Agentic SOC Incident Response Surface

Incident response and containment is where the SOC stops acting on the estate. Detection and triage produce a verdict; investigation reconstructs the story; response changes state — it isolates a host, disables an account, quarantines a mailbox, blocks an indicator, or rolls a credential. This is the per-function deep-dive for the incident-response function of the Agentic SOC Reference Architecture, describing how to build the response agent surface. The maturity half — how high this function’s autonomy may legitimately climb — is scored by the Agentic SOC CMM.

The function runs primarily on three of the RA’s planes: the Identity & Action-Authority plane (the agent’s scoped, revocable authority to act on the estate), the Policy & Enforcement plane (the deterministic gates every consequential action crosses), and the human-authority boundary (where containment is approved, overridden, or revoked). Its autonomy is gated by more CMM domains than any other function — D4 (Agent Identity & Action-Authority), D5 (Observability & Oversight), D7 (Resilience & Agent Supply Chain), and D8 (People & Governance). It is the only function whose gates reach the full L4 set, because its actions are the most consequential and the least reversible the SOC takes.

A containment action with excessive blast radius is itself an outage. Isolating the wrong subnet, disabling a service account a hundred jobs depend on, or blocking a production CIDR converts a security control into an availability incident. That is why this function carries the heaviest gating: the cost of over-delegation here is not a missed detection but a self-inflicted disruption at machine speed.

The agent surface

On the supervisor-worker topology, the orchestrator hands a confirmed incident to one or more response worker agents. A response agent does not decide whether there is an incident — that verdict arrives from the triage and investigation functions. It selects and executes a containment course of action against the affected assets, within the authority it holds.

The mechanism mix is deterministic-first by design. The reliable core is the pre-authorized containment playbook: a fixed action sequence with named blast-radius limits and explicit escalation conditions, the same shape a SOAR response playbook has carried for years. AI sits on top of that core in two roles — selecting which playbook fits the incident, and parameterizing it (which hosts, which accounts, which time window) from the investigation’s findings. The state-changing step itself crosses a deterministic gate; the AI proposes, the runtime acts. The plan-validate-execute pattern is the structural form: the agent emits a structured containment plan (action class, target resources, scope, source of intent), a non-LLM policy engine validates it against blast-radius limits and deny rules, and only a validated plan reaches execution. Validation is deterministic, not a second model, so it is not vulnerable to the same prompt injection that could subvert the agent.

The tools the agent calls are the response APIs of the estate: EDR host-isolation, identity-provider account disablement and session revocation, firewall and proxy block-lists, mailbox quarantine, cloud-workload quarantine, credential rotation. The data it reads is the case substrate the investigation function produced and the threat-intelligence grounding that scopes the indicators. Each call is identity-bound to the agent (D4), logged to a tamper-evident record, and carries a rollback reference where the action is reversible.

The human-authority boundary sits directly across the execution step for any action above the agent’s auto tier. Below that line — high-confidence, narrowly-scoped, reversible actions — a pre-authorized playbook runs without a human in the moment. Above it, the agent’s structured plan is surfaced for approval before execution. The boundary is asymptotic: even a fully delegated response function terminates here, with a human able to govern, override, and roll back. A distributed kill-switch generalizes the override so that every in-loop operator, not only a central console, can halt a running response before it completes.

This function is the operational form of the NIST AI RMF MANAGE function for the SOC: MANAGE requires that identified risks be prioritized and responded to, and the response surface is where that response changes state on the estate. The questions the upstream detection and escalation steps must answer — when an AI incident has occurred, who is notified, and how it escalates — are the same open post-deployment problems NIST AI 800-4 catalogs for monitoring deployed AI, since an AI-targeting incident often leaves no traditional file or network signature.

This function also carries the SOC’s AI-specific incident-response path. When the in-house AI-application surface is the target — a prompt-injection campaign, a jailbreak, RAG data exfiltration, an agent hijack — the response uses AI-IR playbooks (the CoSAI AI-IR shape) rather than host-and-network containment: revoke the agent’s identity, quarantine the affected model or retrieval pipeline, roll the leaked secrets, and reconstruct from a known-good baseline. The internet-scale multi-agent triage Wiz described in its Shai-Hulud response — parallelized victimology and automated secret-impact analysis across a supply-chain campaign — is the response-side counterpart at scale: many incidents, fanned out across worker agents, scoped and prioritized faster than a human team could.

Autonomy progression

The function’s autonomy is read on the CMM’s per-function ladder (L0 Manual → L4 Delegated). The ladder is mechanism-agnostic: deterministic SOAR occupies rungs on its own, and AI moves the function up the ladder faster, not into a different ladder. The load-bearing column is the gate — the gating rule holds that a function may run at autonomy L_k only when the domains governing that level are mature enough to support it.

