---
name: network-threat-defense
description: Analyze network traffic for defensive triage and operate the local defense-focused plugin runtime for PCAP forensics, live capture review, incident prioritization, posture scoring, coverage-gap analysis, and hardening guidance. Use when Codex needs to inspect `.pcap/.pcapng` files, run live packet capture, explain alerts or incidents, summarize blue-team posture, extract prioritized remediation steps, or integrate the defense workflow with Claude Code or Codex through MCP and skill interfaces.
---

# Network Threat Defense

## Overview

Operate the plugin-local runtime at the package root. Prefer the packaged CLI and MCP entry points over reimplementing parsing, detection, or hardening logic.

## Quick Start

1. Install dependencies with `pip install -r requirements.txt`.
2. Use `python scripts/run_defense_task.py analyze-pcap --pcap path/to/file.pcap --ai-mode heuristic` for offline analysis.
3. Use `python scripts/run_defense_task.py capture-live --interface eth0 --packet-count 200 --timeout 20 --ai-mode heuristic` for live capture.
4. Use `python scripts/run_defense_task.py latest-posture --section snapshot` to read the latest defense snapshot.
5. Use `python scripts/launch_mcp_server.py` when Claude Code or Codex should consume the runtime through MCP.

## Workflow

### Analyze Defensive Findings

- Prefer `scripts/run_defense_task.py`.
- Return alerts first, then incidents, then hardening actions.
- Read `references/workflow.md` for commands and output locations.
- Use `--ai-mode off|heuristic|auto|llm` to control semantic triage.

### Produce Defense Summaries

- Read `references/integrations.md` when the task requires Claude Code or Codex interoperability.
- Use MCP tools `defense_posture`, `coverage_summary`, `hardening_plan`, and `defense_snapshot`.
- Prefer `heuristic` or `auto` mode by default; use `llm` only when `THREAT_AI_API_KEY` and `THREAT_AI_BASE_URL` are configured.

## Output Rules

- Prefer JSON artifacts for machine use and Markdown reports for human summaries.
- Surface active containment needs before long-term hardening work.
- Explicitly state coverage gaps when the capture lacks DNS, ARP, or semantic candidates.
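
Worked example of these output rules, added here and not part of the plugin's own code: it orders findings alerts -> incidents -> hardening, floats containment items ahead of long-term work, and states coverage gaps when DNS, ARP, or semantic candidates are missing. The snapshot keys (`alerts`, `incidents`, `hardening`, `coverage`, `containment`) are assumptions, since the real `defense_snapshot` schema is not shown on this page.

```python
"""Apply the skill's output rules to a defense snapshot (constructed sample data)."""

# Constructed sample snapshot; its keys are assumed for illustration, not the
# plugin's documented schema.
SAMPLE_SNAPSHOT = {
    "alerts": [
        {"id": "a1", "severity": "high", "summary": "Periodic beacon to one external host"},
        {"id": "a2", "severity": "low", "summary": "Cleartext HTTP basic auth observed"},
    ],
    "incidents": [
        {"id": "i1", "severity": "critical", "containment": True,
         "summary": "Workstation contacting a sinkholed domain"},
    ],
    "hardening": [
        {"id": "h1", "summary": "Enforce TLS for internal web services"},
        {"id": "h2", "containment": True,
         "summary": "Block direct outbound traffic from workstations"},
    ],
    "coverage": {"dns": False, "arp": True, "semantic_candidates": False},
}

SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3}


def coverage_gaps(snapshot):
    """Name each layer the capture lacks: DNS, ARP, or semantic candidates."""
    cov = snapshot.get("coverage", {})
    return [layer for layer in ("dns", "arp", "semantic_candidates")
            if not cov.get(layer, False)]


def prioritized_findings(snapshot):
    """Return (section, id) pairs: alerts, then incidents, then hardening.
    Inside a section, containment needs come first, then higher severity."""
    ordered = []
    for section in ("alerts", "incidents", "hardening"):
        ranked = sorted(
            snapshot.get(section, []),
            key=lambda f: (not f.get("containment", False),
                           SEVERITY_RANK.get(f.get("severity", "low"), 9)),
        )
        ordered.extend((section, f["id"]) for f in ranked)
    return ordered


def summarize(snapshot):
    """Markdown-style lines for a human summary, ending with an explicit gap statement."""
    lines = [f"- [{section}] {fid}" for section, fid in prioritized_findings(snapshot)]
    gaps = coverage_gaps(snapshot)
    lines.append("Coverage gaps: " + (", ".join(gaps) if gaps else "none"))
    return lines


if __name__ == "__main__":
    print("\n".join(summarize(SAMPLE_SNAPSHOT)))
```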
