jmagly/dfir-readiness
agentic/code/frameworks/security-engineering/skills/dfir-readiness/SKILL.md
Use when a project needs DFIR readiness from the security-engineering side: prepare incident evidence handling, chain-of-custody expectations, IOC readiness, and handoff to forensics-complete without collecting evidence.
$ install --global
skillsauthnpx skillsauth add jmagly/aiwg dfir-readinessInstall this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
Security Scan Results
3 of 9 scanners reported clean
Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.
3
Scanners Passed
9
Scanners in report
Clean
TrivyContainer and dependency vulnerability scanner
95%
Clean
SemgrepStatic code analysis for vulnerabilities
95%
Clean
mcp-scan (Snyk)Model Context Protocol security validation
95%
Skipped
Snyk (dep)Open source security scanning
50%
Skipped
Socket.devSupply chain security analysis
50%
Skipped
VirusTotalMulti-engine malware detection
50%
Skipped
CrowdStrikeAdvanced threat intelligence
50%
Skipped
OSV-ScannerOpen Source Vulnerability database check
50%
Skipped
OWASP Dep-Check
50%
Last scanned: May 25, 2026, 6:02 AM35.1s1 file scanned
SKILL.md
- namespace:
- aiwg
- name:
- dfir-readiness
- platforms:
- [all]
- description:
- Use when a project needs DFIR readiness from the security-engineering side: prepare incident evidence handling, chain-of-custody expectations, IOC readiness, and handoff to forensics-complete without collecting evidence.
- - project-context:
- repository or workspace that may need evidence-bearing incident response
- - boundary-routing:
- preventive security, production incident management, and forensic investigation responsibilities are separated
- - forensics-handoff:
- operator is routed to forensics-complete for evidence-bearing work
- - readiness-record:
- preparation notes can be written under .aiwg/security-engineering/incident-readiness/
DFIR Readiness
Use this skill when a security-engineering conversation turns into incident readiness: evidence handling, chain of custody, IOC workflow, forensic report readiness, or "what should this project have in place before an incident?"
This is a bridge. It prepares and routes. It does not replace forensics-complete, and it does not collect evidence.
Triggers
- "DFIR readiness"
- "incident response readiness"
- "evidence preservation readiness"
- "chain of custody readiness"
- "IOC readiness"
- "forensic report readiness"
- "prepare this project for a breach investigation"
- "start a forensics case safely"
- "what do we need before collecting evidence?"
Purpose
Make a security project ready to hand off to evidence-preserving DFIR work.
The skill answers three questions:
- Is this preventive security work, production incident coordination, or a forensic investigation?
- Is
forensics-completeinstalled for evidence-bearing work? - What readiness record, custody expectation, and handoff steps should exist before anyone touches volatile or potentially admissible evidence?
Behavior
Boundary
| Need | Route |
|---|---|
| Preventive controls, disclosure intake, secure design decisions | security-engineering |
| Severity, incident bridge, stakeholder comms, service restoration, PIR | sdlc-complete incident-response flows |
| Evidence preservation, triage, acquisition, timelines, IOCs, reports | forensics-complete |
If a request includes live evidence, suspected compromise, a target host, IOC extraction, chain of custody, forensic timeline, or report generation, route to forensics-complete.
1. Classify the situation
Ask only enough to route safely:
- Is there an active incident, or is this readiness planning?
- Is any evidence already collected?
- Are any destructive containment or cleanup actions planned?
- Is legal, compliance, or customer-impact handling in scope?
- Which systems could hold volatile evidence?
Do not ask for secrets, exploit payloads, private vulnerability details, or raw evidence in chat.
2. Check for the DFIR framework
Look for .aiwg/forensics/ or an installed forensics-complete entry in .aiwg/aiwg.config.
