Reference & method
The skills,and how one is written.
An open, public reference of 56 skills, at least one for every part of the model, and the method to author and fit one to the tools and process you already run. A skill is only worth anything once it is fitted; the method is the value, not the number. Skills are one lever of six.
What is in the reference set
56 skills, across all 18 control areas.
One or more reference skills for each area of the model, so you can see the shape of a fitted control in any domain. Each is a worked, open example, raw material to take prints from, never a finished control for your stack until you fit and measure it.
completing the ai caiq self assessment
Use this skill when you need to complete the CSA AI Consensus Assessments Initiative Questionnaire (AI-CAIQ) for your organization, producing a shareable, verifiable self-attestation of AI security controls.
conducting an aicm control assessment
Use this skill when you need to conduct a structured assessment of your organization's AI controls against the CSA AICM control framework, producing a scored maturity profile and gap remediation plan.
defending against prompt injection
Use this skill when you need to harden an LLM application against prompt injection attacks, where adversarial content in user inputs or retrieved documents attempts to override system instructions or exfiltrate data.
deploying llm output guardrails
Use this skill when you need to intercept, classify, and block or rewrite unsafe, off-topic, or policy-violating LLM outputs before they reach end users, using layered guardrail controls.
detect mcp adversarial input corpus
Use this skill when you need runtime detection of adversarial prompts / jailbreak attempts matching a curated fingerprint catalog, running the vendored detector over OCSF-normalized MCP activity to emit detection findings.
detect mcp shadow tool injection
Use this skill when you need runtime detection of MCP tool poisoning where a tool's description or inputSchema is mutated mid-session away from a server-registered baseline, running the vendored detector over OCSF-normalized MCP activity to emit detection findings.
detect mcp tool drift
Use this skill when you need runtime detection of MCP tool-poisoning / rug-pull where a tool's schema changes within a session after the agent has already trusted it, running the vendored detector over OCSF-normalized MCP activity to emit detection findings.
detect mcp unbounded tool output
Use this skill when you need runtime detection of unbounded tool-output consumption (OWASP LLM10) where a tool systematically breaches output ceilings, running the vendored detector over OCSF-normalized MCP activity to emit detection findings.
detect prompt injection mcp proxy
Use this skill when you need runtime detection of prompt-injection and instruction-smuggling language embedded in MCP tool descriptions, running the vendored detector over OCSF-normalized MCP activity to emit detection findings.
detect system prompt extraction
Use this skill when you need runtime detection of MCP tool-call responses that leak system-prompt or hidden-instruction material, running the vendored detector over OCSF-normalized MCP activity to emit detection findings.
hardening agent orchestration against drift
Use this skill when you need to prevent an AI agent orchestration system from drifting outside its intended scope through goal hijacking, runaway loops, or unauthorized sub-agent delegation.
implementing content safety output filtering
Use this skill when a generative AI application exposes free-form output to end users and you need to filter that output through a content-safety classifier before it reaches them.
securing mcp server and tool boundaries
Use this skill when you need to harden a Model Context Protocol server and its exposed tools against unauthorized invocation, privilege escalation, and data exfiltration through agent-initiated tool calls.
designing ai service failover and resilience
Use this skill when you need to design failover and resilience patterns for AI services — including LLM API fallback, model endpoint redundancy, and graceful degradation under provider outages.
versioning models and system prompts with rollback
Use this skill when you need to implement version control and rollback capability for AI model artifacts and system prompts, so that a bad deployment can be reverted within minutes without manual intervention.
protecting model artifacts with key management
Use this skill when you need to encrypt AI model artifacts at rest using customer-managed keys, implement key rotation, and control access to model weights through a key management service.
isolating ai training clusters
Use this skill when you need to network-isolate an AI training cluster to prevent training data and model weights from being accessible outside the training environment, and to limit the blast radius of a compromise.
