Incident Response Reporting and Communication
Response activities are coordinated with internal and external stakeholders as required by laws, regulations, or policies
Tools for incident response reporting and communication
Hosted MCP servers your agents can use for these controls.
Starter prompts
Paste into Claude Code, Microsoft Copilot, or Codex connected to Tracecat MCP, and build it out together.
Notify stakeholders when incidents are declared
Build me a notification automation in Tracecat. When an incident is declared, notify by a severity matrix: the response channel always, engineering leads at high severity, and executives at critical. Send through Slack and Teams, page named roles through PagerDuty, track who acknowledged, and re-ping non-responders on a timer. First help me understand how this maps to RS.CO-02 and why notification matrices should be agreed before incidents, not improvised during them. Ask me who must know at each severity, including any external parties with contractual notice rights. Talk me through keeping the matrix current as people change roles.
Draft regulator and customer notices
Build me a notification drafting workflow in Tracecat. When an incident is flagged as reportable, start the regulatory clock, and have an agent draft the notices from confirmed case facts only: regulator format from our Notion templates, plus the customer version in plain language. Hold every draft for legal approval in the case before anything sends through Gmail. First help me understand how this maps to RS.CO-02 and which notification deadlines apply to us, like the common 72-hour windows. Ask me which regulations and contracts create notice obligations for us. Talk me through how the agent should mark unconfirmed facts so drafts never overstate what we know.
Share indicators with trusted partners
Build me an intel sharing workflow in Tracecat. When an incident closes, have an agent extract the shareable indicators, strip anything that identifies us or our customers, format the package for our sharing community, and hold it for my approval before posting. Log what was shared, with whom, and under what marking. First help me understand how this maps to RS.CO-03 and how traffic light protocol markings govern what we can share. Ask me which sharing communities we belong to. Talk me through the sanitization rules the agent must never violate.
Controls
- RS.CO-02: IR-4, IR-6, IR-7, SR-3, SR-8
Internal and external stakeholders are notified of incidents
- RS.CO-03: IR-4, IR-6, IR-7, SR-3, SR-8
Information is shared with designated internal and external stakeholders
Control text and SP 800-53 Rev 5 references from the official NIST CSF 2.0 and OLIR releases.
Automate incident response reporting and communication with agents
Paste an example into your coding assistant and an agent builds the automation around your tools.