7-phase runbook for security incidents on the sovereign MCP federation. SEV1-SEV4 severity model with 5-minute MTTA and 30-minute MTTR targets. BFT-gated containment. UK GDPR Article 33 72-hour breach notification. NCSC Cyber Incident Response compliant.
Conventional incident response relies on US-based SIEM (Splunk, Datadog, Chronicle), US-based SOAR (Cortex XSOAR, Tines), and US-based threat intel (Mandiant, CrowdStrike). For a UK Ministry of Defence, NHS, or FCDO deployment, every alert ingested into a US SIEM creates CLOUD Act exposure. DEFONEOS implements a fully sovereign incident response pipeline: detection, triage, containment, eradication, recovery, post-incident review, and disclosure all run on UK-sovereign hardware with SIGIL-anchored evidence and BFT-quorum containment decisions.
Every incident produces a SIGIL receipt chain (incident.detected, incident.triaged, incident.contained, incident.eradicated, incident.recovered, incident.post_mortem, incident.disclosed) with 33-agent BFT witness signatures on containment actions. The chain is permanently appended to the SIGIL ledger and is admissible evidence for NCSC, ICO, and JSP 440 audit purposes.
| Severity | Definition | MTTA Target | MTTR Target | Notification |
|---|---|---|---|---|
| SEV1 | Active data exfiltration / red-line violation / MCP key compromise | ≤5 min | ≤30 min | NCSC + ICO + Nick immediate |
| SEV2 | Containment-defeated attack / SIGIL integrity violation / BFT quorum under attack | ≤15 min | ≤2 hr | NCSC + Nick immediate, ICO 24h |
| SEV3 | Single-MCP compromise / DoS in progress / anomalous provenance | ≤1 hr | ≤8 hr | Nick immediate, NCSC weekly |
| SEV4 | Policy violation / low-severity anomaly / fingerprint drift | ≤24 hr | ≤7 day | Friday BFT minutes only |
The MTTA clock starts the moment a SIGIL-anchored detection event is emitted and ends when the incident is acknowledged by an on-call responder (human or BFT agent). The MTTR clock starts at the same point and ends when containment is verified by SIGIL post-condition check.
Detection sources: (a) SIGIL pattern anomaly engine (3-sigma deviations on request rates, error rates, provenance failures, BFT vote patterns), (b) Human-owner report (Touch ID triple-tap, dead-man switch, voice command), (c) External IoC ingest from NCSC's CiSP feed (UK-only, never US feeds), (d) Peer-federation alert from another sovereign operator (Ed25519-signed). Each detection event emits sigil_incident_detected_v1 with timestamp, source, evidence hash, and proposed severity.
On-call responder (human-owner or BFT emergency agent) confirms severity, scopes blast radius (which MCPs, which regions, which agents), and decides whether to invoke the human override or BFT emergency session. Triage emits sigil_incident_triaged_v1 with severity, blast-radius vector, and triage-decision rationale.
Containment actions are BFT-quorum gated for SEV1 and SEV2. Possible actions: MCP quarantine (drop from federation), key rotation (rotate Ed25519 signing key + AES escrow key), agent quarantine (kill MLX runtime), region quarantine (route around region), full lock-down (human override only). Containment emits sigil_incident_contained_v1 with action set, BFT vote record, and SIGIL post-condition check.
Remove the attacker's foothold: kill malicious processes, rotate all credentials touched by the incident, revoke attestation tokens, patch the exploited CVE, rebuild affected MCPs from clean SIGIL-anchored source. Eradication emits sigil_incident_eradicated_v1 with action log and post-eradication verification hash.
Restore from the last known-good SIGIL snapshot (60-second encrypted snapshots with 30-day retention per the human-override-recovery spec). Validate via SIGIL-attested health probes. Recovery emits sigil_incident_recovered_v1 with snapshot ID, validation proof, and restore-time.
BFT council convenes a 33-agent post-mortem within 7 days. Lessons are codified into new SIGIL detection patterns, new red-line invariants, or new BFT policy. Public minutes (OSA s7 redacted) published at csoai.org/bft-minutes. PIR emits sigil_incident_post_mortem_v1 with root cause, contributing factors, and corrective actions.
UK GDPR Article 33 requires 72-hour breach notification to ICO for personal-data incidents. NCSC requires early-warning within 24h for CNI incidents. JSP 440 requires 14-day formal report for defence incidents. Each disclosure emits sigil_incident_disclosed_v1 with recipient, timestamp, and disclosed-content-hash.
