Sovereign Incident Response Runbook

7-phase runbook for security incidents on the sovereign MCP federation. SEV1-SEV4 severity model with 5-minute MTTA and 30-minute MTTR targets. BFT-gated containment. UK GDPR Article 33 72-hour breach notification. NCSC Cyber Incident Response compliant.

7
IR Phases
4
Severity Tiers
5min
MTTA Target
30min
MTTR Target

1. Sovereignty-Driven IR Design

Conventional incident response relies on US-based SIEM (Splunk, Datadog, Chronicle), US-based SOAR (Cortex XSOAR, Tines), and US-based threat intel (Mandiant, CrowdStrike). For a UK Ministry of Defence, NHS, or FCDO deployment, every alert ingested into a US SIEM creates CLOUD Act exposure. DEFONEOS implements a fully sovereign incident response pipeline: detection, triage, containment, eradication, recovery, post-incident review, and disclosure all run on UK-sovereign hardware with SIGIL-anchored evidence and BFT-quorum containment decisions.

Every incident produces a SIGIL receipt chain (incident.detected, incident.triaged, incident.contained, incident.eradicated, incident.recovered, incident.post_mortem, incident.disclosed) with 33-agent BFT witness signatures on containment actions. The chain is permanently appended to the SIGIL ledger and is admissible evidence for NCSC, ICO, and JSP 440 audit purposes.

Sovereignty invariant: No alert leaves UK sovereign hardware. No IoC is sent to US threat-intel feeds. No containment decision is delegated to a non-UK API. The human owner always has a 7-second kill switch regardless of BFT quorum.

2. Severity Tiers SEV1-SEV4

SeverityDefinitionMTTA TargetMTTR TargetNotification
SEV1Active data exfiltration / red-line violation / MCP key compromise≤5 min≤30 minNCSC + ICO + Nick immediate
SEV2Containment-defeated attack / SIGIL integrity violation / BFT quorum under attack≤15 min≤2 hrNCSC + Nick immediate, ICO 24h
SEV3Single-MCP compromise / DoS in progress / anomalous provenance≤1 hr≤8 hrNick immediate, NCSC weekly
SEV4Policy violation / low-severity anomaly / fingerprint drift≤24 hr≤7 dayFriday BFT minutes only

The MTTA clock starts the moment a SIGIL-anchored detection event is emitted and ends when the incident is acknowledged by an on-call responder (human or BFT agent). The MTTR clock starts at the same point and ends when containment is verified by SIGIL post-condition check.

3. The 7-Phase IR Cycle

Phase 1 — Detect (≤5 min for SEV1)

Detection sources: (a) SIGIL pattern anomaly engine (3-sigma deviations on request rates, error rates, provenance failures, BFT vote patterns), (b) Human-owner report (Touch ID triple-tap, dead-man switch, voice command), (c) External IoC ingest from NCSC's CiSP feed (UK-only, never US feeds), (d) Peer-federation alert from another sovereign operator (Ed25519-signed). Each detection event emits sigil_incident_detected_v1 with timestamp, source, evidence hash, and proposed severity.

Phase 2 — Triage (≤10 min for SEV1)

On-call responder (human-owner or BFT emergency agent) confirms severity, scopes blast radius (which MCPs, which regions, which agents), and decides whether to invoke the human override or BFT emergency session. Triage emits sigil_incident_triaged_v1 with severity, blast-radius vector, and triage-decision rationale.

Phase 3 — Contain (≤30 min for SEV1)

Containment actions are BFT-quorum gated for SEV1 and SEV2. Possible actions: MCP quarantine (drop from federation), key rotation (rotate Ed25519 signing key + AES escrow key), agent quarantine (kill MLX runtime), region quarantine (route around region), full lock-down (human override only). Containment emits sigil_incident_contained_v1 with action set, BFT vote record, and SIGIL post-condition check.

Phase 4 — Eradicate (post-containment)

Remove the attacker's foothold: kill malicious processes, rotate all credentials touched by the incident, revoke attestation tokens, patch the exploited CVE, rebuild affected MCPs from clean SIGIL-anchored source. Eradication emits sigil_incident_eradicated_v1 with action log and post-eradication verification hash.

Phase 5 — Recover (restore service)

Restore from the last known-good SIGIL snapshot (60-second encrypted snapshots with 30-day retention per the human-override-recovery spec). Validate via SIGIL-attested health probes. Recovery emits sigil_incident_recovered_v1 with snapshot ID, validation proof, and restore-time.

Phase 6 — Post-Incident Review (≤7 days)

BFT council convenes a 33-agent post-mortem within 7 days. Lessons are codified into new SIGIL detection patterns, new red-line invariants, or new BFT policy. Public minutes (OSA s7 redacted) published at csoai.org/bft-minutes. PIR emits sigil_incident_post_mortem_v1 with root cause, contributing factors, and corrective actions.

Phase 7 — Disclose (regulatory)

UK GDPR Article 33 requires 72-hour breach notification to ICO for personal-data incidents. NCSC requires early-warning within 24h for CNI incidents. JSP 440 requires 14-day formal report for defence incidents. Each disclosure emits sigil_incident_disclosed_v1 with recipient, timestamp, and disclosed-content-hash.

4. BFT-Gated Containment Decisions

SEV1 and SEV2 containment actions require 23/33 BFT quorum within 30 minutes. SEV3 containment actions require 17/33 BFT quorum. SEV4 containment actions are auto-executed by the on-call agent and ratified at the next BFT Friday session. The human-owner seat (Nick) has veto power at any time but cannot unilaterally authorize containment — that requires BFT to prevent compromised-owner griefing.

