Malware Analysis.
Malware analysis is far easier with a methodology that keeps you honest about what you have actually observed versus what you have inferred. This free, MIT-licensed skill runs inside your AI coding agent (Claude Code, Cursor, Codex or Windsurf) and walks a sample through a structured static and dynamic review, drawing out behavioural indicators, interpreting sandbox output and summarising capabilities in language a reader can act on.
What it does.
The skill guides characterisation of a malware sample from first triage through to a written summary. It frames the static review (file properties, strings, imports, packing signals) and the dynamic review (process, file, registry and network behaviour), then helps you interpret sandbox results and pull out behavioural indicators. The result is a capability picture: what the sample does, how it persists and how it communicates, rather than a raw detection dump.
When to use it.
Use it when a hash lands and you need more than a reputation score, when a sandbox report needs translating into analyst-grade findings, or when you are triaging several samples and want a consistent way to record what each one does. It pairs naturally with hash investigation, picking up where a reputation lookup stops.
What you get back.
A structured analysis note covering sample identity, static findings, observed runtime behaviour, a list of behavioural indicators, mapped capabilities and any extracted network indicators worth pivoting on. It flags what was observed directly against what is inferred, so the confidence in each finding is clear to whoever reads it next.
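The note structure described above, and the static and runtime review it summarises, as an added Python example (not code from the skill or its pack): entropy and strings stand in for the packing signal, a constructed sample and a constructed, hypothetical sandbox event list provide the input, and every inference is recorded next to the observation it rests on.

```python
import math
import re

# Constructed stand-in for a file under triage (not real malware): an MZ header, three
# readable strings, then 2048 bytes of uniform high-entropy filler mimicking a packed body.
SAMPLE = (b"MZ\x90\x00" + b"kernel32.dll\x00LoadLibraryA\x00VirtualAlloc\x00"
          + bytes((i * 73 + 17) % 256 for i in range(2048)))

# Constructed sandbox events in a simplified, hypothetical (kind, detail) format.
SANDBOX_EVENTS = [
    ("registry_write", r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\updater"),
    ("file_write", r"C:\Users\Public\updater.exe"),
    ("network_connect", "203.0.113.7:443"),  # documentation address, not a real indicator
]

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: near 8 means almost random (packed/encrypted); text sits near 4-5."""
    n = len(data)
    counts = [data.count(bytes([b])) for b in range(256)]
    return -sum(c / n * math.log2(c / n) for c in counts if c) if n else 0.0

def extract_strings(data: bytes, min_len: int = 6) -> list[str]:
    """Runs of printable ASCII at least min_len long (what `strings -n 6` would list)."""
    return [m.group().decode() for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, data)]

def build_note(data: bytes, events: list[tuple[str, str]]) -> dict:
    """Analysis note that keeps direct observations apart from inferences drawn from them."""
    strs = extract_strings(data)
    ent = round(shannon_entropy(data), 2)
    note = {
        "observed": {"size": len(data), "mz_header": data[:2] == b"MZ", "entropy": ent,
                     "strings": strs, "runtime_events": events},
        "inferred": [],  # (claim, evidence) pairs so the reasoning can be audited later
        "capabilities": set(),
        "network_indicators": [],
    }
    if ent > 7.0 and len(strs) < 10:
        note["inferred"].append(("probably packed or encrypted", f"entropy {ent}, {len(strs)} strings"))
    if {"LoadLibraryA", "GetProcAddress"} & set(strs):
        note["inferred"].append(("may resolve APIs at runtime", "loader API names among strings"))
    for kind, detail in events:  # observed behaviour mapped onto the capability picture
        if kind == "registry_write" and "\\CurrentVersion\\Run" in detail:
            note["capabilities"].add("persistence: Run key")
        elif kind == "file_write" and detail.lower().endswith(".exe"):
            note["capabilities"].add("drops executable")
        elif kind == "network_connect":
            note["capabilities"].add("network communication")
            note["network_indicators"].append(detail)  # candidate for pivoting
    return note
```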
How it fits your workflow.
Run it from your AI coding agent alongside whatever sandbox or static tooling you already use; the skill organises and interprets your findings rather than replacing your analysis environment. The Markdown output slots into a case file or report, and the network indicators it surfaces feed straight into the indicator pivoting and IOC enrichment workflows in the same pack.