
analyzing-cyber-kill-chain

Analyzes intrusion activity against the Lockheed Martin Cyber Kill Chain framework to identify which phases an adversary has completed, where defenses succeeded or failed, and what controls would have interrupted the attack at earlier phases. Use when conducting post-incident analysis, building prevention-focused security controls, or mapping detection gaps to kill chain phases. Activates for requests involving kill chain analysis, intrusion kill chain, attack phase mapping, or Lockheed Martin kill chain framework.


Quality: 81%

Does it follow best practices?

Impact: No eval scenarios have been run

Security (by Snyk): Passed. No known issues.


Quality

Discovery: 100%

Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.

This is an excellent skill description that clearly articulates specific capabilities, provides explicit trigger guidance with both 'Use when' and 'Activates for' clauses, and occupies a well-defined niche. It uses proper third-person voice throughout and includes natural keywords that users in the cybersecurity domain would actually use. The description is concise yet comprehensive.

Dimension (Score): Reasoning

Specificity (3 / 3): Lists multiple specific concrete actions: identifies which phases an adversary has completed, where defenses succeeded or failed, and what controls would have interrupted the attack at earlier phases. These are clear, actionable capabilities.

Completeness (3 / 3): Clearly answers both 'what' (analyzes intrusion activity against the Cyber Kill Chain framework to identify phases, defense gaps, and controls) and 'when' (explicit 'Use when' clause for post-incident analysis, building controls, mapping detection gaps, plus an 'Activates for' clause with trigger terms).

Trigger Term Quality (3 / 3): Includes strong natural keywords users would say: 'kill chain analysis', 'intrusion kill chain', 'attack phase mapping', 'Lockheed Martin kill chain framework', 'post-incident analysis', 'detection gaps'. Good coverage of variations and natural terms.

Distinctiveness / Conflict Risk (3 / 3): Highly distinctive with a clear niche: specifically tied to the Lockheed Martin Cyber Kill Chain framework. The specific framework reference and domain-specific trigger terms like 'kill chain analysis' and 'attack phase mapping' make it very unlikely to conflict with other security or analysis skills.

Total: 12 / 12 (Passed)

Implementation: 62%

Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.

This is a competent analytical skill with a well-structured 5-step workflow and useful concrete examples like the phase matrix. Its main weaknesses are moderate verbosity (defining terms Claude knows, listing basic indicators) and insufficient actionability — it describes what to do conceptually but lacks executable examples like actual SIEM queries, structured output templates, or concrete COA examples per phase. The skill would benefit from trimming known concepts and adding concrete, copy-paste-ready artifacts.

Suggestions

Add concrete examples to the COA section — e.g., for Phase 3 Delivery: 'Deny: Block macro execution via GPO; Detect: Yara rule for weaponized document patterns; Deceive: canary email addresses seeded in public directories'

Include at least one executable query example for the referenced tools (e.g., an Elastic EQL query for beaconing detection or a Splunk search for scheduled task creation)

Provide a structured output template (markdown or JSON) for the kill chain analysis report in Step 5, rather than just listing section headings

Trim the Key Concepts table — Claude knows what beaconing and kill chains are; replace with a concise note on the intelligence gain/loss concept which is the only non-obvious term

Dimension (Score): Reasoning

Conciseness (2 / 3): The skill is reasonably well-structured but includes some content Claude already knows (e.g., defining what beaconing is, explaining what the kill chain phases are at a basic level). The Key Concepts table and some indicator lists could be trimmed. However, the phase-specific indicators and COA framework add genuine value.

Actionability (2 / 3): The skill provides a clear analytical framework with specific steps and a concrete phase matrix example, but it lacks executable artifacts: no query examples for Splunk/Elastic, no template files, no structured output format (e.g., JSON schema for the report). The COA section lists categories but doesn't provide concrete examples of actual controls per phase.

Workflow Clarity (3 / 3): The 5-step workflow is clearly sequenced and logically progresses from evidence mapping through analysis to report production. The phase matrix example in Step 2 serves as an effective validation checkpoint, and Step 3's ATT&CK mapping provides a cross-referencing verification step. For an analytical (non-destructive) skill, this level of workflow clarity is appropriate.

Progressive Disclosure (2 / 3): The content is entirely self-contained in a single file with no bundle files. While the skill is moderately long (~120 lines of substantive content), the Tools & Systems section and the ATT&CK mapping details could be split into reference files. The structure within the file is good with clear sections, but there's no progressive disclosure to deeper materials.

Total: 9 / 12 (Passed)

Validation: 90%

Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.

Validation: 10 / 11 Passed

Validation for skill structure

Criteria / Description / Result

frontmatter_unknown_keys: Unknown frontmatter key(s) found; consider removing or moving to metadata. Result: Warning

Total: 10 / 11 (Passed)

Repository: mukul975/Anthropic-Cybersecurity-Skills (Reviewed)
