Performs initial triage of security incidents to determine severity, scope, and required response actions using the NIST SP 800-61r3 and SANS PICERL frameworks. Classifies incidents by type, assigns priority based on business impact, and routes to appropriate response teams. Activates for requests involving incident triage, security alert classification, severity assessment, incident prioritization, or initial incident analysis.
Works with
AI-first code editor with Composer
Before installing skills in Cursor, ensure your development environment meets these requirements:
node --versiontriaging-security-incidentExecute the skills CLI command in your project's root directory to begin installation:
Fetches triaging-security-incident from mukul975/Anthropic-Cybersecurity-Skills and configures it for Cursor.
The CLI shows a list of agents. Use arrow keys and space to select Cursor:
Confirm successful installation by checking the skill directory location:
Restart Cursor to activate triaging-security-incident. Access via /triaging-security-incident in your agent's command palette.
We perform automated surface-level scans (Gen AI Scanner, Socket, Snyk) during installation. These checks detect common vulnerabilities but do not guarantee complete security. Always review skill source code and verify the publisher's reputation before production use.
Skills execute code in your environment. Always review source, verify the publisher, and test in isolation before production.
Submit your Claude Code skill and start earning
Automate repetitive workflows and reduce manual effort
Example
Generate reports, summarize documents, draft communications
Save 3-5 hours per week on routine tasks
Learn new skills, understand complex topics, get expert guidance
Example
Explain concepts, provide examples, suggest learning resources
Accelerate learning and skill development by 2x
Enhance output quality through reviews, suggestions, and refinements
Example
Review drafts, suggest improvements, catch errors
Improve work quality by 30-40% with less effort
0
total installs
0
this week
8.6K
GitHub stars
0
upvotes
Run in your terminal
0
installs
0
this week
8.6K
stars
| name | triaging-security-incident |
| description | 'Performs initial triage of security incidents to determine severity, scope, and required response actions using the NIST SP 800-61r3 and SANS PICERL frameworks. Classifies incidents by type, assigns priority based on business impact, and routes to appropriate response teams. Activates for requests involving incident triage, security alert classification, severity assessment, incident prioritization, or initial incident analysis. ' |
| domain | cybersecurity |
| subdomain | incident-response |
| tags | - incident-triage - NIST-800-61 - SANS-PICERL - severity-classification - SOC-operations |
| mitre_attack | - T1190 - T1566 - T1078 - T1059 |
| version | 1.0.0 |
| author | mahipal |
| license | Apache-2.0 |
| d3fend_techniques | - Executable Denylisting - Execution Isolation - File Metadata Consistency Validation - Content Format Conversion - File Content Analysis |
| nist_csf | - RS.MA-01 - RS.MA-02 - RS.AN-03 - RC.RP-01 |
Do not use for routine vulnerability scanning results or compliance audit findings that do not represent active security incidents.
Gather all available context from the triggering alert before making classification decisions:
Example SIEM alert context:
Source: CrowdStrike Falcon
Detection: Suspicious PowerShell Execution (T1059.001)
Host: WORKSTATION-FIN-042
User: [email protected]
Timestamp: 2025-11-15T14:23:17Z
Severity: High (detection rule confidence: 92%)
Process: powershell.exe -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoA...
