{
  "map": "prompt-injection-defense-incident-map",
  "steps": [
    {"step": "detect", "owner": "security", "evidence": "scenario failure or runtime signal"},
    {"step": "contain", "owner": "platform", "evidence": "tool disabled source removed or route blocked"},
    {"step": "assess", "owner": "risk", "evidence": "affected users data and actions"},
    {"step": "remediate", "owner": "service_owner", "evidence": "control fix and regression test"},
    {"step": "postmortem", "owner": "operations", "evidence": "runbook and monitoring update"}
  ]
}