conducting-post-incident-lessons-learned

by mukul975

The conducting-post-incident-lessons-learned skill helps Incident Response teams run structured after-action reviews, build factual timelines, identify root causes, capture what worked and failed, and turn each incident into measurable improvements with owners, deadlines, and playbook updates.

Stars0

Favorites0

Comments0

AddedMay 9, 2026

CategoryIncident Response

Install Command

npx skills add mukul975/Anthropic-Cybersecurity-Skills --skill conducting-post-incident-lessons-learned

Curation Score

This skill scores 82/100, which means it is a solid directory listing for users who need a structured post-incident lessons-learned workflow. The repository gives enough operational detail, templates, standards references, and scripts to help an agent trigger and execute the task with less guesswork than a generic prompt, though it still lacks a direct install command and some end-to-end usage guidance.

82/100

Strengths

Strong workflow specificity: when to use, prerequisites, and a stepwise review process are documented in SKILL.md and workflow references.
Good agent leverage: includes scripts for metrics/report generation plus a reusable report template and API/standards references.
Trustworthy domain framing: aligned to NIST SP 800-61, SANS PICERL, ISO 27001, and MITRE ATT&CK with no placeholder markers.

Cautions

No install command in SKILL.md, so users may need to infer setup/invocation details from the repo.
Some script content is truncated in the evidence, so directory users may want to inspect code quality and completeness before relying on automation.

Security Nist Mitre Attack Sre Post Incident Lessons Learned Playbook Workflow

Overview

Overview of conducting-post-incident-lessons-learned skill

What this skill does

The conducting-post-incident-lessons-learned skill helps you run a structured post-incident review after recovery is complete. It is designed for Incident Response teams that need to turn one incident into concrete improvements: clearer timelines, better root-cause analysis, measurable action items, and playbook updates.

Who it is for

Use the conducting-post-incident-lessons-learned skill if you are an IR lead, SOC analyst, security manager, or facilitator responsible for an after-action review. It is most useful when you already have incident data and need a repeatable way to document what happened, what worked, and what must change.

Why it is worth installing

This is more than a generic prompt. The repository includes a report template, a detailed workflow, standards references, and scripts for metric calculation and report generation. That makes the conducting-post-incident-lessons-learned skill better suited to operational use than a one-off “write a postmortem” prompt, especially when you need consistency across incidents.

How to Use conducting-post-incident-lessons-learned skill

Install and open the right files

Install with:

npx skills add mukul975/Anthropic-Cybersecurity-Skills --skill conducting-post-incident-lessons-learned

Then read SKILL.md first, followed by references/workflows.md, assets/template.md, references/standards.md, and references/api-reference.md. If you plan to automate data collection or report generation, inspect scripts/process.py and scripts/agent.py before you prompt the skill.

What input the skill needs

For strong conducting-post-incident-lessons-learned usage, provide a complete incident packet: incident ID, type, severity, detection time, containment time, recovery time, timeline events, involved teams, communication logs, and known gaps. The skill works best when the incident is fully resolved and your notes are factual, not speculative.

How to prompt it well

Turn a vague request into an operational brief. Instead of “summarize the incident,” ask for: a blameless lessons-learned report, a timeline table, response metrics, root-cause analysis, action items with owners and deadlines, and playbook updates mapped to the observed failure points. For conducting-post-incident-lessons-learned for Incident Response, state whether you want a leadership summary, a technical review, or a full facilitator draft.

Practical workflow and quality checks

Start with the template in assets/template.md, fill in timestamps and metrics, then use the workflow in references/workflows.md to structure the session. Compare your output against the standards in references/standards.md to ensure the review stays blameless and improvement-focused. If the report omits owners, deadlines, or detection gaps, ask the skill to revise those sections before circulating it.

conducting-post-incident-lessons-learned skill FAQ

Is this only for mature incident response teams?

No. The conducting-post-incident-lessons-learned skill is useful for small teams too, because it gives you a repeatable structure. What matters is having enough incident data to review; you do not need a full GRC program to get value from it.

How is this different from a normal prompt?

