SI
Security Incident Response
🔵 Stable🕐 updated 2026-07-01
🔷 SkillSpec L3
pm-security
Run or document a security incident response — contain, eradicate, recover, and learn. Use when responding to a breach/compromise/security incident, writing an IR plan or runbook, or producing a post-incident report. Produces a phase-by-phase response (triage, contain, eradicate, recover, post-incident) with the immediate actions, comms, evidence-handling, and a blameless review. For incidents on systems you own or defend.
What to give it
▸What's happening — the observed incident (malware, unauthorized access, data exfiltration, ransomware, account compromise), and how it was detected.
▸Scope so far — affected systems/accounts/data, whether it's ongoing, entry point if known.
▸Environment & stakes — what's at risk (PII, funds, availability), regulatory/notification obligations.
▸Resources — who's responding, tooling/access available, and any IR plan already in place.
✅ The bar it holds itself to
Every skill in this library self-verifies — these are this skill's own quality checks, straight from its definition.
✓Severity is classified and an incident lead + running timeline are established first
✓Containment preserves evidence (snapshots/logs) before eradication/wiping
✓Eradication addresses the root cause and rotates all potentially exposed credentials
✓Recovery restores from known-good with heightened monitoring
✓Communications cover internal, customer, and regulatory/breach-notification duties with timing
✓The post-incident review is blameless and produces concrete prevention action items
⚠️ What it refuses to do
Do not wipe/rebuild before preserving forensic evidence — you lose the ability to understand the breach
Do not skip credential rotation — attackers persist via stolen keys/tokens
Do not go quiet on comms — silence with customers/regulators creates legal and trust damage
Do not blame individuals in the review — blameless analysis surfaces the real systemic causes
Do not declare "recovered" without monitoring for re-compromise
Install
npx pm-claude-skills add --agent claude # or codex · cursor · gemini · hermes
# or one-line MCP (every skill, any client):
claude mcp add pm-skills -- npx -y pm-claude-skills-mcp
Related skills
🔌 Embed this skill
Drop this on your blog, docs, or site — it renders a "Run this skill" card:
<div data-pm-skill="security-incident-response"></div>
<script src="https://mohitagw15856.github.io/pm-claude-skills/embed.js" async></script>
💬 Discussion
Security Incident Response is one of 599 open-source professional AI agent skills — all SkillSpec L3.
Try them all in the browser · ⭐ Star on GitHub · Browse the full catalog