Stats
Actions
Tags
From cybersecurity-skills
Triages a single security finding to a defensible disposition with mitigation, false positive, or accepted-risk writeup. Use for scanner, audit, or advisory results needing a decision.
How this skill is triggered — by the user, by Claude, or both
Slash command
/cybersecurity-skills:finding-triageThis skill is limited to the following tools:
The summary Claude sees in its skill listing — used to decide when to auto-load this skill
Every other skill in this repo *generates* findings. This skill *closes the loop* — for a single finding, walk through whether it's real, what severity it deserves in your context, and what to do about it. Output is a complete ticket-ready writeup with the right fields, the right justification, and an audit trail that survives a regulator reading it six months later.
Every other skill in this repo generates findings. This skill closes the loop — for a single finding, walk through whether it's real, what severity it deserves in your context, and what to do about it. Output is a complete ticket-ready writeup with the right fields, the right justification, and an audit trail that survives a regulator reading it six months later.
The dispositions match owasp-audit's Three-Disposition rule: Fixed, Deferred, or Accepted Risk. False positive is a fourth — but it isn't a disposition for a real finding, it's a determination that there is no finding.
This skill works on findings from any source: SAST output, DAST scanner, dependency advisory, manual audit, threat-hunt hit, pentest report, vendor disclosure, internal red-team writeup, bug bounty submission.
Cross-references:
vuln-research for the technical CVE deep-dive that feeds reachability assessment hereowasp-audit Three-Disposition rule (the framework this implements per-finding)security-comms for translating the disposition writeup into stakeholder-readable language when the finding has to leave the security contextThe agent works through these steps with the user. Stop and ask clarifying questions where the user has context the finding alone doesn't reveal.
If the finding came from a scanner, restate what's actually being claimed. Scanners produce noise; restating filters out the boilerplate.
A good restatement names:
If you can't restate it clearly, you don't understand it yet. Ask the user for context.
Half of automated-scanner findings are false positives by volume. The triage:
| Question | If yes | If no |
|---|---|---|
| Does the vulnerable code path exist as described? | Continue | False positive — scanner found a phantom |
| Is the code path reachable from any attacker-controllable input? | Continue | Continue, but severity drops |
| Does the exploit precondition match your environment? | Continue | Severity drops or false positive |
| Is there a public PoC, or has anyone confirmed this in the wild? | Severity stays / rises | Severity may drop |
| Are existing controls (WAF, auth, network segmentation) preventing exploitation? | Severity drops; controls become the mitigation | Severity stays |
Common false-positive patterns:
devDependencies only — runtime-unreachable (see dependency-audit reachability column)Document a false-positive determination as carefully as a real finding. If a future scanner or auditor flags the same thing, the prior false-positive note saves them the work.
The scanner's CVSS or severity rating is a starting point, not the answer. Adjust for your context.
Factors that increase severity beyond the rating:
Factors that decrease severity below the rating:
vuln-research)Severity scale (use the one your org uses; here's a common one):
| Level | Definition |
|---|---|
| Critical | Pre-auth or trivially exploitable; immediate data loss / RCE / takeover; patch within 24-72 hours |
| High | Auth required but minimal privilege; or post-auth path to significant impact; patch within 1-2 weeks |
| Medium | Requires meaningful privilege or chain; realistic but not trivial; patch within 30 days |
| Low | Defense-in-depth; hard to chain; patch within 90 days |
| Info | Hardening or hygiene; documented behavior; patch when convenient |
| Disposition | When to choose | Required fields |
|---|---|---|
| Fix now (synonym: Fixed) | Patch / mitigation deployable within the severity's SLA | Fix description, deploy plan, verification method |
| Defer | Severity warrants action, but operational constraints make immediate fix infeasible | Reason for deferral, new deadline, who owns, alerting if conditions change before deadline |
| Accept risk | Fix isn't planned at current configuration | (1) Why fix doesn't apply, (2) Compensating controls, (3) Re-evaluation trigger |
| False positive | Not actually a vulnerability | Evidence for the determination, scanner rule ID to suppress (with care) |
On Defer: severity does NOT change because you decided to defer. Recording a "High deferred to Q3" is honest; downgrading a High to Medium because Q3 is far away is risk-laundering.
