Incident Response for Malware
Use Case Family
Business Domain: IT
Processes: Security Incident Response Automation
Challenge
When malware incidents occur, SOCs need to act fast — manual workflows are too slow and fragmented. Key context (IOC metadata, case comments, MITRE mappings) is often underutilized, and documentation is incomplete. Without automation and LLM support, effective containment and traceability are compromised.
Solution
Agentic AI enables a multi-agent orchestration of security incident response by integrating LLM-powered runbooks, tool APIs (MCP servers), and automated decision flows.
A soc_manager agent delegates to four sub-agents (soc_analyst_tier1, soc_analyst_tier2, cti_researcher, incident_responder) that leverage LLM-supported runbooks to perform actions via MCP tools such as get_case_details, search_security_events, or get_collection_report. The final result is a structured Markdown case report including executive summary, timeline, and containment actions.
Agent Structure:
- Root Agent: soc_manager
- Sub-Agents: soc_analyst_tier1, soc_analyst_tier2, cti_researcher, incident_responder
Source: Mandiant & Google Cloud Security - Agentic incident reaction
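The delegation flow described above, as an added example that is not part of the source use case: a Python simulation in which soc_manager calls each sub-agent in turn, the sub-agents invoke a local stand-in for the MCP tools, and the result is the Markdown case report. No LLM or MCP server is involved; the sample case data, the isolate_host tool and the per-agent tool allowlist (a least-privilege check so that only incident_responder can trigger containment) are assumptions of this example.

```python
# Constructed sample data standing in for what the MCP tools would return; no real case.
CASE = {"id": "CASE-0001", "host": "WS-42", "iocs": ["198.51.100.7", "bad.example"],
        "comments": ["user reported a suspicious popup"], "mitre": ["T1204.002"]}
EVENTS = [{"ts": "2024-01-01T10:00:00Z", "host": "WS-42", "ioc": "198.51.100.7",
           "event": "cmd.exe spawned powershell.exe"}]
COLLECTION = {"verdict": "malicious", "family": "<placeholder-family>"}
# Tool registry: the three MCP tool names from the page plus an assumed isolate_host tool.
def get_case_details(case_id):
    return CASE if case_id == CASE["id"] else {}
def search_security_events(ioc):
    return [e for e in EVENTS if e["ioc"] == ioc]
def get_collection_report(host):
    return dict(COLLECTION, host=host)
def isolate_host(host):  # assumed containment tool; not named on the page
    return {"host": host, "action": "isolated"}

TOOLS = {f.__name__: f for f in (get_case_details, search_security_events,
                                 get_collection_report, isolate_host)}
# Least-privilege allowlist: each sub-agent may call only the tools its role needs,
# so a confused or prompt-injected analyst agent cannot trigger containment by itself.
ALLOWED = {"soc_analyst_tier1": {"get_case_details"},
           "soc_analyst_tier2": {"search_security_events"},
           "cti_researcher": {"get_collection_report"},
           "incident_responder": {"isolate_host"}}

class Agent:
    """Sub-agent: runs runbook steps as tool calls and records each call for traceability."""
    def __init__(self, name):
        self.name, self.calls = name, []
    def call(self, tool, *args):
        if tool not in ALLOWED[self.name]:
            raise PermissionError(f"{self.name} is not allowed to call {tool}")
        self.calls.append(tool)
        return TOOLS[tool](*args)

def run_soc_manager(case_id):
    """Root agent: delegates to the four sub-agents in turn and assembles the Markdown report."""
    t1, t2, cti, ir = (Agent(n) for n in ALLOWED)
    case = t1.call("get_case_details", case_id)
    events = [e for ioc in case["iocs"] for e in t2.call("search_security_events", ioc)]
    report = cti.call("get_collection_report", case["host"])
    actions = [ir.call("isolate_host", case["host"])] if report["verdict"] == "malicious" else []
    tools_used = sorted({c for a in (t1, t2, cti, ir) for c in a.calls})
    md = (f"# Case {case['id']}\n## Executive summary\nVerdict: {report['verdict']}; "
          f"MITRE: {', '.join(case['mitre'])}; analyst notes: {'; '.join(case['comments'])}\n"
          "## Timeline\n" + "\n".join(f"- {e['ts']} {e['host']}: {e['event']}" for e in events)
          + "\n## Containment actions\n" + "\n".join(f"- {a['action']} {a['host']}" for a in actions)
          + "\n## Tooling used\n" + ", ".join(tools_used) + "\n")
    return {"report": md, "actions": actions, "tools_used": tools_used}
```

The "Tooling used" section is what gives the report its audit trail: every tool call is recorded by the sub-agent that made it, and the allowlist check fails closed with PermissionError if an agent steps outside its role.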
Benefits
- Faster response times via agent-based automation: Tasks like IOC enrichment, triage, isolation, and containment are executed concurrently and role-specifically – reducing Mean Time to Respond (MTTR).
- Adaptive decision-making powered by LLMs: Embedded logic in LLM-supported runbooks enables dynamic reactions based on case context, historical comments, and threat intelligence (e.g. MITRE ATT&CK).
- Comprehensive, automated case documentation for compliance: Markdown reports include executive summary, timeline, containment steps, and tooling used – eliminating the need for manual write-ups.
