Response approvals

High-impact actions are queued for human approval and recorded in the audit log.

Last updated 4/14/2026

SOCPilot recommends response actions, but high-impact actions never execute without an approving human. This is the default and cannot be silently disabled.

What requires approval

  • Host isolation
  • Account disablement, password reset, session revocation
  • Credential and access key rotation
  • Domain or IP blocking at the gateway
  • Any custom playbook step explicitly marked as "requires_approval"

What gets logged

Every approval writes an audit entry with: actor, action, target, timestamp, justification (optional note), and a snapshot of the recommendation evidence at the time of approval.

Two-person approval

Two-person approval is one configuration toggle in Settings → Security controls. When enabled, a second user with approve permission must confirm before execution.

Kill switch

The kill switch in Security controls instantly pauses every automated response, including queued executions. Use it during incident response when scope is uncertain.
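The following is an added example, not SOCPilot's own code: a minimal model of the approval gate this article describes. It queues the approval-gated actions, records the audit fields listed under "What gets logged" with a copied evidence snapshot, requires a second distinct user with approve permission when two-person approval is on, and keeps approved work paused while the kill switch is set. Action kinds, user names and evidence values are constructed for the example.

```python
from datetime import datetime, timezone

# Constructed policy mirroring the article's list of approval-gated actions;
# custom playbook steps opt in via the requires_approval flag on the action.
HIGH_IMPACT = {"isolate_host", "disable_account", "reset_password",
               "revoke_sessions", "rotate_credential", "block_indicator"}

def needs_approval(action):
    return action["kind"] in HIGH_IMPACT or action.get("requires_approval", False)

class ApprovalGate:
    def __init__(self, approvers, two_person=False):
        self.approvers = set(approvers)  # users holding approve permission
        self.two_person = two_person     # the Security controls toggle
        self.kill_switch = False         # pauses all execution, queued included
        self.queue = {}                  # action id -> [action, approvals]
        self.audit_log = []
        self.executed = []

    def submit(self, aid, action):
        """Queue high-impact recommendations; others run unless paused."""
        self.queue[aid] = [action, []]
        return "queued" if needs_approval(action) else self.release(aid)

    def approve(self, aid, actor, justification=None):
        action, approvals = self.queue[aid]
        if actor not in self.approvers:
            raise PermissionError(f"{actor} lacks approve permission")
        if actor in approvals:
            raise ValueError("two-person approval needs a second, distinct user")
        approvals.append(actor)
        # Every approval is audited with a snapshot of the evidence as it was.
        self.audit_log.append({
            "actor": actor, "action": action["kind"], "target": action["target"],
            "timestamp": datetime.now(timezone.utc).isoformat(),
            "justification": justification,
            "evidence": dict(action["evidence"]),  # copy, not a live reference
        })
        return self.release(aid)

    def release(self, aid):
        """Execute a queued action once approvals suffice and no kill switch."""
        action, approvals = self.queue[aid]
        required = (2 if self.two_person else 1) if needs_approval(action) else 0
        if len(approvals) < required:
            return "awaiting_approval"
        if self.kill_switch:
            return "paused"              # stays queued until the switch is lifted
        del self.queue[aid]
        self.executed.append(aid)
        return "executed"
```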