You Control How Much AI Automates
FortMind's 6-level autonomy framework lets you configure exactly how much decision-making control you give to AI—from Level 0 (fully manual) to Level 5 (fully autonomous). Start cautious, scale with confidence.
The Autonomy Spectrum
Six distinct levels—from fully manual to fully autonomous. Configure globally or per alert type. Change anytime.
Each Level Explained
Understand what AI does automatically, what requires approval, and who each level is best for.
Level 0: Manual Operations
NO AUTOMATION. AI performs zero actions. Analysts do everything manually, just like traditional SOC operations.
What AI Does
- Nothing (AI is completely disabled)
- Alerts appear in the queue unchanged
- No enrichment, triage, or investigation
What Analysts Do
- Manually triage every alert
- Query tools manually for enrichment
- Decide and execute all response actions
Level 1: Assisted Operations
VERY LOW RISK. AI enriches alerts and provides recommendations, but takes no actions. Analysts still make all decisions.
What AI Does
- ✓ Enriches alerts with threat intel (VirusTotal, AbuseIPDB)
- ✓ Suggests triage priority (High/Med/Low/False Positive)
- ✓ Recommends next investigation steps
- ✗ Does NOT execute any actions
What Analysts Do
- Review AI enrichment and recommendations
- Approve or override triage suggestions
- Manually execute all response actions
Example Scenario:
Alert: "Suspicious login from 203.0.113.45" → AI enriches with VirusTotal (malicious), AbuseIPDB (reported for brute force), suggests "High Priority" → Analyst reviews, agrees, manually blocks IP in firewall.
Level 2: Suggested Actions
LOW RISK. AI recommends specific response actions (e.g., "Block this IP"), but waits for analyst approval before executing.
What AI Does
- ✓ Everything from Level 1 (enrichment, triage)
- ✓ Proposes specific actions ("Block IP in firewall")
- ✓ Drafts actions in the UI with an "Approve" button
- ✗ Waits for analyst approval before execution
What Analysts Do
- Review AI's proposed actions
- Click "Approve" (or "Reject") for each action
- AI executes only approved actions
Example Scenario:
Alert: "Malware detected on WIN-SRV-01" → AI suggests: "Isolate endpoint, Quarantine file, Create ticket" → Analyst reviews, clicks "Approve All" → AI executes all 3 actions via EDR API and ticketing system.
Level 3: Semi-Autonomous
MEDIUM RISK. AI automatically executes low-risk actions (create tickets, enrich data), but asks approval for high-risk actions (block IPs, isolate endpoints).
AI Does Automatically
- ✓ Create incident tickets
- ✓ Enrich alerts with threat intel
- ✓ Query logs and SIEMs for context
- ✓ Send email notifications
- ✓ Close confirmed false positives
Requires Approval
- ⚠ Block IPs/domains in firewall
- ⚠ Isolate endpoints
- ⚠ Quarantine files
- ⚠ Disable user accounts
- ⚠ Modify firewall rules
Example Scenario:
Alert: "Phishing email clicked by user123" → AI automatically: Creates ticket, queries email logs, enriches URL (malicious) → AI asks approval: "Block domain in proxy?" → Analyst approves → AI executes block.
Level 4: Conditional Autonomy
MEDIUM-HIGH RISK. AI executes all actions automatically if confidence is high, but asks approval for uncertain cases (e.g., confidence < 85%).
AI Does Automatically
- ✓ All Level 3 actions (tickets, enrichment, queries)
- ✓ Block IPs/domains (if confidence ≥ 85%)
- ✓ Isolate endpoints (if confidence ≥ 85%)
- ✓ Quarantine malware (if confidence ≥ 85%)
- ✓ Close confirmed false positives
Asks Approval When
- ? Confidence < 85% (uncertain case)
- ? Action affects critical systems
- ? Conflicting evidence in investigation
- ? New attack pattern (no historical data)
Example Scenario:
High Confidence (92%): Alert: "Known ransomware IOC detected" → AI automatically isolates endpoint, quarantines file, creates ticket → Notifies analyst after completion.
Low Confidence (74%): Alert: "Unusual PowerShell execution" → AI investigates, finds mixed signals → Asks analyst: "Isolate endpoint? (74% confidence)"
Level 5: Fully Autonomous
MANAGED AUTONOMY. AI operates autonomously for high-confidence cases (≥95%). It investigates, decides, and executes all response actions without routine human approval. Low-confidence edge cases auto-escalate to analysts.
AI Does Everything
- ✓ Receives alert, triages automatically
- ✓ Investigates using all available tools
- ✓ Decides severity and response plan
- ✓ Executes all containment actions
- ✓ Creates tickets, documents findings
- ✓ Notifies analysts after completion
Analysts Review Post-Action
- Handle escalations for low-confidence cases (<95%)
- Review completed investigations in the dashboard
- Audit AI decisions and reasoning
- Provide feedback (correct/incorrect)
- Focus on threat hunting and strategy
Built-in Safety Mechanisms:
- ✓ Action rate limits (max X per hour)
- ✓ Critical system protection (prod servers)
- ✓ Rollback capability (undo reversible actions)
- ✓ Irreversible actions downgrade to Level 4 (approval required)
- ✓ Real-time audit logs (immutable)
- ✓ Circuit breaker (pause if >3 isolations in 10 min)
- ✓ Override button (humans can intervene)
Example Scenario:
Alert: "Ransomware detected on FILE-SRV-03" → AI investigates (queries EDR, checks lateral movement, identifies IOCs) → AI decides: "High severity, contain immediately" → AI executes: Isolates endpoint, quarantines files, blocks C2 IPs, creates ticket, notifies on-call → Analyst reviews 10 minutes later, confirms correct response → Incident resolved in 5 minutes vs 45 minutes manually.
Side-by-Side Comparison
Quick reference guide to help you choose the right autonomy level for your team.
| Capability | L0 | L1 | L2 | L3 | L4 | L5 |
|---|---|---|---|---|---|---|
| Alert Enrichment | ✗ | ✓ | ✓ | ✓ | ✓ | ✓ |
| AI Triage | ✗ | ✓ | ✓ | ✓ | ✓ | ✓ |
| Action Recommendations | ✗ | Suggest | Suggest | Suggest | Auto | Auto |
| Create Tickets | Manual | Manual | Approval | Auto | Auto | Auto |
| Block IPs/Domains | Manual | Manual | Approval | Approval | If ≥85% | If ≥95% |
| Isolate Endpoints | Manual | Manual | Approval | Approval | If ≥85% | If ≥95% |
| Quarantine Files | Manual | Manual | Approval | Approval | If ≥85% | If ≥95% |
| Time to Resolution | 45-60 min | 30-40 min | 20-30 min | 10-15 min | 5-10 min | 2-5 min |
| Analyst Involvement | 100% | 80% | 50% | 20% | 10% | 5% |
Recommended Path (Shadow Mode Validation):
Start at Level 1-2 (build confidence in AI accuracy) → Move to Level 3 → Before activating Level 4, run it in Shadow Mode (AI simulates actions, you review 50+ decisions) → Activate Level 4 once shadow log shows 100% accuracy → Graduate to Level 5 using same Shadow Mode validation. Most organizations operate at Level 3-4 long-term.
Configure & Control
Granular controls let you set autonomy per alert type, per integration, or globally. Change anytime.
Granular Configuration
Set different autonomy levels for different alert types or integrations.
- Known malware → Fully autonomous (high confidence, low risk)
- Suspicious internal traffic → Approval for containment
- Executive accounts → Always ask before acting
- Critical systems → Only enrich and suggest, never auto-act
Risk Management
Built-in safeguards ensure AI stays within bounds, even at Level 5.
Action Rate Limits
Max X blocks/isolations per hour. Prevents runaway automation.
Protected Assets
Tag critical systems (prod DBs, domain controllers) as "approval required."
Rollback Capability (Reversible Actions)
One-click undo for reversible actions (unblock IP, un-isolate endpoint). Irreversible actions (wipe device, rotate root keys) always require Level 4 approval logic.
Circuit Breaker (Default: >3 isolations in 10 min)
Auto-pause if error rate spikes or if >3 hosts are isolated in 10 minutes (prevents "flash crash" mass-quarantine scenarios).
Override Button
Analysts can stop or reverse any AI action at any time.
Immutable Audit Logs
Every AI decision and action is logged with reasoning (compliance-ready).
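To make the level semantics and the safeguards above concrete, here is an added illustrative policy evaluator (not FortMind's code) that maps a proposed action to "auto", "approval", "manual" or "paused" using the page's thresholds (85% at Level 4, 95% at Level 5, circuit breaker at >3 isolations in 10 minutes). The action names, the rate-limit value of 20 per hour, and the use of Unix-second timestamps are assumptions; the policy deliberately degrades toward human approval whenever a guardrail is hit.

```python
from dataclasses import dataclass, field

# Action classes as the page groups them (assumed labels, not FortMind's names).
LOW_RISK = {"create_ticket", "enrich", "query_logs", "notify", "close_false_positive"}
HIGH_RISK = {"block_ip", "isolate_endpoint", "quarantine_file", "disable_account"}
IRREVERSIBLE = {"wipe_device", "rotate_root_keys"}
THRESHOLD = {4: 0.85, 5: 0.95}   # confidence needed to auto-execute high-risk actions

@dataclass
class Guardrails:
    protected_assets: set = field(default_factory=set)
    max_per_hour: int = 20        # "max X per hour": X = 20 is an assumed value
    breaker_limit: int = 3        # circuit breaker: pause if >3 isolations in 10 min
    history: list = field(default_factory=list)   # (unix_seconds, action) of auto-executed actions

    def count(self, now, window, action=None):
        return sum(1 for t, a in self.history
                   if now - t <= window and (action is None or a == action))

def decide(level, action, confidence, asset, guard, now):
    """Return 'auto', 'approval', 'manual' or 'paused' for one proposed action."""
    if level == 0 or action not in LOW_RISK | HIGH_RISK | IRREVERSIBLE:
        return "manual"                       # AI disabled, or an action the policy does not know
    if action == "enrich":
        return "auto"                         # enrichment is automatic from Level 1 upward
    if level == 1:
        return "manual"                       # Level 1: recommendations only, analyst acts
    if level == 2:
        return "approval"                     # Level 2: every proposed action needs a click
    # Levels 3-5: safety mechanisms are checked before anything runs automatically
    if guard.count(now, 600, "isolate_endpoint") > guard.breaker_limit:
        return "paused"                       # circuit breaker tripped: halt, do not merely ask
    if action in IRREVERSIBLE or asset in guard.protected_assets:
        return "approval"                     # irreversible or protected asset: Level 4 approval logic
    if action in LOW_RISK:
        return "auto"                         # tickets, queries, notifications, FP closure
    if level == 3 or confidence < THRESHOLD[level]:
        return "approval"                     # high-risk needs approval at L3 or when uncertain
    if guard.count(now, 3600) >= guard.max_per_hour:
        return "approval"                     # rate limit hit: degrade to human approval
    return "auto"

def execute(level, action, confidence, asset, guard, now):
    """Decide, and record automatic actions so later decisions see them."""
    verdict = decide(level, action, confidence, asset, guard, now)
    if verdict == "auto":
        guard.history.append((now, action))
    return verdict
```

Running the page's scenarios through `execute` shows the 74% PowerShell case stopping at "approval" while the 92% ransomware case runs automatically, and a fourth isolation inside ten minutes pausing everything until the window clears.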
Start at Your Comfort Level. Scale When Ready.
FortMind grows with your trust. Begin with Level 1 (assisted), graduate to Level 3 (semi-autonomous), validate with Shadow Mode, then reach Level 5 (high-confidence autonomy). You're always in control.