.claude/skills/attack-navigator-generator/SKILL.md
Generate MITRE ATT&CK Navigator layers for coverage visualization, threat actor mapping, and gap analysis. Produces JSON files compatible with the Navigator web app.
ATT&CK Navigator Layer Generator
ATT&CK Navigator layers are JSON files that visualize technique coverage on the MITRE ATT&CK matrix. This skill covers generating layers for three primary use cases:
1. Detection coverage visualization
2. Threat actor (group) technique mapping
3. Gap analysis (your coverage compared against a target technique set)
Every layer follows this structure:

```json
{
  "name": "Layer Name",
  "versions": {
    "attack": "18.1",
    "navigator": "5.3.1",
    "layer": "4.5"
  },
  "domain": "enterprise-attack",
  "description": "Layer description",
  "techniques": [
    {
      "techniqueID": "T1059.001",
      "tactic": "execution",
      "score": 75,
      "color": "#66b2ff",
      "comment": "3 Sigma rules, 2 Splunk ESCU rules",
      "enabled": true
    }
  ],
  "gradient": {
    "colors": ["#ff6666", "#ffe766", "#8ec843"],
    "minValue": 0,
    "maxValue": 100
  }
}
```
| Field | Type | Purpose |
|-------|------|---------|
| techniqueID | string | MITRE technique ID (e.g., T1059.001) |
| tactic | string | Tactic shortname (required for sub-techniques that appear in multiple tactics) |
| score | number | 0–100, drives gradient coloring |
| color | string | Hex color override (takes precedence over score gradient) |
| comment | string | Hover text with details |
| enabled | boolean | Whether technique is visible |

| Color | Meaning |
|-------|---------|
| #8ec843 (green) | Good coverage (score 70–100) |
| #ffe766 (yellow) | Partial coverage (score 30–69) |
| #ff6666 (red) | Weak/no coverage (score 0–29) |
| #6baed6 (blue) | Threat actor uses this technique |
| #ffffff (white) | Not assessed / not applicable |

Visualize detection coverage across all techniques. Score is based on the number and quality of detections.
Using MCP tools:
1. get_technique_ids() → Get all covered technique IDs
2. analyze_coverage() → Get tactic-level breakdown
3. generate_coverage_layer(covered_ids) → Generate the layer JSON
Scoring formula (suggested):
Highlight all techniques attributed to a specific threat group.
Using MCP tools:
1. search_groups("APT29") → Find group ID (G0016)
2. get_group_techniques("G0016") → Get technique list
3. generate_group_layer("G0016", "APT29") → Generate the layer
Compare your detection coverage against a target set of techniques (e.g., a threat actor's TTPs).
Using MCP tools:
1. get_technique_ids() → Your covered IDs
2. get_group_techniques("G0016") → Target IDs
3. generate_gap_layer(covered, target, "APT29 Gaps") → Gap layer
Gap layer color scheme:
If MCP tools aren't available, build the JSON directly:

```python
import json


def make_layer(name, techniques, description=""):
    # Wrap a list of technique entries in the layer envelope shown above.
    return {
        "name": name,
        "versions": {"attack": "18.1", "navigator": "5.3.1", "layer": "4.5"},
        "domain": "enterprise-attack",
        "description": description,
        "techniques": techniques,
        "gradient": {
            "colors": ["#ff6666", "#ffe766", "#8ec843"],
            "minValue": 0,
            "maxValue": 100,
        },
    }


# Each entry needs at least techniqueID; score drives the gradient color.
techniques = [
    {"techniqueID": "T1059.001", "score": 80, "comment": "5 detections"},
    {"techniqueID": "T1053.005", "score": 40, "comment": "1 detection"},
]

layer = make_layer("My Coverage", techniques, "Detection coverage as of 2026-02")

with open("coverage_layer.json", "w") as f:
    json.dump(layer, f, indent=2)
```
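The gap-analysis workflow described earlier, built without the MCP tools, as an added example that is not part of the original skill. The color scheme (green for a target technique that has a detection, red for one that has none) follows the color table above and is an assumption, as are the function names and the constructed sample technique IDs; malformed IDs are rejected before a layer is produced.

```python
import json
import re

# Version fields copied from the layer template above.
VERSIONS = {"attack": "18.1", "navigator": "5.3.1", "layer": "4.5"}
TECHNIQUE_ID = re.compile(r"^T\d{4}(\.\d{3})?$")

# Assumed gap-layer scheme, taken from the color table above:
# green = target technique with a detection, red = target technique with none.
COVERED = {"color": "#8ec843", "score": 100, "comment": "Covered: detection exists"}
GAP = {"color": "#ff6666", "score": 0, "comment": "GAP: no detection for this technique"}


def build_gap_layer(covered_ids, target_ids, name):
    """Return a Navigator layer dict marking each target technique as covered or a gap.

    Only target techniques are emitted; detections outside the target set are not gaps
    and are left uncolored. No tactic field is set, so a technique is colored in every
    tactic it appears in.
    """
    covered, target = set(covered_ids), set(target_ids)
    bad = sorted(t for t in covered | target if not TECHNIQUE_ID.match(t))
    if bad:
        raise ValueError(f"malformed technique IDs: {bad}")
    techniques = []
    for tid in sorted(target):
        style = COVERED if tid in covered else GAP
        techniques.append({"techniqueID": tid, "enabled": True, **style})
    gaps = len(target - covered)
    return {
        "name": name,
        "versions": VERSIONS,
        "domain": "enterprise-attack",
        "description": f"{gaps} of {len(target)} target techniques have no detection",
        "techniques": techniques,
        "gradient": {"colors": ["#ff6666", "#ffe766", "#8ec843"],
                     "minValue": 0, "maxValue": 100},
    }


def gap_ids(layer):
    """Technique IDs flagged as gaps in a layer produced by build_gap_layer()."""
    return [t["techniqueID"] for t in layer["techniques"] if t["color"] == GAP["color"]]


if __name__ == "__main__":
    # Constructed sample input standing in for get_technique_ids() / get_group_techniques().
    my_coverage = ["T1059.001", "T1053.005", "T1003.001"]
    actor_ttps = ["T1059.001", "T1053.005", "T1566.001", "T1021.002"]
    layer = build_gap_layer(my_coverage, actor_ttps, "APT29 Gaps (example)")
    with open("gap_layer.json", "w") as f:
        json.dump(layer, f, indent=2)
    print(layer["description"], gap_ids(layer))
```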
Load the layer by uploading the JSON file in the hosted Navigator (https://mitre-attack.github.io/attack-navigator/), or host Navigator locally:

```bash
git clone https://github.com/mitre-attack/attack-navigator.git
cd attack-navigator/nav-app
npm install && npm start
```
Set versions.attack to match the ATT&CK version your analysis used.