🤖 AI Summary
Enterprise incident response is often delayed due to reliance on static playbooks and manual analysis. This work proposes the first supervised automated response system that integrates a multi-agent architecture with security ontologies—namely MITRE ATT&CK, D3FEND, and NIST CSF 2.0—to enable structured, low-risk, and auditable response workflows. The system employs role-based agents, a Planner-Validator closed-loop for action verification, and a Moderator gateway for security oversight. It incorporates an action catalog with risk scoring and maintains an append-only audit log for full traceability. Evaluated on a test set of 120 incidents, the system improves the FP-aware IRS F1 score from 0.61 to 0.84 and reduces harmful actions to 0.0%, substantially outperforming static baselines.
📝 Abstract
Enterprise intrusion response still depends on static playbooks and analyst-driven triage, creating delay between alert generation and containment. We present Agentra, a supervisable multi-agent Intrusion Response System (IRS) framework that converts alerts from IDS, EDR, and XDR platforms into structured incident response plans grounded in MITRE ATT&CK, MITRE D3FEND, and NIST CSF 2.0. Agentra decomposes response reasoning across role-scoped agents, validates proposed plans through a bounded Planner--Validator review loop, screens retrieved threat intelligence through a Moderator security gateway, gates actions through an Action Catalog and risk score, and records decisions in an append-only audit log. We evaluate Agentra against a static OASIS CACAO v2.0 cyber-playbook baseline on a 120-event corpus drawn from ThreatHunter-Playbook, Splunk BOTSv3, and DARPA OpTC. The strongest configuration improves FP-aware IRS F1 from 0.61 to 0.84 and restores the projected harmful-action rate to the static baseline level of 0.0% after Planner-only configurations introduce unsafe overreaction. These results indicate that multi-agent response planning can improve ontology-grounded IRS coverage while preserving analyst approval and auditability.