Respond
Auto-block, alert, playbook execution
11 response actions, all shipped: block_ip · kill_process · disable_account · isolate_file · block_tool · kill_agent · quarantine_session · revoke_skill · reduce_permissions · notify · log_only
Confidence-threshold policy: 90 / 70 / 0.
WHAT THIS LAYER DOES
L6 Respond closes the loop without a human. On a high-confidence detection, RespondAgent picks from 11 actions — block IP, kill process, quarantine skill, revoke credentials, isolate agent session, reduce permissions, send Slack / email / Discord alert, disable account, log-only, or run a custom playbook step.
WHY YOU NEED IT
Detection without response is noise. Agent attacks move in seconds — by the time a SOC analyst reads the alert, credentials are already exfiltrated. The loop has to close without a human for the 90th-percentile case.
HOW IT WORKS
respond-agent.ts dispatches on the ResponseAction union type. Each action handler is independently testable. The policy engine chooses the action by confidence threshold (>=90% auto, 70-90% notify + wait, <70% log). The playbook engine composes multi-step responses.
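The threshold policy and union dispatch described above, as an added example (not the project's respond-agent.ts). The payload fields, the names tierFor, dryRun and plan, the treatment of invalid scores as log-only, and Slack as the default channel are assumptions; handlers return a description of the action instead of performing it.

```typescript
// Added illustration: payload fields and function names are assumptions,
// not the project's respond-agent.ts. Action kinds are the 11 the page lists.
type ResponseAction =
  | { kind: "block_ip"; ip: string }
  | { kind: "kill_process"; pid: number }
  | { kind: "kill_agent" | "quarantine_session"; sessionId: string }
  | { kind: "revoke_skill" | "block_tool" | "isolate_file"; target: string }
  | { kind: "disable_account" | "reduce_permissions"; account: string }
  | { kind: "notify"; channel: "slack" | "email" | "discord"; text: string }
  | { kind: "log_only"; text: string };

type Tier = "auto" | "notify_wait" | "log";

// Thresholds from the page: >=90 auto, 70-90 notify + wait, <70 log.
// Non-finite or out-of-range scores fall to "log" so a malformed detector
// value can never trigger a destructive action (assumed fail-safe choice).
function tierFor(confidence: number, auto = 90, notify = 70): Tier {
  if (!Number.isFinite(confidence) || confidence < 0 || confidence > 100) return "log";
  if (confidence >= auto) return "auto";
  return confidence >= notify ? "notify_wait" : "log";
}

// One branch per variant; the never check fails the build if a kind is added but not handled.
function dryRun(a: ResponseAction): string {
  switch (a.kind) {
    case "block_ip": return `block_ip ${a.ip}`;
    case "kill_process": return `kill_process ${a.pid}`;
    case "kill_agent": case "quarantine_session": return `${a.kind} ${a.sessionId}`;
    case "revoke_skill": case "block_tool": case "isolate_file": return `${a.kind} ${a.target}`;
    case "disable_account": case "reduce_permissions": return `${a.kind} ${a.account}`;
    case "notify": return `notify ${a.channel}: ${a.text}`;
    case "log_only": return `log_only ${a.text}`;
    default: { const unhandled: never = a; throw new Error(`unhandled ${JSON.stringify(unhandled)}`); }
  }
}

// Playbook = ordered steps. Only the "auto" tier runs them; "notify_wait"
// alerts and holds them for approval; "log" records the detection only.
function plan(confidence: number, playbook: ResponseAction[]): string[] {
  const tier = tierFor(confidence);
  if (tier === "auto") return playbook.map(dryRun);
  const summary = `confidence ${confidence}, ${playbook.length} step(s) held`;
  // Slack is an assumed default channel for the notify tier.
  return [dryRun(tier === "notify_wait"
    ? { kind: "notify", channel: "slack", text: summary }
    : { kind: "log_only", text: summary })];
}
```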
TRY IT NOW
Review default policy + customize per attack class:
pga config set policy.autoRespond 90
ATTACKS THIS LAYER CATCHES
Concrete threats, concrete controls
Active agent compromise
CRITICAL
Detection confidence ≥90% → auto-kill agent session + revoke credentials + alert SOC.
Sustained attack IP
HIGH
Multiple failed payloads from same source — auto-block at iptables / pfctl.