Resources
Checklists
These checklists are starting points. Adapt them to your evidence handling, legal, privacy, and incident response requirements.
Agentic event intake
- Record who reported the event
- Capture timeframe and affected assets
- Identify agent harness and workspace
- Preserve initial prompts and outputs
- Document known impact and open questions
Session preservation
- Stop unnecessary agent activity
- Copy session stores safely
- Hash copied artifacts
- Record original paths
- Restrict access to sensitive raw records
Tool-call review
- List tools invoked
- Capture inputs and outputs
- Mark failed, denied, and approved calls
- Map affected files and APIs
- Separate observed effects from inferred intent
Prompt-injection triage
- Locate untrusted input
- Identify instruction-like content
- Check whether tools were called afterward
- Review boundary controls
- Record confidence and uncertainty
Evidence redaction
- Find secrets and personal data
- Prefer excerpts over full transcripts
- Hash values needed for correlation
- Keep originals access-controlled
- Document redaction method