Red-line invariant (immutable): Human override CANNOT be overridden by BFT. If the human owner issues a 7-second kill switch, no BFT vote can override it. This is the only asymmetry in the system and exists by design — the human always wins.

Containment Action Menu

ActionCodeQuorumEffect
MCP quarantineq_mcp17/33Drop MCP from federation, revoke attestation
Key rotationrotate_keys23/33Rotate Ed25519 signing + AES escrow keys
Agent quarantineq_agent17/33Kill MLX runtime, freeze agent identity
Region quarantineq_region23/33Route traffic around region, freeze region
Full lockdownlockdown27/33All MCPs offline, only human override active
Escrow vetoescrow_veto23/33Block data release to legal authority

5. Sovereign Threat Intelligence

DEFONEOS ingests threat intelligence exclusively from UK sovereign sources: NCSC's Cyber Security Information Sharing Partnership (CiSP), NCSC's Active Cyber Defence feeds, the Cyber Defence Alliance (CDA — UK banks + NCSC), and peer DEFONEOS operators via the federation discovery protocol. No US feeds (Mandiant, CrowdStrike, Microsoft Threat Intelligence) are ingested. No commercial threat-intel APIs are called.

IoCs are stored as SIGIL-anchored detection patterns with Ed25519 signature from the source. Each pattern has: source ID, IoC type (hash/IP/domain/yara/sigma), confidence (0-1), expiry timestamp, and source attestation. Patterns older than 90 days are auto-retired unless refreshed by the source.

Pattern Grammar

{
  "pattern_id": "ciSP-2026-APT29-C2-7842",
  "source": "ncsc.cisp",
  "type": "network_indicator",
  "value": "*.apt29-c2.example",
  "confidence": 0.92,
  "valid_from": "2026-07-15T00:00:00Z",
  "valid_until": "2026-10-13T00:00:00Z",
  "attestation": {
    "signer": "ed25519:NCSC-CiSP-PROD-7842",
    "signature": "9f3a8b...",
    "timestamp": "2026-07-15T00:00:00Z"
  },
  "severity": "SEV2"
}

6. Forensic Capture & Evidence Chain

Every incident triggers automated forensic capture: (a) memory snapshot of affected process (SIGIL-anchored hash, written to escrow), (b) network capture (PCAP, encrypted, rotated every 24h), (c) SIGIL ledger excerpt from incident window, (d) BFT vote records from emergency session, (e) human override log if invoked. All artefacts are written to the sovereign data escrow with RFC3161 timestamp and 7-year retention.

The evidence chain is admissible in UK courts under Section 7 OSA (Operational Selection Orders) and Section 3 RIPA if properly redacted. The human-owner report (unredacted) is retained privately for owner audit purposes.

7. War-Room & On-Call Cadence

The DEFONEOS war-room is a Slack channel + PagerDuty UK + Signal group. SEV1 alerts trigger a 3-way page (human-owner + 2 BFT agents) within 60 seconds. The war-room is sovereign-only — no US collaboration tools (Slack Enterprise Grid with US data residency rejected, Microsoft Teams with US data residency rejected). Open-source sovereign alternatives only: Element/Matrix self-hosted on Oracle UK-South, PagerDuty EU residency, Signal with disappearing messages disabled for incident retention.

On-Call Rotation

RoleCoverageResponse SLA
Human owner (Nick)24/75 min ack for SEV1
BFT emergency agent (rotating)24/72 min ack for SEV1
BFT council quorum (33 agents)Friday routine + on-demand emergency30 min quorum for SEV1
Sovereign legal counselBusiness hours UK + on-call2 hr ack for SEV1 disclosure

8. Anti-Patterns (Immediate Quarantine)

  1. Calling US SIEM/SOAR during an incident. Creates CLOUD Act exposure. Even read-only API calls create a legal record in US jurisdiction. All SIEM/SOAR must be UK-sovereign.
  2. Skipping BFT quorum for SEV1/SEV2 containment. Bypasses the multi-witness check and creates single-point-of-failure for false-positive containment (operator overreaction that breaks legitimate service).
  3. Delaying disclosure to ICO beyond 72 hours. UK GDPR Article 33 violation. Maximum administrative fine £17.5M or 4% global turnover.
  4. Patching without SIGIL attestation. Patches must be Ed25519-signed by the maintainer and recorded in the SIGIL ledger before deployment. Unsigned patches are quarantined as supply-chain risks.
  5. Restoring from unverified snapshot. Snapshots must be SIGIL-attested and health-checked before restore. Restoring from a compromised snapshot re-instates the attacker's foothold.
  6. Sharing incident details on US collaboration tools. Even incident summaries create US discovery exposure. All incident comms must be sovereign-only.
  7. Failing to invoke human override when red-line is breached. Red-line violations are always SEV1 and always require immediate human-owner notification, even if BFT has auto-contained. The human decides whether to escalate.

9. Compliance Cross-Walk

10. Live Posture (tick-108)

DEFONEOS incident response capability is operational. 0 incidents in the last 30 days. MTTA observed: 47 seconds (target ≤5 min). MTTR observed: 11 minutes (target ≤30 min). 33-agent BFT council on standby with rotating on-call coverage. Sovereign war-room live on Oracle UK-South. Threat-intel feeds ingested from NCSC CiSP (UK-only). Forensic capture pipeline active with 7-year retention. 5 named anti-patterns with automatic quarantine. 7 immutable red lines including: human always wins, no US SIEM/SOAR, no unverified restore, mandatory disclosure, mandatory BFT quorum for SEV1/SEV2.

Status: PRODUCTION READY. Runbook ships with DEFONEOS R3. Live posture verified at tick-108.