NetSec Skills Suite
Interactive architecture diagrams showing how 35+ agent skills are organized, how decisions flow through each domain, and how the security pipeline validates every skill.
graph TB
%% Top-level map of the suite: one AI agent, five skill domains, and the five
%% validation steps that make up the security pipeline.
%% NOTE(review): the edges read Agent -> Suite -> Pipeline, which can be misread
%% as validation happening after the agent has already loaded a skill. The
%% pull-request diagram at the end of this page draws the same five steps
%% before merge; confirm which reading is intended.
subgraph Suite["netsec-skills-suite"]
direction TB
DH["Device Health<br/>Cisco · Juniper · Arista"]
RP["Routing Protocols<br/>BGP · OSPF · EIGRP · IS-IS"]
SA["Security Audits<br/>PAN-OS · FortiGate · Check Point · ASA"]
CS["Cloud Security<br/>AWS · Azure · GCP"]
OB["Observability<br/>Splunk · ELK · QRadar · Grafana"]
end
Agent["AI Agent"] --> Suite
Suite --> Pipeline["Security Pipeline"]
%% The five steps fan out in parallel here: this diagram draws no ordering
%% between them and no pass/fail gate after them.
Pipeline --> V1["Spec Validation"]
Pipeline --> V2["Convention Check"]
Pipeline --> V3["Injection Detection"]
Pipeline --> V4["VirusTotal Scan"]
Pipeline --> V5["OpenSSF Scorecard"]
%% Colours only from here on; no further nodes or edges.
style Suite fill:#0f172a,stroke:#38bdf8,stroke-width:2px,color:#f1f5f9
style Agent fill:#818cf8,stroke:#6366f1,color:#fff
style Pipeline fill:#0f172a,stroke:#f59e0b,stroke-width:2px,color:#fbbf24
style DH fill:#0c4a6e,stroke:#38bdf8,color:#e0f2fe
style RP fill:#312e81,stroke:#818cf8,color:#e0e7ff
style SA fill:#4c0519,stroke:#fb7185,color:#ffe4e6
style CS fill:#064e3b,stroke:#34d399,color:#d1fae5
style OB fill:#451a03,stroke:#fbbf24,color:#fef3c7
style V1 fill:#1e293b,stroke:#94a3b8,color:#cbd5e1
style V2 fill:#1e293b,stroke:#94a3b8,color:#cbd5e1
style V3 fill:#1e293b,stroke:#94a3b8,color:#cbd5e1
style V4 fill:#1e293b,stroke:#94a3b8,color:#cbd5e1
style V5 fill:#1e293b,stroke:#94a3b8,color:#cbd5e1
%% A separate diagram starts on the next line.
graph TD
%% Device health flow: pick the vendor skill from the platform, collect CPU,
%% memory and interface metrics, classify them, and emit one structured report.
Start["Device Health Check"] --> Identify{Identify Platform}
Identify -->|IOS-XE / NX-OS| Cisco["cisco-device-health"]
Identify -->|JunOS| Juniper["juniper-device-health"]
Identify -->|EOS| Arista["arista-device-health"]
%% All three vendor skills feed the same collection step.
Cisco --> Collect["Collect Metrics"]
Juniper --> Collect
Arista --> Collect
Collect --> CPU["CPU Utilization"]
Collect --> Mem["Memory Usage"]
Collect --> Intf["Interface Health"]
CPU --> Threshold{Threshold Check}
Mem --> Threshold
Intf --> Threshold
%% NOTE(review): memory and interface metrics feed this decision too, but the
%% three outgoing edges are labelled with 5-minute CPU percentages only; the
%% memory and interface criteria are not shown. The labels also leave open
%% which bucket exactly 50% and exactly 70% fall into.
Threshold -->|"5min CPU < 50%"| Normal["✅ Normal — Report OK"]
Threshold -->|"5min CPU 50-70%"| Warning["⚠️ Warning — Flag & Continue"]
Threshold -->|"5min CPU > 70%"| Critical["🔴 Critical"]
Critical --> TopProc{Top Process?}
%% Only three named processes lead on from a critical reading. A critical
%% reading caused by any other process has no edge to the report in this
%% diagram; presumably the skill handles it, verify against the skill text.