A normal prompt usually produces a narrative summary. This skill is better for conducting-post-incident-lessons-learned because it supports a real workflow: metric capture, timeline review, root-cause analysis, and action tracking. That makes it more reliable when the output needs to drive change, not just documentation.

When should I not use it?

Do not use it during active containment or before the incident is resolved. It is also a poor fit if you have no timeline, no participants, or no follow-through path for the action items. In those cases, gather data first or use a lighter incident recap prompt.

Does it fit standard security frameworks?

Yes. The references align with NIST SP 800-61, SANS PICERL, ISO 27001 continual improvement, and blameless post-incident practices. That makes the conducting-post-incident-lessons-learned skill a good fit for teams that need evidence of process improvement, not just internal notes.

How to Improve conducting-post-incident-lessons-learned skill

Feed it stronger evidence

The biggest quality jump comes from better source material. Provide a chronological timeline, actual timestamps, alert samples, triage notes, and the final remediation list. If you only give a short summary, the conducting-post-incident-lessons-learned skill will still work, but the root-cause section and metrics will be weaker.

Ask for decision-ready outputs

Request outputs that help a reviewer act: “rank action items by risk reduction,” “separate process, people, and technology fixes,” or “map each lesson to a playbook update.” Those instructions produce more useful conducting-post-incident-lessons-learned usage than asking for a generic retrospective.

Watch for common failure modes

The most common miss is mixing facts with guesses. Another is vague action items such as “improve communication” or “monitor better.” Push the skill to name owners, deadlines, and measurable success criteria so the review can be tracked after the meeting.

Iterate after the first draft

Use the first output to spot gaps, then rerun the skill with missing artifacts, disputed timestamps, or a narrower audience. If leadership needs a shorter version, ask for an executive summary; if the IR team needs execution detail, ask for a technical annex. That iterative loop is the fastest way to get better results from the conducting-post-incident-lessons-learned skill.

Ratings & Reviews

No ratings yet

Share your review

0/10000

Latest reviews

Saving...

more skill

conducting-malware-incident-response

by mukul975

conducting-malware-incident-response helps IR teams triage suspected malware, confirm infections, scope spread, contain endpoints, and support eradication and recovery. It is designed for conducting-malware-incident-response for Incident Response workflows with evidence-backed steps, telemetry-driven decisions, and practical containment guidance.

Incident Response

Favorites 0GitHub 0

detecting-s3-data-exfiltration-attempts

by mukul975

detecting-s3-data-exfiltration-attempts helps investigate possible AWS S3 data theft by correlating CloudTrail S3 data events, GuardDuty findings, Amazon Macie alerts, and S3 access patterns. Use this detecting-s3-data-exfiltration-attempts skill for Security Audit, incident response, and suspicious bulk-download analysis.

Security Audit

Favorites 0GitHub 6.2k

analyzing-usb-device-connection-history

by mukul975

analyzing-usb-device-connection-history helps investigate USB device connection history on Windows using registry hives, event logs, and setupapi.dev.log for Digital Forensics, insider threat work, and incident response. It supports timeline reconstruction, device correlation, and removable-media evidence analysis.

Digital Forensics

Favorites 0GitHub 6.2k

analyzing-bootkit-and-rootkit-samples

by mukul975

analyzing-bootkit-and-rootkit-samples is a malware analysis skill for MBR, VBR, UEFI, and rootkit investigations. Use it to inspect boot sectors, firmware modules, and anti-rootkit indicators when compromise persists below the OS layer. It is suited for analysts who need a practical guide, clear workflow, and evidence-based triage for Malware Analysis.

Malware Analysis

Favorites 0GitHub 6.2k

extracting-browser-history-artifacts

by mukul975

extracting-browser-history-artifacts is a Digital Forensics skill for extracting browser history, cookies, cache, downloads, and bookmarks from Chrome, Firefox, and Edge. Use it to turn browser profile files into timeline-ready evidence with repeatable, case-focused workflow guidance.

