Incident Response
Skill Purpose: Detect, triage, contain, and recover from security incidents with clear communication and evidence.
Core Skill Pattern
Objective: Minimize impact and restore service while preserving forensic evidence.
Universal Pattern:
- Detect and validate the incident
- Triage severity and scope
- Contain and mitigate impact
- Eradicate root cause and recover
- Conduct post-incident review
Key Decisions (Project-Specific):
- Severity classification criteria
- On-call and escalation paths
- Evidence collection requirements
- Communication protocols
Project-Specific Implementation Notes
Customize per project:
- Define on-call rotations and contacts
- Ensure log retention meets forensic needs
- Pre-approve emergency access procedures
Example Incident Checklist
- Confirm indicators and affected systems
- Disable compromised credentials
- Collect logs and snapshots
- Patch or roll back to safe state
- Notify stakeholders and document timeline
Best Practices
- Practice with tabletop exercises
- Keep a clear incident timeline
- Preserve evidence before remediation
- Communicate status regularly
- Close with a blameless postmortem
Stop Conditions
STOP and escalate if:
- Severity cannot be determined
- Evidence collection is blocked
- Containment risks data loss
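As an added example (not part of this skill document), the following Python sketch ties together the incident checklist, the "preserve evidence before remediation" practice and the stop conditions above: a hash-chained incident timeline that records triage, hashed evidence artifacts and remediation steps, refuses a remediation step until evidence has been recorded, and raises an escalation on the stop conditions. The severity scale, class and method names are assumptions, not something the skill prescribes.

```python
import hashlib
import json
from datetime import datetime, timezone
SEVERITY_LEVELS = ("low", "medium", "high", "critical")  # constructed scale; define per project

def _digest(entry):
    return hashlib.sha256(json.dumps(entry, sort_keys=True).encode()).hexdigest()

class StopAndEscalate(Exception): """Raised when one of the skill's Stop Conditions is hit."""

class IncidentTimeline:
    def __init__(self, incident_id):
        self.incident_id, self.severity, self.events = incident_id, None, []

    def _append(self, kind, detail, **extra):
        prev = self.events[-1]["entry_hash"] if self.events else "0" * 64
        entry = {"ts": datetime.now(timezone.utc).isoformat(), "kind": kind,
                 "detail": detail, "prev_hash": prev, **extra}
        entry["entry_hash"] = _digest(entry)  # commits to its predecessor; later edits break the chain
        self.events.append(entry)
        return entry

    def classify(self, severity):
        if severity not in SEVERITY_LEVELS:
            raise StopAndEscalate("Severity cannot be determined")
        self.severity = severity
        return self._append("triage", f"severity={severity}")

    def record_evidence(self, label, artifact):
        # Hash the collected artifact (log bundle, snapshot) so it can be verified later.
        return self._append("evidence", label, sha256=hashlib.sha256(artifact).hexdigest())

    def remediate(self, action, risks_data_loss=False):
        if self.severity is None:
            raise StopAndEscalate("Severity cannot be determined")
        if not any(e["kind"] == "evidence" for e in self.events):
            raise StopAndEscalate("Preserve evidence before remediation")
        if risks_data_loss:
            raise StopAndEscalate("Containment risks data loss")
        return self._append("remediation", action)

    def verify_chain(self):
        prev = "0" * 64
        for e in self.events:
            body = {k: v for k, v in e.items() if k != "entry_hash"}
            if e["prev_hash"] != prev or e["entry_hash"] != _digest(body):
                return False
            prev = e["entry_hash"]
        return True
```

The exported timeline (`events`) doubles as the documented incident timeline for the postmortem, and `verify_chain()` lets a reviewer check that no entry was altered after the fact.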
Skill Version: 1.0.0