%% NOTE(review): traffic hitting the control plane (IP Input) and unexpected
%% SNMP pollers are security signals as well as capacity ones; the diagram
%% treats both branches purely as health checks.
TopProc -->|BGP Router| RouteChurn["Check Route Churn"]
TopProc -->|SNMP Engine| SNMPPoll["Check Polling Rate"]
TopProc -->|IP Input| TrafficSpike["Analyze Traffic"]
%% Every drawn outcome, including Normal and Warning, ends in the report.
RouteChurn --> Report["Structured Report"]
SNMPPoll --> Report
TrafficSpike --> Report
Warning --> Report
Normal --> Report
%% Colours only from here on.
style Start fill:#0c4a6e,stroke:#38bdf8,color:#e0f2fe
style Cisco fill:#164e63,stroke:#22d3ee,color:#cffafe
style Juniper fill:#164e63,stroke:#22d3ee,color:#cffafe
style Arista fill:#164e63,stroke:#22d3ee,color:#cffafe
style Normal fill:#064e3b,stroke:#34d399,color:#d1fae5
style Warning fill:#451a03,stroke:#fbbf24,color:#fef3c7
style Critical fill:#4c0519,stroke:#fb7185,color:#ffe4e6
style Report fill:#1e293b,stroke:#94a3b8,color:#cbd5e1
%% A separate diagram starts on the next line.
graph TD
%% Routing analysis flow: dispatch on protocol to one of four skills; every
%% individual check ends in a single convergence report.
Start["Routing Analysis"] --> Proto{Protocol?}
Proto -->|BGP| BGP["bgp-analysis"]
Proto -->|OSPF| OSPF["ospf-analysis"]
Proto -->|EIGRP| EIGRP["eigrp-analysis"]
Proto -->|IS-IS| ISIS["isis-analysis"]
%% BGP checks. Route filtering and community / AS-path review are the nodes
%% where a missing or overly broad prefix filter would be reported.
BGP --> BGP1["Peer State Assessment"]
BGP --> BGP2["Path Selection Audit"]
BGP --> BGP3["Route Filtering Check"]
BGP --> BGP4["Community / AS-Path Analysis"]
%% OSPF checks. Redistribution is the point where routes from another source
%% enter the OSPF domain.
OSPF --> OSPF1["Adjacency Diagnosis"]
OSPF --> OSPF2["Area Design Validation"]
OSPF --> OSPF3["LSA / SPF Analysis"]
OSPF --> OSPF4["Redistribution Audit"]
%% EIGRP checks (three, where BGP and OSPF have four).
EIGRP --> EIGRP1["DUAL FSM State"]
EIGRP --> EIGRP2["SIA Diagnosis"]
EIGRP --> EIGRP3["K-Value Mismatch"]
%% IS-IS checks.
ISIS --> ISIS1["Adjacency Check"]
ISIS --> ISIS2["LSPDB Integrity"]
ISIS --> ISIS3["Level 1/2 Topology"]
%% NOTE(review): no node for neighbour or adjacency authentication appears for
%% any of the four protocols. It may be covered inside the skills themselves;
%% the diagram does not say.
%% All fourteen checks converge on one report node.
BGP1 --> Converge["Convergence Report"]
BGP2 --> Converge
BGP3 --> Converge
BGP4 --> Converge
OSPF1 --> Converge
OSPF2 --> Converge
OSPF3 --> Converge
OSPF4 --> Converge
EIGRP1 --> Converge
EIGRP2 --> Converge
EIGRP3 --> Converge
ISIS1 --> Converge
ISIS2 --> Converge
ISIS3 --> Converge
%% Colours only from here on.
style Start fill:#312e81,stroke:#818cf8,color:#e0e7ff
style BGP fill:#312e81,stroke:#a78bfa,color:#ede9fe
style OSPF fill:#312e81,stroke:#a78bfa,color:#ede9fe
style EIGRP fill:#312e81,stroke:#a78bfa,color:#ede9fe
style ISIS fill:#312e81,stroke:#a78bfa,color:#ede9fe
style Converge fill:#1e293b,stroke:#94a3b8,color:#cbd5e1
%% A separate diagram starts on the next line.
graph TD
%% Security audit flow with three entry branches: a per-platform firewall
%% audit, a platform-independent ACL analysis, and a compliance branch.
