cyber-defense-team

---
name: cyber-defense-team
description: "Orchestrate a 4-agent cyber defense pipeline to analyze log files for threats. Use when investigating security logs, detecting anomalies in access patterns, classifying breach severity, or generating incident reports from nginx/auth/syslog files."
version: 1.0.0
usage: /cyber-defense-team [log-file-path]
args:
  - name: log_path
    description: Path to the log file to analyze (or paste log content directly)
    required: true
effort: high
---

# Cyber Defense Team Skill

Orchestrate a 4-agent pipeline that analyzes log files for security threats and produces an incident report.

## Pipeline Architecture

```
[You] → Team Lead (this skill)
           │
           ├─[1]─→ log-ingestor    (haiku)  → cyber-defense-events.json
           │
           ├─[2]─→ anomaly-detector (sonnet) → cyber-defense-anomalies.json
           │                                    (reads events.json)
           ├─[3]─→ risk-classifier  (sonnet) → cyber-defense-risk.json
           │                                    (reads anomalies.json)
           └─[4]─→ threat-reporter  (sonnet) → cyber-defense-report.md
                                               (reads all 3 JSON files)
```

Stages 2 and 3 are sequential (each depends on previous output). Stage 4 runs after all data is ready.

## Execution Steps

### Step 1 — Validate Input

Check that the log file exists (or that log content was provided inline). If the path doesn't exist, tell the user immediately — don't proceed.

### Step 2 — Spawn Log Ingestor

Use the Agent tool to spawn the `log-ingestor` agent:

```
Task: Parse the log file at [log_path] and write structured events to cyber-defense-events.json.
Log path: [log_path]
```

Wait for completion. Confirm `cyber-defense-events.json` was created.

### Step 3 — Spawn Anomaly Detector

Use the Agent tool to spawn the `anomaly-detector` agent:

```
Task: Read cyber-defense-events.json and detect anomalies. Write results to cyber-defense-anomalies.json.
```

Wait for completion. If `anomalies_found: 0`, skip to Step 5 (reporter still runs).

### Step 4 — Spawn Risk Classifier

Use the Agent tool to spawn the `risk-classifier` agent:

```
Task: Read cyber-defense-anomalies.json and classify overall risk. Write result to cyber-defense-risk.json.
```

### Step 5 — Spawn Threat Reporter

Use the Agent tool to spawn the `threat-reporter` agent:

```
Task: Read cyber-defense-events.json, cyber-defense-anomalies.json, and cyber-defense-risk.json. Generate a complete incident report and save it to cyber-defense-report.md.
```

### Step 6 — Summarize for User

Read `cyber-defense-risk.json` and present:

```
✅ Analysis complete

Risk Level : HIGH
Score      : 74/100
Threats    : 2 anomalies detected
Report     : cyber-defense-report.md

Primary threat: Brute force attack from 192.168.1.105
Immediate action required: [first recommended_action]
```

## Error Handling

- Agent fails at step 2: Tell user, stop pipeline, show raw error.
- Agent fails at step 3+: Show partial results, note which stage failed.
- Log file not found: "File [path] not found. Provide a valid path or paste log content."

## Cost Estimate

| Stage | Model | Typical tokens |
|-------|-------|----------------|
| log-ingestor | haiku | ~2K |
| anomaly-detector | sonnet | ~3K |
| risk-classifier | sonnet | ~2K |
| threat-reporter | sonnet | ~3K |
| **Total** | | **~10K** |

For large log files (>10K lines), log-ingestor may use up to 20K tokens.

## Example Usage

```
/cyber-defense-team /var/log/nginx/access.log
/cyber-defense-team /tmp/auth.log
```