bianco_skill

This skill helps you design threat detection using the Pyramid of Pain and Threat Hunting Maturity Model to maximize adversary pain.
  • Python

3

GitHub Stars

1

Bundled Files

2 months ago

Catalog Refreshed

4 months ago

First Indexed

Readme & install

Copy the install command, review bundled files from the catalogue, and read any extended description pulled from the listing source.

Installation

Preview and clipboard use veilstrat where the catalogue uses aiagentskills.

npx veilstrat add skill copyleftdev/sk1llz --skill bianco

  • SKILL.md15.2 KB

Overview

This skill applies David Bianco's threat hunting frameworks—Pyramid of Pain and the Threat Hunting Maturity Model—to prioritize detections and grow hunting capability. It helps you shift effort from low-value IOC matching toward TTP- and tool-focused detections that impose greater costs on adversaries. Use it to design detection portfolios, assess program maturity, and produce concrete roadmap recommendations.

How this skill works

The skill classifies detections by Pyramid of Pain level (hashes → TTPs) and scores them by adversary pain and false positive rate to inform investment priorities. It also evaluates hunting program attributes (telemetry, staffing, playbooks, automation) to calculate a maturity level and generate a tailored roadmap to advance. Outputs include coverage assessments, improvement recommendations, and playbook-friendly TTP hunt templates.

When to use it

  • Designing a detection strategy to maximize operational impact
  • Reviewing and prioritizing an existing rule/alert portfolio
  • Assessing hunting program maturity and creating a roadmap
  • Converting successful hunts into automated detections
  • Building hypothesis-driven TTP hunts and playbooks

Best practices

  • Prioritize TTP- and tool-based detections over hash/IP matching
  • Measure detection value in terms of adversary pain, not just hits
  • Document all hunts and convert repeatable workflows to automation
  • Hunt with a hypothesis and required telemetry mapped to MITRE
  • Retire stale IOC rules and shift effort to behavioral coverage

Example use cases

  • Run a coverage report to see whether your detections skew toward low-value IOCs and get remediation steps
  • Assess hunting maturity to decide whether to hire dedicated hunters or invest in automation
  • Design a TTP-based hunt (e.g., LSASS memory access) with required telemetry and queries for multiple platforms
  • Score detections by priority to inform quarterly engineering and SIG investments
  • Create a roadmap that takes you from IOC searches to continuous, automated hunting

FAQ

No. Threat intel remains useful for context and lead generation. The skill recommends using intel while shifting primary investment to TTP-based detection and behavioral hunts.

How many TTP detections do we need?

Quality over quantity: aim to have a majority of your investable effort on TTPs and common tools. The sample portfolio flags <10 TTP detections as a clear area for investment.

Built by
VeilStrat
AI signals for GTM teams
© 2026 VeilStrat. All rights reserved.All systems operational