incident-triage

Guide rapid triage and initial response to security incidents following NIST SP 800-61 methodology. Use when the user mentions 'incident response,' 'security incident,' 'triage,' 'we've been hacked,' 'breach,' 'compromised,' 'malware detected,' 'suspicious activity,' 'IOC,' 'indicators of compromise,' or needs help handling a security event.

Quality

83%

Does it follow best practices?

Impact

—

No eval scenarios have been run

Securityby

Advisory

Suggest reviewing before use

Quality

Content

77%

Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.

This is a strong, actionable incident response skill with a well-sequenced workflow and concrete, executable commands. Its main weaknesses are moderate verbosity (especially the cross-references block and some classifications Claude already knows) and a monolithic structure that could benefit from splitting detailed reference material into separate files. The output template and boundaries section are excellent additions that make this highly practical.

Suggestions

Trim the cross-references into a compact bullet list or table rather than a dense paragraph, and move detailed classification lists (malware subtypes, severity definitions) to a separate reference file since Claude already understands these concepts.

Remove explanatory parentheticals like '(most volatile first)' and category examples that Claude already knows (e.g., 'ransomware, trojan, worm, cryptominer') to improve token efficiency.

Dimension	Reasoning	Score
Conciseness	The cross-references paragraph at the top is verbose and could be a compact list. The priorities section and some explanations (e.g., what malware types are, what IOC types mean) explain things Claude already knows. However, the core workflow steps are reasonably tight and the tables/commands are efficient.	2 / 3
Actionability	Provides fully executable bash commands for evidence collection on both Linux and Windows, specific containment actions by category, a complete output template with tables and checklists, and concrete IOC extraction guidance. The skill is copy-paste ready for real incident response.	3 / 3
Workflow Clarity	The 5-step workflow is clearly sequenced with logical ordering (classify → contain → preserve → analyze → extract IOCs). Critical validation checkpoints are present (e.g., 'Do NOT power off systems,' volatility ordering for evidence, escalation checklist). The output format includes status tracking and checklists for verification.	3 / 3
Progressive Disclosure	The cross-references mention many related skills (disk-forensics, siem-detection, etc.) but none are actual files in a bundle. The content is somewhat monolithic — the output template, IOC table, and evidence commands could be split into referenced files. However, the sections are well-organized with clear headers.	2 / 3
	Total	10 / 12 Passed

Description

89%

Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.

This is a strong skill description with excellent trigger term coverage and completeness, clearly answering both what the skill does and when to use it. The main weakness is that the 'what' portion could be more specific about the concrete actions performed beyond 'triage and initial response.' The NIST SP 800-61 reference and extensive trigger terms make it highly distinctive and unlikely to conflict with other skills.

Suggestions

Expand the capability description with more concrete actions, e.g., 'classify incident severity, identify indicators of compromise, recommend containment strategies, document incident timelines' to improve specificity.

Dimension	Reasoning	Score
Specificity	The description names the domain (security incidents) and mentions specific actions like 'rapid triage' and 'initial response,' and references a specific methodology (NIST SP 800-61). However, it doesn't list multiple concrete actions beyond triage and initial response — it lacks specifics like 'classify severity levels, document indicators of compromise, recommend containment steps.'	2 / 3
Completeness	Clearly answers both 'what' (guide rapid triage and initial response to security incidents following NIST SP 800-61) and 'when' (explicit 'Use when...' clause with a comprehensive list of trigger scenarios).	3 / 3
Trigger Term Quality	Excellent coverage of natural trigger terms users would actually say: 'incident response,' 'security incident,' 'triage,' 'we've been hacked,' 'breach,' 'compromised,' 'malware detected,' 'suspicious activity,' 'IOC,' 'indicators of compromise,' and 'security event.' These span both technical and colloquial language.	3 / 3
Distinctiveness Conflict Risk	The description carves out a clear niche — security incident triage and initial response using NIST SP 800-61. The specific trigger terms like 'IOC,' 'breach,' 'we've been hacked,' and the NIST methodology reference make it highly distinguishable from general security or IT skills.	3 / 3
	Total	11 / 12 Passed

Validation

90%

Warnings & errors only

Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.

Validation — 10 / 11 Passed

Validation for skill structure

Criteria	Description	Result
allowed_tools_field	'allowed-tools' contains unusual tool name(s)	Warning

	Total	10 / 11 Passed

Repository: briiirussell/cybersecurity-skills
Commit: c9ade03

Reviewed: 27 days ago

Table of Contents

Discovery Implementation Validation

Is this your skill?

If you maintain this skill, you can claim it as your own. Once claimed, you can manage eval scenarios, bundle related skills, attach documentation or rules, and ensure cross-agent compatibility.