring and threat detection on OpenClaw AI agent infrastructure. Use whenever setting up logging, alerting, intrusion detection, SIEM integration, or real-time monitoring for AI agent systems. Also trigger for log analysis, anomaly detection, incident response procedures, SOC operations for AI infrastructure, security event correlation, or any continuous monitoring pattern for autonomous AI agent deployments.
VirusTotal
URL, file, domain, and IP scanning via VirusTotal CLI and API. Threat detection, reputation checks, malware analysis, phishing detection.
gcp-injection
Use this skill when users need to audit, detect, or remediate Injection vulnerabilities (OWASP A03:2021) on Google Cloud Platform. This includes SQL injection, Cross-Site Scripting (XSS), command injection, LDAP injection, and any scenario where untrusted data is sent to an interpreter. Covers configuring Cloud Armor WAF preconfigured rule sets (sqli-stable, xss-stable, rce-stable, php-stable), reviewing Security Command Center findings for injection-related threats (Container Threat Detection, Web Security Scanner), and auditing Apigee API proxies for JSON/XML threat protection. Activate for GCP WAF hardening, injection prevention, or OWASP A03 compliance.
Audit Guard
Provides multi-level risk assessment, dynamic threat detection, and a master-approval gateway to govern high-risk operations performed by Agents; when a high risk is detected it intercepts and freezes the operation and waits for master approval before releasing.