Back to Skills
Skill
Community

responding-to-security-incidents

From security-incident-responder
1.7K
Install
1
Install the plugin
$
npx claudepluginhub jeremylongshore/claude-code-plugins-plus-skills --plugin security-incident-responder

Want just this skill?

Then install: npx claudepluginhub u/[userId]/[slug]

Description

Analyze and guide security incident response, investigation, and remediation processes. Use when you need to handle security breaches, classify incidents, develop response playbooks, gather forensic evidence, or coordinate remediation efforts. Trigger with phrases like "security incident response", "ransomware attack response", "data breach investigation", "incident playbook", or "security forensics".

Tool Access

This skill is limited to using the following tools:

ReadWriteEditGrepGlobBash(log-analysis:*)Bash(forensics:*)Bash(network-trace:*)
Supporting Assets
View in Repository
assets/README.md
references/README.md
references/errors.md
references/examples.md
references/implementation.md
scripts/README.md
scripts/evidence_collector.sh
Skill Content

Responding To Security Incidents

Overview

Guide the full NIST SP 800-61 incident response lifecycle: detection, containment, eradication, recovery, and post-incident analysis. Classify incidents by type (ransomware, data breach, DDoS, credential compromise, insider threat) and severity, then coordinate evidence preservation, threat containment, and root-cause investigation.

Prerequisites

  • System and application logs accessible in ${CLAUDE_SKILL_DIR}/logs/ (auth logs, web server logs, database access logs)
  • Network traffic captures (PCAP) or SIEM alert exports available
  • Incident response team contact information and escalation paths documented
  • Backup systems operational and recovery procedures tested
  • Write permissions for incident documentation in ${CLAUDE_SKILL_DIR}/incidents/
  • Forensic tools available: Volatility (memory), Autopsy/FTK Imager (disk), tcpdump/Wireshark (network)

Instructions

  1. Classify the incident: determine type (ransomware, data breach, DDoS, phishing, insider threat), assign severity (Critical/High/Medium/Low), and record initial detection timestamp and method.
  2. Scope affected systems: identify all compromised hosts, user accounts, data stores, and network segments. Map the blast radius.
  3. Preserve evidence before any changes: capture memory dumps (volatility -f memdump.raw imageinfo), create disk images, export running process lists (ps auxf), and snapshot network connection state (ss -tulnp).
  4. Collect log evidence: gather authentication logs (successful and failed), application error logs, firewall/IDS alerts, DNS query logs, and proxy server logs. Store originals in ${CLAUDE_SKILL_DIR}/incidents/evidence/.
  5. Contain the threat: isolate affected systems from the network, disable compromised accounts, block malicious IPs at the firewall, and revoke compromised API keys or tokens.
  6. Investigate and reconstruct timeline: identify initial access vector, map lateral movement, determine data exfiltration scope, locate persistence mechanisms (cron jobs, startup scripts, web shells), and document all IOCs (IPs, hashes, domains, file paths).
  7. Eradicate the threat: remove malware and backdoors, patch exploited vulnerabilities, reset all potentially compromised credentials, and update firewall rules.
  8. Recover operations: restore from verified clean backups, rebuild compromised systems from hardened images, validate system integrity, and monitor for reinfection with heightened alerting.
  9. Document the incident: produce a comprehensive report at ${CLAUDE_SKILL_DIR}/incidents/incident-YYYYMMDD-HHMM.md containing executive summary, detailed timeline, root cause analysis, IOC list, and lessons learned.
  10. Create remediation backlog: list all follow-up actions (patch gaps, monitoring improvements, policy changes) with owners and deadlines.

See ${CLAUDE_SKILL_DIR}/references/implementation.md for the seven-phase implementation workflow.

Output

  • Incident Report: ${CLAUDE_SKILL_DIR}/incidents/incident-YYYYMMDD-HHMM.md with timeline, root cause, IOCs, and impact assessment
  • IOC List: machine-readable indicators (IP addresses, file hashes, domains, YARA rules)
  • After-Action Review: lessons learned, process gaps, and recommended improvements
  • Remediation Backlog: prioritized follow-up tasks with owners and deadlines

Error Handling

ErrorCauseSolution
Critical logs missing from ${CLAUDE_SKILL_DIR}/logs/Log rotation, deletion, or attacker tamperingWork with available data; note gaps; improve logging retention for future incidents
System state modified before evidence collectionFirst responder made changes before forensic captureDocument contamination; collect remaining evidence; prioritize network and SIEM logs
Attacker still has active access during investigationOngoing compromise detectedPrioritize containment over investigation; implement emergency network isolation
Permission denied accessing system memoryInsufficient forensic tool privilegesEscalate to obtain root/admin access; fall back to available log and network data
Backups encrypted or corrupted by ransomwareAttacker targeted backup infrastructureIdentify offline/air-gapped backups; assess rebuild-from-scratch feasibility

Examples

  • "Credential stuffing detected. Use logs in ${CLAUDE_SKILL_DIR}/logs/ to triage the incident, scope affected accounts, and propose containment steps."
  • "Create an incident response plan for a suspected data breach: list evidence to collect, containment actions, and notification requirements."
  • "Investigate a web shell found at /var/www/html/uploads/cmd.php. Trace the initial access vector, identify persistence mechanisms, and produce an IOC list."

Resources

Stats
Stars1676
Forks210
Last CommitMar 11, 2026

Similar Skills