Resolve AI Agent Security Risks

Platform Operations Agents resolve.ai Humble Providers
AI RISK QUADRANT POSITION DEFENSE CONTROLS (6) ATTACK SURFACE (4.8) EXPOSED GIANTS FORTIFIED LEADERS HUMBLE PROVIDERS TIGHT OPERATORS
AIRQ Score
3.38
Critical
Attack Surface
4.8
Medium
Blast Radius
3.63
Medium
Defense Controls
6
High
About The Agent

Resolve AI is a cloud-hosted platform operations agent that delegates on-call triage, incident investigation, and operational automation to coordinated teams of specialized AI agents. The platform connects to an operator's observability stack, code repositories, cloud infrastructure, and knowledge bases through customer-scoped read-only credentials, with write actions gated behind mandatory human approval. The primary risk surface is the scope of production telemetry and credential access the agent inherits across every connected integration.

About the AI Risk Quadrant

Humble Providers placement reflects an agent whose attack surface is moderate but elevated by the trifecta combination of untrusted telemetry ingestion, sensitive production data access, and external egress through Slack and ticketing channels. Blast radius is constrained by the absence of code execution and the read-only default posture, while defense controls benefit from mandatory write-action approval and customer-isolated deployment. Operators inherit a defensible posture that depends on the strength of credential scoping and redaction configuration.

1 Key Risks

The most critical security risks an operator inherits when deploying this agent in its documented default configuration. The dominant risk concentrations are the absence of input-layer injection defenses, the wide scope of credential access spanning connected production systems, and limited observability into the agent's own reasoning behavior. [2][3]

Key Input Risks
Untrusted content from production telemetry, Slack messages, PagerDuty webhooks, and MCP protocol reaches the reasoning loop without prompt-injection filtering. Auto-investigation on alert channels triggers without per-message content validation, leaving every ingestion path open to adversarial steering through telemetry poisoning or crafted alert content. [1][4][6]
Key Execution Risks
The platform executes read-only API queries across dozens of observability backends, code repositories, and infrastructure control planes with no documented sandbox boundary between investigation logic and tool invocation. Customer-specific VPC deployment is available but the default cloud posture relies on tenant isolation rather than per-query containment. [5][8]
Key Action Risks
The scope of credential access spanning production observability, cloud infrastructure, and code repositories means a compromised investigation could exfiltrate sensitive operational data through read-only queries alone, without ever triggering the write-action approval gate that guards alert silencing and PR creation. [6][7]
Key Output Risks
Investigation findings are shared via Slack and ticketing system updates with regex-based redaction for secrets and PII, but no documented DLP or exfiltration-channel blocking exists to prevent sensitive telemetry fragments from reaching downstream consumers through investigation summaries. [1][10]
Key Monitoring Risks
The Mitigation Activity dashboard provides an audit trail for approved write operations, and SOC 2 Type II certification implies structured event logging, but no documented behavioral anomaly detection or SIEM forwarding covers the agent's own investigation activity, leaving goal-drift and prompt-injection events as a blind spot. [5][6]

2 AIRQ Scores

The four headline scores quantify how exposed the agent is, how damaging a successful attack would be, and how much the agent’s own controls reduce that risk. Scores reflect a well-controlled cloud operations agent whose moderate attack surface is elevated by the trifecta floor, constrained blast radius, and meaningful vendor-implemented defense controls.

AIRQ Metrics

Humble Providers placement means both attack exposure and blast radius fall below the median thresholds, supported by vendor-documented isolation and approval controls that keep the defense investment above the minimum tier.

The composite reflects an agent with moderate ingestion exposure elevated by the trifecta combination, a credential-dominated blast profile constrained by the read-only default, and vendor-shipped approval gates that partially offset the missing input defenses.

Metric Score Comments
AIRQ Score 3.38 Composite reflects moderate exposure tempered by meaningful defense controls and constrained blast radius.
Blast Radius 3.63 / 10 Credential access breadth drives the blast profile upward while the lack of direct code execution and restricted deployment authority hold the composite below the median.
Attack Surface 4.8 / 10 Untrusted telemetry ingestion, sensitive production data access, and external messaging egress combine to push the attack surface above the per-component baseline.
Defense Controls 6 / 15 Vendor-documented write-action approval gates and tenant isolation carry the defense score, with input guardrails as the primary gap.

