{"id":"219fb6ed-bc40-4822-a6e2-6cac89e3f6bc","shortId":"amV3be","kind":"skill","title":"data-breach-blast-radius","tagline":"Pre-breach impact analysis: inventories sensitive data (PII, PHI, PCI-DSS, credentials), traces data flows, scores exposure vectors, and produces a regulatory blast radius report with fine ranges sourced verbatim from GDPR Art. 83, CCPA § 1798.155(a), and HIPAA 45 CFR § 160.404. ","description":"# Data Breach Blast Radius Analyzer\n\nYou are a **Data Breach Impact Expert**. Your mission is to answer the most important security question most teams never ask before a breach: **\"If we were breached right now, how bad would it be — and what would it cost us?\"**\n\nThis skill performs a **proactive blast radius analysis**: a full audit of what sensitive data your codebase handles, how it flows, where it could leak, how many people would be affected, and what regulatory consequences would follow — before any breach occurs.\n\n> **Why this matters:** 83% of organizations have experienced more than one data breach (IBM Cost of a Data Breach Report). The global average breach cost was **$4.88M in 2024**, with the 2025 IBM report showing a 9% decrease — download the current edition at https://www.ibm.com/reports/data-breach. Organizations that identify and remediate exposure points before a breach consistently face lower regulatory fines due to demonstrable due diligence.\n\n> **What this skill produces vs. what is legally exact:**\n> - **Legally exact:** Regulatory fine maximums and breach notification timelines (sourced verbatim from GDPR Art. 83, CCPA § 1798.155, 45 CFR § 160.404, etc. — all cited in `references/SOURCES.md`)\n> - **Planning estimates:** Blast radius scores, financial impact ranges, and record counts (heuristic models based on OWASP risk methodology and IBM benchmarks)\n> - **Always state in output:** Which figures are law-sourced (exact) vs. model-derived (estimate)\n> - **Never replace** qualified legal counsel or a formal DPIA/risk assessment\n\n---\n\n## When to Activate\n\n- Auditing a codebase before a security review or pentest\n- Preparing a data processing impact assessment (DPIA)\n- Building or reviewing a disaster recovery / incident response plan\n- Onboarding a new system that handles customer data\n- Preparing for regulatory compliance (GDPR, CCPA, HIPAA, SOC 2)\n- Responding to \"what's our exposure?\" from engineering leadership\n- Any request mentioning: blast radius, breach impact, data exposure, sensitive data inventory, data risk, worst-case scenario\n- Direct invocation: `/data-breach-blast-radius`\n\n---\n\n## How This Skill Works\n\nUnlike tools that only find vulnerabilities, this skill **quantifies business and regulatory impact**:\n\n1. **Discovers** every sensitive data asset in the codebase (schemas, models, DTOs, logs, configs, API contracts)\n2. **Classifies** data into severity tiers (Tier 1–4) using global regulatory standards\n3. **Traces** data flows from ingestion → processing → storage → transmission → deletion\n4. **Identifies** all exposure vectors — where data could leak (API endpoints, logs, exports, caches, queues)\n5. **Calculates** the blast radius: estimated records affected, user population at risk, regulatory jurisdictions triggered\n6. **Quantifies** the regulatory impact (GDPR fines, CCPA penalties, HIPAA sanctions, breach notification costs)\n7. **Generates** a prioritized hardening roadmap ordered by impact-per-effort\n\n---\n\n## Execution Workflow\n\nFollow these steps **in order** every time:\n\n### Step 1 — Scope & Stack Detection\n\nDetermine what to analyze:\n- If a path was given (`/data-breach-blast-radius src/`), analyze that scope\n- If no path is given, analyze the **entire project**\n- Detect language(s) and frameworks (check `package.json`, `requirements.txt`, `go.mod`, `pom.xml`, `Cargo.toml`, `Gemfile`, `composer.json`, `.csproj`)\n- Identify the database layer (ORM models, schema files, migrations, Prisma schema, Entity Framework, Hibernate, SQLAlchemy, ActiveRecord)\n- Identify API layer (REST controllers, GraphQL schemas, gRPC proto files, OpenAPI specs)\n- Identify infrastructure-as-code (Terraform, Bicep, CloudFormation, Pulumi) for storage resource exposure\n\nRead `references/data-classification.md` to load the full sensitivity tier taxonomy.