The Attack Doesn't Wait for Office Hours
At 3am, a brute-force attack starts hammering a server's SSH port — thousands of login attempts cycling through common passwords, from an IP range that has never touched your network before. Nobody is watching. Your one IT lead is asleep. The traditional answer is that the alert lands in a queue, someone triages it at 9am, and by then the attacker has either given up or got in.
The better answer is that a playbook is watching. The moment the pattern crosses a threshold, the system blocks the source IP, locks the targeted account, notifies an admin, and opens an incident — in the time it takes to read this sentence. That is what automated incident response, sometimes called SOAR (Security Orchestration, Automation and Response), is for: closing the gap between detection and containment when no human is available to close it.
This guide is about building that responsibly. The same automation that contains a threat in seconds can, if built carelessly, block your own CEO's laptop, disable a service account a critical system depends on, or lock legitimate users out during a false alarm. The engineering challenge isn't making automation fast. It's making fast automation safe.
What a Playbook Actually Is
A playbook is a defined sequence of steps that runs in response to a specific type of incident — the codified version of what a good analyst would do by hand, except it runs in milliseconds and never forgets a step. Take the brute-force example. The playbook is a chain:
| Step | Action | Reversible? | Runs automatically? |
|---|---|---|---|
| 1 | Detect brute-force pattern (N failed logins in M minutes) | — | Yes |
| 2 | Block the source IP at the firewall | Yes (unblock) | Yes, if approved |
| 3 | Disable the targeted user account | Yes (re-enable) | Yes, if approved |
| 4 | Notify the on-call admin (Slack + email) | — | Yes |
| 5 | Force a password reset on next login | Yes | Requires approval |
| 6 | Open an incident record with full timeline | Yes | Yes |
| 7 | Generate an investigation report | — | Yes |
Every step is explicit, knows whether it can be undone, and carries a flag for whether it fires on its own or waits for a human to say yes. That last column is where most of the real design work lives. A platform will have many such playbooks — malware on a host, a suspicious cloud API call, a data-exfiltration pattern — each mapping a class of incident to a sequence of contained actions. Building them is less about clever code than thinking clearly through what should happen, in what order, and who gets to stop it.
The Human-in-the-Loop Decision Is the Whole Game
Here is the question that determines whether your automated response is an asset or a liability: which actions are safe to run automatically, and which must wait for a human to approve?
Get this wrong in the permissive direction and you've built a system that can damage your own business faster than any attacker could. Get it wrong in the cautious direction and it pages a human for every step, which defeats the point. Sort actions by two questions: how much damage if this fires on a false positive, and how easily can it be undone?
Low blast radius, easily reversible → auto-run. Blocking a single external IP with no legitimate history, opening an incident record, sending a notification, collecting evidence. Block an IP that turns out to be harmless and you unblock it in ten seconds.
High blast radius or hard to reverse → require approval. Disabling a service account, isolating a production server, deleting anything, blocking an entire IP range, forcing a mass password reset. These can take down legitimate operations, and some can't be cleanly undone.
This is the same principle that governs any AI agent that can take actions: bounded actions, with hard limits on the destructive ones. An incident-response system is exactly an agent with tools — the tools just happen to be "block IP" and "disable account" rather than "process refund" — and a system that auto-approves everything carries a very different risk profile from one where destructive actions pause for a human. The difference is a deliberate design choice, not a default.
When Automated Response Goes Wrong
The failure modes here are specific, and worth naming because they turn a security investment into an incident of its own.
Auto-blocking your own people. A rule fires on "many failed logins from one IP," and the offending IP turns out to be your office's shared NAT gateway — because someone fat-fingered their VPN password. The playbook cheerfully blocks the entire office. Or worse: an executive travelling abroad trips an "impossible travel" rule and an over-eager playbook locks their account mid-meeting.
Disabling a critical service account. A rule spots unusual API activity from a service account and disables it. That account turns out to run your payment processing; the "attack" was a legitimate monthly batch job. You've now caused an outage more expensive than most real breaches.
