Tracecat
Respond
RS.MA

Incident Management

Responses to detected cybersecurity incidents are managed

Tools for incident management

Hosted MCP servers your agents can use for these controls.

Starter prompts

Paste one into Claude Code, Microsoft Copilot, or Codex connected to Tracecat MCP, and build it out together.

Triage and validate incident reports

Build me an incident intake workflow in Tracecat. Accept reports from the security inbox in Gmail, a Slack shortcut, and tool webhooks. Have an agent validate each report, dedupe it against open cases, fill the required case fields, and close obvious false alarms with a polite explanation to the reporter. Everything else becomes a case in the triage queue. First help me understand how this maps to RS.MA-02 and why validation before assignment protects the on-call analyst. Ask me what minimum fields a workable case needs. Talk me through which false-alarm patterns are safe to auto-close.
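The intake logic the prompt describes (validate first, then dedupe against open cases, then auto-close only patterns on a reviewed list) looks like this in plain Python. This is an added illustration, not Tracecat's own code or output: the required fields, the false-alarm patterns, the fingerprint scheme and the open-case lookup are all assumptions chosen for the example.

```python
"""Incident intake: validate, dedupe, auto-close (illustration, not Tracecat code)."""
from __future__ import annotations

import hashlib
import re
from dataclasses import dataclass, field

# Minimum fields a workable case needs (assumption; the prompt asks you to
# agree these with the on-call team).
REQUIRED_FIELDS = ("reporter", "source", "summary", "observed_at")

# Patterns considered safe to auto-close (assumption). Each is a regex over the
# normalised summary. Keep the list short and reviewed: every entry is a
# report nobody will look at.
SAFE_FALSE_ALARM_PATTERNS = (
    re.compile(r"^phishing test .* from security awareness$"),
    re.compile(r"^authorized vulnerability scan .*$"),
)


@dataclass
class Report:
    reporter: str
    source: str  # "gmail", "slack" or "webhook"
    summary: str
    observed_at: str
    indicators: list[str] = field(default_factory=list)


@dataclass
class Decision:
    action: str  # "reject", "merge", "auto_close" or "open_case"
    reason: str
    fingerprint: str = ""
    matched_case: str | None = None


def normalise(text: str) -> str:
    """Lower-case and collapse whitespace so trivially different reports match."""
    return re.sub(r"\s+", " ", text.strip().lower())


def fingerprint(report: Report) -> str:
    """Stable dedupe key: source plus sorted, normalised indicators.

    Reports without indicators fall back to the normalised summary; otherwise
    every indicator-less report from one source would collide.
    """
    keys = sorted(normalise(i) for i in report.indicators) or [normalise(report.summary)]
    return hashlib.sha256("|".join([report.source, *keys]).encode()).hexdigest()[:16]


def validate(report: Report) -> list[str]:
    """Return the required fields that are missing or blank."""
    return [f for f in REQUIRED_FIELDS if not getattr(report, f, "").strip()]


def triage(report: Report, open_cases: dict[str, str]) -> Decision:
    """Validate, dedupe, then decide. open_cases maps fingerprint -> case id."""
    missing = validate(report)
    if missing:
        return Decision("reject", "missing fields: " + ", ".join(missing))
    fp = fingerprint(report)
    if fp in open_cases:
        return Decision("merge", "duplicate of an open case", fp, open_cases[fp])
    summary = normalise(report.summary)
    for pattern in SAFE_FALSE_ALARM_PATTERNS:
        if pattern.search(summary):
            return Decision("auto_close", f"matched safe pattern {pattern.pattern!r}", fp)
    return Decision("open_case", "new report, queued for triage", fp)
```

Validation runs before anything else so a half-filled report never reaches the queue, and the auto-close list is an explicit allowlist rather than a free-form judgement, which is what makes the closures auditable.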

Categorize and prioritize incidents

Build me a case classification automation in Tracecat. When a case enters triage, have an agent read the evidence, set the incident category from our taxonomy, and score priority from asset criticality, data sensitivity, and spread. Route the case to the owning queue, and page through PagerDuty when priority crosses our threshold. First help me understand how this maps to RS.MA-03 and how a consistent taxonomy improves both response and reporting. Ask me what categories and priority levels we use today. Talk me through auditing the agent's classifications so trust builds over time.

Escalate incidents on clear criteria

Build me an escalation automation in Tracecat. Encode our escalation criteria (priority level, blast radius, regulated data, or response time exceeded); when a case meets any one of them, open an Incident.io incident, page the incident commander through PagerDuty, and post the case summary with the timeline so far. Record which criterion triggered the escalation on the case. First help me understand how this maps to RS.MA-04 and why escalation criteria should be decided before the bad day, not during it. Ask me who can declare an incident and who must be told. Talk me through de-escalation when the trigger turns out to be wrong.
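The classification and escalation prompts above share one pipeline: score priority from asset criticality, data sensitivity and spread, page when the priority crosses a threshold, then test the escalation criteria in a fixed order and record which one fired so that de-escalation leaves a trail. The code below is an added illustration of that logic, not Tracecat's own code; the four-level scale, the scoring weights, the paging threshold, the escalation limits and the sample cases are assumptions chosen for the example.

```python
"""Prioritise and escalate a case (illustration, not Tracecat code)."""
from __future__ import annotations

from dataclasses import dataclass, field

# Assumed four-level scale used for both asset criticality and data sensitivity.
LEVELS = {"low": 1, "medium": 2, "high": 3, "critical": 4}
PRIORITY_BANDS = ((4, "P1"), (3, "P2"), (2, "P3"), (0, "P4"))  # minimum score -> label
PRIORITY_ORDER = ("P4", "P3", "P2", "P1")
PAGE_AT_OR_ABOVE = "P2"  # assumed paging threshold

# Assumed escalation criteria. Checked in this order; the first match is the
# recorded trigger.
MAX_HOSTS_BEFORE_ESCALATION = 10
RESPONSE_SLA_MINUTES = {"P1": 15, "P2": 60}


@dataclass
class Case:
    case_id: str
    asset_criticality: str
    data_sensitivity: str
    affected_hosts: int
    regulated_data: bool = False
    minutes_open: int = 0
    priority: str = ""
    escalation_trigger: str | None = None
    history: list[str] = field(default_factory=list)


def score_priority(case: Case) -> str:
    """Worst of asset and data level, bumped one step when more than one host is involved."""
    base = max(LEVELS[case.asset_criticality], LEVELS[case.data_sensitivity])
    spread = 1 if case.affected_hosts > 1 else 0
    score = min(base + spread, 4)
    for minimum, label in PRIORITY_BANDS:
        if score >= minimum:
            return label
    return "P4"


def should_page(priority: str) -> bool:
    return PRIORITY_ORDER.index(priority) >= PRIORITY_ORDER.index(PAGE_AT_OR_ABOVE)


def escalation_trigger(case: Case) -> str | None:
    """Return the name of the first escalation criterion the case meets, or None."""
    if case.priority == "P1":
        return "priority_level"
    if case.affected_hosts > MAX_HOSTS_BEFORE_ESCALATION:
        return "blast_radius"
    if case.regulated_data:
        return "regulated_data"
    sla = RESPONSE_SLA_MINUTES.get(case.priority)
    if sla is not None and case.minutes_open > sla:
        return "response_time_exceeded"
    return None


def process(case: Case) -> Case:
    """Classify, page if needed, escalate if a criterion matches; everything lands in history."""
    case.priority = score_priority(case)
    case.history.append(f"classified {case.priority}")
    if should_page(case.priority):
        case.history.append("paged on-call")
    trigger = escalation_trigger(case)
    if trigger is not None:
        case.escalation_trigger = trigger
        case.history.append(f"escalated: {trigger}")
    return case


def de_escalate(case: Case, reason: str) -> Case:
    """Clear the trigger but keep the record: the timeline must show the reversal, not erase it."""
    if case.escalation_trigger is None:
        return case
    case.history.append(f"de-escalated ({case.escalation_trigger}): {reason}")
    case.escalation_trigger = None
    return case
```

Keeping the criteria as an ordered list of named checks is what lets the case carry a single, auditable trigger, and it is also what makes the agent's classifications reviewable: disagreements can be traced to one rule rather than to an opaque score.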

Apply recovery initiation criteria

Build me a recovery gate in Tracecat. For active incidents, track the recovery criteria as case tasks: containment confirmed, root cause known well enough, and eradication verified. When all pass, notify the incident commander in Slack that recovery can begin, kick off the recovery checklist, and record the decision and timestamp on the case. First help me understand how this maps to RS.MA-05 and why starting recovery before eradication is verified risks reinfecting the environment. Ask me who owns the recovery decision today. Talk me through which criteria can be machine-verified and which need human sign-off.

Controls

  • RS.MA-01
    IR-6
    IR-7
    IR-8
    SR-3
    SR-8

    The incident response plan is executed in coordination with relevant third parties once an incident is declared

  • RS.MA-02
    IR-4
    IR-5
    IR-6

    Incident reports are triaged and validated

  • RS.MA-03
    IR-4
    IR-5
    IR-6

    Incidents are categorized and prioritized

  • RS.MA-04
    IR-4
    IR-5
    IR-6
    IR-7

    Incidents are escalated or elevated as needed

  • RS.MA-05
    IR-4
    IR-8

    The criteria for initiating incident recovery are applied

Control text and SP 800-53 Rev 5 references from the official NIST CSF 2.0 and OLIR releases.

Automate incident management with agents

Paste an example into your coding assistant and an agent builds the automation around your tools.
