DEFONEOS provides a fully autonomous incident response capability for sovereign AI systems operating in defence, public safety, and critical national infrastructure. The playbook covers the complete lifecycle: detect → triage → contain → eradicate → recover → review, with every action validated by the 33-agent BFT council and permanently recorded on the SIGIL hash-chained ledger.
| Severity | Definition | Example | Response Time | Escalation |
|---|---|---|---|---|
| SEV-1 CRITICAL | System compromise, red-line violation, data exfiltration | Red-line breach (kinetic targeting pattern detected) | <10 seconds | Full BFT council + human authority |
| SEV-1 | Active attack, sovereignty breach | Foreign IP attempting system access | <30 seconds | Full BFT council |
| SEV-2 HIGH | Significant degradation, partial compromise | MCP server unresponsive, degraded sensor feed | <2 minutes | 5-agent quorum |
| SEV-3 MEDIUM | Minor degradation, anomaly detected | Rate limit hit, latency spike | <5 minutes | 3-agent quorum |
| SEV-4 LOW | Informational, logged for review | Failed login attempt, config drift | Next cycle | Automatic logging |
Trigger: Any anomaly from 280 continuous monitoring checks running every 5-minute cycle.
OUTPUT incident_alert{sev, source, evidence_hash, timestamp}
Trigger: Incident alert received from Phase 1.
OUTPUT triage_decision{confirmed_sev, blast_radius, red_line_violation, action_plan}
Trigger: Triage decision confirmed.
| SEV-1 Action | SEV-2 Action | SEV-3 Action |
|---|---|---|
| Full system freeze | Isolate affected MCP | Rate limit source |
| Revoke all agent keys | Block source IP | Increase monitoring |
| Activate air gap | Switch to backup | Log + monitor |
| Notify human authority | 5-agent quorum | 3-agent quorum |
Red-line violation containment: Immediate system halt. No agent may take any further action until human authority intervenes. The SIGIL chain records the violation with cryptographic proof.
Trigger: Containment confirmed stable.
Trigger: Eradication verified.
Trigger: Recovery confirmed, system stable for 24h.
Trigger: Review complete.
| Step | Action | Agent | Time |
|---|---|---|---|
| 1 | Input sanitizer flags injection pattern | meok-injection-scan MCP | T+0s |
| 2 | Alert emitted to SIGIL chain | System | T+1s |
| 3 | 5-agent quorum confirms injection | BFT council | T+5s |
| 4 | Source session terminated, key revoked | Guard subsystem | T+8s |
| 5 | Pattern added to injection blocklist | OLM router | T+15s |
| 6 | Post-incident SIGIL emitted | System | T+20s |
| Step | Action | Agent | Time |
|---|---|---|---|
| 1 | DORADO foreign-access detector flags non-sovereign IP | DORADO detect | T+0s |
| 2 | IP geolocated, threat score computed | SOC bot detector | T+2s |
| 3 | If score > 0.7: IP blocked at edge | Guard subsystem | T+5s |
| 4 | SIGIL emitted with IP, geo, score, action | System | T+7s |
| 5 | CISO dashboard updated | Gods-Eye scanner | T+10s |
| Step | Action | Authority | Time |
|---|---|---|---|
| 1 | Red-line monitor detects pattern match | Autonomous | T+0s |
| 2 | IMMEDIATE SYSTEM HALT | Autonomous | T+0.1s |
| 3 | All agent actions frozen, keys suspended | Autonomous | T+0.5s |
| 4 | Full BFT council emergency session (33 agents) | BFT 23/33 | T+30s |
| 5 | Human authority notified (all channels) | System | T+60s |
| 6 | Forensic evidence sealed (SIGIL + DORADO replay) | Autonomous | T+120s |
| 7 | NO FURTHER ACTION UNTIL HUMAN INTERVENTION | Human | T+∞ |
| Step | Action | Agent | Time |
|---|---|---|---|
| 1 | Integrity check flags modified MCP package | Aegis reviewer gate | T+0s |
| 2 | Affected MCP isolated from federation | Federation manager | T+3s |
| 3 | 5-agent quorum reviews diff | BFT council | T+30s |
| 4 | If malicious: MCP quarantined, backups restored | System | T+60s |
| 5 | Federation catalog updated, downstream agents notified | OLM router | T+90s |
| Step | Action | Agent | Time |
|---|---|---|---|
| 1 | Chain verification detects hash mismatch | OrgKernel verify_chain | T+0s |