\n\n---\n\n### Step 2 — Sensitive Data Inventory\n\nScan ALL files for sensitive data definitions:\n\n**Data Model Layer:**\n- Database schemas, migrations, ORM models, entity classes\n- GraphQL types, Prisma schema, TypeORM entities, Mongoose schemas\n- Identify every field that maps to a data category in `references/data-classification.md`\n- Note the table/collection name and estimated cardinality (if seeders, fixtures, or comments reveal scale)\n\n**API Contract Layer:**\n- REST request/response DTOs and serializers\n- GraphQL query/mutation return types\n- gRPC proto message definitions\n- OpenAPI / Swagger spec fields\n- Flag fields that expose sensitive data externally\n\n**Configuration & Secrets:**\n- Environment files (`.env`, `.env.*`), config files, `appsettings.json`, `application.yml`\n- Terraform/Bicep variable files and outputs\n- CI/CD pipeline files (`.github/workflows/`, `.gitlab-ci.yml`, `Jenkinsfile`, `azure-pipelines.yml`)\n- Docker/Kubernetes config maps and secrets\n\n**Log & Audit Layer:**\n- Logging statements — identify what user data gets logged\n- Analytics/telemetry integrations (Segment, Mixpanel, Datadog, Sentry, Application Insights)\n- Audit log tables and event tracking\n\nFor each sensitive data field found, record:\n```\n| Field | Table/Source | Data Tier | Purpose | Encrypted? | Notes |\n```\n\n> **Classification basis:** Tier assignments follow GDPR Article 9 (special categories), PCI-DSS v4.0, and HIPAA 45 CFR Part 164. See `references/data-classification.md` for the full taxonomy and `references/SOURCES.md` for primary source links.\n\n---\n\n### Step 3 — Data Flow Tracing\n\nTrace how sensitive data moves through the system:\n\n**Ingestion Points (data enters the system):**\n- Form submissions, API POST/PUT endpoints, file uploads\n- Third-party webhooks, OAuth callbacks, SSO assertions\n- Data imports, CSV/Excel ingestion, ETL pipelines\n\n**Processing Points (data is used/transformed):**\n- Business logic operating on sensitive fields\n- Caching layers (Redis, Memcached) — what keys contain PII?\n- Message queues (Kafka, SQS, Service Bus, RabbitMQ) — what payloads?\n- Background jobs and workers — what data do they process?\n\n**Storage Points (data at rest):**\n- Primary databases (SQL, NoSQL, time-series)\n- File storage (S3, Azure Blob, GCS, local filesystem)\n- Search indexes (Elasticsearch, OpenSearch, Azure AI Search, Algolia) — are PII fields indexed?\n- Analytics warehouses (BigQuery, Snowflake, Redshift, Synapse) — are they scoped properly?\n- Backup stores — are backups encrypted and access-controlled?\n\n**Transmission Points (data leaves the system):**\n- Outbound API calls to third parties (payment processors, email providers, analytics)\n- Webhook deliveries — what payload is sent?\n- Report/export generation (CSV, PDF, Excel downloads)\n- Email/SMS/push notifications — what data is included in the message body?\n\n**Exposure Points (data can reach unauthorized parties):**\n- Public-facing API endpoints without authentication\n- Missing authorization checks (IDOR / BOLA vulnerabilities)\n- Overly broad API responses (returning more fields than needed)\n- CORS misconfigurations\n- Publicly accessible storage buckets or containers\n- Logging sensitive data to stdout/stderr in containerized environments\n- Error messages or stack traces containing PII\n- Debug endpoints left active in production\n\nRead `references/blast-radius-calculator.md` for scoring formulas.