Automated security incident handling in a dynamic environment

US10657469B2 · US · B2

Patent metadata

Publication number: US-10657469-B2
Application number: US-201414250789-A
Country: US
Kind code: B2
Filing date: Apr 11, 2014
Priority date: Apr 11, 2014
Publication date: May 19, 2020
Grant date: May 19, 2020

Abstract

Official abstract text for this publication.

In a method for estimating a severity of a current security incident reported by a customer for the customer's computer system, a processor receives from one or more administrators for a plurality of prior security incidents reported by the customer, identifications of a respective plurality of actual severities for the plurality of prior security incidents. The processor estimates, based in part on the plurality of identified actual severities of the prior security incidents, a severity of the current security incident. The processor reports the estimated severity for the current security incident.

First claim

Opening claim text (preview).

The invention claimed is:

1. A method for taking an immediate responsive action to a current security incident, the method comprising the steps of: receiving an incident report from a customer in a public cloud environment for a first virtual machine instance, the customer seeking an incident response from one or more administrators, the incident report identifying a current security incident affecting the first virtual machine instance; receiving, from the one or more administrators, a plurality of incident information datasets respectively corresponding to a plurality of actual severities for a plurality of prior security incidents reported for the virtual machine instance and customer information collected prior to receiving the incident report; generating a security score for the virtual machine instance based at least in part on: the plurality of actual severities for the plurality of prior security incidents, wherein a high actual severity of a prior security incident supports an estimate of a high security score for the virtual machine instance, the plurality of incident information datasets, wherein a basis for the incident report being from a third party image supports a high security score for the virtual machine instance, and the customer information, wherein the customer being associated with a current customer engagement via an account representative supports a higher security score than the customer being associated with a web-based engagement by a new customer; determining, by a processor, a severity level of the current security incident based on the security score for the virtual machine instance; responsive to the security level indicating an immediate responsive action, shutting down the virtual machine instance while retaining a historical dataset of the security incidents for the virtual machine instance; and reporting, to the one or more administrators, by the processor, the estimated severity level of the current security incident and the immediate responsive; wherein: the customer information is data available independent of the current security incident including: length of customer engagement and basis of billing schedule with the customer.

2. The method of claim 1 wherein: the customer information further includes an extent of services provided to customer; and the basis of billing schedule is a free trial.

3. The method of claim 1 wherein: the incident report is received as an email message reporting a potential security incident; and the plurality of incident information datasets includes an e-mail domain of the e-mail message reporting the potential security incident.

4. The method of claim 1 wherein the current security incident is based on one, or more, of the following: a security-service provider's image, a customer's own image, and a third party image.

5. The method of claim 1 wherein the plurality of prior security incidents are identified according to one, or more, of the following: an account, an account user, and a virtual machine instance.

6. The method of claim 1 further comprising the step of: identifying the actual severity for the current security incident based on an outcome of the immediate responsive action to the current security incident.

7. A computer program product for taking an immediate responsive action to a current security incident, the computer program product comprising a non-transitory computer readable storage medium having stored thereon: first program instructions programmed to receive an incident report from a customer in a public cloud environment for a first virtual machine instance, the customer seeking an incident response from one or more administrators, the incident report identifying a current security incident affecting the first virtual machine instance; second program instructions programmed to receive from the one or more administrators, a plurality of incident information datasets respectively corresponding to a plurality of actual severities for a plurality of prior security incidents reported for the virtual machine instance and customer information collected prior to receiving the incident report; third program instructions programmed to estimate, by a processor, a severity of the current security incident by generating a security score for the virtual machine instance based at least in part on: the plurality of actual severities for the plurality of prior security incidents, wherein a high actual severity of a prior security incident supports an estimate of a high security score for the virtual machine instance, the plurality of incident information datasets, wherein a basis for the incident report being from a third party image supports a high security score for the virtual machine instance, and the customer information, wherein the customer being associated with a current customer engagement via an account representative supports a higher security score than the customer being associated with a web-based engagement by a new customer; fourth program instructions programmed to determine a severity level of the current security incident based on the security score for the virtual machine instance; fifth program instructions programmed to, responsive to the security level indicating an immediate responsive action, shut down the virtual machine instance while retaining a historical dataset of the security incidents for the virtual machine instance; and sixth program instructions programmed to report, to the one or more administrators, by the processor, the estimated severity level of the current security incident and the immediate responsive action; wherein: the customer information is data available independent of the current security incident including: length of customer engagement and basis of billing schedule with the customer.

8. The computer program product of claim 7 wherein: the customer information further includes an extent of services provided to customer; and the basis of billing schedule is a free trial.

9. The computer program product of claim 7 wherein: the incident report is received as an email message reporting a potential security incident; and the plurality of incident information datasets includes an e-mail domain of the e-mail message reporting the potential security incident.

10. The computer program product of claim 7 wherein the current security incident is based on one, or more, of the following: a security-service provider's image, a customer's own image, and a third party image.

11. The computer program product of claim 7 wherein the plurality of prior security incidents are identified according to one, or more, of the following: an account, an account user, and a virtual machine instance.

12. The computer program product of claim 7 wherein the computer readable storage medium further has stored thereon: seventh program instructions programmed to identify the actual severity for the current security incident based on an outcome of the immediate responsive action to the current security incident.

13. A computer system for taking an immediate responsive action to a current security incident, the computer system comprising: a processor(s) set; and a computer readable storage medium; wherein: the processor set is structured, located, connected and/or programmed to run program instructions stored on the computer readable storage medium; and the program instructions include: first program instructions programmed to receive an incident report from a customer in a public cloud environment for a first virtual machine instance, the customer seeking an incident response from one or more administrators, t
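As an added illustration, not code from the patent or from IBM, the scoring, severity-level and response steps of claim 1 (with the outcome feedback of claim 6) modelled in Python; every weight, threshold and field of the constructed VmRecord is an assumption chosen here, not a value the patent specifies:

```python
from dataclasses import dataclass, field

# Assumed weights (not from the patent); only the ordering follows claim 1:
# a third-party image supports a high score, and a customer engaged via an
# account representative outranks a new customer who signed up on the web.
IMAGE_SOURCE_SCORE = {"provider": 0, "customer": 1, "third_party": 3}
ENGAGEMENT_SCORE = {"account_representative": 2, "web_new_customer": 0}
# Assumed thresholds, checked from highest to lowest.
LEVELS = [(7, "immediate"), (4, "high"), (2, "medium"), (0, "low")]


@dataclass
class VmRecord:
    """Constructed per-instance record; field names are assumptions."""
    instance_id: str
    prior_severities: list        # administrator-identified actual severities (1-5)
    image_source: str             # "provider", "customer" or "third_party"
    engagement: str               # "account_representative" or "web_new_customer"
    history: list = field(default_factory=list)  # retained even after shutdown
    running: bool = True


def security_score(vm):
    """Claim 1: a high prior actual severity supports a high score."""
    prior = max(vm.prior_severities, default=0)
    return prior + IMAGE_SOURCE_SCORE[vm.image_source] + ENGAGEMENT_SCORE[vm.engagement]


def severity_level(score):
    for threshold, level in LEVELS:
        if score >= threshold:
            return level
    return "low"


def handle_incident(vm, report):
    """Score, classify, shut down on 'immediate' and keep the history."""
    score = security_score(vm)
    level = severity_level(score)
    action = "none"
    if level == "immediate":
        vm.running = False            # shutdown while the history is retained
        action = "shutdown"
    vm.history.append({"report": report, "score": score, "level": level, "action": action})
    return {"instance": vm.instance_id, "score": score, "level": level, "action": action}


def record_outcome(vm, actual_severity):
    """Claim 6: the actual severity learned from the outcome joins the priors."""
    vm.prior_severities.append(actual_severity)
    vm.history[-1]["actual_severity"] = actual_severity
```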

Assignees

IBM

Classifications

  • G06Q10/063 (primary CPC): Operations research, analysis or management

Frequently asked questions

Answers are generated from the same data shown on this page.

Who is the assignee on this patent?
IBM
What technology area does this patent fall under?
Primary CPC classification G06Q10/063. Mapped technology areas include Physics.
When was this patent published?
Publication date May 19, 2020 (B2). Legal status and post-grant events are not shown on this page.
What related patents are in patentsdb?
We list 1 related publication on this page (citations in our corpus or others sharing the same primary CPC).