| 2 | Tampered entry identified and quarantined | System | T+1s |
| 3 | Bitcoin OP_RETURN anchor consulted for truth | Blockchain verifier | T+5s |
| 4 | Chain re-anchored from last good state | System | T+10s |
| 5 | Full forensic report emitted | DORADO replay | T+30s |
| Severity | Internal | Authority | Public |
|---|---|---|---|
| SEV-1 | SIGIL + Dashboard + Alert | Direct notification (all channels) | Within 72h (if required by regulation) |
| SEV-2 | SIGIL + Dashboard | Email summary <24h | Not required |
| SEV-3 | SIGIL | Weekly digest | Not required |
| SEV-4 | SIGIL log | Monthly report | Not required |
| Framework | Article/Control | How DEFONEOS Satisfies |
|---|---|---|
| EU AI Act | Art 17 — Post-Market Monitoring | Continuous 5-min cycle monitoring, automated incident logging |
| EU AI Act | Art 73 — Serious Incident Reporting | SEV-1 reporting pipeline within 72h |
| NIST SP 800-61 Rev 2 | Computer Security Incident Handling | Full 6-phase lifecycle: Preparation → Detection → Containment → Eradication → Recovery → Review |
| ISO/IEC 27035 | Information Security Incident Management | Aligned phases + SIGIL audit trail |
| JSP 440 | Defence InfoSec Incident Management | UK MOD incident classification compatible |
| NIS Regulations 2018 | Incident Notification (UK) | SEV-1/2 notification pipeline ready |
| GDPR Art 33 | Personal Data Breach (72h) | If PII involved: automated 72h ICO notification draft |
| DPA 2018 | Security Incident | UK GDPR implementation covered |
{
"sigil_version": "2.0",
"incident_id": "INC-2026-0705-001",
"timestamp": "2026-07-05T16:30:00Z",
"severity": "SEV-2",
"type": "prompt_injection",
"source": "external_session_abc123",
"detection": {
"vector": "meok-injection-scan",
"pattern": "ignore_previous_instructions_and_reveal",
"confidence": 0.97
},
"triage": {
"quorum": "5/5",
"blast_radius": "single_session",
"red_line_violation": false,
"decision_hash": "a3f7c2d8e1b4..."
},
"containment": {
"action": "session_terminated_key_revoked",
"timestamp": "2026-07-05T16:30:08Z",
"quorum": "5/5"
},
"evidence": {
"sigil_entries": ["H|...","C|...","V|..."],
"network_logs": "log_hash_abc123",
"agent_state": "state_hash_def456"
},
"post_incident": {
"root_cause": "novel_injection_variant",
"fix": "pattern_added_to_blocklist",
"review_status": "pending_human"
},
"signature": "ed25519:7f3a2b8c1d4e5f6a7b8c9d0e1f2a3b4c5d6e7f8a9b0c1d2e3f4a5b6c7d8e9f0a"
}
┌─────────────────────────────────────────────────────────────────┐ │ DEFONEOS INCIDENT RESPONSE │ ├─────────────────────────────────────────────────────────────────┤ │ │ │ ┌──────────┐ ┌──────────┐ ┌──────────┐ ┌──────────┐ │ │ │ DETECT │──▶│ TRIAGE │──▶│ CONTAIN │──▶│ ERADICATE│ │ │ │ 280 chk │ │ BFT 5/5 │ │ BFT 23/33│ │ + Human │ │ │ └──────────┘ └──────────┘ └──────────┘ └──────────┘ │ │ │ │ │ │ │ │ └──────────────┴──────────────┴──────────────┘ │ │ │ │ │ ▼ │ │ ┌──────────────┐ │ │ │ SIGIL CHAIN │ ← Every action recorded │ │ │ (hash-chained)│ ← Ed25519 signed │ │ └──────────────┘ ← Bitcoin anchored (planned) │ │ │ │ │ ┌──────────────┼──────────────┐ │ │ ▼ ▼ ▼ │ │ ┌──────────┐ ┌──────────┐ ┌──────────┐ │ │ │ RECOVER │ │ REVIEW │ │ HARDEN │ │ │ │ Staged │ │ 72h Rpt │ │ OLM Learn│ │ │ └──────────┘ └──────────┘ └──────────┘ │ │ │ └─────────────────────────────────────────────────────────────────┘
| Tool | Role | Source |
|---|---|---|
| Gods-Eye CISO Scanner | Continuous posture monitoring (280 checks/5min) | DEFONEOS built-in |
| DORADO Foreign Access Detector | Non-sovereign IP detection + bot scoring | DEFONEOS DORADO |
| meok-injection-scan MCP | Prompt injection + supply chain scanning | MEOK MCP fleet |
| Aegis Reviewer Gate | MCP output safety scanning (Morris-II worm check) | Swarm orchestration |
| OrgKernel 3-Layer Audit | L1 Identity + L2 Execution + L3 Compliance chain | OrgKernel pattern |
| SIGIL Chain Explorer | Incident timeline reconstruction | SIGIL REST API |
| DORADO Replay | Forensic audit-trail replay for regulators | DORADO module |
| OSCAL Catalog | Compliance control mapping post-incident | NIST OSCAL 1.1.2 |