When containment fails · when reversal isn't enough · we go on-site

An agent broke free. Who do you call?

Mandiant doesn't know agents. CrowdStrike doesn't know prompt-injection. The first person to call is the one who built the containment layer in the first place. Agent Incident Response — on-demand retainer for agent compromises. Commander Lead on call.

Seven incident classes · one playbook

Every documented agent incident on our Nightmare Board fits one of these. We've seen them all. Each has a different first move.

AGENT_HIJACK

Outsider takes control

Prompt injection · stolen API key · adversarial RAG poisoning.

KEY_LEAK

Agent leaks a credential

Env-var exfil · log exposure · response-channel leak.

DATA_DESTRUCTION

Agent deletes / corrupts data

The Replit-class incident. Production drop · backups wiped.

TOOL_MISUSE

Agent uses tools out-of-policy

Tool-graph drift · undeclared tool invocation.

PROMPT_INJECTION

Crafted input → goal hijack

Direct · indirect (via fetched doc) · multi-turn coordinated.

DRIFT

Persona / capability erosion

Long-running slow corruption. Often the canary for bigger issues.

OTHER

Novel attack class

If it's new, it gets a name when we're done. Public publication optional.

Response SLA

Faster for retainer customers. Ad-hoc gets 2× the SLA. ENTERPRISE retainer halves it.

Critical: 3 min
High: 15 min
Medium: 30 min
Low: 1 h

Five-step engagement

01 · File

Email or API. Auto-assigned commander + SLA clock starts.

02 · Triage

Snapshot the agent, freeze affected resources, isolate.

03 · Forensics

What did the agent do? When? How? Cryptographic audit trail.

04 · Reversal

Where RWS makes it possible — undo. Where it doesn't — minimise.

05 · Post-mortem

Public if you want (Nightmare Board addition) or private.

How an engagement runs

You don't fight the incident alone. We bring the playbook, the operators, and the audit trail.

FILE

You email or Slack us — 24/7

Severity + incident class triaged within the SLA you're on. No ticket forms.

BRIDGE

We open a war-room channel within 1 hour

You + your CISO + your blockchain team. Slack / Teams — your choice.

CONTAIN

Action log captured live

Every step you + we take. Auditable record. Regulator-ready. No retrofitting after the fact.

RESOLVE

Closure note + post-mortem + 30-day watch

Engagement closed when YOU agree it's closed. Watching period included.

🚨 Active incident right now?

Email adama@cryptoshieldai.ai · subject: URGENT · attach what you have · Commander Lead replies within SLA.
Retainer: €10,000/mo · activation: €5,000/day · Enterprise retainer halves all SLAs.
