Who is this for? Organizational Admins and Agent Admins who manage Security Delivery Agents and want to standardize incident classification and response procedures.
SOP Types
ContraForce supports two types of SOPs, each designed for a different phase of incident handling.Classification SOPs
Classification SOPs define how incidents should be categorized and prioritized. These contain your organization’s specific severity definitions, escalation criteria, and triage procedures. Each AI Agent can have multiple Classification SOPs associated with it, but only one Classification SOP is activated per investigation. This ensures that every incident processed by that Agent follows a single, consistent classification standard while giving you the flexibility to maintain several classification approaches for different scenarios.Response SOPs
Response SOPs contain procedures for how to respond to and remediate security incidents. These include containment steps, investigation workflows, communication protocols, and recovery procedures. Each AI Agent can have multiple Response SOPs associated with it, and each Response SOP can be shared across multiple Agents. This many-to-many relationship means you can assign your phishing response playbook to three different Agents without duplicating the document.Supported File Formats
SOP Knowledge Base accepts the following document formats:| Format | Extensions |
|---|---|
| Markdown | .md |
| Plain Text | .txt |
Uploading an SOP
Open SOP Knowledge Base
Navigate to Agent Center in the left navigation menu, then select SOP Knowledge Base.
Select the SOP type
Choose either Classification or Response to categorize the SOP. This determines how the SOP can be associated with AI Agents.
Upload the file
Drag and drop your file into the upload area, or click to browse and select a file from your computer.
Add metadata
Enter a title for the SOP. Optionally, add tags for easier searching and organization, and map the SOP to relevant MITRE ATT&CK techniques.
Viewing SOP Content
After uploading, you can view the full content of any SOP directly within ContraForce without switching to an external application.- Open Agent Center → SOP Knowledge Base.
- Click on any SOP in the list to open the detail view.
- The detail panel displays the extracted document content, metadata (type, tags, MITRE ATT&CK mappings, version), and timestamps.
Associating SOPs with AI Agents
You can create SOP-Agent associations from either direction.From the SOP detail page
- Open the SOP you want to associate.
- Select the Linked Agents tab.
- Click Add Agent and select one or more AI Agents from the list.
- The association takes effect immediately.
From the Agent detail page
- Navigate to Agent Center and select the Agent you want to configure.
- Scroll to the Associated SOPs section.
- Click Add SOP and select the SOPs you want to associate.
- You can associate multiple Classification SOPs with an Agent, but only one will be activated per investigation.
Changes to SOP-Agent associations take effect immediately. There is no separate publish or deploy step.
Updating an SOP
SOP Knowledge Base does not support in-place editing. To update an SOP, upload a new version of the file. All existing Agent associations are preserved when you update the document. Use the version field on the SOP to track changes over time.Searching and Filtering SOPs
The SOP list view provides several ways to find the right document quickly:- Search by SOP title or content keywords.
- Filter by type to show only Classification or Response SOPs.
- Sort by last updated date, title, or associated agent count.
Roles and Permissions
SOP access follows the ContraForce role-based access control model.| Role | Permissions |
|---|---|
| Organizational Admin | Full access: create, view, update, and delete SOPs |
| Agent Admin | Create, view, and update SOPs |
| Workspace-level roles (Analyst, Incident Responder) | View SOPs associated with Agents they have access to |
How AI Agents Use SOPs
When an AI Agent processes an incident, it retrieves the content from its associated SOPs to inform its investigation and response decisions. This means the Agent follows your organization’s specific procedures rather than relying on generic response patterns.- Classification SOPs guide how the Agent categorizes incident severity and priority.
- Response SOPs guide the specific containment, investigation, and remediation steps the Agent recommends or executes.
Best Practices
Start with your most critical playbooks. Upload the SOPs your team uses most frequently first, such as phishing response, ransomware containment, and business email compromise procedures. Use tags consistently. Apply tags likephishing, ransomware, insider-threat, or data-exfiltration so SOPs are easy to find and can be matched to relevant incidents.
Map to MITRE ATT&CK techniques. Associating SOPs with specific techniques helps surface the right procedure when an incident involves those techniques.
Keep SOPs focused. Rather than uploading one massive document covering everything, break your procedures into focused SOPs by incident type or response phase. This makes Agent associations more precise and retrieval more effective.
Review and update regularly. Upload new versions of your SOPs as your procedures evolve. ContraForce preserves all Agent associations when you update a document.
Frequently Asked Questions
Is there a limit to how many SOPs I can upload?
Is there a limit to how many SOPs I can upload?
There is no hard limit on the number of SOPs per workspace. We recommend organizing your SOPs thoughtfully and associating only the most relevant procedures with each Agent.
Can I associate one SOP with multiple Agents?
Can I associate one SOP with multiple Agents?
Yes. Both SOP types support many-to-many associations, so a single SOP can be linked to multiple Agents. For Classification SOPs, multiple can be associated with an Agent, but only one is activated per investigation.
What happens if I delete an SOP that is associated with an Agent?
What happens if I delete an SOP that is associated with an Agent?
The association is removed automatically. The Agent will continue to function but will no longer reference that SOP during incident handling.
Can I share SOPs across workspaces?
Can I share SOPs across workspaces?
Do I need to redeploy my Agent after associating an SOP?
Do I need to redeploy my Agent after associating an SOP?
No. SOP associations take effect immediately. There is no redeployment or restart required.
Related Guides
Configuring Security Delivery Agents
Set up and configure agents using the three-phase adoption model.
Agent Execution History
Monitor and audit agent activity with a complete execution trail.
Deploying Agent Center
Deploy the Azure AI Foundry infrastructure required for agents.
Incident Management
Learn how incidents flow through ContraForce.
Questions about SOP Knowledge Base? Contact us at support@contraforce.com.