Inferensys

AI Integration for Cloud Incident Response Automation

Architect AI-driven workflows that connect CNAPP alerts to SOAR platforms, enabling automated containment actions like workload isolation and IAM key revocation. Reduce MTTR from hours to minutes.
ARCHITECTURE FOR AUTONOMOUS CONTAINMENT

Where AI Fits in Cloud Incident Response

Integrating AI agents with CNAPP APIs and SOAR platforms to automate real-time threat containment and reduce mean time to resolution (MTTR).

AI fits into cloud incident response by acting as an orchestration layer between detection and action. It consumes real-time alerts and enriched context from platforms like Wiz, Prisma Cloud, or Lacework via their GraphQL or REST APIs. The AI agent's primary role is to interpret the severity, understand the affected resource's role (e.g., production database, development container), and execute pre-approved containment steps through integrated SOAR platforms (ServiceNow, Cortex XSOAR, Swimlane) or directly via cloud provider APIs. Key automated actions include: isolate workload (stop/terminate EC2 instance, scale down Kubernetes deployment), revoke IAM keys, block malicious IPs in security groups or WAF, and quarantine compromised storage buckets by modifying bucket policies.

The implementation centers on a decision engine with guardrails. The AI agent is not making open-ended decisions; it operates within a policy framework defined in code. For example, an alert for Cryptojacking on a container from Wiz's runtime protection module triggers a workflow where the agent first checks the resource's tags (env:production), consults a CMDB for owner approval status, and then executes a containment playbook if the risk score exceeds a defined threshold. The agent uses the CNAPP's attack path analysis to understand if the compromised resource is a critical node in a lateral movement chain, prioritizing containment of the most exploitable assets first. All actions are logged with a full audit trail, and human-in-the-loop approvals can be configured for specific resource classes or during business hours.

Rollout is phased, starting with low-risk, high-volume alerts. A common starting point is automating the response to publicly exposed storage buckets or over-permissive IAM roles detected by CSPM modules. The AI agent drafts the remediation ticket in ServiceNow, suggests the precise policy change (e.g., a new S3 bucket policy), and, after a simulated dry-run period, executes the change via AWS SDK, posting the result back to the CNAPP for verification. Governance is maintained through regular evaluation of the agent's decision logs against SOC analyst outcomes, tuning the policy rules and confidence thresholds. This creates a closed-loop system where the AI reduces analyst fatigue on routine tasks, allowing the team to focus on sophisticated, novel attacks that require human investigation.

ARCHITECTURE FOR AUTOMATED CONTAINMENT

CNAPP & SOAR Integration Surfaces

Real-Time Threat Context for AI Agents

AI agents require structured, high-fidelity alert data to make containment decisions. This surface involves connecting to the CNAPP platform's event streaming or webhook API (e.g., Wiz's /events endpoint, Prisma Cloud's /alert stream).

The agent ingests alerts enriched with:

  • Resource Context: VM/container ID, cloud account, tags, owner.
  • Threat Details: Severity, MITRE ATT&CK tactic, vulnerability CVE, misconfiguration rule ID.
  • Exposure Data: Public internet access, sensitive data proximity, blast radius analysis.

A typical ingestion handler filters for critical alerts (e.g., CRITICAL severity, ACTIVE status) and packages the context into a structured prompt for the reasoning agent. This ensures actions are based on real-time, prioritized findings.

CLOUD INCIDENT RESPONSE AUTOMATION

High-Value AI Automation Use Cases

Integrate AI agents with CNAPP APIs (Wiz, Prisma Cloud, Lacework, Orca) and SOAR platforms to automate containment, evidence gathering, and communication, reducing manual triage and accelerating mean time to respond (MTTR).

01. Automated Workload Containment

AI agents analyze real-time threat context from CNAPP alerts (e.g., malicious process, suspicious network flow) and execute API calls to isolate the affected EC2 instance, Kubernetes pod, or serverless function. The agent logs the action, updates the incident ticket, and notifies the on-call engineer with a containment report.

Containment step: Manual -> Automated

02. IAM Key Revocation & Access Review

For alerts involving compromised credentials or excessive permissions, the AI agent queries the CNAPP's CIEM findings and automatically revokes high-risk IAM keys or session tokens via the cloud provider's API. It then triggers an access review ticket in the IAM platform (Okta, Entra ID) for the associated identity.

Privilege reduction: Same day

03. Context-Aware Ticket Enrichment for SOC

The agent consumes raw CNAPP findings (vulnerabilities, misconfigurations, anomalies) and generates a plain-language incident summary, root cause hypothesis, and blast radius analysis. It auto-populates these into the corresponding ServiceNow or Jira Service Management ticket, saving analysts 15-30 minutes of manual investigation per alert.

15-30 min saved per high-severity alert

04. SOAR-Triggered Evidence Collection

Upon ticket creation in a SOAR platform like Cortex XSOAR or Swimlane, an AI agent orchestrates evidence gathering. It pulls relevant cloud resource configurations, recent log snippets, and network flow diagrams from the CNAPP and attached cloud accounts, compiling a forensics package for the responder before they even open the ticket.

Evidence assembly: Batch -> Real-time

05. Dynamic Communication & Runbook Execution

Based on the incident type (e.g., data exposure, cryptojacking), the AI agent drafts stakeholder notifications for Slack or Teams and executes the first steps of a response runbook. It can query the CNAPP for affected asset owners, check change freeze windows, and update status pages—all governed by approval workflows for critical actions.

Stakeholder comms: Hours -> Minutes

06. Post-Incident Fix Workflow Orchestration

After containment, the agent analyzes the root cause from the CNAPP (e.g., a missing security group rule, a vulnerable container image) and automatically creates a remediation task. It can generate a PR in GitHub to fix the IaC, create a story in Jira for the dev team, or trigger a pipeline scan in the CI/CD tool to prevent regression.

Preventive fix lead time: 1 sprint

AUTOMATED CONTAINMENT AND REMEDIATION

Example AI-Driven Response Workflows

These workflows illustrate how AI agents, triggered by CNAPP alerts, can orchestrate context-aware containment and remediation actions through platform APIs and connected SOAR tools. Each flow is designed to reduce manual investigation and accelerate mean time to resolution (MTTR).

Trigger: A CWPP module (e.g., Prisma Cloud Workload Security, Wiz Runtime Sensor) detects a critical runtime threat like cryptomining or lateral movement with high confidence.

AI Agent Workflow:

  1. Context Enrichment: The agent pulls the full alert context, including the workload ID, associated cloud account, network connections, and process tree.
  2. Blast Radius Analysis: It queries the CNAPP's graph API to identify other workloads in the same security group/VPC and any attached sensitive data stores.
  3. Decision & Action: Using a risk-scoring prompt, the agent decides to isolate the workload. It calls the cloud provider's compute API (e.g., AWS EC2 stop-instances, Azure VM deallocate) or the CSPM's native action API if available.
  4. SOAR Integration: The agent creates a high-severity incident in ServiceNow or Jira, attaching all gathered context and the action taken. It assigns the ticket to the Cloud Security team with a note: "Workload [ID] isolated due to [threat]. Network connections to [resources] were noted."
  5. Human Review Point: The isolation action is logged, but the subsequent investigation and permanent remediation (image rebuild, vulnerability patching) require analyst approval documented in the linked ticket.
FROM ALERT TO AUTOMATED ACTION

Implementation Architecture & Data Flow

A production-ready architecture for connecting AI agents to CNAPP platforms and SOAR systems to execute context-aware containment.

The integration is built on a secure, event-driven pipeline. A webhook listener captures real-time high-severity alerts from your CNAPP platform—such as a Wiz Cloud Detection, a Prisma Cloud Runtime Threat, or a Lacework Anomalous Process finding. This payload, containing the full incident context (resource ID, threat type, user, timeline), is placed into a durable queue (e.g., AWS SQS, Google Pub/Sub). An orchestration agent retrieves the event, enriches it by querying the CNAPP's API for additional asset metadata and blast radius, and then passes the consolidated context to a decision-making LLM.

The LLM, governed by a strict action policy, analyzes the enriched alert against pre-defined containment playbooks. It determines the appropriate automated response—such as isolate workload, revoke IAM keys, quarantine container, or block network flow—and generates a structured action plan with the specific API calls needed. This plan is sent to a secure action executor, which authenticates with the target cloud provider's APIs (AWS EC2, GCP IAM, Azure NSG) or SOAR platform (ServiceNow, Cortex XSOAR) to carry out the containment step. All decisions, API calls, and outcomes are logged to an immutable audit trail for review.

Rollout is phased, starting with read-only enrichment and human-in-the-loop approval. Initially, the system generates proposed containment tickets in your SOAR or ITSM with full reasoning, requiring analyst approval. After validation, you can move to fully automated actions for pre-authorized, high-confidence threat types (e.g., cryptomining on a non-production instance). Governance is maintained through a centralized policy engine that defines which threat types, resource tags, and environments are eligible for auto-remediation, ensuring actions align with your cloud security and compliance frameworks.
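The decision engine with guardrails and the centralized policy engine described above can be expressed as a small, deterministic gate that sits between the LLM's recommendation and the action executor. This is an added example, not code from the original page; the type names, the `env` tag key, the rollout modes and the sample rules are assumptions.

```typescript
// Added example: a policy-as-code gate between the LLM's recommendation and the executor.
// Type names, the "env" tag key and the sample rules are illustrative assumptions.
type Verdict = 'EXECUTE' | 'REQUIRE_APPROVAL' | 'TICKET_ONLY';
type Mode = 'enrich_only' | 'human_approval' | 'auto'; // rollout phase

interface Proposal {
  threatType: string;            // taken from the CNAPP alert, never from the LLM
  action: string;                // LLM output: untrusted until checked here
  riskScore: number;             // 0-100, taken from the CNAPP alert
  tags: Record<string, string>;  // resource tags from the CNAPP
}

interface PolicyRule {
  threatType: string;
  action: string;
  environments: string[];        // env tag values where auto-execution is pre-authorized
  minRiskScore: number;
}

const KNOWN_ACTIONS = ['ISOLATE_NETWORK', 'REVOKE_IAM', 'STOP_INSTANCE', 'CREATE_TICKET'];

// Constructed sample policy: only cryptomining outside production is pre-authorized.
const POLICY: PolicyRule[] = [
  { threatType: 'CRYPTOMINING', action: 'STOP_INSTANCE', environments: ['dev', 'staging'], minRiskScore: 80 },
  { threatType: 'CRYPTOMINING', action: 'ISOLATE_NETWORK', environments: ['dev', 'staging'], minRiskScore: 80 },
];

function decide(verdict: Verdict, reason: string) {
  return { verdict, reason }; // the reason string goes to the audit trail
}

function evaluate(p: Proposal, mode: Mode, policy: PolicyRule[] = POLICY) {
  // Every branch that is not an explicit match falls back to a human or a ticket.
  if (KNOWN_ACTIONS.indexOf(p.action) === -1) return decide('TICKET_ONLY', 'unknown action from model');
  if (p.action === 'CREATE_TICKET') return decide('TICKET_ONLY', 'ticket requested');
  if (mode === 'enrich_only') return decide('TICKET_ONLY', 'rollout phase allows no actions');

  const rule = policy.filter((r) => r.threatType === p.threatType && r.action === p.action)[0];
  if (!rule) return decide('REQUIRE_APPROVAL', 'no rule pre-authorizes this threat/action pair');
  if (p.riskScore < rule.minRiskScore) return decide('TICKET_ONLY', 'risk score below threshold');

  const env = p.tags['env'];
  if (!env) return decide('REQUIRE_APPROVAL', 'resource has no env tag');
  if (rule.environments.indexOf(env) === -1) return decide('REQUIRE_APPROVAL', 'environment not pre-authorized: ' + env);

  if (mode === 'human_approval') return decide('REQUIRE_APPROVAL', 'rollout phase requires analyst approval');
  return decide('EXECUTE', 'matched rule for ' + rule.threatType + ' in ' + env);
}
```

Because the threat type, risk score and tags come from the CNAPP rather than from the model, a manipulated or mistaken recommendation can at most pick an action that the policy already permits for that alert.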

AUTOMATED RESPONSE WORKFLOWS

Code & Payload Examples

Ingesting CNAPP Alerts into SOAR

When a critical alert is triggered in Wiz, Prisma Cloud, or Lacework, the platform sends a webhook payload to your SOAR platform (e.g., ServiceNow, Cortex XSOAR). An AI agent first enriches this alert with context before deciding on an automated containment action.

This TypeScript handler receives the webhook, calls the CNAPP API for additional context (like affected resource tags, blast radius), and uses an LLM to classify the severity and recommend a response playbook.

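```typescript
// Example: Enriching a CNAPP alert for AI decision-making
type CNAPPAlert = {
  id: string;
  source: 'wiz' | 'prisma' | 'lacework';
  severity: 'CRITICAL' | 'HIGH' | 'MEDIUM';
  type: 'MALWARE' | 'CREDENTIAL_ACCESS' | 'NETWORK_EXPOSURE';
  resourceId: string;
  resourceType: string;
  cloudProvider: string;
  region: string;
};

// Shapes returned by the helper calls used below.
type ResourceContext = { name: string; tags: Record<string, string> };
type BusinessContext = { team: string; criticality: string };
type LLMRecommendation = { action: string; reason: string };

type EnrichedAlert = CNAPPAlert & {
  resourceContext: ResourceContext;
  businessContext: BusinessContext;
  recommendedAction: string;
  justification: string;
};

// Integration points you implement against your own CNAPP, CMDB and LLM clients.
declare function fetchCNAPPResourceDetails(resourceId: string): Promise<ResourceContext>;
declare function fetchBusinessContext(tags: Record<string, string>): Promise<BusinessContext>;
declare function getLLMRecommendation(prompt: string): Promise<LLMRecommendation>;

async function enrichAlertForAI(alert: CNAPPAlert): Promise<EnrichedAlert> {
  // 1. Fetch additional resource context from CNAPP API
  const resourceContext = await fetchCNAPPResourceDetails(alert.resourceId);

  // 2. Query CMDB or asset inventory for owner and business criticality
  const businessContext = await fetchBusinessContext(resourceContext.tags);

  // 3. Prepare prompt for LLM to assess and recommend action.
  //    Resource names and tags originate in the monitored environment,
  //    so they are untrusted text once placed in the prompt.
  const prompt = `CNAPP Alert Analysis:\n` +
    `Type: ${alert.type}\n` +
    `Resource: ${resourceContext.name} (${alert.resourceType})\n` +
    `Tags: ${JSON.stringify(resourceContext.tags)}\n` +
    `Business Unit: ${businessContext.team}\n` +
    `Criticality: ${businessContext.criticality}\n\n` +
    `Based on the alert type and business context, recommend an immediate containment action: ` +
    `[ISOLATE_NETWORK, REVOKE_IAM, STOP_INSTANCE, CREATE_TICKET]. Justify briefly.`;

  const llmRecommendation = await getLLMRecommendation(prompt);

  // The recommendation is advisory: it is returned for a policy check, not executed here.
  return {
    ...alert,
    resourceContext,
    businessContext,
    recommendedAction: llmRecommendation.action,
    justification: llmRecommendation.reason
  };
}
```

AI-DRIVEN INCIDENT RESPONSE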

Realistic Time Savings & Operational Impact

How AI agents integrated with CNAPP platforms (Wiz, Prisma Cloud, Lacework) and SOAR tools transform manual, reactive processes into automated, context-aware workflows.

| Metric | Before AI | After AI | Notes |
| --- | --- | --- | --- |
| Mean Time to Acknowledge (MTTA) | 15-30 minutes | < 2 minutes | AI agents auto-triage and route critical alerts from CNAPP APIs. |
| Initial Containment Action | Manual ticket + human review | Automated, policy-governed execution | e.g., isolate workload, revoke IAM keys via SOAR playbook. |
| Incident Summary Draft | Analyst writes from scratch (20-30 min) | AI-generated from CNAPP context (2 min) | Includes affected assets, blast radius, and root cause from Wiz/Prisma Cloud data. |
| Evidence Gathering | Manual API queries, console navigation | Automated data pull via agent tool-calling | Agent fetches related logs, config snapshots, and user activity from cloud APIs. |
| Remediation Ticket Creation | Copy-paste details into ITSM | Structured, enriched ticket auto-created | Includes AI-generated fix steps and links to CNAPP findings for tracking. |
| Cross-Team Coordination | Email/chat threads, manual handoffs | Orchestrated workflow with approval gates | AI routes tasks to cloud, IAM, or DevOps teams based on incident type. |
| Post-Incident Report | Days to compile and analyze | First draft generated in hours | AI synthesizes timeline, actions taken, and lessons from CNAPP & SOAR logs. |

ARCHITECTING FOR CONTROL AND SCALE

Governance, Security, and Phased Rollout

Integrating AI into live incident response requires a security-first architecture with clear operational guardrails.

A production AI integration for cloud incident response must operate within the existing security and compliance boundaries of your CNAPP (Wiz, Prisma Cloud, Lacework) and SOAR (ServiceNow, Cortex XSOAR) platforms. This means the AI agent acts as a privileged, audited system user, not an external override. Key controls include:

  • API Credential Scoping: Agents use service accounts with least-privilege access, scoped only to the necessary CNAPP APIs (e.g., POST /containers/{id}/isolate, DELETE /users/{id}/accessKeys) and SOAR ticketing modules.
  • Action Approval Gates: High-impact containment steps (like revoking root IAM keys) are configured to require human approval via a SOAR task or a dedicated governance dashboard before execution.
  • Immutable Audit Trail: Every AI-initiated action—from alert ingestion to remediation ticket creation—is logged with a session ID in your SIEM, linking back to the original CNAPP finding and the agent's reasoning context.

A successful rollout follows a phased, risk-based approach, starting with low-risk, high-volume alerts to build trust and operational muscle memory.

Phase 1: Triage & Enrichment (Weeks 1-2)

  • Deploy AI agents to consume alerts from your CNAPP's event stream (e.g., Wiz's /events API, Prisma Cloud's /_search).
  • Agents perform root cause analysis, querying cloud context (resource tags, network paths) to suppress noise and generate a plain-language summary appended to the SOAR ticket.
  • No automated actions. The output is a human-reviewed enrichment layer that reduces mean time to triage from hours to minutes.

Phase 2: Recommended Playbooks (Weeks 3-4)

  • Agents begin to analyze the enriched alert and the affected resource's state, then propose a specific, ranked list of containment steps (e.g., "1. Isolate EC2 instance i-abc123, 2. Revoke temporary credentials for role ProdLambdaExecution").
  • Recommendations are inserted into the SOAR ticket as a checklist for the analyst to approve and execute manually, creating a feedback loop for agent accuracy.

Phase 3: Supervised Automation (Weeks 5-6+)

  • For pre-defined, low-risk scenarios (e.g., containing a flagged container in a non-production cluster), agents execute the first step of the playbook automatically, creating a task for the analyst to verify completion.
  • Governance is maintained through RBAC in the SOAR platform and regular review of the agent's action log in your AI governance workflows (/integrations/cloud-security-and-cnapp-platforms/ai-governance-for-cloud-security).

This controlled, incremental approach ensures the integration augments—rather than disrupts—your security operations center (SOC). The architecture is designed for resilience: if the AI service is unavailable, your CNAPP and SOAR platforms continue to function, with alerts routing to the standard manual queue. By treating AI as a deterministic workflow orchestrator with clear boundaries, you gain the efficiency of automation without sacrificing the oversight required for cloud security.

IMPLEMENTATION BLUEPRINT

Frequently Asked Questions

Practical questions for architects and security leaders planning AI-driven incident response with CNAPP platforms like Wiz, Prisma Cloud, or Lacework.

AI agents act as an orchestration layer between your CNAPP and action systems. The workflow is:

  1. Trigger: A high-severity alert is generated in the CNAPP (e.g., CRITICAL: Cryptomining container detected in production cluster).
  2. Context Pull: The agent calls the CNAPP's API (e.g., Wiz's /graphql endpoint) to fetch enriched context:
    • Asset Details: Workload ID, cloud account, tags, owner.
    • Threat Context: Process tree, network connections, involved vulnerabilities.
    • Risk Score & Business Impact: Is this a customer-facing service? Is it in PCI scope?
  3. Decision Input: This structured context is formatted into a prompt for an LLM (like GPT-4 or Claude), alongside predefined security playbooks.
  4. Agent Action: The LLM evaluates the context against policy (e.g., "Isolate if cryptomining AND production") and returns a structured action plan, such as:
    ```json
    {
      "action": "CONTAIN",
      "steps": [
        {"system": "Kubernetes", "command": "cordon node <node-name>"},
        {"system": "AWS IAM", "command": "revoke temporary credentials for role <role-arn>"}
      ],
      "justification": "Critical threat in production workload with high blast radius."
    }
    ```
  5. Execution: The agent executes these steps via respective APIs (Kubernetes API, AWS SDK) or creates a high-fidelity ticket in your SOAR platform for automated execution.
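
The "command" strings in the plan from step 4 are model output, so the execution in step 5 is safer when they are parsed into typed, allow-listed operations rather than passed on as text. The following is an added example, not code from the original page; the operation names, patterns and limits are assumptions, and any deviation from the expected shape rejects the whole plan.

```typescript
// Added example: turn the LLM's JSON plan into typed, allow-listed operations.
// Op names, patterns and limits are illustrative assumptions, not a vendor API.
type Op =
  | { op: 'k8s.cordon'; node: string }
  | { op: 'iam.revokeRoleSessions'; roleArn: string };

interface PlanResult { ok: boolean; ops: Op[]; error: string }

// One anchored pattern per permitted (system, command) shape; anything else is rejected.
const ALLOWED: { system: string; re: RegExp; build: (m: RegExpExecArray) => Op }[] = [
  { system: 'Kubernetes',
    re: /^cordon node ([a-z0-9][a-z0-9.-]{0,252})$/,
    build: (m) => ({ op: 'k8s.cordon', node: m[1] }) },
  { system: 'AWS IAM',
    re: /^revoke temporary credentials for role (arn:aws:iam::\d{12}:role\/[\w+=,.@\/-]{1,128})$/,
    build: (m) => ({ op: 'iam.revokeRoleSessions', roleArn: m[1] }) },
];
const TOP_LEVEL_KEYS = ['action', 'steps', 'justification'];
const MAX_STEPS = 5;

function reject(error: string): PlanResult {
  return { ok: false, ops: [], error }; // fail closed: no operations on any error
}

function parsePlan(raw: string): PlanResult {
  let plan: any;
  try { plan = JSON.parse(raw); } catch (e) { return reject('not valid JSON'); }
  if (plan === null || typeof plan !== 'object' || Array.isArray(plan)) return reject('plan must be an object');
  for (const key of Object.keys(plan)) {
    if (TOP_LEVEL_KEYS.indexOf(key) === -1) return reject('unexpected key: ' + key);
  }
  if (plan.action !== 'CONTAIN') return reject('action not allow-listed');
  if (typeof plan.justification !== 'string' || plan.justification.length > 500) return reject('bad justification');
  if (!Array.isArray(plan.steps) || plan.steps.length < 1 || plan.steps.length > MAX_STEPS) {
    return reject('steps must be an array of 1-' + MAX_STEPS + ' items');
  }
  const ops: Op[] = [];
  for (let i = 0; i < plan.steps.length; i++) {
    const step = plan.steps[i];
    if (step === null || typeof step !== 'object' ||
        typeof step.system !== 'string' || typeof step.command !== 'string') {
      return reject('step ' + i + ' is malformed');
    }
    let built: Op | null = null;
    for (const rule of ALLOWED) {
      const m = rule.system === step.system ? rule.re.exec(step.command) : null;
      if (m) { built = rule.build(m); break; }
    }
    if (!built) return reject('step ' + i + ' is not an allow-listed command');
    ops.push(built);
  }
  return { ok: true, ops, error: '' };
}
```

The executor then switches on `op` and calls the Kubernetes API or AWS SDK with the extracted identifier; a rejected plan becomes a SOAR ticket for an analyst.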

About the author

Prasad Kumkar

CEO & MD, Inference Systems

Prasad Kumkar is the CEO & MD of Inference Systems and writes about AI systems architecture, LLM infrastructure, model serving, evaluation, and production deployment. Over 5+ years, he has worked across computer vision models, L5 autonomous vehicle systems, and LLM research, with a focus on taking complex AI ideas into real-world engineering systems.

His work and writing cover AI systems, large language models, AI agents, multimodal systems, autonomous systems, inference optimization, RAG, evaluation, and production AI engineering.