Simulated containment actions only. No production systems are modified.
INC-2041
Finance endpoint compromise
Critical
Step 1

Incident Intake

Capture the initiating signal and business context. This demo is pre-populated with the reference scenario; validation is enforced with Zod. Submitting loads the incident into the Commander dashboard.

Incident details

All fields validated client-side. Mock data only.

Reference scenario

The lab ships with one fully modelled incident so every downstream screen is populated.

A privileged payroll user's finance endpoint shows anomalous PowerShell, while the identity provider logs failed sign-ins from an unusual geography followed by a success.

A new mailbox rule forwards payment threads externally, and an SMB session suggests lateral movement to the shared finance file server.

Payroll runs in ~6 hours — the central tension between contain-fast and keep-the-business-running.
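The signal chain described above, as an added example of how an intake record could be derived from telemetry. This is not the lab's own code: the events, user name, host names and the failure threshold are constructed assumptions; only the incident id and title come from the scenario.

```python
# Constructed telemetry that mirrors the reference scenario (no real logs).
EVENTS = [
    {"src": "idp", "user": "j.payroll", "result": "fail", "geo": "RO", "ts": 1},
    {"src": "idp", "user": "j.payroll", "result": "fail", "geo": "RO", "ts": 2},
    {"src": "idp", "user": "j.payroll", "result": "success", "geo": "RO", "ts": 3},
    {"src": "edr", "user": "j.payroll", "host": "FIN-LT-07",
     "alert": "anomalous_powershell", "ts": 4},
    {"src": "mail", "user": "j.payroll", "rule": "forward",
     "external": True, "ts": 5},
    {"src": "smb", "user": "j.payroll", "host": "FIN-LT-07",
     "dest": "FIN-FS-01", "ts": 6},
]
USUAL_GEOS = {"GB"}   # assumed normal sign-in geography for this user
FAIL_THRESHOLD = 2    # assumed: unusual-geo failures required before a success counts


def correlate(events, user):
    """Return the scenario's signals for one user, in the order they fired."""
    evs = sorted((e for e in events if e["user"] == user), key=lambda e: e["ts"])
    signals, unusual_fails = [], 0
    for e in evs:
        if e["src"] == "idp" and e["geo"] not in USUAL_GEOS:
            if e["result"] == "fail":
                unusual_fails += 1
            elif e["result"] == "success" and unusual_fails >= FAIL_THRESHOLD:
                signals.append("idp: unusual-geo failures followed by success")
        elif e["src"] == "edr" and e["alert"] == "anomalous_powershell":
            signals.append(f"edr: anomalous PowerShell on {e['host']}")
        elif e["src"] == "mail" and e["rule"] == "forward" and e["external"]:
            signals.append("mail: external forwarding rule")
        elif e["src"] == "smb":
            signals.append(f"smb: session {e['host']} -> {e['dest']}")
    return signals


def severity(signals):
    """Critical once identity, endpoint and lateral-movement signals coincide."""
    kinds = {s.split(":", 1)[0] for s in signals}
    if {"idp", "edr", "smb"} <= kinds:
        return "Critical"
    return "High" if len(kinds) >= 2 else "Medium"


def intake_record(events, user, incident_id, title):
    """Build the intake payload a Commander-style dashboard would load."""
    signals = correlate(events, user)
    return {"id": incident_id, "title": title, "user": user,
            "severity": severity(signals), "signals": signals}
```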

Editing this form is illustrative in v0.1 — downstream screens always use the modelled reference incident.