3 Attack Surface

Attack surfaces are the entry points and interaction patterns through which adversarial input can reach the agent’s reasoning loop and steer its behavior. The dominant exposures are the unfiltered telemetry ingestion pipeline, the multi-agent orchestration surface, and the breadth of authenticated but content-unvalidated input channels.

Attack Surface Metrics

One surface reaches the upper band while the remaining nine sit at the middle or lower tiers, reflecting a platform designed around read-only investigation rather than unrestricted tool execution.

Each row maps a specific entry point to its architectural exposure level and the evidence anchoring that assessment.

Surface Score Comments
User Input 2 / 4 Authenticated channels from Slack, webhooks, MCP, and API accept operator and alert content without prompt-injection filtering or instruction-hierarchy separation. [6][10]
External Data 2 / 4 Production logs, metrics, traces, and alerts are queried live from connected observability platforms with regex-based redaction but no adversarial-content validation. [8][9]
Memory 2 / 4 Investigation summaries persist for continuity and the learning system captures cross-session patterns within customer-specific environments, without documented integrity verification. [6][12]
Reasoning 2 / 4 Multi-step investigation reasoning follows structured hypothesis workflows with inspectable findings, constrained to the declared investigation scope. [5][13]
Planning 2 / 4 Investigation plans decompose into parallel hypotheses with visible evidence chains and explicit approval gating before any remediation action executes. [7][13]
Tool Execution 2 / 4 Tool surface spans dozens of read-only API integrations across observability, infrastructure, and code platforms, with write actions scoped to approved alert silencing and PR creation. [7][9]
Orchestration 3 / 4 Multi-agent teams pursue parallel hypotheses autonomously, always-on background agents trigger on alerts and schedules, and the platform operates as an MCP server for external agent invocation. [11][12][13]
Inter-Agent 2 / 4 Internal multi-agent coordination uses a vendor-managed protocol, while the newly announced MCP server exposes the platform to external agent ecosystems without documented inter-agent authentication. [12][13][14]
Output Processing 1 / 4 Investigation findings are shared via Slack messages and ticketing updates with regex-based credential redaction for secrets and PII tokens. [1][10]
Configuration 1 / 4 Configuration is managed through the vendor UI and Kubernetes YAML for the Satellite proxy, with no auto-loaded project files or community plugin marketplace. [8][9]

The Lethal Trifecta is triggered when an agent processes untrusted content, accesses private data, and communicates externally in the same session — the three conditions that turn an isolated prompt injection into full-chain exfiltration. Resolve AI ingests alert-channel messages and production telemetry that may carry attacker-crafted content, reads infrastructure credentials and operational state across every connected integration, and transmits investigation findings to Slack channels and external ticketing systems without exfiltration-channel gating.

Lethal Trifecta · Complete (3 of 3)

Resolve AI exhibits all three of these conditions in its documented default configuration:

  • Untrusted input — Production logs, metrics, traces, Slack messages, and PagerDuty alert content carry bytes authored by parties outside the operator's direct control. [6][10]
  • Sensitive data — The agent reads production telemetry, code repositories, Kubernetes cluster state, and organizational knowledge bases containing sensitive operational data. [8][9]
  • External egress — Investigation findings transmit to Slack channels and ticketing systems, and telemetry summaries flow from customer environments to the Resolve cloud via the Satellite proxy. [1][10]

4 Blast Radius

The blast radius is what an attacker who controls the agent can reach — which systems they touch, which credentials they read, and which actions they take without operator approval. A compromised investigation inherits read access to credentials stored across every connected observability, infrastructure, and code integration, but the agent cannot execute arbitrary code or directly modify production deployments.

Blast Radius Metrics

Credential access is the dominant blast factor, reaching the upper band while the remaining five factors stay at the middle tier or below, reflecting a platform that reads broadly but writes narrowly.

Each row connects a blast factor to the specific operational capability and credential scope the agent holds on its documented default.

