
from Anthropic Cybersecurity Skills
Collect and analyze ransomware data-leak site (DLS) postings to extract victim, group, sector, and timeline intelligence for threat hunting and risk assessment.
This skill provides a reproducible workflow for safely collecting and analyzing ransomware data-leak site (DLS) information. It shows how to ingest public tracking feeds (e.g., Ransomwatch), extract structured victim and group metadata, compute group activity trends, and produce sector- and country-level risk assessments and intelligence reports. The included examples and scripts focus on safe collection practices (Tor-isolated VMs or commercial feeds) and downstream analysis in Python (pandas, plotting, counters).
Use this skill when investigating security incidents that may involve data exfiltration, when building detection rules or threat-hunting queries for ransomware activity, or when assessing sector-specific ransomware exposure for an organization or supply chain. Also useful for SOC analysts producing periodic intelligence reports.
Practical for agents and tooling that support Python script execution and network access to public feeds (Claude Code, Copilot/Codex-based runners, Cursor, Gemini CLI).
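The ingest-and-analyze step described above, as an added example that is not the skill's bundled agent.py nor any code from the Anthropic skill: it parses a feed in the shape of Ransomwatch's posts.json (the field names post_title, group_name and discovered are assumed), deduplicates reposts, skips malformed entries, and computes per-group activity, a monthly posting trend and a sector tally. The sample feed, the sector lookup and the victim names are constructed for the example; a real feed does not carry sector, so that enrichment is a hypothetical analyst-maintained mapping.

```python
"""Added example: offline analysis of a Ransomwatch-style DLS posts feed.
Not part of the skill's agent.py; field names and sample data are assumed."""
import json
from collections import Counter
from datetime import datetime

# Constructed sample feed in the assumed posts.json shape. The last entry is a
# deliberate duplicate repost, which tracker feeds commonly contain.
SAMPLE_FEED = json.dumps([
    {"post_title": "Example Hospital Group", "group_name": "lockbit3",
     "discovered": "2024-01-03 10:15:00.000000"},
    {"post_title": "Acme Manufacturing Ltd", "group_name": "lockbit3",
     "discovered": "2024-01-20 08:00:00.000000"},
    {"post_title": "Northwind Logistics", "group_name": "blackbasta",
     "discovered": "2024-02-02 14:30:00.000000"},
    {"post_title": "Contoso Schools", "group_name": "play",
     "discovered": "2024-02-11 09:45:00.000000"},
    {"post_title": "Fabrikam Clinic", "group_name": "lockbit3",
     "discovered": "2024-02-28 23:59:00.000000"},
    {"post_title": "Contoso Schools", "group_name": "play",
     "discovered": "2024-02-11 09:45:00.000000"},
])

# Hypothetical analyst-maintained enrichment: victim name -> sector.
# Public feeds do not provide sector; this stands in for a classification step.
SECTOR_LOOKUP = {
    "Example Hospital Group": "healthcare",
    "Fabrikam Clinic": "healthcare",
    "Acme Manufacturing Ltd": "manufacturing",
    "Northwind Logistics": "transport",
    "Contoso Schools": "education",
}


def parse_feed(raw):
    """Parse feed JSON into deduplicated records with a datetime 'discovered'.

    Entries missing a required field or carrying an unparsable timestamp are
    skipped rather than crashing the run, so one bad row cannot stop a report.
    """
    records, seen = [], set()
    for item in json.loads(raw):
        title = item.get("post_title")
        group = item.get("group_name")
        ts = item.get("discovered")
        if not (title and group and ts):
            continue
        try:
            when = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S.%f")
        except ValueError:
            continue
        key = (group, title, ts)
        if key in seen:  # drop exact reposts
            continue
        seen.add(key)
        records.append({
            "victim": title,
            "group": group,
            "discovered": when,
            "sector": SECTOR_LOOKUP.get(title, "unknown"),
        })
    return records


def group_activity(records):
    """Number of distinct postings per ransomware group."""
    return Counter(r["group"] for r in records)


def top_groups(records, n=3):
    """Most active groups, highest first."""
    return group_activity(records).most_common(n)


def monthly_trend(records):
    """Postings per YYYY-MM, in chronological order."""
    counts = Counter(r["discovered"].strftime("%Y-%m") for r in records)
    return dict(sorted(counts.items()))


def sector_exposure(records):
    """Postings per sector, using the enrichment lookup."""
    return Counter(r["sector"] for r in records)


if __name__ == "__main__":
    recs = parse_feed(SAMPLE_FEED)
    print("records:", len(recs))
    print("top groups:", top_groups(recs))
    print("monthly:", monthly_trend(recs))
    print("sectors:", sector_exposure(recs))
```

Swap SAMPLE_FEED for the contents of a downloaded posts.json and the same functions produce the group, timeline and sector figures an intelligence report needs; keep the sector mapping in version control so the classification is reproducible between reports.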
This skill guides agents through collecting and analyzing ransomware data-leak site intelligence from public feeds like Ransomwatch and ransomware.live. The SKILL.md is well-structured with solid conceptual explanations and NIST CSF mappings, and the bundled agent.py script has good error handling and clean Python code. However, the primary API endpoint (api.ransomware.live/recentvictims) returns 404 — the URL is outdated and the script is non-functional at runtime. The secondary ransomlook.io API was not tested but may also have availability issues.
Legitimate cybersecurity threat intelligence skill. The 404 on the API is likely due to endpoint migration at ransomware.live rather than a code bug — the API may have moved to a different path. Skill would benefit from updating the API URL and adding a fallback to the Ransomwatch GitHub raw JSON (which is also referenced in the SKILL.md but not in agent.py). No security concerns — all collection is from authorized public sources as the SKILL.md correctly emphasizes.
Evaluating Threat Intelligence Platforms
Guides procurement, evaluation, and proof-of-concept testing for Threat Intelligence Platforms (MISP, OpenCTI, ThreatConnect, Anomali, EclecticIQ) based on inte
Performing Threat Modeling with OWASP Threat Dragon
Use OWASP Threat Dragon to create data-flow diagrams, apply STRIDE/LINDDUN threat classifications, and generate threat-model reports to guide secure design revi
Testing for XSS Vulnerabilities with Burp Suite
Guided workflow to identify, validate, and document reflected, stored, and DOM-based XSS using Burp Suite (scanner, repeater, intruder, DOM Invader).
Hunting for Cobalt Strike Beacons
Detect Cobalt Strike beacon network activity using TLS certificate signatures, JA3/JA3S/JARM fingerprints, HTTP profile matching, and timing analysis in Zeek/Su
Conducting Domain Persistence with DCSync
Guided procedures to identify DCSync-capable accounts and extract Active Directory credential hashes (KRBTGT, admin) for authorized red-team testing and validat
Testing for JSON Web Token (JWT) Vulnerabilities
Techniques and checks to find and exploit common JWT misconfigurations (alg none, alg confusion, kid/JKU injection, weak secrets).
NIST SP 800-30 Cyber Risk Assessment
Conducts comprehensive cybersecurity risk assessments using the NIST SP 800-30 Rev 1 methodology to identify threats, vulnerabilities, and impact.