Module 16 — Response Automation (SOAR)¶
Type 7 · Build-&-Operate — build a SOAR playbook that takes a real alert, enriches it, decides (with optional AI triage), and tickets/contains it; you commit a running trigger→enrich→decide→act playbook with a human approval gate. (Secondary: Judgment-as-Code/Gate — the gate is what stops you automating a wrong decision at machine speed.) Go to the hands-on lab →
Last reviewed: 2026-06
Defensive Operations — automate the boring 80% of response, with a human gate in front of anything that touches production.
In 60 seconds
A SOC drowns in repetitive response — enrich, look up intel, open a ticket, maybe contain — most of it the same keystrokes every time. SOAR automates that toil via a playbook: trigger → enrich → decide → act, wiring together everything this track built. It's the capstone of defensive operations because it integrates the rest, and the natural home for AI-augmented triage. The whole skill is placing the human gate where a wrong machine decision would hurt: enrichment is safe and reversible; containment acts on production at machine speed and is not.
Why this matters¶
A SOC drowns in repetitive response: enrich the alert, check the intel, open a ticket, maybe contain. SOAR automates that toil so analysts spend their judgment where it matters — and it's the natural home for AI-augmented triage. This is the capstone of defensive operations: tie your telemetry, detections, intel, and IR process into an automated, human-in-the-loop workflow. Automation is assumed now; the skill is designing it well and keeping the human in command.
Objective¶
Build a SOAR playbook that takes a real alert, enriches it, decides (with optional AI triage), and tickets/contains it — with a human approval gate.
The core idea¶
A SOC drowns in repetitive response — enrich the alert, look up the intel, open a ticket, maybe contain — and most of it is the same keystrokes every time. SOAR automates that toil so analysts spend judgment where judgment is actually needed. The mental model is a playbook: trigger → enrich → decide → act, wiring together everything this track built (telemetry, detections, intel, the IR process) into one workflow. It's the capstone of defensive operations precisely because it integrates the rest — and it's the natural home for AI-augmented triage: a small local model for high-volume "is this even interesting?", a frontier model for the genuinely hard call.
The mental model
Orchestration (connecting tools), automation (running steps without a human), and response (the action itself) are three different things, and the art is deciding which steps are safe to fully automate and which need a human gate. Enrichment is safe because it is read-only and reversible; the one caveat is that a lookup which sends an indicator or a sample to a third-party service is still a disclosure, so know what leaves your environment. Containment is not safe to leave unattended: it acts on production and is hard to undo. Shuffle gives you an OSS platform to build the whole loop for free.
```mermaid
flowchart LR
T["trigger<br/>(alert)"] --> EN["enrich<br/>(read-only)"]
EN --> DE["decide<br/>(AI triage)"]
DE --> G{"human<br/>gate"}
G -->|approve| AC["contain<br/>(acts on prod)"]
classDef safe fill:#1f3a1f,stroke:#6ce06c,color:#fff;
classDef risk fill:#5a1f1f,stroke:#e06c6c,color:#fff;
class EN safe
class AC risk
```
The whole skill is where the gate goes. Enrichment (green) is read-only and reversible — run it unattended. Containment (red) acts on production at machine speed — a wrong auto-contain takes the box down before any human can intervene, so it sits behind the gate.
The gotcha
This is where automation stops being advisory and becomes the deliverable, so the standing rule, AI authors → you review → you own it, bites hardest. An AI triage step that auto-closes alerts will eventually auto-close a real one; an auto-contain action on a false positive takes down production at machine speed, before any human can intervene. Automation multiplies whatever judgment you encoded, including the bad judgment.
Go deeper: where to place the human gate
The entire skill is placing the human gate exactly where a wrong machine decision would hurt. Low-impact, reversible steps (enrichment, intel lookups, opening a ticket) can run unattended; actions that touch production and are hard to undo (host isolation, account disable, firewall or proxy blocks) want an approval gate, and the gate has to fail closed: no approval means no action, never an action that fires because a timer ran out. Get this placement right and you reclaim the boring 80% without ever risking an auto-inflicted outage.
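The gate placement described above, as an added worked example (it is not Shuffle code and not code from this module's lab): a small Python playbook runner in which every action declares whether it touches production. Read-only and low-impact steps run unattended; a production action runs only when the decide step recommended it and a human approval exists for that specific alert and action, otherwise it is parked as pending. The alert, the intel table, the privileged-user list and the triage scoring are constructed stand-ins; the scoring function takes the place of the AI triage step and only ever returns a recommendation.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

# Constructed sample alert, shaped like what a SIEM hands to a SOAR trigger.
SAMPLE_ALERT = {
    "id": "ALR-0001",
    "rule": "Outbound connection to rare domain",
    "host": "ws-0419",
    "user": "jsmith",
    "dst_ip": "203.0.113.45",
}

# Constructed intel table standing in for a read-only threat-intel lookup.
INTEL = {"203.0.113.45": {"malicious": True, "source": "constructed-feed"}}

# Constructed set of accounts whose involvement raises the triage score.
PRIVILEGED_USERS = {"admin", "svc_backup"}


@dataclass
class Action:
    name: str
    run: Callable[[dict], dict]
    touches_production: bool  # the deciding property: would a wrong run hurt?


@dataclass
class Approval:
    approver: str
    reason: str


@dataclass
class RunResult:
    state: dict
    executed: List[str] = field(default_factory=list)
    pending: List[str] = field(default_factory=list)  # gated, awaiting a human
    skipped: List[str] = field(default_factory=list)  # gated, not recommended


def enrich(alert: dict) -> dict:
    """Read-only: attach the intel verdict for the destination IP."""
    hit = INTEL.get(alert["dst_ip"], {"malicious": False, "source": None})
    return {**alert, "intel": hit}


def triage(alert: dict) -> dict:
    """Decide. Stand-in for the AI triage step: a transparent score, not a model.
    It returns a recommendation only; it never closes or contains anything.
    The middle band ("review") is where the hard call goes to a frontier model
    or an analyst instead of being acted on."""
    score = 0
    if alert["intel"]["malicious"]:
        score += 70
    if alert["user"] in PRIVILEGED_USERS:
        score += 30
    if score >= 70:
        recommendation = "contain"
    elif score >= 30:
        recommendation = "review"
    else:
        recommendation = "close"
    return {**alert, "triage": {"score": score, "recommendation": recommendation}}


def open_ticket(alert: dict) -> dict:
    """Low impact and reversible. A ticket is opened even when triage says
    'close', so a human, not the model, is the one who closes the alert."""
    return {**alert, "ticket": f"INC-{alert['id']}"}


def isolate_host(alert: dict) -> dict:
    """Acts on production. A real playbook would call the EDR isolation API
    here; this stand-in only records what would have been done."""
    return {**alert, "isolated": alert["host"]}


PLAYBOOK = [
    Action("enrich", enrich, touches_production=False),
    Action("triage", triage, touches_production=False),
    Action("ticket", open_ticket, touches_production=False),
    Action("isolate_host", isolate_host, touches_production=True),
]


def approval_key(alert_id: str, action_name: str) -> str:
    """Approvals are bound to one alert and one action so they cannot be reused."""
    return f"{alert_id}:{action_name}"


def run_playbook(alert: dict, approvals: Optional[Dict[str, Approval]] = None) -> RunResult:
    """trigger -> enrich -> decide -> act, with the gate on production actions."""
    approvals = approvals or {}
    result = RunResult(state=dict(alert))
    for action in PLAYBOOK:
        if action.touches_production:
            recommendation = result.state.get("triage", {}).get("recommendation")
            if recommendation != "contain":
                result.skipped.append(action.name)
                continue
            approval = approvals.get(approval_key(alert["id"], action.name))
            if approval is None:
                # Fail closed: no approval means no action, never a timed-out default.
                result.pending.append(action.name)
                continue
            result.state = {**result.state, "approved_by": approval.approver,
                            "approval_reason": approval.reason}
        result.state = action.run(result.state)
        result.executed.append(action.name)
    return result


if __name__ == "__main__":
    first = run_playbook(SAMPLE_ALERT)
    print("pending approval:", first.pending)
    approved = {approval_key("ALR-0001", "isolate_host"): Approval("analyst.h", "confirmed C2")}
    print("executed:", run_playbook(SAMPLE_ALERT, approved).executed)
```

Run as a script, the first pass completes enrich, triage and ticket and parks isolate_host as pending; the second pass, with an approval bound to ALR-0001, runs it. Keying the approval on alert id plus action name is deliberate: an approval granted for one alert must not carry over to the next, and an absent approval leaves the action pending rather than firing it. Note also that a "close" recommendation still opens a ticket, which is the code-level form of "an AI triage step that auto-closes alerts will eventually auto-close a real one".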
AI caveat
This is the module where AI/automation stops being advisory and becomes the deliverable — and where the standing rule bites hardest: AI authors → you review → you own it. Put the human gate where a wrong machine decision would hurt, and own that design.
Learn (~4 hrs)¶
The platform
- Automate Everything with Shuffle! (video) — building SOAR workflows in the OSS platform.
- Shuffle documentation — apps, workflows, and triggers.
What to automate
- MITRE ATT&CK — automate response mapped to the techniques you detect.
- Pyramid of Pain — what's worth containing.
Key concepts¶
- SOAR: orchestration vs automation vs response
- Playbooks: trigger → enrich → decide → act
- Human-in-the-loop (and when to require approval)
- Where AI fits: triage/summarisation as a step (local model for volume, frontier for hard calls)
- The danger of automating a wrong decision at machine speed
AI acceleration¶
This is the module where AI/automation stops being advisory and becomes the deliverable — and where the standing rule bites hardest: AI authors → you review → you own it. An AI triage step that auto-closes alerts will eventually auto-close a real one; an auto-contain action on a false positive takes down production. Put the human gate where a wrong machine decision would hurt, and own that design.
Check yourself
- In the trigger → enrich → decide → act playbook, which steps are safe to fully automate and which demand a human gate — and what's the deciding property?
- Why is an auto-contain action on a false positive more dangerous than the same mistake made by a human analyst?
- What does it mean that "automation multiplies whatever judgment you encoded," and how does that change how you review an AI triage step?