
campaign-attribution-evidence-analysis
by LocoLoboZ
Professional CTI analysis skill for structured attribution using ACH, Diamond Model, and confidence scoring.
Sample Output
A real example of what this skill produces.
The skill first confirms scope and audience. It then builds an evidence register from the analyst notes and the MISP export, classifying each item by category, source, date, confidence, and independence, and applies the Diamond Model to structure the adversary, capability, infrastructure, and victim evidence. The ACH matrix tests each evidence item against APT29, an alternative actor hypothesis, and an unknown actor hypothesis, recording a consistency or inconsistency rating for each pairing. The attribution confidence assessment explains why the confidence level is moderate rather than high: the infrastructure overlap may indicate shared tooling rather than point uniquely to one actor. The report closes with key supporting evidence, key inconsistent evidence, alternative explanations, intelligence gaps, and recommended next steps for the CTI team.
About This Skill
High-Confidence Threat Actor Attribution
Moving from a "hunch" to a defensible attribution assessment is one of the hardest tasks for CTI analysts. This skill provides a rigorous, analytical framework to evaluate cyber campaign evidence, helping you move beyond simple indicator matching to structured intelligence analysis.
What it does
This skill processes CTI reports, incident artifacts, and TTPs to generate a comprehensive attribution profile. It uses industry-standard methodologies to ensure your findings are objective and resilient to scrutiny. It supports:
- Diamond Model Mapping: Structuring adversary, capability, infrastructure, and victim relationships.
- Analysis of Competing Hypotheses (ACH): Testing evidence against multiple actor profiles to eliminate bias.
- Confidence Scoring: Assigning standardized ratings (High/Moderate/Low) based on source provenance, evidence independence, and evidence strength.
- Evidence Register: Building a traceable log of indicators, malware overlaps, and timing patterns.
Why use this skill?
Prompting an AI for attribution often results in "hallucinated" certainty or generic summaries. This skill enforces analytical rigor by requiring alternative hypotheses and identifying intelligence gaps. It filters out weak signals like publicly available tools or easily faked language artifacts, ensuring your report holds up in a briefing or board meeting.
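As an added illustration (not code from the skill or its author), the following Python shows the mechanics the bullets above and the sample output describe: an evidence register weighted by provenance, independence and whether the artefact is public tooling, an ACH matrix scored by weighted inconsistency, and a confidence rule that separates uniquely supporting evidence from evidence that is also consistent with a rival hypothesis. The hypothesis names, the five evidence items, the numeric weights and the confidence thresholds are all constructed assumptions for this example; the real skill works from analyst notes and a MISP export, which this example does not parse.

```python
"""ACH / evidence-register worked example. Added illustration, not the skill's own code.
All evidence items, weights and thresholds below are constructed assumptions."""
from dataclasses import dataclass
from typing import Dict, List

HYPOTHESES = ["APT29", "Alternative actor", "Unknown actor"]  # assumed hypothesis set

# ACH cell ratings: CC/C consistent, N neutral, I/II inconsistent (assumed scale).
INCONSISTENCY = {"CC": 0.0, "C": 0.0, "N": 0.0, "I": 1.0, "II": 2.0}
SUPPORTING = {"CC", "C"}
SOURCE_WEIGHT = {"high": 1.0, "moderate": 0.6, "low": 0.3}  # provenance weights (assumed)


@dataclass
class Evidence:
    eid: str
    category: str            # Diamond Model vertex: adversary/capability/infrastructure/victim
    source: str
    date: str
    source_confidence: str   # provenance: high / moderate / low
    independent: bool        # False if derived from another item already in the register
    public_tooling: bool     # True for commodity / publicly available tools (weak signal)
    ratings: Dict[str, str]  # hypothesis -> ACH rating

    def weight(self) -> float:
        w = SOURCE_WEIGHT[self.source_confidence]
        if not self.independent:
            w *= 0.5      # assumed penalty: derivative reporting
        if self.public_tooling:
            w *= 0.25     # assumed penalty: anyone can use a public tool
        return w

    def diagnostic(self) -> bool:
        # An item rated identically for every hypothesis discriminates nothing.
        return len(set(self.ratings.values())) > 1


# Constructed register (in practice built from analyst notes and a MISP export).
REGISTER: List[Evidence] = [
    Evidence("E1", "capability", "internal malware analysis", "2024-03-02", "high", True, False,
             {"APT29": "C", "Alternative actor": "I", "Unknown actor": "N"}),
    Evidence("E2", "infrastructure", "vendor feed via MISP", "2024-02-20", "moderate", False, False,
             {"APT29": "C", "Alternative actor": "C", "Unknown actor": "N"}),  # shared overlap
    Evidence("E3", "capability", "EDR telemetry", "2024-03-01", "high", True, True,
             {"APT29": "C", "Alternative actor": "C", "Unknown actor": "C"}),  # public tool
    Evidence("E4", "victim", "incident scoping", "2024-02-28", "high", True, False,
             {"APT29": "C", "Alternative actor": "N", "Unknown actor": "N"}),
    Evidence("E5", "adversary", "open-source reporting", "2024-01-15", "low", False, False,
             {"APT29": "I", "Alternative actor": "C", "Unknown actor": "N"}),
]


def inconsistency_totals(register: List[Evidence]) -> Dict[str, float]:
    """ACH core: sum weighted inconsistency per hypothesis over diagnostic items only."""
    totals = {h: 0.0 for h in HYPOTHESES}
    for ev in register:
        if ev.diagnostic():
            for h, rating in ev.ratings.items():
                totals[h] += ev.weight() * INCONSISTENCY[rating]
    return totals


def rank_hypotheses(register: List[Evidence]) -> List[str]:
    """Least-contradicted hypothesis first (the ACH ordering rule)."""
    totals = inconsistency_totals(register)
    return sorted(HYPOTHESES, key=lambda h: totals[h])


def assess(register: List[Evidence], hyp: str) -> dict:
    """Confidence statement for one hypothesis, separating unique from shared support."""
    totals = inconsistency_totals(register)
    rivals = [h for h in HYPOTHESES if h != hyp]
    unique_w, unique_indep = 0.0, 0
    unique, shared, weak = [], [], []
    for ev in register:
        if not ev.diagnostic():
            weak.append(ev.eid)
            continue
        if ev.ratings[hyp] not in SUPPORTING:
            continue
        if any(INCONSISTENCY[ev.ratings[r]] > 0 for r in rivals):
            unique_w += ev.weight()            # supports hyp AND contradicts a rival
            unique_indep += int(ev.independent)
            unique.append(ev.eid)
        else:
            shared.append(ev.eid)              # supports hyp but rules nothing out
    uncontradicted = [r for r in rivals if totals[r] == 0.0]
    # Assumed thresholds: high needs a clean row, two independent unique items, no untouched rival.
    if totals[hyp] == 0.0 and unique_w >= 2.0 and unique_indep >= 2 and not uncontradicted:
        level = "high"
    elif unique_w >= 1.0 and totals[hyp] < 0.5:
        level = "moderate"
    else:
        level = "low"
    gaps = [f"{e}: consistent with every hypothesis, excluded as non-diagnostic" for e in weak]
    gaps += [f"{e}: also fits a rival; may reflect shared tooling or infrastructure" for e in shared]
    gaps += [f"no evidence contradicts '{r}'" for r in uncontradicted]
    return {"hypothesis": hyp, "confidence": level, "inconsistency": round(totals[hyp], 2),
            "unique_support": unique, "shared_support": shared, "gaps": gaps}


if __name__ == "__main__":
    print("ACH ranking:", rank_hypotheses(REGISTER))
    for h in HYPOTHESES:
        print(assess(REGISTER, h))
```

Two things the output makes visible. E3, a public tool seen in EDR telemetry, is consistent with every hypothesis and therefore contributes nothing; it is reported as a gap rather than counted as support. The "Unknown actor" hypothesis ranks first on raw inconsistency because nothing in the register contradicts it, yet it has no supporting evidence and assesses as low, so ranking by inconsistency alone is not attribution. The moderate call for APT29 rests on the single uniquely diagnostic item E1, while E2 (the infrastructure overlap) and E4 also fit a rival and are listed as shared support, which is exactly the reason the sample report gives for stopping short of high.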
Output
The output is a structured analyst report including an ACH matrix, a Diamond Model summary, a formal confidence statement, and defensive recommendations for SOC and IR teams.
Use Cases
- Build a professional ACH matrix for competing threat actor hypotheses.
- Generate a Diamond Model summary of a cyber campaign for executive briefings.
- Evaluate the strength and provenance of CTI evidence to assign confidence levels.
- Identify intelligence gaps and validation questions for incident responders.
How to Install
mkdir -p ~/.claude/skills && curl -sL https://www.agensi.io/api/install/campaign-attribution-evidence-analysis | tar xz -C ~/.claude/skills/
Free skills install directly. Paid skills require purchase: use the download button above after buying. The one-liner extracts the tarball straight into ~/.claude/skills/; to review the SKILL.md before it reaches your agent, fetch the archive with curl -o first, list it with tar tz, and extract it only after inspection.
Security Scanned
Passed automated security review
Permissions
Works with any agent that supports the Universal SKILL.md Standard, including Claude Code, Codex CLI, Cursor, VS Code Copilot, Gemini CLI, OpenClaw, and 20+ compatible agents. No external connectors required - operates from user-supplied CTI source material and incident evidence.
Creator
I design and publish skills built from real professional practice across three areas: cyber security consulting, business operations, and AI workflow engineering. My cyber security skills draw on active advisory work spanning governance, risk, compliance, assurance, and executive reporting. They are built for practitioners who need structured, defensible outputs - not generic templates. My business operations skills cover the day-to-day work of running a consulting practice: bookkeeping, financial tracking, expense reconciliation, and marketing content - designed to reduce repetitive overhead and keep outputs consistent. My AI platform and workflow skills are built for people who want to get more out of Claude and similar platforms - covering prompt engineering, skill architecture, automation pipelines, and agent enhancement. Every skill I publish has been tested in production use before it reaches the marketplace. If it is here, it works.