Attack Flow Generator
Generate SITF-compliant attack flow JSON files from attack descriptions or incident reports.
Usage
code
/attack-flow <attack-name> [source]
- •
attack-name: Identifier for the attack (e.g., "s1ngularity", "solarwinds") - •
source: URL, "websearch" for auto-research, or omit to use conversation context
Arguments: $ARGUMENTS
Instructions
When this skill is invoked:
Phase 1: Research
- •
If source is "websearch" or a URL, gather attack details:
- •Attack timeline and phases
- •Entry point and initial access method
- •Lateral movement and persistence techniques
- •Data exfiltration or impact
- •Affected components (CI/CD, VCS, Registry, Endpoint, Production)
- •
If source is omitted, use context from the current conversation.
Phase 2: Technique Mapping
- •
Read
techniques.jsonto get the full technique library. - •
For each attack step, find the best matching technique:
- •Match by action semantics, not surface keywords
- •Example: Uploading stolen data to repos → T-V003 (Secret Exfiltration), NOT T-V008 (Malicious Hosting)
- •Example: Accessing VCS with stolen creds → T-V001 must come BEFORE any VCS actions
- •
If no matching technique exists:
- •Create a placeholder node with
"type": "technique-gap" - •Include suggested technique metadata in the data field
- •Note in output that
/technique-proposalshould be run for gaps
- •Create a placeholder node with
Phase 3: Layout Calculation
Apply these layout rules:
Rule 1: Component Layout (Left-to-Right by Attack Flow)
- •Order components by their sequence in the attack chain, not by standard SITF order
- •If attack flows CI/CD → Registry → Endpoint → VCS, layout left-to-right accordingly
- •Minimum horizontal gap between components: 80-100px
- •Component x-positions: Use increments of ~300px starting from x=0
Rule 2: Technique Ordering (Top-to-Bottom)
- •Primary: Order techniques by their sequence in the attack flow
- •Secondary: Within same attack step, order by stage (Initial Access → Discovery → Post-Compromise)
- •Vertical gap between techniques: ~130-150px
- •First technique starts at y = component.y + 80
Rule 3: Technique-Component Alignment
- •Every technique node MUST be visually positioned within its parent component
- •Calculate x-position:
component.x + 30 - •Validate technique.data.component matches parent component.data.componentId
Rule 4: Component Sizing
- •Height = (technique_count × 150) + 120 (padding)
- •Width = 230-250px
Rule 5: Edge Connections
- •Connect source.bottom → target.top for vertical flows within component
- •Connect source.right → target.left for cross-component flows
- •Add labels for significant transitions ("Second wave", etc.)
- •Use
"type": "smoothstep"for all edges
Phase 4: JSON Generation
Generate the attack flow JSON with this structure:
json
{
"metadata": {
"name": "Attack Name",
"created": "ISO-8601 timestamp",
"version": "1.0",
"framework": "SITF",
"description": "Brief attack description"
},
"nodes": [
// Entry points, components, techniques, exit points
],
"edges": [
// Connections between nodes
]
}
Node types:
- •
entryPoint: Attack entry (Phishing, Vulnerability Exploit, Stolen Credentials, etc.) - •
component: SITF component container (endpoint, vcs, cicd, registry, production) - •
technique: Attack technique from techniques.json - •
technique-gap: Placeholder for missing technique (flag for /technique-proposal) - •
exitPoint: Attack outcome (Future Breach, Persistence, Secondary Supply Chain Attack, etc.)
Phase 5: Validation
Run this checklist before outputting:
code
[ ] Valid JSON structure (parse test passes)
[ ] Required fields present: metadata.{name,created,version,framework}, nodes[], edges[]
[ ] All node IDs are unique
[ ] All edge source/target reference valid node IDs
[ ] All techniques positioned within their component boundaries (x/y validation)
[ ] Techniques ordered by attack flow sequence
[ ] Initial Access techniques appear first when order is ambiguous
[ ] All technique IDs exist in techniques.json OR flagged as technique-gap
[ ] Exit points connected to terminal techniques
[ ] No orphaned nodes (every non-entry node has incoming edge)
Phase 6: Output
- •Write the JSON file to
sample-flows/<attack-name>.json - •Validate the JSON with Python:
python3 -c "import json; json.load(open('file'))" - •Provide a summary table of the attack flow
- •If any technique-gaps exist, list them and recommend running
/technique-proposal
Example
code
/attack-flow s1ngularity websearch
This will:
- •Search for s1ngularity attack details
- •Map attack steps to SITF techniques
- •Generate
sample-flows/s1ngularity.json - •Output attack flow summary