Documentation Index Fetch the complete documentation index at: https://docs.continum.co/llms.txt
Use this file to discover all available pages before exploring further.
What are Incidents? When Continum detects HIGH or CRITICAL risk signals, it automatically creates an incident trail for tracking investigation and resolution. Incidents provide a complete audit trail with segregation of duties, ensuring compliance with regulatory requirements for incident response.
Incident Lifecycle 1. DETECTED Automatically created when a HIGH or CRITICAL signal is detected:
{ "status" : "DETECTED" , "signalId" : "sig_abc123" , "riskLevel" : "HIGH" , "violations" : [ "PII_LEAK" , "EMAIL" ], "detectedAt" : "2024-03-15T10:30:00Z" }
2. INVESTIGATING Compliance officer begins investigation:
{ "status" : "INVESTIGATING" , "assignedTo" : "compliance_officer_123" , "startedAt" : "2024-03-15T11:00:00Z" }
Issue identified, remediation in progress:
{ "status" : "REMEDIATING" , "remediationPlan" : "Update input validation to prevent PII submission" , "startedAt" : "2024-03-16T09:00:00Z" }
4. VERIFIED Independent auditor verifies resolution:
{ "status" : "VERIFIED" , "verifiedBy" : "auditor_456" , "verifiedAt" : "2024-03-17T14:30:00Z" , "timeToResolution" : "48 hours" }
Segregation of Duties Continum enforces segregation of duties to meet compliance requirements:
Role Requirements
COMPLIANCE_OFFICER : Can investigate and remediateAUDITOR : Can verify resolution (cannot be the same person who investigated)ADMIN : Can view all incidentsVIEWER : Read-only access
Enforcement # Compliance officer investigates curl -X PATCH "https://api.continum.co/evidence/incidents/inc_123/status" \ -H "x-continum-key: co_your_api_key_here" \ -H "Content-Type: application/json" \ -d '{ "status": "INVESTIGATING", "userId": "compliance_officer_123", "userRole": "COMPLIANCE_OFFICER" }' # Same person cannot verify (will fail) curl -X PATCH "https://api.continum.co/evidence/incidents/inc_123/status" \ -H "x-continum-key: co_your_api_key_here" \ -H "Content-Type: application/json" \ -d '{ "status": "VERIFIED", "userId": "compliance_officer_123", "userRole": "COMPLIANCE_OFFICER" }' # Error: "COMPLIANCE_OFFICER cannot verify their own incident" # Different auditor must verify curl -X PATCH "https://api.continum.co/evidence/incidents/inc_123/status" \ -H "x-continum-key: co_your_api_key_here" \ -H "Content-Type: application/json" \ -d '{ "status": "VERIFIED", "userId": "auditor_456", "userRole": "AUDITOR" }' # Success ✅
Creating Incidents Automatic Creation HIGH and CRITICAL signals automatically create incidents:
// SDK automatically creates incident for HIGH/CRITICAL signals const response = await continum . llm . openai . gpt_4o . chat ({ messages: [{ role: 'user' , content: 'My SSN is 123-45-6789' }] }); // If Guardian detects HIGH risk: // 1. Signal created with riskLevel: HIGH // 2. Incident automatically created // 3. Status set to DETECTED // 4. Notification sent (if configured)
Manual Creation Create incidents for specific signals:
curl -X POST "https://api.continum.co/evidence/incidents" \ -H "x-continum-key: co_your_api_key_here" \ -H "Content-Type: application/json" \ -d '{ "signalId": "sig_abc123" }'
Viewing Incidents Get Incident Details curl "https://api.continum.co/evidence/incidents/inc_123" \ -H "x-continum-key: co_your_api_key_here"
Response:
{ "id" : "inc_123" , "signalId" : "sig_abc123" , "status" : "VERIFIED" , "changes" : [ { "id" : "change_1" , "fromStatus" : null , "toStatus" : "DETECTED" , "userId" : "system" , "userRole" : "ADMIN" , "timestamp" : "2024-03-15T10:30:00Z" , "hash" : "a1b2c3d4..." }, { "id" : "change_2" , "fromStatus" : "DETECTED" , "toStatus" : "INVESTIGATING" , "userId" : "compliance_officer_123" , "userRole" : "COMPLIANCE_OFFICER" , "timestamp" : "2024-03-15T11:00:00Z" , "hash" : "d4e5f6g7..." }, { "id" : "change_3" , "fromStatus" : "INVESTIGATING" , "toStatus" : "REMEDIATING" , "userId" : "compliance_officer_123" , "userRole" : "COMPLIANCE_OFFICER" , "timestamp" : "2024-03-16T09:00:00Z" , "hash" : "g7h8i9j0..." }, { "id" : "change_4" , "fromStatus" : "REMEDIATING" , "toStatus" : "VERIFIED" , "userId" : "auditor_456" , "userRole" : "AUDITOR" , "timestamp" : "2024-03-17T14:30:00Z" , "hash" : "j0k1l2m3..." } ], "createdAt" : "2024-03-15T10:30:00Z" , "resolvedAt" : "2024-03-17T14:30:00Z" , "timeToResolution" : "48 hours" }
