CtrlK
BlogDocsLog inGet started
Tessl Logo

building-incident-response-playbook

Designs and documents structured incident response playbooks that define step-by-step procedures for specific incident types aligned with NIST SP 800-61r3 and SANS PICERL frameworks. Covers playbook structure, decision trees, escalation criteria, RACI matrices, and integration with SOAR platforms. Activates for requests involving IR playbook creation, incident response procedure documentation, response runbook development, or SOAR playbook design.

72

Quality

Does it follow best practices?

Impact

No eval scenarios have been run

SecuritybySnyk

Advisory

Suggest reviewing before use

SKILL.md
Quality
Evals
Security

Quality

Content

77%

Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.

The content is highly actionable with executable containment commands and a well-sequenced, validated workflow, but it is padded with concept/tool explanations Claude already knows and fails to point to the provided bundle files. Tightening the explanatory sections and linking the references would raise the score.

Suggestions

Remove or shrink the 'Key Concepts' table and the descriptive blurbs in 'Tools & Systems', keeping only what Claude would not already know.

Add one-level-deep pointers to the bundle, e.g. 'API code for TheHive/XSOAR/Splunk SOAR: see [references/api-reference.md]' and 'Programmatic playbook builder: see [scripts/agent.py]'.

Add an explicit validate→fix→retry feedback loop for destructive containment steps (isolation, DNS blocking, account disabling) beyond the single verify command.

DimensionReasoningScore

Conciseness

Mostly efficient and action-oriented, but the 'Key Concepts' table defines basic terms (RACI Matrix, Decision Tree) and the 'Tools & Systems' section includes descriptive padding Claude already knows, so it could be tightened.

2 / 3

Actionability

Step 4 provides copy-paste-ready executable commands (ssh, echo zone block, rndc reload, dig verification) and concrete CrowdStrike Falcon UI steps, matching the fully-executable anchor.

3 / 3

Workflow Clarity

A clear six-step sequence is present with validation checkpoints (e.g., 'Verify: dig @dns-primary evil.com', 'Verify containment: Host should show Contained status badge') and a test/maintain step, so the destructive-operation cap does not apply.

3 / 3

Progressive Disclosure

Bundle files references/api-reference.md and scripts/agent.py exist but are never signposted from the body, and the SKILL.md is a fairly monolithic wall of templates — references present but not clearly signaled.

2 / 3

Total

10

/

12

Passed

Description

100%

Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.

The description is third-person, concise, and clearly states both the capability and explicit activation triggers with concrete artifacts. It is a strong, well-scoped skill description with no notable weaknesses.

DimensionReasoningScore

Specificity

Lists multiple concrete actions and artifacts — 'Designs and documents structured incident response playbooks', 'decision trees, escalation criteria, RACI matrices, and integration with SOAR platforms' — matching the anchor for listing several specific concrete actions.

3 / 3

Completeness

Clearly answers both what ('Designs and documents structured incident response playbooks...') and when ('Activates for requests involving...'), providing an explicit trigger clause equivalent to 'Use when'.

3 / 3

Trigger Term Quality

Explicit trigger terms a user would naturally say are present: 'IR playbook creation', 'incident response procedure documentation', 'response runbook development', and 'SOAR playbook design', giving good coverage of natural phrasings.

3 / 3

Distinctiveness Conflict Risk

The niche of building IR playbooks with SOAR integration and NIST/SANS framing is specific and unlikely to conflict with generic incident-response or runbook skills.

3 / 3

Total

12

/

12

Passed

Validation

93%

Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.

Validation15 / 16 Passed

Validation for skill structure

CriteriaDescriptionResult

frontmatter_unknown_keys

Unknown frontmatter key(s) found; consider removing or moving to metadata

Warning

Total

15

/

16

Passed

Repository
mukul975/Anthropic-Cybersecurity-Skills
Reviewed

Table of Contents

Is this your skill?

If you maintain this skill, you can claim it as your own. Once claimed, you can manage eval scenarios, bundle related skills, attach documentation or rules, and ensure cross-agent compatibility.