Configure and use Security Delivery Agents to automate incident investigation and response through a phased adoption approach.
Security Delivery Agents (SDAs) automate incident investigation and response within ContraForce. This guide walks you through configuring agents using a phased approach, allowing you to gradually increase automation as you become comfortable with agent capabilities.
Security Delivery Agents follow a three-phase adoption model: manual execution, automatic execution based on severity, and automatic gamebook execution. This progressive approach helps you build confidence in agent behavior before enabling full automation.
In this initial phase, you manually select individual incidents and trigger the agent to run investigations. This allows you to evaluate agent performance before enabling automation.
Once you’re comfortable with agent behavior, configure automatic execution based on incident severity and status.
The status filters below are the standard configuration. To scope automatic execution to specific severities, or to switch the trigger to Manual, enable Advanced mode and use the True-Positive Policy settings. With Advanced disabled, behavior is exactly as described in this section.
Agent requires strong evidence before taking action
Production environments, sensitive systems
Medium
Balanced approach between automation and caution
Most standard deployments
Low
Agent takes action with less certainty
Test environments, high-volume low-risk scenarios
Lower confidence thresholds result in more aggressive automation. Start with higher thresholds and adjust based on observed accuracy and your risk tolerance.
By default, every agent investigation ends in one post-investigation flow regardless of the agent’s verdict. Advanced mode replaces that single flow with a policy that acts on the agent’s classification, so a True Positive can be escalated for analyst action while a False Positive is closed out.
Advanced mode is opt-in and reversible. While it is disabled, agent behavior is exactly as described in Phases 1 to 3, with no change. Enabling it only adds the trigger and per-classification settings below.
When Advanced mode is on, each of the four classifications has its own policy. For an explanation of the classifications themselves, see Incident Classifications.
Setting
Description
Gamebooks
Gamebooks queued for the incident when the agent reaches this classification.
Assignee
The owner the incident is assigned to.
Status
The status the incident moves to (for example, keep a True Positive open for analyst action instead of closing it).
Custom action
An optional webhook fired when the agent reaches this classification. Use this to escalate into your own SIEM, ticketing, or on-call tooling.
The common True-Positive Policy pattern: for True Positive, keep the incident open, assign it to your response queue, and set a webhook custom action so your team is paged. For False Positive and Benign Positive, close the incident with no webhook.
The custom action sends the Agent investigation completed event (agent.investigation.completed.v1) the moment the investigation finishes. The payload carries the agent’s verdict and the incident context, signed so your endpoint can verify it.This event is selected here, on the classification card. It is not a broadcast subscription: only the webhook a classification card points to receives it. For the payload schema, headers, and signature verification, see Agent Investigation Completed Webhook.
If the webhook a card points to is later deleted, paused, disabled, or unsubscribed from the event, the card shows a warning with a link to fix it in Developers, and the skipped delivery is recorded as Failed rather than dropped silently. Check the card if escalations stop arriving.
Confirm “Allow Agent to run gamebooks” is toggled on
Too many automated actions
Confidence threshold too low
Increase confidence level setting
Agent missing incidents
Status filters misconfigured
Review and adjust status filter selections
Investigation not starting
Missing permissions
Verify Organizational Admin and Workspace Owner roles
Escalation webhook not arriving
Card’s webhook deleted, paused, disabled, or unsubscribed
Check the classification card for a binding warning; fix the webhook in Developers. Skipped deliveries appear as Failed in the delivery log
Advanced settings have no effect
Advanced toggle disabled
Enable the Advanced toggle and save; without it the standard Phase 1 to 3 behavior applies
If you encounter persistent issues with Security Delivery Agent configuration, contact support@contraforce.com with your configuration details and observed behavior.