Search everything...

Stats

Actions

Available In

secops-factory

Name: secops-factory
Author: drbothen

By drbothen

ICS/OT Security Operations — CVE enrichment, event investigation, MITRE ATT&CK mapping, and adversarial quality review with convergence-driven analysis.

npx claudepluginhub drbothen/claude-mp --plugin secops-factory

Popularity

Stars

Med: 0·Avg: 285

Installs

Med: 0·Avg: 1

What's Inside

Slash Commands14

Adversarial Review Secops

/adversarial-review-secops

Multi-pass adversarial convergence review of security analyses

Assess Priority

/assess-priority

Calculate multi-factor priority (P1-P5) for a vulnerability

Create Advisory

/create-advisory

Create a structured security advisory for a CVE, threat campaign, or vendor bulletin. Supports IT, ICS/OT, and combined audiences with built-in or custom templates.

Enrich Ticket

/enrich-ticket

Complete 8-stage enrichment workflow for a security ticket

Fact Verify

/fact-verify

Verify factual claims against authoritative sources

Agents6

advisory-writer

/advisory-writer

Use when creating security advisories, scanning for emerging threats, or drafting advisory bulletins for IT, ICS/OT, or combined audiences.

orchestrator-enrichment-workflow

/enrichment-workflow

Orchestrator workflow reference for the 8-stage CVE enrichment pipeline. Loaded by the enrich-ticket skill. Not directly invokable.

orchestrator-investigation-workflow

/investigation-workflow

Orchestrator workflow reference for the 7-stage security event investigation pipeline. Loaded by the investigate-event skill. Not directly invokable.

orchestrator-review-convergence

/review-convergence-workflow

Orchestrator workflow reference for the adversarial review convergence loop. Loaded by the adversarial-review-secops skill. Not directly invokable.

security-analyst

/security-analyst

Use when performing vulnerability enrichment, CVE research, security ticket analysis, risk assessment, MITRE ATT&CK mapping, or security event investigation for ICS/OT and enterprise environments.

Skills13

adversarial-review-secops

/adversarial-review-secops

Use when performing multi-pass adversarial convergence review of security analyses. Dispatches security-reviewer in fresh-context passes with strict-binary novelty until convergence. Quality thresholds: >=7.0/10 overall, no dimension <5.0.

assess-priority

/assess-priority

Use when calculating multi-factor vulnerability priority. Combines CVSS severity, EPSS exploitation probability, CISA KEV status, asset criticality, system exposure, and exploit availability into P1-P5 with SLA.

create-advisory

/create-advisory

Use when creating a structured security advisory for a CVE, threat campaign, or vendor bulletin. Supports IT, ICS/OT, and combined audiences. Accepts built-in or custom templates.

enrich-ticket

/enrich-ticket

Use when enriching a security ticket with vulnerability intelligence. Executes 8-stage enrichment: triage, CVE research, business context, remediation, ATT&CK mapping, priority assessment, documentation, JIRA update.

fact-verify

/fact-verify

Use when verifying factual claims in security analyses against authoritative sources. Supports CVE claim verification and event investigation verification.

Hooks1

Event Hooks

Bash

File writes

5 hooks across 3 events

Stats

Version0.5.3

ReleasedApr 13, 2026

LanguageShell

Stars0

MaintenanceGood

LicenseMIT

Last CommitApr 13, 2026

AddedJun 13, 2026

Actions

View on GitHub View README Plugin Marketplace JSON

Own this plugin?

Verify ownership to unlock analytics, metadata editing, and a verified badge. GitHub access is read-only (username + org membership).

Available In

claude-mp

Safety Signals

Caution

Executes bash commands

Hook triggers when Bash tool is used

Modifies files

Hook triggers on file write and edit operations

README

SecOps Factory

ICS/OT security operations plugin for Claude Code -- CVE enrichment, event investigation, and adversarial quality review.

What is SecOps Factory?

SecOps Factory is a Claude Code plugin that turns Claude into an ICS/OT security operations analyst. It provides structured, repeatable workflows for vulnerability enrichment and security event investigation, backed by authoritative intelligence sources (NVD, CISA KEV, FIRST EPSS, MITRE ATT&CK) via MCP server integrations.

The plugin enforces quality through adversarial convergence review -- a multi-pass review loop where a separate reviewer agent evaluates analysis quality with fresh context each pass, preventing blind spots from compounding. Every analysis is scored across multiple quality dimensions, and cognitive bias detection is mandatory at every stage.