Digital Forensics

Favorites 0GitHub 0

detecting-ransomware-encryption-behavior

by mukul975

detecting-ransomware-encryption-behavior helps defenders spot ransomware-style encryption using entropy analysis, file I/O monitoring, and behavioral heuristics. It is suited for incident response, SOC tuning, and red-team validation when you need to detect mass file changes, rename bursts, and suspicious process activity quickly.

Incident Response

Favorites 0GitHub 0

detecting-privilege-escalation-attempts

by mukul975

detecting-privilege-escalation-attempts helps hunt privilege escalation on Windows and Linux, including token manipulation, UAC bypass, unquoted service paths, kernel exploits, and sudo/doas abuse. Built for threat hunting teams that need a practical workflow, reference queries, and helper scripts.

Threat Hunting

Favorites 0GitHub 0

detecting-evasion-techniques-in-endpoint-logs

by mukul975

The detecting-evasion-techniques-in-endpoint-logs skill helps hunt defense evasion in Windows endpoint logs, including log clearing, timestomping, process injection, and security tool disabling. Use it for threat hunting, detection engineering, and incident triage with Sysmon, Windows Security, or EDR telemetry.

Threat Hunting

Favorites 0GitHub 0

analyzing-network-traffic-for-incidents

by mukul975

analyzing-network-traffic-for-incidents helps incident responders analyze PCAPs, flow logs, and packet captures to confirm C2, lateral movement, exfiltration, and exploitation attempts. Built for analyzing-network-traffic-for-incidents for Incident Response with Wireshark, Zeek, and NetFlow-style investigation.

Incident Response

Favorites 0GitHub 0

detecting-credential-dumping-techniques

by mukul975

The detecting-credential-dumping-techniques skill helps you detect LSASS access, SAM export, NTDS.dit theft, and comsvcs.dll MiniDump abuse using Sysmon Event ID 10, Windows Security logs, and SIEM correlation rules. It is built for threat hunting, detection engineering, and Security Audit workflows.

Security Audit

Favorites 0GitHub 0

correlating-security-events-in-qradar

by mukul975

correlating-security-events-in-qradar helps SOC and detection teams correlate IBM QRadar offenses with AQL, offense context, custom rules, and reference data. Use this guide to investigate incidents, reduce false positives, and build stronger correlation logic for Incident Response.

Incident Response

Favorites 0GitHub 0

containing-active-breach

by mukul975

containing-active-breach is an incident-response skill for live breach containment. It helps isolate hosts, block suspicious traffic, disable compromised accounts, and slow lateral movement using a structured containing-active-breach guide with practical API and script references.

Incident Response

Favorites 0GitHub 0

configuring-suricata-for-network-monitoring

by mukul975

The configuring-suricata-for-network-monitoring skill helps deploy and tune Suricata for IDS/IPS monitoring, EVE JSON logging, rules management, and SIEM-ready output. It suits the configuring-suricata-for-network-monitoring for Security Audit workflow when you need practical setup, validation, and false-positive reduction.

Security Audit

Favorites 0GitHub 0

detecting-process-injection-techniques

by mukul975

detecting-process-injection-techniques helps analyze suspicious in-memory activity, validate EDR alerts, and identify process hollowing, APC injection, thread hijacking, reflective loading, and classic DLL injection for Security Audit and malware triage.

Security Audit

Favorites 0GitHub 0

detecting-business-email-compromise

by mukul975

The detecting-business-email-compromise skill helps analysts, SOC teams, and incident responders identify BEC attempts using email-header checks, social-engineering clues, detection logic, and response-oriented workflows. Use it as a practical detecting-business-email-compromise guide for triage, validation, and containment.

Incident Response

Favorites 0GitHub 6.1k

detecting-email-forwarding-rules-attack

by mukul975

The detecting-email-forwarding-rules-attack skill helps Security Audit, threat hunting, and incident response teams find malicious mailbox forwarding rules used for persistence and email collection. It guides analysts through Microsoft 365 and Exchange evidence, suspicious rule patterns, and practical triage for forwarding, redirect, delete, and hide behaviors.

Security Audit

Favorites 0GitHub 0