Skill Being Reviewed
skills/incident-response/post-incident-review/SKILL.md
False Positive Analysis
The PIR skill can create false assurance if action items are considered complete based only on owners and deadlines. A post-incident review is only useful if the remediations are verified against the original failure mode and recurrence is tracked. Without verification gates, teams can close actions such as “add detection,” “fix segmentation,” or “update playbook” without proving the control now prevents, detects, or limits the scenario that caused the incident.
Coverage Gaps
The current process has a remediation plan and action items, but it does not require closure criteria, verification evidence, retest method, control owner signoff, residual risk decision, recurrence tracking, or linkage to previous similar PIRs. Control failure mapping is strong, but the follow-through should include how each failed control will be retested and how the organization will know the same class of incident did not recur.
Edge Cases
Some actions depend on vendors or business owners and may be accepted as residual risk rather than fixed. Some remediations are detective controls that need alert-routing tests, not just rule creation. Process updates require tabletop or training evidence. For near misses, the right metric may be recurrence of the precursor signal rather than a full incident. These variations need a closure taxonomy that goes beyond open/closed.
Remediation Quality
Add a PIR action register with fields for action ID, mapped control failure, owner, due date, closure criterion, verification method, verification evidence, verifier, residual risk status, recurrence signal, and follow-up review date. Require at least one retest method per high-impact action, such as replaying detection telemetry, segmentation validation, access review sample, restore drill, or tabletop exercise. Add a section that links similar prior incidents and records whether prior actions failed, were incomplete, or did not cover the new scenario.
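One way to encode the action register and the closure taxonomy from the two sections above as an enforceable gate (added example, not the skill's own code; field names, retest-method labels and the sample values are assumptions, and closure is refused until the verification fields are filled):

```python
from dataclasses import dataclass
from enum import Enum

class Closure(Enum):
    OPEN = "open"
    VERIFIED = "verified"            # retested against the original failure mode
    RISK_ACCEPTED = "risk_accepted"  # vendor/business dependency, residual risk recorded

# retest methods the review names for high-impact actions (labels are assumed)
RETEST_METHODS = {"detection_replay", "segmentation_validation",
                  "access_review_sample", "restore_drill", "tabletop"}

@dataclass
class PirAction:
    action_id: str
    control_failure: str             # failed control mapped in the PIR
    owner: str
    due: str                         # ISO date
    high_impact: bool
    closure_criterion: str = ""
    verification_method: str = ""
    verification_evidence: str = ""  # artifact reference, e.g. ticket or replay log
    verifier: str = ""
    residual_risk_decision: str = ""
    recurrence_signal: str = ""      # metric or alert watched for recurrence
    follow_up_review: str = ""       # ISO date of the recurrence check
    status: Closure = Closure.OPEN

def closure_gaps(a: PirAction, target: Closure) -> list:
    """Reasons the action may NOT move to `target`; an empty list means it may."""
    gaps = []
    if not a.closure_criterion:
        gaps.append("no closure criterion")
    if not a.recurrence_signal or not a.follow_up_review:
        gaps.append("no recurrence signal or follow-up review date")
    if target is Closure.VERIFIED:
        if not (a.verification_evidence and a.verifier):
            gaps.append("no verification evidence or verifier")
        if a.high_impact and a.verification_method not in RETEST_METHODS:
            gaps.append("high-impact action needs a named retest method")
    elif target is Closure.RISK_ACCEPTED and not a.residual_risk_decision:
        gaps.append("risk acceptance needs a recorded residual risk decision")
    return gaps

def close_action(a: PirAction, target: Closure) -> PirAction:
    gaps = closure_gaps(a, target)
    if gaps:  # refuse premature closure; the reasons become the reviewer's checklist
        raise ValueError(f"{a.action_id}: " + "; ".join(gaps))
    a.status = target
    return a
```

Owners and due dates alone never satisfy the gate; a closed register entry carries the evidence a later reviewer can re-check.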
Comparison to Other Tools
Incident management platforms and mature SRE/security retrospectives usually separate action-item creation from action-item verification. NIST-style lessons learned are most useful when they feed measurable control improvement. The skill already reconstructs the timeline and root causes well; adding verification makes the PIR operationally enforceable.
Overall Assessment
This is a medium/high value process-quality issue. It makes PIR outputs harder to close prematurely and gives future reviewers evidence that lessons learned were actually implemented.
Bounty Info
CONTRIBUTING.md.