# Conducting Post-Breach Remediation

## Overview
Post-breach remediation transforms the findings from a breach investigation into concrete corrective actions that prevent recurrence and demonstrate accountability under GDPR Art. 5(2) and Art. 24. Effective remediation goes beyond fixing the immediate vulnerability — it addresses root causes, closes systemic control gaps, updates policies and training, enhances monitoring, and satisfies regulatory follow-up requirements.
## Lessons Learned Framework

### Step 1: Root Cause Remediation (Immediate — Within 30 Days)
Address the direct technical and procedural cause of the breach:
| Root Cause Category | Remediation Approach | Example (SPG-BREACH-2026-003) |
|---|---|---|
| Stale privileged account | Decommission account, implement lifecycle management | Revoked svc-migration-2024; deployed automated service account expiry (90-day review cycle) |
| Phishing vulnerability | Deploy phishing-resistant MFA, enhance email filtering | Migrated from push-based MFA to FIDO2/WebAuthn for all privileged accounts |
| Insufficient network segmentation | Implement micro-segmentation | Deployed database-tier isolation; access only via approved bastion host with session recording |
| Inadequate access review scope | Expand access review to include all account types | Added service accounts, API keys, and machine accounts to quarterly access certification |
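As an added example (not part of the original skill), the expanded access-certification scope and the 90-day review cycle from the table can be turned into a check over an account inventory; the inventory, the dates and the rule that a privileged account unused for a full cycle is a decommission candidate are constructed assumptions:

```python
from dataclasses import dataclass
from datetime import date

# Review cycle taken from the table's example (automated service account
# expiry with a 90-day review cycle). Everything else here is constructed.
REVIEW_CYCLE_DAYS = 90


@dataclass(frozen=True)
class Account:
    name: str
    kind: str            # "user", "service", "api_key" or "machine"
    privileged: bool
    last_reviewed: date  # last completed access certification
    last_used: date      # last authentication observed in logs


def overdue_for_review(acct: Account, today: date) -> bool:
    """Certification older than one review cycle, regardless of account kind."""
    return (today - acct.last_reviewed).days > REVIEW_CYCLE_DAYS


def stale_privileged(acct: Account, today: date) -> bool:
    """Privileged account with no observed use for a whole cycle (assumed rule)."""
    return acct.privileged and (today - acct.last_used).days > REVIEW_CYCLE_DAYS


def certification_report(accounts: list[Account], today: date) -> dict[str, list[str]]:
    """Split the inventory into decommission candidates and accounts due for review.

    Every account kind is in scope, matching the table's expanded certification.
    """
    report: dict[str, list[str]] = {"review": [], "decommission": []}
    for acct in accounts:
        if stale_privileged(acct, today):
            report["decommission"].append(acct.name)
        elif overdue_for_review(acct, today):
            report["review"].append(acct.name)
    return report


# Constructed sample inventory; the first name is the account the table says was revoked.
SAMPLE = [
    Account("svc-migration-2024", "service", True, date(2024, 6, 1), date(2024, 9, 30)),
    Account("api-key-billing", "api_key", False, date(2025, 11, 15), date(2026, 3, 30)),
    Account("alice", "user", True, date(2026, 2, 1), date(2026, 3, 31)),
    Account("build-runner-07", "machine", False, date(2025, 12, 20), date(2026, 3, 31)),
]

if __name__ == "__main__":
    print(certification_report(SAMPLE, date(2026, 4, 1)))
```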