From Playbooks to Decisions: An Auditable Coordination Protocol for Hunter–Policy–Responder Cyber Agents (Extended Abstract)
DOI:
https://doi.org/10.1609/aaaiss.v9i1.42951
Abstract
While Security Orchestration, Automation, and Response (SOAR) systems operationalize incident workflows through playbooks, they often lack a decision-provenance mechanism suited to multi-agent settings—where one agent proposes actions, another authorizes them, and a third executes them. We introduce the Cyber Agent Coordination Protocol (CACP), an auditable coordination layer that transitions agent collaboration from free-form dialogue to role-typed commitments. CACP enforces explicit authority boundaries across Hunter–Policy–Responder roles and emits signed, hash-chained Decision Cards that bind (i) evidence pointers and hashes, (ii) policy checks (e.g., rules-of-engagement clauses), and (iii) execution receipts into a queryable provenance record. To avoid a centralized bottleneck, CACP supports federated logging with periodic Merkle-root checkpointing to an immutable ledger. In a small simulated testbed (50 scenarios; 2 analysts), CACP reduced mean time-to-audit by 42% (8.6s → < 5s) relative to unstructured agent logs, and prevented execution of out-of-policy actions in a bounded suite of 100 indirect prompt-injection attempts, while adding 22ms mean coordination latency per decision cycle (vs. 1.2s average LLM inference).
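The hash-chained, signed Decision Cards and Merkle-root checkpointing described in the abstract, sketched as an added example that is not code from the paper or from CACP. The card fields, the per-role HMAC keys (standing in for real signatures), the odd-node Merkle rule and all sample values are assumptions made for illustration.

```python
import hashlib, hmac, json

GENESIS = "0" * 64
# Constructed demo keys, one per role (assumption: HMAC stands in for real signatures).
KEYS = {r: f"demo-{r}-key".encode() for r in ("hunter", "policy", "responder")}

def _digest(obj):
    return hashlib.sha256(json.dumps(obj, sort_keys=True).encode()).hexdigest()

def _sign(role, card_hash):
    return hmac.new(KEYS[role], card_hash.encode(), hashlib.sha256).hexdigest()

def make_card(prev_hash, role, body):
    """Bind the body to the previous card's hash, then sign with the role's key."""
    card = {"prev": prev_hash, "role": role, "body": body}
    card["hash"] = _digest(card)
    card["sig"] = _sign(role, card["hash"])
    return card

def verify_chain(cards):
    """Return the index of the first card that fails verification, or -1 if intact."""
    prev = GENESIS
    for i, c in enumerate(cards):
        core = {"prev": c["prev"], "role": c["role"], "body": c["body"]}
        if c["role"] not in KEYS or c["prev"] != prev or c["hash"] != _digest(core):
            return i
        if not hmac.compare_digest(_sign(c["role"], c["hash"]), c["sig"]):
            return i
        prev = c["hash"]
    return -1

def merkle_root(card_hashes):
    """Checkpoint value over a batch of card hashes (odd node paired with itself)."""
    level = [bytes.fromhex(h) for h in card_hashes] or [bytes(32)]
    while len(level) > 1:
        if len(level) % 2:
            level.append(level[-1])
        level = [hashlib.sha256(level[i] + level[i + 1]).digest()
                 for i in range(0, len(level), 2)]
    return level[0].hex()

def build_demo_log():
    """Constructed Hunter -> Policy -> Responder cycle; all values are sample data."""
    ev = hashlib.sha256(b"constructed evidence bytes").hexdigest()
    c1 = make_card(GENESIS, "hunter", {"propose": "isolate-host",
                   "evidence_ptr": "evidence://constructed/001", "evidence_sha256": ev})
    c2 = make_card(c1["hash"], "policy", {"decision": "allow", "roe_clause": "ROE-SAMPLE-1"})
    c3 = make_card(c2["hash"], "responder", {"action": "isolate-host", "receipt": "ok"})
    return [c1, c2, c3]
```

Chain verification catches edits, reordering and dropped cards; the externally checkpointed Merkle root is what exposes a log that a key holder has rewritten into a different but internally valid chain.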
Published
2026-06-23
How to Cite
Addington, S. (2026). From Playbooks to Decisions: An Auditable Coordination Protocol for Hunter–Policy–Responder Cyber Agents (Extended Abstract). Proceedings of the AAAI Symposium Series, 9(1), 341–344. https://doi.org/10.1609/aaaiss.v9i1.42951
Section
Human-Aware AI Agents for the Cyber Battlefield: From Human Models to Autonomous Defense (Extended Abstracts)