A Cybersecurity Firm Automated Incident Response with Governed AI Agents

A cybersecurity firm operates a 24/7 SOC for 120 enterprise clients. AI agents handle threat detection, alert triage, containment actions, evidence collection, and initial remediation, processing 50,000+ security events daily.

The Challenge

What they were facing

  • 38 min average time from alert to containment with manual SOC processes
  • 23% of P1 incidents had containment delayed by manual approval bottlenecks
  • 0 containment actions had cryptographic evidence chains for post-incident review

How it works

See the difference

  • Threat detected: lateral movement from a compromised endpoint
  • Alert fires in SIEM: priority P1, but it enters the analyst queue
  • Analyst reviews (18 min wait): queue backlog during off-hours
  • Manual containment: analyst isolates the host, 38 min total
  • Evidence collection: manual, incomplete, no chain of custody

The Solution

What they deployed

  • Installed SecOps domain pack with incident response, threat containment, and forensics intents
  • Pre-authorized P1 containment actions: host isolation, network segmentation, credential rotation
  • P2/P3 containment requires analyst approval with 15-minute SLA escalation
  • Connected CrowdStrike, Splunk, and PagerDuty via Intended connectors
  • Every containment action produces a court-admissible evidence chain

Implementation

From zero to governed

  • Week 1, Map: Catalogued all SOC AI agent actions. Classified 28 incident response intents across detection, containment, and remediation.
  • Week 2, Configure: Installed the SecOps pack. Defined pre-authorization rules for P1 containment, approval workflows for P2/P3, and the evidence chain format.
  • Week 3, Integrate: Connected SIEM, EDR, and ticketing systems. Validated the evidence chain format with the legal team for court admissibility.
  • Week 4, Enforce: Enabled enforcement. The first automated P1 containment with a full evidence chain executed in 1.8 seconds.

Results

Measurable impact

  • Under 2s P1 containment time, down from 38 minutes
  • 100% evidence chain coverage, in a court-admissible format
  • 0% P1 containment delays from approval bottlenecks
  • 50K+ events governed daily across 120 enterprise clients

Decision Replay

Real decisions, full trace

Timestamp | Intent | Risk score | Decision | Latency

2026-03-15 02:14:33 | sec.incident.containment | RISK: 74/100 | ALLOW | 18ms

Isolate endpoint WS-ACME-4821: lateral movement detected from compromised credentials

Resolved by: Policy: P1 containment pre-authorized (host isolation)

2026-03-15 02:14:34 | sec.incident.credential-rotation | RISK: 68/100 | ALLOW | 22ms

Force credential rotation for user jsmith@acme.com: compromised session detected

Resolved by: Policy: P1 credential rotation pre-authorized

2026-03-15 06:33:17 | sec.incident.containment | RISK: 82/100 | ESCALATE | 15ms

Block outbound traffic from subnet 10.4.0.0/24: data exfiltration attempt

Resolved by: SOC Lead (approved subnet isolation in 2m 44s)

2026-03-15 09:18:42 | sec.forensics.evidence-collection | RISK: 45/100 | ALLOW | 31ms

Collect memory dump from server DB-PROD-03 for forensic analysis

Resolved by: Policy: forensic collection auto-approved for active incident

2026-03-15 14:22:08 | sec.remediation.firewall-change | RISK: 88/100 | ESCALATE | 19ms

Update firewall rules to block known C2 IPs across all client environments

Resolved by: Security Director (approved global rule change in 8m 33s)
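One way to implement the pre-authorization gate from "What they deployed" and the cryptographic evidence chain behind the replay entries above, as an added example in Python; it is not the vendor's code, and the policy table, signing key, intent names beyond those on the page, and sample requests are constructed for illustration:

```python
import hashlib
import hmac
import json
from datetime import datetime, timedelta, timezone

# Constructed policy table: the P1 actions the page lists as pre-authorized.
PREAUTHORIZED_P1 = {"host-isolation", "network-segmentation", "credential-rotation"}
APPROVAL_SLA = timedelta(minutes=15)   # P2/P3 containment escalates on a 15-minute SLA
SIGNING_KEY = b"constructed-demo-key"  # placeholder; keep the real key in an HSM/KMS

def decide(intent, action, priority, ts, active_incident=True):
    """Return (decision, resolved_by, approval_deadline) for one agent request."""
    if intent == "sec.forensics.evidence-collection" and active_incident:
        return "ALLOW", "Policy: forensic collection auto-approved for active incident", None
    if intent.startswith("sec.incident.") and priority == "P1" and action in PREAUTHORIZED_P1:
        return "ALLOW", f"Policy: P1 {action} pre-authorized", None
    # Anything else waits for a human; the SLA clock starts at the request time.
    return "ESCALATE", "Pending analyst approval", ts + APPROVAL_SLA

class EvidenceChain:  # append-only log; each record is HMAC-linked to its predecessor
    def __init__(self, key):
        self.key, self.records = key, []
    def _digest(self, body):
        payload = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
        return hmac.new(self.key, payload, hashlib.sha256).hexdigest()
    def append(self, **fields):
        prev = self.records[-1]["digest"] if self.records else "0" * 64
        body = dict(fields, prev=prev)       # link to the previous record
        body["digest"] = self._digest(body)  # digest covers every field except itself
        self.records.append(body)
    def verify(self):  # True only if no record was altered, removed or reordered
        prev = "0" * 64
        for rec in self.records:
            body = {k: v for k, v in rec.items() if k != "digest"}
            if rec["prev"] != prev or not hmac.compare_digest(self._digest(body), rec["digest"]):
                return False
            prev = rec["digest"]
        return True

def replay_demo():
    chain, t0 = EvidenceChain(SIGNING_KEY), datetime(2026, 3, 15, 2, 14, 33, tzinfo=timezone.utc)
    requests = [("sec.incident.containment", "host-isolation", "P1", t0),  # constructed requests
                ("sec.incident.containment", "subnet-isolation", "P2", t0 + timedelta(hours=4))]
    outcomes = []
    for intent, action, priority, ts in requests:
        decision, resolved_by, deadline = decide(intent, action, priority, ts)
        chain.append(ts=ts.isoformat(), intent=intent, action=action, priority=priority, decision=decision,
                     resolved_by=resolved_by, deadline=deadline.isoformat() if deadline else None)
        outcomes.append(decision)
    return outcomes, chain
```

A reviewer replaying the log re-runs `verify()`; any edit to an earlier record breaks every later link, which is what makes the chain usable as evidence of policy authorization.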

We went from 38-minute containment times to under 2 seconds for P1 incidents. But the real win is the evidence chain -- every containment action has cryptographic proof that it was policy-authorized. Our clients' legal teams love it.

SOC Director, Cybersecurity Firm
