Build structured communication templates for malware incidents including stakeholder notifications, executive briefings, technical advisories, and regulatory disclosures with severity-based escalation procedures.
Works with
AI-first code editor with Composer
Before installing skills in Cursor, ensure your development environment meets these requirements:
node --versionbuilding-malware-incident-communication-templateExecute the skills CLI command in your project's root directory to begin installation:
Fetches building-malware-incident-communication-template from mukul975/Anthropic-Cybersecurity-Skills and configures it for Cursor.
The CLI shows a list of agents. Use arrow keys and space to select Cursor:
Confirm successful installation by checking the skill directory location:
Restart Cursor to activate building-malware-incident-communication-template. Access via /building-malware-incident-communication-template in your agent's command palette.
We perform automated surface-level scans (Gen AI Scanner, Socket, Snyk) during installation. These checks detect common vulnerabilities but do not guarantee complete security. Always review skill source code and verify the publisher's reputation before production use.
Skills execute code in your environment. Always review source, verify the publisher, and test in isolation before production.
Submit your Claude Code skill and start earning
Automate repetitive workflows and reduce manual effort
Example
Generate reports, summarize documents, draft communications
Save 3-5 hours per week on routine tasks
Learn new skills, understand complex topics, get expert guidance
Example
Explain concepts, provide examples, suggest learning resources
Accelerate learning and skill development by 2x
Enhance output quality through reviews, suggestions, and refinements
Example
Review drafts, suggest improvements, catch errors
Improve work quality by 30-40% with less effort
0
total installs
0
this week
8.6K
GitHub stars
0
upvotes
Run in your terminal
0
installs
0
this week
8.6K
stars
| name | building-malware-incident-communication-template |
| description | Build structured communication templates for malware incidents including stakeholder notifications, executive briefings, technical advisories, and regulatory disclosures with severity-based escalation procedures. |
| domain | cybersecurity |
| subdomain | incident-response |
| tags | - incident-communication - malware-response - stakeholder-notification - crisis-communication - executive-briefing - regulatory-disclosure |
| mitre_attack | - T1566 - T1204 - T1027 |
| version | '1.0' |
| author | mahipal |
| license | Apache-2.0 |
| nist_csf | - RS.MA-01 - RS.MA-02 - RS.AN-03 - RC.RP-01 |
Effective communication during malware incidents is critical for coordinated response, stakeholder management, and regulatory compliance. A structured communication framework ensures the right people receive appropriate information at the right time, preventing panic while maintaining transparency. Communication templates should cover internal escalation, executive briefings, technical advisories for IT teams, customer notifications, regulatory disclosures, and media statements. The framework must account for different malware types (ransomware, wiper, trojan, worm) and severity levels that drive escalation speed and audience.
| Severity | Description | Notification Timeline | Audience |
|---|---|---|---|
| P1 - Critical | Ransomware, wiper, or widespread infection affecting business operations | Within 15 minutes | CISO, CEO, Legal, Board (if applicable) |
| P2 - High | Targeted malware on critical systems, data exfiltration suspected | Within 1 hour | CISO, IT Director, Legal |
| P3 - Medium | Contained malware infection, limited spread | Within 4 hours | Security Manager, IT Director |
| P4 - Low | Single endpoint infection, quickly contained | Within 24 hours | Security Team Lead |
| Channel | Use Case | Security Level |
|---|---|---|
| Out-of-band phone calls | Initial critical notifications | Highest |
| Encrypted messaging (Signal) | Real-time IR team coordination | High |
| Secure email (encrypted) | Formal notifications, documentation | High |
| War room (physical/virtual) | Ongoing incident coordination | Medium |
| Incident ticketing system | Status tracking and documentation | Medium |
| Company intranet | Broad employee communication | Standard |
SUBJECT: [SEVERITY] Malware Incident - Initial Notification - [DATE/TIME UTC]
CLASSIFICATION: CONFIDENTIAL - IR TEAM ONLY
INCIDENT ID: IR-[YEAR]-[NUMBER]
DETECTION TIME: [YYYY-MM-DD HH:MM UTC]
NOTIFICATION TIME: [YYYY-MM-DD HH:MM UTC]
SEVERITY: [P1/P2/P3/P4]
SUMMARY:
A malware incident has been detected affecting [NUMBER] systems in
[DEPARTMENT/LOCATION]. The malware has been identified as [TYPE] with
[KNOWN/UNKNOWN] characteristics.
