🔥 awesome-dfir-skills

January 18, 2026

A community-driven collection of DFIR / incident response skills: reusable prompts, workflows, and helper files that help practitioners move faster, stay consistent, and maybe—just maybe—get some sleep.


🚀 Quick Start

  1. Pick a skill from skills/README.md
  2. Copy/paste it into your AI assistant (Claude, Codex, etc.)
  3. Feed it your artifacts when prompted
  4. Watch the magic happen ✨

Pro tip: Keep placeholders like {{time_window}} as-is—fill them in when the skill asks for them.


🤔 What's a "Skill" Anyway?

Think of a skill as a cheat code for IR. It's a small, reusable artifact you can copy/paste into your AI assistant or playbook to get consistent, high-quality outputs every time.

Each skill is designed to:

| Feature | Why It Matters |
|---|---|
| 📥 Clear inputs & outputs | No guessing games |
| 🎯 Explicit about unknowns | Fewer hallucinations, more facts |
| 🔒 Safe-by-default | Evidence handling & privacy baked in |

πŸ“ Repository Layout

skills/
├── README.md                          # Start here → skill catalog
├── _templates/
│   └── skill.md                       # Template for new skills
└── <category>/
    └── <skill-id>/
        ├── skill.md                   # The skill entrypoint
        └── helpers/                   # Query snippets, regex, parsers

πŸ› οΈ Platform Setup

Claude Desktop / Claude.ai

Skills are folders of instructions that Claude loads dynamically:

  1. Use the skill's Skill prompt as workflow instructions
  2. Provide inputs in-chat when prompted
  3. Keep {{placeholders}} intact—fill values in the corresponding sections

OpenAI / Codex

Codex loads skills from a dedicated folder (e.g., $REPO_ROOT/.codex/skills):

  1. Mirror or symlink skills from skills/ to your Codex skill location
  2. Invoke skills explicitly (mention them) or let Codex pick them up implicitly
  3. Provide artifacts as inputs; keep {{...}} placeholders as-is
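
One way to do the symlink step for Codex, as an added example that is not part of the repository: it links each `skills/<category>/<skill-id>/` folder into the destination and refuses to overwrite anything already there. The function name `link_skills` and the choice to name links by `<skill-id>` alone are assumptions.

```shell
#!/usr/bin/env bash
# Added example (not the repository's own tooling): link every skill folder
# under skills/<category>/<skill-id>/ into a Codex skills directory.
# Assumptions: link_skills is a hypothetical helper name; links are named by
# <skill-id> only, so two categories using the same id collide and abort.

link_skills() {
    local src="$1" dest="$2" linked=0 entry skill_dir skill_id target
    [ -d "$src" ] || { echo "no such skills dir: $src" >&2; return 2; }
    mkdir -p "$dest" || return 2
    src="$(cd "$src" && pwd)"   # absolute path so the links resolve from anywhere

    for entry in "$src"/*/*/skill.md; do
        [ -f "$entry" ] || continue              # glob matched nothing
        skill_dir="$(dirname "$entry")"
        skill_id="$(basename "$skill_dir")"
        case "$(basename "$(dirname "$skill_dir")")" in
            _*) continue ;;                      # skip underscore-prefixed folders such as _templates
        esac
        target="$dest/$skill_id"

        if [ -L "$target" ]; then
            # Existing link: fine if it already points at this skill.
            if [ "$(readlink "$target")" = "$skill_dir" ]; then
                continue
            fi
            echo "collision: $skill_id already links to $(readlink "$target")" >&2
            return 1
        elif [ -e "$target" ]; then
            # Never replace a real file or folder that someone placed there.
            echo "refusing to overwrite non-link: $target" >&2
            return 1
        fi
        ln -s "$skill_dir" "$target" || return 2
        linked=$((linked + 1))
    done
    echo "$linked"                               # number of links created this run
}
```

Run it as `link_skills skills "$REPO_ROOT/.codex/skills"`; a second run prints 0 because existing links are left alone.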

🤝 Contributing

How to Add a Skill

  1. Copy skills/_templates/skill.md
  2. Create skills/<category>/<skill-id>/skill.md
  3. Keep it practical, tool-agnostic where possible
  4. Test on real (or realistic) artifacts

Coming soon: Metadata validator and detailed contribution guidelines.


💡 Inspiration


📜 License

MIT — Use it, fork it, improve it.


Made with ☕ and mild panic by the DFIR community