Agent SkillsAgent Skills
OTRF

hunt-focus-definition

@OTRF/hunt-focus-definition
OTRF
4,519
848 forks
Updated 3/31/2026
View on GitHub

Define a focused hunt hypothesis by synthesizing completed system internals and adversary tradecraft research. Use this skill after research has been completed to narrow a high-level hunt topic into a single, concrete attack pattern with clear investigative intent. This skill produces a structured, testable hypothesis and should be used before selecting data sources, defining environment scope, or developing analytics.

Installation

$npx agent-skills-cli install @OTRF/hunt-focus-definition
Claude Code
Cursor
Copilot
Codex
Antigravity

Details

RepositoryOTRF/ThreatHunter-Playbook
Path.github/skills/hunt-focus-definition/SKILL.md
Branchmain
Scoped Name@OTRF/hunt-focus-definition

Usage

After installing, this skill will be available to your AI coding assistant.

Verify installation:

npx agent-skills-cli list

Skill Instructions

name: hunt-focus-definition description: Define a focused hunt hypothesis by synthesizing completed system internals and adversary tradecraft research. Use this skill after research has been completed to narrow a high-level hunt topic into a single, concrete attack pattern with clear investigative intent. This skill produces a structured, testable hypothesis and should be used before selecting data sources, defining environment scope, or developing analytics. metadata: short-description: Define a structured hunt hypothesis

Define Hunt Focus

This skill synthesizes completed research on system internals and adversary tradecraft into a single, focused hypothesis that defines what specific attack pattern will be investigated in the hunt.

It is executed after research has been completed and before detailed hunt planning, environment scoping, or query development.

Workflow

  • You MUST complete each step in order and MUST NOT proceed until the current step is complete.
  • You MUST NOT perform new web searches or introduce new research in this skill.

Step 1: Synthesize Research Context

Establish the context required to define a focused hunt hypothesis using the outputs of prior research.

  • Use the provided hunt research context.
  • Draw only from:
    • System internals research findings
    • Adversary tradecraft research findings
    • Identified candidate abuse patterns
  • Do NOT read additional reference documents or perform new research.

This step is complete when there is sufficient context to reason about a concrete, observable attack pattern.

Step 2: Select a Single Attack Pattern

Select one attack pattern to focus the hunt.

  • Choose the pattern that is:
    • Most realistic for the environment
    • Clearly observable based on expected telemetry
    • Actionable for hypothesis-driven investigation
  • If multiple patterns exist, select the dominant one.

Do NOT select multiple patterns.

Step 3: Generate the Hunt Hypothesis

Create a structured hunt hypothesis describing the selected attack pattern.

  • Use the format defined in references/hypothesis-template.md within this step ONLY.
  • Populate all required sections of the template.

Do NOT define time windows, environment scope, data sources, or constraints in this step.
Those details are defined later when the hunt is assigned to a specific environment or operational context.

More by OTRF

View all
hunt-analytics-generation
4,519

Generate query-agnostic analytics that model adversary behavior by translating hunt investigative intent into analytic definitions grounded in schema semantics. This skill is used to define how behavior should manifest in data before query execution or validation, and works best when informed by system internals, adversary tradecraft, a structured hunt focus, and suggested data sources.

hunt-blueprint-generation
4,519

Assemble a complete hunt blueprint by consolidating outputs from prior hunt planning skills into a single, structured plan for execution. Use this skill after system and tradecraft research, hunt focus definition, data source identification, and analytics generation have been completed. This skill is synthesis and packaging only and must not introduce new research, assumptions, or analytics.

hunt-data-source-identification
4,519

Identify relevant security data sources that could capture the behavior defined in a structured hunt hypothesis. Use this skill after the hunt focus has been defined to translate investigative intent into candidate telemetry sources using existing platform catalogs. This skill supports hunt planning by reasoning over available schemas and metadata before analytics development or query execution.

hunt-research-system-and-tradecraft
4,519

Research system internals and adversary tradecraft to ground a threat hunt in real system behavior and realistic abuse patterns. Use this skill at the start of hunt planning, when you are given a high-level hunt topic but lack a clear understanding of how the system normally operates or how adversaries are known to abuse it. This skill informs early hunt direction by producing candidate abuse patterns, key assumptions, and cited sources, and should be used before defining a concrete hunt hypothesis or selecting data sources.