Designs and documents structured incident response playbooks that define step-by-step procedures for specific incident types aligned with NIST SP 800-61r3 and SANS PICERL frameworks. Covers playbook structure, decision trees, escalation criteria, RACI matrices, and integration with SOAR platforms. Activates for requests involving IR playbook creation, incident response procedure documentation, response runbook development, or SOAR playbook design.
90
88%
Does it follow best practices?
Impact: Pending. No eval scenarios have been run.
Advisory: Suggest reviewing before use.
Quality
Discovery
100%
Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.
This is an excellent skill description that clearly articulates specific capabilities, includes explicit trigger conditions, and occupies a well-defined niche. It uses third person voice throughout, lists concrete deliverables (decision trees, RACI matrices, escalation criteria), and provides an explicit 'Activates for...' clause covering natural user request variations. The description is concise yet comprehensive.
| Dimension | Reasoning | Score |
|---|---|---|
| Specificity | Lists multiple specific concrete actions: 'designs and documents structured incident response playbooks', 'step-by-step procedures', 'playbook structure, decision trees, escalation criteria, RACI matrices, and integration with SOAR platforms'. Very detailed and actionable. | 3 / 3 |
| Completeness | Clearly answers both 'what' (designs/documents incident response playbooks covering structure, decision trees, escalation criteria, RACI matrices, SOAR integration) and 'when' ('Activates for requests involving IR playbook creation, incident response procedure documentation, response runbook development, or SOAR playbook design'). | 3 / 3 |
| Trigger Term Quality | Includes strong natural keywords users would say: 'IR playbook', 'incident response procedure', 'response runbook', 'SOAR playbook', 'NIST SP 800-61r3', 'SANS PICERL', 'escalation criteria', 'decision trees', 'RACI matrices'. Good coverage of both formal framework terms and practical terms. | 3 / 3 |
| Distinctiveness Conflict Risk | Highly distinctive niche focused specifically on incident response playbook creation and documentation. The combination of NIST/SANS frameworks, SOAR integration, and playbook-specific artifacts like decision trees and RACI matrices makes it clearly distinguishable from general security or documentation skills. | 3 / 3 |
| Total | 12 / 12 Passed | |
Implementation
77%
Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.
This is a strong, highly actionable skill that provides concrete templates, decision trees, tool-specific commands, and a clear end-to-end workflow for building IR playbooks. Its main weaknesses are moderate verbosity—particularly the glossary of terms Claude already knows and the tools descriptions—and the monolithic structure that could benefit from splitting detailed reference material into separate files. Overall, it would serve Claude well in producing quality IR playbooks.
Suggestions
Remove or significantly trim the Key Concepts glossary table—Claude already knows these standard IR/security terms.
Move the detailed playbook template (Step 2) and tool-specific procedures (Step 4) into separate referenced files to improve progressive disclosure and reduce the main file's token footprint.
Trim the Tools & Systems section to just tool names and their primary use case, removing marketing descriptions like '700+ integrations' and '2,800+ automated actions.'
| Dimension | Reasoning | Score |
|---|---|---|
| Conciseness | The skill is fairly comprehensive but includes some content Claude already knows, such as the Key Concepts glossary defining basic terms like 'Playbook,' 'RACI Matrix,' and 'Decision Tree.' The Tools & Systems section also provides marketing-style descriptions that add little actionable value. However, the core workflow content is reasonably efficient. | 2 / 3 |
| Actionability | The skill provides highly concrete, executable guidance throughout: specific tool commands (CrowdStrike containment steps, DNS blocking commands with exact syntax), a complete playbook template structure, detailed decision trees with specific SLA times, a filled-out RACI matrix example, and a complete output format. The technical procedures in Step 4 are copy-paste ready. | 3 / 3 |
| Workflow Clarity | The six-step workflow is clearly sequenced from scoping through testing/maintenance. Decision trees provide explicit binary branching with defined outcomes. Escalation criteria are specific and conditional. Step 6 includes validation through tabletop exercises, live-fire testing, and post-incident review cycles, creating proper feedback loops for this type of procedural document creation. | 3 / 3 |
| Progressive Disclosure | The content is well-structured with clear sections and headers, but it's a monolithic document that could benefit from splitting detailed content (e.g., the full playbook template, tool-specific procedures, common scenarios) into separate referenced files. At ~200+ lines, the inline detail for the template structure, decision trees, and scenario walkthrough could be externalized with clear navigation links. | 2 / 3 |
| Total | 10 / 12 Passed | |
Validation
90%
Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.
Validation — 10 / 11 Passed
Validation for skill structure
| Criteria | Description | Result |
|---|---|---|
| frontmatter_unknown_keys | Unknown frontmatter key(s) found; consider removing or moving to metadata | Warning |
| Total | 10 / 11 Passed | |
888bbe4