#601

Global Rank · of 601 Skills

security-incident-reporting AI Agent Skill

View Source: dirnbauer/webconsulting-skills

Safe

Installation

npx skills add dirnbauer/webconsulting-skills --skill security-incident-reporting

40

Installs

Security Incident Reporting

Comprehensive framework for documenting and analyzing security incidents, drawing from NIST SP 800-61 and SANS methodologies.

When to Use

  • After a security incident (DDoS, breach, vulnerability exploitation)
  • Creating post-mortem documentation
  • Communicating with stakeholders (C-level, legal, security teams)
  • Correlating attack patterns with known CVEs
  • Establishing incident response metrics (MTTR, dwell time)

Related Skills

1. Incident Response Framework

NIST SP 800-61 / SANS Harmonization

Phase NIST SANS Documentation Focus
1 Preparation Preparation Runbooks, contacts, tools
2 Detection & Analysis Identification Initial detection, triage
3 Containment Containment Isolation actions, timeline
4 Eradication Eradication Root cause removal
5 Recovery Recovery Service restoration
6 Post-Incident Lessons Learned Post-mortem, improvements

Documentation Principle

Logbuch-Prinzip: Document in real-time during the incident, then consolidate into the post-mortem report. Never create reports retrospectively from memory.

2. Severity Rating Systems

NCISS (National Cyber Incident Scoring System)

Level Score Description
Emergency (1) 100 Nation-state attack, critical infrastructure
Severe (2) 80-99 Significant impact, data exfiltration
High (3) 60-79 Service disruption, potential data loss
Medium (4) 40-59 Limited impact, contained breach
Low (5) 20-39 Minor incident, no data loss
Baseline (6) 0-19 Informational, false positive

DDoS Resiliency Score (DRS)

Level Description Typical Bandwidth
1-2 Simple Floods < 1 Gbps
3-4 Sophisticated Multi-Vector 1-5 Gbps
5-6 Advanced (State-Actor Level) 5-100 Gbps
7 Extreme (Hyper-Volumetric) > 100 Gbps

CVSS Integration

For vulnerability-based incidents, include CVSS v3.1 base score from the security-audit skill.

3. Incident Report Template

Module A: Metadata & Executive Summary

# Security Incident Report

## Metadata
| Field | Value |
|-------|-------|
| Incident ID | SIR-2026-001 |
| Classification | Confidential |
| Status | Closed / Active / Under Investigation |
| Detection Time | 2026-01-21 14:32 UTC |
| Resolution Time | 2026-01-21 15:17 UTC |
| MTTR | 45 minutes |
| Severity | High (NCISS: 65) |
| Lead Analyst | Jane Doe |
| Affected Systems | web-cluster-01, cdn-edge-eu |

## Executive Summary (max 200 words)

On [DATE], our monitoring systems detected [INCIDENT TYPE] targeting [SYSTEMS].
The attack [IMPACT DESCRIPTION]. Through [RESPONSE ACTIONS], normal operations
were restored within [TIMEFRAME]. [DATA IMPACT STATEMENT].

### Business Impact
- Service Availability: [Degraded/Offline for X minutes]
- Data Impact: [None/Potential exposure of X records]
- Financial Impact: [Estimated cost]
- Reputation Impact: [Public/Internal]

Module B: Timeline (Chronological Analysis)

## Incident Timeline

| Time (UTC) | Event | Source | Action Taken |
|------------|-------|--------|--------------|
| 14:32 | Traffic spike detected | Cloudflare Alert | On-call notified |
| 14:35 | 5x baseline traffic confirmed | Grafana | Incident declared |
| 14:38 | Geo-blocking activated | Cloudflare | EU/US traffic filtered |
| 14:42 | Attack vector identified: UDP amplification | DPI Analysis | Null-route for UDP/427 |
| 14:55 | Traffic normalized | Monitoring | Mitigation confirmed |
| 15:17 | All systems stable | Status page | Incident closed |

### Dwell Time Analysis
- Time to Detection (TTD): 0 minutes (automated)
- Time to Containment (TTC): 10 minutes
- Time to Eradication (TTE): 23 minutes
- Time to Recovery (TTR): 45 minutes

