[REVIEW] ir-playbook: add third-party IR retainer activation and scope-of-work evidence gates
Skill Being Reviewed
Skill name: ir-playbook
Skill path: skills/incident-response/ir-playbook/
False Positive Analysis
Benign-looking incident response plan that can be incorrectly scored as escalation-ready:

```markdown
## Escalation Decision
- Severity: SEV-1 ransomware with data exfiltration indicators
- External support: "MSSP on retainer"
- Action: "Engage IR firm"
- Evidence attached: insurance policy PDF, vendor logo on intranet page
```
Why this is a false positive:
The skill lists third-party dependencies in context gathering and mentions external IR firms in escalation scenarios, but does not require proof that a retainer is currently active, that the engagement channel is tested, or that scope-of-work covers forensic imaging, crisis communications, and regulatory counsel. A generic "engage IR firm" step can be marked complete while no contract, no 24x7 hotline access, and no statement-of-work for regulated data exists.
Coverage Gaps
Missed variant 1: Retainer lapsed after insurance renewal
```text
Cyber policy effective date: 2026-01-01
IR retainer SOW end date: 2025-12-31
Hotline test last successful: never
```
Why it should be caught: Preparation phase should fail readiness when external response capacity is documented but not contractually active.
Missed variant 2: Retainer excludes crisis communications / legal privilege workflow
```text
Retainer scope: forensic collection and containment only
Incident requires: customer notification, law enforcement liaison, privilege logging
Gap: no comms counsel or external comms firm in scope
```
Why it should be caught: Stakeholder notification section assumes roles exist. The skill should require mapping incident type to retainer-covered workstreams.
Missed variant 3: MSSP escalation path differs from IR retainer path
```text
mdr_provider: SentinelOne Vigilance
ir_retainer: CrowdStrike Services
contract_clause: "MDR must approve before IR retainer activation"
observed_delay: 11 hours waiting for MDR ticket approval
```
Why it should be caught: Multiple third parties create approval latency. The playbook should capture activation prerequisites and bypass criteria for SEV-1.
Edge Cases
- Cyber insurance panel vendor list differs from internal retainer.
- Global incident requires regional IR firm with data-residency constraints.
- Retainer hours consumed earlier in quarter; overage approval path undefined.
- Tabletop exercises used vendor demo environment only; real production access prerequisites untested.
Remediation Quality
Comparison to Other Tools
| Tool | Catches this? | Notes |
| --- | --- | --- |
| NIST SP 800-61 Rev 2 | Partial | Recommends external coordination; skill should operationalize proof |
| FIRST CSIRT framework | Partial | Covers coordination, not contractual readiness |
| Semgrep/CodeQL | No | Not applicable |
Overall Assessment
Strengths: Comprehensive severity, containment, and notification structure with good regulatory references.
Needs improvement: Third-party support is treated as a checkbox, not a verified capability. Retainer failures are a frequent source of delayed containment.
Priority recommendations:
- Add IR-RET-01 readiness checks: contract effective dates, 24x7 contact test, covered workstreams, and required approvals.
- Map incident categories (ransomware, BEC, data breach) to minimum external capabilities before marking escalation plan complete.
- Include activation log template: who authorized spend, when vendor acknowledged, and which SOW tasks are in/out of scope.
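As an added illustration (not code from the ir-playbook skill or its reviewer), the readiness gate below turns the IR-RET-01 checks and the incident-category-to-workstream mapping into a blocking check, and reproduces the three missed variants above against a constructed retainer record; the workstream mapping, the 90-day hotline-test window and the vendor names are assumptions.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Set

# Assumed minimum external workstreams per incident category (placeholder
# mapping, not the skill's own; tune per organisation and regulator).
REQUIRED_WORKSTREAMS = {
    "ransomware": {"forensic_imaging", "containment", "crisis_comms", "regulatory_counsel"},
    "bec": {"forensic_collection", "regulatory_counsel"},
    "data_breach": {"forensic_imaging", "crisis_comms", "regulatory_counsel"},
}
HOTLINE_TEST_MAX_AGE_DAYS = 90  # assumed freshness window for the 24x7 contact test


@dataclass
class Retainer:
    vendor: str
    sow_start: date
    sow_end: date
    hotline_last_tested: Optional[date]    # None means never tested
    covered_workstreams: Set[str]
    activation_prerequisites: List[str]    # e.g. an MDR approval clause
    sev1_bypass_defined: bool              # may SEV-1 skip the prerequisites?


def retainer_findings(r: Retainer, incident_type: str, severity: str, today: date) -> List[str]:
    """IR-RET-01 style checks; every returned string is a blocking finding."""
    findings = []
    if not (r.sow_start <= today <= r.sow_end):          # variant 1: lapsed SOW
        findings.append(f"SOW for {r.vendor} not active on {today} ({r.sow_start} to {r.sow_end})")
    if r.hotline_last_tested is None:                     # variant 1: untested channel
        findings.append(f"24x7 hotline for {r.vendor} never tested")
    elif (today - r.hotline_last_tested).days > HOTLINE_TEST_MAX_AGE_DAYS:
        findings.append(f"24x7 hotline test older than {HOTLINE_TEST_MAX_AGE_DAYS} days")
    missing = REQUIRED_WORKSTREAMS[incident_type] - r.covered_workstreams
    if missing:                                           # variant 2: scope gap
        findings.append(f"SOW does not cover {sorted(missing)} required for {incident_type}")
    if severity == "SEV-1" and r.activation_prerequisites and not r.sev1_bypass_defined:
        findings.append(f"activation gated on {r.activation_prerequisites} with no SEV-1 bypass")
    return findings                                       # (variant 3: approval latency)


def escalation_ready(r: Retainer, incident_type: str, severity: str, today: date) -> bool:
    return not retainer_findings(r, incident_type, severity, today)


# Constructed sample records (placeholder vendor names), not real contracts.
LAPSED = Retainer("ExampleIR", date(2025, 1, 1), date(2025, 12, 31), None,
                  {"forensic_imaging", "containment"}, ["MDR ticket approval"], False)
ACTIVE = Retainer("ExampleIR", date(2026, 1, 1), date(2026, 12, 31), date(2026, 1, 10),
                  set(REQUIRED_WORKSTREAMS["ransomware"]), [], False)
```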
Bounty Info