Amplifying a false positive. If a noisy rule fires a hundred times an hour and each firing auto-disables a user, one bad rule can lock out your entire company before anyone notices. Automation multiplies whatever's upstream of it — including mistakes.
The common thread: automation removes the human sanity-check that would have caught the obvious problem. The answer isn't to abandon automation — it's to reserve the fully-automatic path for actions where a false positive is cheap, route everything else through approval, and enforce that routing at the tool level.
Hard Limits Belong in the Tool, Not the Policy
This point separates a system that's safe on paper from one that's safe in production. It's tempting to write a policy that says "never disable more than five accounts without approval" and consider the risk handled. It isn't. A soft guideline is a suggestion the system can ignore, and a limit enforced in the same layer that decides which accounts to disable can be bypassed by a single bug.
The limit has to live somewhere the response logic cannot reach past — in the containment functions themselves. The disable_account tool refuses to run against an account tagged critical, full stop. The block_ip tool refuses to block anything on the allow-list of known-good ranges (your offices, your VPN egress, your monitoring vendors). The isolate_host tool caps how many hosts it will isolate in a rolling window. These aren't checks the orchestration asks to happen; they're walls built into the tools, so even if the layer above is buggy or manipulated, the destructive action cannot execute beyond its bounds. It's the same idea as capping refunds in the function that processes them, not in the prompt — higher stakes.
Staged, Reversible, and Fully Logged
Three properties separate an automated response you trust from one you'll switch off after the first bad night. It should be staged — a good playbook escalates, taking cheap reversible steps first (block, notify, open the incident) and only moving to heavier actions on confirmation or approval, so a false positive burns a cheap action rather than a business-critical one. It should be reversible — every action records how to undo itself, so a false alarm is a one-click rollback rather than a scramble to remember what the automation touched. And it should be fully logged — every action writes an immutable audit record of what fired, why, and whether a human approved it. When an auditor asks "why was this account disabled at 3:14am," the answer has to be a precise, timestamped trail, and the log of false-positive containments becomes your list of rules to fix.
How Response Consumes the Investigation Agent's Output
Response shouldn't fire blind on a raw alert. The strongest architecture wires it to sit downstream of investigation. When a detection fires, the investigation agent gathers the surrounding evidence — process lists, login history, related cloud events, DNS lookups — and produces a summarised root cause with a confidence level. Only then does the response engine act, on that assessment rather than the bare signal.
This lets containment be proportionate. A high-confidence root cause ("confirmed credential-stuffing from a known-bad range, no legitimate sessions affected") can justify a more aggressive automatic response. A low-confidence or ambiguous finding routes to a human with the evidence attached, so they decide in seconds instead of investigating from scratch. The investigation output is what makes response smart rather than merely fast — and it's why the two modules are designed to fit together in the overall platform architecture.
What Good Looks Like
A well-built automated response capability has these properties:
Clear action tiers. Every action is classified as auto-run or approval-required by blast radius and reversibility — and that classification is visible, not buried in code.
Tool-level hard limits and allow-lists. Destructive actions carry enforced ceilings inside the functions themselves, and your own IP ranges, executive accounts, and critical service accounts are protected from automated action by default.
Rate limits and circuit-breakers. A single noisy rule cannot cascade into a company-wide lockout, because the tools cap how much they'll do in a rolling window.
A tested off-switch. You can pause all automated response instantly if it starts misbehaving — and you've tested that you can.
Questions to Ask Before You Automate Response
"Which actions run without a human, and how was that line drawn?" You should get a specific list sorted by blast radius, not a vague "the safe ones."
"Where are the hard limits enforced — in the policy or in the tool?" If the answer is a policy document, push back. Limits that live only in guidelines get bypassed.
"What's on the allow-list, and who maintains it?" Executive accounts, office IPs, and critical service accounts should be protected from day one.
"What happens if a noisy rule fires a hundred times an hour?" A good answer includes rate limits and circuit-breakers so one bad rule can't cascade into a company-wide lockout.
"How do I undo an action, and how do I turn the whole thing off right now?" There should be a one-click rollback and an immediate, tested off-switch — not a manual reconstruction and a theoretical kill command.