detect tool output exfiltration instructions
Use this skill when you need runtime detection of MCP tool-call responses instructing the agent to exfiltrate conversation history, prompts, files, or secrets, running the vendored detector over OCSF-normalized MCP activity to emit detection findings.
implementing permission aware retrieval for rag
Use this skill when building or auditing a RAG system that must enforce fine-grained document-level permissions, ensuring each user retrieves only documents their identity and role permit them to see.
scanning training and grounding data for pii
Use this skill when you need to detect, classify, and remediate personally identifiable information in datasets before they are used to train, fine-tune, or ground an AI model.
securing rag pipelines against data leakage
Use this skill when you need to audit, harden, or redesign a Retrieval-Augmented Generation pipeline to prevent sensitive documents from leaking to unauthorized users through LLM responses.
validating training data provenance and lineage
Use this skill when you need to establish or verify the chain of custody for a training dataset — confirming source, transformation history, and licensing before a model is trained or released.
building an ai risk register
Use this skill when you need to create or maintain a structured AI risk register that captures, scores, and tracks mitigations for identified risks across an organization's AI portfolio.
classifying ai systems under eu ai act
Use this skill when you need to classify an AI system under the EU AI Act risk tiers — unacceptable, high-risk, limited, or minimal — and determine the resulting compliance obligations.
mapping controls to iso 42001
Use this skill when you need to map your organization's existing security and AI controls to ISO/IEC 42001 requirements and produce a gap analysis and compliance coverage report.
establishing ai acceptable use and developer training
Use this skill when you need to create an AI acceptable use policy, security training curriculum, and attestation process for developers and staff who build or use AI systems.
bounding agent autonomy and tool scopes least privilege
Use this skill when an AI agent can invoke state-changing tools and you need to bound its blast radius with least-privilege tool scopes, rate limits, and budgets enforced by a fail-closed broker.
implementing on behalf of delegation and consent
Use this skill when an AI agent must act on behalf of a human user, requiring explicit OAuth delegation flows, consent capture, and auditable on-behalf-of token chains to prevent privilege escalation.
managing agent credential rotation and revocation
Use this skill when you need to rotate API keys or secrets used by AI agents on a schedule, or immediately revoke credentials when an agent is compromised, decommissioned, or behaves anomalously.
provisioning non human identities for ai agents
Use this skill when you need to create, scope, and govern dedicated non-human identities for AI agents — service accounts, workload identities, or machine credentials — separate from human user accounts.
scoping mcp tool authorization least privilege
Use this skill when you need to apply least-privilege principles to MCP tool grants, ensuring each AI agent can invoke only the specific tools and parameter ranges required for its assigned task.
enabling model and data portability and export
Use this skill when you need to implement model and training data export capabilities so that an organization can migrate away from a provider, exercise data portability rights, or fulfill GDPR data export obligations.
applying zero trust to ai workloads
Use this skill when you need to apply zero-trust principles to AI workload networking — ensuring no implicit trust between AI services, agents, and data stores, with continuous verification at every layer.
capturing agent action and delegation telemetry
Use this skill when you need to instrument an AI agent system to capture every tool call, sub-agent delegation, and state transition as structured telemetry for security investigation and compliance purposes.
detecting cascading and feedback loop agent behavior
Use this skill when agents can chain actions or read from and write to a shared source, and you need to detect cascades and feedback loops behind a circuit-breaker.
detecting prompt injection and jailbreak attempts
Use this skill when you need to monitor LLM application logs for prompt injection and jailbreak attempts in real time, alert on patterns, and feed detections into a SIEM for incident response.
fitting ai triage to known noise sources
Use this skill when an AI-assisted alert triage system is flagging too many known-benign patterns as incidents, and you need to fit its decision policy to your organization's specific noise sources — vulnerability scanners, backup service accounts, VPN egress ranges, approved tooling — without suppressing genuine true positives.