Module C: Technical Analysis & IoCs

## Technical Analysis

### Attack Vectors (MITRE ATT&CK)
- T1498: Network Denial of Service
- T1498.001: Direct Network Flood
- T1498.002: Reflection Amplification

### Indicators of Compromise (IoCs)

#### Network Artifacts
| Type | Value | Context |
|------|-------|---------|
| IP Range | 192.0.2.0/24 | Source (spoofed) |
| ASN | AS12345 | Amplification source |
| Port | UDP/427 | SLP Amplification |
| Signature | \x00\x00\x00\x00SLP | Payload pattern |

#### System Artifacts
| Type | Value | Hash (SHA256) |
|------|-------|---------------|
| Modified File | /var/www/shell.php | a1b2c3... |
| New User | backdoor_admin | N/A |
| Cron Job | /tmp/.hidden/beacon | d4e5f6... |

### Root Cause Analysis (5-Whys)
1. Why did the attack succeed? → Amplification ports were exposed
2. Why were ports exposed? → Firewall rules not updated after migration
3. Why weren't rules updated? → No automated validation in deployment
4. Why no automation? → Security review not in CI/CD pipeline
5. Why not in pipeline? → Technical debt, prioritized features

**Root Cause**: Missing security validation in deployment pipeline

4. DDoS Post-Mortem Analysis

Metrics Table

Metric Value Threshold Status
Peak Bandwidth 45 Gbps 10 Gbps Exceeded
Peak Packets/sec 12M PPS 5M PPS Exceeded
Peak Requests/sec 850K RPS 100K RPS Exceeded
Unique Source IPs 145,000 N/A Amplification
Attack Duration 45 min N/A -
Geographic Spread 89 countries N/A Global botnet

Attack Vector Classification

Vector % of Traffic Type Mitigation
UDP Flood 60% Volumetric Null-route
SYN Flood 25% Protocol SYN cookies
HTTP Flood 15% Application Rate limiting

Multi-Vector Detection

Was this a smoke-screen attack?
├── Volumetric attack started: 14:32
├── Application-layer probing detected: 14:38
├── Login brute-force attempts: 14:40-14:45
└── Conclusion: Coordinated multi-vector attack

5. CVE Correlation for DDoS

Map attack signatures to known vulnerabilities for threat intelligence.

Amplification Vector CVE Table

Attack Type Port Amplification Factor CVE Description
NTP Monlist UDP/123 556x CVE-2013-5211 NTP mode 7 monlist
Memcached UDP/11211 51,000x CVE-2018-1000115 UDP reflection
CLDAP UDP/389 70x CVE-2020-9490 LDAP reflection
SLP UDP/427 2,200x CVE-2023-29552 Service Location Protocol
DNS UDP/53 54x Various Open resolver abuse
SSDP UDP/1900 30x Various UPnP reflection
Chargen UDP/19 358x CVE-1999-0103 Character generator

Analysis Example

## CVE Correlation Analysis

Traffic analysis shows 40% of UDP flood originated from port 427.
Deep Packet Inspection confirmed payloads typical for CVE-2023-29552.

**Conclusion**: Botnet leveraging unpatched VMware ESXi instances as
SLP reflectors. Recommend:
1. Verify our infrastructure is not acting as reflector
2. Block UDP/427 at edge
3. Report to upstream provider

6. Impact Assessment Matrix

Operational Impact

Category Level Description
Availability Critical Complete outage for 15 minutes
Performance High 50% degradation for 30 minutes
Collateral Medium API gateway affected

Financial Impact

Category Estimated Cost
Lost Revenue $15,000
Scrubbing Overage $2,500
Incident Response $5,000 (8 person-hours)
Total $22,500

Reputation Impact

Channel Severity Action Required
Social Media Medium Prepared statement
B2B Partners Low Direct notification
Press None No external coverage

7. Blameless Post-Mortem

Principles

  1. Focus on systems, not individuals: "Why did the process allow X?" not "Who did X?"
  2. Assume good intentions: Everyone acted with the best information available
  3. Learn, don't punish: Goal is improvement, not blame
  4. Share openly: Publish internally for organizational learning

