
cyber-ir-playbook

Build incident response timelines and report packs from event logs. Use for detection-to-recovery reporting, phase tracking, and stakeholder-ready incident summaries.

Stars: 15
Source: dvcrn/openclaw-skills-marketplace
Updated: 2026-05-29
Slug: dvcrn--openclaw-skills-marketplace--cyber-ir-playbook

// install — copy + paste into any project

mkdir -p .claude/skills && curl -fsSL https://raw.githubusercontent.com/dvcrn/openclaw-skills-marketplace/HEAD/plugins/0x-professor--cyber-ir-playbook/skills/cyber-ir-playbook/SKILL.md -o .claude/skills/cyber-ir-playbook.md

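Drops the SKILL.md into .claude/skills/cyber-ir-playbook.md. Works with Claude Code, Cursor, and any agent that loads SKILL.md files from .claude/skills/. The URL points at HEAD, so the download is whatever the repository holds at that moment, not a pinned revision.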

Cyber IR Playbook

Overview

Convert incident events into a standardized response timeline and phase-based report.

Workflow

  1. Ingest incident events with timestamps.
  2. Classify events into detection, containment, eradication, recovery, or post-incident phases.
  3. Build an ordered timeline and summarize current phase completion.
  4. Produce a report artifact for internal and executive audiences.
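
The four workflow steps as an added Python example; this is not the bundled scripts/ir_timeline_report.py, whose contents this page does not show. The event fields (`ts`, `summary`, `phase`), the keyword rules, and the sample events are assumptions constructed for illustration.

```python
from collections import Counter
from datetime import datetime, timezone

# Phase names come from the workflow; the keyword rules are assumptions.
PHASES = ["detection", "containment", "eradication", "recovery", "post-incident"]
KEYWORDS = {
    "detection": ("alert", "detected"),
    "containment": ("isolated", "blocked", "disabled"),
    "eradication": ("removed", "reimaged", "rotated"),
    "recovery": ("restored", "returned to service"),
    "post-incident": ("lessons learned", "retrospective"),
}

def parse_ts(value):
    """Parse ISO 8601 and normalize to UTC; refuse timestamps with no offset."""
    ts = datetime.fromisoformat(value.replace("Z", "+00:00"))
    if ts.tzinfo is None:
        raise ValueError(f"timestamp has no UTC offset: {value!r}")
    return ts.astimezone(timezone.utc)

def classify(event):
    """Prefer an explicit phase field, else match keywords in phase order."""
    if event.get("phase") in PHASES:
        return event["phase"]
    text = event["summary"].lower()
    return next((p for p in PHASES if any(k in text for k in KEYWORDS[p])), "unclassified")

def build_report(events):
    """Return the UTC-ordered timeline plus a phase summary."""
    rows = [{"ts": parse_ts(e["ts"]), "phase": classify(e), "summary": e["summary"]} for e in events]
    rows.sort(key=lambda r: r["ts"])  # stable sort keeps input order on ties
    counts = Counter(r["phase"] for r in rows)
    reached = [p for p in PHASES if counts[p]]
    current = reached[-1] if reached else None
    earlier = PHASES[:PHASES.index(current)] if current else []
    return {
        "timeline": rows,
        "current_phase": current,  # furthest phase with at least one event
        "phases_without_events": [p for p in earlier if not counts[p]],
        "unclassified": counts["unclassified"],
    }

# Constructed sample events (hypothetical hosts), deliberately out of order.
SAMPLE_EVENTS = [
    {"ts": "2024-03-04T09:12:00-05:00", "summary": "Host WS-114 isolated from network"},
    {"ts": "2024-03-04T13:58:00Z", "summary": "EDR alert on WS-114: suspicious PowerShell"},
    {"ts": "2024-03-04T16:30:00+00:00", "summary": "File server restored from backup"},
    {"ts": "2024-03-04T15:05:00Z", "summary": "Analyst note: awaiting vendor callback"},
]
```

Sorting the raw strings would place the 09:12-05:00 isolation before the 13:58Z alert; normalizing to UTC first puts containment after detection, and the summary flags eradication as a phase with no recorded events.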

Use Bundled Resources

  • Run scripts/ir_timeline_report.py to generate a deterministic timeline report.
  • Read references/ir-phase-guide.md for phase mapping guidance.

Guardrails

  • Focus on defensive incident handling and post-incident learning.
  • Do not provide offensive exploitation instructions.