%% Everything ends in one audit report.
Start["Security Audit"] --> FW{Firewall Platform}
Start --> ACL["acl-rule-analysis"]
Start --> Compliance{Compliance Framework}
FW -->|PAN-OS| PA["palo-alto-firewall-audit"]
FW -->|FortiOS| FG["fortigate-firewall-audit"]
FW -->|Check Point| CP["checkpoint-firewall-audit"]
FW -->|ASA / FTD| Cisco["cisco-firewall-audit"]
%% The four firewall skills share one policy-analysis step.
PA --> PolicyCheck["Policy Analysis"]
FG --> PolicyCheck
CP --> PolicyCheck
Cisco --> PolicyCheck
%% Four finding classes come out of policy analysis.
PolicyCheck --> Shadow["Shadowed Rules"]
PolicyCheck --> PermitAny["Overly Permissive"]
PolicyCheck --> Unused["Unused Rules"]
PolicyCheck --> Logging["Logging Gaps"]
%% NOTE(review): the ACL path reaches three of the four finding classes but not
%% Logging Gaps, so as drawn an ACL entry without logging is only reported via
%% the firewall branch. Confirm whether that is intended.
ACL --> Shadow
ACL --> PermitAny
ACL --> Unused
%% The edges out of this decision carry no labels, and vulnerability-assessment
%% sits under a decision named Compliance Framework although it is not a
%% framework; what selects each branch is not shown.
Compliance --> CIS["cis-benchmark-audit"]
Compliance --> NIST["nist-compliance-assessment"]
Compliance --> Vuln["vulnerability-assessment"]
Shadow --> AuditReport["Audit Report"]
PermitAny --> AuditReport
Unused --> AuditReport
Logging --> AuditReport
CIS --> AuditReport
NIST --> AuditReport
Vuln --> AuditReport
%% Colours only from here on.
style Start fill:#4c0519,stroke:#fb7185,color:#ffe4e6
style PA fill:#831843,stroke:#f472b6,color:#fce7f3
style FG fill:#831843,stroke:#f472b6,color:#fce7f3
style CP fill:#831843,stroke:#f472b6,color:#fce7f3
style Cisco fill:#831843,stroke:#f472b6,color:#fce7f3
style CIS fill:#451a03,stroke:#fbbf24,color:#fef3c7
style NIST fill:#451a03,stroke:#fbbf24,color:#fef3c7
style Vuln fill:#451a03,stroke:#fbbf24,color:#fef3c7
style AuditReport fill:#1e293b,stroke:#94a3b8,color:#cbd5e1
%% A separate diagram starts on the next line.
graph TD
%% Cloud security flow with two branches: a per-provider networking audit and
%% a cross-cloud posture analysis. Both end in one posture report.
Start["Cloud Security"] --> Provider{Cloud Provider}
Start --> Posture["cloud-security-posture"]
Provider -->|AWS| AWS["aws-networking-audit"]
Provider -->|Azure| Azure["azure-networking-audit"]
Provider -->|GCP| GCP["gcp-networking-audit"]
%% Each provider node lists four network-layer checks in a single box.
AWS --> AWSChecks["VPC Design<br/>Security Groups<br/>NACLs<br/>Flow Logs"]
Azure --> AzureChecks["VNet Config<br/>NSGs<br/>Azure Firewall<br/>Route Tables"]
GCP --> GCPChecks["VPC Networks<br/>Firewall Rules<br/>Cloud NAT<br/>Shared VPC"]
%% NOTE(review): IAM, encryption, public exposure and IaC review hang only off
%% the posture skill. As drawn, running one provider's networking audit on its
%% own does not include them; confirm against the skill text before treating a
%% provider audit as a full review.
