
security-incident-triage
by LocoLoboZ
Professional security incident triage for SOC teams to classify alerts, assess severity, and draft response plans.
- Classify suspected cyber incidents using evidence-based scoring logic.
- Generate incident ticket summaries for SOC and security operations platforms.
- Map detected adversary behavior to MITRE ATT&CK techniques with confidence ratings.
Included in download
- Classify suspected cyber incidents using evidence-based scoring logic.
- Generate incident ticket summaries for SOC and security operations platforms.
- Terminal and network automation included
- Ready for severity scoring
Sample Output
A real example of what this skill produces.
The skill produces a structured triage report classifying the incident as P1 Critical, with the triage structured along NIST SP 800-61 incident-handling guidance and the observed activity mapped to MITRE ATT&CK tactic TA0006 (Credential Access) through techniques T1059.001 (PowerShell) and T1003.001 (LSASS Memory). The report includes a severity assessment with its evidence basis and confidence level, an escalation recommendation targeting the incident commander, an initial action plan covering evidence preservation, endpoint isolation, and threat intelligence enrichment, and a structured incident ticket summary ready for case management import. All assumptions and validation points requiring confirmation are clearly marked. (Note that TA0006 is an ATT&CK tactic identifier, not a NIST SP 800-61 category.)
About This Skill
High-Level Security Triage for SOC & DevOps
This skill provides a structured framework for analyzing security alerts, user reports, and threat intelligence matches. It bridges the gap between raw log data and actionable incident response by automating the initial triage process.
What it does
The skill acts as a virtual SOC Tier 1/2 analyst. It ingests evidence, such as process chains, network connections, and file hashes, and produces a severity-assessed incident report. It prioritizes response efforts, recommends escalation paths, and maps activity to MITRE ATT&CK techniques only where the evidence supports the mapping.
Why use this skill?
- Structured Methodology: Unlike generic AI prompts, this skill follows rigorous defensive security principles, separating confirmed facts from assumptions.
- Tool Agnostic: Works across any EDR, SIEM, or cloud identity platform by requesting specific context when needed.
- Operational Safety: Includes built-in guardrails against providing offensive guidance or recommending destructive containment without authorization.
- Ready for Integration: Produces summaries specifically formatted for incident tickets (Jira, ServiceNow) or executive briefings.
The Result
You receive a comprehensive triage report including a severity rationale, affected scope, evidence summary, and a prioritized initial action plan for your security operations team.
Use Cases
- Classify suspected cyber incidents using evidence-based scoring logic.
- Generate incident ticket summaries for SOC and security operations platforms.
- Map detected adversary behavior to MITRE ATT&CK techniques with confidence ratings.
- Provide prioritized containment recommendations based on asset criticality.
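To make the use cases above concrete, here is an added example of evidence-based triage scoring in Python. It is not the skill's own script or its output. It takes an alert in the shape the page describes (process chain, network connections, file hashes), maps behaviour to MITRE ATT&CK techniques with a confidence rating, derives a severity tier weighted by asset criticality, separates confirmed facts from assumptions that need validation, and emits a JSON triage record. The ATT&CK technique and tactic IDs are real; the weights, thresholds, field names, escalation text and the sample alert are constructed for this example.

```python
"""Illustrative triage scorer (added example, not the skill's own script).
ATT&CK IDs are real; weights, thresholds, field names and the sample alert
are constructed for this example."""
import json
import re

TIERS = [(80, "P1 Critical"), (50, "P2 High"), (25, "P3 Medium"), (0, "P4 Low")]
ASSET_WEIGHT = {"critical": 1.5, "high": 1.25, "medium": 1.0, "low": 0.75}
CONFIDENCE_WEIGHT = {"high": 1.0, "medium": 0.6, "low": 0.3}
ESCALATION = {
    "P1 Critical": "Page the incident commander and open a major-incident bridge.",
    "P2 High": "Escalate to the Tier 2 lead within the current shift.",
    "P3 Medium": "Tier 1 works the case; review at shift handover.",
    "P4 Low": "Document and close unless new evidence arrives.",
}

# Matchers return (confidence, evidence, validation note) or None. Confidence
# states how directly the evidence supports the technique, not how severe it is.
def match_powershell(alert):
    for p in alert["process_chain"]:
        if p["image"].lower().endswith("powershell.exe"):
            if re.search(r"(^|\s)-e(nc|ncodedcommand)?\b", p["cmdline"], re.I):
                return "high", p["cmdline"], None
            return "medium", p["cmdline"], "PowerShell without an encoded command may be admin activity; check parent process and user."
    return None

def match_lsass_dump(alert):
    for p in alert["process_chain"]:
        cmd = p["cmdline"].lower()
        # comsvcs.dll MiniDump and procdump against lsass are well-known dump primitives
        if ("comsvcs.dll" in cmd and "minidump" in cmd) or ("procdump" in cmd and "lsass" in cmd):
            return "high", p["cmdline"], "Confirm the dump file exists and hash it before it is moved or deleted."
    return None

def match_web_c2(alert):
    for c in alert["network_connections"]:
        if c["image"].lower() == "powershell.exe" and c["port"] in (80, 443):
            return "low", f"{c['image']} -> {c['dst']}:{c['port']}", "Scripting host egress over web ports is suggestive only; confirm with proxy or NetFlow logs."
    return None

RULES = [  # (technique, name, tactic, base weight, matcher)
    ("T1059.001", "Command and Scripting Interpreter: PowerShell", "TA0002", 30, match_powershell),
    ("T1003.001", "OS Credential Dumping: LSASS Memory", "TA0006", 60, match_lsass_dump),
    ("T1071.001", "Application Layer Protocol: Web Protocols", "TA0011", 20, match_web_c2),
]

def triage(alert):
    facts, assumptions, techniques, score = [], [], [], 0.0
    crit = alert.get("asset_criticality")
    if crit in ASSET_WEIGHT:
        assumptions.append(f"Asset criticality '{crit}' comes from alert metadata; confirm against the CMDB.")
    else:
        crit = "medium"
        assumptions.append("Asset criticality absent from alert; scored as 'medium' pending CMDB lookup.")
    for tid, name, tactic, weight, matcher in RULES:
        hit = matcher(alert)
        if hit is None:
            continue
        conf, evidence, note = hit
        score += weight * CONFIDENCE_WEIGHT[conf]
        techniques.append({"technique": tid, "name": name, "tactic": tactic, "confidence": conf, "evidence": evidence})
        facts.append(f"{tid} {name}: {evidence}")
        if note:
            assumptions.append(f"{tid} ({conf} confidence): {note}")
    score = round(score * ASSET_WEIGHT[crit], 1)
    severity = next(label for floor, label in TIERS if score >= floor)
    host, actions = alert["host"], []
    if severity in ("P1 Critical", "P2 High"):
        # Containment is recommended, not executed: isolation waits for authorization.
        actions.append(f"Preserve evidence: acquire a memory image of {host} and hash {', '.join(alert['file_hashes']) or 'no files'} before remediation.")
        actions.append(f"Request authorization to isolate {host} via EDR; do not wipe or reimage until evidence is preserved.")
        iocs = sorted({c["dst"] for c in alert["network_connections"]} | set(alert["file_hashes"].values()))
        actions.append(f"Enrich against threat intelligence: {', '.join(iocs)}")
    if any(t["technique"] == "T1003.001" for t in techniques):
        actions.append(f"Treat credentials cached on {host} as exposed; plan resets for accounts that logged on there.")
    return {"host": host, "severity": severity, "score": score, "asset_criticality": crit,
            "techniques": techniques, "facts": facts, "assumptions": assumptions,
            "escalation": ESCALATION[severity], "actions": actions}

# Constructed sample alert: macro-launched encoded PowerShell dumping LSASS via comsvcs.dll.
SAMPLE_ALERT = {
    "host": "WKS-0421",
    "asset_criticality": "high",
    "process_chain": [
        {"image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE", "cmdline": "WINWORD.EXE /n invoice_0421.docm"},
        {"image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "cmdline": "powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA..."},
        {"image": "C:\\Windows\\System32\\rundll32.exe", "cmdline": "rundll32.exe C:\\Windows\\System32\\comsvcs.dll, MiniDump 712 C:\\Temp\\lsass.dmp full"},
    ],
    "network_connections": [{"image": "powershell.exe", "dst": "203.0.113.45", "port": 443}],
    "file_hashes": {"C:\\Temp\\lsass.dmp": "0a1b2c3d4e5f60718293a4b5c6d7e8f90a1b2c3d4e5f60718293a4b5c6d7e8f9"},
}

if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_ALERT), indent=2))
```

The design point is that confidence and severity are kept apart: a low-confidence C2 indicator contributes little to the score but still lands in the assumptions list with the log source needed to confirm it, so the analyst sees exactly which claims the P1 rating rests on and which still need validation.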
How to Install
mkdir -p ~/.claude/skills && curl -sL https://www.agensi.io/api/install/security-incident-triage | tar xz -C ~/.claude/skills/
Free skills install directly. Paid skills require purchase - use the download button above after buying.
The one-liner pipes a remote archive straight into tar. If your environment requires review of third-party skill code before it lands in ~/.claude/skills, download the archive to a file and list its contents first.
Security Scanned
Passed automated security review
Permissions
An optional Python triage agent script automates classification, severity scoring, optional threat intelligence enrichment (via a configurable generic API placeholder), and JSON triage record generation; it requires the requests library (pip install requests). Because the enrichment endpoint is a placeholder, set it deliberately: whatever host is configured will receive indicators drawn from your alert data. The skill works with any agent that supports the Universal SKILL.md standard, including Claude Code, Codex CLI, Cursor, VS Code Copilot, Gemini CLI, OpenClaw, and 20+ compatible agents, and operates from user-supplied alert context and the included reference files.
Creator
I design and publish skills built from real professional practice across three areas: cyber security consulting, business operations, and AI workflow engineering. My cyber security skills draw on active advisory work spanning governance, risk, compliance, assurance, and executive reporting. They are built for practitioners who need structured, defensible outputs - not generic templates. My business operations skills cover the day-to-day work of running a consulting practice: bookkeeping, financial tracking, expense reconciliation, and marketing content - designed to reduce repetitive overhead and keep outputs consistent. My AI platform and workflow skills are built for people who want to get more out of Claude and similar platforms - covering prompt engineering, skill architecture, automation pipelines, and agent enhancement. Every skill I publish has been tested in production use before it reaches the marketplace. If it is here, it works.