Skip to main content
Who is this for? MSP/MSSP Partners and Security Team Leadership
February 2026 · ContraForce Team · 4 min read Security Delivery Agents (SDAs) are now generally available in ContraForce. These AI agents automatically investigate incidents, enrich context with sign-in logs and device timelines, and execute response actions through Gamebooks — giving your team the capacity to handle more incidents without adding headcount.

What Security Delivery Agents Do

SDAs handle the repetitive, time-consuming work of incident investigation. When an incident arrives, the agent:
  • Analyzes the incident context using sign-in logs, audit trails, device timelines, and related incidents
  • Enriches entity information by pulling threat intelligence and historical activity patterns
  • Recommends or executes response actions based on your configured confidence thresholds
  • Documents findings with detailed comments for analyst review
This isn’t a chatbot or copilot. SDAs are autonomous agents that take action on your behalf, following the same workflows your analysts would — just faster and at scale.

A Phased Approach to Automation

ContraForce designed SDAs with a progressive adoption model. You control how much automation to enable:
PhaseModeWhat Happens
Phase 1ManualYou select incidents and trigger agent investigation on demand
Phase 2Automatic by StatusAgents run automatically on new, active, or closed incidents
Phase 3Automatic GamebooksAgents execute response playbooks based on confidence thresholds
Start with manual execution to see how agents analyze your incident types. Once you trust the outputs, enable automatic execution. When you’re confident in agent accuracy, allow Gamebook execution for full autonomous response.

Human-in-the-Loop Controls

Even with full automation enabled, you maintain control:
  • Confidence thresholds determine when agents can take action versus when they require approval
  • Status filters control which incidents trigger automatic processing
  • Gamebook authorization must be explicitly granted before agents can execute response actions
  • Audit trails capture every agent action for compliance and review

Why This Matters for Service Providers

For MSPs and MSSPs managing multiple customer workspaces, SDAs change the math on security operations:
  • Scale without headcount — Handle 10x the incident volume with the same team
  • Consistent quality — Every incident gets the same thorough investigation
  • Faster response — Automated triage means faster time-to-resolution
  • Multi-tenant ready — Agents work across all your customer workspaces from day one

Quick Summary

  • Security Delivery Agents automate incident investigation and response
  • Three-phase adoption: manual → automatic by status → automatic Gamebooks
  • Agents use sign-in logs, device timelines, and threat intelligence for context
  • Confidence thresholds and human-in-the-loop controls keep you in charge
  • Deploy once, scale across all customer workspaces

Configuring SDAs

Step-by-step guide to configuring Security Delivery Agents

Deploying Agent Center

Deploy the Azure AI infrastructure that powers SDAs
Questions? Contact us at [email protected].