SOC
Connected
3 incidents2 analysts--:--:-- UTC
CriticalAssist + approval
Prompt injection triggered a privileged SaaS tool chain.
A retrieved document attempted to override agent policy, enumerate customer records, and send the result through an approved support workflow.
03:42
Dwell
74%
AI
Attack Graph
Customer data workspace, support automation, OAuth grantTelemetry
Prompt/context
High fidelity
Tool calls
Logged
Identity path
Correlated
Data movement
Contained
Response Actions
Summarize incident
AI can generate case summary and timeline.
Done
Disable OAuth grant
Analyst confirms before access change.
Delete retrieved document
AI cannot destroy evidence.
Blocked
Vulnerability Queue
IDAssetRiskAction
LLM01Support RAG corpusPrompt injectionQuarantine source
LLM06CRM export toolExcessive agencyScope permissions
MCP2Automation connectorScope creepRotate token
Event Log
00:00
Context ingestion
Hidden instruction detected in retrieved support article.
00:49
Tool request
Agent requested customer export outside approved task scope.
01:16
Policy gate
High-impact action held for analyst approval.
03:42
Containment
OAuth grant disabled and evidence package attached to case.