Safety & approvals
AgentSOAR is built so that automated response stays safe and reversible. Several layers of guardrails sit between a decision and a change to your environment—validation, scoped credentials, a complete audit trail, revertibility, re-authentication on expiry, and an approval posture that governs what the Response agent may do on its own.
Validation before any change
Every action's inputs are validated before AgentSOAR calls a provider. The target must resolve—an inventory asset for resource capabilities, or the credential bound to the protected mailbox or domain for tenant capabilities—and the credential must be valid. Inputs that fail validation stop the run with an input_invalid reason rather than producing an unexpected change. AgentSOAR also captures revert context first, so an action is recorded as undoable before it takes effect.
Least-privilege credentials
Each credential is scoped to a single provider plugin and supplies only the access that provider's capabilities require. Secrets are encrypted at rest with AES-256-GCM and are never returned through the UI or API. Binding email and identity credentials to the domains they protect keeps each tenant's actions confined to that tenant. See Credentials & domains for setup.
A complete audit trail
Every action becomes an execution row recording the capability, the target, the operator-supplied reason, the analyst or agent that ran it, the status, and a step-by-step log. Because the source of every run is recorded—analyst or AI agent—you can always answer who did what, when, and why. See Executions & revert.
Revertibility
Containment is reversible by design. AgentSOAR captures the state it changes and can restore it: removing the deny rules a block_ip added, restoring a host's original network configuration after isolate, powering a host back on, deleting a mail filter or blocklist entry, or restoring a user's prior state. This lets responders—human or automated—act decisively while keeping a clear path back.
Not every run is reversible in every state. AWS isolate cannot be reverted when the host was already isolated, because no original network configuration remained to be captured before the action. Treat irreversible actions with extra care.
Re-authentication on expiry
When a credential expires or is rejected, AgentSOAR does not silently fail or retry blindly. It pauses the affected execution as awaiting_reauth and prompts you to re-authenticate. If the cutoff window passes, the run moves to expired_awaiting_reauth and clears the prompt. This keeps a stale credential from leaving an action half-applied or repeatedly erroring.
Approval posture: automated vs manual
How an action runs depends on who initiates it.
- Manual response. An analyst runs a capability from the Playground against a chosen target. The analyst is the approval.
- Automated response. The Response agent decides on an action from a triage verdict and executes the matching AgentSOAR capability—but only with approval, governed by your response policy. The agent does not act outside what that policy permits.
The Response agent's policy-approved execution is the gate for autonomous response. Review and tune your approval policy so automated containment matches your organization's risk tolerance, and confirm the policy controls available in your deployment.
Together these guardrails mean AgentSOAR can move at machine speed where you allow it, while every action stays validated, scoped, audited, and—wherever possible—reversible.