Parent: outlook.exe (PID 4812)
Map the alert to a standard incident category per NIST SP 800-61r3:
| Category | Examples |
|---|---|
| Unauthorized Access | Compromised credentials, privilege escalation, IDOR |
| Denial of Service | Volumetric DDoS, application-layer flood, resource exhaustion |
| Malicious Code | Malware execution, ransomware detonation, cryptominer |
| Improper Usage | Policy violation, insider data exfiltration, shadow IT |
| Reconnaissance | Port scanning, directory enumeration, credential spraying |
| Web Application Attack | SQL injection, XSS, SSRF exploitation |
Calculate severity by combining asset criticality with threat severity:
Severity = f(Asset Criticality, Threat Type, Data Sensitivity, Lateral Movement Potential)
Critical (P1): Crown jewel systems compromised, active data exfiltration, ransomware spreading
High (P2): Production system compromise, confirmed malware execution, privileged account takeover
Medium (P3): Non-production compromise, unsuccessful exploitation attempt, single endpoint malware
Low (P4): Reconnaissance activity, policy violation, benign true positive
Response SLA targets:
Before escalation, enrich the alert with contextual data:
Create a structured triage record and route to the appropriate response tier:
Incident Triage Record
━━━━━━━━━━━━━━━━━━━━━
Ticket ID: INC-2025-1547
Triage Analyst: [analyst name]
Triage Time: 2025-11-15T14:35:00Z (12 min from alert)
Classification: Malicious Code - Macro-based initial access
Severity: P2 - High
Affected Assets: WORKSTATION-FIN-042 (Finance dept, handles PII)
Affected Users: [email protected]
IOCs Identified: powershell.exe spawned by outlook.exe, encoded command
TI Matches: Base64 payload matches known Qakbot loader pattern
Escalation: Tier 2 - Malware IR team
Recommended: Isolate endpoint, preserve memory dump, block sender domain
If severity is P1 or P2, initiate immediate containment actions while awaiting full investigation:
| Term | Definition |
|---|---|
| Triage | Rapid assessment process to classify and prioritize security incidents based on severity and business impact |
| PICERL | SANS incident response framework: Preparation, Identification, Containment, Eradication, Recovery, Lessons Learned |
| Dwell Time | Duration between initial compromise and detection; average is 10 days per Mandiant M-Trends 2025 |
| True Positive Rate | Percentage of alerts from a detection rule that represent genuine security incidents |
| Crown Jewel Assets | Systems and data critical to business operations whose compromise would cause severe organizational impact |
| Alert Fatigue | Degraded analyst performance caused by high volumes of low-fidelity or false-positive alerts |
| Mean Time to Acknowledge (MTTA) | Average time from alert generation to analyst acknowledgment; key SOC performance metric |
Context: SOC analyst receives a P2 alert showing powershell.exe with a Base64-encoded command spawned as a child process of outlook.exe on a finance department workstation.
Approach:
Pitfalls:
INCIDENT TRIAGE REPORT
======================
Ticket: INC-[YYYY]-[NNNN]
Date/Time: [ISO 8601 timestamp]
Triage Analyst: [Name]
Time to Triage: [minutes from alert to classification]
CLASSIFICATION
Type: [NIST category]
Severity: [P1-P4] - [Critical/High/Medium/Low]
Confidence: [High/Medium/Low]
MITRE ATT&CK: [Technique ID and name]
AFFECTED SCOPE
Assets: [hostname(s), IP(s)]
Users: [account(s)]
Data at Risk: [classification level]
Business Unit: [department]
EVIDENCE SUMMARY
[Bullet list of key observations]
ENRICHMENT RESULTS
TI Matches: [Yes/No - details]
Historical: [Related prior incidents]
Asset Criticality: [rating]
RECOMMENDED ACTIONS
1. [Immediate action]
2. [Investigation step]
3. [Escalation target]
ESCALATION
Routed To: [Team/Individual]
SLA Target: [Containment deadline]
Prerequisites
Time Estimate
15-45 minutes depending on use case complexity
Steps
Common Pitfalls
✓ Do
✗ Don't
💡 Pro Tips
✓ Use when
Use when skill capabilities match your task, clear ROI on time saved, and you can validate outputs. Best for repetitive tasks, learning, and quality improvement.
✗ Avoid when
Avoid when task requires deep expertise you can't validate, involves sensitive decisions, or when learning process is more valuable than speed of completion.
mukul975/Anthropic-Cybersecurity-Skills
mukul975/Anthropic-Cybersecurity-Skills
mukul975/Anthropic-Cybersecurity-Skills
mukul975/Anthropic-Cybersecurity-Skills
mukul975/Anthropic-Cybersecurity-Skills
mukul975/Anthropic-Cybersecurity-Skills
triaging-security-incident has been reliable in day-to-day use. Documentation quality is above average for community skills.
triaging-security-incident fits our agent workflows well — practical, well scoped, and easy to wire into existing repos.
We added triaging-security-incident from the explainx registry; install was straightforward and the SKILL.md answered most questions upfront.
Solid pick for teams standardizing on skills: triaging-security-incident is focused, and the summary matches what you get after install.
triaging-security-incident is among the better-maintained entries we tried; worth keeping pinned for repeat workflows.
triaging-security-incident is among the better-maintained entries we tried; worth keeping pinned for repeat workflows.
triaging-security-incident fits our agent workflows well — practical, well scoped, and easy to wire into existing repos.
triaging-security-incident has been reliable in day-to-day use. Documentation quality is above average for community skills.
triaging-security-incident has been reliable in day-to-day use. Documentation quality is above average for community skills.
Keeps context tight: triaging-security-incident is the kind of skill you can hand to a new teammate without a long onboarding doc.
showing 1-10 of 45