Security work is not just a configuration problem. It is a decision problem: which control applies here, what needs to be validated before a policy goes live, which investigation path to follow, and what guardrails matter in this environment. The Microsoft Security Skills Plugin packages security expertise into curated skills so compatible coding agents can give accurate, opinionated Microsoft Security guidance instead of generic security advice.
- 56 curated Microsoft Security skills
- Coverage: Security, Identity and Management, Compliance and Privacy, Cloud platform security
- Compatible with GitHub Copilot, Claude Code, Cursor, Codex CLI, Gemini CLI, and other agentic hosts
- Public knowledge only, grounded in Microsoft Learn
- Behaviourally validated: a reproducible harness measures the lift each skill adds over an unaided model, verified across two independent frontier models
This plugin ships 56 curated Microsoft Security skills that teach an agent how security work gets done across the Microsoft portfolio. Each skill provides workflows, decision trees, and guardrails grounded in public Microsoft Learn documentation - no proprietary content.
Skills are grouped by portfolio area:
- Threat protection and SecOps with `defender-xdr`, `defender-for-endpoint`, `defender-for-identity`, `defender-for-cloud-hardening`, `sentinel`, `unified-secops-platform`, and `threat-modelling`
- Identity, access, and governance with `entra-id`, `entra-id-governance`, `entra-id-protection`, `entra-permissions-management`, `conditional-access-mfa`, `azure-pim`, and `windows-hello`
- Compliance and data protection with `purview-dlp-policy`, `purview-advanced-dlp`, `purview-ediscovery`, `purview-audit`, `purview-data-classification`, `purview-data-lifecycle`, `purview-communication-compliance`, `insider-risk-baseline`, and `microsoft-priva`
- Endpoint and device management with `intune-device-mgmt`, `intune-app-protection`, `bitlocker-design`, and `paw-design`
- Cloud and platform security with `azure-policy`, `azure-key-vault`, `azure-network-security-design`, `azure-firewall`, `azure-app-service-security`, `cloud-app-security-posture`, and `api-security-design`
- Security operations acceleration with `security-copilot`, `security-copilot-agents`, `compromise-recovery`, and `azure-site-recovery`
This is not a prompt pack. It is a packaged Microsoft Security capability layer:
- Skills teach the agent when to use each security workflow and what to avoid.
- Guardrails are built into every skill to prevent common implementation mistakes.
- Public knowledge only - every skill cites Microsoft Learn; no proprietary methodology or customer data is included.
- Multi-host support lets you use the same security capability across GitHub Copilot in VS Code, Copilot CLI, Claude Code, Cursor, Codex CLI, Gemini CLI, and other compatible hosts.
| Component | What it adds | Scope |
|---|---|---|
| 56 Microsoft Security skills | Expertise, decision trees, workflows, and guardrails across the Microsoft Security portfolio | Security, Identity and Management, Compliance and Privacy, Cloud platform security |
Before you install, make sure you have:
- Git installed and accessible from the command line
- Node.js 18+ available on your PATH if you plan to use `npx skills add` to install
You can verify these with:

```bash
git --version
npx --version
```

The Microsoft Security Skills Plugin supports APM. One command installs it across GitHub Copilot, Claude Code, Cursor, OpenCode, Codex, and Gemini:

```bash
apm install vinayaklatthe/microsoft-security-skills
```

Clone the repository and point your agent at the `skills/` directory:

```bash
git clone https://github.com/vinayaklatthe/microsoft-security-skills.git
```

Or use the skills CLI to install globally for a specific host:

```bash
# GitHub Copilot (VS Code, Copilot CLI)
npx skills add https://github.com/vinayaklatthe/microsoft-security-skills/tree/main/skills -a github-copilot -g -y
# Claude Code
npx skills add https://github.com/vinayaklatthe/microsoft-security-skills/tree/main/skills -a claude -g -y
# Cursor
npx skills add https://github.com/vinayaklatthe/microsoft-security-skills/tree/main/skills -a cursor -g -y
# Codex CLI
npx skills add https://github.com/vinayaklatthe/microsoft-security-skills/tree/main/skills -a codex -g -y
```

Install the extension:

```bash
gemini extensions install https://github.com/vinayaklatthe/microsoft-security-skills
```

After install, try three quick checks.
Ask:
What Microsoft Defender controls should I prioritise for a new Microsoft 365 tenant?
You should get structured, product-specific guidance with Microsoft Learn references - not generic security advice.
Ask:
How do I design a Conditional Access policy baseline for a mid-size organisation?
You should get a policy framework with named Conditional Access templates and guardrails.
Ask:
What Purview DLP policies should I configure to protect sensitive data in Microsoft 365?
You should get scoped DLP guidance with workload-specific recommendations.
Once the plugin is installed, try prompts like these:
- What are the first Defender XDR controls I should enable for a new tenant?
- Design a Conditional Access baseline for our Entra ID tenant.
- Help me build a Purview DLP policy to protect financial data.
- What Sentinel analytic rules should I enable for identity threat detection?
- How do I configure Entra ID Protection for risky sign-in response?
- Review my Intune device compliance policy for security gaps.
- What Defender for Cloud hardening recommendations apply to my Azure workloads?
- Help me design a PAW (Privileged Access Workstation) deployment.
- What Purview Insider Risk policies should I start with?
- How do I use Security Copilot to accelerate an incident investigation?
Use this table to pick the right skill before asking your question.
| If you want to... | Use this skill |
|---|---|
| Investigate a multi-product incident (endpoint + identity + email) | defender-xdr |
| Build or operate a SIEM, ingest logs, write KQL detections | sentinel |
| Merge Sentinel and Defender XDR into one portal for your SOC | unified-secops-platform |
| Use AI to help investigate or summarise incidents | security-copilot |
| Automate repetitive triage with autonomous AI agents | security-copilot-agents |
| Respond to an active breach or ransomware attack | compromise-recovery |
| Set up identity and access management (users, SSO, hybrid) | entra-id |
| Enforce MFA and access controls (Conditional Access) | conditional-access-mfa |
| Detect risky users or leaked credentials | entra-id-protection |
| Remove standing admin rights and implement JIT access | azure-pim |
| Govern identity lifecycle and access packages | entra-id-governance |
| Manage multicloud permissions across AWS, GCP, Azure | entra-permissions-management |
| Protect endpoints with EDR, attack surface reduction | defender-for-endpoint |
| Detect identity-based attacks on Active Directory | defender-for-identity |
| Protect email from phishing and business email compromise | defender-for-office-365 |
| Harden cloud infrastructure posture (Secure Score, attack paths) | defender-for-cloud-hardening |
| Harden SaaS app configurations (M365, Salesforce, etc.) | cloud-app-security-posture |
| Manage Intune device compliance and configuration | intune-device-mgmt |
| Prevent data loss across Exchange, SharePoint, Teams, Endpoint | purview-dlp-policy |
| Find and classify sensitive data across your estate | purview-data-classification |
| Investigate legal or HR matters with eDiscovery | purview-ediscovery |
| Monitor what sensitive data flows through AI prompts | purview-dspm-ai |
| Fix oversharing before rolling out Microsoft 365 Copilot | purview-copilot-oversharing |
| Detect insider data theft or policy violations | insider-risk-baseline |
| Understand which Purview feature to use (orientation) | purview-general |
| Design a Zero Trust security architecture | security-architecture |
| Threat model a system with STRIDE | threat-modelling |
| Secure Azure network design (hub-spoke, NSG, private endpoints) | azure-network-security-design |
| Store and rotate secrets, keys, certificates | azure-key-vault |
| Enforce governance guardrails across Azure subscriptions | azure-policy |
| Protect APIs (OWASP API Top 10, APIM security) | api-security-design |
| Estimate cost of Azure security controls | azure-pricing |
Overlapping scenarios: If your scenario spans multiple areas (e.g., a SOC involving both SIEM and XDR), start with the most specific skill and follow its cross-references.
| Product family | Coverage in this repo | Example skills |
|---|---|---|
| Security | Defender, Sentinel, SecOps workflows, threat modelling | defender-xdr, sentinel, unified-secops-platform, threat-modelling |
| Identity and Management | Entra, Conditional Access, governance, endpoint management | entra-id, entra-id-governance, conditional-access-mfa, intune-device-mgmt |
| Compliance and Privacy | Purview and Priva controls for data protection and compliance | purview-dlp-policy, purview-ediscovery, purview-audit, microsoft-priva |
| Cloud and platform security | Azure security architecture and control implementation | azure-policy, azure-key-vault, azure-network-security-design, azure-firewall |
| Security operations acceleration | Security Copilot and response-oriented workflows | security-copilot, security-copilot-agents, compromise-recovery |
- Agents scan skill front matter (`name`, `description`, and `WHEN:` triggers) to identify likely matches.
- Agents load the most relevant `SKILL.md` files for detailed guidance.
- Agents follow the skill body to produce focused, actionable outputs tied to Microsoft Learn references.
The key pieces are:
- `skills/` - the Microsoft Security skill definitions, one subfolder per skill
- `plugin.json` - plugin metadata for agent harnesses
- `validation/` - zero-dependency validation harness (structure, links, evals)
- `README.md` - high-level overview and install guide

```
skills/
  sentinel/SKILL.md
  defender-xdr/SKILL.md
  purview-dlp-policy/SKILL.md
  ...
```
Each SKILL.md follows a consistent structure:
```markdown
---
name: <skill-slug>
description: "<what it does>. WHEN: <trigger>, <trigger>, <trigger>."
license: MIT
metadata:
  author: Microsoft
  version: "0.1.0"
---
<concise, public-knowledge guidance, with Microsoft Learn links>
```

A zero-dependency validation harness (just Node 18+, no npm install) verifies the skills are well-formed, accurate, and actually drive the intended outcome.

```bash
npm run check:structure   # frontmatter, WHEN: triggers, required sections
npm run eval              # desired-outcome coverage (see validation/cases/)
npm run check:links       # every Microsoft Learn URL resolves (catches link rot)
npm run validate          # all three
```

Three layers of checks:
| Check | Answers | Script |
|---|---|---|
| Structural | Are skills well-formed and discoverable? | validation/check-structure.mjs |
| Behavioural (coverage) | Does the skill contain the knowledge each desired outcome needs? | validation/run-evals.mjs |
| Link rot | Do all documentation links still resolve? | validation/check-links.mjs |
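
A reviewer who wants to vet a skill before pointing an agent at it can apply the same kind of structural check by hand. The following is an added example, not the project's `validation/check-structure.mjs`: the function name `vetSkill`, the slug rule, the guardrail-heading test, and the exact-host link rule are assumptions, and the sample skill text is constructed.

```javascript
// Added example, not the project's validation/check-structure.mjs.
// SAMPLE_SKILL is constructed; its paths and text are placeholders.
const SAMPLE_SKILL = `---
name: sample-skill
description: "Designs a sample control. WHEN: new tenant, policy review, baseline design."
license: MIT
metadata:
  author: Microsoft
  version: "0.1.0"
---
## Workflow
See https://learn.microsoft.com/placeholder-path
## Guardrails
Placeholder guardrail text.
Further reading: https://example.invalid/unreviewed-guide
`;

function vetSkill(text, allowedHost = "learn.microsoft.com") {
  const problems = [];
  const m = text.match(/^---\r?\n([\s\S]*?)\r?\n---\r?\n([\s\S]*)$/);
  if (!m) return { ok: false, problems: ["missing front matter block"], triggers: [] };
  const [, front, body] = m;
  // Read only top-level "key: value" pairs; indented metadata keys are skipped.
  const fields = {};
  for (const line of front.split(/\r?\n/)) {
    const kv = line.match(/^([A-Za-z_]+):\s*(.*)$/);
    if (kv) fields[kv[1]] = kv[2].replace(/^"(.*)"$/, "$1");
  }
  if (!/^[a-z0-9]+(-[a-z0-9]+)*$/.test(fields.name || "")) {
    problems.push("name is not a lowercase slug");
  }
  // Triggers are the comma-separated items after "WHEN:" in the description.
  const when = (fields.description || "").split("WHEN:")[1];
  const triggers = when ? when.replace(/\.\s*$/, "").split(",").map((s) => s.trim()).filter(Boolean) : [];
  if (triggers.length === 0) problems.push("description has no WHEN: triggers");
  // Assumed rule: some heading in the body names a guardrail section.
  if (!/^#+[ \t]+.*guardrail/im.test(body)) problems.push("no guardrail section heading");
  // Links must be https and match the host exactly, so look-alike hosts fail.
  for (const raw of body.match(/https?:\/\/[^\s)>\]"']+/g) || []) {
    let host = "";
    try { const u = new URL(raw); host = u.protocol === "https:" ? u.hostname : ""; } catch { host = ""; }
    if (host !== allowedHost) problems.push(`link outside ${allowedHost}: ${raw}`);
  }
  return { ok: problems.length === 0, problems, triggers };
}

console.log(vetSkill(SAMPLE_SKILL));
```

Comparing the parsed hostname rather than searching the URL string for `learn.microsoft.com` is what makes hosts such as `learn.microsoft.com.example.invalid` fail the check.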
The behavioural eval reads assertion files in validation/cases/<skill>.json. Each case
lists a prompt and the must-mention points a good answer should contain, grounded in the
skill's Microsoft Learn references. The default coverage mode checks those points are
present in the skill (runs anywhere, free). To score real model answers, generate one
<skill>__<index>.txt per case with the skill loaded, then run:
```bash
npm run eval:answers          # score answers in validation/answers/with-skill
npm run eval:answers:report   # same, as a Hit/Miss + Score table
```

The 10 highest-risk skills ship with hand-authored assertions and a set of with-skill answers. To prove a skill changes behaviour, capture a baseline (answers from a clean session with no skill loaded) and compare the scores - see validation/answers/README.md.

```bash
npm run eval:compare          # baseline vs with-skill, lift summary
npm run eval:compare:report   # per-case comparison table
```

Measured on the 10 high-risk skills (20 prompts, 61 assertions), validated across two independent frontier models used as graders:
| Model | Baseline (no skill) | With skill | Lift |
|---|---|---|---|
| Claude Opus 4.8 | 51/61 (84%) | 61/61 (100%) | +10 |
| GPT-5.5 | 55/61 (90%) | 61/61 (100%) | +6 |
The skill never regressed either model, and the gains concentrate on the high-consequence
operational details a generic answer tends to skip. See validation/answers/README.md.
All three checks run automatically on every pull request and weekly (link-rot sweep) via
GitHub Actions - see .github/workflows/validate.yml.
- Make sure the plugin installed successfully in your host.
- Confirm the `skills/` directory is present and contains `SKILL.md` files.
- Reload or restart your host so it re-indexes plugins and skill definitions.
- The agent may not have matched a skill trigger. Try phrasing the prompt using product names directly (for example, "Defender XDR", "Purview DLP", "Entra Conditional Access").
- Check that the skill's `WHEN:` triggers in the `description` front matter cover your scenario. If they do not, open an issue or a pull request.
- Check the `skills/` directory first - coverage may already exist under a different name.
- If genuinely missing, contributions are welcome. See the contributing guide below.
- Microsoft Security documentation
- Microsoft Defender XDR documentation
- Microsoft Sentinel documentation
- Microsoft Entra documentation
- Microsoft Purview documentation
- microsoft/azure-skills - the Azure equivalent of this plugin
Contributions are welcome. Keep every skill:
- Public-knowledge only - cite Microsoft Learn; no proprietary methodology or customer data.
- Focused - one product or task per skill.
- Concise - guidance an agent can act on, not a full product manual.
- Guarded - include at least one guardrail section covering common mistakes.
This project welcomes contributions and suggestions. Most contributions require you to agree to a Contributor License Agreement (CLA). For details, visit https://cla.opensource.microsoft.com.
This project may contain trademarks or logos for projects, products, or services. Authorised use of Microsoft trademarks or logos is subject to and must follow Microsoft's Trademark & Brand Guidelines.