Stop the Attack -- AgentSOAR

AgentSOAR is the response automation engine built into Jutsu. It lets your team execute defensive actions directly against your connected cloud infrastructure -- blocking IPs, isolating hosts, disabling accounts, and controlling server power -- without leaving the platform. The AgentSOAR sidebar contains six sections: Dashboard, Playground, Executions, Containment, Providers, and Inventory.

Dashboard

The Dashboard is the starting point. It shows the current state of the response engine at a glance.

Summary cards

  • Playground -- The total number of response actions configured and available. The subtext lists examples of the action types available. Click the card to go directly to the Playground.
  • Cloud providers -- The number of cloud provider credential sets currently connected. The subtext lists which providers are connected. This must be non-zero for any response action to execute.
  • Inventory assets -- The number of cloud assets synced from connected providers. The subtext confirms these are pulled from connected providers. When populated, your team can select assets by name in action forms instead of entering resource IDs manually.

Recent Execution Outcomes

Live counts of all playbook runs in this workspace. The note below the heading clarifies that Succeeded includes reverted actions. Three counters are shown:

  • Succeeded / Reverted -- Actions that completed successfully or were subsequently reverted. Shown in green.
  • Running -- Actions currently executing. Shown in amber.
  • Failed -- Actions that did not complete successfully. Shown in red. If this number is non-zero, open Executions to read the error details before running anything new.

Playground -- The Six Actions

Click Playground in the AgentSOAR sub-navigation to see all available response actions. Three filter tabs at the top narrow the list: All (shows every action), Active (shows enabled actions only), and Off (shows disabled actions only). The Actions counter shows the total, active, and off counts.

Running an Action

Response actions and live infrastructure: All AgentSOAR actions execute immediately against live cloud infrastructure, and there is no confirmation dialog once you click Run. Every run is logged in Executions, and the Block IP, Isolate Host, and Power actions can be reversed from the Containment page. Make sure you are authorized to make the change before you run it.

Running a Playbook

Each action in the Playground is displayed as a card. The card shows the action name, internal ID, a plain-language description of what it does, the cloud providers it supports, an Active badge, an on/off toggle, and a play button.

  • Active badge -- Confirms the action is enabled and available to run.
  • On/off toggle -- Enables or disables the action. When toggled off, the action cannot be executed.
  • Provider tags -- The cloud platforms this action supports, for example AWS, Google Cloud, and Microsoft Azure.
  • Play button -- Click the play button on the right side of the card to open the action configuration form and run the playbook.

Inside a playbook

When you click the play button on any action card, it opens the full configuration page for that playbook.

Page header

Shows the action name, its internal ID, the category it belongs to, and a plain-language description of what the action does.

Configure

The main tab where you fill in the details and run the action. Active by default.

The form shown here belongs to the Block IP playbook; other playbooks have their own fields, which you can read from the Arguments tab. It is split into two sections.

The first section identifies the resource being protected:

  • Resource Id (required) -- The identifier of the cloud resource whose subnet you want to protect.
  • Public Ip -- The public IP address of the resource.
  • Private Ip -- The internal IP address of the resource.
  • Hostname -- The hostname of the resource.
  • Display Name -- A label to identify this resource in the execution history.
  • Host Email -- The email address associated with the resource.
  • Host Domain -- The domain of the resource.

The second section identifies the attacker:

  • Ip (required) -- The IP address of the attacker to block. The hint below the field specifies this is the attacker's IP, not the protected resource's IP.
  • Reason (required) -- A plain-language explanation of why this block is being applied. This is shown in the execution log and is readable by other operators.

Once all required fields are filled, click Run playbook to execute the action.

Two more tabs sit beside Configure:

  • Arguments -- Shows the full parameter schema -- every field name, its data type, and whether it is required.
  • Snippet -- A ready-to-use API call example for running this action programmatically.
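Because Run executes against live infrastructure with no confirmation dialog, it is worth checking a Block IP request before sending it, whether from the form or from the Snippet tab's API call. The following is an added example, not Jutsu's own client code: it assembles the two form sections into a request body and refuses the classic mistake the form's hint warns about, entering the protected resource's own IP in the attacker field. The snake_case field names, the ProtectedResource container, the check rules and the payload layout are assumptions of this example; take the real endpoint and body from the action's Snippet tab.

```python
"""Validate and assemble a Block IP run before submitting it.

Added example, not Jutsu's own client code. Field names follow the Configure
form in snake_case; the container, the check rules and the payload layout are
assumptions. Take the real endpoint and body from the action's Snippet tab.
"""
from __future__ import annotations

import ipaddress
from dataclasses import asdict, dataclass
from typing import List, Optional, Tuple


@dataclass
class ProtectedResource:
    """The first form section: the resource being protected."""
    resource_id: str
    public_ip: Optional[str] = None
    private_ip: Optional[str] = None
    hostname: Optional[str] = None
    display_name: Optional[str] = None
    host_email: Optional[str] = None
    host_domain: Optional[str] = None


def _parse_ip(value: Optional[str]):
    """Return an ip_address object, or None if the value is empty or malformed."""
    if not value:
        return None
    try:
        return ipaddress.ip_address(value.strip())
    except ValueError:
        return None


def check_block_ip_request(resource: ProtectedResource, attacker_ip: str, reason: str) -> List[str]:
    """Return the problems that should stop this run; an empty list means go."""
    problems: List[str] = []
    if not resource.resource_id.strip():
        problems.append("Resource Id is required")
    if not reason.strip():
        problems.append("Reason is required; it is shown to other operators in the execution log")
    target = _parse_ip(attacker_ip)
    if target is None:
        problems.append(f"Ip must be a valid IPv4/IPv6 address, got {attacker_ip!r}")
        return problems
    # The form's hint: this is the attacker's IP, not the protected resource's.
    own = {_parse_ip(resource.public_ip), _parse_ip(resource.private_ip)} - {None}
    if target in own:
        problems.append(f"{target} is the protected resource's own address; blocking it locks you out")
    # These can never be an attacker's source address and are almost always a typo.
    if target.is_loopback or target.is_unspecified or target.is_multicast:
        problems.append(f"{target} is not a routable peer address")
    return problems


def build_block_ip_request(resource: ProtectedResource, attacker_ip: str, reason: str) -> Tuple[dict, List[str]]:
    """Assemble the payload; raise ValueError if any check fails.

    Returns (payload, warnings). Warnings do not block the run: blocking a
    private address may cut off an internal host rather than an attacker.
    Note that Python's ipaddress also reports the RFC 5737 documentation
    ranges (192.0.2.0/24, 198.51.100.0/24, 203.0.113.0/24) as private.
    """
    problems = check_block_ip_request(resource, attacker_ip, reason)
    if problems:
        raise ValueError("; ".join(problems))
    target = ipaddress.ip_address(attacker_ip.strip())
    warnings: List[str] = []
    if target.is_private:
        warnings.append(f"{target} is a private address; confirm it is the attacker and not an internal host")
    payload = {
        # Drop optional form fields the operator left empty.
        "resource": {k: v for k, v in asdict(resource).items() if v},
        "ip": str(target),
        "reason": reason.strip(),
    }
    return payload, warnings


if __name__ == "__main__":
    # Constructed sample: a cloud instance and an attacker seen in its auth logs.
    web = ProtectedResource(resource_id="i-0123456789abcdef0", public_ip="203.0.113.10",
                            private_ip="10.0.1.5", hostname="web-1", display_name="web-1 (prod)")
    print(build_block_ip_request(web, "93.184.216.34", "SSH brute force, 400 failed logins in 5 min"))
    print(check_block_ip_request(web, "203.0.113.10", "pasted the wrong IP"))
```

The self-lockout check is the one that matters: an IP block that succeeds against your own server still shows green in Executions, and you then discover the mistake by losing access to the host rather than from an error message.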

Configure & Run panel (left)

The orange label at the top reads "this action mutates infrastructure." Clicking Run executes the action immediately against your live cloud environment with no additional confirmation step.

Recent Runs panel (right)

Shows the last 5 executions of this specific action. Each entry shows the target, the outcome -- green for success or reverted, red for failed -- and how long ago it ran. Click View all to open the full execution history in the Executions page.

Executions

The Executions page shows the full history of every AgentSOAR playbook run in this workspace. The header shows the total count of executions. Each entry includes the console output from the run. The Playground link in the description takes you directly to the Playground to start a new action.

Filter tabs

Eight tabs narrow the list by execution status:

  • All -- Shows every execution regardless of outcome.
  • Action required -- Executions that need manual intervention to proceed or complete.
  • Running -- Executions currently in progress.
  • Succeeded -- Executions that completed successfully.
  • Failed -- Executions that did not complete. Click any failed entry to read the console output and understand what went wrong.
  • Reverted -- Executions that completed successfully and were subsequently reversed via the Containment page.
  • Revert failed -- Executions where a revert was attempted but did not complete successfully.
  • Expired -- Executions that timed out before completing.

Containment

The Containment page shows every response action currently in effect across your environment -- all active IP blocks, host isolations, and power changes applied through AgentSOAR. The Active containment header shows the current count of active actions.

The description below the header notes that Block IP, Isolate Host, and Power actions currently applied through AgentSOAR are listed here. The Action playbooks link takes you directly to the Playground to enable or configure additional actions.

A note on the right side of the header explains what Revert does: it undoes the change in your cloud provider -- unblocking an IP, restoring network connectivity to an isolated host, or restoring the prior power state of a server.

Filter tabs

Four tabs narrow the list by action type:

  • All types -- Shows all active containment actions regardless of type.
  • Block IP -- Shows only active IP block actions.
  • Isolate Host -- Shows only active host isolation actions.
  • Power -- Shows only active power change actions.
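If you pull execution records through the API rather than reading the UI, the Dashboard counters and this Containment list follow from the status values in the Executions tabs. The following is an added example, not Jutsu's own code: it derives both from a constructed execution history. The record shape (id, action, target, status), the snake_case status and action names, and the rule that a run whose revert failed is still in effect are assumptions of this example.

```python
"""Derive the Dashboard counters and the Containment list from execution records.

Added example, not Jutsu's own code. Status values are the Executions filter
tabs in snake_case; the record shape, the action names and the handling of
revert_failed are assumptions. The records below are constructed sample data.
"""
from collections import Counter
from typing import Dict, Iterable, List, Optional

# Only these action types are listed on the Containment page.
CONTAINMENT_ACTIONS = {"block_ip", "isolate_host", "power"}

# A succeeded run stays in effect until a revert succeeds; a failed revert
# leaves the change in place in the cloud provider (assumption).
IN_EFFECT = {"succeeded", "revert_failed"}

# Constructed sample execution history (not real data).
EXECUTIONS = [
    {"id": "ex-01", "action": "block_ip", "target": "203.0.113.10", "status": "succeeded"},
    {"id": "ex-02", "action": "block_ip", "target": "198.51.100.7", "status": "reverted"},
    {"id": "ex-03", "action": "isolate_host", "target": "web-1", "status": "succeeded"},
    {"id": "ex-04", "action": "power", "target": "db-2", "status": "revert_failed"},
    {"id": "ex-05", "action": "isolate_host", "target": "api-3", "status": "running"},
    {"id": "ex-06", "action": "block_ip", "target": "203.0.113.99", "status": "failed"},
    {"id": "ex-07", "action": "power", "target": "cache-1", "status": "expired"},
    {"id": "ex-08", "action": "block_ip", "target": "192.0.2.9", "status": "action_required"},
]


def dashboard_counters(executions: Iterable[dict]) -> Dict[str, int]:
    """The three Recent Execution Outcomes counters."""
    counts = Counter(e["status"] for e in executions)
    return {
        # The Dashboard note says Succeeded includes reverted runs. A run whose
        # revert failed also completed its original action, so it is counted
        # here too (assumption; the page does not say where it lands).
        "succeeded_or_reverted": counts["succeeded"] + counts["reverted"] + counts["revert_failed"],
        "running": counts["running"],
        "failed": counts["failed"],
    }


def active_containment(executions: Iterable[dict], action_type: Optional[str] = None) -> List[dict]:
    """Runs whose change is still applied in the cloud, optionally one Containment tab's type."""
    return [
        e for e in executions
        if e["action"] in CONTAINMENT_ACTIONS
        and e["status"] in IN_EFFECT
        and (action_type is None or e["action"] == action_type)
    ]


def needs_operator_review(executions: Iterable[dict]) -> List[str]:
    """IDs to read before starting anything new: failed runs, failed reverts, runs awaiting manual action."""
    return [e["id"] for e in executions if e["status"] in {"failed", "revert_failed", "action_required"}]


if __name__ == "__main__":
    print(dashboard_counters(EXECUTIONS))
    for run in active_containment(EXECUTIONS):
        print(run["action"], run["target"], run["status"])
    print("review:", needs_operator_review(EXECUTIONS))
```

The point to notice is ex-04: a power change whose revert failed is green on the Dashboard but still applied to the server, so it belongs on the Containment page until a later revert succeeds.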

When no actions are active, the list is empty. Actions appear here as soon as a playbook is successfully executed from the Playground.

Providers and Inventory

Providers

The Providers page manages the cloud provider credentials that AgentSOAR uses to execute playbooks and sync inventory. All secrets are encrypted at rest using AES-256-GCM. Encryption at rest protects the stored values, not what they can do: anyone who can run a playbook acts with these credentials, so grant them only the permissions the enabled actions need rather than broad administrative rights. The header shows how many providers are currently saved.

Click Add provider to connect a new cloud provider account.

Saved providers

Lists all connected provider credentials. These are the connections playbooks use when they execute actions against your cloud infrastructure. The note at the top advises rotating keys in your cloud provider's console rather than here; the values stored here stay encrypted at rest. After rotating a key in the console, update the saved credential through the entry's three-dot menu so its Health badge stays green.

Each provider entry shows:

  • Provider logo and name -- Identifies the cloud provider and the name given to this credential.
  • Provider type badge -- The cloud platform this credential belongs to, for example GCP or AWS.
  • Health badge -- Shows whether the credential is currently valid and reachable. A green Healthy badge confirms the connection is working.
  • Credential details -- Key metadata about the credential such as authentication mode, project ID, service account email, region, or access key -- depending on the provider type.
  • Added -- How long ago this credential was added.
  • Three-dot menu -- Contains options to edit or delete the credential.

Inventory

The Inventory page shows all cloud assets synced from your connected providers, grouped by category. It gives you a real-time view of your infrastructure so your team can select assets by name when configuring playbooks instead of looking up resource IDs manually.

Provider tabs

At the top of the page, tabs let you filter the inventory by provider:

  • All providers -- Shows assets from all connected providers combined. Displays the total count and a Sync all button to refresh all providers at once.
  • Individual provider tabs -- One tab per connected provider, for example Jutsu GCP and Jutsu AWS. Each has its own sync button to refresh that provider's inventory independently.

Category filters

Below the provider tabs, category buttons filter the asset list by type. All shows every asset across all categories. Additional category buttons appear for each asset type found, for example Cloud instances.

Search

Search assets by name, ID, IP address, or region. The total count of assets shown is displayed on the right side of the search bar.

Asset table

Assets are grouped by category. Each category section shows a header with the category name, a description, and the total asset count. The table columns are:

  • Provider -- The cloud provider logo identifying where this asset lives.
  • Name -- The asset name and its unique resource identifier below it.
  • Location -- The region and availability zone the asset is deployed in.
  • Network -- The private and public IP addresses of the asset. Click the copy icon next to either IP to copy it to your clipboard.
  • Status -- The current operational state of the asset, for example Running.
  • Attacks -- The number of attacks detected against this asset in the platform.