Demo Storyboard

Incident response: breach to resolution in under 4 minutes

This demo storyboard walks through a complete data breach incident — from initial detection through automated containment, executive-approved external communications, and evidence pack generation.

Total elapsed time: 3 minutes 47 seconds

Incident Timeline

Every step, governed and audited

T+0:00 Auto

Anomaly Detected

Agent: Security Agent

Security Agent detects unusual data exfiltration pattern from an internal endpoint. 3.2GB outbound transfer to an unrecognized external IP over the past 47 minutes.

Alert classified as HIGH severity
Threat intelligence lookup initiated
Affected endpoint identified: WS-FIN-042

T+0:12 Tier 1 — Auto

Automated Containment

Agent: Security Agent

Policy engine classifies endpoint isolation as Tier 1 (pre-approved). Security Agent executes immediately without human approval.

Endpoint WS-FIN-042 isolated from network
Active sessions terminated
Forensic snapshot initiated
Incident ticket INC-2024-0847 created

T+0:34 Tier 2 — On-Call Approval

Escalation to On-Call

Agent: Security Agent

Agent determines broader network segment may be compromised. Segment isolation requires Tier 2 approval from on-call security responder.

Teams approval card sent to on-call: Sarah Chen
Context package: affected systems, blast radius, recommendation
SLA timer started: 15-minute response window

T+0:41 Approved

On-Call Approves

Agent: Human: Sarah Chen (On-Call)

On-call responder reviews the full context in Teams and approves network segment isolation with one click.

Network segment VLAN-FIN-03 isolated
7 additional endpoints quarantined
Internal stakeholder notification sent

T+1:15 Tier 3 — Executive Approval

External Comms Required

Agent: Communications Agent

Analysis confirms data breach involving customer PII. Regulatory notification and customer communication required. This is Tier 3 — requires CEO, CISO, and General Counsel approval.

Draft regulatory notification prepared
Draft customer communication prepared
Approval requests sent to CEO, CISO, GC simultaneously
30-minute SLA timer for each approver

T+2:08 All Approved

Executive Approval Chain Complete

Agent: CEO, CISO, General Counsel

All three executives review and approve the external communications. Each approval is logged with timestamp, identity verification, and any modifications they requested.

CISO approved at T+1:32 — no modifications
CEO approved at T+1:48 — minor wording change
GC approved at T+2:08 — added legal disclaimer

T+2:12 Executing

Governed Execution

Agent: M365 Executor

Approved communications sent through the governed M365 executor identity. All emails sent via Graph API, all actions attributed to the authorizing approvals.

Regulatory notification sent via executor mailbox
Customer notification sent to affected accounts
Internal all-hands notification via Teams
Board notification queued for CEO review

T+3:47 Complete

Evidence Pack Generated

Agent: Compliance Agent

Complete evidence pack automatically compiled and uploaded to SharePoint. Ready for regulatory submission, internal audit, and post-incident review.

Full incident timeline (PDF + JSON)
Approval chain with timestamps and identities
All agent actions with policy justifications
Forensic artifacts and network logs
Communication copies with approval markup

Incident Summary

Detection to Containment: 12 seconds
Full Resolution: 3m 47s
Human Approvals: 4 approvals
Audit Events Logged: 142 events

This demo storyboard illustrates how SageOS handles a real-world incident scenario with full governance at every step. Every action was policy-bounded, every approval was from a real human authority, and every event is permanently logged.
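
The tiered approval gating in the timeline can be modelled as a small policy check. The following is an added example, not SageOS code: the `POLICY` layout, the `gate` and `t` functions and the role strings are hypothetical, and it assumes each SLA window starts when the approval request is sent.

```python
from dataclasses import dataclass

# Tier rules taken from the storyboard; this data layout is an assumption.
POLICY = {
    1: {"approvers": frozenset(), "sla_s": 0},  # pre-approved, no human needed
    2: {"approvers": frozenset({"on-call"}), "sla_s": 15 * 60},
    3: {"approvers": frozenset({"CEO", "CISO", "GC"}), "sla_s": 30 * 60},
}

@dataclass(frozen=True)
class Approval:
    role: str
    at_s: int  # seconds since T+0:00

def t(mmss: str) -> int:
    """Convert a storyboard offset such as '1:32' to seconds."""
    minutes, seconds = mmss.split(":")
    return int(minutes) * 60 + int(seconds)

def gate(tier, requested_at_s, approvals, now_s):
    """Decide whether an action may execute; every verdict lands in the audit list."""
    rule = POLICY[tier]
    deadline = requested_at_s + rule["sla_s"]
    accepted, audit = {}, []
    for a in sorted(approvals, key=lambda a: a.at_s):
        if a.role not in rule["approvers"]:
            verdict = "rejected: role not authorized for this tier"
        elif not requested_at_s <= a.at_s <= deadline:
            verdict = "rejected: outside SLA window"
        elif a.role in accepted:
            verdict = "ignored: duplicate"
        else:
            accepted[a.role] = a.at_s
            verdict = "accepted"
        audit.append((a.at_s, a.role, verdict))
    missing = rule["approvers"] - set(accepted)
    if not missing:
        state = "authorized"   # all required roles signed off in time
    elif now_s > deadline:
        state = "expired"      # fail closed: no execution after the SLA lapses
    else:
        state = "pending"
    done_at = max(accepted.values(), default=requested_at_s) if not missing else None
    return {"state": state, "authorized_at_s": done_at,
            "missing": sorted(missing), "audit": audit}
```

Fed the storyboard's own timestamps, the Tier 3 request sent at T+1:15 becomes authorized at T+2:08, when the last of the three approvals arrives.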