incident-response
by alirezarezvaniincident-response helps teams triage declared security events with classification, SEV1-SEV4 severity, false-positive checks, escalation routing, forensic evidence collection, and regulatory deadline awareness. Includes a Python triage script and NIST SP 800-61-style workflow guidance.
This skill scores 84/100, which means it is a solid listing candidate for directory users who want an agent-ready incident response workflow rather than a generic security prompt. The repository evidence shows a clear trigger definition, substantial response methodology, an incident triage script, and a regulatory deadline reference, though adoption would be easier with explicit install instructions and stronger validation guidance for compliance-sensitive content.
- Clear trigger scope: the frontmatter specifies use for detected or declared security incidents, classification, triage, escalation, false-positive filtering, and forensic evidence collection.
- Substantial operational content: SKILL.md covers severity framework, false-positive filtering, forensic collection, escalation paths, workflows, anti-patterns, and cross-references rather than acting as a placeholder.
- Includes executable leverage: scripts/incident_triage.py classifies events, applies false-positive checks, scores SEV1-SEV4, determines escalation, and returns meaningful exit codes.
- No install command or README is present in the skill path, so users must infer how to copy or enable the skill in their agent setup.
- Regulatory deadline content is useful but high-risk; teams should validate it against current counsel-approved obligations before relying on it operationally.
Overview of incident-response skill
What incident-response is for
incident-response is a security operations skill for turning a detected or declared security event into a structured response: classify the incident, filter likely false positives, assign SEV1-SEV4 severity, decide escalation, and start forensic evidence collection. It is built around practical incident handling rather than broad security advice, with references to NIST SP 800-61-style lifecycle thinking and operational severity routing.
Best-fit users and teams
This incident-response skill is most useful for SOC analysts, security engineers, SREs, incident commanders, and engineering teams that need a repeatable first-response workflow. It fits teams that already have alerts, logs, tickets, or incident notes and need help deciding: “Is this real, how bad is it, who needs to act, and what evidence must be preserved now?”
What makes it different from a generic prompt
A generic AI prompt can summarize an alert, but this skill gives the agent a response structure: incident taxonomy, false-positive checks, severity scoring, escalation paths, forensic collection guidance, and regulatory deadline awareness. The included scripts/incident_triage.py can classify events into incident types, score severity, and return machine-readable output, which makes the skill more actionable than a prose-only guide.
When this skill is not the right fit
Do not use incident-response as a replacement for threat hunting, malware reverse engineering, legal advice, or final compliance reporting. It starts after an event is detected or an incident is declared. If you are still searching for unknown threats, use a detection or hunting workflow first; if you are writing regulator-ready breach notices, pair this with legal and compliance review.
How to Use incident-response skill
incident-response install and repository path
Install from the skill repository with:
npx skills add alirezarezvani/claude-skills --skill incident-response
The source path is engineering-team/skills/incident-response in alirezarezvani/claude-skills. After install, read SKILL.md first for the response workflow, then inspect scripts/incident_triage.py for the executable triage logic and references/regulatory-deadlines.md for notification timing constraints. There is no separate README.md or metadata file in this skill directory, so SKILL.md is the primary operating document.
Inputs the skill needs for good triage
For best incident-response usage, provide more than a vague alert title. Include the alert source, timestamp, affected assets, identities, event type, raw payload or key fields, business context, observed impact, known data exposure, containment status, and any prior related alerts. The skill can reason better when you distinguish facts from assumptions.
Weak prompt:
“Investigate this ransomware alert.”
Stronger prompt:
“Use the incident-response skill. Alert source: EDR. Event type: ransomware. Host: finance-laptop-22. Time: 2026-02-14T03:20Z. Observed: file rename burst, ransom note path, suspicious process tree, outbound connection to unknown IP. User has finance file share access. No containment yet. Classify severity, check false positives, identify immediate escalation path, and list forensic evidence to preserve.”
Running the included triage script
The repository includes scripts/incident_triage.py, which accepts JSON input and can return classification, false-positive checks, severity, escalation guidance, and forensic pre-analysis. Typical usage:
python3 scripts/incident_triage.py --input event.json --json
or:
echo '{"event_type":"ransomware","raw_payload":{}}' | python3 scripts/incident_triage.py --json
The script uses exit codes operationally: 0 for clean or SEV3/SEV4 handling, 1 for SEV2 elevated response, and 2 for SEV1 critical incident declaration. Treat those outputs as triage support, not automatic authority to declare or close an incident.
Practical workflow for analysts
Start with the incident facts, ask the skill to classify and justify the category, then request severity scoring separately so assumptions are visible. Next, ask for false-positive checks and missing evidence. If confirmed, move to escalation and evidence preservation: SIEM logs, EDR telemetry, DNS/proxy logs, cloud audit logs, authentication logs, memory capture where appropriate, and chain-of-custody notes. Finally, compare the incident against references/regulatory-deadlines.md if personal data, PHI, cardholder data, or regulated systems may be involved.
incident-response skill FAQ
Is incident-response suitable for beginners?
Yes, if the beginner has access to real alert context and understands their organization’s escalation process. The skill can provide structure and reduce guesswork, but it cannot invent asset criticality, legal obligations, or internal authority. Beginners should use it to prepare a clear triage summary for a senior responder, not to make high-risk decisions alone.
How does this differ from SOAR or SIEM automation?
This incident-response guide is not a full SOAR platform. It helps an AI agent reason through classification, severity, escalation, evidence collection, and regulatory timing. The included Python script can assist with standardized triage, but it does not replace integrations with ticketing, paging, EDR isolation, SIEM enrichment, or case management tools.
Can it handle regulatory notification decisions?
It includes a useful reference file for major notification deadlines such as GDPR, PCI-DSS, and HIPAA, including the important rule that clocks often start at declaration or discovery rather than investigation completion. However, it should be used as an operational reminder, not legal advice. Always route potential reportable incidents to counsel, privacy, compliance, and executive stakeholders according to your incident plan.
When should I avoid using this skill?
Avoid using it to “confirm everything is fine” from incomplete evidence, to bypass escalation, or to produce external breach statements without review. It is also a poor fit for purely theoretical security education, proactive control design, or post-incident compliance mapping. Use it when there is a concrete event that needs triage, severity assignment, and response coordination.
How to Improve incident-response skill
Improve incident-response results with stronger evidence
The most important upgrade is better input quality. Include raw alert fields, detection rule name, affected system role, user privileges, network indicators, data sensitivity, recent changes, and containment actions already taken. Ask the skill to label each conclusion as confirmed, likely, unknown, or assumed. This prevents overconfident incident declarations and makes handoff cleaner.
Tune severity and escalation to your environment
The built-in SEV1-SEV4 model is a strong starting point, but every organization has different risk thresholds. Add your own asset tiers, customer-impact definitions, regulatory scope, on-call rotations, executive notification triggers, and “declare incident” authority. For example, ransomware on a test VM and ransomware on a domain controller should not produce the same operational response.
Watch for common failure modes
Common issues include treating low-fidelity alerts as confirmed incidents, skipping false-positive checks, collecting evidence after containment in a way that destroys volatile data, and missing regulatory clocks while waiting for perfect scope. Ask the skill explicitly: “What evidence could disprove this classification?” and “What must be preserved before containment changes system state?”
Iterate after the first output
Do not stop at the first incident-response output. Use it to create follow-up questions: request a timeline, evidence checklist, escalation message, containment decision tree, and open-questions list. After new telemetry arrives, rerun the classification and severity assessment with updated facts. Good use of incident-response is iterative: triage quickly, document assumptions, preserve evidence, escalate correctly, and revise as facts improve.