List All Incidents curl "https://api.continum.co/evidence/incidents?status=INVESTIGATING" \ -H "x-continum-key: co_your_api_key_here"
Filter by:
status: DETECTED, INVESTIGATING, REMEDIATING, VERIFIEDstartDate: Filter by creation dateendDate: Filter by creation date
Time-to-Resolution Continum automatically calculates time-to-resolution:
curl "https://api.continum.co/evidence/incidents/inc_123/time-to-resolution" \ -H "x-continum-key: co_your_api_key_here"
Response:
{ "incidentId" : "inc_123" , "timeToResolutionMs" : 172800000 , "timeToResolutionHours" : 48 , "timeToResolutionDays" : 2 , "detectedAt" : "2024-03-15T10:30:00Z" , "resolvedAt" : "2024-03-17T14:30:00Z" }
Cryptographic Audit Trail Every status change is cryptographically signed:
{ "change" : { "fromStatus" : "INVESTIGATING" , "toStatus" : "REMEDIATING" , "userId" : "compliance_officer_123" , "timestamp" : "2024-03-16T09:00:00Z" , "hash" : "SHA256(fromStatus + toStatus + userId + timestamp + previousHash)" } }
This creates an immutable audit trail where any tampering is immediately detectable.
Incident Notifications Configure notifications for incident events:
Email Notifications { "notificationConfig" : { "email" : { "enabled" : true , "recipients" : [ "compliance@company.com" ], "events" : [ "INCIDENT_CREATED" , "INCIDENT_VERIFIED" ] } } }
Webhook Notifications { "notificationConfig" : { "webhook" : { "enabled" : true , "url" : "https://your-app.com/webhook" , "events" : [ "INCIDENT_CREATED" , "INCIDENT_STATUS_CHANGED" ] } } }
Dashboard Integration View and manage incidents in the Continum dashboard:
Incident List : All incidents with status and ageIncident Details : Complete audit trailStatus Updates : Update incident status with role verificationTime Metrics : Average time-to-resolutionTrend Analysis : Incident volume over time
Best Practices Response Times Establish clear response time targets:
CRITICAL : Immediate response (< 1 hour)HIGH : Same-day response (< 8 hours)MEDIUM : Weekly reviewLOW : Monthly review
Investigation Process Follow a consistent investigation process:
Acknowledge : Assign to compliance officerAnalyze : Review signal details and contextIdentify : Determine root causeRemediate : Implement fixVerify : Independent verification by auditorDocument : Record findings and actions
Segregation of Duties Maintain clear role separation:
Different people for investigation and verification
Document role assignments
Audit role compliance
Regular role reviews
Documentation Document all incident activities:
Investigation findings
Remediation actions
Verification results
Lessons learned
Process improvements
Incident Metrics Track incident metrics for compliance reporting:
Volume Metrics
Total incidents by period
Incidents by risk level
Incidents by violation type
Incident rate trends
Resolution Metrics
Average time-to-resolution
Resolution rate by status
Overdue incidents
Repeat incidents
Compliance Metrics
Segregation of duties compliance
Documentation completeness
Verification rate
Audit trail integrity
Integration with Evidence Packages Incidents are automatically included in evidence packages:
curl -X POST "https://api.continum.co/evidence/packages" \ -H "x-continum-key: co_your_api_key_here" \ -H "Content-Type: application/json" \ -d '{ "framework": "SOC2", "startDate": "2024-01-01T00:00:00Z", "endDate": "2024-12-31T23:59:59Z", "includeIncidents": true }'
Evidence packages include:
Incident summary statistics
Complete incident trails
Time-to-resolution metrics
Segregation of duties verification
Next Steps
Evidence Learn about compliance evidence
API Reference API documentation
Dashboard Manage incidents in dashboard
Evidence Learn about compliance evidence