CURRENT IMPACT:
- Systems affected: [COUNT and DESCRIPTION]
- Business functions impacted: [LIST]
- Data at risk: [DESCRIPTION]
- Current spread status: [CONTAINED/SPREADING/UNKNOWN]
IMMEDIATE ACTIONS TAKEN:
1. [ACTION - e.g., Affected endpoints isolated from network]
2. [ACTION - e.g., EDR containment policies activated]
3. [ACTION - e.g., Security team mobilized]
NEXT STEPS:
1. [PLANNED ACTION with TIMELINE]
2. [PLANNED ACTION with TIMELINE]
INCIDENT COMMANDER: [NAME]
CONTACT: [PHONE/ENCRYPTED CHANNEL]
NEXT UPDATE: [TIME] or sooner if situation changes
---
Do not forward this notification outside the IR team.
SUBJECT: Executive Briefing - Malware Incident IR-[YEAR]-[NUMBER]
FOR: [CEO / CISO / CIO / Board]
FROM: [Incident Commander]
DATE: [DATE]
UPDATE: [#]
SITUATION SUMMARY:
[2-3 sentences describing the incident in business terms]
BUSINESS IMPACT:
- Revenue impact: [ESTIMATED/NONE/UNDER ASSESSMENT]
- Operational impact: [DESCRIPTION]
- Customer impact: [DESCRIPTION]
- Regulatory implications: [DESCRIPTION]
CURRENT STATUS: [DETECTED / CONTAINED / ERADICATING / RECOVERING]
KEY DECISIONS NEEDED:
1. [DECISION with context and recommendation]
2. [DECISION with context and recommendation]
TIMELINE:
- [TIME]: Incident detected
- [TIME]: Containment initiated
- [TIME]: [MILESTONE]
- [TIME]: Estimated recovery (if known)
EXTERNAL COMMUNICATION STATUS:
- Regulatory notification: [REQUIRED/SUBMITTED/NOT REQUIRED]
- Customer notification: [REQUIRED/PLANNED/NOT REQUIRED]
- Law enforcement: [ENGAGED/PLANNED/NOT APPLICABLE]
RESOURCE REQUIREMENTS:
- [RESOURCE NEED - e.g., External IR firm engagement]
- [RESOURCE NEED - e.g., Additional hardware for rebuild]
NEXT UPDATE: [TIME]
SUBJECT: TECHNICAL ADVISORY - [MALWARE NAME] - Immediate Action Required
SEVERITY: [CRITICAL/HIGH/MEDIUM]
DATE: [DATE/TIME UTC]
ADVISORY ID: TA-[YEAR]-[NUMBER]
THREAT DESCRIPTION:
[Technical description of the malware, behavior, and indicators]
AFFECTED SYSTEMS:
- Operating Systems: [LIST]
- Applications: [LIST]
- Network segments: [LIST]
INDICATORS OF COMPROMISE (IOCs):
File Hashes:
MD5: [HASH]
SHA256: [HASH]
File Names:
[FILENAME]
Network Indicators:
C2 Domains: [DOMAIN]
C2 IPs: [IP ADDRESS]
User-Agent: [STRING]
Registry Keys:
[REGISTRY PATH]
DETECTION METHODS:
- EDR: [DETECTION RULE/SIGNATURE]
- SIEM: [CORRELATION RULE]
- Network: [IDS/IPS SIGNATURE]
REQUIRED ACTIONS:
Priority 1 (Immediate):
[ ] Block IOCs at firewall/proxy
[ ] Push EDR containment rules
[ ] Scan all endpoints for IOCs
Priority 2 (Within 4 hours):
[ ] Apply patches [KB/CVE NUMBER]
[ ] Update antivirus signatures
[ ] Review logs for historical indicators
Priority 3 (Within 24 hours):
[ ] Conduct enterprise-wide hunt
[ ] Validate backup integrity
[ ] Update detection rules
CONTACT: SOC - [PHONE] | Security Engineering - [PHONE]
[ORGANIZATION LETTERHEAD]
[REGULATORY BODY]
[ADDRESS]
Date: [DATE]
RE: Data Security Incident Notification - [REFERENCE NUMBER]
Dear [TITLE/NAME],
Pursuant to [REGULATION - e.g., GDPR Article 33, State Breach Notification Law],
[ORGANIZATION] is providing notification of a data security incident.
INCIDENT SUMMARY:
On [DATE], [ORGANIZATION] detected a malware incident affecting systems containing
[TYPE OF DATA]. The incident was detected through [DETECTION METHOD].
DATA POTENTIALLY AFFECTED:
- Types of data: [PERSONAL DATA, FINANCIAL, HEALTH, etc.]
- Number of individuals: [COUNT or ESTIMATE]
- Categories of individuals: [CUSTOMERS, EMPLOYEES, etc.]
