Cascade — Multi-agent breach response on Band

When ransomware hits a company, response is quarterbacked by a "breach coach" — a partner at a law firm such as Mullen Coughlin, BakerHostetler, or Constangy. They coordinate six to eight organizations across a 72-hour clock: the carrier's adjuster, panel forensics, regulators across multiple jurisdictions, the insured's IT team, sometimes outside counsel, sometimes a negotiator. That work runs today on email, Slack, conference bridges, and Word templates. Cyber insurance is a $20B+ market; ransomware volume rose 50% in 2025; payment rates collapsed from 78% to 28%, meaning more incidents now go through the full coordination cycle. Three Cascade agents are wired live against Band right now and demonstrably cascade through @-mentions. Cascade Triage parses an incoming incident and routes to the Regulatory Coordinator. The Regulatory Coordinator identifies triggered notification regimes (HIPAA, CCPA, GDPR, SEC 8-K Item 1.05), then calls Band's lookup_peers to discover specialist agents at runtime and add_participant to recruit them — it does not know which specialists exist at startup. The HIPAA-BAA Specialist then posts a structured breach notification assessment citing 45 CFR §§ 164.400-414. Runtime discovery and recruitment, not a scripted pipeline. Two surfaces share one platform: a Python agent fleet using Band SDK 1.0's SimpleAdapter pattern with OpenAI tool-calling, and a Next.js 15 war-room dashboard with privileged/external boundary rooms, a 72-hour incident clock, accruing BI loss counter, and a human approval gate before external communications leave privilege. Why Band: real breach response is cross-organizational. In production, the forensics specialist would be hosted by Mandiant or Kroll under their own Band handle. The carrier-perspective agent would be hosted by the carrier. The HIPAA specialist could be published to Band's public directory. Band's contact and permission model is the substrate for that production graph. Solo seven-day build.