cyber-ir-playbook
Build incident response timelines and report packs from event logs. Use for detection-to-recovery reporting, phase tracking, and stakeholder-ready incident summaries.
About this skill
The Cyber IR Playbook skill is engineered to convert raw incident event data into structured, phase-based incident response timelines and reports. It ingests event logs with timestamps, intelligently classifies each event into standard incident response phases—detection, containment, eradication, recovery, or post-incident—and then compiles this information into an easily digestible timeline. This tool is invaluable for cybersecurity professionals who need to quickly and consistently document the progression of a cyber incident. It helps track the status of an incident across its lifecycle, summarize current phase completion, and generate essential report artifacts suitable for both internal technical teams and executive-level audiences. Utilizing this skill ensures uniformity in incident reporting, reduces manual effort, and provides clear, actionable summaries, thereby enhancing incident management efficiency and facilitating prompt, accurate communication during critical security events.
Best use case
The primary use case for this skill is to rapidly transform disparate incident event logs into clear, standardized incident response timelines and executive reports. This benefits cybersecurity analysts, incident responders, and security operations center (SOC) managers who need to track, report on, and communicate the progress of ongoing or concluded cyber incidents to both technical and non-technical stakeholders.
A generated incident response timeline and a phase-based report artifact suitable for internal and executive audiences.
Practical example
Example input
Generate an incident response timeline and report for the following events:
- 2023-10-26T09:00:00Z: Alert triggered on suspicious login (detection)
- 2023-10-26T09:15:00Z: Network segment isolated (containment)
- 2023-10-26T10:30:00Z: Malicious process terminated (eradication)
- 2023-10-26T11:00:00Z: System restored from backup (recovery)
- 2023-10-26T12:00:00Z: Post-incident review scheduled (post-incident)
Example output
**Incident Timeline:**
- 09:00 AM: Suspicious login detected. (Detection Phase)
- 09:15 AM: Network segment isolated. (Containment Phase)
- 10:30 AM: Malicious process terminated. (Eradication Phase)
- 11:00 AM: System restored. (Recovery Phase)
- 12:00 PM: Post-incident review scheduled. (Post-Incident Phase)

**Phase Completion Summary:**
- Detection: Complete
- Containment: Complete
- Eradication: Complete
- Recovery: Complete
- Post-Incident: In Progress (Review scheduled)
When to use this skill
- When needing to quickly generate an incident response timeline from event logs.
- For creating standardized reports on incident detection-to-recovery phases.
- To prepare stakeholder-ready summaries of cyber incidents.
- During post-incident analysis to build a chronological record of events.
When not to use this skill
- If you need to perform offensive security operations or penetration testing.
- When incident events lack timestamps or clear chronological order.
- For tasks unrelated to cyber incident response reporting or timeline generation.
Installation
Claude Code / Cursor / Codex
Manual Installation
- Download SKILL.md from GitHub
- Place it in `.claude/skills/cyber-ir-playbook/SKILL.md` inside your project
- Restart your AI agent; it will auto-discover the skill
How cyber-ir-playbook Compares
| Feature / Agent | cyber-ir-playbook | Standard Approach |
|---|---|---|
| Platform Support | Not specified | Limited / Varies |
| Context Awareness | High | Baseline |
| Installation Complexity | easy | N/A |
Frequently Asked Questions
What does this skill do?
Build incident response timelines and report packs from event logs. Use for detection-to-recovery reporting, phase tracking, and stakeholder-ready incident summaries.
How difficult is it to install?
The installation complexity is rated as easy. You can find the installation instructions above.
Where can I find the source code?
You can find the source code on GitHub using the link provided at the top of the page.
SKILL.md Source
# Cyber IR Playbook

## Overview
Convert incident events into a standardized response timeline and phase-based report.

## Workflow
1. Ingest incident events with timestamps.
2. Classify events into detection, containment, eradication, recovery, or post-incident phases.
3. Build ordered timeline and summarize current phase completion.
4. Produce a report artifact for internal and executive audiences.

## Use Bundled Resources
- Run `scripts/ir_timeline_report.py` to generate a deterministic timeline report.
- Read `references/ir-phase-guide.md` for phase mapping guidance.

## Guardrails
- Focus on defensive incident handling and post-incident learning.
- Do not provide offensive exploitation instructions.
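The four workflow steps above, carried out on the practical example's input, as an added illustration that is not the skill's own `scripts/ir_timeline_report.py`: it assumes the `- <ISO-8601 timestamp>: <text> (<phase>)` line format of the example, falls back to keyword matching when a line has no phase tag, rejects lines without a valid timestamp (the "when not to use" case), and derives phase completion from the ordered phases rather than from event order, so out-of-order logs still produce the same report.

```python
import re
from datetime import datetime, timezone

PHASES = ["detection", "containment", "eradication", "recovery", "post-incident"]
# Keyword fallback, used only when an event line carries no explicit "(phase)" tag.
KEYWORDS = {"detection": ("alert", "detected", "suspicious"), "containment": ("isolated", "blocked"),
            "eradication": ("terminated", "removed"), "recovery": ("restored", "rebuilt"),
            "post-incident": ("review", "lessons")}
# Assumed line format: "- <ISO-8601 timestamp>: <text> (<phase>)"; the phase tag is optional.
LINE_RE = re.compile(r"^-?\s*(\S+):\s*(.*?)\s*(?:\((?P<phase>[\w-]+)\))?\s*$")
SAMPLE = [  # constructed input, copied from the practical example on this page
    "- 2023-10-26T09:00:00Z: Alert triggered on suspicious login (detection)",
    "- 2023-10-26T09:15:00Z: Network segment isolated (containment)",
    "- 2023-10-26T10:30:00Z: Malicious process terminated (eradication)",
    "- 2023-10-26T11:00:00Z: System restored from backup (recovery)",
    "- 2023-10-26T12:00:00Z: Post-incident review scheduled (post-incident)",
]

def classify(text, tag=None):
    """Map an event to a phase: an explicit tag wins, otherwise keyword matching."""
    if tag and tag.lower() in PHASES:
        return tag.lower()
    for phase in PHASES:
        if any(k in text.lower() for k in KEYWORDS[phase]):
            return phase
    raise ValueError(f"cannot classify event: {text!r}")
def parse_events(lines):
    """Parse lines into (utc_time, text, phase) tuples; untimestamped lines are rejected."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            raise ValueError(f"unparseable event line: {line!r}")
        try:
            ts = datetime.fromisoformat(m.group(1).replace("Z", "+00:00"))
        except ValueError as exc:
            raise ValueError(f"event lacks a valid timestamp: {line!r}") from exc
        events.append((ts.astimezone(timezone.utc), m.group(2), classify(m.group(2), m.group("phase"))))
    return sorted(events)  # chronological order is the timeline
def phase_summary(events):
    """Complete once a later phase has started; the latest phase seen is In Progress."""
    seen = {e[2] for e in events}
    last = max((PHASES.index(p) for p in seen), default=-1)
    return {p: "Not Started" if p not in seen else
            "Complete" if PHASES.index(p) < last else "In Progress" for p in PHASES}
def build_report(lines):
    """Return the ordered timeline lines plus the phase completion summary."""
    events = parse_events(lines)
    timeline = [f"{ts:%H:%M}Z: {text} ({phase.title()} Phase)" for ts, text, phase in events]
    return {"timeline": timeline, "summary": phase_summary(events)}
```

`build_report(SAMPLE)` reproduces the example output's phase summary (four phases Complete, Post-Incident In Progress); feeding it the same lines in reverse order yields an identical timeline.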