Security Incident Response

Overview

Use this skill to run a structured response that minimizes blast radius, preserves evidence, and restores service safely.

Scope Boundaries

• Indicators of compromise or security alerts require investigation.
• Active abuse is suspected and containment decisions are needed.
• Security incident communications and recovery criteria must be formalized.

Templates And Assets

• Incident timeline template:
  • assets/security-incident-timeline-template.md

Inputs To Gather

• Detection source, initial evidence, and confidence level.
• Affected systems, data classes, and business criticality.
• Available responders and escalation contacts.
• Legal/compliance notification obligations and time limits.