MCP HubMCP Hub
Back to Skills

defend-colony

pjt222
Updated 2 days ago
7 views
17
2
17
View on GitHub
Metareactdesign

About

This skill provides a framework for implementing collective, layered defense in distributed systems, inspired by immune response patterns. It enables threat detection, alert propagation, and a proportional response that escalates with severity, preventing over- or under-reaction. Use it to design scalable incident response and defense-in-depth strategies where no single component can address all threats.

Quick Install

Claude Code

Recommended
Primary
npx skills add pjt222/agent-almanac -a claude-code
Plugin CommandAlternative
/plugin add https://github.com/pjt222/agent-almanac
Git CloneAlternative
git clone https://github.com/pjt222/agent-almanac.git ~/.claude/skills/defend-colony

Copy and paste this command in Claude Code to install this skill

Documentation

Defend Colony

Layered collective defense: alarm signal + role mobilize + proportional response + immune memory. Inspired by social insect + biological immune sys.

Use When

  • Defense-in-depth, no single guardian covers all
  • Incident response scales w/ severity
  • Components can't defend alone
  • Defense over-reactive (every alert = full mob) / under-reactive (threats unnoticed)
  • Org resilience: teams self-org on incident
  • Complement coordinate-swarm w/ threat-response patterns

In

  • Required: Colony desc (sys, org, team)
  • Required: Threat cats (attacks, failures, competitors, env)
  • Optional: Current defenses + fail modes
  • Optional: Defender types + caps
  • Optional: Latency per tier
  • Optional: Recovery reqs

Do

Step 1: Threat Landscape + Perimeter

ID what to defend, from what, where perimeter.

  1. Critical assets:
    • Protect all cost (core data, prod sys, key ppl)
    • Can sustain temp damage (staging, non-crit svcs)
    • Expendable under extreme (caches, replicas, non-essential)
  2. Classify threats:
    • Probes: low-level recon (port scans, failed logins)
    • Incursions: active boundary violations (unauth access, injection)
    • Infestations: persistent inside (compromised nodes, insider)
    • Existential: survival threats (corruption, catastrophic fail, DDoS)
  3. Perimeter:
    • Outer: first detection (firewalls, rate limits, monitoring)
    • Inner: critical asset boundaries (access ctrl, encryption, isolation)
    • Core: last-resort (backups, kill switches, circuit breakers)

Got: Map: assets prioritized + threats classified + perimeters layered.

If err: Overwhelming → top 3 critical assets + top 3 threat types. Coverage of what matters > perfect. Unclear boundaries → default zero-trust + define from actual traffic.

Step 2: Alarm Network

Detection + alert propagation.

  1. Sentinels per layer:
    • Outer: light, high-sens (may false+)
    • Inner: heavy, high-spec (fewer false+, slower)
    • Core: critical monitors (zero missed tolerance)
  2. Graduated alarms:
    • Yellow: anomaly, increased monitor, no mob
    • Orange: confirmed pattern, local defenders mob, scouts investigate
    • Red: active breach / severe, full mob, non-essential paused
    • Black: existential, all → defense, sacrifice expendable if needed
  3. Propagation:
    • Local: sentinels alert nearby directly
    • Regional: clusters aggregate + escalate if threshold met
    • Colony-wide: regional escalation → broadcast
    • Each step adds confirmation — single sentinel can't trigger colony-wide
  4. Fatigue prevention:
    • Auto-suppress repeated identical (dedup w/ time window)
    • Req escalation confirmed by indep sentinels
    • Track alarm-to-threat ratio — FP >50% → recalibrate
Alarm Propagation:
┌──────────────────────────────────────────────────────────┐
│ Sentinel detects anomaly ──→ Yellow alert (local)        │
│        │                                                 │
│        ↓ (confirmed by 2nd sentinel)                     │
│ Orange alert ──→ Local defenders mobilize                │
│        │                                                 │
│        ↓ (pattern matches known threat + 3rd sentinel)   │
│ Red alert ──→ Full defense mobilization                  │
│        │                                                 │
│        ↓ (critical asset under active attack)            │
│ Black alert ──→ All resources to defense, circuit break  │
└──────────────────────────────────────────────────────────┘

Got: Graduated alarm, severity → response intensity. Multi-sentinel confirms prevent single FPs. Fatigue managed via dedup + calibration.

If err: Too many FPs → raise thresh / more confirms. Threats slip → add sentinels at breach layer / lower thresh. Too slow → reduce confirm reqs (accept higher FP).

Step 3: Role-Based Defenders

Assign roles + mob protocols proportional to threat.

  1. Roles:
    • Sentinels: detection (always active, low cost)
    • Guards: first responders (idle until mob, fast)
    • Soldiers: heavy (expensive mob, high cap)
    • Healers: repair + recovery (see repair-damage)
    • Messengers: coord across regions
  2. Roles → alerts:
    • Yellow: sentinels ↑ monitor freq, guards standby
    • Orange: guards mob → threat loc, soldiers standby
    • Red: soldiers mob, non-essential → defense
    • Black: all → defense, colony activities suspended
  3. Proportional:
    • Never soldiers for probe (waste + reveals caps)
    • Never only sentinels vs incursion (insufficient)
    • Match tier — escalate if fails, de-escalate when recedes
  4. Role transitions:
    • Workers → guards (temp upskill emergency)
    • Guards → soldiers (sustained threat)
    • Post-threat → reverse transitions restore normal

Got: Force scales w/ severity. Normal = min defense. Under threat = rapid proportional mob, no over/under.