TIMELINE:
- [DATE]: Incident occurred (estimated)
- [DATE]: Incident detected
- [DATE]: Containment achieved
- [DATE]: This notification
MEASURES TAKEN:
1. [CONTAINMENT ACTION]
2. [INVESTIGATION ACTION]
3. [REMEDIATION ACTION]
MEASURES TO MITIGATE ADVERSE EFFECTS:
1. [MITIGATION - e.g., Credit monitoring offered]
2. [MITIGATION - e.g., Password resets enforced]
CONTACT INFORMATION:
[DPO/PRIVACY OFFICER NAME]
[TITLE]
[EMAIL]
[PHONE]
Respectfully,
[SIGNATORY]
[TITLE]
SUBJECT: Important Security Notice from [ORGANIZATION]
Dear [CUSTOMER/USER],
We are writing to inform you of a security incident that may have affected
your information.
WHAT HAPPENED:
On [DATE], we detected unauthorized activity on our systems involving
malicious software. We immediately activated our incident response procedures
and engaged leading cybersecurity experts to investigate.
WHAT INFORMATION WAS INVOLVED:
Based on our investigation, the following types of information may have
been affected: [LIST - e.g., names, email addresses, etc.]
WHAT WE ARE DOING:
- We have contained the incident and removed the malicious software
- We have engaged [FORENSIC FIRM] to conduct a thorough investigation
- We have enhanced our security controls to prevent similar incidents
- We have notified relevant regulatory authorities
WHAT YOU CAN DO:
- Change your password for your [ORGANIZATION] account
- Enable multi-factor authentication if not already active
- Monitor your accounts for unusual activity
- [Additional specific recommendations]
ADDITIONAL RESOURCES:
- [DEDICATED SUPPORT LINE]
- [FAQ PAGE URL]
- [CREDIT MONITORING ENROLLMENT - if applicable]
We sincerely apologize for any concern this may cause and remain committed
to protecting your information.
[SIGNATORY]
[TITLE]
Malware Detected
|
v
[Classify Severity: P1/P2/P3/P4]
|
|-- P1: Notify within 15 min
| |-- Incident Commander
| |-- CISO (phone call)
| |-- CEO (phone call)
| |-- Legal Counsel
| |-- External IR firm
| |-- Law enforcement (if applicable)
|
|-- P2: Notify within 1 hour
| |-- CISO
| |-- IT Director
| |-- Legal Counsel
|
|-- P3: Notify within 4 hours
| |-- Security Manager
| |-- IT Director
|
|-- P4: Notify within 24 hours
|-- Security Team Lead
Prerequisites
Time Estimate
15-45 minutes depending on use case complexity
Steps
Common Pitfalls
✓ Do
✗ Don't
💡 Pro Tips
✓ Use when
Use when skill capabilities match your task, clear ROI on time saved, and you can validate outputs. Best for repetitive tasks, learning, and quality improvement.
✗ Avoid when
Avoid when task requires deep expertise you can't validate, involves sensitive decisions, or when learning process is more valuable than speed of completion.
mukul975/Anthropic-Cybersecurity-Skills
mukul975/Anthropic-Cybersecurity-Skills
mukul975/Anthropic-Cybersecurity-Skills
mukul975/Anthropic-Cybersecurity-Skills
mukul975/Anthropic-Cybersecurity-Skills
mukul975/Anthropic-Cybersecurity-Skills
I recommend building-malware-incident-communication-template for anyone iterating fast on agent tooling; clear intent and a small, reviewable surface area.
building-malware-incident-communication-template fits our agent workflows well — practical, well scoped, and easy to wire into existing repos.
Solid pick for teams standardizing on skills: building-malware-incident-communication-template is focused, and the summary matches what you get after install.
We added building-malware-incident-communication-template from the explainx registry; install was straightforward and the SKILL.md answered most questions upfront.
Keeps context tight: building-malware-incident-communication-template is the kind of skill you can hand to a new teammate without a long onboarding doc.
Registry listing for building-malware-incident-communication-template matched our evaluation — installs cleanly and behaves as described in the markdown.
building-malware-incident-communication-template fits our agent workflows well — practical, well scoped, and easy to wire into existing repos.
building-malware-incident-communication-template is among the better-maintained entries we tried; worth keeping pinned for repeat workflows.
building-malware-incident-communication-template reduced setup friction for our internal harness; good balance of opinion and flexibility.
Solid pick for teams standardizing on skills: building-malware-incident-communication-template is focused, and the summary matches what you get after install.
showing 1-10 of 42