Incident Decision Tree Builder
Overview
Draft scenario-specific incident response playbooks aligned to NIST CSF 2.0 Respond (RS.RP) with a defined Decision Matrix for when to isolate a system vs. monitor it, and logic gates through Containment, Eradication, and Recovery. The skill uses regulatory_notification_timer to insert or validate mandatory reporting windows (e.g. GDPR 72 hours, SEC 4 business days, NDB Australia, HIPAA 60 days) in the playbook timeline so Communications Lead and legal stay within deadlines.
Example Conversation
You: We need a ransomware playbook with a clear decision matrix for when to isolate vs. monitor, and we’re under GDPR and SEC (listed).
Agent: I’ll draft the playbook with a Containment-phase decision tree (isolate vs. monitor vs. contain-in-place) and a Post-Incident section. I’ll run regulatory_notification_timer to get the mandatory reporting table for GDPR and SEC and insert it into the playbook.
Agent: I’ve written the playbook in ransomware-playbook.md. Running regulatory_notification_timer with regulations gdpr and sec…
Agent: Result of regulatory_notification_timer:
======== Regulatory notification timer — Playbook check ========
File: ransomware-playbook.md
[INFO] No explicit ‘Regulatory’ or ‘Notification timeline’ section found. Consider adding the snippet below.
[ADD] GDPR (EU/UK): 72 hours — Notify supervisory authority without undue delay…
[ADD] SEC (US listed): 4 business days — Form 8-K Item 1.05…
INSERT THE FOLLOWING BLOCK INTO THE PLAYBOOK (e.g. Post-Incident / Regulatory section):
[markdown table with Regulation | Deadline | Authority]
Agent: I’ve added a “Mandatory regulatory notification timeline” section to the playbook with the table. The Decision Matrix is in the Containment section and on the Quick Reference Card.
Output Excerpt
A typical playbook produced with this skill includes a Containment-phase decision matrix and a regulatory timeline. Excerpt:
## Containment — Decision matrix (isolate vs. monitor)
| Condition | Action |
|-----------|--------|
| Confirmed compromise (IOC positive) | Isolate — disconnect from network, preserve evidence |
| Suspected only (unconfirmed alert) | Monitor — increase logging, short review window; do not isolate yet |
| Ransomware / destructive malware | Isolate immediately — halt encryption |
| Critical system, no failover | Contain in place — segment, block egress; escalate to Incident Commander |
## Post-Incident — Mandatory regulatory notification timeline
| Regulation | Deadline | Authority / Action |
|------------|----------|--------------------|
| GDPR (EU/UK) | 72 hours | Supervisory authority (e.g. ICO, CNIL) |
| SEC (US listed) | 4 business days | SEC (8-K filing) |
The agent inserts the regulatory table using the output from regulatory_notification_timer so deadlines (e.g. GDPR 72h, SEC 4 business days) are explicit for the Communications Lead.
Extension Tool and Validations
The skill includes one tool that runs on the incident response playbook document (Markdown or text).
regulatory_notification_timer — Run after drafting the playbook (or its Post-Incident / Regulatory section). Pass the playbook file path and optionally a list of regulation IDs: gdpr, sec, ndb, hipaa, pcidss, nyshield, calccpa. Omit the list, or pass all, to include every supported regulation.
What it does:
- Validation — Scans the playbook for an explicit “Regulatory” or “Notification timeline” section and for mentions of each selected regulation (e.g. “72 hour”, “GDPR”, “8-K”, “SEC”). Reports [OK] or [ADD] per regulation so you know what is already documented.
- Insert snippet — Returns a ready-to-insert markdown table, “Mandatory regulatory notification timeline”, with columns Regulation, Deadline, Authority. The agent (or you) can paste this into the Post-Incident / Regulatory section so responders see mandatory reporting windows at a glance.
- Supported deadlines — GDPR 72 hours (supervisory authority), SEC 4 business days (8-K Item 1.05), NDB Australia (as soon as practicable), HIPAA 60 days, PCI-DSS (per contract), NY SHIELD, California breach (without unreasonable delay).
Use the tool after drafting the playbook; add the generated table to the document so the playbook stays aligned with regulatory notification requirements.
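As an added illustration, not the skill's own tool code, here is a Python sketch of the validation and snippet logic described above: it looks for a heading containing “Regulatory” or “Notification timeline”, checks each selected regulation for a word-bounded mention (so “sec” does not match “secondary”), reports OK or ADD per regulation, and returns the insert table for whatever is still missing. The deadline wording, the keyword patterns and the sample playbook text are assumptions constructed for this example.

```python
import re

# Constructed subset of the deadlines the skill lists; wording and keyword patterns are assumed.
# Each entry: display name, deadline, authority, regex patterns that count as a mention.
REGULATIONS = {
    "gdpr": ("GDPR (EU/UK)", "72 hours", "Supervisory authority (e.g. ICO, CNIL)",
             [r"\bgdpr\b", r"\b72\s*h(ours?)?\b"]),
    "sec": ("SEC (US listed)", "4 business days", "SEC (Form 8-K Item 1.05)",
            [r"\bsec\b", r"\b8-k\b", r"\b4 business days?\b"]),
    "ndb": ("NDB (Australia)", "As soon as practicable", "OAIC",
            [r"\bndb\b", r"notifiable data breach"]),
    "hipaa": ("HIPAA (US)", "60 days", "HHS OCR",
              [r"\bhipaa\b", r"\b60 days?\b"]),
}

# A Markdown heading whose text contains "Regulatory" or "Notification timeline" counts as the section.
SECTION_RE = re.compile(r"^#+\s.*\b(regulatory|notification timeline)\b", re.I | re.M)


def check_playbook(text, regulations=None):
    """Return (has_section, {reg_id: 'OK' | 'ADD'}) for the selected regulation IDs.
    No list (or ['all']) selects every supported regulation, mirroring the tool's options."""
    ids = list(REGULATIONS) if not regulations or regulations == ["all"] else list(regulations)
    lower = text.lower()
    has_section = SECTION_RE.search(text) is not None
    status = {}
    for rid in ids:
        patterns = REGULATIONS[rid][3]
        # Word-bounded patterns so "sec" does not match "section" or "secondary"
        mentioned = any(re.search(p, lower) for p in patterns)
        status[rid] = "OK" if mentioned else "ADD"
    return has_section, status


def notification_table(status):
    """Ready-to-insert markdown table covering only the regulations still marked ADD."""
    rows = ["| Regulation | Deadline | Authority |", "|---|---|---|"]
    for rid, st in status.items():
        if st == "ADD":
            name, deadline, authority = REGULATIONS[rid][:3]
            rows.append(f"| {name} | {deadline} | {authority} |")
    return "\n".join(rows)


# Constructed playbook excerpt: mentions GDPR, has no regulatory section, never names the SEC.
SAMPLE_PLAYBOOK = """## Containment
Isolate confirmed hosts; preserve evidence. Legal noted the GDPR 72 hours clock starts at awareness.
## Recovery
Restore from clean backups; verify secondary systems before reconnecting."""
```

Running `check_playbook(SAMPLE_PLAYBOOK, ["gdpr", "sec"])` reports GDPR as OK and SEC as ADD with no section found; appending the returned table under a “Regulatory” heading makes a second run report both as OK.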
Getting Started
Describe the scenario (e.g. Ransomware, BEC, data exfiltration), organizational context, and applicable regulations. Activate the Incident Decision Tree Builder skill; the agent will draft the playbook with the isolate/monitor matrix and run regulatory_notification_timer to inject the notification timeline into the Post-Incident section.