Agent skill

cyber-defense-team

Orchestrate a 4-agent cyber defense pipeline to analyze log files for threats. Use when investigating security logs, detecting anomalies in access patterns, classifying breach severity, or generating incident reports from nginx/auth/syslog files.

Stars 3,172
Forks 439

Install this agent skill to your Project

npx add-skill https://github.com/FlorianBruniaux/claude-code-ultimate-guide/tree/main/examples/skills/cyber-defense-team

SKILL.md

Cyber Defense Team Skill

Orchestrate a 4-agent pipeline that analyzes log files for security threats and produces an incident report.

Pipeline Architecture

[You] → Team Lead (this skill)
           │
           ├─[1]─→ log-ingestor    (haiku)  → cyber-defense-events.json
           │
           ├─[2]─→ anomaly-detector (sonnet) → cyber-defense-anomalies.json
           │                                    (reads events.json)
           ├─[3]─→ risk-classifier  (sonnet) → cyber-defense-risk.json
           │                                    (reads anomalies.json)
           └─[4]─→ threat-reporter  (sonnet) → cyber-defense-report.md
                                               (reads all 3 JSON files)

Stages 2 and 3 are sequential (each depends on the previous stage's output). Stage 4 runs only after all three JSON files are ready.

Execution Steps

Step 1 — Validate Input

Check that the log file exists (or that log content was provided inline). If the path doesn't exist, tell the user immediately — don't proceed.

Step 2 — Spawn Log Ingestor

Use the Agent tool to spawn the log-ingestor agent:

Task: Parse the log file at [log_path] and write structured events to cyber-defense-events.json.
Log path: [log_path]

Wait for completion. Confirm cyber-defense-events.json was created.

Step 3 — Spawn Anomaly Detector

Use the Agent tool to spawn the anomaly-detector agent:

Task: Read cyber-defense-events.json and detect anomalies. Write results to cyber-defense-anomalies.json.

Wait for completion. If the output reports anomalies_found: 0, skip Step 4 and go straight to Step 5 (the reporter still runs).

Step 4 — Spawn Risk Classifier

Use the Agent tool to spawn the risk-classifier agent:

Task: Read cyber-defense-anomalies.json and classify overall risk. Write result to cyber-defense-risk.json.

Step 5 — Spawn Threat Reporter

Use the Agent tool to spawn the threat-reporter agent:

Task: Read cyber-defense-events.json, cyber-defense-anomalies.json, and cyber-defense-risk.json. Generate a complete incident report and save it to cyber-defense-report.md.

Step 6 — Summarize for User

Read cyber-defense-risk.json and present:

✅ Analysis complete

Risk Level : HIGH
Score      : 74/100
Threats    : 2 anomalies detected
Report     : cyber-defense-report.md

Primary threat: Brute force attack from 192.168.1.105
Immediate action required: [first recommended_action]
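A minimal in-process version of stages 1 to 3 of this pipeline, as an added example that is not part of the skill's own agents: it parses constructed sshd auth.log lines into events, flags a brute-force source IP, and classifies the overall risk. The JSON field names (events, followed_by_success, risk_level, score, recommended_actions) and the scoring thresholds are assumptions; the page itself only names anomalies_found and recommended_action.

```python
import re
from collections import Counter

# Constructed sshd lines (not from the page): five failures from one IP, then a success.
SAMPLE_AUTH_LOG = """\
Mar  3 10:01:02 host sshd[1201]: Failed password for root from 192.168.1.105 port 50122 ssh2
Mar  3 10:01:04 host sshd[1203]: Failed password for root from 192.168.1.105 port 50124 ssh2
Mar  3 10:01:06 host sshd[1205]: Failed password for admin from 192.168.1.105 port 50126 ssh2
Mar  3 10:01:08 host sshd[1207]: Failed password for admin from 192.168.1.105 port 50128 ssh2
Mar  3 10:01:10 host sshd[1209]: Failed password for invalid user test from 192.168.1.105 port 50130 ssh2
Mar  3 10:01:12 host sshd[1211]: Accepted password for admin from 192.168.1.105 port 50132 ssh2
Mar  3 10:02:00 host sshd[1300]: Accepted publickey for alice from 10.0.0.7 port 40000 ssh2
"""

# Captures outcome, user (skipping "invalid user") and source IP; the auth method is ignored.
LINE_RE = re.compile(r"sshd\[\d+\]: (Failed|Accepted) \w+ for (?:invalid user )?(\S+) from (\S+)")

def ingest(text):
    """Stage 1 (log-ingestor): one event per parsable sshd line. Field names are assumed."""
    matches = (LINE_RE.search(line) for line in text.splitlines())
    return {"events": [{"outcome": m.group(1).lower(), "user": m.group(2), "src_ip": m.group(3)}
                       for m in matches if m]}

def detect(events_doc, threshold=5):
    """Stage 2 (anomaly-detector): flag IPs with >= threshold failures; note a later success."""
    evs = events_doc["events"]
    fails = Counter(e["src_ip"] for e in evs if e["outcome"] == "failed")
    ok_ips = {e["src_ip"] for e in evs if e["outcome"] == "accepted"}
    anomalies = [{"type": "brute_force", "src_ip": ip, "failed_attempts": n,
                  "followed_by_success": ip in ok_ips}
                 for ip, n in fails.items() if n >= threshold]
    return {"anomalies_found": len(anomalies), "anomalies": anomalies}

def classify(anomalies_doc):
    """Stage 3 (risk-classifier): 0-100 score, level, and ordered recommended actions."""
    score, actions = 0, []
    for a in anomalies_doc["anomalies"]:
        if a["followed_by_success"]:  # a guessed password may have worked: treat as compromise
            score += 70
            actions.append(f"Terminate sessions from {a['src_ip']} and rotate the targeted credentials")
        else:
            score += 35
            actions.append(f"Block {a['src_ip']} at the firewall and enable rate limiting on sshd")
    score = min(score, 100)
    level = "HIGH" if score >= 70 else "MEDIUM" if score >= 40 else "LOW" if score else "NONE"
    return {"risk_level": level, "score": score, "recommended_actions": actions}

def run_pipeline(text):  # stages 1-3 chained in memory, as the agents chain the JSON files
    anomalies = detect(ingest(text))
    return anomalies, classify(anomalies)
```

The real skill writes each stage's result to its cyber-defense-*.json file and the reporter reads all three; here the dicts are passed directly so the handoff contract between stages is visible in one place.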

Error Handling

  • Agent fails at step 2: Tell user, stop pipeline, show raw error.
  • Agent fails at step 3+: Show partial results, note which stage failed.
  • Log file not found: "File [path] not found. Provide a valid path or paste log content."

Cost Estimate

Stage              Model    Typical tokens
log-ingestor       haiku    ~2K
anomaly-detector   sonnet   ~3K
risk-classifier    sonnet   ~2K
threat-reporter    sonnet   ~3K
Total                       ~10K

For large log files (>10K lines), log-ingestor may use up to 20K tokens.

Example Usage

/cyber-defense-team /var/log/nginx/access.log
/cyber-defense-team /tmp/auth.log
