Add IR retainer activation evidence gates#1540

Open
alejandrorivas-pixel wants to merge 1 commit into UnitOneAI:main from alejandrorivas-pixel:improve/ir-retainer-activation-gates
Conversation

@alejandrorivas-pixel
Skill Improvement ($50-150 Bounty)

Skill Modified

Skill name: ir-playbook
Skill path: skills/incident-response/ir-playbook/

What Was Wrong

Issue #1529 documents that the playbook treated third-party IR support as a readiness checkbox. It referenced MDR/MSSP, cyber insurance, and external IR retainers, but did not require evidence that the retainer is currently active, reachable after hours, authorized for activation, or scoped to the incident workstreams actually needed.

What This PR Fixes

  • Adds external IR retainer evidence gates for contract/SOW dates, remaining hours, overage authority, 24x7 activation-channel testing, scope coverage, approval blockers, production evidence-transfer readiness, insurer panel conflicts, and regional/data-residency coverage.
  • Adds IR-RET-01 through IR-RET-08 findings with false-positive guardrails and severity guidance.
  • Adds an incident-category-to-external-capability matrix for ransomware/wiper, BEC, cloud compromise, regulated breach, and supply-chain compromise.
  • Adds an External Support Activation Record and report output table so escalation decisions retain audit-ready provider activation evidence.

Evidence

Before:

- External IR retainer (if applicable) | [ ] | |

After:

IR-RET-01: External IR retainer referenced but contract/SOW is expired or missing
IR-RET-04: MDR, insurer, legal, or procurement approval blocks SEV-1 activation without bypass criteria

Test Cases Added/Updated

  • Added vulnerable test cases (tests/vulnerable/)
  • Added benign test cases (tests/benign/)
  • Existing tests still pass / repository diff checks pass

Validation

  • git diff --check
  • git diff --cached --check
  • python3 -m json.tool on both JSON fixtures
  • Markdown fence-balance check for SKILL.md and markdown fixtures
  • Added-file ASCII check
  • rg marker check for IR-RET-01 through IR-RET-08 and External Support Activation output
  • Prompt-injection / secret-pattern scan over changed files

Bounty Tier

  • Minor ($50) - Doc update, small logic tweak, typo fix
  • Moderate ($100) - New edge case coverage, FP reduction with evidence
  • Substantial ($150) - Rewritten detection logic, major coverage expansion

Bounty Info

  • I have read and agree to the CONTRIBUTING.md bounty terms
  • Preferred payment method: Payment details can be provided privately after maintainer acceptance.

Closes #1529
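As an added example (not code from this PR or from the ir-playbook skill), a small evaluator that turns a retainer evidence record into IR-RET-01 and IR-RET-04 findings as the PR describes them, plus two checks for the remaining-hours/overage and 24x7 activation-channel gates under placeholder ids; the record fields, the 90-day test-age threshold and the placeholder ids are assumptions.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple

# Constructed record shape for an external IR retainer. The field names are
# assumptions for this example, not the skill's own activation-record schema.
@dataclass
class RetainerRecord:
    provider: str
    sow_end: Optional[date]              # None means no contract/SOW on file
    hours_remaining: float
    overage_preauthorized: bool          # overage authority already granted
    channel_last_tested: Optional[date]  # last successful 24x7 activation test
    activation_needs_approval: bool      # MDR/insurer/legal/procurement sign-off
    sev1_bypass_criteria: bool           # documented bypass for SEV-1 activation


def evaluate_retainer(rec: RetainerRecord, today: date,
                      max_test_age_days: int = 90) -> List[Tuple[str, str]]:
    """Return (finding_id, detail) pairs. IR-RET-01 and IR-RET-04 follow the
    PR text; RET-HOURS and RET-CHANNEL are placeholder ids for the
    remaining-hours and activation-channel gates the PR lists."""
    findings: List[Tuple[str, str]] = []
    if rec.sow_end is None:
        findings.append(("IR-RET-01", f"{rec.provider}: no contract/SOW on file"))
    elif rec.sow_end < today:
        findings.append(("IR-RET-01", f"{rec.provider}: SOW expired {rec.sow_end}"))
    if rec.activation_needs_approval and not rec.sev1_bypass_criteria:
        findings.append(("IR-RET-04",
                         f"{rec.provider}: approval gate blocks SEV-1 activation, no bypass criteria"))
    if rec.hours_remaining <= 0 and not rec.overage_preauthorized:
        findings.append(("RET-HOURS (placeholder id)",
                         f"{rec.provider}: no hours remaining and no overage authority"))
    if rec.channel_last_tested is None or (today - rec.channel_last_tested).days > max_test_age_days:
        findings.append(("RET-CHANNEL (placeholder id)",
                         f"{rec.provider}: 24x7 activation channel untested in {max_test_age_days} days"))
    return findings


def ready_for_activation(rec: RetainerRecord, today: date) -> bool:
    """The readiness checkbox only counts when every evidence gate passes."""
    return not evaluate_retainer(rec, today)


# Constructed sample records: one that the old "[ ]" checkbox would have
# accepted, and one that actually carries activation evidence.
STALE = RetainerRecord("ProviderA (constructed)", date(2025, 1, 31), 0.0, False,
                       None, True, False)
READY = RetainerRecord("ProviderB (constructed)", date(2026, 3, 31), 40.0, True,
                       date(2025, 5, 15), True, True)
```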

Development

Successfully merging this pull request may close these issues.

[REVIEW] ir-playbook: add third-party IR retainer activation and scope-of-work evidence gates