
This skill accelerates security incident triage and remediation by guiding containment, eradication, recovery, and postmortem learning.

npx playbooks add skill vadimcomanescu/codex-skills --skill senior-secops


Files (4): SKILL.md (991 B)
---
name: senior-secops
description: "Security operations workflow for vulnerability triage, incident response, detection/alerting improvements, and post-incident hardening. Use when responding to security alerts, reviewing logs for suspicious activity, building incident playbooks, or running quick log summaries during triage."
---

# Senior SecOps

Respond fast, contain blast radius, and learn permanently.

## Quick Start (incident workflow)
1) Triage: what’s impacted, is it ongoing, and what data is at risk?
2) Contain: disable credentials, block IOCs, isolate systems.
3) Eradicate: patch root cause, rotate secrets, remove persistence.
4) Recover: restore service safely; verify integrity.
5) Learn: write a postmortem and ship preventative controls.

## Optional tool: summarize a log file
```bash
python ~/.codex/skills/senior-secops/scripts/log_triage.py /path/to/log.txt --out /tmp/log_report.json
```

## References
- Incident worksheet: `references/incident-worksheet.md`

Overview

This skill provides a senior-level SecOps workflow for rapid vulnerability triage, incident response, detection tuning, and post-incident hardening. It codifies practical steps to contain incidents quickly, remove root causes, and capture durable lessons to prevent recurrence. Use it to guide decisions during alerts, log reviews, and playbook creation.

How this skill works

The skill guides responders through a five-step incident lifecycle: triage, contain, eradicate, recover, and learn. It inspects alert context and log summaries, recommends containment actions (credential rotation, IOC blocking, isolation), and suggests eradication and hardening measures. It can also run quick log summarization to highlight suspicious patterns and help prioritize investigation tasks.

When to use it

  • Immediately after a security alert that may indicate compromise.
  • When reviewing logs for suspicious activity during triage.
  • While building or updating incident response playbooks.
  • When improving detection rules and reducing false positives.
  • During post-incident reviews to define hardening actions.

Best practices

  • Start with impact-focused triage: what’s affected, ongoing attack indicators, and data at risk.
  • Contain fast and narrowly: disable credentials, block IOCs, and isolate affected hosts to reduce blast radius.
  • Document every action and preserve evidence before making destructive changes.
  • Prioritize eradication steps that remove persistence and patch root cause before recovery.
  • Run a structured postmortem and convert findings into concrete controls and detection improvements.

Example use cases

  • Triage a critical alert: determine scope, check for lateral movement, and recommend immediate containment steps.
  • Summarize a noisy log file to surface failed logins, suspicious commands, and anomalous IPs for rapid review.
  • Draft an incident playbook for ransomware that lists containment, eradication, recovery, and communications steps.
  • Tune SIEM/alerting rules after an incident to reduce false positives and catch similar future activity earlier.
  • Run a post-incident hardening checklist to rotate secrets, apply patches, and remove compromised artifacts.
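The log-summary use case above, as an added illustration of the kind of triage a summarizer performs; this is not the skill's own `log_triage.py`, and it assumes sshd-style auth log lines (the sample below is constructed):

```python
import re
import json
from collections import Counter, defaultdict

# Constructed sample auth-log lines in sshd syslog style (not real data).
SAMPLE_LOG = """\
Mar 10 02:14:01 web1 sshd[1201]: Failed password for root from 203.0.113.7 port 51122 ssh2
Mar 10 02:14:03 web1 sshd[1201]: Failed password for root from 203.0.113.7 port 51123 ssh2
Mar 10 02:14:05 web1 sshd[1201]: Failed password for admin from 203.0.113.7 port 51124 ssh2
Mar 10 02:14:09 web1 sshd[1201]: Failed password for invalid user test from 203.0.113.7 port 51125 ssh2
Mar 10 02:15:30 web1 sshd[1240]: Accepted password for deploy from 203.0.113.7 port 51130 ssh2
Mar 10 02:16:02 web1 sshd[1240]: Accepted publickey for deploy from 198.51.100.20 port 40010 ssh2
Mar 10 02:17:44 web1 sshd[1301]: Failed password for deploy from 192.0.2.9 port 33001 ssh2
"""

FAILED = re.compile(r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+)")
ACCEPTED = re.compile(r"Accepted \w+ for (?P<user>\S+) from (?P<ip>[\d.]+)")


def triage_auth_log(text, fail_threshold=3):
    """Summarize logins per source IP and flag IPs that logged in successfully
    only after reaching `fail_threshold` failures (a brute-force-then-login pattern)."""
    failures = Counter()              # ip -> number of failed logins
    users_tried = defaultdict(set)    # ip -> usernames attempted
    flagged = defaultdict(list)       # ip -> users accepted after the failure burst
    for line in text.splitlines():
        m = FAILED.search(line)
        if m:
            failures[m["ip"]] += 1
            users_tried[m["ip"]].add(m["user"])
            continue
        m = ACCEPTED.search(line)
        if m and failures[m["ip"]] >= fail_threshold:
            # Order matters: the success came after the failures, not before.
            flagged[m["ip"]].append(m["user"])
    return {
        "failed_by_ip": dict(failures),
        "success_after_failures": dict(flagged),
        "usernames_tried": {ip: sorted(u) for ip, u in users_tried.items()},
    }


if __name__ == "__main__":
    # Same shape of output a JSON report for an analyst would carry.
    print(json.dumps(triage_auth_log(SAMPLE_LOG), indent=2))
```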

FAQ

Can this skill run automated log summaries?

Yes. It includes a quick log summarization capability that extracts key events and indicators to accelerate triage.

Is this a replacement for detailed forensic analysis?

No. It is designed for rapid response and containment. Full forensic investigations should follow for root cause and legal evidence.