Public validation asset

SOC Containment Approval Checklist

Use this checklist to review guarded SOC / MSSP delegation where containment remains human-gated.

Boundary note: this is a public validation asset, not production deployment and not evidence of a deployed customer workflow.

Alert triage

  • What alert entered review?
  • What asset, customer, or business impact context is known?
  • What enrichment is useful before an analyst decides?
  • What uncertainty should stay visible?

Containment boundary

  • What enrichment or recommendation drafting is allowed?
  • What containment action is blocked?
  • What customer-impacting action is gated?
  • What account, endpoint, or network change is out of scope without approval?

Approval before irreversible action

  • Who approves containment?
  • What information must be present before approval?
  • What action is rejected, held, or escalated?
  • Is the approval point part of the receipt?

Analyst review

  • Which analyst or shift lead owns the decision?
  • What does the analyst inspect?
  • What is the escalation path?
  • How is disagreement or low confidence handled?

Receipt / replay

  • Does the receipt show triage, allowed enrichment, blocked containment, and analyst review?
  • Can another analyst replay why containment did or did not proceed?
  • Does the record show the human checkpoint before impact?
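As an added illustration, not part of this checklist or of any deployed workflow, the following Python sketch models the human-gated flow the Approval and Receipt / replay sections describe: enrichment passes, containment is held until a named analyst approves with the required context present, unknown actions are blocked, and every decision lands in a receipt another analyst can replay. The action names, required fields and roles are assumptions chosen for the example.

```python
from dataclasses import dataclass, field

# Assumed action classes for the example; a real deployment defines its own.
ENRICHMENT = {"lookup_asset_owner", "query_threat_intel", "draft_recommendation"}
CONTAINMENT = {"isolate_endpoint", "disable_account", "block_network"}
# Information that must be present before an analyst may approve containment.
REQUIRED_FOR_APPROVAL = ("alert_id", "asset", "impact", "uncertainty")

@dataclass
class Receipt:
    """Append-only record of every triage, enrichment, hold and approval step."""
    entries: list = field(default_factory=list)

    def log(self, stage, action, outcome, by, note=""):
        self.entries.append({"stage": stage, "action": action,
                             "outcome": outcome, "by": by, "note": note})

class ContainmentGate:
    def __init__(self, receipt):
        self.receipt = receipt
        self.held = {}  # containment action -> context awaiting approval

    def request(self, action, context, by="automation"):
        """Enrichment is allowed; containment is held; anything else is blocked."""
        if action in ENRICHMENT:
            self.receipt.log("enrichment", action, "allowed", by)
            return "allowed"
        if action in CONTAINMENT:
            self.held[action] = context
            self.receipt.log("containment", action, "held", by, "awaiting analyst approval")
            return "held"
        self.receipt.log("containment", action, "blocked", by, "out of scope without approval")
        return "blocked"

    def approve(self, action, analyst, decision):
        """Only a held action with complete context can be approved; else reject/escalate."""
        ctx = self.held.get(action)
        if ctx is None:
            self.receipt.log("approval", action, "rejected", analyst, "nothing held")
            return "rejected"
        missing = [k for k in REQUIRED_FOR_APPROVAL if not ctx.get(k)]
        if missing:
            self.receipt.log("approval", action, "rejected", analyst, f"missing: {missing}")
            return "rejected"
        if decision == "approve":
            del self.held[action]  # the human checkpoint is now on the record
            self.receipt.log("approval", action, "approved", analyst)
            return "approved"
        self.receipt.log("approval", action, "escalated", analyst, "low confidence")
        return "escalated"

def replay(receipt, action):
    """Explain, in order, why a given action did or did not proceed."""
    return [f"{e['stage']}:{e['outcome']} by {e['by']} {e['note']}".strip()
            for e in receipt.entries if e["action"] == action]
```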

Boundaries

  • This does not replace SOAR tooling.
  • It does not claim live containment automation.
  • It does not claim live SOC operation.
  • It does not remove analyst accountability.