implementing prompt and response logging
Use this skill when you need to implement structured, tamper-resistant logging of LLM prompts and responses to support security monitoring, incident investigation, and compliance audits.
conducting adversarial robustness testing
Use this skill when you need to systematically measure how an AI model responds to adversarial inputs — perturbations, out-of-distribution samples, and evasion attacks — before production deployment.
detect mcp model artifact tampering
Use this skill when you need runtime detection of ML supply-chain compromise where an MCP server swaps a model artifact (weights, adapter, tokenizer) mid-session, running the vendored detector over OCSF-normalized MCP activity to emit detection findings.
detect mcp model token flood
Use this skill when you need runtime detection of unbounded prompt-token consumption against a model endpoint over MCP (OWASP LLM10), running the vendored detector over OCSF-normalized MCP activity to emit detection findings.
evaluating model safety bias and harm
Use this skill when you need to systematically evaluate an AI model for safety failures, demographic bias, and harmful output potential before releasing it to production or a broader audience.
monitoring model drift and degradation
Use this skill when you need to detect data drift, concept drift, or performance degradation in a deployed AI model through continuous monitoring, alerting, and automated rollback triggers.
verifying model integrity and provenance signing
Use this skill when you need to cryptographically verify that a model artifact has not been tampered with since it was produced, and to sign new model artifacts so downstream consumers can establish provenance.
building an ai incident response playbook
Use this skill when you need to create or update an incident response playbook that covers AI-specific incident types — model compromise, prompt injection attacks, data leakage through LLM outputs, and agent credential theft.
implementing kill switch and rollback for autonomous agents
Use this skill when an autonomous AI agent holds state-changing permissions in production and you need an emergency kill switch and per-action rollback the SOC can invoke within seconds.
investigating compromised ai agent credentials
Use this skill when you suspect or have confirmed that credentials used by an AI agent have been stolen or misused, and need to contain the incident, reconstruct the timeline, and restore secure operations.
assessing third party model and provider risk
Use this skill when you need to evaluate the security, privacy, and compliance risks of adopting a third-party AI model provider, API service, or pre-trained model before onboarding.
detect mcp plugin supply chain
Use this skill when you need runtime detection of MCP plugin/tool whose inputSchema references a hostname outside an allowlist (supply-chain risk), running the vendored detector over OCSF-normalized MCP activity to emit detection findings.
generating an ai bill of materials
Use this skill when you need to produce a machine-readable AI Bill of Materials that inventories all models, datasets, libraries, and supply chain dependencies for an AI system deployment.
verifying open model supply chain integrity
Use this skill when you need to verify that an open-weight model downloaded from a public registry has not been tampered with, backdoored, or substituted before it is deployed in your environment.
assessing jailbreak resistance pre deployment
Use this skill when you need to quantitatively score a deployed or pre-production LLM system's resistance to jailbreak attempts before go-live, producing a pass/fail safety gate result.
detecting deepfake audio in vishing attacks
Use this skill when you need to determine whether a recorded phone call contains AI-generated deepfake speech, extracting spectral features to classify the audio and produce a forensic report.
red teaming llm applications
Use this skill when you need to conduct a structured red-team assessment of an LLM application, systematically probing for jailbreaks, data extraction, harmful output, and safety bypass vulnerabilities.
scanning ai bom for vulnerable components
Use this skill when you need to generate an AI Bill of Materials and scan it for known CVEs, malicious packages, and supply chain risks in ML frameworks, model dependencies, and data pipeline libraries.
governing ai coding assistant endpoints
Use this skill when you need to govern which AI coding assistant endpoints developers may connect to from managed devices, preventing data leakage to unapproved external AI services through IDE plugins and CLI tools.
What a skill is
Anatomy of a skill, in plain language.
A skill is not a document to read, it is an executable procedure: the same five parts every time, so a person or an AI agent can run it and produce evidence. Here is a real one from the set, assessing jailbreak resistance pre deployment, which scores an app’s resistance to jailbreaks before go-live and returns a pass or fail.