What It Costs and How Long It Takes
Automated response isn't the first thing you build — it sits on top of working detection and investigation, because automating response to unreliable detections just automates your mistakes. In a sensible sequence it's a Phase 3 capability.
For a platform that already has solid detection and an investigation agent, building a first set of playbooks — brute force, malware isolation, suspicious-cloud-activity, with the approval workflow, allow-lists, tool-level limits, rollback, and audit logging — is typically a six-to-ten-week engagement for a focused team. The playbooks themselves are quick to write; the safety scaffolding around them is the real work, and the part you cannot skip. The most expensive mistake is shipping automation without the tool-level limits and allow-lists, then discovering their absence at 3am when the system blocks your own infrastructure.
Related guides
- Building an AI-native security operations platform: the full architecture
- The AI security investigation agent that gathers evidence and suggests root cause
- Building the detection engine that turns events into meaningful alerts
- The AI security copilot: natural-language queries over your data
- AI agent security: what business owners need to know
- Our AI development services
We Build Response Automation That Fails Safe
Automated incident response is one of the most valuable things a security platform can do — and one of the easiest to get dangerously wrong. We build it the way we build any high-stakes AI agent: bounded actions, hard limits enforced at the tool level, allow-lists for the things that must never be touched automatically, and a complete audit trail for everything the system does on its own.
If you're weighing how much of your incident response to automate — and how much to deliberately keep manual — we're happy to walk through the specific actions, blast radii, and approval boundaries for your environment.
Talk to us about your platform — no commitment, just a conversation.
Frequently Asked Questions
What is SOAR and how is it different from an incident response plan?
SOAR stands for Security Orchestration, Automation and Response. An incident response plan is a document describing what people should do when something goes wrong; SOAR is the software that executes parts of that plan automatically. The plan defines the intent; the playbooks codify the mechanical steps (block, disable, notify, open incident) so they run in seconds without waiting for a human to be awake. Good automation implements a good plan — it doesn't replace the thinking behind it.
Which incident response actions are safe to automate without human approval?
The rule of thumb is low blast radius and easily reversible. Blocking a single external IP with no legitimate history, sending notifications, opening an incident record, and gathering evidence are safe to auto-run because a false positive is cheap to correct. Anything high-impact or hard to undo — disabling service accounts, isolating production hosts, deleting data, blocking whole IP ranges, forcing mass password resets — should require approval.
How do you stop automated response from blocking legitimate users or critical systems?
Two mechanisms. First, allow-lists: your own office IP ranges, VPN egress, executive accounts, and critical service accounts are protected from automated action by default. Second, tool-level hard limits: the containment functions themselves refuse to act against protected assets or beyond defined thresholds, so even a buggy or manipulated upstream rule can't push them past their bounds. These are enforced in the tools, not written as guidelines the system could ignore.
Why do hard limits need to be in the tool rather than a policy document?
Because a policy is a suggestion the software can ignore, and a limit enforced in the same layer that decides what to do can be bypassed by a bug or a manipulated input. If the "never disable a critical account" rule lives inside the disable_account function itself, no amount of upstream confusion can cause the destructive action to run. It's the difference between "the system shouldn't do this" and "the system can't" — and for anything that can damage your business, you want the second.
How does automated response connect to threat detection and investigation?
Response should sit downstream of both. Detection identifies that something is wrong; the investigation agent gathers the surrounding evidence and produces a root cause with a confidence level; only then does the response engine act, on that assessment rather than the raw signal. This lets containment be proportionate — a high-confidence, clearly malicious finding can justify a more aggressive automatic response, while an ambiguous one routes to a human with the evidence attached.
What happens if the automated response makes a mistake?
Every action records how to undo itself, so a false positive is a one-click rollback rather than a manual scramble, and writes an immutable audit record of what fired, why, and whether a human approved it, so you can reconstruct what happened and fix the rule that caused it. A tested off-switch lets you pause all automation instantly if it misbehaves. Mistakes are inevitable; the design goal is to make them cheap and traceable rather than catastrophic.
