From sat-analysis
Structured Analytic Techniques (SAT) for rigorous analysis of user-supplied data. Applies intelligence community cognitive discipline to technical problems. Use when user provides logs asking about breach/anomaly/incident/compromise, crash dump/stack trace asking about cause, code diff asking if fix is correct/complete, or claim/statement asking for validity assessment. Triggers on "apply SAT", "structured analysis", "generate hypotheses", or "why did X happen" with ambiguous causation. Modes: BREACH_DETECTION, CRASH_ANALYSIS, FIX_VERIFICATION, STATEMENT_ANALYSIS, GENERAL_HYPOTHESIS.
Slash command: /sat-analysis:sat-analysis
Apply intelligence community analytic tradecraft to technical analysis problems. Enforces cognitive discipline, generates comprehensive hypotheses, evaluates competing explanations, and produces calibrated assessments.
Technical analysis often suffers from confirmation bias, anchoring on the first plausible explanation, and failure to consider alternative hypotheses. Without structured cognitive discipline, analysts jump from observation to conclusion, skipping rigorous evaluation of competing explanations and producing overconfident, unfalsifiable assessments.
Auto-select based on input:
| Input Pattern | Mode |
|---|---|
| Logs + security question | BREACH_DETECTION |
| Crash/stack trace + cause question | CRASH_ANALYSIS |
| Code diff + fix verification | FIX_VERIFICATION |
| Claim/statement + validity question | STATEMENT_ANALYSIS |
| Ambiguous situation | GENERAL_HYPOTHESIS |
Every analysis follows this sequence:
Critical: Separate observations from interpretations FIRST.
| Test | If Yes → |
|---|---|
| Could a camera record this exactly? | Observation |
| Requires inference or judgment? | Interpretation → becomes hypothesis |
BAD: "Attacker logged in at 3am"
GOOD: "Login recorded for user X at 03:00:00 from IP Y"
BAD: "Malicious PowerShell execution"
GOOD: "powershell.exe spawned by winword.exe at [time]"
Minimum 5 hypotheses before any evaluation.
Generation methods (use ≥2):
Required categories (at least one each):
Rate each evidence-hypothesis pair:
| Rating | Symbol | Meaning |
|---|---|---|
| Strongly Supports | ++ | Evidence predicted by hypothesis |
| Supports | + | Consistent with hypothesis |
| Neutral | N | Neither supports nor contradicts |
| Contradicts | - | Inconsistent with hypothesis |
| Strongly Contradicts | -- | Argues against hypothesis |
Score: ++=+2, +=+1, N=0, -=-1, --=-2
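The scoring rule above, as an added example (not the skill's own scripts/ach_matrix.py, whose contents are not shown on this page): it sums the rating weights per hypothesis and renders the result in the ACH MATRIX layout of the output template. It also flags observations rated identically across every hypothesis, a standard ACH diagnosticity check that this page does not itself specify. The hypothesis IDs, observation IDs and all ratings are constructed sample data.

```python
# Added example: ACH scoring with the rating weights given above.
# Hypothesis/observation IDs and all ratings are constructed sample data.
WEIGHTS = {"++": 2, "+": 1, "N": 0, "-": -1, "--": -2}

def score_matrix(hypotheses, ratings):
    """Sum rating weights per hypothesis; reject gaps and unknown symbols."""
    totals = dict.fromkeys(hypotheses, 0)
    for obs, row in ratings.items():
        for h in hypotheses:
            if h not in row:
                raise ValueError(f"{obs}: no rating for {h}")
            if row[h] not in WEIGHTS:
                raise ValueError(f"{obs}/{h}: unknown rating {row[h]!r}")
            totals[h] += WEIGHTS[row[h]]
    return totals

def non_diagnostic(hypotheses, ratings):
    """Observations rated the same for every hypothesis cannot separate them."""
    return [obs for obs, row in ratings.items()
            if len({row.get(h) for h in hypotheses}) == 1]

def to_markdown(hypotheses, ratings):
    """Render the matrix in the layout of the page's ACH MATRIX template."""
    totals = score_matrix(hypotheses, ratings)
    lines = ["| Evidence | " + " | ".join(hypotheses) + " |",
             "|---|" + "---|" * len(hypotheses)]
    for obs, row in ratings.items():
        lines.append(f"| {obs} | " + " | ".join(row[h] for h in hypotheses) + " |")
    lines.append("| **SCORE** | "
                 + " | ".join(f"{totals[h]:+d}" for h in hypotheses) + " |")
    return "\n".join(lines)

HYPOTHESES = ["H1", "H2", "H3", "H4", "H5"]  # the page requires at least five
RATINGS = {  # constructed ratings, one row per observation
    "O1": {"H1": "++", "H2": "+", "H3": "-", "H4": "N", "H5": "--"},
    "O2": {"H1": "+", "H2": "+", "H3": "+", "H4": "+", "H5": "+"},
    "O3": {"H1": "+", "H2": "-", "H3": "--", "H4": "N", "H5": "-"},
}

if __name__ == "__main__":
    print(to_markdown(HYPOTHESES, RATINGS))
    print("Non-diagnostic:", non_diagnostic(HYPOTHESES, RATINGS))
```

O2 raises every total by one without changing the ranking, which is why it is reported as non-diagnostic.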
Always provide BOTH verbal term AND numeric range:
| Term | Range | Usage |
|---|---|---|
| Almost Certain | 90-99% | Overwhelming evidence, no alternatives |
| Highly Likely | 80-89% | Strong evidence, alternatives unlikely |
| Likely | 65-79% | Preponderance, alternatives possible |
| Moderate | 50-64% | Genuine uncertainty |
| Unlikely | 20-49% | Evidence against, but possible |
| Remote | 5-19% | Little support |
Every conclusion must include:
## SAT ANALYSIS: [Title]
**Mode**: [Mode]
**Confidence**: [Term] ([X-Y%])
**Techniques**: [List]
---
### OBSERVATIONS
| ID | Observation | Source | Time |
|----|-------------|--------|------|
| O1 | [Pure data] | [Src] | [T] |
### HYPOTHESES
| ID | Hypothesis | Category | Prob |
|----|------------|----------|------|
| H1 | [desc] | [cat] | [%] |
### ACH MATRIX
| Evidence | H1 | H2 | H3 | H4 | H5 |
|----------|----|----|----|----|-----|
| O1 | [rating] | ... |
| **SCORE** | [X] | [X] | [X] | [X] | [X] |
### ASSESSMENT
**Primary**: [Conclusion with confidence]
**Alternatives**: [What else is possible]
### ASSUMPTIONS
1. [Assumption]
### FALSIFICATION
- Would be falsified by: [evidence]
- Would be strengthened by: [evidence]
### LIMITATIONS
- [Gap or caveat]
Required hypothesis categories:
Map to ATT&CK/kill chain where applicable. See references/attack_patterns.md.
Hypothesis dimensions:
Distinguish proximate cause from root cause. See references/crash_patterns.md.
Hypothesis categories:
Trace causal chain from issue to fix. See references/fix_patterns.md.
Evaluate:
Decompose claim → evidence → assumptions → logical structure.
Before ANY output, verify:
Reduce confidence:
| Factor | Adjustment |
|---|---|
| Single source | -10 to -20 |
| No corroboration | -10 to -15 |
| Conflicting evidence | -15 to -25 |
| Limited analysis time | -5 to -15 |
May increase confidence:
| Factor | Adjustment |
|---|---|
| Multiple independent sources | +5 to +15 |
| Direct observation | +5 to +10 |
| Corroboration | +5 to +15 |
Support iterative refinement:
For detailed guidance, see:
- references/techniques.md - Full technique documentation
- references/attack_patterns.md - Security indicator patterns
- references/crash_patterns.md - Crash/failure patterns
- references/fix_patterns.md - Fix verification patterns
- references/cognitive_biases.md - Bias detection
- scripts/parse_logs.py - Parse common log formats
- scripts/timeline.py - Build event timelines
- scripts/ach_matrix.py - Generate ACH matrix markdown
npx claudepluginhub dmaynor/dmaynor-skills-marketplace --plugin sat-analysis