Factor Score Comments
Code execution 0 / 4 The agent does not execute shell commands, run arbitrary code, or invoke interpreters; all operations are API-mediated queries and structured investigation workflows. [6][7]
File system access 1 / 4 Git integration provides read-only access to code repositories; the Satellite reads Kubernetes API state but does not mount or traverse host file systems. [8][9]
Network access 2 / 4 Outbound network access is scoped to configured integration endpoints via customer-provided credentials, with no documented unrestricted HTTP or DNS access. [8][9]
Credential access 3 / 4 The agent operates with customer-provided API keys, OAuth tokens, and service accounts across Datadog, Grafana, PagerDuty, Slack, AWS, GCP, and Git integrations. [1][6]
Autonomous action 2 / 4 Always-on background agents run autonomously on alert triggers and schedules, but all write operations require explicit human approval through a separated execution engine. [7][13]
Deployment access 1 / 4 Git Code Remediation creates pull requests with suggested fixes after human approval, but the agent cannot directly deploy, modify infrastructure, or publish packages. [7][9]

5 Defense Controls

Defense controls are what the agent’s own architecture does to detect, contain, and report attacks before they reach the operator’s systems. The vendor documents meaningful isolation and approval controls on the default configuration, with input guardrails as the primary gap and monitoring limited to write-action auditing.

Defense Controls Metrics

The vendor ships meaningful write-action gating and tenant isolation on the default posture, but the absence of input-layer defenses leaves the agent's reasoning loop exposed to adversarial content in ingested telemetry.

Write-action approval and tenant isolation carry the defense posture while input guardrails and behavioral monitoring represent the primary gaps an operator must fill independently.

Component Score Comments
Input Guardrails 0 / 3 No documented prompt shield, ML-based injection detection, or instruction-hierarchy separation for incoming investigation queries or ingested telemetry content. [1][6]
Execution Isolation 2 / 3 Tenant-level data isolation and the Satellite proxy architecture provide containment on the default posture, with credential isolation and encrypted gRPC channels between the customer environment and the vendor cloud. [5][8]
Action Controls 2 / 3 Every write operation passes through a mandatory approval gate before reaching the separated execution engine; the AI model proposes actions but cannot invoke write APIs on its own, and write permissions must be opted in per integration. [6][7]
Output Guardrails 1 / 3 Regex-based redaction strips PII, secrets, and tokens from investigation outputs; the Satellite applies redaction before data leaves the customer environment. [1][6]
Monitoring 1 / 3 Approved writes are tracked in the Mitigation Activity console, and the compliance program provides evidence of structured audit controls, but no behavioral anomaly detection or SIEM forwarding is documented for investigation-level activity. [5][6]

6 Hardening Tips

Concrete actions an operator can take to reduce the risks reported above, grouped by which defense control each tip strengthens. The highest-leverage changes are deploying input-layer injection detection, restricting credential scope per investigation, and forwarding agent activity logs to the organizational SIEM.

Input Guardrails

Input guardrails intercept adversarial content before it reaches the reasoning loop.

Input Guardrails
  • Policy Require that all Slack channels feeding auto-investigation are restricted to authenticated operators and verified alert sources -- counters User Input exposure from unvalidated messaging channels.
  • Configuration Configure the Satellite redaction rules to strip prompt-injection patterns from ingested log and trace content before it reaches the investigation engine -- counters External Data ingestion without adversarial content validation.
  • Engineering Deploy a prompt-injection classifier between the ingestion pipeline and the reasoning loop to detect and quarantine adversarial instructions embedded in telemetry content -- counters the absence of Input Guardrails at the default posture.

Execution Isolation

Execution isolation contains what a compromised agent can do on the host.

Execution Isolation
  • Policy Mandate customer-specific VPC deployment for all production investigation workloads rather than accepting the shared SaaS default -- counters Execution Isolation reliance on tenant-level containment.
  • Configuration Restrict Satellite namespace access to the minimum required Kubernetes namespaces and disable DNS Tap for environments where network topology is not needed -- counters broad infrastructure visibility on the default Satellite configuration.
  • Engineering Implement per-investigation ephemeral credential issuance with short-lived tokens scoped to the specific observability backends needed for each investigation -- counters credential blast radius across all connected integrations.

Action Controls

Action controls govern which tools and actions the agent can invoke autonomously.

