What are Detection Skills?
Detection Skills extend Anthropic’s Agent Skills for Cyber Defense Engineering. Sigma gave the community a portable way to express what a detection looks for, and remains a valid standard for that. But a detection is more than the query that fires it. The triage, investigation, and tuning that follow have always lived outside it - in playbooks and analysts’ heads. A Detection Skill captures that work in a portable format and attaches it to the detection, authored and versioned alongside it. Those attached skills are where the expertise lives, and they’re built to be reused:
- Domain expertise: Encode how to work a class of alerts (Okta impossible travel, a suspicious OAuth grant, beaconing to a new domain), with the queries and context an investigation needs.
- Repeatable workflows: Every alert of a type is worked the same way, with the agent’s reasoning and evidence attached to the verdict - auditable, not dependent on who’s on shift.
- Cross-detection reuse: Write a skill once (identity context, GeoIP enrichment, a known-VPN check) and call it from any detection that needs it. Improve it in one place; every detection benefits.
How do Detection Skills work?
When the detection’s trigger matches, an agent runs the skills attached to it. The workflow has three phases, each a skill with a defined contract for what it returns:
- Triage: runs on the trigger before it becomes an alert, and returns a decision (e.g. 'escalate', 'dismiss'). Escalating is what turns it into an alert.
- Investigation: runs on what triage escalates, and returns a verdict (e.g. 'malicious', 'suspicious', 'inconclusive', 'benign') plus recommended_actions when it’s not benign.
- Tuning: the feedback loop. Reads the outcome, proposes a change to the detection, and returns an action (e.g. 'exclude', 'include', 'modify', 'fork') plus a target and a value.
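As an added example (not code from the page or from the Vega standard), here is a minimal Python sketch of the three-phase contract run over an assumed Okta impossible-travel trigger, with a reusable known-VPN check shared across detections. The field names src_ip, mfa_used and new_device, the VPN range, and the recommended actions are constructed assumptions.

```python
import ipaddress

# Allowed return values, from the phase contracts described above.
DECISIONS = {"escalate", "dismiss"}
VERDICTS = {"malicious", "suspicious", "inconclusive", "benign"}
ACTIONS = {"exclude", "include", "modify", "fork"}
# Constructed sample: a corporate VPN egress range (TEST-NET-3, hypothetical)
# consulted by a reusable "known-VPN check" skill.
KNOWN_VPN_RANGES = [ipaddress.ip_network("203.0.113.0/24")]

def is_known_vpn(ip: str) -> bool:
    """Cross-detection reusable skill: is this source IP a known VPN egress?"""
    return any(ipaddress.ip_address(ip) in net for net in KNOWN_VPN_RANGES)

def triage(trigger: dict) -> dict:
    """Triage phase: returns {'decision': 'escalate' | 'dismiss', 'reason': ...}."""
    if is_known_vpn(trigger["src_ip"]):  # impossible travel explained by VPN egress
        return {"decision": "dismiss", "reason": "source is known VPN egress"}
    return {"decision": "escalate", "reason": "unrecognised source address"}

def investigate(trigger: dict, context: dict) -> dict:
    """Investigation phase: returns a verdict, plus recommended_actions unless benign."""
    mfa, new_device = context.get("mfa_used", False), context.get("new_device", False)
    verdict = ("malicious" if new_device and not mfa else
               "suspicious" if new_device or not mfa else "benign")
    # Evidence travels with the verdict so the outcome is auditable later.
    result = {"verdict": verdict, "evidence": {"mfa_used": mfa, "new_device": new_device}}
    if verdict != "benign":
        result["recommended_actions"] = ["revoke_sessions", "notify_user"]
    return result

def tune(trigger: dict, outcome: dict):
    """Tuning phase: proposes {'action', 'target', 'value'} for the detection, or None."""
    if outcome["verdict"] == "benign":  # escalated but benign: a false positive to exclude
        return {"action": "exclude", "target": "src_ip", "value": trigger["src_ip"]}
    return None

def run_detection(trigger: dict, context: dict) -> dict:
    """Run the three phases in order, checking each return against its contract."""
    t = triage(trigger)
    assert t["decision"] in DECISIONS
    record = {"triage": t}
    if t["decision"] == "escalate":
        inv = investigate(trigger, context)
        assert inv["verdict"] in VERDICTS
        assert (inv["verdict"] == "benign") == ("recommended_actions" not in inv)
        change = tune(trigger, inv)
        assert change is None or (change["action"] in ACTIONS and {"target", "value"} <= set(change))
        record.update(investigation=inv, tuning=change)
    return record
```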
Why an open standard for Detection Skills?
Most detections aren’t unique to your organization. For a CloudTrail finding, a common SaaS misconfiguration, or a known attacker technique, triage looks much the same everywhere, and no team should have to reinvent it. An open format lets the community build and share that work as open-source skills you can run as-is. The detections that matter most are usually specific to your environment: a particular set of privileged logins, or signs of internal fraud. For these, a team authors its own triage skill, or forks a community one and adjusts its instructions to fit its data, risk tolerance, and policy, and keeps that logic private. Because a Detection Skill is just a folder of instructions and code in a common format, both live side by side: open-source skills for the commodity detections, private skills for the ones that matter most, all reviewed and versioned the same way.
Built on Agent Skills
Detection Skills use the same format as Agent Skills - a folder with a SKILL.md for metadata and instructions, plus optional scripts, references, and assets - so anything that runs Agent Skills can run a Detection Skill. The standard is stewarded by Vega and released as an open format for the cyber defense community: free to adopt, extend, and contribute to.