Deploy XM Cyber's continuous exposure management platform to map attack paths, identify choke points, and prioritize the 2% of exposures that threaten critical assets.
Works with
AI-first code editor with Composer
Before installing skills in Cursor, ensure your development environment meets these requirements:
node --versionimplementing-attack-path-analysis-with-xm-cyberExecute the skills CLI command in your project's root directory to begin installation:
Fetches implementing-attack-path-analysis-with-xm-cyber from mukul975/Anthropic-Cybersecurity-Skills and configures it for Cursor.
The CLI shows a list of agents. Use arrow keys and space to select Cursor:
Confirm successful installation by checking the skill directory location:
Restart Cursor to activate implementing-attack-path-analysis-with-xm-cyber. Access via /implementing-attack-path-analysis-with-xm-cyber in your agent's command palette.
We perform automated surface-level scans (Gen AI Scanner, Socket, Snyk) during installation. These checks detect common vulnerabilities but do not guarantee complete security. Always review skill source code and verify the publisher's reputation before production use.
Skills execute code in your environment. Always review source, verify the publisher, and test in isolation before production.
Submit your Claude Code skill and start earning
Quickly understand datasets, identify patterns, and generate insights
Example
Analyze CSV with 100K rows, identify outliers, visualize correlations, suggest hypotheses
Reduce EDA time from hours to minutes, uncover insights faster
Write scripts to clean messy data, handle missing values, normalize formats
Example
Generate Python/SQL to fix date formats, impute missing values, remove duplicates
Automate 80% of data preprocessing work
Perform hypothesis testing, regression, and statistical modeling
Example
Run A/B test analysis, calculate confidence intervals, interpret p-values
0
total installs
0
this week
8.6K
GitHub stars
0
upvotes
Run in your terminal
0
installs
0
this week
8.6K
stars
| name | implementing-attack-path-analysis-with-xm-cyber |
| description | Deploy XM Cyber's continuous exposure management platform to map attack paths, identify choke points, and prioritize the 2% of exposures that threaten critical assets. |
| domain | cybersecurity |
| subdomain | vulnerability-management |
| tags | - xm-cyber - attack-path-analysis - exposure-management - ctem - choke-points - breach-simulation - attack-surface |
| version | '1.0' |
| author | mahipal |
| license | Apache-2.0 |
| nist_csf | - ID.RA-01 - ID.RA-02 - ID.IM-02 - ID.RA-06 |
XM Cyber is a continuous exposure management platform that uses attack graph analysis to identify how adversaries can chain together exposures -- vulnerabilities, misconfigurations, identity risks, and credential weaknesses -- to reach critical business assets. According to XM Cyber's 2024 research analyzing over 40 million exposures across 11.5 million entities, organizations typically have around 15,000 exploitable exposures, but traditional CVEs account for less than 1% of total exposures. The platform identifies that only 2% of exposures reside on "choke points" of converging attack paths, enabling security teams to focus on fixes that eliminate the most risk with the least effort.
Unlike point-in-time vulnerability scanning, XM Cyber continuously models all possible attack paths across the entire environment:
| Traditional Scanning | XM Cyber Attack Path Analysis |
|---|---|
| Lists individual vulnerabilities | Maps chained attack paths |
| Scores by CVSS severity | Scores by reachability to critical assets |
| Point-in-time assessment | Continuous real-time modeling |
| No context of lateral movement | Models full lateral movement chains |
| Treats each vuln independently | Shows how vulns chain together |
| Finding | Statistic |
|---|---|
| Average exposures per organization | ~15,000 |
| CVE-based exposures | < 1% of total |
| Misconfiguration-based exposures | ~80% of total |
| Exposures on critical choke points | 2% |
| Orgs where attackers can pivot on-prem to cloud | 70% |
| Cloud critical assets compromisable in 2 hops | 93% |
| Critical asset exposures in cloud platforms | 56% |
A choke point is a single entity (host, identity, credential, misconfiguration) that sits at the intersection of multiple attack paths leading to critical assets. Fixing a choke point eliminates many attack paths simultaneously, providing maximum risk reduction per remediation effort.
Attack Path 1: Web Server -> SQL Injection -> DB Admin Creds
\
Attack Path 2: VPN -> Stolen Creds -> File Server -> Domain Controller
/ (Critical Asset)
Attack Path 3: Workstation -> Mimikatz -> Cached Creds
^
CHOKE POINT
(Cached Domain Admin credential)
| Category | % of Exposures | Examples |
|---|---|---|
| Identity & Credentials | 40% | Cached credentials, over-privileged accounts, Kerberoastable SPNs |
| Misconfigurations | 38% | Open shares, weak permissions, missing hardening |
| Network Exposures | 12% | Open ports, flat networks, missing segmentation |
| Software Vulnerabilities | 8% | Unpatched CVEs, outdated software |
| Cloud Exposures | 2% | IAM misconfig, public storage, overly permissive roles |
Critical Asset Definition:
Tier 1 - Crown Jewels:
- Domain Controllers (Active Directory)
- Database servers with PII/financial data
- ERP systems (SAP, Oracle)
- Certificate Authority servers
- Backup infrastructure (Veeam, Commvault)
Tier 2 - High Value:
- Email servers (Exchange)
- File servers with IP/trade secrets
- CI/CD pipeline servers
- Jump servers / PAM vaults
Tier 3 - Supporting Infrastructure:
- DNS/DHCP servers
- Monitoring systems
- Logging infrastructure
Deployment Architecture:
On-Premises:
- Install XM Cyber sensor on management server
- Configure AD integration (read-only service account)
- Enable network discovery protocols
- Set scanning scope (IP ranges, AD OUs)
Cloud (AWS):
- Deploy XM Cyber CloudConnect via CloudFormation
- Configure IAM role with read-only permissions
- Enable cross-account scanning for multi-account orgs
Cloud (Azure):
- Deploy via Azure Marketplace
- Configure Entra ID (Azure AD) integration
- Grant Reader role on subscriptions
Hybrid:
- Configure cross-environment path analysis
- Map on-premises to cloud trust relationships
- Enable identity correlation across environments
Scenario 1: External Attacker to Domain Admin
Starting Point: Internet-facing assets
Target: Domain Admin privileges
Attack Techniques: Exploit public CVEs, credential theft,
lateral movement, privilege escalation
Scenario 2: Insider Threat to Financial Data
Starting Point: Any corporate workstation
Target: Financial database servers
Attack Techniques: Credential harvesting, share enumeration,
privilege escalation, data access
Scenario 3: Cloud Account Takeover
Starting Point: Compromised cloud IAM user
Target: Production cloud infrastructure
Attack Techniques: IAM privilege escalation, cross-account
pivot, storage access, compute compromise
Scenario 4: Ransomware Propagation
Starting Point: Phished workstation
Target: Maximum host compromise (lateral spread)
Attack Techniques: Credential reuse, SMB exploitation,
PsExec/WMI lateral movement
# Interpreting XM Cyber attack path analysis results
def analyze_choke_points(attack_graph_results):
"""Analyze attack graph results for priority remediation."""
