关于
This skill provides a framework for implementing collective, layered defense in distributed systems, inspired by immune response patterns. It enables threat detection, alert propagation, and a proportional response that escalates with severity, preventing over- or under-reaction. Use it to design scalable incident response and defense-in-depth strategies where no single component can address all threats.
快速安装
Claude Code
推荐npx skills add pjt222/agent-almanac -a claude-code/plugin add https://github.com/pjt222/agent-almanacgit clone https://github.com/pjt222/agent-almanac.git ~/.claude/skills/defend-colony在 Claude Code 中复制并粘贴此命令以安装该技能
技能文档
Defend Colony
Layered collective defense: alarm signal + role mobilize + proportional response + immune memory. Inspired by social insect + biological immune sys.
Use When
- Defense-in-depth, no single guardian covers all
- Incident response scales w/ severity
- Components can't defend alone
- Defense over-reactive (every alert = full mob) / under-reactive (threats unnoticed)
- Org resilience: teams self-org on incident
- Complement
coordinate-swarmw/ threat-response patterns
In
- Required: Colony desc (sys, org, team)
- Required: Threat cats (attacks, failures, competitors, env)
- Optional: Current defenses + fail modes
- Optional: Defender types + caps
- Optional: Latency per tier
- Optional: Recovery reqs
Do
Step 1: Threat Landscape + Perimeter
ID what to defend, from what, where perimeter.
- Critical assets:
- Protect all cost (core data, prod sys, key ppl)
- Can sustain temp damage (staging, non-crit svcs)
- Expendable under extreme (caches, replicas, non-essential)
- Classify threats:
- Probes: low-level recon (port scans, failed logins)
- Incursions: active boundary violations (unauth access, injection)
- Infestations: persistent inside (compromised nodes, insider)
- Existential: survival threats (corruption, catastrophic fail, DDoS)
- Perimeter:
- Outer: first detection (firewalls, rate limits, monitoring)
- Inner: critical asset boundaries (access ctrl, encryption, isolation)
- Core: last-resort (backups, kill switches, circuit breakers)
Got: Map: assets prioritized + threats classified + perimeters layered.
If err: Overwhelming → top 3 critical assets + top 3 threat types. Coverage of what matters > perfect. Unclear boundaries → default zero-trust + define from actual traffic.
Step 2: Alarm Network
Detection + alert propagation.
- Sentinels per layer:
- Outer: light, high-sens (may false+)
- Inner: heavy, high-spec (fewer false+, slower)
- Core: critical monitors (zero missed tolerance)
- Graduated alarms:
- Yellow: anomaly, increased monitor, no mob
- Orange: confirmed pattern, local defenders mob, scouts investigate
- Red: active breach / severe, full mob, non-essential paused
- Black: existential, all → defense, sacrifice expendable if needed
- Propagation:
- Local: sentinels alert nearby directly
- Regional: clusters aggregate + escalate if threshold met
- Colony-wide: regional escalation → broadcast
- Each step adds confirmation — single sentinel can't trigger colony-wide
- Fatigue prevention:
- Auto-suppress repeated identical (dedup w/ time window)
- Req escalation confirmed by indep sentinels
- Track alarm-to-threat ratio — FP >50% → recalibrate
Alarm Propagation:
┌──────────────────────────────────────────────────────────┐
│ Sentinel detects anomaly ──→ Yellow alert (local) │
│ │ │
│ ↓ (confirmed by 2nd sentinel) │
│ Orange alert ──→ Local defenders mobilize │
│ │ │
│ ↓ (pattern matches known threat + 3rd sentinel) │
│ Red alert ──→ Full defense mobilization │
│ │ │
│ ↓ (critical asset under active attack) │
│ Black alert ──→ All resources to defense, circuit break │
└──────────────────────────────────────────────────────────┘
Got: Graduated alarm, severity → response intensity. Multi-sentinel confirms prevent single FPs. Fatigue managed via dedup + calibration.
If err: Too many FPs → raise thresh / more confirms. Threats slip → add sentinels at breach layer / lower thresh. Too slow → reduce confirm reqs (accept higher FP).
Step 3: Role-Based Defenders
Assign roles + mob protocols proportional to threat.
- Roles:
- Sentinels: detection (always active, low cost)
- Guards: first responders (idle until mob, fast)
- Soldiers: heavy (expensive mob, high cap)
- Healers: repair + recovery (see
repair-damage) - Messengers: coord across regions
- Roles → alerts:
- Yellow: sentinels ↑ monitor freq, guards standby
- Orange: guards mob → threat loc, soldiers standby
- Red: soldiers mob, non-essential → defense
- Black: all → defense, colony activities suspended
- Proportional:
- Never soldiers for probe (waste + reveals caps)
- Never only sentinels vs incursion (insufficient)
- Match tier — escalate if fails, de-escalate when recedes
- Role transitions:
- Workers → guards (temp upskill emergency)
- Guards → soldiers (sustained threat)
- Post-threat → reverse transitions restore normal
Got: Force scales w/ severity. Normal = min defense. Under threat = rapid proportional mob, no over/under.
