One security objective, routed to the one reference that owns it.
A single intent-routing skill: scope under a mandatory authorization gate, classify the work into 1 of 14 routes, execute least-impact, and report with reproducible evidence. Offense is always paired with detection and remediation.
The same disciplined arc whether you are attacking, defending, or investigating. The objective enters at Scope and never moves without authorization.
State objective, authorization status, and posture in one line. Hard stop if active work lacks authorization.
Gather context passively, classify the intent, and load only the one routed reference.
Run the routed workflow passive to active, in-scope only, capturing evidence as you go.
Reproduce every finding with command and output, rate severity, drop false positives.
Severity-ordered findings with repro, remediation, and detection guidance.
The gate loads at Scope on every engagement. Passive and read-only is the default. Active scanning, exploitation, credential attacks, or persistence against anything you cannot prove is in-scope: the skill refuses and asks first.
An upstream library of 26 domains and 754 skills, plus passive-first clue hunting, folded into 14 routes. The router classifies the objective and loads exactly one reference on demand, so context stays small and the workflow stays focused.
Turns source and behavior signals into hypotheses, confidence, and a least-impact validation queue.
OSINT, scanning, attack-surface enumeration, vuln triage by CVSS and exploitability.
OWASP Top 10, SQLi / XSS / SSRF / IDOR / auth bypass, GraphQL and REST, WAF behavior.
Segmentation, traffic analysis, IDS/IPS, OT/ICS protocols. Passive-first for ICS.
AD attack paths, privilege escalation, lateral movement, phishing sim, purple-team handoff.
AWS/Azure/GCP hardening, CSPM, Kubernetes RBAC, image scanning, runtime detection.
IAM review, least-privilege, PAM, MFA/SSO, zero-trust segmentation design.
Secure SDLC, SAST/SCA/secret gates, IaC audit, TLS and key management, signing.
SIEM, log analysis, Sigma/YARA rules, hypothesis-driven hunts, LOTL analytics.
STIX/TAXII, MISP, feed profiling, actor and campaign attribution, intel requirements.
Triage, containment, eradication, recovery, BEC and phishing response.
Disk/memory imaging, timeline reconstruction, static and dynamic malware analysis.
Android/iOS app analysis, mobile pentest, MASVS controls, MDM forensics.
CIS / SOC 2 / ISO 27001 mapping, gap assessment, honeytokens and canaries.
Confirm written scope before any active or intrusive action. Default to passive. Refuse and ask when you cannot prove in-scope.
Order actions passive to active, non-destructive to destructive. Never DoS, mass-target, or persist beyond the agreed scope.
Every finding is backed by reproducible evidence. A plausible-but-unverified finding is the failure mode, so drop or downgrade it.
Offensive technique exists to improve defense. Always deliver detection and remediation alongside any exploit finding.
Accurate severity with no inflation, clear repro, and an explicit not-tested section so silence is never read as safe.
The router loads only the reference it classified. Context stays small, the procedure stays focused, the deliverable stays clean.
The whole point is one skill that routes, not a sprawl of skills to install. The breadth lives in the references; the entry point stays single.