
responding-to-security-incidents

Assists with security incident response, investigation, and remediation. This skill is triggered when the user requests help with incident response, mentions specific incident types (e.g., data breach, ransomware, DDoS), or uses terms like "incident response plan", "containment", "eradication", or "post-incident activity". It guides the user through the incident response lifecycle, from preparation to post-incident analysis. It is useful for classifying incidents, creating response playbooks, collecting evidence, constructing timelines, and generating remediation steps. Use this skill when needing to respond to a "security incident".

Install with Tessl CLI

npx tessl i github:jeremylongshore/claude-code-plugins-plus-skills --skill responding-to-security-incidents
Overall score: 92 (1.01x)
Quality: 60% (does it follow best practices?)
Impact: 98% (1.01x)
Average score across 9 eval scenarios

Optimize this skill with Tessl

npx tessl skill review --optimize ./backups/skills-migration-20251108-070147/plugins/security/security-incident-responder/skills/security-incident-responder/SKILL.md

Evaluation results

Ransomware Attack Response (scenario score: 100%)
Incident classification and response playbook generation

| Criteria | Without context | With context |
| --- | --- | --- |
| Incident type identified | 100% | 100% |
| Severity assessment | 100% | 100% |
| Scope determination | 100% | 100% |
| Containment phase present | 100% | 100% |
| Containment listed first | 100% | 100% |
| Eradication phase present | 100% | 100% |
| Recovery phase present | 100% | 100% |
| Isolation of affected systems | 100% | 100% |
| Backup restoration mentioned | 100% | 100% |
| Structured playbook format | 100% | 100% |

Without context: $0.2975 · 2m 53s · 13 turns · 14 in / 6,472 out tokens
With context: $0.4620 · 3m 28s · 23 turns · 104 in / 6,779 out tokens

Customer Database Breach Investigation (scenario score: 100%)
Evidence gathering and attack timeline construction

| Criteria | Without context | With context |
| --- | --- | --- |
| Database logs specified | 100% | 100% |
| Network data specified | 100% | 100% |
| Application logs specified | 100% | 100% |
| Evidence preservation guidance | 100% | 100% |
| Legal action consideration | 100% | 100% |
| Timeline structure provided | 100% | 100% |
| Attack vector identification | 100% | 100% |
| Breach scope identification | 100% | 100% |
| Multiple evidence source types | 100% | 100% |
| Forensic handling specifics | 100% | 100% |

Without context: $0.2891 · 2m 49s · 11 turns · 12 in / 5,910 out tokens
With context: $0.4553 · 3m 14s · 20 turns · 21 in / 7,928 out tokens

Post-Incident Wrap-Up After DDoS Attack (scenario score: 95%)
Post-incident reporting, remediation planning, and stakeholder communication

| Criteria | Without context | With context |
| --- | --- | --- |
| Post-incident narrative | 100% | 100% |
| Lessons learned section | 100% | 100% |
| Specific recommendations | 100% | 100% |
| Vulnerability documentation | 100% | 100% |
| Remediation plan | 100% | 100% |
| System restoration addressed | 100% | 100% |
| Stakeholder communication plan | 70% | 80% |
| Multiple stakeholder audiences | 100% | 100% |
| Draft communications included | 100% | 90% |
| Prioritized remediation actions | 100% | 100% |
| Ongoing communication addressed | 75% | 75% |

Without context: $0.2675 · 2m 32s · 8 turns · 9 in / 5,969 out tokens
With context: $0.4615 · 3m 38s · 19 turns · 52 in / 8,584 out tokens

DDoS Attack on E-Commerce Checkout Service (scenario score: 100%)
DDoS attack classification and response

| Criteria | Without context | With context |
| --- | --- | --- |
| DDoS type identified | 100% | 100% |
| Severity assessment present | 100% | 100% |
| Scope determination | 100% | 100% |
| Containment phase listed first | 100% | 100% |
| DDoS-specific containment actions | 100% | 100% |
| Recovery phase present | 100% | 100% |
| Network traffic logs identified | 100% | 100% |
| Evidence preservation mentioned | 100% | 100% |
| Stakeholder notification addressed | 100% | 100% |
| Playbook structure | 100% | 100% |
| No backup restoration focus | 100% | 100% |

Without context: $0.2333 · 2m 51s · 13 turns · 13 in / 4,731 out tokens
With context: $0.4427 · 3m 29s · 22 turns · 103 in / 6,459 out tokens

