Definition · Proof of Fix
What is proof of fix?
A runbook that ran is not a fix that landed. Proof of fix is the practice of observably confirming that a remediation actually closed the exposure — with evidence a human or auditor can replay. This is the working definition, and its place as the Verify stage of the DARV loop.
Last updated
The short answer
Proof of fix is verified remediation: observable, replayable evidence that a change closed the exposure it targeted — the alert cleared, the vulnerable path is gone, the blast radius is contained, and no regression was introduced. It is the difference between "the runbook executed" and "the problem is actually resolved." In AgenticOps, proof of fix is produced by the Verify stage of the DARV loop, where an agent re-checks its own remediation against the original signal before closing the incident.
Why does proof of fix matter in 2026?
As autonomous agents take remediation actions in production, "the automation ran" stops being evidence that anything got fixed. Proof of fix is what keeps graduated autonomy honest: without an observable Verify step, an agent can confidently close an incident that is still open, and no one notices until it re-pages.
The failure mode is specific and common. A runbook restarts a service, scales a node group, or rotates a credential; the command exits zero; the incident auto-closes. But the underlying exposure — a leaked secret still valid, a misconfigured security group still open, a memory leak still climbing — is untouched. Exit-zero is proof the command ran, not proof the problem is gone. Proof of fix demands the second check.
This gap widens exactly as autonomy increases. A human operator who runs a fix instinctively glances back at the dashboard; an agent operating at L3–L4 will not, unless verification is an explicit, non-skippable stage. Proof of fix turns that instinct into a contract: no incident closes until the original signal is observably cleared and a regression check passes.
How is proof of fix produced?
Proof of fix is generated by re-running detection against the post-remediation state and comparing it to the pre-remediation baseline. The agent does not trust the action; it re-measures the world. Three things must be true: the original signal is gone, the intended change is present, and nothing adjacent regressed.
Concretely, the Verify stage captures a pre-fix snapshot (the failing metric, the open finding, the erroring endpoint), applies the remediation inside a sandboxed execution environment under brokered credentials, then re-queries the same signal path. The remediation is only accepted if the exposure is observably closed against the same detector that raised it — closing the loop against the same evidence that opened it, not a proxy.
The output is a tamper-evident receipt: what was wrong, what changed, the before/after evidence, and the regression checks that passed. Any sensitive values in that evidence are run through deterministic tokenization before they leave the environment, so the proof is auditable without leaking production data. That receipt is what an engineer on the loop reviews — and what an auditor can replay months later.
How does proof of fix fit the DARV loop and graduated autonomy?
DARV is Detect, Analyze, Remediate, Verify. Proof of fix is the Verify stage made concrete — the point where the loop refuses to close on faith. Under graduated autonomy, Verify is also the trust meter: an agent earns higher autonomy by accumulating a track record of remediations that verified clean.
The four stages compound. Detect finds the exposure, Analyze reasons about root cause, Remediate applies the change, and Verify proves it landed. Skipping Verify collapses the loop back into fire-and-forget automation — the thing AgenticOps exists to replace. Proof of fix is what makes the "V" load-bearing rather than decorative.
It also drives promotion across autonomy levels. At L1–L2, a human reviews every proof of fix before close. At L3, the agent closes incidents whose verification passes cleanly and escalates the ones that do not. At L4, verification runs continuously and the human is on the loop for exceptions. In every case the receipt is the same artifact — graduated autonomy changes who reads it, not whether it exists.
Runbook automation vs verified remediation (proof of fix)
Both run a remediation. Only one proves it worked. The difference is whether the loop re-measures reality before it closes the incident.
| Dimension | Runbook automation | Verified remediation (proof of fix) |
|---|---|---|
| Definition of done | The command exited zero | The original signal is observably cleared |
| Evidence produced | A run log | Before/after snapshot plus regression checks |
| Catches a silent no-op | No — exit code hides it | Yes — re-detection still fires |
| Auditability | Log, often unstructured | Tamper-evident, replayable receipt |
| Safe under high autonomy | No — no self-check before close | Yes — close is gated on verification |
How to adopt proof of fix
You do not need a new platform to start proving fixes. You need to make verification a stage, not an afterthought — one remediation at a time.
Step 1
Define "closed" as a re-detection, not an exit code
For your top runbooks, write down the exact signal that must clear for the incident to count as fixed — the metric threshold, the finding that must disappear, the endpoint that must return healthy. This becomes the verification query the loop runs after remediation.
Step 2
Snapshot before, re-measure after
Capture the pre-fix state, apply the change, then re-run the same detector against the post-fix state. Accept the remediation only if the exposure is gone and a regression check passes. If it does not verify, the incident stays open and escalates — it does not silently close.
Step 3
Emit a receipt and let autonomy graduate on it
Every verified fix should leave a tamper-evident receipt: what was wrong, what changed, before/after evidence, checks passed. Review them at first. As a runbook accumulates clean verifications, promote it up the autonomy ladder — the proof of fix track record is the promotion criterion.
Frequently asked questions
- What is the difference between proof of fix and runbook automation?
- Runbook automation confirms a remediation ran — the command exited zero. Proof of fix confirms the remediation worked — the original exposure is observably closed when you re-run detection against it. Automation trusts the action; proof of fix re-measures reality. The gap between them is where silent no-ops and re-pages live.
- Is proof of fix the same as the Verify stage of the DARV loop?
- Yes — proof of fix is the Verify stage of DARV (Detect, Analyze, Remediate, Verify) made concrete. Verify is where the loop re-checks its own remediation against the original signal before closing the incident. Proof of fix is the evidence that stage produces: a replayable receipt showing the exposure is gone and nothing regressed.
- Why does proof of fix matter more as agents get more autonomous?
- A human operator instinctively glances back at the dashboard after running a fix; an autonomous agent will not, unless verification is an explicit, non-skippable stage. As agents operate at higher autonomy levels, "the automation ran" stops being evidence that anything got fixed. Proof of fix is the contract that keeps graduated autonomy honest: no incident closes until the exposure is observably cleared.
- How does CloudThinker produce proof of fix?
- CloudThinker runs remediation inside a sandboxed environment under brokered, scoped credentials, then re-runs the same detector that raised the incident against the post-fix state. It accepts the fix only if the exposure is closed and regression checks pass, then writes a tamper-evident receipt — before/after evidence with sensitive values deterministically tokenized. That receipt is what an engineer on the loop reviews and what an auditor can replay.
- Can proof of fix be audited without leaking production data?
- Yes. The before/after evidence in a proof-of-fix receipt is run through deterministic tokenization before it leaves the execution environment, so any secrets, PII, or sensitive identifiers are replaced with stable tokens. The receipt stays fully replayable and comparable across incidents, but the raw production values never reach the audit log — which keeps verified remediation compatible with SOC 2, GDPR, and Vietnam Decree 13.
Put Proof of Fix into operation safely
CloudThinker turns the concept into a governed AgenticOps workflow: grounded in your stack, controlled by your policy, and verified after every action.
Related reading
Sources
- incident.io — State of Incident Management 2025 — Runbook automation without verification leaves teams unsure whether an auto-closed incident is actually resolved.
- Google SRE Book — Effective Troubleshooting and Postmortems