Posture --> CrossCloud["Cross-Cloud Analysis"]
CrossCloud --> IAM["IAM Audit"]
CrossCloud --> Encrypt["Encryption Check"]
CrossCloud --> Public["Public Exposure Scan"]
CrossCloud --> TF["Terraform/IaC Review"]
AWSChecks --> Report["Posture Report"]
AzureChecks --> Report
GCPChecks --> Report
IAM --> Report
Encrypt --> Report
Public --> Report
TF --> Report
%% Colours only from here on.
style Start fill:#064e3b,stroke:#34d399,color:#d1fae5
style AWS fill:#0c4a6e,stroke:#38bdf8,color:#e0f2fe
style Azure fill:#312e81,stroke:#818cf8,color:#e0e7ff
style GCP fill:#064e3b,stroke:#34d399,color:#d1fae5
style Posture fill:#064e3b,stroke:#6ee7b7,color:#d1fae5
style Report fill:#1e293b,stroke:#94a3b8,color:#cbd5e1
%% A separate diagram starts on the next line.
graph TD
%% Observability and incident-response map: five skills hang off one start
%% node. Unlike the other domain diagrams on this page, no report node is drawn.
Start["Observability & IR"] --> SIEM["siem-log-analysis"]
%% network-log-analysis has no outgoing edges here; its steps are not shown.
Start --> NetLog["network-log-analysis"]
Start --> Dashboard["monitoring-dashboard-audit"]
Start --> IR["incident-response-lifecycle"]
Start --> NetIR["incident-response-network"]
SIEM --> Platform{SIEM Platform}
%% One query language per SIEM. KQL under ELK is read here as Kibana Query
%% Language; confirm against the skill.
Platform -->|Splunk| SPL["SPL Queries"]
Platform -->|ELK| KQL["KQL Queries"]
Platform -->|QRadar| AQL["AQL Queries"]
Dashboard --> Grafana["Grafana Audit"]
Grafana --> PromQL["PromQL Validation"]
Grafana --> AlertRules["Alert Rule Review"]
Grafana --> PanelCheck["Panel Coverage"]
%% The lifecycle is a strict five-phase chain with no loop back from
%% post-mortem to detection.
%% NOTE(review): containment and eradication normally change device state. The
%% safety-tier diagram on this page routes read-write actions through operator
%% approval; this diagram does not show which tier the IR skills declare.
IR --> Phase1["1. Detection & Alerting"]
Phase1 --> Phase2["2. Analysis & Scoping"]
Phase2 --> Phase3["3. Containment"]
Phase3 --> Phase4["4. Eradication & Recovery"]
Phase4 --> Phase5["5. Post-Mortem"]
%% Network IR fans out to three evidence sources.
NetIR --> Packet["Packet Capture Analysis"]
NetIR --> Flow["NetFlow / sFlow Analysis"]
NetIR --> Forensics["Network Forensics"]
%% Colours only from here on.
style Start fill:#451a03,stroke:#fbbf24,color:#fef3c7
style SIEM fill:#78350f,stroke:#f59e0b,color:#fef3c7
style IR fill:#78350f,stroke:#f59e0b,color:#fef3c7
style Phase1 fill:#1e293b,stroke:#94a3b8,color:#cbd5e1
style Phase2 fill:#1e293b,stroke:#94a3b8,color:#cbd5e1
style Phase3 fill:#1e293b,stroke:#94a3b8,color:#cbd5e1
style Phase4 fill:#1e293b,stroke:#94a3b8,color:#cbd5e1
style Phase5 fill:#1e293b,stroke:#94a3b8,color:#cbd5e1
%% A separate diagram starts on the next line.
graph LR
%% Safety-tier gate: a loaded skill is either read-only or read-write.
%% Read-only actions go straight to the safe outcome; every read-write action
%% passes an operator-approval decision first.