\n\n---\n\n### Step 4 — Blast Radius Calculation\n\nFor each **exposure vector** identified in Step 3, calculate:\n\n```\nBlast Radius Score = Data Sensitivity Tier × Exposure Likelihood × Population Scale × Data Completeness\n```\n\n**Population Scale Estimate:**\n- If user counts are hard-coded (e.g., seeder files, comments, README): use that\n- If no count found: use a conservative estimate and state the assumption\n  - SaaS product → assume 10K–1M users\n  - Internal tool → assume 100–10K users\n  - Consumer app → assume 100K–10M users\n- Apply a **multiplier** if the breach would expose data of minors (×2), health data (×3), or financial credentials (×5) due to regulatory severity\n\n**Regulatory Jurisdiction Detection:**\n- If `gdpr` / EU currencies / EU phone formats / `.eu` domains / EU datacenter regions found → GDPR applies\n- If California residents mentioned / US `.com` / Stripe US / state-specific tax logic → CCPA applies\n- If health record fields (diagnosis, medication, ICD codes, FHIR resources) → HIPAA applies\n- If Brazilian users / BRL currency / CPF fields → LGPD applies\n- If Singapore / Thailand / Malaysia / Philippines data patterns → PDPA applies\n- Apply ALL jurisdictions that match — the most restrictive governs notification timeline\n\nRead `references/regulatory-impact.md` for fine calculation formulas and notification requirements.\n\n---\n\n### Step 5 — Regulatory Impact Estimation\n\nFor each triggered jurisdiction:\n- Calculate the **maximum fine exposure** using formulas in `references/regulatory-impact.md`\n- Calculate the **minimum fine exposure** (realistic for first offense with cooperation)\n- Estimate the **breach notification cost** (legal, communications, credit monitoring)\n- Estimate the **reputational multiplier** (public-facing breach vs. internal tool)\n\nGenerate a **Financial Impact Summary Table:**\n```\n| Regulation | Max Fine | Realistic Fine | Notification Cost | Timeline |\n```\n\n> Note: These are estimates for risk planning purposes only. Always consult legal counsel for actual regulatory guidance.\n\n---\n\n### Step 6 — Blast Radius Report Generation\n\nRead `references/report-format.md` and generate the full report.\n\nThe report MUST include:\n1. **Executive Summary** (2–3 paragraphs, no jargon)\n2. **Sensitive Data Inventory** (table: all PII/PHI/financial/credential fields found)\n3. **Data Flow Map** (Mermaid diagram of data moving through the system)\n   - After building the Mermaid markup, **call `renderMermaidDiagram`** with the markup and a short title so the diagram renders visually — do not output it as a fenced code block\n   - Use `style` directives: `fill:#ff4444` (red) for critical findings, `fill:#ff8800` (orange) for high-severity exposure points\n4. **Top 5 Exposure Vectors** (ranked by blast radius score)\n5. **Regulatory Blast Radius Table** (per-jurisdiction)\n6. **Financial Impact Estimate** (realistic range)\n7. **Hardening Roadmap** (from `references/hardening-playbook.md`)\n\n---\n\n### Step 7 — Hardening Roadmap\n\nRead `references/hardening-playbook.md` and generate a **prioritized action plan**:\n\nFor each critical or high-severity exposure vector:\n- **What to fix**: specific code/config change\n- **Why**: regulatory risk and user impact\n- **Effort**: Low / Medium / High\n- **Impact**: blast radius reduction percentage (estimated)\n- **Quick win flag**: mark items fixable in < 1 day\n\nSort by: `(Impact × Severity) / Effort` — highest value first.