Guide security incident response, investigation, and remediation processes. Use when you need to handle security breaches, classify incidents, develop response playbooks, gather forensic evidence, or coordinate remediation efforts. Trigger with phrases like "security incident response", "ransomware attack response", "data breach investigation", "incident playbook", or "security forensics".
Before using this skill, ensure:
Classify the security incident:
Prevent further damage:
Gather forensic data systematically:
System Evidence:
Log Evidence:
Network Evidence:
Reconstruct the attack timeline:
Remove threat from environment:
Restore normal operations:
Create comprehensive incident report:
The skill produces:
Primary Output: Incident response playbook saved to `{baseDir}/incidents/incident-YYYYMMDD-HHMM.md`
Playbook Structure:
```markdown
# Security Incident Response - [Incident Type]
Date: YYYY-MM-DD HH:MM
Severity: CRITICAL
Status: Contained

## Executive Summary
- Incident type: Ransomware attack
- Detection time: 2024-01-15 08:30 UTC
- Affected systems: 15 servers, 200 workstations
- Business impact: Production halted
- Current status: Contained, recovery in progress

## Timeline of Events
```
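Reconstructing the attack timeline from the collected log evidence, as an added example that is not part of the original skill: it normalises syslog, EDR and web-server timestamps to UTC, orders them, and renders the playbook's Timeline of Events section plus the `incident-YYYYMMDD-HHMM.md` path. The sample log lines are constructed, and the syslog year (2024) and local offset (UTC-5) are assumptions.

```python
"""Merge multi-source log evidence into the playbook's UTC timeline (added example;
sample lines constructed, syslog year and local offset assumed)."""
import re
from datetime import datetime, timedelta, timezone

# Constructed evidence: syslog (no year/zone), EDR alert (ISO 8601 Z), web access log.
SAMPLE_EVENTS = [
    ("syslog", "Jan 15 03:12:44 fileserver01 sshd[2231]: Accepted password for svc_backup from 10.20.30.40"),
    ("edr", "2024-01-15T08:29:10Z alert=ransomware.behavior host=ws-117 process=update.exe"),
    ("web", '10.20.30.40 - - [15/Jan/2024:03:10:02 -0500] "POST /login HTTP/1.1" 200'),
]
SYSLOG_RE = re.compile(r"^(\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (.*)$")
ISO_RE = re.compile(r"^(\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})Z (.*)$")
WEB_RE = re.compile(r"^(\S+) \S+ \S+ \[([^\]]+)\] (.*)$")

def parse_event(source, line, year=2024, syslog_tz=timezone(timedelta(hours=-5))):
    """Return (utc_timestamp, message); year/zone for syslog are assumptions."""
    if source == "syslog":
        m = SYSLOG_RE.match(line)
        ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        return ts.replace(tzinfo=syslog_tz).astimezone(timezone.utc), m.group(2)
    if source == "edr":
        m = ISO_RE.match(line)
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%S")
        return ts.replace(tzinfo=timezone.utc), m.group(2)
    if source == "web":
        m = WEB_RE.match(line)  # timestamp carries its own numeric offset
        ts = datetime.strptime(m.group(2), "%d/%b/%Y:%H:%M:%S %z")
        return ts.astimezone(timezone.utc), f"{m.group(1)} {m.group(3)}"
    raise ValueError(f"unknown evidence source {source!r}")

def build_timeline(events, **kw):
    """Normalise all events to UTC and sort; rows are (ts, source, message)."""
    rows = [parse_event(src, line, **kw) + (src,) for src, line in events]
    return sorted(((ts, src, msg) for ts, msg, src in rows), key=lambda r: r[0])

def render_timeline_section(timeline):
    """Render the '## Timeline of Events' section of the playbook template."""
    out = ["## Timeline of Events", "", "| Time (UTC) | Source | Event |", "|---|---|---|"]
    for ts, src, msg in timeline:
        cell = msg.replace("|", "\\|")  # keep table cells intact
        out.append(f"| {ts:%Y-%m-%d %H:%M:%S} | {src} | {cell} |")
    return "\n".join(out)

def playbook_path(base_dir, detected_at):
    """Path per the skill's convention: {baseDir}/incidents/incident-YYYYMMDD-HHMM.md."""
    return f"{base_dir}/incidents/incident-{detected_at.astimezone(timezone.utc):%Y%m%d-%H%M}.md"

if __name__ == "__main__":
    print(render_timeline_section(build_timeline(SAMPLE_EVENTS)))
```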