How does the playbook handle multiple concurrent incidents?

Each incident is processed separately, producing its own ordered timeline and phase summary.

Can I customize phase definitions?

Yes. Follow references/ir-phase-guide.md to map events to phases and adjust as needed, maintaining consistency.

What outputs does it generate?

A deterministic timeline report and a phase-based executive pack suitable for internal and stakeholder audiences.

cyber-ir-playbook

npx machina-cli add skill 0x-Professor/Agent-Skills-Hub/cyber-ir-playbook --openclaw

Files (1)

SKILL.md

932 B

Cyber IR Playbook

Overview

Convert incident events into a standardized response timeline and phase-based report.

Workflow

Ingest incident events with timestamps.
Classify events into detection, containment, eradication, recovery, or post-incident phases.
Build ordered timeline and summarize current phase completion.
Produce a report artifact for internal and executive audiences.

Use Bundled Resources

Run scripts/ir_timeline_report.py to generate a deterministic timeline report.
Read references/ir-phase-guide.md for phase mapping guidance.

Guardrails

Focus on defensive incident handling and post-incident learning.
Do not provide offensive exploitation instructions.

Source

git clone https://github.com/0x-Professor/Agent-Skills-Hub/blob/main/skills/cyber-ir-playbook/SKILL.mdView on GitHub

Overview

Transforms incident events into a standardized response timeline and phase-based report. It enables detection-to-recovery reporting, phase tracking, and stakeholder-ready summaries of incident status.

How This Skill Works

Ingest incident events with timestamps, classify events into detection, containment, eradication, recovery, or post-incident phases, then build an ordered timeline and summarize current phase completion. Produce a report artifact for internal and executive audiences. Use the bundled resources: run scripts/ir_timeline_report.py for a deterministic timeline and consult references/ir-phase-guide.md for phase mapping guidance.

When to Use It

During an active incident to generate an up-to-date timeline from detection through recovery.
For phase tracking in ongoing response to communicate progress to the team.
To create executive-ready incident summaries for leadership and board.
In post-incident reviews to capture lessons learned and timelines for remediation.
For audits or regulatory reporting requiring standardized, deterministic incident timelines.

Quick Start

Step 1: Ingest incident events with timestamps.
Step 2: Classify events into detection, containment, eradication, recovery, or post-incident.
Step 3: Run scripts/ir_timeline_report.py to generate the deterministic timeline report and accompanying packs.

Best Practices

Ingest all events with precise timestamps to ensure accurate timelines.
Classify consistently using detection, containment, eradication, recovery, and post-incident phases.
Leverage scripts/ir_timeline_report.py to produce deterministic reports.
Refer to references/ir-phase-guide.md for phase mapping guidance.
Keep outputs concise and stakeholder-focused, with phase completion status and next steps.

Example Use Cases

SOC captures a ransomware incident from first alert to full restoration, producing a phase-based report.
Executive brief summarizes a data exfiltration incident with a deterministic timeline.
IR drill generates a timeline report pack for a simulated malware outbreak.
Stakeholders receive a post-incident review with phase-by-phase progress.
Regulatory audit requires a standard incident timeline and phase metrics.

Frequently Asked Questions

Add this skill to your agents