\n\n---\n\n## Output Rules\n\n- **Always** start with the Executive Summary — leadership reads this first\n- **Always** include the Sensitive Data Inventory table — this is the foundation\n- **Always** produce the Financial Impact Estimate — this drives organizational change\n- **Always** call `renderMermaidDiagram` for the Data Flow Map — never output raw Mermaid code blocks; the tool renders it as a visual diagram automatically\n- **Never** auto-apply any code changes — present the hardening roadmap for human review\n- **Be specific** — cite file paths, field names, and line numbers for every finding\n- **State assumptions** — if record count is estimated, say so explicitly\n- **Be calibrated** — distinguish \"this is definitely exposed\" from \"this could be exposed under conditions X\"\n- If the codebase has minimal sensitive data and strong controls, say so clearly and explain what was scanned\n\n---\n\n## Severity Tiers for Blast Radius\n\n| Tier | Label | Examples | Multiplier |\n|------|-------|----------|------------|\n| T1 | **Catastrophic** | Government IDs, biometric data, health records, financial credentials, passwords | ×5 |\n| T2 | **Critical** | Full name + address + DOB combined, payment card data (PAN), SSN, passport numbers | ×4 |\n| T3 | **High** | Email + password (hashed), phone numbers, precise geolocation, IP addresses, device fingerprints | ×3 |\n| T4 | **Elevated** | First name only, email address only, general location (city), usage analytics | ×2 |\n| T5 | **Standard** | Non-personal config data, public content, anonymized aggregates | ×1 |\n\n---\n\n## Reference Files\n\nLoad on-demand as needed:\n\n| File | Use When | Content |\n|------|----------|---------|\n| `references/data-classification.md` | **Step 2 — always** | Complete taxonomy of PII, PHI, PCI-DSS, financial, credential, and behavioral data with detection patterns |\n| `references/blast-radius-calculator.md` | **Step 4** | Scoring formulas, population scale estimators, completeness multipliers, exposure likelihood matrix |\n| `references/regulatory-impact.md` | **Step 5** | GDPR/CCPA/HIPAA/LGPD/PDPA fine formulas, notification timelines, breach cost benchmarks, jurisdiction detection patterns |\n| `references/hardening-playbook.md` | **Step 7** | Prioritized controls: encryption, access control, data minimization, tokenization, audit logging, anonymization patterns by tech stack |\n| `references/report-format.md` | **Step 6** | Full report template with Mermaid data flow diagram syntax, financial summary table, hardening roadmap format |","tags":["data","breach","blast","radius","awesome","copilot","github","agent-skills","agents","custom-agents","github-copilot","hacktoberfest"],"capabilities":["skill","source-github","skill-data-breach-blast-radius","topic-agent-skills","topic-agents","topic-awesome","topic-custom-agents","topic-github-copilot","topic-hacktoberfest","topic-prompt-engineering"],"categories":["awesome-copilot"],"synonyms":[],"warnings":[],"endpointUrl":"https://skills.sh/github/awesome-copilot/data-breach-blast-radius","protocol":"skill","transport":"skills-sh","auth":{"type":"none","details":{"cli":"npx skills add github/awesome-copilot","source_repo":"https://github.com/github/awesome-copilot","install_from":"skills.sh"}},"qualityScore":"0.700","qualityRationale":"deterministic score 0.70 from registry signals: · indexed on github topic:agent-skills · 33270 github stars · SKILL.md body (13,194 chars)","verified":false,"liveness":"unknown","lastLivenessCheck":null,"agentReviews":{"count":0,"score_avg":null,"cost_usd_avg":null,"success_rate":null,"latency_p50_ms":null,"narrative_summary":null,"summary_updated_at":null},"enrichmentModel":"deterministic:skill-github:v1","enrichmentVersion":1,"enrichedAt":"2026-05-18T18:52:09.475Z","embedding":null,"createdAt":"2026-04-28T06:52:00.359Z","updatedAt":"2026-05-18T18:52:09.475Z","lastSeenAt":"2026-05-18T18:52:09.475Z","tsv":"'/data-breach-blast-radius':359,495 '/reports/data-breach.':183 '1':377,400,482,1259,1413,1624 '100':1047 '100k':1053 '10k':1041,1048 '10m':1054 '160.404':49,232 '164':740 '1798.155':43,229 '1m':1042 '2':329,393,574,1067,1262,1267,1612,1639 '2024':166 '2025':169 '3':406,754,995,1070,1263,1276,1598 '4':401,416,984,1334,1584,1659 '4.88':163 '45':47,230,737 '5':431,1074,1163,1336,1344,1569,1672 '6':446,1243,1352,1704 '7':460,1358,1364,1686 '83':41,140,227 '9':174,728 'access':879,952,1690 'access-control':878 'action':1373 'activ':287,975 'activerecord':538 'actual':1239 'address':1574,1595,1605 'affect':126,438 'aggreg':1623 'ai':855 'algolia':857 'alway':259,1234,1425,1435,1446,1456,1640 'analysi':10,103 'analyt':862,897,1611 'analytics/telemetry':693 'analyz':54,489,497,505 'anonym':1622,1697 'answer':66 'api':391,425,540,628,774,888,930,942 'app':1051 'appli':1056,1096,1111,1123,1132,1141,1142,1482 'applic':699 'application.yml':664 'appsettings.json':663 'art':40,226 'articl':727 'ask':75 'assert':786 'assess':284,302 'asset':382 'assign':724 'assum':1040,1046,1052 'assumpt':1037,1507 'audit':106,288,683,701,1695 'authent':933 'author':935 'auto':1481 'auto-appli':1480 'automat':1478 'averag':159 'azur':845,854 'azure-pipelines.yml':676 'background':821 'backup':872,875 'bad':86 'base':251 'basi':722 'behavior':1652 'benchmark':258,1680 'bicep':557 'bigqueri':864 'biometr':1562 'blast':4,30,52,101,240,342,434,985,997,1244,1341,1346,1401,1552 'blob':846 'block':1315,1469 'bodi':919 'bola':938 'brazilian':1125 'breach':3,8,51,59,78,82,135,149,155,160,193,219,344,457,1061,1193,1207,1678 'brl':1127 'broad':941 'bucket':954 'build':304,1289 'bus':817 'busi':373,798 'cach':429,804 'calcul':432,987,996,1157,1171,1180 'calibr':1517 'california':1098 'call':889,1293,1457 'callback':784 'card':1578 'cardin':620 'cargo.toml':519 'case':355 'catastroph':1559 'categori':611,730 'ccpa':42,228,326,453,1110 'cfr':48,231,738 'chang':1389,1455,1485 'check':514,936 'ci/cd':670 'cite':235,1495 'citi':1609 'class':594 'classif':721 'classifi':394 'clear':1543 'cloudform':558 'code':555,1018,1119,1314,1468,1484 'code/config':1388 'codebas':112,290,385,1533 'com':1102 'combin':1576 'comment':625,1022 'communic':1197 'complet':1008,1641,1665 'complianc':324 'composer.json':521 'condit':1529 'config':390,661,678,1618 'configur':655 'consequ':130 'conserv':1032 'consist':194 'consult':1235 'consum':1050 'contain':810,956,970 'container':963 'content':1621,1636 'contract':392,629 'control':543,880,1540,1688,1691 'cooper':1190 'cor':949 'cost':94,151,161,459,1195,1223,1679 'could':119,423,1525 'counsel':279,1237 'count':248,1014,1028,1510 'cpf':1129 'credenti':19,1073,1567,1650 'credit':1198 'critic':1323,1377,1571 'csproj':522 'csv':906 'csv/excel':789 'currenc':1085,1128 'current':178 'custom':319 'data':2,13,21,50,58,110,148,154,299,320,346,349,351,381,395,408,422,576,583,585,610,653,690,710,716,755,761,768,787,795,826,832,883,913,922,959,1000,1007,1064,1069,1138,1269,1277,1283,1439,1461,1537,1563,1579,1619,1653,1692,1710 'data-breach-blast-radius':1 'databas':525,588,836 'datacent':1092 'datadog':697 'day':1414 'debug':972 'decreas':175 'definit':584,643,1521 'delet':415 'deliveri':899 'demand':1630 'demonstr':201 'deriv':273 'detect':485,509,1081,1655,1682 'determin':486 'devic':1596 'diagnosi':1116 'diagram':1281,1304,1477,1712 'dilig':203 'direct':357,1318 'disast':308 'discov':378 'distinguish':1518 'dob':1575 'docker/kubernetes':677 'domain':1090 'download':176,909 'dpia':303 'dpia/risk':283 'drive':1453 'dss':18,733,1648 'dtos':388,633 'due':199,202,1075 'e.g':1019 'edit':179 'effort':471,1396,1419 'elasticsearch':852 'elev':1600 