Incident Lessons Learned Review

Convert cyber incident evidence into blameless post-mortem reports, root cause analyses, and action trackers.

Install
cmdop skills install agensi-incident-lessons-learned-review

Incident Lessons Learned Review is a skill published by agensi that turns raw cyber security incident data into structured post-incident analysis outputs. It is designed for use after security incidents, near misses, or tabletop exercises where teams need to move beyond informal debriefs into documented, audit-ready reporting.

The skill consolidates incident timelines, logs, and stakeholder inputs into a single evidence base, then applies blameless root cause analysis using either the 5-Whys or Fishbone method. The focus is on identifying systemic weaknesses rather than assigning individual fault. From provided timestamps, it calculates key incident response metrics including Mean Time to Respond (MTTR) and Mean Time to Contain (MTTC).

Outputs include executive summaries suitable for leadership reporting, playbook update plans that specify what detection logic or response procedures need changing, and tracked action items with defined owners and validation criteria. This last point is important: the skill is structured to ensure that lessons learned translate into concrete follow-up work rather than general observations.

The skill enforces defensive incident response standards throughout, keeping analysis evidence-based and tool-agnostic unless a specific toolset is provided as input. It bridges the gap between technical recovery documentation and executive communication, making it appropriate for security operations teams that need consistent, repeatable post-incident processes.

Use cases

  • Generate a blameless root cause analysis after a ransomware or data breach incident
  • Produce an executive summary of a security incident for leadership or board reporting
  • Calculate MTTR and MTTC metrics from incident timestamps for KPI tracking
  • Create a structured action item tracker with owners and validation criteria after a tabletop exercise
  • Draft playbook update plans identifying gaps exposed during a near miss
  • Compile stakeholder inputs and log data into a single consolidated incident timeline

When to use it

  • After a cyber security incident where a formal post-mortem is required
  • Following a tabletop exercise where structured lessons learned documentation is needed
  • When security teams need audit-ready reports rather than informal retrospective notes
  • When bridging between technical incident details and executive-level reporting

When not to use it

  • For real-time incident detection or active response — this skill handles post-incident analysis only
  • When no incident data, timelines, or logs are available to provide as input
  • For non-security operational retrospectives such as software outages unrelated to security incidents
  • When a fully automated SIEM or SOAR integration is required — this skill does not connect to external tooling