
Security at Speed

Incident response agents act at machine speed within bounded authority. Destructive actions escalate. Every decision is cryptographically signed and hash-chained for forensic review.

Response Risk

Uncontrolled blast radius

Automated remediation can cause more damage than the incident when scope is unconstrained.

No audit trail under pressure

Manual incident response bypasses change management. Forensic review happens weeks later, if at all.

Binary automation

Existing tools offer all-or-nothing automation. Intended provides graduated authority with risk-proportional controls.

Control Pattern

Bounded incident response

Generally Available

Host isolation, session revocation, and network quarantine actions execute under policy-defined authority limits. Agents respond at machine speed within explicit boundaries.

Escalation for destructive actions

Generally Available

Credential rotations, firewall rule changes, and organization-wide revocations route to human approvers with full evidence payloads. No destructive action executes without explicit approval.

Risk scoring with security context

Generally Available

An eight-factor risk model evaluates factors including blast radius, reversibility, environment sensitivity, and privilege level. Security teams configure thresholds per action class.

Forensic audit chain

Generally Available

Every containment action produces a hash-chained audit record with HMAC-signed evidence bundles. Compliance teams verify decisions independently without database access.
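
The following is an added example, not Intended's code or record format, showing how a hash-chained audit log with HMAC-signed evidence bundles can be verified from exported records alone. The field names, SHA-256 and HMAC-SHA256, the canonical JSON encoding, the all-zero genesis hash, and the shared verification key are assumptions.

```python
# Added example: record layout and field names are assumptions, not Intended's format.
import hashlib
import hmac
import json

GENESIS = "0" * 64  # assumed prev_hash for the first record

def canon(obj):
    """Deterministic JSON so hashes and MACs are reproducible."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()

def mac_of(key, evidence):
    return hmac.new(key, canon(evidence), hashlib.sha256).hexdigest()

def record_hash(rec):
    """SHA-256 over every field except the record's own hash."""
    return hashlib.sha256(canon({k: v for k, v in rec.items() if k != "hash"})).hexdigest()

def append(chain, key, decision, evidence):
    """Writer: MAC the evidence bundle, then link to the previous record."""
    rec = {"seq": len(chain), "prev_hash": chain[-1]["hash"] if chain else GENESIS,
           "decision": decision, "evidence": evidence,
           "evidence_mac": mac_of(key, evidence)}
    rec["hash"] = record_hash(rec)
    chain.append(rec)

def verify(chain, key):
    """Verifier: needs only exported records and the key, no database.
    Returns (index, problem) pairs; an empty list means the chain is intact."""
    problems, prev = [], GENESIS
    for i, rec in enumerate(chain):
        if rec.get("seq") != i:
            problems.append((i, "sequence gap or reordering"))
        if rec.get("prev_hash") != prev:
            problems.append((i, "broken link to previous record"))
        if not hmac.compare_digest(record_hash(rec), rec.get("hash", "")):
            problems.append((i, "record contents altered"))
        if not hmac.compare_digest(mac_of(key, rec.get("evidence")), rec.get("evidence_mac", "")):
            problems.append((i, "evidence bundle MAC mismatch"))
        prev = rec.get("hash", "")
    return problems

def sample_chain(key):
    """Constructed records echoing the scenarios on this page."""
    chain = []
    append(chain, key, "AUTHORIZED", {"action": "iam.revoke_session", "risk": 38})
    append(chain, key, "ESCALATED", {"action": "org-wide credential rotation", "risk": 72})
    append(chain, key, "DENIED", {"action": "firewall rule deletion", "risk": 94})
    return chain
```

Because the chain hash itself is unkeyed, a verifier should also compare the final record hash against a copy held outside the system that wrote the log.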

Connector SDK for SOAR integration

Generally Available

Build custom execution adapters for your SOAR platform, EDR tooling, or cloud security services. The SDK enforces token verification before any adapter executes.

Identity-aware authority rules

Readiness Mode

Policy rules bind to actor identity, role, and trust score. New agents start with constrained authority that expands as operational reliability is demonstrated.

```json
{
  "action": "iam.revoke_session",
  "target": "compromised-service-account",
  "environment": "production",
  "context": {
    "severity": "critical",
    "blast_radius": "single_identity",
    "reversibility": "reversible"
  }
}
```

→ Decision: AUTHORIZED
→ Risk Score: 38
→ Rationale: Single-identity revocation within reversibility boundary. Auto-approved per policy sec-incident-response-v3.

Security intent evaluated and authorized in < 50ms.

Scenario Outcomes

Host isolation

Authorized

risk: 28/100

Single-host, reversible containment within policy bounds.

Org-wide credential rotation

Escalated

risk: 72/100

High blast radius triggers human approval requirement.

Firewall rule deletion

Denied

risk: 94/100

Irreversible, org-wide impact exceeds deny threshold.