From secops-factory
Use when enriching a security ticket with vulnerability intelligence. Executes 8-stage enrichment: triage, CVE research, business context, remediation, ATT&CK mapping, priority assessment, documentation, JIRA update.
Triggered by the user or by Claude via the slash command `/secops-factory:enrich-ticket <ticket-id>`.

Summary Claude sees in its skill listing (used to decide when to auto-load this skill): Execute the complete 8-stage Security Alert Enrichment Workflow from JIRA ticket triage through full vulnerability analysis, documentation, and ticket update.
NO JIRA UPDATE WITHOUT COMPLETED ENRICHMENT FIRST
Every stage must complete before updating JIRA. Partial enrichment posted to a ticket creates false confidence in incomplete analysis. If any stage fails, save locally and flag -- never post incomplete enrichment as if it were complete.
Before any other action, say verbatim:
I am using the enrich-ticket skill to run the complete 8-stage enrichment workflow for `<ticket-id>`.
| Thought | Reality |
|---|---|
| "I can skip CVE research, the ticket already has a CVSS score" | Ticket data may be stale or wrong. Always verify against NVD. |
| "EPSS is optional, I'll skip it" | EPSS is required for multi-factor priority. Never skip. |
| "I'll update JIRA now and finish research later" | Iron Law violation. Complete all 8 stages first. |
| "The vendor says Critical, so it's P1" | Vendor severity is one factor. Run full multi-factor assessment. |
| "No patch available, so I'll skip remediation" | Document workarounds and compensating controls instead. |
| "KEV not listed, so low risk" | KEV absence does not mean low risk. Check EPSS and exploit status. |
| "I'll use a blog post as my source" | Use authoritative sources: NVD, CISA, FIRST, vendor advisories. |
| "Business context doesn't matter for this CVE" | Every CVE needs ACR + exposure assessment. Context always matters. |
Prerequisites:
- `jr` CLI installed and authenticated (`jr auth login`) — for JIRA read/write
- /research-cve automatically falls back to web search. No configuration needed.

Note: This skill delegates CVE research to /research-cve, which handles the Perplexity/WebSearch fallback internally. You do not need to check Perplexity availability yourself — just call /research-cve and it handles it.
1. Triage: `/read-ticket <ticket-id>`. Outputs: cve_id, all_cves, affected_systems, initial_severity, ticket_summary
2. CVE research: `/research-cve <cve-id>` for the primary CVE. Outputs: cvss_score, cvss_vector, epss_score, kev_status, affected_versions, patched_versions, exploit_status, sources
3. Business context. Outputs: acr_rating, system_exposure, business_impact
4. Remediation. Outputs: patch_available, patch_version, workarounds, compensating_controls, remediation_steps
5. ATT&CK mapping: `/map-attack <cve-id>`. Outputs: attack_tactics, attack_techniques, detection_implications
6. Priority assessment: `/assess-priority` with all collected data. Outputs: priority_level, total_score, sla_deadline, priority_rationale
7. Documentation, using the template `${CLAUDE_PLUGIN_ROOT}/templates/security-enrichment-tmpl.yaml`. Outputs: enrichment_document
8. JIRA update.
Quality gate: All 8 stages complete, all template sections populated, JIRA updated.
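As an added example (not part of the secops-factory plugin), a Python quality gate that enforces the Iron Law over the stage outputs listed above: it blocks the JIRA update and flags the record when any required output is missing, when a patch is recorded without version information, when no patch exists but workarounds and compensating controls are undocumented, or when a cited source is not NVD, CISA or FIRST. The record layout, the host allowlist and the sample values are assumptions, not the plugin's own data.

```python
from urllib.parse import urlparse
EMPTY = (None, "", [])  # False and 0.0 are legitimate values (e.g. no patch, low EPSS)
# Stage 1-7 outputs listed above; patch_version/patched_versions are conditional (see gate()).
REQUIRED = {
    "triage": ("cve_id", "all_cves", "affected_systems", "initial_severity", "ticket_summary"),
    "cve_research": ("cvss_score", "cvss_vector", "epss_score", "kev_status",
                     "affected_versions", "exploit_status", "sources"),
    "business_context": ("acr_rating", "system_exposure", "business_impact"),
    "remediation": ("patch_available", "remediation_steps"),
    "attack_mapping": ("attack_tactics", "attack_techniques", "detection_implications"),
    "priority": ("priority_level", "total_score", "sla_deadline", "priority_rationale"),
    "documentation": ("enrichment_document",),
}
# Hosts of the sources named above (NVD, CISA, FIRST); vendor advisory hosts are added per product (assumption).
AUTHORITATIVE = ("nvd.nist.gov", "cisa.gov", "first.org")

def gate(e):
    """Iron Law: ("post_to_jira", []) only when every stage output is present and sourced, else flag."""
    problems = [f"{s}.{f} missing" for s, fs in REQUIRED.items() for f in fs if e.get(s, {}).get(f) in EMPTY]
    rem, res = e.get("remediation", {}), e.get("cve_research", {})
    if rem.get("patch_available") is True and (rem.get("patch_version") in EMPTY or res.get("patched_versions") in EMPTY):
        problems.append("patch exists but patch_version/patched_versions not recorded")
    if rem.get("patch_available") is False:  # no patch: workarounds and compensating controls instead
        problems += [f"remediation.{f} required when no patch is available"
                     for f in ("workarounds", "compensating_controls") if rem.get(f) in EMPTY]
    for url in res.get("sources") or []:
        host = (urlparse(url).hostname or "").lower()
        if not any(host == h or host.endswith("." + h) for h in AUTHORITATIVE):
            problems.append(f"non-authoritative source: {url}")
    return ("post_to_jira" if not problems else "save_locally_and_flag"), problems

def sample_enrichment():
    """Constructed sample (not real ticket data): EPSS absent and one blog source, so the gate must block."""
    cve = "CVE-YYYY-NNNNN"  # placeholder identifier
    return {
        "triage": {"cve_id": cve, "all_cves": [cve], "affected_systems": ["app-1"], "initial_severity": "High",
                   "ticket_summary": "sample ticket"},
        "cve_research": {"cvss_score": 9.8, "cvss_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
                         "epss_score": None, "kev_status": False, "affected_versions": ["<=1.2"],
                         "patched_versions": ["1.3"], "exploit_status": "PoC public",
                         "sources": [f"https://nvd.nist.gov/vuln/detail/{cve}", "https://blog.example/post"]},
        "business_context": {"acr_rating": 4, "system_exposure": "internet-facing", "business_impact": "outage"},
        "remediation": {"patch_available": True, "patch_version": "1.3", "workarounds": [],
                        "compensating_controls": [], "remediation_steps": ["upgrade to 1.3"]},
        "attack_mapping": {"attack_tactics": ["Initial Access"], "attack_techniques": ["T1190"],
                           "detection_implications": "watch for exploitation attempts"},
        "priority": {"priority_level": "P1", "total_score": 87, "sla_deadline": "YYYY-MM-DD", "priority_rationale": "sample"},
        "documentation": {"enrichment_document": "rendered from the enrichment template"},
    }
```

Calling `gate(sample_enrichment())` returns `save_locally_and_flag` with two problems (missing EPSS, non-authoritative source); only a record with every field filled from accepted sources returns `post_to_jira`.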
Reference files:
- `${CLAUDE_PLUGIN_ROOT}/data/cvss-guide.md`
- `${CLAUDE_PLUGIN_ROOT}/data/epss-guide.md`
- `${CLAUDE_PLUGIN_ROOT}/data/kev-catalog-guide.md`
- `${CLAUDE_PLUGIN_ROOT}/data/priority-framework.md`
- `${CLAUDE_PLUGIN_ROOT}/data/mitre-attack-mapping-guide.md`
- `${CLAUDE_PLUGIN_ROOT}/templates/security-enrichment-tmpl.yaml`
- `${CLAUDE_PLUGIN_ROOT}/checklists/completeness-checklist.md`
- `${CLAUDE_PLUGIN_ROOT}/checklists/source-citation-checklist.md`

Install: `npx claudepluginhub drbothen/claude-mp --plugin secops-factory`