When to Use
The trigger. Plain words for the situation this skill answers, so you know it is the right one to reach for.
Inputs
What it needs from you and your stack: the model endpoint, the attack corpus, the thresholds. These are where it binds to your tools.
Procedure
Numbered, concrete steps with real commands and API calls, no ambiguity. This is the part an agent can actually run.
Outputs
What it produces: here, a score and a pass or fail gate result you can act on or attach as evidence.
Quality Checks
How you know it worked, so the result is trustworthy, not just produced.
The method
Write it generic. Fit it to your stack. Measure it.
A thousand unfitted skills are inventory, not capability. The engine has two halves: a skill is authored generic against the schema, then bound to a function’s deployed tools and real process through its fit-points, the configuration that turns raw material into a measured result. The five-step motion and the six kinds of fit-point:
Engage & set scope
Baseline the posture
Prioritize the gaps
Apply the fitted skill
A skill ships as a generic core with an explicit fit interface: named points where it must be adapted to the client. Fitting that interface — not the template — is the deliverable.
generic-core + fit interface
Each fit-point declares a kind:
worked instance · splunk detection-rule skill
- Splunk deployment typeenvironment
- Security index namesenvironment
- CIM data model availabilitydata-source
- Threat-intel lookup tablesdata-source
Measure & iterate
Proof is per-engagement and task-level: the same work, skills-off vs skills-on, measured before and after on the one workflow in scope. We report measured results only when a real measurement protocol has been run; everything else is labelled as a projection.
modeled · illustrativeToday’s published figures are modeled, not measured. See the worked example for the projected before/after, clearly labelled as such.
The full seven-step authoring walk-through is in the essay How a Skill Is Built and Fitted →; the schema and a worked example live in the reference’s SKILL_SPEC →. Take the sample further: fork it, swap its fit-points for your own tools, and re-measure.
Running it
How an instrument runs a skill against a target.
A skill is the procedure; an instrument is what it runs. A large language model (LLM) or agent reads the skill, calls the open-source instrument with the inputs the fit-points named, runs it against the target, and scores the result against the skill’s quality checks. That is how a modeled control becomes a measured one.
Skill
the procedure
Instrument
the open-source tool or corpus
LLM / agent
reads the skill, makes the call
Target
app · data · process · vendor
Evidence
a measured before and after
Proven, not theoretical: StoryBond’s harness runs an attack corpus against the app’s guard on a staging clone with synthetic data, scoring it 53% → 100%. See the run →
The target is not always an app.
An organisation’s AI surface is bigger than one app, so the target changes with the posture. The three instrument lanes map to the three postures:
Testers · Built
The target is a model or app endpoint.
Garak · PyRIT · Promptfoo, run against your own app.
Corpora · Used
The target is staff usage and policy, not an endpoint.
a fixed stimulus set to surface shadow AI or test AI-literacy.
Controls · Bought
The target is a vendor’s responsibility evidence.
grade a procured model’s attestations across the shared line.
The instruments are open-source complements you fit, never a tool you must buy into. And the discipline is non-negotiable: a staging clone, synthetic data, never production or real personal data. See the instruments →
How it connects
Where these skills show up in the practice.
The reference set is the substrate, not the product. A fitted skill is one lever inside a larger motion:
The fitted few
A handful of skills, fitted per play, do the work, not the whole pool.
See the fitted few →Inside a play
A skill is one of six levers a play uses to move its key performance indicator (KPI); the rest are vendor features, automation, process, people, and policy.
See the plays →Proven on a live app
StoryBond fitted a jailbreak guard to its own attack classes and measured the lift, the same gate the sample scores.
See the proof →As a pipeline gate
The jailbreak-resistance skill is the prompt-injection red-team gate (gate #4, Test) in the DevSecAIOps tollgates.
See the gates →
Not your role?
Each role has its own way in. Here is where the others start.