Anthropic-Cybersecurity-Skills is a free, Apache-2.0 library of 754 AI-native security analyst playbooks covering 26 domains, from threat hunting to cloud forensics to incident response. For any business currently paying an MSSP $50 to $200 per user per month for managed security coverage, this repo is the starting point for a serious audit of whether that contract is still earning its fee.

Anthropic-Cybersecurity-Skills is a free, Apache-2.0 library of 754 structured security analyst playbooks that any AI agent can use to perform real security work. For any business paying a managed security services provider (MSSP) between $50 and $200 per user per month for monitoring, threat hunting, and incident response, it is the most direct question mark that has landed on GitHub trending in months.

The repo does not replace an MSSP in every sense. But it encodes exactly the structured decision-making that makes an MSSP worth paying for.

What the repo actually contains

Most security tool repos give you exploit code, wordlists, or scanning scripts. This one gives an AI agent the practitioner workflow a senior analyst follows when responding to an alert: which questions to ask first, what prerequisites to check, how to execute step by step, and how to interpret the result.

There are 754 of these playbooks across 26 domains: threat hunting, cloud security across AWS, Azure, and GCP, malware analysis, digital forensics, incident response, identity and access management, SOC operations, container security, OT and ICS environments, and web application security, among others. Each playbook is structured Markdown with YAML frontmatter for machine-readable discovery, so an AI agent can find the right skill in under a second and execute it without improvising.

The library maps to five frameworks simultaneously: MITRE ATT&CK, NIST CSF 2.0, MITRE ATLAS, D3FEND, and the NIST AI Risk Management Framework. That mapping is not decoration. Every playbook traces back to a compliance control, which turns the library into audit evidence as well as operational tooling.
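Whether every playbook really carries a usable framework mapping can be checked over a local checkout before the library is treated as audit evidence. The sketch below is an added example, not code from the repository or its author: it parses a flat subset of YAML frontmatter, indexes skills by ATT&CK technique ID, and reports playbooks that are unmapped or malformed. The `mitre_attack` and `nist_csf` field names and the sample playbooks are assumptions constructed for illustration.

```python
import re

# Constructed samples; the field names (mitre_attack, nist_csf) are assumed, not the repo's schema.
SAMPLES = {
    "hunting-iam-anomalies/SKILL.md": "---\nname: hunting-iam-anomalies\n"
        "mitre_attack: [T1078, T1098.001]\nnist_csf: [DE.CM-03]\n---\n# Workflow\n",
    "triaging-phishing/SKILL.md": "---\nname: triaging-phishing\nmitre_attack: []\n---\n# Workflow\n",
    "analyzing-memory/SKILL.md": "---\nname: analyzing-memory\nmitre_attack: [T1055, 1059]\n---\n",
    "notes/SKILL.md": "# No frontmatter here\n",
}

FRONTMATTER = re.compile(r"\A---\r?\n(.*?)\r?\n---\r?\n", re.S)
ATTACK_ID = re.compile(r"^T\d{4}(\.\d{3})?$")  # technique or sub-technique id

def parse_frontmatter(text):
    """Parse a flat YAML subset (`key: scalar`, `key: [a, b]`); None if absent."""
    m = FRONTMATTER.match(text)
    if not m:
        return None
    meta = {}
    for line in m.group(1).splitlines():
        key, sep, val = line.partition(":")
        if not sep or line.lstrip().startswith("#"):
            continue
        val = val.strip()
        if val.startswith("[") and val.endswith("]"):
            val = [v.strip().strip("'\"") for v in val[1:-1].split(",") if v.strip()]
        meta[key.strip()] = val
    return meta

def audit(playbooks):
    """Return (ATT&CK id -> skill names, path -> problem) for a set of playbooks."""
    index, findings = {}, {}
    for path, text in playbooks.items():
        meta = parse_frontmatter(text)
        if meta is None:
            findings[path] = "missing frontmatter"
            continue
        ids = meta.get("mitre_attack") or []
        ids = [ids] if isinstance(ids, str) else ids
        bad = [i for i in ids if not ATTACK_ID.match(i)]
        if not ids:
            findings[path] = "no ATT&CK mapping"
        elif bad:
            findings[path] = "invalid ATT&CK ids: " + ", ".join(bad)
        else:
            for i in ids:
                index.setdefault(i, []).append(meta.get("name", path))
    return index, findings
```

For a real checkout, build the `playbooks` dict from the files on disk and replace the hand-rolled parser with a full YAML library if the frontmatter uses nested or multi-line values.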

Installation is one command.

npx skills add mukul975/Anthropic-Cybersecurity-Skills

After that it works immediately with Claude Code, GitHub Copilot, Cursor, Gemini CLI, OpenAI Codex CLI, and any other platform that follows the agentskills.io standard.

The MSSP cost picture

A 100-person company paying a fully managed MSSP at $100 per user per month is spending $10,000 monthly, or $120,000 annually. That is before compliance reporting add-ons, incident response labor overages, or cloud infrastructure monitoring fees that frequently layer on top of the base contract.

What that contract buys, in most mid-market cases, is 24/7 alert monitoring, a SIEM feeding into a SOC, periodic threat hunting, and someone to call when things go wrong. The human judgment that makes those services worth paying for is the structured playbook knowledge a trained analyst brings to an alert: which questions to ask, and how to tell whether an IAM log anomaly is a misconfiguration or active lateral movement.

That is exactly what this library encodes.

For businesses with an internal IT person or a small security team that currently hands off alert response to an MSSP primarily because the team lacks that deep playbook knowledge, this changes the math. One analyst augmented by 754 structured AI workflows can cover ground that previously required either dedicated security headcount or an external contract.

The honest limits

This is not a drop-in MSSP replacement for most organizations, and overstating that case does not help anyone.

An MSSP brings 24/7 staffed response: a human being who will pick up the phone at 2 AM and start containment while your IT team is asleep. This library cannot do that. It encodes what to do, but it does not automatically do it. Someone still needs to be watching, and someone still needs to act.

The library also requires an AI agent platform to run on. You need Claude Code, Copilot, Cursor, or a comparable tool already integrated into your security workflow. If your team is not already working in an AI-augmented environment, the setup overhead is real, even if it is measured in days rather than months.

And 754 playbooks is a lot of structure to customize. The library ships as general-purpose practitioner workflows, not as playbooks tailored to your specific environment, your stack, your cloud configuration, or your compliance regime. Making these playbooks genuinely useful at the level of specificity that a good MSSP delivers requires a meaningful customization investment upfront.

Where this actually moves the needle

The clearest use case is not replacing an MSSP wholesale. It is using this library to audit whether your current MSSP contract is calibrated correctly.

If your 50-person company is paying $6,000 a month for managed detection and response but your team handles tier-1 triage internally and only escalates real incidents, you are likely paying for response depth you are not using. A co-managed model at the lower end of the pricing range, augmented by AI-assisted playbooks for routine triage, can get you to similar risk coverage at a fraction of that cost.

The second use case is filling the gap that exists at organizations too large for no security coverage but too small to justify a full MSSP contract. That window, roughly 20 to 75 employees, is where MSSP pricing starts at $3,000 to $5,000 a month and the coverage often feels mismatched to the actual risk surface. A single IT generalist with this library on their AI agent can handle threat hunting, log triage, and incident response workflows with the structured confidence of someone who has done it a hundred times.

The third use case is compliance readiness. Every playbook in this library maps back to NIST CSF 2.0 and MITRE ATT&CK, which means running a threat hunt or an IAM audit through one of these skills generates traceable evidence of control execution. For organizations preparing for SOC 2, ISO 27001, or cyber insurance renewal, that trail has direct dollar value.

What the star count says

The repo crossed 10,000 GitHub stars in roughly the same timeframe that knowledge-work-plugins took to clear 20,000. Security professionals are a more specific audience than general knowledge workers, so the pace is different. But 880 stars in a single day, from that audience, is a signal worth reading. Security engineers are not casual GitHub stargazers. When they star a repo, something in it solved a problem they actually have.

There are 4.8 million unfilled cybersecurity roles globally, according to ISC2's 2024 workforce study. That is not a recruiting problem with a recruiting solution. It is a knowledge transfer problem, and a library of 754 structured AI playbooks is one of the more direct attempts anyone has made to address it.

The most expensive part of any security program is the accumulated judgment of people who have seen enough incidents to know what matters. This project is an attempt to make that judgment transferable, searchable, and automatable. Whether it earns its place in your stack depends on what you are currently paying for, and what problem you are actually trying to solve.