Agentic Incident Response Pack

What this is. SecurityRecipes should not stop at prevention. This pack gives an enterprise team a deterministic way to classify an agentic incident, correlate run receipts and context hashes, contain MCP authority, preserve evidence, replay the failure, and produce a trust-center-ready readout.

The product bet

SecurityRecipes is positioned as The Secure Context Layer for Agentic AI. A credible secure context layer must answer two questions:

  • Can the platform prevent unsafe context, authority, and tool use before an agent acts?
  • When prevention fails, can the platform prove what happened, contain authority, and replay the failure before the workflow scales again?

The Agentic Incident Response Pack fills that second gap. It turns the generated control-plane evidence into a response model for context-poisoning, MCP tool misuse, authorization confused-deputy events, token passthrough, agent handoff leakage, memory or skill compromise, high-impact autonomy near misses, and receipt integrity gaps.

This makes AI easier for enterprises because SOC, AI platform, security engineering, GRC, and procurement teams can inspect one machine-readable artifact instead of reverse-engineering a failure from chat transcripts.

What was added

  • data/assurance/agentic-incident-response-profile.json - source contract for incident classes, response phases, required evidence, severity thresholds, standards alignment, and operational packaging.
  • data/evidence/agentic-incident-response-pack.json - generated incident response pack for MCP clients, CI drift checks, and reviewer diligence.
  • recipes_agentic_incident_response_pack - MCP lookup by incident class, workflow, severity, or response decision.

Evaluate a token passthrough incident:

What is inside

Section Purpose
incident_response_summary Class counts, response phase counts, workflow coverage, decision distribution, severe incident coverage, required evidence count, and source failure count.
incident_contract Default fail-closed state, required runtime fields, required evidence sources, and severity thresholds for SEV0 through SEV3.
incident_classes Response models for context poisoning, MCP tool misuse, identity abuse, token passthrough, handoff leakage, memory or skill compromise, high-impact autonomy, and evidence gaps.
response_phases Detect, contain, preserve, eradicate, replay, recertify, disclose, and learn phases mapped to minimum evidence and MCP tools.
workflow_response_matrix Per-workflow incident classes, severity floor, containment actions, readiness state, risk tier, MCP namespaces, and replay requirements.
tabletop_cases Ready-made tabletop cases for poisoned context, token forwarding, production writes without approval, and missing receipts after drift.
source_artifacts Hashes and paths for the source evidence packs used to build the incident response model.

MCP examples

Get the executive summary and workflow matrix:

{}

Inspect a specific incident class:

{
  "incident_class_id": "mcp-authorization-confused-deputy"
}

Inspect incident response coverage for a workflow:

{
  "workflow_id": "artifact-cache-quarantine"
}

Find SEV0-class response surfaces:

{
  "severity": "sev0"
}

Evaluate one runtime incident signal:

{
  "incident_id": "inc-2026-ctx-001",
  "workflow_id": "sensitive-data-remediation",
  "run_id": "run-ctx-001",
  "agent_id": "sr-agent::sensitive-data-remediation::codex",
  "identity_id": "sr-agent::sensitive-data-remediation::codex",
  "tenant_id": "tenant-a",
  "correlation_id": "corr-ctx-001",
  "incident_class_id": "context-poisoning",
  "severity_signal": "sev1",
  "source_event_ids": ["poisoning-finding-1"],
  "receipt_id": "receipt-ctx-001",
  "context_source_hashes": ["sha256:example"],
  "mcp_namespaces": ["findings.sde", "repo.contents"],
  "authorization_decisions": ["allow_authorized_mcp_request"],
  "containment_action_ids": ["hold_context_source_promotion"],
  "indicators": ["critical_poisoning_finding"]
}

Why it is review-ready

The prevention layer creates trust. The incident layer creates operational confidence.

The site should not be only a documentation archive or recipe catalog. It needs a control-plane story that a security team can inspect, run, and improve. Agentic incident response becomes useful when the open evidence can support:

  • hosted run-receipt vault,
  • SIEM and SOAR exports,
  • signed incident evidence bundles,
  • MCP kill-switch automation,
  • customer trust-center incident readouts,
  • continuous replay of incident-derived eval cases,
  • workflow recertification gates after context, connector, model, or policy drift.

That is a credible trusted-source layer around the open knowledge base: public guidance creates distribution, generated evidence creates trust, and hosted response automation remains a later deployment concern.

Industry alignment

The pack is anchored in current primary guidance:

See also