Action Controls
  • Policy Establish a two-person approval policy for all mitigation actions in production environments, requiring a second reviewer before any alert silence or PR creation executes -- counters autonomous action scope with single-approver gates.
  • Configuration Disable write permissions on all integrations by default and enable them only for specific, pre-approved integration instances with documented justification -- counters deployment-wide write-permission enablement.
  • Engineering Build a webhook-based approval workflow that routes mitigation proposals to a dedicated security channel with automatic expiration if not approved within a defined window -- counters indefinite approval availability.

Output Guardrails

Output guardrails inspect what the agent sends to other systems and users.

Output Guardrails
  • Policy Define a data classification policy that restricts which telemetry fields may appear in Slack investigation summaries, blocking production secrets and customer PII from reaching messaging channels -- counters Output Processing exposure through investigation findings.
  • Configuration Extend the Satellite redaction configuration to cover additional sensitive patterns specific to the organization's telemetry schema beyond the default PII and token patterns -- counters Output Guardrails limited to generic regex patterns.
  • Engineering Deploy a DLP gateway between the investigation output pipeline and downstream Slack and ticketing integrations to inspect and block sensitive data before it leaves the platform boundary -- counters the absence of exfiltration-channel blocking.

Monitoring

Monitoring captures what the agent did and surfaces anomalies for review.

Monitoring
  • Policy Require that all Resolve AI investigation activity logs are forwarded to the organizational SIEM with a defined retention period and alerting rules for anomalous investigation patterns -- counters Monitoring limited to write-action auditing.
  • Configuration Enable verbose investigation logging and configure alerts for investigations that access an unusually high number of integrations or query sensitive namespaces outside normal patterns -- counters behavioral blind spots in the default monitoring posture.
  • Engineering Instrument the investigation pipeline with OpenTelemetry traces that capture per-step tool invocations, credential usage, and reasoning chain decisions for export to the organizational observability stack -- counters the absence of agent behavioral anomaly detection.

7 References

The evidence base behind every score and finding in the profile, grouped by source type so the reader can verify any claim. Numbers in brackets throughout the report (e.g. [7, 13]) refer to entries below, listed in citation order.

Selected Vulnerabilities

  1. Resolve AI Security Documentation Vendor security FAQ documents vulnerability SLAs with severity-based triage and fixes plus read-only defaults and human approval for writes

Selected Research

  1. OWASP Top 10 for Agentic Applications Peer-reviewed framework identifies critical agentic security risks including goal hijack and tool misuse applicable to platform operations agents
  2. Azure SRE Agent Tenant Isolation Failure Security research documents CVE-2026-32173 where a comparable cloud operations agent broadcast privileged data to unauthorized tenants
  3. Telemetry Poisoning Against AIOps Agents Research demonstrates how attackers poison application telemetry to steer LLM-driven AIOps agents into harmful remediations

Vendor Documentation

  1. Resolve AI Trust and Security Vendor trust page documents SOC 2 Type II certification and HIPAA and GDPR compliance with Satellite gateway and SSO and RBAC controls
  2. Resolve AI Mitigation Actions Vendor documents the separated execution engine where the AI model generates proposals but cannot call write APIs directly
  3. Resolve Satellite Architecture Vendor documents the containerized proxy within customer infrastructure providing read-only Kubernetes monitoring and credential isolation
  4. Resolve AI Integration Guide Vendor documents integration setup covering observability and code and infrastructure and knowledge and chat types with customer-scoped credentials
  5. Resolve AI Slack App Vendor documents Slack integration including auto-investigation on alert channels and investigation updates in threads
  6. Resolve AI Privacy Policy Vendor privacy policy documents data collection and retention and deletion practices with GDPR rights
  7. Resolve AI SRE Product Page Vendor product page documents multi-agent investigation teams and always-on background agents and parallel hypothesis architecture

Other Sources

  1. Resolve AI Platform Expansion Coverage Technology coverage documents the multi-agent investigation architecture and always-on background agents and MCP server availability
  2. Resolve AI Always-On Agents Announcement Vendor announcement documents always-on background agents and new investigation architecture with parallel hypothesis testing
  3. AI Ops Agents as Attack Surface Industry analysis maps OWASP Agentic Top 10 risks to operations agent deployments covering tool poisoning and identity abuse