LevelWhat it looks like for incident responseGating domains
L0 — ManualAn analyst executes every containment step by hand — pulls the cable, disables the account in the console, edits the block-list. No agent surface.
L1 — AssistedThe agent recommends a containment course of action and pre-stages it; a human reviews and executes. Decision support only, human-in-the-loop on every action.
L2 — Semi-autonomousRoutine sub-tasks run (enrichment, drafting the containment plan, pre-staging the API calls), but every consequential action — every state change on the estate — needs explicit human approval.D4 · D1
L3 — ConditionalHigh-confidence, narrowly-scoped containment runs autonomously within bounds; the agent escalates out-of-bounds actions to a human. Pre-authorized containment with blast-radius limits is the deterministic mechanism that makes this rung safe. Humans monitor on-the-loop and can intervene mid-action.+ D5 · D3
L4 — DelegatedThe response function owns its lifecycle within a governed authority boundary; humans govern outcomes and approve the upper-tier actions. Reached only where the organization can secure the response agents at scale and govern machine-speed response — including simultaneous incidents. Asymptotic: a human authority boundary remains.+ D7 · D8

The gates tighten in a way specific to this function:

  • D4 gates every rung. A response action is a state change on production, so it needs scoped, revocable authority and a per-action tier (auto / propose / approve / block) before it may run at all. D4 adds the control the data-access models do not carry: blast-radius limits — caps on how many hosts, accounts, or segments a single agent action may affect before it must escalate. L2 needs scoped authority and a coarse auto/approve split; L3 needs formal tiers and blast-radius caps enforced at a deterministic policy decision point. Pre-authorized containment is the deterministic mechanism that lets L3 run without a human in the moment: the action is bounded by a gate the agent cannot exceed, so its blast radius is capped even if its judgment is wrong.
  • D7 and D8 gate the upper rungs because a response agent is the most dangerous one to compromise or over-delegate. A privileged response agent can isolate a host, block an identity, and quarantine a workload — so a compromised response agent is an attacker that already holds containment authority. D7 keeps the agent’s composition verified and its failure mode fail-closed (no containment without verification); D4 bounds the damage if D7 fails. D8 requires that the organization can govern machine-speed response: a named owner of the autonomy-raising decision, rehearsal of simultaneous incidents, and the human-authority boundary held as a governed commitment rather than a tool setting.

The defined failure mode is operating above the earned ceiling — running response at L3 or L4 when the governing domains do not support it. For this function that failure is acute: a delegated containment with no blast-radius limit (D4 immature), no live oversight (D5 immature), or no compromised-agent recovery drill (D7 immature) is reckless autonomy whose first bad action is an outage. The weakest of D4, D5, D7, and D8 caps the function; the model names that domain as the one to mature next.

Control landscape (dated)

Vendors and patterns are named as dated, swappable examples, not endorsements. The deterministic core predates AI; the AI layer parameterizes and selects over it.

CapabilityWhat ships todayStatus (mid-2026)
Pre-authorized containment playbooksSOAR / response-platform playbooks with fixed action sequences, approval tiers, and escalation conditions (Splunk SOAR, Tines, Torq, Microsoft Sentinel automation rules, Google SecOps SOAR)GA and long-established; the deterministic spine of the function
Blast-radius / least-action gatingPer-action authority tiers (auto / propose / approve / block) and named scope caps configured over the response platform; plan-validate-execute with a non-LLM policy engine (Cedar, OPA) validating the structured containment planTiers and approval workflows GA in mainstream SOAR; per-action tiering over agents and plan-validate gating are a pattern assembled over them, not a shipped agent-governance product
Response API surfaceEDR host-isolation, IdP account disablement and session revocation, firewall/proxy block-list push, mailbox quarantine, cloud-workload quarantine, credential rotationGA across endpoint, identity, network, and cloud platforms; the actions the agent’s authority is scoped to
AI response agentsVendor response/containment agents in the agentic-SOC stacks (Microsoft Security Copilot, Google SecOps Gemini, CrowdStrike AIDR) selecting and parameterizing playbooksMix of GA and preview across vendors; current-state is dated and should be re-verified at use
Break-glass overrideHuman-authority approval, override, and rollback surfaces at the boundary; distributed kill-switch / halt-authority held by every in-loop operatorApproval/override GA in response platforms; the distributed-halt pattern is emerging, assembled from a gateway halt signal plus governance policy
AI-specific incident responseAI-IR playbooks (CoSAI AI-IR shape) for the in-house AI-application surface: agent-identity revocation, model/pipeline quarantine, secret rotation, known-good reconstructionPractice-level; the playbook content is the dated layer, the response mechanics reuse the deterministic spine above
Simultaneous-incident handlingMulti-agent triage and response fanned out across worker agents — parallelized victimology and automated secret-impact analysis (Wiz’s Shai-Hulud response)Practitioner-demonstrated at internet scale; not a packaged product, built from agent orchestration plus the response APIs

