Incident Response — Agentic MTTR Demo

INC17838777777644

P1in_progressai_assistedLive — updating every 2s

Anomalous burst of authentication failures from distributed IP range

Awaiting human decision — responsible group: security-operations · paged: security-operations-secondary-oncall
Pipeline Status
Context Assembly
Diagnose Agent
Severity / Routing Agent
Scenario Match
Remediate Agent
Confidence Gate
Gate Decisionveto window closed — finalizing
Execute Action
Verify Agent
Resolution
Assembled Context — bounded to last 30 minutes
Rolling logs
Recent commits
(none in lookback window)
Similar past incidents
INC177885108473992 · security/P1 · 58d ago — Anomalous burst of authentication failures from distributed IP range
INC1776507679045101 · security/P1 · 85d ago — Anomalous burst of authentication failures from distributed IP range
INC17838763391881 · security/P1 · 9999d ago — Anomalous burst of authentication failures from distributed IP range
Diagnosis Agent
ran in parallel
Active distributed credential stuffing / brute-force attack targeting high-value accounts, which is currently unmitigated because the WAF rate-limiting rule is configured in monitor-only mode.
  • [auth-service] WARN 4200 failed login attempts in 5 minutes across 340 distinct source IPs
  • [auth-service] WARN failed attempts targeting 12 distinct high-value accounts
  • [waf] INFO rate-limit rule triggered but not blocking (monitor mode)
Assessed: P3 / security
Self-reported confidence: 90% (audit-only — not used by the gate)
gemini-flash-latest · 12957ms
Severity / Routing Agent
ran in parallel
P2 / security
Routed to: security-operations
The incident involves a distributed credential stuffing attack targeting high-value accounts. While the WAF is in monitor mode and not blocking, the volume of attempts and the targeting of specific accounts indicate a significant security threat. It is classified as P2 because there is no evidence of successful account compromise or complete service unavailability at this time, but it requires immediate intervention to prevent potential data breaches.
Self-reported confidence: 95% (audit-only — not used by the gate)
gemini-flash-lite-latest · 1057ms
Scenario Matcher
deterministic, pre-LLM
Anomalous authentication failure burst
Authentication anomalies are always escalated to the security on-call; no automated remediation action is in the bounded catalog for this class.
Match score: 68% · Recommended action: escalate_to_human
Remediate Agent
grounded by runbook match, pre-gate
Proposed action: escalate_to_human
team: security-operations · reason: WAF rate-limit rule is monitor-only, not blocking attacks · message: Escalate to security on-call for credential stuffing attack · serviceName: auth-service · justification: Runbook recommends escalation; no automated remediation available
The diagnosis shows an active credential‑stuffing attack that is not being blocked because the WAF rate‑limit rule is in monitor mode. The matched runbook explicitly advises escalation to the security on‑call, and there is no automated remediation in the bounded catalog for this scenario. Therefore the appropriate bounded action is 'escalate_to_human' with relevant context provided in the parameters.
openai/gpt-oss-120b · 20342ms
Confidence Gate
pending_veto_slack

Computed from 4 measurable signals — not the model's self-reported confidence.

Severity match rate50%
x
Runbook coverage68%
x
Data completeness67%
x
Recency36%
x
Computed confidence (v1)57%
Auto-execute threshold: 75%
Proposed action: escalate_to_human
#security-operations Escalated — paged secondary on-call
in-app simulated

Proposed action "escalate_to_human" for "Anomalous burst of authentication failures from distributed IP range" — confidence 57% (below 75% auto-execute threshold). Cancel within 45s or it executes automatically.

held — awaiting human decision, will not auto-execute

Paged security-operations-secondary-oncall at 5:37:38 PM in-app simulated
Verify Agent
runs after execution
Pending…