Incident Lessons Learned Review is a skill published by agensi that turns raw cyber security incident data into structured post-incident analysis outputs. It is designed for use after security incidents, near misses, or tabletop exercises where teams need to move beyond informal debriefs into documented, audit-ready reporting.
The skill consolidates incident timelines, logs, and stakeholder inputs into a single evidence base, then applies blameless root cause analysis using either the 5-Whys or Fishbone method. The focus is on identifying systemic weaknesses rather than assigning individual fault. From provided timestamps, it calculates key incident response metrics including Mean Time to Respond (MTTR) and Mean Time to Contain (MTTC).
Outputs include executive summaries suitable for leadership reporting, playbook update plans that specify what detection logic or response procedures need changing, and tracked action items with defined owners and validation criteria. This last point is important: the skill is structured to ensure that lessons learned translate into concrete follow-up work rather than general observations.
The skill enforces defensive incident response standards throughout, keeping analysis evidence-based and tool-agnostic unless a specific toolset is provided as input. It bridges the gap between technical recovery documentation and executive communication, making it appropriate for security operations teams that need consistent, repeatable post-incident processes.