On Accept Risk: all three fields are required. An "Accepted Risk" without all three is a real finding being silently dropped. The re-evaluation trigger is the most-skipped field — name a specific condition (plan upgrade, dependency bump, traffic pattern change, audit anniversary).
Produce a ticket-ready writeup. Use one of these templates depending on disposition.
## Finding: [Title]
**Source:** [scanner / audit / advisory]
**Severity:** [contextual] (Scanner reported: [original])
**CWE / CVE:** [if applicable]
**Location:** [file:line / endpoint / resource]
### What
[Plain-English description — what the issue is]
### Why this severity
[Contextual reasoning — what the scanner missed, what your environment adds]
### Fix
[Specific change — code diff, config update, dependency upgrade]
### Verification
[Concrete test — adversarial input + observed result that proves the fix holds]
- Run [command / test case]
- Observe [response / behavior]
### Owner: [name]
### Target deploy: [date]
## Finding: [Title] — DEFERRED
**Severity:** [unchanged]
**Original target:** [original SLA date]
**New target:** [date]
### Why deferred
[Operational constraint — release freeze, dependency on third party, etc.]
### Risk during deferral window
[What's the exposure? What controls reduce it?]
### Alerting / conditions that would escalate
[What would force action sooner than the new target?]
### Owner: [name]
### Re-evaluation: [date — usually before new target]
## Finding: [Title] — ACCEPTED RISK
**Severity:** [contextual]
**Approver:** [name + role]
**Date accepted:** [date]
### Why fix doesn't apply
[Cost tier, dependency version constraint, deployment topology, vendor limitation, etc. — be specific]
### Compensating controls
- [Control 1 — what it is, why it reduces impact / likelihood]
- [Control 2]
- ...
### Re-evaluation trigger
[Specific condition — plan upgrade, dependency bump, traffic pattern change, calendar anniversary]
- Trigger: [what would change this decision]
- Calendar review: [date — at minimum, annually]
### Approvals
- [ ] Engineering owner: [name, date]
- [ ] Security: [name, date]
- [ ] (if required) Compliance / Legal: [name, date]
## Finding: [Title] — FALSE POSITIVE
**Scanner:** [name + rule ID]
**Original severity:** [as reported]
### What the scanner claimed
[Restate the claim]
### Why it's not real
[Specific evidence — code path not reachable, version contains the fix, etc.]
### Suppression decision
- [ ] Suppress this exact finding (location + rule ID)
- [ ] Add allow-list rule (with care — broad suppression breeds blind spots)
- [ ] No suppression — re-evaluate if it returns
### Determination by: [name, date]
### Reviewed by: [name, date — for non-trivial suppressions]
Before submitting:
Findings that should NOT be triaged unilaterally by a single engineer:
These get a second reviewer (Tier 3 / security team / approver named in policy).
The primary output is the disposition writeup itself (templates above). For a triage session that covers multiple findings or a batch import, summarize:
# Finding Triage Session
## Source: [scanner / audit / report]
## Date: [date]
## Triaged by: [name]
### Summary
| Finding | Original severity | Contextual severity | Disposition |
|---------|-------------------|---------------------|-------------|
### Detail
[Per-finding writeup using the appropriate template]
### Escalations
[Findings that need senior review or approval]
incident-triage — disposition triage is for steady-state findings, not firesfirst.org/cvssnpx claudepluginhub briiirussell/cybersecurity-skills --plugin cybersecurity-skillsTriages a single security finding from any source into a defensible disposition with evidence: Fixed, Deferred, Accepted Risk, or False Positive. Use when normalizing findings or building audit-trail writeups.
Validates bug bounty findings before submission using a 7-question gate, pre-submission checks, CVSS reference, and severity guide. Kill invalid findings early to protect your validity ratio.
Validates and triages Hacktron security findings against source code and optionally a live deployment, distinguishing true/false positives, adjusting severity, and committing fixes or updating states via the Hacktron REST API.