
Red Team
Plan red-team engagements by modeling MITRE ATT&CK attack paths, effort scores, and choke points toward crown-jewel assets.
Overview
red-team is an agent skill most often used in the Ship (security) phase, and also in Validate (scope) and Operate (monitoring), that builds ATT&CK attack-path graphs with effort scoring and choke-point analysis.
Install
npx skills add https://github.com/alirezarezvani/claude-skills --skill red-team
What is this skill?
- Attack path directed graph: techniques, states, and crown-jewel nodes
- Effort score formula: effort_score = detection_risk × (prerequisite_count + 1)
- Choke-point analysis via betweenness on high-value technique nodes
- Node-type table: starting state, technique, tactic state, crown jewel
- Engagement framing from initial access level to defined success targets
- Attack path graph defines 4 node types in the reference table
Adoption & trust: 584 installs on skills.sh; 17.5k GitHub stars; 2/3 security scanners passed (skills.sh audits).
What problem does it solve?
You know attackers use ATT&CK techniques but lack a structured way to compare paths, effort, and crown-jewel exposure in your environment.
Who is it for?
Security-conscious founders scoping red-team exercises, purple-team drills, or pre-ship hardening on SaaS and API products.
Skip if: Builders seeking copy-paste exploit code without authorization, ROE, or a defined crown-jewel model.
When should I use this skill?
Planning authorized red-team or purple-team work that needs ATT&CK-aligned paths, effort weighting, and choke-point prioritization.
What do I get? / Deliverables
You get documented attack paths, weighted effort scores, and choke-point priorities to focus detections, fixes, and engagement scope.
- Attack path graph model
- Effort-scored technique edges
- Choke-point prioritization for controls and detections
Recommended Skills
Journey fit
Spans multiple journey phases - primary shelf plus alternate fits below.
Attack-path planning is canonical on the security shelf before release or for hardened production targets. Graph-based ATT&CK paths, detection risk, and crown-jewel targeting are core appsec and offensive-assurance work.
Where it fits
Enumerate paths to the production admin API before GA and list choke-point controls to add.
Define crown jewels and starting access for a fixed-scope pentest proposal.
Rank ATT&CK techniques on highest betweenness to tune SIEM detection priorities.
How it compares
Planning methodology and graph scoring—not a passive dependency scanner or generic OWASP checklist skill.
Common Questions / FAQ
Who is red-team for?
Solo builders and small teams doing authorized security assessments, threat modeling, or red-team planning on systems they own or are contracted to test.
When should I use red-team?
In Ship (security) before launch hardening; in Validate (scope) when defining what ‘success’ means for an exercise; in Operate (monitoring) when prioritizing detections on choke-point techniques.
Is red-team safe to install?
Review the Security Audits panel on this Prism page; only use outputs inside signed rules of engagement—unauthorized testing is illegal.
SKILL.md - Red Team
# Attack Path Methodology

Reference documentation for attack path graph construction, choke point scoring, and effort-vs-impact analysis used in red team engagement planning.

---

## Attack Path Graph Model

An attack path is a directed graph where:

- **Nodes** are ATT&CK techniques or system states (initial access, crown jewel reached)
- **Edges** represent prerequisite relationships between techniques
- **Weight** on each edge is the effort score for the destination technique

The goal is to find all paths from the starting node (access level) to each crown jewel node, and to identify which nodes have the highest betweenness centrality (choke points).

### Node Types

| Node Type | Description | Example |
|-----------|-------------|---------|
| Starting state | Attacker's initial access level | external, internal, credentialed |
| Technique node | A MITRE ATT&CK technique | T1566.001, T1003.001, T1550.002 |
| Tactic state | Intermediate state achieved after completing a tactic | initial_access_achieved, persistence_established |
| Crown jewel node | Target asset — defines engagement success | Domain Controller, S3 Data Lake |

---

## Effort Score Formula

Each technique is scored by how hard it is to execute in the environment without triggering detection:

```
effort_score = detection_risk × (prerequisite_count + 1)
```

Where:

- `detection_risk` is 0.0–1.0 (0 = trivial to execute, 1 = will be detected with high probability)
- `prerequisite_count` is the number of earlier techniques that must succeed before this one can be executed

A path's total effort score is the sum of effort scores for all techniques in the path.
### Technique Effort Score Reference

| Technique | Detection Risk | Prerequisites | Effort Score | Tactic |
|-----------|---------------|---------------|-------------|--------|
| T1566.001 Spearphishing Link | 0.40 | 0 | 0.40 | initial_access |
| T1190 Exploit Public-Facing Application | 0.55 | 0 | 0.55 | initial_access |
| T1078 Valid Accounts | 0.35 | 0 | 0.35 | initial_access |
| T1059.001 PowerShell | 0.70 | 1 | 1.40 | execution |
| T1047 WMI Execution | 0.60 | 1 | 1.20 | execution |
| T1053.005 Scheduled Task | 0.50 | 1 | 1.00 | persistence |
| T1543.003 Windows Service | 0.55 | 1 | 1.10 | persistence |
| T1003.001 LSASS Dump | 0.80 | 1 | 1.60 | credential_access |
| T1558.003 Kerberoasting | 0.65 | 1 | 1.30 | credential_access |
| T1110 Brute Force | 0.75 | 0 | 0.75 | credential_access |
| T1021.006 WinRM | 0.65 | 2 | 1.95 | lateral_movement |
| T1550.002 Pass-the-Hash | 0.60 | 2 | 1.80 | lateral_movement |
| T1078.002 Domain Account | 0.40 | 2 | 1.20 | lateral_movement |
| T1074.001 Local Data Staging | 0.45 | 3 | 1.80 | collection |
| T1048.003 Exfil via HTTP | 0.55 | 3 | 2.20 | exfiltration |
| T1486 Ransomware | 0.90 | 3 | 3.60 | impact |

---

## Choke Point Identification

A choke point is a technique node that:

1. Lies on multiple paths to crown jewel assets, AND
2. Has no alternative technique that achieves the same prerequisite state

### Choke Point Score

```
choke_point_score = (paths_through_node / total_paths_to_all_crown_jewels) × detection_risk
```

Techniques with a high choke point score have high defensive leverage — a detection rule for that technique covers the most attack paths.
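The graph model, the effort score formula and the choke point score above can be exercised end to end on a small graph. The following Python is an added example, not code from the red-team skill or its SKILL.md: it builds a constructed attack-path graph (one starting state, seven technique nodes with ratings copied from the reference table, two constructed crown jewels), enumerates every simple path from the start to a crown jewel, sums effort along each path, and scores each technique with the choke point formula. Criterion 2 ("no alternative technique") is not part of the formula, so it is checked separately as a cut-vertex test: a technique is unavoidable when removing it leaves no path to the crown jewel. That test, and the function names, are assumptions of this example rather than something the skill defines.

```python
"""Attack-path graph with effort scoring and choke-point scoring (added example).

Everything below is constructed for illustration: the graph shape, the
crown-jewel names and the choice of which techniques lead where are not
drawn from any real environment.
"""

# technique -> (detection_risk, prerequisite_count), values from the reference table
TECHNIQUES = {
    "T1566.001": (0.40, 0),  # Spearphishing Link
    "T1078":     (0.35, 0),  # Valid Accounts
    "T1059.001": (0.70, 1),  # PowerShell
    "T1003.001": (0.80, 1),  # LSASS Dump
    "T1558.003": (0.65, 1),  # Kerberoasting
    "T1550.002": (0.60, 2),  # Pass-the-Hash
    "T1021.006": (0.65, 2),  # WinRM
}

# Constructed directed graph: node -> successor nodes. The starting state and
# the crown-jewel nodes are not techniques and carry no effort of their own.
START = "external"
CROWN_JEWELS = {"Domain Controller", "File Server"}
EDGES = {
    "external":  ["T1566.001", "T1078"],
    "T1566.001": ["T1059.001"],
    "T1078":     ["T1059.001"],
    "T1059.001": ["T1003.001", "T1558.003"],
    "T1003.001": ["T1550.002"],
    "T1558.003": ["T1021.006"],
    "T1550.002": ["Domain Controller"],
    "T1021.006": ["Domain Controller", "File Server"],
}


def effort_score(technique):
    """effort_score = detection_risk × (prerequisite_count + 1), as defined above."""
    risk, prereqs = TECHNIQUES[technique]
    return risk * (prereqs + 1)


def enumerate_paths(graph, start, targets):
    """Depth-first enumeration of every simple path from start to any target node."""
    paths = []

    def walk(node, trail):
        if node in targets:
            paths.append(list(trail))
            return
        for nxt in graph.get(node, []):
            if nxt not in trail:  # simple paths only, so cycles cannot loop forever
                trail.append(nxt)
                walk(nxt, trail)
                trail.pop()

    walk(start, [start])
    return paths


def path_effort(path):
    """Total effort of a path: the sum of effort scores of its technique nodes."""
    return sum(effort_score(n) for n in path if n in TECHNIQUES)


def choke_point_scores(paths):
    """(paths_through_node / total_paths_to_all_crown_jewels) × detection_risk per technique."""
    total = len(paths)
    scores = {}
    for tech, (risk, _) in TECHNIQUES.items():
        through = sum(1 for p in paths if tech in p)
        scores[tech] = (through / total) * risk if total else 0.0
    return scores


def rank_choke_points(paths):
    """Techniques ordered by choke point score, highest defensive leverage first."""
    return sorted(choke_point_scores(paths).items(), key=lambda kv: kv[1], reverse=True)


def is_unavoidable(graph, start, targets, node):
    """Assumed check for criterion 2: True when no start->target path survives without node."""
    pruned = {k: [v for v in vs if v != node] for k, vs in graph.items() if k != node}
    return len(enumerate_paths(pruned, start, targets)) == 0


def cheapest_path(paths, crown_jewel):
    """Lowest-effort path ending at the given crown jewel, or None if unreachable."""
    candidates = [p for p in paths if p[-1] == crown_jewel]
    return min(candidates, key=path_effort) if candidates else None


if __name__ == "__main__":
    all_paths = enumerate_paths(EDGES, START, CROWN_JEWELS)
    print(f"{len(all_paths)} paths from {START!r} to crown jewels")
    for tech, score in rank_choke_points(all_paths):
        flag = "unavoidable" if is_unavoidable(EDGES, START, CROWN_JEWELS, tech) else "has alternative"
        print(f"  {tech:<10} choke_point_score={score:.3f}  {flag}")
    for jewel in sorted(CROWN_JEWELS):
        best = cheapest_path(all_paths, jewel)
        print(f"lowest effort to {jewel}: {' -> '.join(best)} (effort {path_effort(best):.2f})")
```

On this constructed graph every path runs through T1059.001, so it scores 1.0 × 0.70 = 0.70 and is the one technique that is unavoidable for both crown jewels; that is where a single detection rule buys the most coverage. T1558.003 and T1021.006 each sit on four of the six paths, but removing either still leaves the Pass-the-Hash route to the Domain Controller, so they satisfy criterion 1 and not criterion 2. Because the page's score divides by paths to all crown jewels, a technique that is the only route to one asset (T1021.006 for the File Server here) can still rank below a shared one; passing a single jewel as `targets` to `is_unavoidable` surfaces that per-asset dependency.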
### Common Choke Points by Environment

**Active Directory Domain:**

- T1003 (Credential Access) — required for Pass-the-Hash and most lateral movement
- T1558 (Kerberos Tickets) — Kerberoasting provides service account credentials for privilege escalation

**AWS Cloud:**

- iam:PassRole — required for most cloud privilege escalation paths
- T1078.004 (Valid Cloud Accounts) — credential compromise required for all cloud attack paths

**Hybrid Environment:**

- T1078.002 (Domain Accounts) — once domain credentials are obtained, both on-prem and cloud paths open
- T1021.001 (Remote Desktop Protocol) — primary lateral movement mechanism in Windows environments

---

## Effort-vs-Impact Matrix

Plot each pa