Failure modes and what to watch

  • Reckless containment (excessive blast radius). The defining risk of this function: an autonomous action that isolates too much, disables too broadly, or blocks production traffic. Bounded by D4 blast-radius limits and the deterministic plan-validate gate; an action above its tier or scope must escalate rather than execute. Watch the false-containment rate and the blast-radius-limit trigger count.
  • Over-delegation past the earned ceiling. Running L3/L4 response without the governing domains. Bounded by the gating rule (the weakest of D4/D5/D7/D8 caps the function) and the D8 autonomy-raising decision right — a named approver, a written evidence bar, a re-review date. Watch for autonomy that crept up because an agent “seemed reliable.”
  • Compromised response agent. A subverted agent with containment authority is an attacker inside the boundary. Bounded jointly by D7 (verified composition, fail-closed behavior, rehearsed compromised-agent recovery) and D4 (scoped, revocable authority that limits the damage). Watch for harness-config drift and run the compromised-agent recovery drill.
  • Irreversible-action regret. Some response actions cannot be cleanly rolled back (a rotated credential, a deleted resource). The plan-validate-execute confirm tier and a maintained rollback reference bound this; actions without a rollback path should sit higher up the authority tiers.
  • Review fatigue / rubber-stamping. When every containment needs approval, approvers degrade into approval bots and the human gate becomes nominal. Risk-proportional confirmation UX and surfacing the delta from expected behavior (per plan-validate-execute) mitigate it; the failure is a human boundary that exists on paper but not in practice.
  • Simultaneous-incident overload. Machine-speed attacks open several incidents at once and a human-paced response cannot keep a coherent authority boundary across them. Bounded by D8 rehearsal of the simultaneous-incident case and a communications plan that does not assume one incident commander.

The authority boundary at machine speed is asserted, not demonstrated

Every rung holds a human-authority boundary as the load-bearing control, and L4 requires that boundary to survive simultaneous, machine-speed incidents. No source on the wiki shows it actually holding under that load. The failure modes that erode it — rubber-stamping under approval volume, an incident-commander model that assumes one incident at a time — are precisely the conditions machine-speed attacks create. D8 prescribes rehearsing the simultaneous-incident case, but rehearsal is the recommendation, not evidence that a governed boundary keeps pace with autonomous containment. Whether a human boundary can bound machine-speed response across concurrent incidents is unresolved.

Right-sizing by org profile

The realistic autonomy target for response rises with the blast radius the function can reach and the maturity behind the gates. Because response is the most consequential function, its right-sized target sits a rung below the analysis functions for the same org.

BandRealistic response-autonomy targetWhy
Solo / smallL1 → L2, often via the providerNear or below the cyber-poverty line. Containment authority is narrow by necessity, and the team borrowing capability through an MSSP/MDR inherits the provider’s response playbooks and approval controls. For its few in-house agents, recommend-and-approve (L1) and a coarse auto-tier on narrow reversible actions (L2) are achievable and sufficient. AI lowers the barrier to the lower rungs — a small team gets pre-staged, parameterized containment without hand-building the SOAR playbook or wiring the ETL the older automation demanded. Delegated response is not warranted; the blast radius of getting it wrong outweighs the speed gain
MidL2 → selective L3An in-house SOC can run formal auto/propose/approve/block tiers with blast-radius limits (D4 L3) and a working human-on-the-loop oversight surface (D5 L3), then let high-confidence, narrowly-scoped containment run in-bounds on its highest-volume incident types. Pre-authorized containment with deterministic gating does the heavy lifting; L3 is earned per action class, not switched on wholesale
EnterpriseSelective L3 → L4 on narrow action classesA full response-agent fleet with broad containment authority can reach delegated response, but only where D7 (rehearsed compromised-agent recovery, signed and reconciled agent composition) and D8 (governed autonomy-raising, simultaneous-incident rehearsal, the human-authority boundary as a standing commitment) both hold. Even at L4 the boundary remains: the upper-tier and irreversible actions terminate at human approval, and the delegation is scoped to the action classes whose blast radius is bounded and reversible

Relations