Suspicious Data Exfiltration by a Departing Employee (scenario score: 89% · 6%)
Insider threat investigation and evidence handling

| Criteria | Without context | With context |
| --- | --- | --- |
| Insider threat classification | 100% | 100% |
| Severity and scope identified | 100% | 100% |
| User activity logs specified | 100% | 100% |
| Multiple evidence source types | 100% | 100% |
| Legal/HR evidence preservation | 100% | 100% |
| Evidence not destroyed before preservation | 100% | 100% |
| Timeline construction | 55% | 88% |
| Scope of exfiltration determination | 100% | 100% |
| HR and legal differentiated communication | 88% | 100% |
| Containment before full response | 55% | 55% |
| Post-investigation remediation mentioned | 0% | 25% |

Without context: $0.2355 · 2m 31s · 8 turns · 9 in / 5,908 out tokens
With context: $0.4614 · 4m · 21 turns · 54 in / 8,319 out tokens

Building an Incident Response Preparedness Program (scenario score: 100%)
Incident response lifecycle preparedness planning

| Criteria | Without context | With context |
| --- | --- | --- |
| Severity classification framework | 100% | 100% |
| Multiple incident type playbooks | 100% | 100% |
| Containment-first ordering | 100% | 100% |
| Incident type and scope classification step | 100% | 100% |
| Evidence collection guidance | 100% | 100% |
| Evidence preservation instructions | 100% | 100% |
| Multi-audience communication plan | 100% | 100% |
| Ongoing communication addressed | 100% | 100% |
| Post-incident review process | 100% | 100% |
| Full lifecycle coverage | 100% | 100% |
| Structured navigable format | 100% | 100% |

Without context: $0.3936 · 3m 57s · 16 turns · 2,814 in / 7,529 out tokens
With context: $0.5773 · 5m 17s · 24 turns · 24 in / 10,279 out tokens

Corporate Phishing Campaign Response (scenario score: 100%)
Phishing attack classification and evidence-driven timeline

| Criteria | Without context | With context |
| --- | --- | --- |
| Phishing type identified | 100% | 100% |
| Severity level assigned | 100% | 100% |
| Scope of affected accounts identified | 100% | 100% |
| Containment phase listed first | 100% | 100% |
| Phishing-appropriate containment actions | 100% | 100% |
| Eradication phase present | 100% | 100% |
| Recovery phase present | 100% | 100% |
| Email logs as evidence source | 100% | 100% |
| Authentication logs as evidence source | 100% | 100% |
| Timeline construction guidance | 100% | 100% |
| Evidence preservation for legal action | 100% | 100% |

Without context: $0.2920 · 2m 32s · 14 turns · 56 in / 5,676 out tokens
With context: $0.4858 · 3m 57s · 22 turns · 22 in / 8,215 out tokens

Third-Party Software Component Compromise (scenario score: 100%)
Remediation planning and vulnerability documentation post-incident

| Criteria | Without context | With context |
| --- | --- | --- |
| Vulnerability documentation | 100% | 100% |
| Concrete remediation steps | 100% | 100% |
| Prioritized ordering of remediation | 100% | 100% |
| System restoration guidance | 100% | 100% |
| Hardening recommendations | 100% | 100% |
| Post-remediation validation | 100% | 100% |
| Systemic supply chain improvements | 100% | 100% |
| Secrets rotation addressed | 100% | 100% |
| Multiple affected services addressed | 100% | 100% |
| No vague recovery-only language | 100% | 100% |

Without context: $0.2244 · 2m 29s · 9 turns · 10 in / 4,429 out tokens
With context: $0.5796 · 4m 57s · 24 turns · 24 in / 9,220 out tokens

Security Operations Center Incident Response Coordination Plan (scenario score: 98% · 10%)
Security tool integration and incident task assignment

| Criteria | Without context | With context |
| --- | --- | --- |
| Security tool references | 100% | 100% |
| SIEM tool assigned to a task | 100% | 100% |
| Threat intelligence integration | 70% | 100% |
| Role-based task assignments | 100% | 100% |
| Phase-based task organization | 50% | 75% |
| Containment tasks assigned first | 75% | 100% |
| Expected deliverables per task | 100% | 100% |
| Multi-audience communication plan | 100% | 100% |
| Communication responsibility assigned | 100% | 100% |
| Prioritized first 30 minutes | 70% | 100% |

Without context: $0.1537 · 2m 29s · 8 turns · 9 in / 3,338 out tokens
With context: $0.3768 · 3m 9s · 19 turns · 19 in / 5,708 out tokens

Evaluated with agent: Claude Code; model: Claude Sonnet 4.6
