Cyber Attack Chain Analysis

Transform incident timelines into structured Cyber Kill Chain mappings and high-impact defensive roadmaps.

Install
cmdop skills install agensi-cyber-attack-chain-analysis

Cyber Attack Chain Analysis is a skill that takes fragmented incident logs and timeline notes and maps them onto the Cyber Kill Chain framework. It distinguishes between confirmed facts and assumptions throughout the analysis, identifies the first point of detection in a given intrusion sequence, and surfaces exactly where visibility failed rather than simply listing what occurred. Secondary mapping support is included for MITRE ATT&CK tactics and techniques alongside the primary Kill Chain structure. The skill is designed to work with input from any security tooling the user provides, including SIEM, EDR, and XDR platforms, without requiring integration with a specific vendor stack. Output from the skill includes executive summaries suitable for leadership reporting, detection gap registers that document where controls failed or were absent, and prioritized remediation roadmaps. This makes it useful when a security team needs to move from raw incident data to a structured, evidence-grounded narrative that can drive both technical remediation and strategic defensive investment. It is built for post-incident review workflows where objective phase categorization and gap analysis are required, and where analysts need to produce reports that are both technically precise and accessible to non-technical stakeholders.

Use cases

  • Map a confirmed intrusion timeline to each phase of the Cyber Kill Chain
  • Identify the first point of detection and enumerate earlier stages that were missed
  • Generate a detection gap register documenting where controls failed during an incident
  • Produce an executive summary of an attack for leadership or board-level reporting
  • Cross-reference Kill Chain phases with MITRE ATT&CK tactics and techniques
  • Build a prioritized remediation roadmap from a completed post-incident analysis

When to use it

  • Conducting a structured post-incident review after a confirmed intrusion
  • Translating technical incident findings into leadership-ready reports
  • Identifying defensive coverage gaps revealed by an attack
  • Mapping adversary behavior to recognized frameworks for documentation or compliance purposes

When not to use it

  • Real-time threat detection or alerting — this skill operates on supplied timelines, not live data streams
  • Automated ingestion of logs directly from a SIEM or EDR; the user must supply the relevant data as input
  • Incidents where no timeline or log data is available to provide as evidence
  • Use cases requiring integration with a specific security platform via API