If it is missing, instruct the operator:
aiwg use forensics
# or
aiwg use dfir
Then route through discovery:
aiwg discover "forensic triage"
aiwg discover "evidence preservation"
aiwg discover "start forensics case"
3. Create a readiness record
For readiness planning, write or update:
.aiwg/security-engineering/incident-readiness/<system-or-project>.md
Use this structure:
# DFIR Readiness: <system-or-project>
- Prepared: <date>
- Owner: <person/team>
- Security-engineering record: readiness / review / update
- Forensics workspace installed: yes/no
- Production incident-management route: <SDLC flow or runbook>
- DFIR route: forensics-complete
## Evidence Sources
| Source | Volatility | Owner | Access Method | Notes |
|---|---|---|---|---|
| <host/log/cloud/container> | high/medium/low | <team> | <read-only path> | <notes> |
## Chain-of-Custody Expectations
- Master custody log: `.aiwg/forensics/chain-of-custody.md`
- Case evidence root: `.aiwg/forensics/evidence/<case-id>/`
- Hash algorithm: SHA-256 unless a stricter local standard applies
- Transfer logging: required for every evidence handoff
## Safe Start Checklist
- [ ] Confirm authority to investigate.
- [ ] Preserve volatile evidence before low-volatility sources.
- [ ] Avoid cleanup, reboot, patching, or containment unless authorized.
- [ ] Start custody logging before collection.
- [ ] Record production incident handoff if SDLC incident management is active.
- [ ] Route evidence-bearing work to `forensics-complete`.
## Open Gaps
- [ ] <missing access, log source, retention, owner, tooling, legal gate>
4. Route to the right next skill
Use aiwg discover rather than naming non-kernel skills as commands:
aiwg discover "evidence preservation"
aiwg discover "forensic triage"
aiwg discover "extract iocs"
aiwg discover "build forensic timeline"
aiwg discover "forensic report"
For production incident coordination, use:
aiwg discover "handle incident"
aiwg discover "incident triage"
Safety Rules
- Never modify a suspected evidence source as a readiness step.
- Never recommend reboot, cleanup, quarantine, or credential rotation as a forensic action without explicit operator authorization and custody logging.
- Never paste secrets, exploit payloads, raw private reports, or customer data into public issues or chat.
- If evidence already exists, record who collected it, when, from where, and how integrity was verified before continuing.
References
forensics-complete/skills/forensics-quickreffor DFIR discovery phrases.forensics-complete/skills/evidence-preservationfor custody procedures.sdlc-complete/skills/flow-incident-responsefor production incident coordination.docs/integrations/dfir-handoff.mdfor cross-framework routing guidance.
Related Skills
jmagly/radar-status
data-ai
VerifiedTrustedCommunity
Report which research-corpus radar sidecars are overdue for refresh. Computes staleness (days since last refresh vs the cadence window) for every radar, sorted most-overdue-first. Runs via `aiwg corpus radar-status`.
140SKILL.mdUpdated May 28, 2026
jmagly/radar-report
data-ai
VerifiedTrustedCommunity
Aggregate research-corpus radar sidecars into a corpus or per-cluster freshness report — totals, overdue count, per-cluster / per-GRADE / per-trajectory breakdowns, an overdue table, and per-radar rationale snippets. Runs via `aiwg corpus radar-report`.
140SKILL.mdUpdated May 28, 2026
jmagly/radar-init
testing
VerifiedTrustedCommunity
Scaffold radar/freshness sidecars for research-corpus REFs. Pulls title/authors from the citation sidecar and GRADE from the analysis doc, defaults the refresh cadence from GRADE and the cluster from a corpus-local map, and stamps documentation/radar/REF-XXX-radar.md. Runs via `aiwg corpus radar-init`.
140SKILL.mdUpdated May 28, 2026
jmagly/profile-temporal
data-ai
VerifiedTrustedCommunity
Compute an entity's publication trajectory — per-year paper counts, topic drift, hot-streak detection (≥3 consecutive A-grade years), and career phase. Runs via `aiwg corpus profile-temporal`.
140SKILL.mdUpdated May 28, 2026