Incident Response — Agentic MTTR Demo

INC17768119697557

P1pending_human_reviewai_assisted

Anomalous burst of authentication failures from distributed IP range

Verify agent flagged this as unresolved — responsible group: security-incident-response
Pipeline Status
Context Assembly
Diagnose Agent
Severity / Routing Agent
Scenario Match
Remediate Agent
Confidence Gate
Gate Decisionveto timeout executed
Execute Action
Verify Agent
Resolution
Assembled Context — bounded to last 30 minutes
Rolling logs
Recent commits
(none in lookback window)
Similar past incidents
INC177885108473992 · security/P1 · -24d ago — Anomalous burst of authentication failures from distributed IP range
INC1776507679045101 · security/P1 · 3d ago — Anomalous burst of authentication failures from distributed IP range
INC1776719925084180 · security/P1 · 1d ago — Anomalous burst of authentication failures from distributed IP range
Diagnosis Agent
ran in parallel
A coordinated credential‑stuffing/brute‑force attack from a large, distributed IP range targeting high‑value accounts, with the WAF only in monitor mode and therefore not actively blocking the traffic.
  • [auth-service] WARN 4200 failed login attempts in 5 minutes across 340 distinct source IPs
  • [auth-service] WARN failed attempts targeting 12 distinct high-value accounts
  • [waf] INFO rate-limit rule triggered but not blocking (monitor mode)
  • Similar past incidents: INC177885108473992, INC1776507679045101, INC1776719925084180 – all classified as security/P1 and showing the same pattern
Assessed: P2 / security
Self-reported confidence: 90% (audit-only — not used by the gate)
openai/gpt-oss-120b · 1718ms
Severity / Routing Agent
ran in parallel
P1 / security
Routed to: security-incident-response
The incident demonstrates a clear, active credential stuffing attack pattern targeting high-value accounts. Given the history of recent similar incidents, this represents a critical and recurring threat to account security and platform integrity.
Self-reported confidence: 95% (audit-only — not used by the gate)
gemini-flash-lite-latest · 1002ms
Scenario Matcher
deterministic, pre-LLM
Anomalous authentication failure burst
Authentication anomalies are always escalated to the security on-call; no automated remediation action is in the bounded catalog for this class.
Match score: 74% · Recommended action: escalate_to_human
Matched tags: security
Remediate Agent
grounded by runbook match, pre-gate
Proposed action: escalate_to_human
team: security-incident-response · reason: P1 security incident requiring human investigation · message: Escalating credential stuffing attack to security on-call · justification: Automated remediation not available; need human analysis and response
The runbook for this pattern explicitly recommends escalation to a human on‑call because automated actions are insufficient for credential‑stuffing attacks. The diagnosis confirms a coordinated brute‑force attempt and the WAF is only in monitor mode, so no safe automated remediation exists. Therefore we follow the runbook and escalate to the security team.
openai/gpt-oss-120b · 1624ms
Confidence Gate
veto_timeout_executed

Computed from 4 measurable signals — not the model's self-reported confidence.

Severity match rate50%
x
Runbook coverage74%
x
Data completeness67%
x
Recency100%
x
Computed confidence (v1)68%
Auto-execute threshold: 75%
Proposed action: escalate_to_human
Verify Agent
runs after execution
Not resolved · residual risk: high
Follow-up: notify_oncall
The incident is a coordinated brute-force attack currently bypassing automated WAF defenses. While the escalation successfully handed off the task to the security team, the active threat remains unmitigated, posing a high residual risk until manual intervention occurs.
Self-reported confidence: 95% (audit-only — not used by the gate)
gemini-flash-lite-latest · 883ms