'email':895,1587,1604 'email/sms/push':910 'encrypt':719,876,1689 'endpoint':426,776,931,973 'engin':337 'enter':769 'entir':507 'entiti':534,593,600 'env':659,660 'environ':657,964 'error':965 'estim':239,274,436,619,1011,1033,1166,1191,1200,1228,1355,1405,1451,1512,1664 'etc':233 'etl':791 'eu':1084,1086,1089,1091 'event':705 'everi':379,479,604,1504 'exact':212,214,269 'exampl':1556 'excel':908 'execut':472,1260,1429 'experienc':144 'expert':61 'explain':1545 'explicit':1515 'export':428 'expos':651,1063,1522,1527 'exposur':24,189,335,347,419,563,920,990,1003,1175,1184,1332,1337,1382,1667 'extern':654 'face':195,929,1206 'fenc':1313 'ff4444':1320 'ff8800':1326 'fhir':1120 'field':605,647,649,711,714,803,860,946,1115,1130,1274,1498 'figur':264 'file':530,548,580,658,662,667,672,777,842,1021,1496,1626,1633 'filesystem':849 'fill':1319,1325 'financi':243,1072,1213,1353,1449,1566,1649,1714 'find':368,1324,1505 'fine':34,198,216,452,1156,1174,1183,1219,1221,1674 'fingerprint':1597 'first':1187,1422,1434,1601 'fix':1386 'fixabl':1411 'fixtur':623 'flag':648,1408 'flow':22,116,409,756,1278,1462,1711 'follow':132,474,725 'form':772 'formal':282 'format':1088,1719 'formula':982,1158,1177,1661,1675 'found':712,1029,1094,1275 'foundat':1445 'framework':513,535 'full':105,569,745,1253,1572,1705 'gcs':847 'gdpr':39,225,325,451,726,1083,1095 'gdpr/ccpa/hipaa/lgpd/pdpa':1673 'gemfil':520 'general':1607 'generat':461,905,1211,1247,1251,1370 'geoloc':1593 'get':691 'github/workflows':673 'gitlab-ci.yml':674 'given':494,504 'global':158,403 'go.mod':517 'govern':1150,1560 'graphql':544,595,636 'grpc':546,640 'guidanc':1241 'handl':113,318 'hard':1017 'hard-cod':1016 'harden':464,1359,1365,1488,1717 'hash':1589 'health':1068,1113,1564 'heurist':249 'hibern':536 'high':1330,1380,1399,1586 'high-sever':1329,1379 'highest':1420 'hipaa':46,327,455,736,1122 'human':1491 'ibm':150,170,257 'icd':1118 'id':1561 'identifi':186,417,523,539,551,603,687,992 'idor':937 'impact':9,60,244,301,345,376,450,469,1165,1214,1354,1395,1400,1417,1450 'impact-per-effort':468 'import':69,788 'incid':310 'includ':915,1258,1436 'index':851,861 'infrastructur':553 'infrastructure-as-cod':552 'ingest':411,766,790 'insight':700 'integr':694 'intern':1044,1209 'inventori':11,350,577,1270,1440 'invoc':358 'ip':1594 'item':1410 'jargon':1266 'jenkinsfil':675 'job':822 'jurisdict':444,1080,1144,1170,1351,1681 'kafka':814 'key':809 'label':1555 'languag':510 'law':267 'law-sourc':266 'layer':526,541,587,630,684,805 'leadership':338,1431 'leak':120,424 'leav':884 'left':974 'legal':211,213,278,1196,1236 'lgpd':1131 'likelihood':1004,1668 'line':1501 'link':752 'load':567,1627 'local':848 'locat':1608 'log':389,427,682,685,692,702,957,1696 'logic':799,1109 'low':1397 'lower':196 'm':164 'malaysia':1136 'mani':122 'map':607,679,1279,1463 'mark':1409 'markup':1292,1297 'match':1146 'matrix':1669 'matter':139 'max':1218 'maximum':217,1173 'medic':1117 'medium':1398 'memcach':807 'mention':341,1100 'mermaid':1280,1291,1467,1709 'messag':642,812,918,966 'methodolog':255 'migrat':531,590 'minim':1535,1693 'minimum':1182 'minor':1066 'misconfigur':950 'miss':934 'mission':63 'mixpanel':696 'model':250,272,387,528,586,592 'model-deriv':271 'mongoos':601 'monitor':1199 'move':762,1284 'multipli':1058,1203,1557,1666 'must':1257 'name':617,1499,1573,1602 'need':948,1632 'never':74,275,1464,1479 'new':315 'non':1616 'non-person':1615 'nosql':838 'note':614,720,1225 'notif':220,458,911,1151,1160,1194,1222,1676 'number':1502,1583,1591 'oauth':783 'occur':136 'offens':1188 'on-demand':1628 'onboard':313 'one':147 'openapi':549,644 'opensearch':853 'oper':800 'orang':1327 'order':466,478 'organ':142,184 'organiz':1454 'orm':527,591 'outbound':887 'output':262,669,1309,1423,1465 'over':940 