Analyzes intrusion activity against the Lockheed Martin Cyber Kill Chain framework to identify which phases an adversary has completed, where defenses succeeded or failed, and what controls would have interrupted the attack at earlier phases. Use when conducting post-incident analysis, building prevention-focused security controls, or mapping detection gaps to kill chain phases. Activates for requests involving kill chain analysis, intrusion kill chain, attack phase mapping, or Lockheed Martin kill chain framework.
90
88%
Does it follow best practices?
Impact
Pending
No eval scenarios have been run
Passed
No known issues
Quality
Discovery
100%
Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.
This is an excellent skill description that clearly articulates specific capabilities, provides explicit 'Use when' and 'Activates for' clauses with natural trigger terms, and occupies a well-defined niche around the Lockheed Martin Cyber Kill Chain framework. It follows best practices by using third person voice, listing concrete actions, and covering multiple natural keyword variations that users would employ.
| Dimension | Reasoning | Score |
|---|---|---|
| Specificity | Lists multiple specific concrete actions: identifies which phases an adversary has completed, where defenses succeeded or failed, and what controls would have interrupted the attack at earlier phases. These are clear, actionable capabilities. | 3 / 3 |
| Completeness | Clearly answers both 'what' (analyzes intrusion activity against the Cyber Kill Chain framework to identify phases, defense gaps, and controls) and 'when' (explicit 'Use when' clause for post-incident analysis, building security controls, mapping detection gaps, plus an 'Activates for' clause with trigger terms). | 3 / 3 |
| Trigger Term Quality | Includes strong natural keywords users would say: 'kill chain analysis', 'intrusion kill chain', 'attack phase mapping', 'Lockheed Martin kill chain framework', 'post-incident analysis', 'detection gaps'. Good coverage of variations and natural terms. | 3 / 3 |
| Distinctiveness Conflict Risk | Highly distinctive with a clear niche: specifically the Lockheed Martin Cyber Kill Chain framework. The combination of framework-specific terminology and explicit trigger terms makes it very unlikely to conflict with other security or analysis skills. | 3 / 3 |
| Total | 12 / 12 Passed | |
Implementation
77%
Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.
This is a well-structured, actionable skill with a clear 5-step workflow and concrete output formats (phase matrix, COA categories, report structure). Its main weakness is moderate verbosity—defining terms and listing indicators that Claude already knows—and keeping all content inline rather than splitting reference material into separate files. The workflow clarity and actionability are strong, making this a solid analytical skill despite the conciseness issues.
Suggestions
- Trim the phase indicator lists to just 1-2 non-obvious examples per phase, removing well-known indicators Claude already understands (e.g., phishing emails for delivery, scheduled tasks for persistence).
- Move the Key Concepts table and Tools & Systems section to a separate reference file, keeping only a brief pointer in the main skill.
| Dimension | Reasoning | Score |
|---|---|---|
| Conciseness | The skill is mostly efficient but includes some content Claude would already know (e.g., defining what beaconing is, explaining what a kill chain is, listing basic indicator types for each phase). The key concepts table and phase indicator lists add bulk that an experienced analyst model wouldn't need. However, the COA framework and phase matrix format add genuine value. | 2 / 3 |
| Actionability | The skill provides concrete, actionable guidance: a specific phase matrix format to produce, explicit COA categories to document per phase, ATT&CK tactic mappings, and a structured report output format. The phase matrix example is copy-paste ready and the 5-step workflow gives clear instructions for what to produce at each stage. | 3 / 3 |
| Workflow Clarity | The 5-step workflow is clearly sequenced with logical progression from mapping actions → identifying detection points → ATT&CK enrichment → COA development → report production. Each step has explicit outputs. The phase matrix in Step 2 serves as a validation checkpoint showing where detection succeeded/failed, and Step 4's COA framework provides structured verification of defensive coverage. | 3 / 3 |
| Progressive Disclosure | The content is well-structured with clear sections and a logical flow, but it's a monolithic document that could benefit from splitting detailed content (e.g., full phase indicator lists, COA templates, report templates) into separate reference files. The MITRE ATT&CK mapping table and tools section could be external references rather than inline content. | 2 / 3 |
| Total | 10 / 12 Passed | |
Validation
90%
Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.
Validation — 10 / 11 Passed
Validation for skill structure
| Criteria | Description | Result |
|---|---|---|
| frontmatter_unknown_keys | Unknown frontmatter key(s) found; consider removing or moving to metadata | Warning |
| Total | 10 / 11 Passed | |
c15f73d