choke_points = []
for entity in attack_graph_results.get("entities", []):
if entity.get("is_choke_point"):
choke_points.append({
"entity_name": entity["name"],
"entity_type": entity["type"],
"attack_paths_blocked": entity["paths_through"],
"critical_assets_protected": entity["protects_assets"],
"remediation_complexity": entity["fix_complexity"],
"exposure_type": entity["exposure_category"],
})
# Sort by impact (paths blocked * assets protected)
choke_points.sort(
key=lambda x: x["attack_paths_blocked"] * len(x["critical_assets_protected"]),
reverse=True
)
print(f"Total choke points identified: {len(choke_points)}")
print(f"\nTop 10 choke points for maximum risk reduction:")
for i, cp in enumerate(choke_points[:10], 1):
print(f" {i}. {cp['entity_name']} ({cp['entity_type']})")
print(f" Paths blocked: {cp['attack_paths_blocked']}")
print(f" Assets protected: {len(cp['critical_assets_protected'])}")
print(f" Exposure type: {cp['exposure_type']}")
print(f" Fix complexity: {cp['remediation_complexity']}")
return choke_points
Remediation Priority Matrix:
Priority 1 (Immediate - 48h):
- Choke points on paths to Tier 1 assets
- Identity exposures (cached Domain Admin creds)
- Internet-facing vulnerabilities with attack paths
Priority 2 (Urgent - 7 days):
- Choke points on paths to Tier 2 assets
- Cloud IAM misconfigurations with privilege escalation
- Network segmentation gaps enabling lateral movement
Priority 3 (Important - 30 days):
- Remaining choke points
- Misconfigurations reducing defense depth
- Non-critical software vulnerabilities on attack paths
Priority 4 (Standard - 90 days):
- Exposures NOT on any attack path to critical assets
- Informational findings
- Hardening recommendations
Get statistically sound analysis without PhD in statistics
Create charts, dashboards, and visual reports
Example
Generate matplotlib/seaborn code for time series plots, distribution charts, heatmaps
Build presentation-ready visualizations 3x faster
Prerequisites
Time Estimate
20-40 minutes to set up and run first analysis
Steps
Common Pitfalls
✓ Do
✗ Don't
💡 Pro Tips
✓ Use when
Use for exploratory data analysis, data cleaning, statistical testing, visualization prototyping, and learning new analysis techniques. Best for initial exploration and rapid insights.
✗ Avoid when
Avoid for mission-critical financial analysis, medical research requiring regulatory compliance, production ML models, or when deep statistical expertise is required for nuanced interpretation.
mukul975/Anthropic-Cybersecurity-Skills
mukul975/Anthropic-Cybersecurity-Skills
mukul975/Anthropic-Cybersecurity-Skills
mukul975/Anthropic-Cybersecurity-Skills
mukul975/Anthropic-Cybersecurity-Skills
mukul975/Anthropic-Cybersecurity-Skills
We added implementing-attack-path-analysis-with-xm-cyber from the explainx registry; install was straightforward and the SKILL.md answered most questions upfront.
Useful defaults in implementing-attack-path-analysis-with-xm-cyber — fewer surprises than typical one-off scripts, and it plays nicely with `npx skills` flows.
implementing-attack-path-analysis-with-xm-cyber is among the better-maintained entries we tried; worth keeping pinned for repeat workflows.
Useful defaults in implementing-attack-path-analysis-with-xm-cyber — fewer surprises than typical one-off scripts, and it plays nicely with `npx skills` flows.
Solid pick for teams standardizing on skills: implementing-attack-path-analysis-with-xm-cyber is focused, and the summary matches what you get after install.
Solid pick for teams standardizing on skills: implementing-attack-path-analysis-with-xm-cyber is focused, and the summary matches what you get after install.
implementing-attack-path-analysis-with-xm-cyber reduced setup friction for our internal harness; good balance of opinion and flexibility.
We added implementing-attack-path-analysis-with-xm-cyber from the explainx registry; install was straightforward and the SKILL.md answered most questions upfront.
implementing-attack-path-analysis-with-xm-cyber reduced setup friction for our internal harness; good balance of opinion and flexibility.
implementing-attack-path-analysis-with-xm-cyber is among the better-maintained entries we tried; worth keeping pinned for repeat workflows.
showing 1-10 of 74