Security Incident Triage
Professional security incident triage for SOC teams to classify alerts, assess severity, and draft response plans.
- Classify suspected cyber incidents using evidence-based scoring logic.
- Generate incident ticket summaries for SOC and security operations platforms.
- Map detected adversary behavior to MITRE ATT&CK techniques with confidence ratings.
$10
· or 50 creditsSecure checkout via Stripe
Included in download
- Classify suspected cyber incidents using evidence-based scoring logic.
- Generate incident ticket summaries for SOC and security operations platforms.
- terminal, network automation included
- Ready for severity scoring
Sample input
Triage the following alert: an endpoint detection platform flagged suspicious PowerShell execution on a finance workstation at 02:14 UTC followed by LSASS memory access attempts. The user was not logged in at the time. Assess severity, classify the incident type, map any TTPs, and provide an initial action plan.
Sample output
The skill produces a structured triage report classifying the incident as P1 Critical under NIST SP 800-61 category TA0006 (Credential Access), with MITRE ATT&CK technique mappings for T1059.001 (PowerShell) and T1003.001 (LSASS Memory), a severity assessment with evidence basis and confidence level, an escalation recommendation targeting the incident commander, an initial action plan covering evidence preservation, endpoint isolation, and threat intelligence enrichment, and a structured incident ticket summary ready for case management import. All assumptions and validation points requiring confirmation are clearly marked.
Security Incident Triage
Professional security incident triage for SOC teams to classify alerts, assess severity, and draft response plans.
$10
· or 50 creditsSecure checkout via Stripe
Included in download
- Classify suspected cyber incidents using evidence-based scoring logic.
- Generate incident ticket summaries for SOC and security operations platforms.
- terminal, network automation included
- Ready for severity scoring
- Instant install
Sample input
Triage the following alert: an endpoint detection platform flagged suspicious PowerShell execution on a finance workstation at 02:14 UTC followed by LSASS memory access attempts. The user was not logged in at the time. Assess severity, classify the incident type, map any TTPs, and provide an initial action plan.
Sample output
The skill produces a structured triage report classifying the incident as P1 Critical under NIST SP 800-61 category TA0006 (Credential Access), with MITRE ATT&CK technique mappings for T1059.001 (PowerShell) and T1003.001 (LSASS Memory), a severity assessment with evidence basis and confidence level, an escalation recommendation targeting the incident commander, an initial action plan covering evidence preservation, endpoint isolation, and threat intelligence enrichment, and a structured incident ticket summary ready for case management import. All assumptions and validation points requiring confirmation are clearly marked.
About This Skill
High-Level Security Triage for SOC & DevOps
This skill provides a structured framework for analyzing security alerts, user reports, and threat intelligence matches. It bridges the gap between raw log data and actionable incident response by automating the initial triage process.
What it does
The skill acts as a virtual SOC Tier 1/2 analyst. It ingest evidence—such as process chains, network connections, and file hashes—to produce a severity-assessed incident report. It prioritizes response efforts, recommends escalation paths, and maps activities to the MITRE ATT&CK framework when evidence supports it.
Why use this skill?
- Structured Methodology: Unlike generic AI prompts, this skill follows rigorous defensive security principles, separating confirmed facts from assumptions.
- Tool Agnostic: Works across any EDR, SIEM, or cloud identity platform by requesting specific context when needed.
- Operational Safety: Includes built-in guardrails against providing offensive guidance or recommending destructive containment without authorization.
- Ready for Integration: Produces summaries specifically formatted for incident tickets (Jira, ServiceNow) or executive briefings.
The Result
You receive a comprehensive triage report including a severity rationale, affected scope, evidence summary, and a prioritized initial action plan for your security operations team.
Use Cases
- Classify suspected cyber incidents using evidence-based scoring logic.
- Generate incident ticket summaries for SOC and security operations platforms.
- Map detected adversary behavior to MITRE ATT&CK techniques with confidence ratings.
- Provide prioritized containment recommendations based on asset criticality.
Known Limitations
- Requires manual provision of logs/context; cannot autonomously browse internal networks.
- Not a substitute for human legal or forensic sign-off.
- Performance depends on input data quality.
How to Install
mkdir -p ~/.claude/skills && curl -sL https://www.agensi.io/api/install/security-incident-triage -o /tmp/security-incident-triage.zip && unzip -o /tmp/security-incident-triage.zip -d ~/.claude/skills && rm /tmp/security-incident-triage.zipFree skills install directly. Paid skills require purchase - use the download button above after buying.
Reviews
No reviews yet - be the first to share your experience.
Only users who have downloaded or purchased this skill can leave a review.
Early access skill
Be the first to review this skill.
Only users who have downloaded or purchased this skill can leave a review.
Security Scanned
Passed automated security review
Permissions
Allowed Hosts
File Scopes
An optional Python triage agent script automates classification, severity scoring, optional threat intelligence enrichment (via a configurable generic API placeholder), and JSON triage record generation. Optional script: pip install requests. Works with any agent that supports the Universal SKILL.md standard, including Claude Code, Codex CLI, Cursor, VS Code Copilot, Gemini CLI, OpenClaw, and 20+ compatible agents. Operates from user-supplied alert context and included reference files. The optional script supports a configurable generic threat intelligence API placeholder.