Skill Being Reviewed
Skill name: post-incident-review
Skill path: skills/incident-response/post-incident-review/
False Positive Analysis
Benign code/configuration that triggers a false positive:
Incident type: Near miss
Initial compromise timestamp: None confirmed
Detection timestamp: 2026-06-01T13:10:00Z
Containment timestamp: 2026-06-01T13:16:00Z
Recovery timestamp: Not applicable; no production asset was compromised
Outcome: Attempted credential stuffing blocked by IdP risk policy
Why this is a false positive:
The skill explicitly supports near-miss analysis, but the required metrics section assumes a compromise timestamp and recovery timestamp. For a blocked attempt, forcing MTTD/MTTR calculations can incorrectly imply missing data or incomplete response. The report should allow "not applicable" metrics and replace them with near-miss metrics such as time-to-detect-attempt, time-to-block, false-negative review, and recurrence controls.
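Added example (not part of the skill or this review): a metric selector that applies the point above, reporting near-miss metrics for a blocked attempt and only treating absent compromise/recovery clocks as missing data when the incident is a confirmed compromise. The record layout, the field names, the recurrence count and the confirmed-compromise timestamps are constructed assumptions; the near-miss timestamps are the ones from the review.

```python
from datetime import datetime, timedelta

# Constructed PIR records (field names assumed); the near-miss times match the review.
NEAR_MISS = {
    "incident_type": "near_miss",
    "compromise": None, "recovery": None,
    "detection": "2026-06-01T13:10:00Z",
    "containment": "2026-06-01T13:16:00Z",
    "blocking_control": "IdP risk policy",
    "recurrence_count": 3,  # assumed repeat attempts seen in the review window
}
CONFIRMED = {
    "incident_type": "compromise",
    "compromise": "2026-06-01T08:00:00Z",  # assumed
    "detection": "2026-06-01T13:10:00Z",
    "containment": "2026-06-01T13:16:00Z",
    "recovery": "2026-06-01T17:10:00Z",    # assumed
    "blocking_control": None, "recurrence_count": 0,
}

def _ts(value):
    """Parse an ISO-8601 UTC timestamp; None stays None (a trailing Z is normalised)."""
    return None if value is None else datetime.fromisoformat(value.replace("Z", "+00:00"))

def _minutes(start, end):
    return (end - start) / timedelta(minutes=1)

def pir_metrics(rec):
    """Choose the metric set by incident type instead of forcing MTTD/MTTR on every report."""
    det, cont = _ts(rec["detection"]), _ts(rec["containment"])
    if rec["incident_type"] == "near_miss":
        # No compromise or recovery clock exists, so say so rather than report a gap.
        return {
            "mttd_minutes": "not applicable (no compromise occurred)",
            "mttr_minutes": "not applicable (no asset to recover)",
            "time_to_block_minutes": _minutes(det, cont),
            "blocking_control": rec["blocking_control"],
            "recurrence_count": rec["recurrence_count"],
        }
    comp, recov = _ts(rec["compromise"]), _ts(rec["recovery"])
    missing = [k for k, v in (("compromise", comp), ("recovery", recov)) if v is None]
    if missing:
        # For a confirmed compromise an absent clock really is incomplete data.
        return {"error": "missing timestamps: " + ", ".join(missing)}
    return {
        "mttd_minutes": _minutes(comp, det),
        "mttr_minutes": _minutes(det, recov),  # assumed convention: measured from detection
        "time_to_contain_minutes": _minutes(det, cont),
    }
```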
Coverage Gaps
Missed variant 1:
Containment action: disabled all VPN accounts sharing the impacted IdP group
Unintended effect: blocked responder access to the forensic jump host
Recovery impact: delayed evidence export by 4 hours
Decision record: no rollback criteria or break-glass exception documented
Why it should be caught:
NIST SP 800-61's post-incident questions include whether any response actions inhibited recovery, but the skill does not make this a required output gate. PIRs should explicitly review response-induced harm, rollback criteria, and break-glass paths so teams learn when containment created avoidable operational or forensic delays.
Missed variant 2:
Incident: suspected personal-data exposure
Detection: 2026-06-01T09:00:00Z
Legal notified: 2026-06-03T18:00:00Z
Regulatory assessment started: no timestamp
Customer notification decision: not recorded
Why it should be caught:
The skill mentions communication logs and includes "notification time" as an additional metric, but the output format does not require legal/regulatory notification clock tracking. For incidents with possible data exposure, the PIR should record when legal/privacy teams were engaged, when notification obligations were assessed, and whether SLA/regulatory clocks were met.
Edge Cases
Near misses and blocked attempts need a different metric set than confirmed compromises. A PIR can be complete without a compromise-based MTTD if the organization has evidence that no compromise occurred.
Some containment actions intentionally trade availability for risk reduction. The PIR should not flag the action as "bad" just because it caused impact; it should require evidence that the decision, expected impact, rollback condition, and owner were documented.
Remediation Quality
Suggested additions:
Near-miss metrics: attempt detection time, block time, recurrence count, control that blocked the attempt.
Response-action review: action, expected benefit, side effects, rollback criteria, break-glass owner, evidence impact.
Notification clock: legal/privacy engagement time, regulatory assessment time, notification decision, deadline, status.
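Added example (not the skill's own code) of an output gate for the second and third additions above: it checks a containment action's decision record for the listed fields and flags response-induced evidence delay, and it reports notification-clock milestones against a deadline. The records are constructed from the two missed variants in this review; the field names, the 72-hour deadline and the "now" timestamp are assumptions.

```python
from datetime import datetime, timedelta

REQUIRED_ACTION_FIELDS = ("expected_benefit", "side_effects", "rollback_criteria",
                          "break_glass_owner", "evidence_impact_hours")
# Constructed from missed variant 1; field names are assumed.
ACTION = {
    "action": "disabled all VPN accounts sharing the impacted IdP group",
    "expected_benefit": "remove attacker access through the impacted IdP group",
    "side_effects": "blocked responder access to the forensic jump host",
    "rollback_criteria": None,
    "break_glass_owner": None,
    "evidence_impact_hours": 4,
}
# Constructed from missed variant 2; deadline_hours and now are assumed values.
CLOCK = {
    "detection": "2026-06-01T09:00:00Z",
    "legal_notified": "2026-06-03T18:00:00Z",
    "regulatory_assessment_started": None,
    "notification_decision": None,
    "deadline_hours": 72,
    "now": "2026-06-04T12:00:00Z",
}

def _ts(value):
    return None if value is None else datetime.fromisoformat(value.replace("Z", "+00:00"))

def review_action(action):
    """List gaps in a containment action's decision record and any evidence impact."""
    findings = [f"missing {f}" for f in REQUIRED_ACTION_FIELDS if action.get(f) is None]
    if action.get("evidence_impact_hours"):
        findings.append(f"inhibited evidence collection by {action['evidence_impact_hours']}h")
    return findings

def review_clock(clock):
    """Report legal engagement delay, unrecorded milestones and deadline status."""
    det, now = _ts(clock["detection"]), _ts(clock["now"])
    deadline = det + timedelta(hours=clock["deadline_hours"])
    out = {"legal_engaged_after_hours": None, "missing": [], "deadline_status": None}
    if clock["legal_notified"]:
        out["legal_engaged_after_hours"] = (_ts(clock["legal_notified"]) - det) / timedelta(hours=1)
    for m in ("legal_notified", "regulatory_assessment_started", "notification_decision"):
        if clock[m] is None:
            out["missing"].append(m)
    decided = _ts(clock["notification_decision"])
    if decided is not None:
        out["deadline_status"] = "met" if decided <= deadline else "missed"
    else:  # no decision yet: the clock is either still running or already blown
        out["deadline_status"] = "overdue" if now > deadline else "open"
    return out
```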
Comparison to Other Tools
| Tool | Catches this? | Notes |
|------|---------------|-------|
| ServiceNow IR / Jira PIR workflows | Partial | Can track owners and timestamps, but only if the PIR template asks for near-miss and notification-clock fields. |
| PagerDuty postmortems | Partial | Good for incident timelines and response impact; weaker for legal/privacy evidence unless customized. |
| NIST SP 800-61 PIR questions | Yes | Specifically asks whether response actions inhibited recovery and what information was needed sooner. |
Overall Assessment
Strengths: Strong blameless PIR framing, timeline reconstruction, RCA, control failure mapping, and action tracking.
Needs improvement: The skill supports near misses but its required metrics assume compromise/recovery, and the output omits explicit response-induced harm and legal/privacy notification-clock evidence.
Priority recommendations:
- Add an alternate near-miss metrics table when compromise/recovery timestamps are not applicable.
- Require a section for response actions that inhibited recovery, evidence collection, or business operations.
- Add legal/privacy/regulatory notification clock tracking to the PIR output format.
Bounty Info