bianco_skill
- Python
3
GitHub Stars
1
Bundled Files
2 months ago
Catalog Refreshed
4 months ago
First Indexed
Readme & install
Copy the install command, review bundled files from the catalogue, and read any extended description pulled from the listing source.
Installation
Preview and clipboard use veilstrat where the catalogue uses aiagentskills.
npx veilstrat add skill copyleftdev/sk1llz --skill bianco- SKILL.md15.2 KB
Overview
This skill applies David Bianco's threat hunting frameworks—Pyramid of Pain and the Threat Hunting Maturity Model—to prioritize detections and grow hunting capability. It helps you shift effort from low-value IOC matching toward TTP- and tool-focused detections that impose greater costs on adversaries. Use it to design detection portfolios, assess program maturity, and produce concrete roadmap recommendations.
How this skill works
The skill classifies detections by Pyramid of Pain level (hashes → TTPs) and scores them by adversary pain and false positive rate to inform investment priorities. It also evaluates hunting program attributes (telemetry, staffing, playbooks, automation) to calculate a maturity level and generate a tailored roadmap to advance. Outputs include coverage assessments, improvement recommendations, and playbook-friendly TTP hunt templates.
When to use it
- Designing a detection strategy to maximize operational impact
- Reviewing and prioritizing an existing rule/alert portfolio
- Assessing hunting program maturity and creating a roadmap
- Converting successful hunts into automated detections
- Building hypothesis-driven TTP hunts and playbooks
Best practices
- Prioritize TTP- and tool-based detections over hash/IP matching
- Measure detection value in terms of adversary pain, not just hits
- Document all hunts and convert repeatable workflows to automation
- Hunt with a hypothesis and required telemetry mapped to MITRE
- Retire stale IOC rules and shift effort to behavioral coverage
Example use cases
- Run a coverage report to see whether your detections skew toward low-value IOCs and get remediation steps
- Assess hunting maturity to decide whether to hire dedicated hunters or invest in automation
- Design a TTP-based hunt (e.g., LSASS memory access) with required telemetry and queries for multiple platforms
- Score detections by priority to inform quarterly engineering and SIG investments
- Create a roadmap that takes you from IOC searches to continuous, automated hunting
FAQ
No. Threat intel remains useful for context and lead generation. The skill recommends using intel while shifting primary investment to TTP-based detection and behavioral hunts.
How many TTP detections do we need?
Quality over quantity: aim to have a majority of your investable effort on TTPs and common tools. The sample portfolio flags <10 TTP detections as a clear area for investment.