Skip to content
Flows
Agent QA & Security Intermediate · 60-90 minutes

Incident Response Runbook for Agent Mishaps

Prepare for the day your agent does damage: detection, containment, rollback, investigation, and prevention - written before you need it.

Start Route · 4 steps

The route

4 steps to Done

  1. 01

    Define detection and the kill switch

    You cannot respond to what you cannot detect or stop.

    Preview prompt + verify gate ▾

    Build detection and the emergency stop. DETECTION: enumerate mishap signals - blast-radius limits tripping, security events (blocked/escalated actions spiking), anomaly flags from observability (runaway cost, error bursts), audit-trail alerts on sensitive-resource changes, and human reports; define where each surfaces and who is notified. KILL SWITCH: implement a single, fast action that immediately halts the agent loop (no more turns), cancels in-flight tool executions at safe boundaries, and revokes the agent's tool authority (all tools drop to blocked/ask) - reachable by an operator without a code change and, ideally, auto-triggerable by severe signals (e.g. blast-radius hard stop). Test the kill switch: trigger it mid-task and confirm the agent stops acting within seconds and cannot execute further tools.

    • Mishap signals enumerated with notification paths
    • Kill switch halts loop and revokes authority
    • Verified to stop action within seconds
  2. 02

    Write containment and rollback procedures

    Stop the bleeding, then undo the damage - in that order.

    Preview prompt + verify gate ▾

    Author the containment and rollback runbook sections. CONTAINMENT (immediately after kill switch): isolate affected systems if needed (revoke the agent's credentials/tokens, pause dependent automation), preserve evidence (do NOT delete logs, traces, or the workspace state - snapshot them first), and assess scope from the audit trail (what actions fired, what they touched). ROLLBACK: use the checkpoint/undo system to restore pre-incident state - identify the last good checkpoint before the mishap (audit trail timestamps locate it), verify the checkpoint's integrity, restore, and confirm the restored state by diffing against expectations; for effects outside the workspace (external sends, data changes), list compensating actions since rollback cannot undo them. Write these as numbered, do-this-now steps, not prose.

    • Evidence-preservation before any cleanup
    • Rollback locates the last good checkpoint via audit timestamps
    • External/irreversible effects get compensating actions
  3. 03

    Write the investigation procedure

    Reconstruct exactly what happened, using the records you built.

    Preview prompt + verify gate ▾

    Author the investigation section leveraging your observability and audit systems. Procedure: locate the incident session(s); pull the audit trail for the affected resources (what actions, what authority, what triggering requests); open the trace tree and use session replay to see the exact model context and decisions at the point things went wrong; identify the ROOT cause and classify it - prompt injection, permission gap, blast-radius miss, hallucinated action, harness bug, or genuine ambiguity in the user request. Capture the causal chain: what content or instruction led the agent to the harmful action, and what control failed to stop it. This section assumes the audit-trail and observability flows exist; if a needed record is missing during the drill, that gap is itself a finding.

    • Audit trail and replay used to reconstruct events
    • Root cause classified into defined categories
    • Missing records flagged as findings
  4. 04

    Establish the postmortem loop and drill it

    Every incident must leave the system safer - proven by a live drill.

    Preview prompt + verify gate ▾

    Close with the prevention loop and a full drill. POSTMORTEM: adopt a blameless template - timeline (from audit/traces), root cause, what contained it and how fast, what went well/poorly, and REQUIRED prevention items each mapped to a concrete control (a new rule-file rule, a permission tier change, a blast-radius limit, an injection-suite case, an observability improvement) with an owner; the incident is not closed until prevention items land, each with a regression test where possible. DRILL: run the entire runbook end to end on a simulated incident (in a disposable environment, script the agent into a contained-but-real mishap): detect -> kill switch -> contain -> rollback -> investigate -> postmortem -> prevention. Time each phase, fix rough spots, and produce at least one real prevention item from the drill. Schedule periodic re-drills.

    • Postmortem produces control-mapped prevention items
    • Incident not closed until fixes land
    • Full runbook drilled end to end with timings

Research-backed

Sources behind this flow