Incident Response
Detect, contain, and close security incidents from one structured workflow.
Incident Response gives MSPs a structured workflow for handling security incidents from initial detection through containment, evidence collection, and closure. Every action is recorded in an immutable timeline, and the AI assistant can create incidents, execute containment, and generate reports on your behalf.
Structured Incident Lifecycle
Incidents progress through five enforced statuses (detected, analyzing, contained, recovering, and closed) with controlled transitions between them. Each incident carries a classification across eight types, including malware, ransomware, phishing, and data breach, plus a P1 through P4 severity level so teams can prioritize response.
Linking Incidents to Devices and Alerts
When an incident is created, it starts in the detected status with an initial timeline entry, and it can be linked to related alerts, affected devices, and an assigned responder. This ties detection signals directly to the systems involved, giving analysts the full context they need without leaving the incident.
Automated Containment Actions
Execute containment actions to isolate threats during an active incident: kill a process by PID, isolate a device from the network, disable a compromised account, or block USB device access. Every containment action requires an approval reference, is dispatched as an agent command to the target device, and records its result in the incident timeline.
Forensic Evidence Collection
Attach forensic evidence (files, logs, screenshots, memory snapshots, and network data) to any incident for investigation and compliance. Evidence integrity is validated with SHA-256 hashes, and storage paths must use approved URI schemes such as s3://, gs://, r2://, azblob://, and immutable://, with path-traversal sequences blocked.
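As an added illustration of the evidence-storage rules described above (approved URI schemes, blocked path-traversal sequences, SHA-256 integrity), here is a small Python validator. It is example code written for this page, not Breeze's own implementation; the function names, the double percent-decoding and the backslash normalisation are assumptions about how such a check might be written.

```python
import hashlib
from urllib.parse import unquote, urlsplit

# Approved storage URI schemes for evidence, as listed on the page.
APPROVED_SCHEMES = {"s3", "gs", "r2", "azblob", "immutable"}


def sha256_hex(content: bytes) -> str:
    """Hex SHA-256 digest used to validate evidence integrity."""
    return hashlib.sha256(content).hexdigest()


def has_path_traversal(path: str) -> bool:
    """True if any path segment is '..' after percent-decoding.

    Decoding twice and normalising backslashes is a defensive assumption
    (covers '%2e%2e', '%252e%252e' and 'a\\..\\b' style variants)."""
    decoded = unquote(unquote(path)).replace("\\", "/")
    return any(segment == ".." for segment in decoded.split("/"))


def validate_storage_uri(uri: str) -> bool:
    """Accept only approved schemes with a bucket/account and no traversal."""
    parts = urlsplit(uri)
    if parts.scheme.lower() not in APPROVED_SCHEMES or not parts.netloc:
        return False
    return not has_path_traversal(parts.path)


def validate_evidence(content: bytes, declared_sha256: str, storage_uri: str) -> dict:
    """Check one evidence attachment and return a timeline-style record."""
    actual = sha256_hex(content)
    problems = []
    if not validate_storage_uri(storage_uri):
        problems.append("storage_uri_rejected")
    if actual != declared_sha256.lower():
        problems.append("sha256_mismatch")
    return {"accepted": not problems, "sha256": actual, "problems": problems}


if __name__ == "__main__":
    # Constructed sample evidence: one fake log line, not real data.
    sample = b"constructed: 2024-01-01 auth failure for user x\n"
    print(validate_evidence(sample, sha256_hex(sample), "r2://ev/incident-42/auth.log"))
    print(validate_evidence(sample, "0" * 64, "file:///tmp/auth.log"))
```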
Immutable Timeline and Reports
Every incident maintains an immutable timeline that records creation, attempted and completed containment actions, collected evidence, and closure, each stamped with a timestamp and the responsible actor, whether user, brain, or system. A generated incident report rolls this up into report metadata, an actions summary, an evidence breakdown, and the full chronological event list.
AI-Assisted Incident Response
The AI assistant provides five incident tools spanning creating incidents, executing containment, collecting evidence, viewing the timeline, and generating reports, and can trigger playbooks against affected devices with the incident ID attached for traceability. Containment execution is the highest-risk tier and always requires human approval through the AI Risk Engine before it runs.
Ready to see Incident Response in action?
Book a 20-minute demo to see how Incident Response works in your environment, or compare plans and self-host today.
Ready to try Breeze?
Self-host the open-source agent or join the managed cloud beta. No credit card required.