Research System Internals and Adversary Tradecraft
Provide structured research context at the start of a threat hunt by incrementally applying only the references explicitly called for in each workflow step. This skill establishes a grounded understanding of system capabilities and adversary behaviors so downstream hunt planning reflects how the environment actually works and how it is realistically abused.
Workflow
- You MUST complete each step in order and MUST NOT proceed until the current step is complete.
- You MUST NOT read reference documents or perform web searches unless the current step explicitly instructs you to do so.
- Do NOT output raw notes, coverage checks, intermediate reasoning, or step summaries.
- Do NOT restate findings from previous steps outside the final report structure.
Step 1: Normalize the input
Translate the user's high-level topic into a precise research scope before any investigation begins. This step exists to remove ambiguity and establish a shared frame for system and adversary analysis.
This step is complete only when the scope is explicit and unambiguous.