The action layer (Playbook Engine in motion). A kanban-style board drives each incident through the response lifecycle: active playbook, open actions, SLA breaches (overdue), closures and post-remediation tests. The hard rule: no action closes without validation; proof is required that the fix actually works.
due_at deadlines and statuses on this page are illustrative (demo). They do not reflect real response operations. The status lifecycle and the validation rule are production doctrine; the data is simulated.
Containing a threat (contained) is not the same as fixing it (remediated), and a fix is not the same as confirming its effectiveness (verified). Only a verified state with an attached evidence_id allows a transition to closed.
| action_id | incident | action_type | owner | status | due_at | evidence_id |
|---|---|---|---|---|---|---|
| ACT-7712 | INC-2044 | host isolation | SOC-2 | triage | 2026-07-04 10:00 | – |
| ACT-7708 | INC-2044 | credential reset | IAM | contained | 2026-07-04 11:30 | EVD-5111 |
| ACT-7695 | INC-2039 | patch / update | NetSec-1 | overdue | 2026-07-04 06:00 | – |
| ACT-7690 | INC-2039 | IOC block (WAF) | SOC-1 | overdue | 2026-07-03 22:00 | – |
| ACT-7682 | INC-2044 | NIS2 72h report | Legal | overdue | 2026-07-03 18:00 | – |
| ACT-7640 | INC-2010 | webshell removal | SOC-lead | closed | 2026-07-02 14:00 | EVD-5077 |
| TST-3120 | INC-2039 | vulnerability re-scan | DevSecOps | verified? | 2026-07-04 16:00 | pending |
| TST-3116 | INC-2001 | DR / restore test | Ops | verified? | 2026-07-04 18:00 | pending |
status ∈ {open, triage, contained, remediated, verified, closed}. The transition to closed is blocked until the evidence_id column points to remediation proof in CONFIRMED status (see Evidence Board).
due_at is set by priority (P0 ≤ 4h, P1 ≤ 24h, P2 ≤ 72h, P3 7–30 days).

```javascript
// SIMULATION: the closure gate for a response action (demo logic from the board).
// evidence(id) resolves an evidence_id against the Evidence Board; the single
// entry below is constructed demo data so the function runs stand-alone.
const EVIDENCE = { "EVD-5111": { status: "CONFIRMED", confidence: 90 } };
function evidence(id) { return EVIDENCE[id]; }

function canClose(action) {
  if (action.status !== "verified") return false; // no test = no closure
  const evd = evidence(action.evidence_id);
  if (!evd || evd.status !== "CONFIRMED") return false; // remediation proof required
  if (evd.confidence < 75) return false; // proof must be strong (score threshold)
  if (action.type === "legal_report" && !action.filed_receipt)
    return false; // regulator report = filing confirmation required
  return true; // only now → closed
}
```
An action past its due_at automatically lands in the "Overdue" column and raises managerial priority.
Source of actions: every playbook step generates an entry in response_actions.
Closure validation inherits from the remediation proof (CONFIRMED evidence_id).
"Regulator report" actions carry a deadline and require a filing confirmation.
DR/backup tests close the resilience loop after an incident.
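The lifecycle rules above (ordered statuses, closure gated on CONFIRMED proof, due_at derived from priority, "overdue" as a board column rather than a state) as one runnable model. This is an added example, not code from the page or the Playbook Engine; the transition table, SLA hours, the field names action_type and filed_receipt, and the evidence objects are assumptions modelled on the board.

```javascript
// Added example (not the page's own code): the action lifecycle as an explicit
// state machine. Transition table and SLA hours are assumptions from the board.
const TRANSITIONS = {
  open: ["triage"], triage: ["contained"], contained: ["remediated"],
  remediated: ["verified"], verified: ["closed"], closed: [],
};
// P3 is given as 7-30 days; the 30-day upper bound is assumed here.
const SLA_HOURS = { P0: 4, P1: 24, P2: 72, P3: 30 * 24 };

// due_at follows from priority, not from the owner's estimate.
function dueAt(openedAt, priority) {
  return new Date(openedAt.getTime() + SLA_HOURS[priority] * 3600 * 1000);
}

// "overdue" is a board column computed from the clock, never a stored status.
function isOverdue(action, now) {
  return action.status !== "closed" && now.getTime() > action.due_at.getTime();
}

function boardColumn(action, now) {
  return isOverdue(action, now) ? "overdue" : action.status;
}

// Each step must be walked in order (no contained -> closed shortcut); closing
// additionally needs CONFIRMED proof with confidence >= 75, and a regulator
// report needs its filing receipt.
function canTransition(action, next, evd) {
  if (!(TRANSITIONS[action.status] || []).includes(next)) return false;
  if (next !== "closed") return true;
  if (!evd || evd.status !== "CONFIRMED" || evd.confidence < 75) return false;
  if (action.action_type === "legal_report" && !action.filed_receipt) return false;
  return true;
}

// Apply a transition, attaching the proof's id on closure; refuse anything else.
function transition(action, next, evd) {
  if (!canTransition(action, next, evd)) {
    throw new Error(`${action.action_id}: ${action.status} -> ${next} blocked`);
  }
  return { ...action, status: next, evidence_id: evd ? evd.id : action.evidence_id };
}
```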