SEV1 and SEV2 containment actions require 23/33 BFT quorum within 30 minutes. SEV3 containment actions require 17/33 BFT quorum. SEV4 containment actions are auto-executed by the on-call agent and ratified at the next BFT Friday session. The human-owner seat (Nick) has veto power at any time but cannot unilaterally authorize containment — that requires BFT to prevent compromised-owner griefing.
| Action | Code | Quorum | Effect |
|---|---|---|---|
| MCP quarantine | q_mcp | 17/33 | Drop MCP from federation, revoke attestation |
| Key rotation | rotate_keys | 23/33 | Rotate Ed25519 signing + AES escrow keys |
| Agent quarantine | q_agent | 17/33 | Kill MLX runtime, freeze agent identity |
| Region quarantine | q_region | 23/33 | Route traffic around region, freeze region |
| Full lockdown | lockdown | 27/33 | All MCPs offline, only human override active |
| Escrow veto | escrow_veto | 23/33 | Block data release to legal authority |
DEFONEOS ingests threat intelligence exclusively from UK sovereign sources: NCSC's Cyber Security Information Sharing Partnership (CiSP), NCSC's Active Cyber Defence feeds, the Cyber Defence Alliance (CDA — UK banks + NCSC), and peer DEFONEOS operators via the federation discovery protocol. No US feeds (Mandiant, CrowdStrike, Microsoft Threat Intelligence) are ingested. No commercial threat-intel APIs are called.
IoCs are stored as SIGIL-anchored detection patterns with Ed25519 signature from the source. Each pattern has: source ID, IoC type (hash/IP/domain/yara/sigma), confidence (0-1), expiry timestamp, and source attestation. Patterns older than 90 days are auto-retired unless refreshed by the source.
{
"pattern_id": "ciSP-2026-APT29-C2-7842",
"source": "ncsc.cisp",
"type": "network_indicator",
"value": "*.apt29-c2.example",
"confidence": 0.92,
"valid_from": "2026-07-15T00:00:00Z",
"valid_until": "2026-10-13T00:00:00Z",
"attestation": {
"signer": "ed25519:NCSC-CiSP-PROD-7842",
"signature": "9f3a8b...",
"timestamp": "2026-07-15T00:00:00Z"
},
"severity": "SEV2"
}
Every incident triggers automated forensic capture: (a) memory snapshot of affected process (SIGIL-anchored hash, written to escrow), (b) network capture (PCAP, encrypted, rotated every 24h), (c) SIGIL ledger excerpt from incident window, (d) BFT vote records from emergency session, (e) human override log if invoked. All artefacts are written to the sovereign data escrow with RFC3161 timestamp and 7-year retention.
The evidence chain is admissible in UK courts under Section 7 OSA (Operational Selection Orders) and Section 3 RIPA if properly redacted. The human-owner report (unredacted) is retained privately for owner audit purposes.
The DEFONEOS war-room is a Slack channel + PagerDuty UK + Signal group. SEV1 alerts trigger a 3-way page (human-owner + 2 BFT agents) within 60 seconds. The war-room is sovereign-only — no US collaboration tools (Slack Enterprise Grid with US data residency rejected, Microsoft Teams with US data residency rejected). Open-source sovereign alternatives only: Element/Matrix self-hosted on Oracle UK-South, PagerDuty EU residency, Signal with disappearing messages disabled for incident retention.
| Role | Coverage | Response SLA |
|---|---|---|
| Human owner (Nick) | 24/7 | 5 min ack for SEV1 |
| BFT emergency agent (rotating) | 24/7 | 2 min ack for SEV1 |
| BFT council quorum (33 agents) | Friday routine + on-demand emergency | 30 min quorum for SEV1 |
| Sovereign legal counsel | Business hours UK + on-call | 2 hr ack for SEV1 disclosure |
DEFONEOS incident response capability is operational. 0 incidents in the last 30 days. MTTA observed: 47 seconds (target ≤5 min). MTTR observed: 11 minutes (target ≤30 min). 33-agent BFT council on standby with rotating on-call coverage. Sovereign war-room live on Oracle UK-South. Threat-intel feeds ingested from NCSC CiSP (UK-only). Forensic capture pipeline active with 7-year retention. 5 named anti-patterns with automatic quarantine. 7 immutable red lines including: human always wins, no US SIEM/SOAR, no unverified restore, mandatory disclosure, mandatory BFT quorum for SEV1/SEV2.