🚨

Incident Response Agent

Cybersecurity · Orchestrator · Claude Sonnet

Heartbeat: Continuous (event-driven)

Alert fires → triage, correlate, contain, brief — in minutes, not hours.

WHAT IT DOES

AI-native security orchestration and automated response. Monitors your security alerts (SIEM, WAF, IDS, logging systems). When an alert fires, runs automated triage: severity classification, correlation with other recent events (is this isolated or part of a pattern?), enrichment with threat intelligence. For confirmed incidents, executes containment playbooks — block IP, revoke token, isolate service — within predefined guardrails. Briefs your security team with a full incident timeline, affected systems, containment actions taken, and recommended next steps. Reduces mean time to respond from hours to minutes. All containment actions are logged and auditable.

WORKFLOW

  1. Monitor alerts (SIEM/WAF/IDS/logs)
  2. Triage severity
  3. Correlate with recent events
  4. Enrich with threat intel
  5. Execute containment playbook (within guardrails)
  6. Brief team with timeline + actions + recommendations
  7. Track resolution
  8. Post-incident report
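As an added illustration of steps 5 and 6 (not the product's own code), a minimal playbook runner that enforces predefined guardrails on the containment actions named above, records every decision in an audit log, and produces a brief. The guardrail table, the protected network range and the incident ids are constructed assumptions.

```python
"""Guardrailed containment runner with audit log (added example, constructed data)."""
from dataclasses import dataclass, field
from datetime import datetime, timezone
import ipaddress

# Constructed guardrails: which severities may trigger each action automatically,
# and how many times an action may run per incident before a human must step in.
GUARDRAILS = {
    "block_ip":        {"auto_severities": {"high", "critical"}, "max_per_incident": 5},
    "revoke_token":    {"auto_severities": {"critical"}, "max_per_incident": 3},
    "isolate_service": {"auto_severities": set(), "max_per_incident": 1},  # always needs approval
}
# Constructed protected range that must never be auto-blocked (e.g. the SOC's own egress).
NEVER_BLOCK = [ipaddress.ip_network("10.0.0.0/8")]

@dataclass
class Incident:
    incident_id: str
    severity: str
    audit_log: list = field(default_factory=list)
    counts: dict = field(default_factory=dict)

def run_action(incident, action, target, approved=False):
    """Run one containment action if guardrails allow; log the decision either way.
    Returns 'executed', 'needs_approval' or 'refused'."""
    rule = GUARDRAILS.get(action)
    if rule is None:
        outcome = "refused"  # unknown action: never execute
    elif action == "block_ip" and any(ipaddress.ip_address(target) in n for n in NEVER_BLOCK):
        outcome = "refused"  # protected range
    elif incident.counts.get(action, 0) >= rule["max_per_incident"]:
        outcome = "refused"  # per-incident cap reached
    elif approved or incident.severity in rule["auto_severities"]:
        outcome = "executed"
    else:
        outcome = "needs_approval"
    if outcome == "executed":
        incident.counts[action] = incident.counts.get(action, 0) + 1
        # A real runner would call the firewall / IdP / orchestrator API here.
    incident.audit_log.append({
        "ts": datetime.now(timezone.utc).isoformat(), "incident": incident.incident_id,
        "action": action, "target": target, "approved": approved, "outcome": outcome,
    })
    return outcome

def brief(incident):
    """Step 6: summarise what was done and what still awaits a human decision."""
    taken = sum(1 for e in incident.audit_log if e["outcome"] == "executed")
    pending = sum(1 for e in incident.audit_log if e["outcome"] == "needs_approval")
    return {"incident": incident.incident_id, "severity": incident.severity,
            "actions_taken": taken, "awaiting_approval": pending}
```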

SKILLS

alert-triager
event-correlator
threat-enricher
playbook-runner
incident-briefer
post-mortem-generator

INTEGRATIONS

SIEM
WAF
Logging APIs
Slack
PagerDuty