%% NOTE(review): the diagram does not show what enforces the declared tier at
%% run time. The pull-request diagram on this page lists a Safety Tier Mismatch
%% check, which suggests the tier is verified at review time; confirm.
Skill["Skill Loaded"] --> Check{Safety Tier?}
Check -->|read-only| RO["Read-Only Mode"]
Check -->|read-write| RW["Read-Write Mode"]
RO --> ShowCmd["show / display commands"]
RO --> Collect["Data collection"]
RO --> Analyze["Analysis & reporting"]
%% In read-write mode even show / display commands go through approval.
RW --> ShowCmd2["show / display commands"]
RW --> Config["Configuration changes"]
RW --> Remediate["Auto-remediation"]
%% NOTE(review): the safe-for-production label covers state changes only.
%% Read-only output can still contain sensitive configuration data, and heavy
%% show commands add load on a busy device.
ShowCmd --> Safe["✅ Safe for production"]
Collect --> Safe
Analyze --> Safe
ShowCmd2 --> Approval{"Operator Approval<br/>Required"}
Config --> Approval
Remediate --> Approval
%% Denial is terminal; no logging of the approval decision is drawn.
Approval -->|Approved| Execute["Execute Change"]
Approval -->|Denied| Block["🛑 Blocked"]
%% Colours only from here on.
style Skill fill:#0f172a,stroke:#38bdf8,color:#e0f2fe
style RO fill:#064e3b,stroke:#34d399,color:#d1fae5
style RW fill:#451a03,stroke:#fbbf24,color:#fef3c7
style Safe fill:#064e3b,stroke:#34d399,color:#d1fae5
style Execute fill:#064e3b,stroke:#6ee7b7,color:#d1fae5
style Block fill:#4c0519,stroke:#fb7185,color:#ffe4e6
%% A separate diagram starts on the next line.
graph LR
%% Pull-request pipeline: five steps drawn as a strict chain, then a single
%% pass/fail decision that ends in Merged or Blocked.
PR["Pull Request"] --> S1["1. Spec Validation<br/>agentskills validate"]
S1 --> S2["2. Convention Check<br/>validate.sh"]
S2 --> S3["3. Security Audit<br/>skill_security_auditor.py"]
%% NOTE(review): antivirus engines look for known malicious files. Skills are
%% largely instructions for an agent, so prompt-injection and
%% credential-harvesting content is presumably caught by step 3, not step 4.
S3 --> S4["4. VirusTotal<br/>70+ engines"]
%% NOTE(review): step 5 is labelled as a weekly assessment, which is a schedule
%% and not a per-pull-request check; how it gates an individual merge is not
%% shown.
S4 --> S5["5. OpenSSF Scorecard<br/>Weekly assessment"]
%% Side box listing what step 3 looks for. It has no outgoing edge, so the
%% diagram does not draw how a finding here reaches the decision below.
S3 --> Checks["Injection Detection<br/>Credential Harvesting<br/>Obfuscation Scan<br/>Safety Tier Mismatch"]
%% The decision hangs off step 5 only. Presumably a failure at any earlier step
%% also blocks the merge; confirm against the CI configuration.
S5 --> Pass{All Pass?}
Pass -->|Yes| Merge["✅ Merged"]
Pass -->|No| Reject["🛑 Blocked"]
%% Colours only from here on.
style PR fill:#0f172a,stroke:#38bdf8,color:#e0f2fe
style S1 fill:#1e293b,stroke:#6ee7b7,color:#d1fae5
style S2 fill:#1e293b,stroke:#6ee7b7,color:#d1fae5
style S3 fill:#1e293b,stroke:#f59e0b,color:#fef3c7
style S4 fill:#1e293b,stroke:#f59e0b,color:#fef3c7
style S5 fill:#1e293b,stroke:#818cf8,color:#e0e7ff
style Checks fill:#451a03,stroke:#f59e0b,color:#fef3c7
style Merge fill:#064e3b,stroke:#34d399,color:#d1fae5
style Reject fill:#4c0519,stroke:#fb7185,color:#ffe4e6