'owasp':253 'package.json':515 'pan':1580 'paragraph':1264 'part':739 'parti':781,892,926 'passport':1582 'password':1568,1588 'path':492,502,1497 'pattern':1139,1656,1683,1698 'payload':820,901 'payment':893,1577 'pci':17,732,1647 'pci-dss':16,731,1646 'pdf':907 'pdpa':1140 'penalti':454 'pentest':296 'peopl':123 'per':470,1350 'per-jurisdict':1349 'percentag':1404 'perform':98 'person':1617 'phi':15,1645 'philippin':1137 'phone':1087,1590 'pii':14,811,859,971,1644 'pii/phi/financial/credential':1273 'pipelin':671,792 'plan':238,312,1231,1374 'point':190,767,794,831,882,921,1333 'pom.xml':518 'popul':440,1005,1009,1662 'post/put':775 'pre':7 'pre-breach':6 'precis':1592 'prepar':297,321 'present':1486 'primari':750,835 'priorit':463,1372,1687 'prisma':532,597 'proactiv':100 'process':300,412,793,829 'processor':894 'produc':27,207,1447 'product':977,1039 'project':508 'proper':871 'proto':547,641 'provid':896 'public':928,951,1205,1620 'public-fac':927,1204 'pulumi':559 'purpos':718,1232 'qualifi':277 'quantifi':372,447 'query/mutation':637 'question':71 'queue':430,813 'quick':1406 'rabbitmq':818 'radius':5,31,53,102,241,343,435,986,998,1245,1342,1347,1402,1553 'rang':35,245,1357 'rank':1339 'raw':1466 'reach':924 'read':564,978,1153,1248,1367,1432 'readm':1023 'realist':1185,1220,1356 'record':247,437,713,1114,1509,1565 'recoveri':309 'red':1321 'redi':806 'redshift':866 'reduct':1403 'refer':1625 'references/blast-radius-calculator.md':979,1657 'references/data-classification.md':565,613,742,1637 'references/hardening-playbook.md':1362,1368,1684 'references/regulatory-impact.md':1154,1179,1670 'references/report-format.md':1249,1702 'references/sources.md':237,748 'region':1093 'regul':1217 'regulatori':29,129,197,215,323,375,404,443,449,1077,1079,1164,1240,1345,1391 'remedi':188 'render':1305,1472 'rendermermaiddiagram':1294,1458 'replac':276 'report':32,156,171,1246,1254,1256,1706 'report/export':904 'reput':1202 'request':340 'request/response':632 'requir':1161 'requirements.txt':516 'resid':1099 'resourc':562,1121 'respond':330 'respons':311,943 'rest':542,631,834 'restrict':1149 'return':638,944 'reveal':626 'review':294,306,1492 'right':83 'risk':254,352,442,1230,1392 'roadmap':465,1360,1366,1489,1718 'rule':1424 's3':844 'saa':1038 'sanction':456 'say':1513,1541 'scale':627,1006,1010,1663 'scan':578,1548 'scenario':356 'schema':386,529,533,545,589,598,602 'scope':483,499,870 'score':23,242,981,999,1343,1660 'search':850,856 'secret':656,681 'secur':70,293 'see':741 'seeder':622,1020 'segment':695 'sensit':12,109,348,380,570,575,582,652,709,760,802,958,1001,1268,1438,1536 'sent':903 'sentri':698 'seri':841 'serial':635 'servic':816 'sever':397,1078,1331,1381,1418,1549 'short':1300 'show':172 'singapor':1134 'skill':97,206,362,371 'skill-data-breach-blast-radius' 'snowflak':865 'soc':328 'sort':1415 'sourc':36,222,268,751 'source-github' 'spec':550,646 'special':729 'specif':1107,1387,1494 'sql':837 'sqlalchemi':537 'sqs':815 'src':496 'ssn':1581 'sso':785 'stack':484,968,1701 'standard':405,1614 'start':1426 'state':260,1035,1106,1506 'state-specif':1105 'statement':686 'stdout/stderr':961 'step':476,481,573,753,983,994,1162,1242,1363,1638,1658,1671,1685,1703 'storag':413,561,830,843,953 'store':873 'stripe':1103 'strong':1539 'style':1317 'submiss':773 'summari':1215,1261,1430,1715 'swagger':645 'synaps':867 'syntax':1713 'system':316,765,771,886,1287 't1':1558 't2':1570 't3':1585 't4':1599 't5':1613 'tabl':703,1216,1271,1348,1441,1716 'table/collection':616 'table/source':715 'tax':1108 'taxonomi':572,746,1642 'team':73 'tech':1700 'templat':1707 'terraform':556 'terraform/bicep':665 'thailand':1135 'third':780,891 'third-parti':779 'tier':398,399,571,717,723,1002,1550,1554 'time':480,840 'time-seri':839 