Installation

Open Claude Code and run this command:

/plugin install security-incident-responder@claude-code-plugins-plus

Use --global to install for all projects, or --project for current project only.

What It Does

Assist with security incident response, investigation, and remediation following established incident response frameworks.

Features

Incident Classification - Categorize security incidents
Response Playbooks - Guided response procedures
Evidence Collection - Gather forensic data
Timeline Construction - Build incident timeline
Remediation Steps - Guided recovery process
Post-Incident Reporting - Lessons learned documentation

Skills (1)

responding-to-security-incidents SKILL.md View full skill →

Analyze and guide security incident response, investigation, and remediation processes.

ReadWriteEditGrepGlobBash(log-analysis:*)Bash(forensics:*)Bash(network-trace:*)

Responding To Security Incidents

Overview

Guide the full NIST SP 800-61 incident response lifecycle: detection, containment, eradication, recovery, and post-incident analysis. Classify incidents by type (ransomware, data breach, DDoS, credential compromise, insider threat) and severity, then coordinate evidence preservation, threat containment, and root-cause investigation.

Prerequisites

System and application logs accessible in ${CLAUDESKILLDIR}/logs/ (auth logs, web server logs, database access logs)
Network traffic captures (PCAP) or SIEM alert exports available
Incident response team contact information and escalation paths documented
Backup systems operational and recovery procedures tested
Write permissions for incident documentation in ${CLAUDESKILLDIR}/incidents/
Forensic tools available: Volatility (memory), Autopsy/FTK Imager (disk), tcpdump/Wireshark (network)

Instructions

Classify the incident: determine type (ransomware, data breach, DDoS, phishing, insider threat), assign severity (Critical/High/Medium/Low), and record initial detection timestamp and method.
Scope affected systems: identify all compromised hosts, user accounts, data stores, and network segments. Map the blast radius.
Preserve evidence before any changes: capture memory dumps (volatility -f memdump.raw imageinfo), create disk images, export running process lists (ps auxf), and snapshot network connection state (ss -tulnp).
Collect log evidence: gather authentication logs (successful and failed), application error logs, firewall/IDS alerts, DNS query logs, and proxy server logs. Store originals in ${CLAUDESKILLDIR}/incidents/evidence/.
Contain the threat: isolate affected systems from the network, disable compromised accounts, block malicious IPs at the firewall, and revoke compromised API keys or tokens.
Investigate and reconstruct timeline: identify initial access vector, map lateral movement, determine data exfiltration scope, locate persistence mechanisms (cron jobs, startup scripts, web shells), and document all IOCs (IPs, hashes, domains, file paths).
Eradicate the threat: remove malware and backdoors, patch exploited vulnerabilities, reset all potentially compromised credentials, and update firewall rules.
Recover operations: restore from verified clean backups, rebuild compromised systems from hardened images, validate system integrity, and monitor for reinfection with heightened alerting.
Document the incident: produce a comprehensive report at ${CLAUDESKILLDIR}/incidents/incident-YYYYMMDD-HHMM.md c

How It Works


/incident-response
/incident

security-incident-responder

Installation

What It Does

Features

Skills (1)

Responding To Security Incidents

Overview

Prerequisites

Instructions

How It Works

Ready to use security-incident-responder?

Related Plugins

security-incident-responder

Installation

What It Does

Features

Skills (1)

Responding To Security Incidents

Overview

Prerequisites

Instructions

How It Works

Ready to use security-incident-responder?

Related Plugins

access-control-auditor

authentication-validator

compliance-report-generator

cors-policy-validator

csrf-protection-validator

data-privacy-scanner