Machine-speed containment reasoning. Human-approved action.
Built around the Incident Commander — the person who, in the middle of a live cyber incident, has to decide what to contain, when to contain it, who must approve it, and what it will cost. Containment Command Lab shows how agentic AI can carry the analysis at machine speed while the human keeps the decision, and every action stays fully simulated.
Why containment is one of the hardest calls in cyber
Containment is rarely a technical problem alone. Under time pressure, with incomplete information, the Commander is balancing five questions at once — and getting any one of them wrong has real consequences.
What do we contain?
Isolate the wrong asset and you blind the investigation; isolate too little and the threat keeps moving.
When do we act?
Every minute of deliberation is a minute of potential spread — but acting on a bad read is worse.
Who must approve?
A targeted action and a business-halting one demand very different authority. Skipping that is how incidents become crises.
What evidence is lost?
Pull the plug too early and volatile memory, sessions and logs vanish with it — along with attribution.
What business breaks?
Containment that stops payroll, production or a board-critical wire has a cost the security team can't own alone.
This lab is an opinion about where AI helps: compress the reasoning, never the accountability.
Five incidents, one command workflow
Each scenario is a self-contained mock incident with its own identities, assets, blast radius, business clock and containment options. Pick one to load it into the Commander console and walk the full human-approved workflow.
AI-assisted triage
Known facts, assumptions and unknowns separated and scored — deterministically, with no API keys required.
Bounded agentic layer
Eight cooperating agents reason over the incident and propose strategies. They advise; humans approve.
Blast-radius mapping
Interactive graph of identities, assets and business services, with suspected lateral movement highlighted.
Containment options
Minimal, targeted, aggressive and staged options with explicit security, business, evidence and recovery trade-offs.
Human-approved routing
Multi-level approval chains from IR Lead to Executive. A guardrail blocks simulated execution until approvals exist.
Audit-ready ledger
Every drafted, approved and simulated action is appended to a hash-chained containment ledger.
AI can compress the analysis, not the authority
Eight agents triage, map blast radius and propose a strategy in seconds — and still cannot move without a recorded human approval chain.
Trade-offs can be made explicit
Every containment option states its security benefit, business impact, evidence impact, recovery cost, required approvers and rollback plan up front.
Assumptions never masquerade as facts
Findings are typed fact / assumption / unknown, so the Commander always knows how much weight a recommendation can bear.
Every decision is reconstructable
Drafts, approvals, simulated executions and rollbacks are appended to a hash-chained ledger a reviewer could replay end to end.
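The two mechanisms described above, the approval guardrail that blocks simulated execution until the required approvers have signed off, and the hash-chained ledger that a reviewer can replay and verify, are small enough to show end to end. The following is an added example written for this page, not code from Containment Command Lab or RecoverIQ; the class name, the role names ("IR Lead", "Executive") and the mock action are assumptions chosen for illustration.

```python
"""Hash-chained containment ledger with an approval guardrail (added example, not the lab's code)."""
import hashlib
import json

GENESIS = "0" * 64  # previous-hash value for the first ledger entry


class ApprovalMissing(Exception):
    """Raised when simulated execution is requested before the approval chain is complete."""


def _digest(body: dict) -> str:
    # Canonical JSON (sorted keys) so the hash does not depend on dict ordering.
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


class ContainmentLedger:
    """Append-only log: every entry commits to the hash of the entry before it."""

    def __init__(self):
        self.entries = []

    def _append(self, kind: str, payload: dict) -> dict:
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        body = {"seq": len(self.entries), "kind": kind, "payload": payload, "prev": prev}
        body["hash"] = _digest(body)
        self.entries.append(body)
        return body

    def draft(self, action_id: str, description: str, required_roles) -> dict:
        # A draft records up front which roles must approve before anything may run.
        return self._append("draft", {"action_id": action_id, "description": description,
                                      "required_roles": sorted(required_roles)})

    def approve(self, action_id: str, role: str, approver: str) -> dict:
        if role not in self.required_roles(action_id):
            raise ValueError(f"{role!r} is not in the approval chain for {action_id}")
        return self._append("approval", {"action_id": action_id, "role": role, "by": approver})

    def required_roles(self, action_id: str) -> set:
        for e in self.entries:
            if e["kind"] == "draft" and e["payload"]["action_id"] == action_id:
                return set(e["payload"]["required_roles"])
        raise KeyError(f"no draft for {action_id}")

    def approved_roles(self, action_id: str) -> set:
        return {e["payload"]["role"] for e in self.entries
                if e["kind"] == "approval" and e["payload"]["action_id"] == action_id}

    def simulate_execute(self, action_id: str) -> dict:
        # The guardrail: refuse unless every required role has a recorded approval.
        missing = self.required_roles(action_id) - self.approved_roles(action_id)
        if missing:
            raise ApprovalMissing(f"{action_id}: missing approval from {sorted(missing)}")
        return self._append("simulated_execution", {"action_id": action_id, "simulated": True})

    def rollback(self, action_id: str, reason: str) -> dict:
        return self._append("rollback", {"action_id": action_id, "reason": reason})

    def verify(self) -> bool:
        """Replay the chain: sequence numbers, back-links and every hash must check out."""
        prev = GENESIS
        for i, e in enumerate(self.entries):
            if e["seq"] != i or e["prev"] != prev:
                return False
            if _digest({k: v for k, v in e.items() if k != "hash"}) != e["hash"]:
                return False
            prev = e["hash"]
        return True


def run_demo():
    """Walk one mock action through the workflow; returns (ledger, blocked_before_approval, tamper_detected)."""
    ledger = ContainmentLedger()
    # Constructed mock action; nothing here touches a real system.
    ledger.draft("act-001", "Isolate workstation WS-042 (mock)", ["IR Lead", "Executive"])
    ledger.approve("act-001", "IR Lead", "ir-lead@example.invalid")
    try:
        ledger.simulate_execute("act-001")
        blocked = False
    except ApprovalMissing:
        blocked = True  # one approval is not enough for a two-level chain
    ledger.approve("act-001", "Executive", "ciso@example.invalid")
    ledger.simulate_execute("act-001")
    ledger.rollback("act-001", "scope reduced after triage update (mock)")
    intact = ledger.verify()
    # A reviewer replaying the chain catches an after-the-fact edit to an approval.
    ledger.entries[1]["payload"]["by"] = "someone-else"
    tamper_detected = intact and not ledger.verify()
    return ledger, blocked, tamper_detected


if __name__ == "__main__":
    _, blocked, tampered = run_demo()
    print("blocked before full approval:", blocked, "| tamper detected:", tampered)
```

The point the example makes is the ordering: the draft commits to the required approvers before any approval exists, the guardrail compares recorded approvals against that commitment at execution time, and because each entry hashes the previous one, a later edit to any approval invalidates everything after it on replay.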
This lab — the thinking, in the open
A public, portfolio-grade demonstration of the reasoning behind agentic containment. It runs entirely on mock data with a deterministic, key-free AI core — open to read, run and learn from.
- Mock incidents only
- Deterministic AI, no API keys
- Every action simulated
- Open for review and reuse
RecoverIQ Containment Command — where it leads
The production direction the lab points toward: a governed platform with read-only connectors, policy-bound reversible playbooks, real approvals with attestation, and resilience metrics. A separate, proprietary effort — the lab is where the ideas are shown working.
- Policy-guardrailed connectors
- Governed, reversible playbooks
- Real approvals + attestation
- Resilience & learning loops
Safety notice
This is a public demonstration lab, not a production incident-response platform. It contains no real EDR/SIEM/cloud/identity integrations, no offensive capabilities and no exploit logic. All containment actions are simulated against mock data, and nothing in this app can modify a real system. See About & Safety for the full model.