AS-301h · Module 1

Cross-Agent Incident Coordination


An incident that affects a single agent is contained by isolating that agent. An incident that affects multiple agents — a shared model compromise, a supply chain attack, a coordinated injection campaign — requires coordination across agent boundaries. Cross-agent incidents are more complex because containment of one agent may not contain the threat, and investigation must span multiple log sources simultaneously.

  1. Scope Determination: When an incident is detected on one agent, immediately check whether other agents show related indicators. Did the compromised model serve multiple agents? Did the injection vector reach multiple input channels? Is the attack targeting a shared dependency? Scope determination within the first 15 minutes prevents under-containment.
  2. Coordinated Containment: If multiple agents are affected, containment must be coordinated — all affected agents are contained simultaneously. Sequential containment allows an attacker to pivot from the first contained agent to a still-active one. Coordinated containment requires pre-mapped dependency chains that identify which agents share models, services, and credentials.
  3. Unified Investigation: Cross-agent investigations merge log data from all affected agents into a single timeline. The incident commander correlates events across agents to reconstruct the attack chain. A fragmented investigation — where each agent is investigated separately — misses the connections between events that reveal the full scope.
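The three steps above, carried through as an added Python example (this is illustration written for this module, not course or vendor code). The dependency map, the agent names, the log lines and the `INJ-7f3a` indicator are all constructed; a real deployment would populate the map from its own inventory and feed the timeline from its own log sources.

```python
"""Cross-agent incident coordination: scope, simultaneous containment, unified timeline."""
from collections import defaultdict
from datetime import datetime

# Constructed pre-mapped dependency chain (step 2 says this must exist before the incident).
# Agent names and resource ids are hypothetical.
DEPENDENCIES = {
    "billing-agent":  {"model": "llm-v3", "secret": "kv/shared-api-key", "service": "ticket-api"},
    "support-agent":  {"model": "llm-v3", "secret": "kv/support-key",    "service": "ticket-api"},
    "research-agent": {"model": "llm-v2", "secret": "kv/research-key",   "service": "web-fetch"},
    "ops-agent":      {"model": "llm-v2", "secret": "kv/shared-api-key", "service": "deploy-api"},
    "archive-agent":  {"model": "llm-v1", "secret": "kv/archive-key",    "service": "archive-store"},
}


def blast_radius(detected_agent, deps=DEPENDENCIES):
    """Step 1: every agent reachable from the detected one through a shared model,
    credential or service. Transitive on purpose: a shared credential is a pivot,
    so the agent on the far side of it inherits its own neighbours' exposure.
    Returns agent -> why it is in scope."""
    affected = {detected_agent: "detected"}
    frontier = [detected_agent]
    while frontier:
        current = frontier.pop()
        for other, res in deps.items():
            if other in affected:
                continue
            shared = [f"{kind}:{rid}" for kind, rid in deps[current].items() if res.get(kind) == rid]
            if shared:
                affected[other] = f"{shared[0]} via {current}"
                frontier.append(other)
    return affected


def containment_plan(affected, deps=DEPENDENCIES):
    """Step 2: one action set to execute at the same moment, not agent by agent.
    Shared secrets are rotated once for the whole set; rotating per agent leaves
    the attacker a window on whichever agent is still untouched."""
    agents = sorted(affected)
    return {
        "isolate_now": agents,
        "rotate_secrets": sorted({deps[a]["secret"] for a in agents}),
        "quarantine_models": sorted({deps[a]["model"] for a in agents}),
    }


# Constructed per-agent logs: "<utc timestamp> <event> key=value ...".
RAW_LOGS = {
    "billing-agent": [
        "2024-05-01T10:02:10Z prompt_in src=email indicator=INJ-7f3a",
        "2024-05-01T10:02:14Z tool_call name=transfer_funds indicator=INJ-7f3a",
    ],
    "support-agent": [
        "2024-05-01T10:01:50Z prompt_in src=ticket indicator=INJ-7f3a",
        "2024-05-01T10:05:00Z model_reload version=llm-v3",
    ],
    "ops-agent": [
        "2024-05-01T10:03:30Z secret_read name=kv/shared-api-key",
    ],
}


def parse_line(agent, line):
    """Parse one constructed log line into a flat event record tagged with its agent."""
    ts, event, *kvs = line.split()
    fields = dict(kv.split("=", 1) for kv in kvs)
    return {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), "agent": agent, "event": event, **fields}


def unified_timeline(raw_logs=RAW_LOGS):
    """Step 3: merge every agent's log into one timeline ordered by time, then agent."""
    events = [parse_line(agent, line) for agent, lines in raw_logs.items() for line in lines]
    return sorted(events, key=lambda e: (e["ts"], e["agent"]))


def correlate(timeline, key="indicator"):
    """Indicators seen on more than one agent; these are the cross-agent links a
    per-agent investigation would never surface. Returns indicator -> agents."""
    seen = defaultdict(set)
    for e in timeline:
        if key in e:
            seen[e[key]].add(e["agent"])
    return {ind: sorted(agents) for ind, agents in seen.items() if len(agents) > 1}


if __name__ == "__main__":
    scope = blast_radius("billing-agent")
    for agent, reason in scope.items():
        print(f"{agent:15} {reason}")
    print(containment_plan(scope))
    for e in unified_timeline():
        print(e["ts"].isoformat(), e["agent"], e["event"])
    print(correlate(unified_timeline()))
```

Run it and the scope for `billing-agent` pulls in `ops-agent` through the shared credential and then `research-agent` through the model it shares with `ops-agent`, while `archive-agent` stays out because it shares nothing; the containment plan isolates those four at once and rotates each of their secrets once. The merged timeline puts `support-agent`'s `prompt_in` first, ahead of the billing event that raised the alert, and the correlation step ties both agents to the same indicator.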