Template: Incident Response Runbook for Agent Misbehavior and Data Leaks

Hook: When an autonomous agent goes rogue, minutes cost millions

Context switching, fragmented tooling, and the rise of agentic AI in 2026 mean security teams now face fast-moving incidents where an autonomous agent or assistant exfiltrates data, performs unauthorized actions, or abuses privileges. You need a runbook you can apply immediately — not theory. This runbook is a ready-to-use, production-ready incident response playbook for agent misbehavior and data leaks, tailored for modern environments: multi-tenant SaaS, SSO/IdP, containerized microservices, and hybrid cloud.

Top-line summary (inverted pyramid)

If an agent misbehaves or you suspect a data leak, follow these prioritized steps now:

1. Triage: Confirm scope and severity (5–15 min).
2. Containment: Isolate agent, revoke tokens, block egress (15–60 min).
3. Eradication: Remove malicious logic, roll back configs, rotate keys (hours).
4. Recovery: Re-deploy validated agent image and restore access (hours–days).
5. Postmortem & compliance: Document, notify stakeholders, implement preventative controls (days–weeks).

Why this matters in 2026

The rapid adoption of agentic capabilities — from desktop agents with filesystem access to commercial assistants integrated across e‑commerce and enterprise workflows — increases the attack surface. In late 2025 and early 2026 we’ve seen:

• Desktop agent previews (Anthropic Cowork) requesting local access to files and apps, increasing risk of accidental/exfiltration events.
• Major vendors (Alibaba Qwen, others) shipping "agentic" features that perform multi-step real-world actions, widening privilege boundaries.
• Government and enterprise uptake of FedRAMP‑level AI platforms, highlighting strict compliance and rapid response obligations.

That combination means your incident response runbook must span device, identity, cloud, and application layers — and be automated where possible.

Incident types covered

• Agent reads or exfiltrates sensitive files (PHI, PII, IP).
• Agent performs unauthorized API calls or financial actions.
• Agent leaks data to external endpoints (HTTP/S, cloud storage, Slack).
• Agent uses compromised keys or escalates privileges within your environment.

Severity and priority matrix

Use this matrix to assign severity quickly. Document severity in the incident ticket and follow the corresponding SLA.

• Critical (S1): Confirmed exfiltration of regulated data or agent-initiated destructive actions affecting production customers. Exec notification and legal required.
• High (S2): Unauthorized data access with limited exposure, or agent running expensive queries/commands with potential impact.
• Medium (S3): Reproducible misbehavior in a non-production sandbox or single-user scope.
• Low (S4): Behavioral anomaly without data access or clear impact.

Who to notify (stakeholders & RACI)

Prepare a compact RACI for speed. Below is a sample mapping you can copy into your incident tool.

• Incident Commander (IC) — Responsible: Security lead (24/7 on-call).
• Agent Owner — Accountable: Product/engineering owner for the agent.
• Platform Ops — Responsible: Cloud/K8s/SRE to perform containment actions.
• Identity/Access — Responsible: IAM/SSO team to revoke tokens and assess SSO scopes.
• Legal & Compliance — Consulted: For PII/regulated data and notification obligations.
• PR/Customer Success — Informed: For customer-facing communication where appropriate.

Immediate triage checklist (first 15 minutes)

Copy this checklist verbatim into your ticket tool. The aim is to confirm impact and stop additional damage.

1. Record timestamps and who reported the incident.
2. Identify the agent: service name, version, image digest, and deployment ID.
3. Capture initial evidence: logs, request IDs, audit trail entries, session tokens.
4. Determine scope: affected tenants/users; data classes involved (PII, IP, PHI).
5. Set severity using the matrix above.
6. Appoint Incident Commander and actor roles in the ticket.

Containment playbook (15–60 minutes)

Containment should be decisive and reversible. Prefer isolation over destructive actions initially.

1) Network and egress controls

• Apply emergency ACLs to block agent outbound traffic to unknown IPs/domains.
• If using a cloud NAT or proxy, disable outbound for the agent's subnet or container group.