SecOps Factory connects directly to your JIRA instance for ticket intake and enrichment posting, and uses Perplexity for real-time CVE research and threat intelligence. The result is security analysis that is structured, traceable, and auditable -- not freeform text generation.

Key Features

8-stage CVE enrichment pipeline -- from JIRA ticket triage through CVSS/EPSS/KEV research, business context, remediation planning, ATT&CK mapping, multi-factor priority, documentation, and JIRA update
7-stage event investigation pipeline -- alert triage with auto-detection of ICS/IDS/SIEM platforms, evidence collection, technical analysis, and TP/FP/BTP disposition determination
Adversarial convergence review -- minimum 2-pass review with strict-binary novelty classification (SUBSTANTIVE vs NITPICK) until convergence
Cognitive bias detection -- mandatory bias audit every pass checking for confirmation, anchoring, availability, automation, overconfidence, and recency bias
MITRE ATT&CK mapping -- Enterprise and ICS matrices with T-number references and detection recommendations
Multi-factor priority scoring -- 6-factor algorithm (CVSS + EPSS + KEV + ACR + exposure + exploit status) producing P1-P5 with SLA deadlines
8 quality dimensions for CVE enrichment and 7 weighted dimensions for event investigation -- scored via dedicated checklists
3 enforcement hooks -- block JIRA updates without review, block saving incomplete enrichment, remind analysts to check cognitive bias after research

Quick Start

1. Install the plugin

From the drbothen marketplace (recommended):

drbothen/claude-mp is the shared marketplace for all drbothen plugins (secops-factory, vsdd-factory, ...). Register it once and install/update any plugin from it.

/plugin marketplace add drbothen/claude-mp
/plugin install secops-factory@claude-mp

Update to latest version:

/plugin marketplace update drbothen/claude-mp
/plugin update secops-factory@claude-mp

Alternative: from the secops-factory repo directly:

Useful if you only want secops-factory and don't want the wider drbothen marketplace registered.

/plugin marketplace add drbothen/secops-factory
/plugin install secops-factory@secops-factory

From source (local development):

git clone https://github.com/drbothen/secops-factory.git
claude --plugin-dir ./secops-factory/plugins/secops-factory

2. Configure MCP servers

SecOps Factory uses jr CLI for JIRA and Perplexity MCP for AI-assisted research.

jr CLI (required): Install the jira-cli Rust CLI and authenticate with jr auth login. The plugin calls jr issue view, jr issue edit, jr issue comment, jr issue move, jr issue list, and jr issue assets via Bash.

Perplexity MCP (recommended): Configure the Perplexity MCP server with your API key. The plugin uses perplexity_search, perplexity_ask, perplexity_reason, and perplexity_research at different tiers based on CVE severity. If not configured, skills fall back to web search.

3. Verify setup

/secops-factory:secops-health

This checks MCP server availability, data files, templates, checklists, and skills.

4. Run your first enrichment

/secops-factory:enrich-ticket SEC-1234

The plugin reads the JIRA ticket, extracts CVE IDs, researches vulnerability intelligence via Perplexity, assesses business context and priority, maps to MITRE ATT&CK, generates a structured enrichment document, and updates the JIRA ticket.

Workflow Diagrams

CVE Enrichment Pipeline (8 Stages)

flowchart LR
    A[1. Triage] --> B[2. CVE Research]
    B --> C[3. Business Context]
    C --> D[4. Remediation]
    D --> E[5. ATT&CK Mapping]
    E --> F[6. Priority Assessment]
    F --> G[7. Documentation]
    G --> H[8. JIRA Update]

    style A fill:#e1f5fe
    style H fill:#e8f5e9

View full README on GitHub

secops-factory

Popularity

What's Inside

Confidence

README

SecOps Factory

What is SecOps Factory?

Key Features

Quick Start

1. Install the plugin

2. Configure MCP servers

3. Verify setup

4. Run your first enrichment

Workflow Diagrams

CVE Enrichment Pipeline (8 Stages)

Similar Plugins

everything-claude-code

ecc

dotnet-skills

fullstack-dev-skills

octo

unity-dev-toolkit

More by drbothen

vsdd-factory

SecOps Factory

What is SecOps Factory?

Key Features

Quick Start

1. Install the plugin

2. Configure MCP servers

3. Verify setup

4. Run your first enrichment

Workflow Diagrams

CVE Enrichment Pipeline (8 Stages)

Popularity

Health & Quality

More by drbothen

vsdd-factory

Similar Plugins

everything-claude-code

ecc

dotnet-skills

fullstack-dev-skills

octo

unity-dev-toolkit