If err: Mob too slow → pre-position guards near known vectors. Too expensive → reduce permanent guards, rely on worker-to-guard. Role confusion → simplify to 3 (detect/respond/recover).
Step 4: Immune Memory + Adaptation
Learn each encounter.
- Per incident, threat signature:
- Attack pattern (how detected)
- Vector (where entered)
- Effective response (what stopped)
- Failed response (what didn't)
- Store in immune memory:
- Fast-lookup pattern lib for sentinels
- Updated playbooks w/ known-effective
- Flagged FP patterns → reduce future fatigue
- Adaptive immunity:
- New signatures → all sentinels (colony-wide learning)
- Detecting sentinels get priority updates (local)
- Periodic review culls outdated
- Stress test:
- Re-sim past threats → verify defenses still work
- Red team → novel threats test adaptation
- Measure detection: known vs unknown
Got: Defense gets stronger per encounter. Known = faster detect + better response. Novel = graduated alarm, resolution → memory.
If err: Memory too large → prioritize by freq + severity, archive rare/minor. Too specialized, misses novel → keep "general patrol" (anomaly detection, no pattern match).
Step 5: Post-Incident Recovery
Defense → normal w/ repair + resilience.
- Threat elim verify:
- Confirm neutralized (not just suppressed)
- Scan secondaries during primary
- Verify no compromised agents remain
- Damage assess:
- Catalog damaged/degraded/lost
- Priority by criticality (core first)
- Estimate recovery time + resources
- Recovery:
- Healers → damaged (see
repair-damage) - Restore svcs in priority
- Elevated sentinel during recovery (vulnerable period)
- Healers → damaged (see
- De-escalate:
- Step down (Red → Orange → Yellow → Normal)
- Reassigned workers → primary roles
- Stand down soldiers, guards → patrol
- Post-incident review <24h (fresh memory)
Got: Smooth defense → recovery → normal. Elevated monitor catches secondaries. Review feeds memory.
If err: Slow recovery → pre-build playbooks for likely damage. Secondaries during recovery → de-esc too aggressive, keep higher alert longer. Review skipped (time pressure) → schedule non-negotiable.
Check
- Critical assets ID'd + prioritized
- Threats classified (type + severity)
- Perimeter layered + sentinels per layer
- Alarm graduated + multi-sentinel confirm
- Roles defined + mob → alerts
- Proportional prevents over/under
- Memory captures + applies lessons
- Recovery restores safely
Traps
- Maginot Line: Over-invest 1 layer, others unprotected. Layered — any single can breach.
- Alert fatigue: Many alarms, few real → degrades attention. Calibrate ruthless; missed FP cheaper than missed real.
- Symmetric response: Same intensity always → wastes + reveals caps. Match — escalate only when needed.
- No immune memory: Repeated same threat, no learning → expensive + fragile. Every incident → update knowledge.
- Permanent war footing: Sustained high-alert → exhausts + degrades normal. De-esc deliberate when threat passes.
→
coordinate-swarm— foundational coord patterns supporting alarm + mobbuild-consensus— rapid consensus for collective defense under pressurescale-colony— defense scales w/ growthrepair-damage— morphic regenerative recoveryconfigure-alerting-rules— practical alerting implconduct-post-mortem— structured analysis → feeds memory
GitHub 仓库
Frequently asked questions
What is the defend-colony skill?
defend-colony is a Claude Skill by pjt222. Skills package instructions and resources that Claude loads on demand, so Claude can perform defend-colony-related tasks without extra prompting.
How do I install defend-colony?
Use the install commands on this page: add defend-colony to Claude Code as a plugin, or clone its repository into your skills directory, then restart Claude so it picks up the skill.
What category does defend-colony belong to?
defend-colony is in the Meta category, tagged react and design.
Is defend-colony free to use?
Yes. defend-colony is listed on AIMCP and free to install. It runs inside Claude, so no separate service account is required to use the skill itself.
相关推荐技能
Content Collections 是一个 TypeScript 优先的构建工具,可将本地 Markdown/MDX 文件转换为类型安全的数据集合。它专为构建博客、文档站和内容密集型 Vite+React 应用而设计,提供基于 Zod 的自动模式验证。该工具涵盖从 Vite 插件配置、MDX 编译到生产环境部署的完整工作流。
这个Claude Skill为开发者提供完整的Polymarket预测市场开发支持,涵盖API调用、交易执行和市场数据分析。关键特性包括实时WebSocket数据流,可监控实时交易、订单和市场动态。开发者可用它构建预测市场应用、实施交易策略并集成实时市场预测功能。
该Skill帮助开发者创建OpenCode插件,用于接入命令、文件、LSP等25+种事件。它提供了插件结构、事件API规范和JavaScript/TypeScript实现模式,适合需要拦截操作、扩展功能或自定义事件处理的场景。开发者可通过它快速构建响应式模块来增强OpenCode AI助手的能力。
SGLang是一个专为LLM设计的高性能推理框架,特别适用于需要结构化输出的场景。它通过RadixAttention前缀缓存技术,在处理JSON、正则表达式、工具调用等具有重复前缀的复杂工作流时,能实现极速生成。如果你正在构建智能体或多轮对话系统,并追求远超vLLM的推理性能,SGLang是理想选择。