'timelin':221,1152,1224,1677 'titl':1301 'token':1694 'tool':365,1045,1210,1471 'top':1335 'topic-agent-skills' 'topic-agents' 'topic-awesome' 'topic-custom-agents' 'topic-github-copilot' 'topic-hacktoberfest' 'topic-prompt-engineering' 'trace':20,407,757,758,969 'track':706 'transmiss':414,881 'trigger':445,1169 'type':596,639 'typeorm':599 'unauthor':925 'unlik':364 'upload':778 'us':95,1101,1104 'usag':1610 'use':402,1024,1030,1176,1316,1634 'used/transformed':797 'user':439,689,1013,1043,1049,1055,1126,1394 'v4.0':734 'valu':1421 'variabl':666 'vector':25,420,991,1338,1383 'verbatim':37,223 'visual':1306,1476 'vs':208,270,1208 'vulner':369,939 'warehous':863 'webhook':782,898 'win':1407 'without':932 'work':363 'worker':824 'workflow':473 'worst':354 'worst-cas':353 'would':87,92,124,131,1062 'www.ibm.com':182 'www.ibm.com/reports/data-breach.':181 'x':1530","prices":[{"id":"911dfdec-75c8-4b36-baae-88869b0c1317","listingId":"219fb6ed-bc40-4822-a6e2-6cac89e3f6bc","amountUsd":"0","unit":"free","nativeCurrency":null,"nativeAmount":null,"chain":null,"payTo":null,"paymentMethod":"skill-free","isPrimary":true,"details":{"org":"github","category":"awesome-copilot","install_from":"skills.sh"},"createdAt":"2026-04-28T06:52:00.359Z"}],"sources":[{"listingId":"219fb6ed-bc40-4822-a6e2-6cac89e3f6bc","source":"github","sourceId":"github/awesome-copilot/data-breach-blast-radius","sourceUrl":"https://github.com/github/awesome-copilot/tree/main/skills/data-breach-blast-radius","isPrimary":false,"firstSeenAt":"2026-04-28T06:52:00.359Z","lastSeenAt":"2026-05-18T18:52:09.475Z"}],"details":{"listingId":"219fb6ed-bc40-4822-a6e2-6cac89e3f6bc","quickStartSnippet":null,"exampleRequest":null,"exampleResponse":null,"schema":null,"openapiUrl":null,"agentsTxtUrl":null,"citations":[],"useCases":[],"bestFor":[],"notFor":[],"kindDetails":{"org":"github","slug":"data-breach-blast-radius","github":{"repo":"github/awesome-copilot","stars":33270,"topics":["agent-skills","agents","ai","awesome","custom-agents","github-copilot","hacktoberfest","prompt-engineering"],"license":"mit","html_url":"https://github.com/github/awesome-copilot","pushed_at":"2026-05-18T01:26:59Z","description":"Community-contributed instructions, agents, skills, and configurations to help you make the most of GitHub Copilot.","skill_md_sha":"0496b1593ce4758a84aacd5b10198289681c2cb3","skill_md_path":"skills/data-breach-blast-radius/SKILL.md","default_branch":"main","skill_tree_url":"https://github.com/github/awesome-copilot/tree/main/skills/data-breach-blast-radius"},"layout":"multi","source":"github","category":"awesome-copilot","frontmatter":{"name":"data-breach-blast-radius","description":"Pre-breach impact analysis: inventories sensitive data (PII, PHI, PCI-DSS, credentials), traces data flows, scores exposure vectors, and produces a regulatory blast radius report with fine ranges sourced verbatim from GDPR Art. 83, CCPA § 1798.155(a), and HIPAA 45 CFR § 160.404. Cost benchmarks from IBM Cost of a Data Breach Report (annually updated). All citations in references/SOURCES.md for verification. Use when asked: \"assess breach impact\", \"what data could be exposed\", \"calculate blast radius\", \"data exposure analysis\", \"how bad would a breach be\", \"quantify data risk\", \"sensitive data inventory\", \"data flow security audit\", \"pre-breach assessment\", \"worst-case breach scenario\", \"breach readiness\", \"data risk report\", \"/data-breach-blast-radius\". For any stack handling user data, health records, or financial information. Output labels law-sourced figures (exact) vs heuristic estimates (planning only). Does not replace legal counsel."},"skills_sh_url":"https://skills.sh/github/awesome-copilot/data-breach-blast-radius"},"updatedAt":"2026-05-18T18:52:09.475Z"}}