Incident Triage

llm-trading-agent-security is a practical guide for securing autonomous trading agents with wallet authority. It covers prompt injection, spend limits, pre-send simulation, circuit breakers, MEV-aware execution, and key isolation to reduce financial-loss risk in a Security Audit.

memory-forensics skill for RAM capture and dump analysis with Volatility 3. Covers install context, usage workflows, artifact extraction, and incident triage across Windows, Linux, macOS, and VM memory.

postmortem-writing helps teams create blameless incident postmortems with timelines, root cause analysis, contributing factors, impact, and actionable follow-up items for report writing after outages or near-misses.

Learn the on-call-handoff-patterns skill for reliable shift transitions. Use it to structure incident handoffs, capture active issues, recent changes, escalation state, and next actions for Reliability teams.

incident-runbook-templates helps teams create structured incident response runbooks with clear triage, mitigation, escalation, communication, and recovery steps for outages and operational Playbooks.

detecting-shadow-it-cloud-usage helps identify unauthorized SaaS and cloud usage from proxy logs, DNS queries, and netflow. It classifies domains, compares them with approved lists, and supports security audit workflows with structured evidence from the detecting-shadow-it-cloud-usage skill guide.

detecting-service-account-abuse is a threat-hunting skill for finding service account misuse across Windows, AD, SIEM, and EDR telemetry. It focuses on suspicious interactive logons, privilege escalation, lateral movement, and access anomalies, with a hunt template, event IDs, and workflow references for repeatable investigation.

building-ioc-defanging-and-sharing-pipeline skill for extracting IOCs, defanging URLs, IPs, domains, emails, and hashes, then converting and sharing them as STIX 2.1 via TAXII or MISP for security audit and threat intel workflows.

building-incident-timeline-with-timesketch helps DFIR teams build collaborative incident timelines in Timesketch by ingesting Plaso, CSV, or JSONL evidence, normalizing timestamps, correlating events, and documenting attack chains for incident triage and reporting.

building-incident-response-playbook helps security teams create reusable incident response playbooks with step-by-step phases, decision trees, escalation criteria, RACI ownership, and SOAR-ready structure. It is designed for incident response procedure documentation, incident triage workflows, and audit-friendly operational response plans.

detecting-modbus-protocol-anomalies helps detect suspicious Modbus/TCP and Modbus RTU behavior in OT and ICS networks, including invalid function codes, out-of-range register access, abnormal polling timing, unauthorized writes, and malformed frames. Useful for a Security Audit and evidence-based triage.

The detecting-business-email-compromise skill helps analysts, SOC teams, and incident responders identify BEC attempts using email-header checks, social-engineering clues, detection logic, and response-oriented workflows. Use it as a practical detecting-business-email-compromise guide for triage, validation, and containment.

detecting-beaconing-patterns-with-zeek helps analyze Zeek conn.log intervals to detect C2-style beaconing. It uses ZAT, groups flows by source, destination, and port, and scores low-jitter patterns with statistical checks. Ideal for SOC, threat hunting, incident response, and detecting-beaconing-patterns-with-zeek for Security Audit workflows.

detecting-azure-service-principal-abuse helps detect, investigate, and document suspicious Microsoft Entra ID service principal activity in Azure. Use it for Security Audit, cloud incident response, and threat hunting to review credential changes, admin consent abuse, role assignments, ownership paths, and sign-in anomalies.

analyzing-security-logs-with-splunk helps investigate security events in Splunk by correlating Windows, firewall, proxy, and authentication logs into timelines and evidence. This analyzing-security-logs-with-splunk skill is a practical guide for Security Audit, incident response, and threat hunting.

analyzing-ransomware-network-indicators helps analyze Zeek conn.log and NetFlow to spot C2 beaconing, TOR exits, exfiltration, and suspicious DNS for Security Audit and incident response.

analyzing-ransomware-leak-site-intelligence helps monitor ransomware data leak sites, extract victim and group signals, and produce structured threat intelligence for incident response, sector risk review, and adversary tracking.

analyzing-azure-activity-logs-for-threats skill for querying Azure Monitor activity logs and sign-in logs to spot suspicious admin actions, impossible travel, privilege escalation, and resource tampering. Built for incident triage with KQL patterns, an execution path, and practical Azure log table guidance.

analyzing-apt-group-with-mitre-navigator helps analysts map APT group techniques into MITRE ATT&CK Navigator layers for detection gap analysis, threat modeling, and repeatable threat intelligence workflows. It includes practical guidance for ATT&CK data lookup, layer generation, and comparing adversary TTP coverage.

eradicating-malware-from-infected-systems is a cybersecurity incident response skill for removing malware, backdoors, and persistence mechanisms after containment. It includes workflow guidance, reference files, and scripts for Windows and Linux cleanup, credential rotation, root-cause remediation, and validation.

Analyze WAF and audit logs to detect SQL injection campaigns with detecting-sql-injection-via-waf-logs. Built for Security Audit and SOC workflows, it parses ModSecurity, AWS WAF, and Cloudflare events, classifies UNION SELECT, OR 1=1, SLEEP(), and BENCHMARK() patterns, correlates sources, and produces incident-oriented findings.

detecting-privilege-escalation-attempts helps hunt privilege escalation on Windows and Linux, including token manipulation, UAC bypass, unquoted service paths, kernel exploits, and sudo/doas abuse. Built for threat hunting teams that need a practical workflow, reference queries, and helper scripts.

detecting-port-scanning-with-fail2ban helps configure Fail2ban to detect port scans, SSH brute force attempts, and reconnaissance, then ban suspicious IPs and alert security teams. This skill fits hardening and detecting-port-scanning-with-fail2ban for Security Audit workflows, with practical guidance for logs, jails, filters, and safe tuning.

detecting-pass-the-ticket-attacks helps detect Kerberos Pass-the-Ticket activity by correlating Windows Security Event IDs 4768, 4769, and 4771. Use it for threat hunting in Splunk or Elastic to spot ticket reuse, RC4 downgrades, and unusual TGS volume with practical queries and field guidance.