🛡️ Security Operations

Keep your SOC agents from making things worse

AI-driven SOAR and threat response agents can act faster than any human — but an unchecked agent blocking the wrong endpoint or wiping the wrong host is a bigger incident than the one it was trying to stop. Kynara enforces analyst approval before any containment or remediation action.

  • SOAR agent governance
  • Mandatory analyst approval
  • SIEM webhook integration
  • Tamper-evident incident log
  • Anomaly detection
The risk

Autonomous response without guardrails

Without Kynara
  • SOAR agent blocks the CEO's laptop as a false positive — no analyst review
  • Threat response agent wipes a server that wasn't actually compromised
  • Agent running on stolen API key performs lateral movement undetected
  • No complete record of which automated action triggered during an incident
  • Agent makes containment decisions based on stale threat intel

With Kynara
  • All containment actions require tier-2 analyst approval with justification
  • Destructive remediation requires senior analyst + MFA regardless of severity
  • Compromised agent key triggers auto-revocation on anomalous deny-rate spike
  • Every automated action hash-chained — complete incident timeline for forensics
  • Context requirements (threat_confidence, ticket_url) enforced before any action
Use cases

SecOps AI agent scenarios

🚨 SOAR automation
Triage and enrichment agents run autonomously. Containment (block IP, isolate host, revoke credentials) always requires analyst approval — no exceptions, regardless of alert severity.

🔍 Threat hunting agents
Agents can query SIEM, EDR, and threat intel feeds freely. Writing signatures, creating detection rules, or modifying firewall configs requires senior analyst approval with a ticket link.

💻 Endpoint response
Allow agents to collect forensic artifacts and run scans. Gate isolation, process kill, and remediation commands behind on-call lead approval and a mandatory incident ID.

🔐 Identity response
Agents can read user activity and session data. Revoking credentials, resetting passwords, or disabling accounts always requires IAM team approval — preventing accidental lockouts.

📡 Network response
IP blocks and firewall rule modifications require approval and must meet a confidence-score threshold. Read operations (query flow logs, scan network) proceed automatically.

📝 Incident documentation
Agents auto-populate incident timelines from the Kynara audit log — every automated action with its context, outcome, and approver is already captured and hash-verified.
Policy example

SOAR containment with approval gates

// Allow enrichment + investigation freely
{ "display_name": "Allow threat intel reads",
  "effect": "allow", "priority": 100,
  "actions": ["siem.query", "edr.read", "threat_intel.lookup"],
  "condition": {} }

// Require analyst approval for containment
{ "display_name": "Require approval for containment",
  "effect": "require_approval", "priority": 200,
  "actions": ["endpoint.isolate", "ip.block", "credentials.revoke"],
  "condition": {} }

// Deny remediation without MFA + high confidence
{ "display_name": "Deny low-confidence remediation",
  "effect": "deny", "priority": 50,
  "actions": ["host.wipe", "service.terminate", "data.delete"],
  "condition": {
    "op": "or",
    "args": [
      { "op": "lt", "args": ["ctx.resource.attrs.threat_confidence", 0.9] },
      { "op": "eq", "args": ["ctx.context.mfa_verified", false] }
    ]
  }}
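To show how the three rules above combine at decision time, here is an added example evaluator (not Kynara's own code) that parses the rules, resolves `ctx.*` paths against a request context, and returns the winning effect. It assumes, since the page does not say, that a lower priority number is evaluated first, that a request matching no rule is denied, and that a condition referencing context the request did not supply fails closed to deny.

```python
import json

# The page's three rules as JSON (the page shows them with // comments, which JSON does not allow).
RULES = json.loads("""[
 {"display_name": "Allow threat intel reads", "effect": "allow", "priority": 100,
  "actions": ["siem.query", "edr.read", "threat_intel.lookup"], "condition": {}},
 {"display_name": "Require approval for containment", "effect": "require_approval", "priority": 200,
  "actions": ["endpoint.isolate", "ip.block", "credentials.revoke"], "condition": {}},
 {"display_name": "Deny low-confidence remediation", "effect": "deny", "priority": 50,
  "actions": ["host.wipe", "service.terminate", "data.delete"],
  "condition": {"op": "or", "args": [
    {"op": "lt", "args": ["ctx.resource.attrs.threat_confidence", 0.9]},
    {"op": "eq", "args": ["ctx.context.mfa_verified", false]}]}}
]""")

def resolve(value, ctx):
    """Strings starting with 'ctx.' are paths into the request context; anything else is a literal."""
    if not (isinstance(value, str) and value.startswith("ctx.")):
        return value
    node = ctx
    for key in value.split(".")[1:]:
        node = node[key]  # KeyError/TypeError when the request did not supply this path
    return node

def evaluate(cond, ctx):
    """Evaluate a condition tree; an empty condition matches unconditionally."""
    if not cond:
        return True
    op, args = cond["op"], cond["args"]
    if op == "or":
        return any(evaluate(a, ctx) for a in args)
    left, right = (resolve(a, ctx) for a in args)
    if op == "eq":
        return left == right
    if op == "lt":
        return left < right  # TypeError on a non-numeric value also fails closed below
    raise ValueError(f"unsupported op: {op}")

def decide(action, ctx, rules=RULES):
    """Effect of the first matching rule. Assumed (not stated on the page): lower priority number
    is evaluated first, an unmatched request is denied, and missing context fails closed to deny."""
    for rule in sorted(rules, key=lambda r: r["priority"]):
        if action not in rule["actions"]:
            continue
        try:
            if evaluate(rule["condition"], ctx):
                return rule["effect"]
        except (KeyError, TypeError):
            return "deny"
    return "deny"
```

Note that under these assumptions a high-confidence, MFA-verified `host.wipe` still lands on the default deny, because the page's rule set has no explicit allow for remediation; a deployment would add one, with its own approval gate.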
SIEM integration

Kynara audit log streams into your SIEM

Every Kynara decision event — allow, deny, require_approval, and approval resolutions — streams into your SIEM via the polling cursor API. Analysts get a complete picture of AI agent activity alongside human activity in the same platform.

SIEM               | Setup                                                                        | Kynara events
Splunk             | Kynara Add-on with polling cursor                                            | All events
Microsoft Sentinel | Data connector; built-in rules for agent.killed and audit.chain_broken        | All events
Datadog            | Log pipeline from cursor endpoint                                            | All events
Elastic / ECS      | Filebeat module with ECS field mapping                                       | All events
PagerDuty          | Webhook on agent.killed + anomaly.deny_rate_spike                            | Critical events

Govern your security AI agents

Free plan to get started. Enterprise plans include custom SIEM connectors, dedicated deployment, and SLA.