PlaygroundCatalog › Security Incident Response
SI

Security Incident Response

🔵 Stable🕐 updated 2026-07-01 🔷 SkillSpec L3 pm-security

Run or document a security incident response — contain, eradicate, recover, and learn. Use when responding to a breach/compromise/security incident, writing an IR plan or runbook, or producing a post-incident report. Produces a phase-by-phase response (triage, contain, eradicate, recover, post-incident) with the immediate actions, comms, evidence-handling, and a blameless review. For incidents on systems you own or defend.

▶ Run it free — no key needed 📝 Grade your existing draft View SKILL.md ↗

What to give it

What's happening — the observed incident (malware, unauthorized access, data exfiltration, ransomware, account compromise), and how it was detected.
Scope so far — affected systems/accounts/data, whether it's ongoing, entry point if known.
Environment & stakes — what's at risk (PII, funds, availability), regulatory/notification obligations.
Resources — who's responding, tooling/access available, and any IR plan already in place.

✅ The bar it holds itself to

Every skill in this library self-verifies — these are this skill's own quality checks, straight from its definition.

Severity is classified and an incident lead + running timeline are established first
Containment preserves evidence (snapshots/logs) before eradication/wiping
Eradication addresses the root cause and rotates all potentially exposed credentials
Recovery restores from known-good with heightened monitoring
Communications cover internal, customer, and regulatory/breach-notification duties with timing
The post-incident review is blameless and produces concrete prevention action items

⚠️ What it refuses to do

Do not wipe/rebuild before preserving forensic evidence — you lose the ability to understand the breach
Do not skip credential rotation — attackers persist via stolen keys/tokens
Do not go quiet on comms — silence with customers/regulators creates legal and trust damage
Do not blame individuals in the review — blameless analysis surfaces the real systemic causes
Do not declare "recovered" without monitoring for re-compromise

Install

npx pm-claude-skills add --agent claude   # or codex · cursor · gemini · hermes
# or one-line MCP (every skill, any client):
claude mcp add pm-skills -- npx -y pm-claude-skills-mcp

Related skills

🔌 Embed this skill

Drop this on your blog, docs, or site — it renders a "Run this skill" card:

<div data-pm-skill="security-incident-response"></div>
<script src="https://mohitagw15856.github.io/pm-claude-skills/embed.js" async></script>

💬 Discussion

Security Incident Response is one of 599 open-source professional AI agent skills — all SkillSpec L3. Try them all in the browser · ⭐ Star on GitHub · Browse the full catalog