CtrlK
BlogDocsLog inGet started
Tessl Logo

analyzing-cyber-kill-chain

Analyzes intrusion activity against the Lockheed Martin Cyber Kill Chain framework to identify which phases an adversary has completed, where defenses succeeded or failed, and what controls would have interrupted the attack at earlier phases. Use when conducting post-incident analysis, building prevention-focused security controls, or mapping detection gaps to kill chain phases. Activates for requests involving kill chain analysis, intrusion kill chain, attack phase mapping, or Lockheed Martin kill chain framework.

63

Quality

Does it follow best practices?

Impact

No eval scenarios have been run

SecuritybySnyk

Passed

No known issues

SKILL.md
Quality
Evals
Security

Quality

Content

50%

Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.

The body is well-structured and gives a concrete, sequenced analysis workflow, but it is held back by unreferenced executable material in the bundle, missing validation checkpoints, and some re-explanation of concepts Claude already knows.

Suggestions

Link references/api-reference.md from the 'Tools & Systems' section (e.g., 'Splunk queries: See [api-reference.md](references/api-reference.md)') so the executable Splunk/EQL/PyMISP examples are discoverable.

Add explicit validation checkpoints to the workflow, such as 'Confirm each observed action maps to exactly one phase' and 'Verify evidence supports each Completed/Detected call before producing the report'.

Trim the Key Concepts table and the basic one-line phase definitions that restate common knowledge (e.g., what reconnaissance is), keeping only the specialized indicator and COA detail.

DimensionReasoningScore

Conciseness

The per-phase indicator lists and COA framework earn their tokens, but the Key Concepts table and one-line phase definitions (e.g., 'Reconnaissance: Adversary gathers target information before attack') re-explain concepts Claude already knows, so it is mostly efficient rather than fully lean.

2 / 3

Actionability

The 5-step workflow, specific MITRE tactic IDs, worked phase-matrix example, and 6-category COA framework are concrete, but the executable Splunk/EQL/PyMISP queries that operationalize the 'Tools & Systems' section live in references/api-reference.md and are never linked from the body, leaving the guidance incomplete.

2 / 3

Workflow Clarity

The steps are clearly sequenced with a worked example, but there are no validation checkpoints or feedback loops (e.g., verifying each action maps to exactly one phase, or confirming evidence supports a 'Completed' call), so checkpoints are missing.

2 / 3

Progressive Disclosure

The body is well organized into sections, but the existing references/api-reference.md — which contains the tool queries the 'Tools & Systems' section alludes to — is not referenced anywhere, so a relevant reference is present but unsignaled.

2 / 3

Total

8

/

12

Passed

Description

100%

Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.

A strong, well-constructed description: it states concrete capabilities in third person, gives explicit 'Use when' triggers with natural analyst terminology, and occupies a clear niche unlikely to conflict with other skills.

DimensionReasoningScore

Specificity

Names multiple concrete actions ('identify which phases an adversary has completed, where defenses succeeded or failed, and what controls would have interrupted the attack at earlier phases') in third person, matching the 'lists multiple specific concrete actions' anchor.

3 / 3

Completeness

Explicitly answers what ('Analyzes intrusion activity... to identify which phases...') and when ('Use when conducting post-incident analysis...'), with explicit 'Activates for requests involving...' triggers, matching the top anchor.

3 / 3

Trigger Term Quality

Covers natural terms a security analyst would say — 'post-incident analysis', 'mapping detection gaps', 'kill chain analysis', 'intrusion kill chain', 'attack phase mapping', 'Lockheed Martin kill chain framework' — giving good trigger coverage.

3 / 3

Distinctiveness Conflict Risk

Tightly scoped to the Lockheed Martin Cyber Kill Chain with distinct, domain-specific triggers, making it unlikely to fire for unrelated skills.

3 / 3

Total

12

/

12

Passed

Validation

93%

Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.

Validation15 / 16 Passed

Validation for skill structure

CriteriaDescriptionResult

frontmatter_unknown_keys

Unknown frontmatter key(s) found; consider removing or moving to metadata

Warning

Total

15

/

16

Passed

Repository
mukul975/Anthropic-Cybersecurity-Skills
Reviewed

Table of Contents

Is this your skill?

If you maintain this skill, you can claim it as your own. Once claimed, you can manage eval scenarios, bundle related skills, attach documentation or rules, and ensure cross-agent compatibility.