2) Identity and token revocation

Revoke tokens and disable agent service principals. Examples:

# Revoke OAuth refresh tokens via Identity Provider (example using Keycloak/OpenID)
curl -X POST "https://idp.example.com/auth/realms/prod/protocol/openid-connect/revoke" \
  -u "client-id:client-secret" \
  -d "token=" 

# AWS: remove IAM role permissions (example using AWS CLI)
aws iam detach-role-policy --role-name AgentRole --policy-arn arn:aws:iam::aws:policy/AdministratorAccess

# Kubernetes: evict or cordon agent pods
kubectl -n agents scale deployment agent-service --replicas=0

3) Agent process isolation

• Quarantine the specific agent instance: stop the process, freeze the VM, snapshot disk for forensic analysis.
• For desktop agents, instruct user to disconnect network and collect memory image if possible.

4) Data access remediations

• Rotate exposed keys and secrets; invalidate API keys used by the agent.
• Revoke temporary credentials (e.g., AWS STS tokens) associated with the agent session.

Containment automation: sample playbook (yaml)

name: agent-incident-containment
steps:
  - name: snapshot-agent-vm
    action: cloud.snapshot
    args:
      instance_id: ${agent.instance_id}
  - name: revoke-idp-tokens
    action: idp.revoke_tokens
    args:
      user: ${agent.service_principal}
  - name: block-egress
    action: network.apply_acl
    args:
      subnet: ${agent.subnet}
      rule: deny all outbound
  - name: scale-down-deployment
    action: kubernetes.scale
    args:
      namespace: agents
      deployment: agent-service
      replicas: 0

Evidence collection & forensics

Collect artifacts before changing state where feasible. Prioritize:

• Agent logs (stdout/stderr), application traces, request/response payloads.
• Audit logs from IdP (SSO), cloud provider (CloudTrail/Azure Activity Log), and SIEM alerts.
• Network captures (PCAP) if egress destinations unknown; DNS query logs.
• Container images & digests, git commits for agent code, and runtime environment variables.

Preserve integrity: use read-only snapshots, hash files (SHA-256), and maintain a chain-of-custody log.

Eradication and remediation (hours)

• Patch or replace the agent binary with a verified image; revert to a known-good configuration.
• Implement least-privilege policies: reduce agent IAM scopes to minimal required permissions.
• Harden data stores: enable row/field-level encryption, tokenization, and strict RBAC.
• Improve validation: add stricter input/output filters, content classification, and DLP policies at the agent boundaries.

Recovery and validation

Restore service gradually with validation gates:

1. Deploy agent into a canary namespace with simulated traffic and enhanced logging.
2. Run automated E2E tests that include security scenarios and negative tests.
3. Perform an independent code review and behavioral test harnessing (fuzzing prompts and inputs).
4. Only promote to production when the IC, security lead, and product owner sign off.

Postmortem template (ready-to-use)

Use the template below for a blameless postmortem. Fill each section and include links to artifacts and timelines.

Title: [Short descriptive title]
Severity: [S1/S2/...]
Detection time: [UTC timestamp]
Containment time: [UTC timestamp]
Recovery time: [UTC timestamp]
Duration: [total hours/minutes]

Summary:
  - One-paragraph summary of what happened and impact.

Timeline:
  - [timestamp] Event description (log IDs, request IDs)
  - ...

Root cause analysis:
  - Contributing factors (code bug, misconfiguration, excessive privileges, poor input validation)

Actions taken (immediate):
  - List

Long-term remediation (owners & due dates):
  - [Action] — Owner — Due date

Communication log:
  - Internal notifications, customer notifications, regulator notifications (if any)

Lessons learned & follow-ups:
  - [Concrete changes to make]

Regulatory & customer communication guidance

If regulated data is involved, follow legal counsel guidance. Typical steps:

• Notify senior executives and legal within the hour for S1 incidents.
• Prepare a concise customer notification template (see below) and a FAQ for support teams.
• If required by law (e.g., GDPR, HIPAA), prepare notifications within statutory windows; document timelines.

Example customer notification (short): "On [date/time] we detected unauthorized activity by an automated service. We contained the incident and are investigating; no customer action is required at this time. We will notify affected customers if any regulated data is confirmed exposed."

Preventative controls and scaling considerations

Agent risks are systemic. Build these controls to scale securely across tenants.

