Designs and documents structured incident response playbooks that define step-by-step procedures for specific incident types aligned with NIST SP 800-61r3 and SANS PICERL frameworks. Covers playbook structure, decision trees, escalation criteria, RACI matrices, and integration with SOAR platforms. Activates for requests involving IR playbook creation, incident response procedure documentation, response runbook development, or SOAR playbook design.
90
88%
Does it follow best practices?
Impact
Pending
No eval scenarios have been run
Advisory
Suggest reviewing before use
Quality
Discovery
100%
Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.
This is an excellent skill description that clearly defines its scope, lists concrete capabilities, and provides explicit activation triggers. It uses appropriate third-person voice throughout and covers both the 'what' and 'when' comprehensively. The domain-specific terminology is well-chosen and would naturally match user requests in this space.
| Dimension | Reasoning | Score |
|---|---|---|
| Specificity | Lists multiple specific concrete actions: 'designs and documents structured incident response playbooks', 'step-by-step procedures', 'playbook structure, decision trees, escalation criteria, RACI matrices, and integration with SOAR platforms'. Very detailed and actionable. | 3 / 3 |
| Completeness | Clearly answers both 'what' (designs/documents incident response playbooks covering structure, decision trees, escalation criteria, RACI matrices, SOAR integration) and 'when' ('Activates for requests involving IR playbook creation, incident response procedure documentation, response runbook development, or SOAR playbook design'). | 3 / 3 |
| Trigger Term Quality | Includes strong natural keywords users would say: 'IR playbook', 'incident response procedure', 'response runbook', 'SOAR playbook', 'NIST SP 800-61r3', 'SANS PICERL', 'escalation criteria', 'RACI matrices', 'decision trees'. Good coverage of both formal framework terms and practical terms. | 3 / 3 |
| Distinctiveness Conflict Risk | Highly distinctive niche focused specifically on incident response playbook creation and documentation. The combination of NIST/SANS frameworks, SOAR integration, and playbook-specific terminology makes it very unlikely to conflict with other security or documentation skills. | 3 / 3 |
| Total | 12 / 12 Passed | |
Implementation
77%
Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.
This is a strong, highly actionable skill that provides concrete templates, decision trees, tool-specific commands, and a complete output format for building IR playbooks. Its main weaknesses are moderate verbosity—particularly the glossary of terms Claude already knows and the tools descriptions—and the lack of progressive disclosure for a document of this length. The workflow is well-sequenced with appropriate validation checkpoints throughout.
Suggestions
Remove or significantly trim the Key Concepts glossary table—Claude already knows these terms and definitions consume tokens without adding actionable value.
Move the Tools & Systems section and Common Scenarios into separate reference files (e.g., TOOLS.md, EXAMPLES.md) and link to them from the main skill to improve progressive disclosure.
| Dimension | Reasoning | Score |
|---|---|---|
| Conciseness | The skill is fairly comprehensive but includes some content Claude already knows, such as the Key Concepts glossary defining basic terms like 'Playbook,' 'RACI Matrix,' and 'Decision Tree.' The Tools & Systems section also provides marketing-style descriptions that add little actionable value. However, the core workflow content is reasonably efficient. | 2 / 3 |
| Actionability | The skill provides highly concrete, executable guidance throughout: specific playbook templates with exact fields, decision trees with binary outcomes and SLA timelines, tool-specific containment commands (CrowdStrike Falcon steps, DNS blocking with exact shell commands), and a complete output format with RACI matrix example. The phishing scenario walkthrough is step-by-step and practical. | 3 / 3 |
| Workflow Clarity | The six-step workflow is clearly sequenced from scoping through testing/maintenance. Decision trees provide explicit branching logic with validation at each point. Step 6 includes testing and maintenance as validation checkpoints. The containment procedures include verification steps (e.g., 'Verify containment: Host should show Contained status badge,' 'Verify: dig @dns-primary evil.com'). The escalation criteria define clear feedback loops. | 3 / 3 |
| Progressive Disclosure | The content is well-structured with clear headers and logical sections, but it's a monolithic document with no references to external files for detailed content. The Tools & Systems section, Key Concepts glossary, and detailed scenario could be split into separate reference files. For a skill of this length (~200+ lines), some progressive disclosure to supplementary files would improve navigability. | 2 / 3 |
| Total | 10 / 12 Passed | |
Validation
90%
Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.
Validation — 10 / 11 Passed
Validation for skill structure
| Criteria | Description | Result |
|---|---|---|
| frontmatter_unknown_keys | Unknown frontmatter key(s) found; consider removing or moving to metadata | Warning |
| Total | 10 / 11 Passed | |
c15f73d