Simulated containment actions only. No production systems are modified.
INC-2041
Finance endpoint compromise
Critical
Step 2 · Command center

Incident Commander

A single operating picture: severity, blast radius, the business clock, and the live state of every containment decision.

Severity: Critical (provisional classification)
Blast radius: 100 (3 identities · 5 assets)
Payroll run: business deadline
Decisions in flight: 0 (4 evidence items to preserve)
Agentic analysis

Situation

Critical

Anomalous PowerShell on a finance endpoint owned by a user with privileged access to payroll and payment systems. Correlated with failed logins from an unusual geography, a suspicious mailbox forwarding rule, and possible lateral movement to a shared finance file server. Payroll processing is scheduled in approximately six hours.

Identities: 3
Assets: 5
Services: 3
Evidence: 4

AI recommendation

B: Targeted Containment (fit 80/100)

Surgically isolate the compromised endpoint and identity while explicitly protecting the payroll processing path.

Containment decisions

Recent activity