Hiro can propose and execute remediation actions across your connected integrations. All high-impact actions require explicit approval, ensuring you maintain full control over your security response.

How Remediation Works

When Hiro identifies a threat, it:
  1. Analyzes the situation — Correlates evidence from multiple sources
  2. Determines appropriate actions — Based on threat type and severity
  3. Calculates confidence — How certain it is the action is warranted
  4. Proposes the action — Presents it for your review
  5. Awaits approval — Executes only after you confirm
  6. Logs the result — Maintains a complete audit trail
Hiro will never execute a destructive action without explicit approval. You always see what will happen before it happens.

Approval Levels

Hiro uses a tiered approval system:

No Approval Required

Read-only operations that don’t modify state:
  • Querying logs and events
  • Listing users, groups, and resources
  • Reading configuration
  • Fetching audit trails

Approval Required

Actions that modify state or could impact users require explicit approval before execution. Both Admin and Member roles can approve actions in Hiro.

Available Actions by Integration

Okta

| Action | Description | Approval Level |
| --- | --- | --- |
| Clear user sessions | Force re-authentication | Standard |
| Expire password | Require password reset | Standard |
| Suspend user | Lock out of all SSO apps | Elevated |
| Unsuspend user | Restore access | Elevated |
| Deactivate user | Permanently remove access | Critical |
| Reset MFA factors | Clear enrolled factors | Standard |

Example proposal:
PROPOSED ACTION: Suspend Okta User
─────────────────────────────────
Target: john@company.com
Reason: Account compromise detected
Evidence:
  • Login from Tor exit node (185.220.101.1)
  • Session created from previously unseen device
  • Unusual app access pattern (7 apps in 2 minutes)
Confidence: High (88%)
Impact: User will be locked out of all SSO applications

[Approve]  [Reject]  [More Info]

AWS

| Action | Description | Approval Level |
| --- | --- | --- |
| Deactivate access key | Disable API access | Standard |
| Delete access key | Remove API credentials | Elevated |
| Detach admin policies | Remove AdministratorAccess, PowerUserAccess, IAMFullAccess | Elevated |
| Terminate EC2 instance | Stop and remove instance | Critical |
| Delete IAM user | Remove AWS identity | Critical |
| Revoke IAM role sessions | Invalidate assumed roles | Elevated |
| Quarantine security group | Isolate network access | Elevated |

CrowdStrike

| Action | Description | Approval Level |
| --- | --- | --- |
| Contain host | Network-isolate endpoint | Elevated |
| Lift containment | Restore network access | Elevated |
| RTR session | Start remote response | Elevated |

GitHub

| Action | Description | Approval Level |
| --- | --- | --- |
| Revoke user tokens | Invalidate access tokens | Standard |
| Remove collaborator | Remove repo access | Elevated |
| Disable user | Block organization access | Critical |

Google Workspace

| Action | Description | Approval Level |
| --- | --- | --- |
| Sign out user | End all sessions | Standard |
| Suspend user | Block Workspace access | Elevated |
| Wipe device | Remote wipe managed device | Critical |

Slack

| Action | Description | Approval Level |
| --- | --- | --- |
| Deactivate user | Remove Slack access | Elevated |
| End sessions | Force re-authentication | Standard |

Confidence Scores

Hiro provides confidence scores for proposed actions:

| Score | Meaning | Recommendation |
| --- | --- | --- |
| High (80%+) | Strong evidence supports action | Review briefly, approve if appropriate |
| Medium (50–80%) | Reasonable evidence | Review carefully, consider alternatives |
| Low (below 50%) | Limited evidence | Investigate further before approving |

Confidence scores are based on the quantity and quality of evidence, consistency across sources, and historical patterns.

The Approval Interface

When Hiro proposes an action, you’ll see:

Action Details

  • What: The specific action to be taken
  • Target: The affected user, resource, or system
  • Why: Reason for the recommendation
  • Evidence: Supporting findings with timestamps
  • Confidence: How certain Hiro is
  • Impact: What will happen when executed

Available Responses

| Response | Effect |
| --- | --- |
| Approve | Execute the action immediately |
| Reject | Skip this action, continue investigation |
| More Info | Ask Hiro for additional context |
| Defer | Save for later review |

Manual Instructions

When an integration doesn’t support API-based remediation, Hiro provides manual instructions:
MANUAL ACTION REQUIRED
─────────────────────
Hiro cannot automatically suspend users in your Okta configuration.

To suspend john@company.com manually:
1. Log in to Okta Admin Console
2. Navigate to Directory > People
3. Search for "john@company.com"
4. Click the user, then Actions > Suspend
5. Confirm the suspension

Once complete, mark this action as done in Hiro.

[Mark as Complete]  [Need Help]

Audit Trail

Every action (proposed, approved, rejected, executed) is logged:
ACTION AUDIT LOG
────────────────
2024-01-15 14:32:15 | PROPOSED | Suspend Okta user john@company.com
2024-01-15 14:32:45 | APPROVED | by admin@company.com
2024-01-15 14:32:46 | EXECUTED | Okta API returned success
2024-01-15 14:32:47 | VERIFIED | User status confirmed as SUSPENDED
Access the full audit trail in Settings > Audit Log or export from any Fight Mode session.
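
An added example, not Hiro's own code: a small checker that reads an exported audit trail and flags any action that was executed without a prior approval, or executed but never verified. It assumes the export is plain text in the line format shown above and that each action's entries follow its PROPOSED line; the function names are hypothetical.

```python
from datetime import datetime

# First four lines are the sample from this page; the rest are constructed.
SAMPLE_LOG = """\
2024-01-15 14:32:15 | PROPOSED | Suspend Okta user john@company.com
2024-01-15 14:32:45 | APPROVED | by admin@company.com
2024-01-15 14:32:46 | EXECUTED | Okta API returned success
2024-01-15 14:32:47 | VERIFIED | User status confirmed as SUSPENDED
2024-01-15 15:01:02 | PROPOSED | Deactivate AWS access key
2024-01-15 15:01:03 | EXECUTED | AWS API returned success
2024-01-15 15:20:10 | PROPOSED | Contain CrowdStrike host
2024-01-15 15:21:00 | APPROVED | by admin@company.com
2024-01-15 15:21:01 | EXECUTED | CrowdStrike API returned success
"""

def parse_line(line):  # 'timestamp | STATE | detail'; ValueError if malformed
    ts, state, detail = (part.strip() for part in line.split("|", 2))
    return datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), state, detail

def audit_findings(log_text):
    """Return (subject, problem) pairs for entries that break the workflow."""
    actions, findings = [], []
    for line in filter(None, (l.strip() for l in log_text.splitlines())):
        try:
            ts, state, detail = parse_line(line)
        except ValueError:
            findings.append((line, "unparseable line"))
            continue
        if state == "PROPOSED":  # assumption: PROPOSED opens a new action
            actions.append({"name": detail, "events": []})
        elif not actions:
            findings.append((line, "event before any PROPOSED entry"))
            continue
        actions[-1]["events"].append((ts, state))
    for act in actions:
        times = [t for t, _ in act["events"]]
        states = [s for _, s in act["events"]]
        if times != sorted(times):
            findings.append((act["name"], "timestamps out of order"))
        if "EXECUTED" in states:
            i = states.index("EXECUTED")
            if "APPROVED" not in states[:i]:
                findings.append((act["name"], "executed without approval"))
            if "VERIFIED" not in states[i:]:
                findings.append((act["name"], "executed but not verified"))
    return findings

if __name__ == "__main__":
    print(*audit_findings(SAMPLE_LOG), sep="\n")
```
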

Rollback and Recovery

Some actions support rollback:

| Action | Rollback |
| --- | --- |
| Suspend Okta user | Unsuspend user |
| Contain CrowdStrike host | Lift containment |
| Deactivate AWS access key | Reactivate key |
| Terminate EC2 instance | Not reversible |
| Delete IAM user | Not reversible |

Destructive actions (delete, terminate) cannot be rolled back. Hiro will warn you before proposing irreversible actions.

Best Practices

Review Evidence Before Approving

Even with high confidence, take a moment to understand why Hiro is recommending an action.

Start with Reversible Actions

When possible, prefer suspending over deleting, containing over terminating.

Document Your Decisions

Use the notes feature to record why you approved or rejected an action.

Verify After Execution

Hiro verifies actions automatically, but you can also confirm manually.

Next Steps

Fight Mode

Use remediation in continuous threat hunting.

Integrations

Connect more systems for broader remediation coverage.