• Multi-tenant segmentation: enforce strong tenant isolation at storage, runtime, and network layers. Use per-tenant encryption keys and KMS access controls.
• SSO & authorization: implement short-lived tokens, enforce MFA for agent service accounts that can access sensitive data, and adopt continuous token revocation patterns.
• Automated backups & immutable logs: immutable append-only audit logs (WORM) and automated backups that are tested regularly for recovery integrity.
• Runtime attestation: use signed images (sigstore/Cosign), hardware attestation or workload identity to ensure only validated agent code runs.
• Data exfiltration prevention: inline DLP, egress filtering, and strict outbound rules for agent workloads.

Monitoring queries & detection rules (examples)

Deploy these example SIEM rules and metrics to detect agent misbehavior fast.

Elastic/SIEM example (pseudo-query)

# Detect large outbound uploads from agent containers
index=network_logs sourcetype=proxy
| where source_container_name="agent-service"
| stats sum(bytes_out) as total_out by dest_domain, dest_ip
| where total_out > 50000000

CloudTrail/CloudWatch (AWS example)

# CloudWatch alarm for high-rate PutObject to external S3 buckets
Filter: eventName = PutObject AND userIdentity.sessionContext.sessionIssuer.userName = "agent-service"

Playbook snippets for common containment tasks

Keep these snippets in your runbook for on-call engineers.

Revoke GitHub Actions tokens used by agent

# Using GitHub API to revoke a token (replace TOKEN_ID and ORG)
curl -X DELETE -H "Authorization: token ${ADMIN_TOKEN}" \
  https://api.github.com/orgs/ORG/actions/runners/INSTANCES/TOKEN_ID

Invalidate API keys in your key store (example for Vault)

vault kv put secret/agent/keys status=revoked

Real-world example (short case study)

In December 2025 a fintech startup running an agent-driven reconciliation service detected abnormal outbound HTTP requests from an agent container. Using the runbook above they:

1. Identified the container and blocked egress via network ACLs (10 minutes).
2. Revoked the service principal via their IdP and rotated exposed keys (30 minutes).
3. Captured container snapshot for forensics and redeployed a signed image after a code patch and least-privilege IAM change (6 hours).

Outcome: no confirmed customer data exfiltration, faster remediation due to pre-scripted token revocation and automated canary deployments. This mirrors the operational lessons organizations learned from agentic rollouts across 2025–2026.

Checklist to add to your runbook now

• Predefine S1 on-call list and escalation policy for agent incidents.
• Store automated revocation scripts in a secure runbook repo accessible to on-call.
• Maintain signed agent images and enforce image policies via CI/CD.
• Document tenant-specific contact points and legal notification requirements.

Post-incident: measuring ROI and improvements

Track these KPIs to demonstrate productivity and risk reduction to leadership:

• Mean time to detect (MTTD) and mean time to contain (MTTC) for agent incidents.
• Number of incidents prevented by automated revocation or egress rules.
• Reduction in exposed credentials or privilege escalation events.

Appendix: quick templates

Incident ticket fields

• Title, severity, IC, agent service name & version, affected tenants, impacted data types, initial detection source, evidence links, containment actions taken, follow-ups.

Customer notification (short)

We detected unauthorized activity by an automated service on [date]. We contained the incident and are investigating. We will notify customers directly if any of their data is confirmed exposed. For immediate questions contact [support contact].

Final recommendations (actionable takeaways)

1. Prebuild automation: Store emergency playbooks that revoke tokens, block egress, and snapshot environments.
2. Limit privileges: Run agents with the minimum required permissions and adopt short-lived credentials.
3. Instrument and monitor: Add DLP and behavioral rules specific to agent patterns in your SIEM and network stack.
4. Practice: Run tabletop drills and simulated agent incidents quarterly; update runbooks with lessons learned.

Call to action

Need a pre-configured incident response bundle for agentic AI you can deploy across tenants today? Download our production-ready runbook templates, automation snippets, and detection rules — or schedule a workshop with our team to integrate them into your SSO, CI/CD, and monitoring pipelines.

Related Reading

• Emergency Commuter Jewelry Kit: What to Carry if You Ride an E‑Bike or Use a Home Gym
• Privacy, Accuracy, and Explainability: The Three Pillars of Age Detection for Startups
• Headphones as a Winter Accessory: Pairing Noise-Canceling Headphones with Coats and Hats
• When to Say No to a New App: Decision Rules for Teachers and Principals
• How New YouTube Monetization Rules Could Change Reporting on Sensitive Topics