If err: Mob too slow → pre-position guards near known vectors. Too expensive → reduce permanent guards, rely on worker-to-guard. Role confusion → simplify to 3 (detect/respond/recover).

Step 4: Immune Memory + Adaptation

Learn each encounter.

  1. Per incident, threat signature:
    • Attack pattern (how detected)
    • Vector (where entered)
    • Effective response (what stopped)
    • Failed response (what didn't)
  2. Store in immune memory:
    • Fast-lookup pattern lib for sentinels
    • Updated playbooks w/ known-effective
    • Flagged FP patterns → reduce future fatigue
  3. Adaptive immunity:
    • New signatures → all sentinels (colony-wide learning)
    • Detecting sentinels get priority updates (local)
    • Periodic review culls outdated
  4. Stress test:
    • Re-sim past threats → verify defenses still work
    • Red team → novel threats test adaptation
    • Measure detection: known vs unknown

Got: Defense gets stronger per encounter. Known = faster detect + better response. Novel = graduated alarm, resolution → memory.

If err: Memory too large → prioritize by freq + severity, archive rare/minor. Too specialized, misses novel → keep "general patrol" (anomaly detection, no pattern match).

Step 5: Post-Incident Recovery

Defense → normal w/ repair + resilience.

  1. Threat elim verify:
    • Confirm neutralized (not just suppressed)
    • Scan secondaries during primary
    • Verify no compromised agents remain
  2. Damage assess:
    • Catalog damaged/degraded/lost
    • Priority by criticality (core first)
    • Estimate recovery time + resources
  3. Recovery:
    • Healers → damaged (see repair-damage)
    • Restore svcs in priority
    • Elevated sentinel during recovery (vulnerable period)
  4. De-escalate:
    • Step down (Red → Orange → Yellow → Normal)
    • Reassigned workers → primary roles
    • Stand down soldiers, guards → patrol
    • Post-incident review <24h (fresh memory)

Got: Smooth defense → recovery → normal. Elevated monitor catches secondaries. Review feeds memory.

If err: Slow recovery → pre-build playbooks for likely damage. Secondaries during recovery → de-esc too aggressive, keep higher alert longer. Review skipped (time pressure) → schedule non-negotiable.

Check

  • Critical assets ID'd + prioritized
  • Threats classified (type + severity)
  • Perimeter layered + sentinels per layer
  • Alarm graduated + multi-sentinel confirm
  • Roles defined + mob → alerts
  • Proportional prevents over/under
  • Memory captures + applies lessons
  • Recovery restores safely

Traps

  • Maginot Line: Over-invest 1 layer, others unprotected. Layered — any single can breach.
  • Alert fatigue: Many alarms, few real → degrades attention. Calibrate ruthless; missed FP cheaper than missed real.
  • Symmetric response: Same intensity always → wastes + reveals caps. Match — escalate only when needed.
  • No immune memory: Repeated same threat, no learning → expensive + fragile. Every incident → update knowledge.
  • Permanent war footing: Sustained high-alert → exhausts + degrades normal. De-esc deliberate when threat passes.

  • coordinate-swarm — foundational coord patterns supporting alarm + mob
  • build-consensus — rapid consensus for collective defense under pressure
  • scale-colony — defense scales w/ growth
  • repair-damage — morphic regenerative recovery
  • configure-alerting-rules — practical alerting impl
  • conduct-post-mortem — structured analysis → feeds memory

GitHub Repository

pjt222/agent-almanac
Path: i18n/caveman-ultra/skills/defend-colony
0
agentsagentskillsai-assisted-developmentclaude-codeskillsteams

Related Skills

content-collections

Meta

This skill provides a production-tested setup for Content Collections, a TypeScript-first tool that transforms Markdown/MDX files into type-safe data collections with Zod validation. Use it when building blogs, documentation sites, or content-heavy Vite + React applications to ensure type safety and automatic content validation. It covers everything from Vite plugin configuration and MDX compilation to deployment optimization and schema validation.

View skill

polymarket

Meta

This skill enables developers to build applications with the Polymarket prediction markets platform, including API integration for trading and market data. It also provides real-time data streaming via WebSocket to monitor live trades and market activity. Use it for implementing trading strategies or creating tools that process live market updates.

View skill

creating-opencode-plugins

Meta

This skill helps developers create OpenCode plugins that hook into 25+ event types like commands, files, and LSP operations. It provides the plugin structure, event API specifications, and implementation patterns for JavaScript/TypeScript modules. Use it when you need to intercept, monitor, or extend the OpenCode AI assistant's lifecycle with custom event-driven logic.

View skill

sglang

Meta

SGLang is a high-performance LLM serving framework that specializes in fast, structured generation for JSON, regex, and agentic workflows using its RadixAttention prefix caching. It delivers significantly faster inference, especially for tasks with repeated prefixes, making it ideal for complex, structured outputs and multi-turn conversations. Choose SGLang over alternatives like vLLM when you need constrained decoding or are building applications with extensive prefix sharing.

View skill