KYE Cyber Resilience & Incident Authority Pack™ — defensible AI-assisted containment, incident evidence & disclosure timing.
AI now triages alerts, proposes containment, and drafts breach notifications — and regulators and insurers demand the decisions be defensible when challenged. KYE Protocol™ governs the authority and evidence of AI-assisted cybersecurity and incident response and proves it: who authorised the containment action and under what authority, the provenance of the AI triage, the chain-of-custody of every piece of incident evidence, that no AI-asserted incident classification was relied on without a pinned, verifiable signal source, that the regulator-notification-clock decision was authority-bound, and a signed, replay-provable Evidence Pack™ per decision — with a contestability record so any decision can be reconstructed and challenged. KYE Protocol™ governs whether the AI-assisted work may proceed and proves it is defensible — it does not detect threats, run the SIEM/EDR, perform forensics, remediate the incident, or replace the SOC analyst.
AI now drives the SOC — and the containment action, the classification, and the disclosure clock are the moments accountability concentrates.
Generative triage copilots, automated containment agents, and AI breach-notification drafters are producing decisions that move quickly toward severing a host, opening a regulator clock, and shaping the incident record. The high-value problem is not the detection — it is the action boundary and its defensibility. Four facts converge:
- The consequential moment is the containment, the classification, and the disclosure call — not the alert. A model's alert is inert; a host isolated, an account blocked, a 72-hour clock opened, or an incident classified as reportable is consequential. When the AI-assisted work is challenged — a DORA post-incident inquiry, an insurer's claim dispute, a board review — the regulator demands to see who authorised it and how it was made.
- The unsourced-triage problem is now a defensibility risk. An AI-asserted severity with no underlying alert, or an attribution with no indicator, cannot be relied on. KYE Protocol™ refuses any incident classification whose signal source does not resolve — an unsourced triage never proceeds.
- Containment and disclosure-timing decisions must be reconstructable. The containment call and the regulator-notification-clock decision are non-delegable accountable-officer judgments under DORA Article 19, NIS2 Article 23 (24h/72h), and SEC Item 1.05. KYE Protocol™ records who authorised the AI-assisted action to proceed, under what authority, and binds a contestability record so it can be reconstructed exactly as made.
- This is a governance wedge, not a security stack. KYE Protocol™ does not compete with the SIEM, the EDR, the threat-intel feed, or the SOAR runbook. It governs the action boundary they feed — the named-authority + chain-of-custody + source-pinned-triage + Evidence Pack™ + contestability layer the AI security ecosystem currently lacks.
Survives a DORA inquiry, an insurer dispute, or a board review — chain-of-custody-recorded, source-pinned, and derivable from public keys alone.
- No unsourced triage, by construction. Every AI-asserted incident classification, severity, or attribution that proceeds toward a consequential action must carry a pinned, verifiable signal source. A classification whose source does not resolve is refused at the action-admissibility gate and never proceeds.
- Containment actions are authority-bound. Every isolate, block, or shutdown maps to a recorded named-authority decision — the agent, the target asset, the action, and the named incident commander or CISO under whose authority it proceeds. An AI authorised for one purpose cannot proceed under another.
- Chain-of-custody on every piece of evidence. Every log set, memory capture, or EDR alert bundle relied on carries a recorded chain-of-custody — source system, every transformation with actor and timestamp, and integrity hash as collected and as relied on — so the incident record is certifiable as complete and reasonable under DORA / NIS2 and ISO/IEC 27035.
- Replay-provable Evidence Pack™. Every decision emits a signed Evidence Pack™ binding the authority, the chain-of-custody, the source-pinned triage, and the rule basis — reconstructable and valid at T=0, derivable from published keys alone, retained under WORM — the defensibility artefact a regulator or insurer can verify offline.