Post-Mortem Template

## Post-Mortem: [Incident Title]

### What Happened
[Factual description of the incident]

### What Went Well
- Detection was automated (0 min TTD)
- On-call responded within SLA
- Communication was clear

### What Went Wrong
- Firewall rules were outdated
- No alerting for UDP traffic spikes
- Runbook was incomplete

### Action Items
| ID | Action | Owner | Due Date | Status |
|----|--------|-------|----------|--------|
| 1 | Add security validation to CI/CD | @devops | 2026-02-01 | Open |
| 2 | Update runbook with DDoS procedures | @security | 2026-01-28 | Open |
| 3 | Implement UDP traffic alerting | @sre | 2026-02-05 | Open |

### Lessons Learned
- Automated security gates prevent configuration drift
- Regular runbook reviews are essential
- Multi-vector attacks require layered defense

8. Report Distribution

Classification Levels

Level Audience Content
Executive C-Level, Board Summary, business impact, remediation status
Technical Security Team, SOC Full IoCs, TTPs, forensic details
Legal Legal, Compliance Data impact, regulatory implications
Public Customers, Press Sanitized summary, no technical details

Retention Requirements

Document Type Retention Storage
Full Incident Report 7 years Encrypted archive
IoC Data 2 years Threat Intelligence Platform
Logs & Evidence 1 year Immutable storage

9. Checklists

Pre-Incident Preparation

  • Incident response runbooks documented
  • On-call rotation established
  • Communication templates prepared
  • Evidence collection tools ready
  • Stakeholder contact list updated

During Incident

  • Incident declared and logged
  • Timeline documentation started
  • Evidence preserved (logs, packets)
  • Stakeholders notified
  • Status page updated

Post-Incident

  • Full incident report completed
  • Post-mortem meeting scheduled
  • Action items assigned and tracked
  • Lessons learned documented
  • Controls validated/improved

References

Credits & Attribution

This skill draws from the "Handbuch für Advanced Security Incident Reporting" methodology,
incorporating elements of NIST SP 800-61, SANS frameworks, and industry best practices.

Developed by webconsulting.at for the Claude skill collection.

Source: https://github.com/dirnbauer/webconsulting-skills
Thanks to Netresearch DTT GmbH for their contributions to the TYPO3 community.

Installs

Installs 40
Global Rank #601 of 601

Security Audit

ath Safe
socket Safe
Alerts: 0 Score: 90
snyk Low
EU EU-Hosted Inference API

Power your AI Agents with the best open-source models.

Drop-in OpenAI-compatible API. No data leaves Europe.

Explore Inference API

GLM

GLM 5

$1.00 / $3.20

per M tokens

Kimi

Kimi K2.5

$0.60 / $2.80

per M tokens

MiniMax

MiniMax M2.5

$0.30 / $1.20

per M tokens

Qwen

Qwen3.5 122B

$0.40 / $3.00

per M tokens

How to use this skill

1

Install security-incident-reporting by running npx skills add dirnbauer/webconsulting-skills --skill security-incident-reporting in your project directory. Run the install command above in your project directory. The skill file will be downloaded from GitHub and placed in your project.

2

No configuration needed. Your AI agent (Claude Code, Cursor, Windsurf, etc.) automatically detects installed skills and uses them as context when generating code.

3

The skill enhances your agent's understanding of security-incident-reporting, helping it follow established patterns, avoid common mistakes, and produce production-ready output.

What you get

Skills are plain-text instruction files — not executable code. They encode expert knowledge about frameworks, languages, or tools that your AI agent reads to improve its output. This means zero runtime overhead, no dependency conflicts, and full transparency: you can read and review every instruction before installing.

Compatibility

This skill works with any AI coding agent that supports the skills.sh format, including Claude Code (Anthropic), Cursor, Windsurf, Cline, Aider, and other tools that read project-level context files. Skills are framework-agnostic at the transport level — the content inside determines which language or framework it applies to.

Data sourced from the skills.sh registry and GitHub. Install counts and security audits are updated regularly.

EU Made in Europe

Chat with 100+ AI Models in one App.

Use Claude, ChatGPT, Gemini alongside with EU-Hosted Models like Deepseek, GLM-5, Kimi K2.5 and many more.

Start for free View pricing
Customer Support