- Contestable when challenged. Every decision carries a contestability record so a DORA / NIS2 post-incident inquiry, an insurer dispute, or litigation can reconstruct it exactly as made and contest it through a recorded route. Bound to DORA ICT incident reporting, NIS2 24h/72h, NIST CSF 2.0 RESPOND/RECOVER, SEC Item 1.05, and ISO/IEC 27035 — each with a 90-day attestation cadence.
Every consequential incident decision — authority-bound and evidenced at the action boundary.
One coherent spine governs three specializations — containment-authority, incident-evidence, and disclosure-timing — with no parallel packs. Each AI-assisted decision that moves toward a consequential action flows through the same five rules, on the canonical KYE Protocol™ envelopes.
- 1 — Decision proposed. An AI triage / response agent produces a containment action, an incident classification, or a disclosure-timing call that begins to move toward being executed, relied on, or reported.
- 2 — Authority + source check. The Action Admissibility™ Gate verifies the named-authority under which the decision proceeds and that every AI-asserted incident classification is pinned to a verifiable signal source, under the §25 Edge Governance Safety Floor. No authority, or an unsourced classification = no action.
- 3 — Chain-of-custody recorded. Every piece of incident evidence relied on carries its recorded chain-of-custody — source system, every transformation with actor and timestamp, integrity hash as collected and as relied on — before it proceeds.
- 4 — Evidence Pack™ + contestability sealed. The runtime emits kye.purpose.request.v1 + kye.purpose.admissibility.v1 + kye.evidence.decision_map.v1 + kye.evidence.pack.v1 + kye.replay.context_seal.v1 in lockstep, binding the authority, the chain-of-custody, the source-pinned triage, and a contestability record into a signed, replay-provable, WORM-retained Evidence Pack™ — reconstructable for a regulator, an insurer, or a court when the work is challenged.
Bound to the cyber-incident reporting, response, and disclosure perimeter.
The pack binds the canonical KYE™ artefact set to the cyber resilience & incident perimeter. Every claim resolves to a control row on the bound framework — the five regimes are consumed by the rule pack, never re-mapped (honest scope: KYE™ maps only the authority / evidence / defensibility slices, and cedes threat detection / SIEM-EDR / forensics / remediation to the customer's security stack).
| Framework | Control area | Pack coverage |
|---|---|---|
| DORA ICT Incident Reporting (Article 19) | Named-authority on the containment / response action, incident-evidence chain-of-custody, staged-report timing authority & reconstruction | partial |
| NIS2 (Article 23 — 24h / 72h) | Disclosure-timing authority on the notification clock; notification-evidence chain-of-custody & contestability | partial |
| NIST CSF 2.0 (RESPOND / RECOVER) | RESPOND/RECOVER action authority, source-pinned incident analysis (RS.AN), post-incident reconstruction | partial |
| SEC Cyber Disclosure (Item 1.05, 4 business days) | Disclosure-timing authority on the four-business-day materiality clock; timing-decision contestability | partial |
| ISO/IEC 27035 (Incident Management) | Incident-evidence chain-of-custody, assessment-and-decision authority, lessons-learned reconstruction | partial |
Honest scope. KYE Protocol™ governs the authority, chain-of-custody, provenance, evidence, and contestability of the AI-assisted incident decision at the action boundary — whether the work may proceed and how it came into existence, so it is defensible when challenged. It does not detect threats, run the SIEM/EDR, perform forensics, remediate the incident, or replace the SOC analyst. Partial coverage means the bound surface satisfies the authority / evidence / defensibility slice of the control area when paired with the customer’s own security operations. KYE™ complements CrowdStrike, Microsoft Sentinel, Splunk, Palo Alto, and the SOC — it does not compete with them.
Qualified security-AI partners — apply through the Foundry.
The KYE Cyber Resilience & Incident Authority Pack™ is a §68 sector product productised through the KYE Sector Pack Foundry™ Build tier, with Starter, Enterprise, and Regulated commercial tiers; commercial distribution is value-based, qualification-gated, and disclosed under NDA to qualified applicants.