Inspiration

Under the EU's Digital Operational Resilience Act (DORA), a financial entity that suffers a major ICT incident has just 4 hours to file an early-warning report with its regulator. Done by hand it takes ~47 minutes — and the clock starts at detection. We wanted an agent that does it in ~90 seconds, without removing the human.

What it does

When Dynatrace detects an incident, DynaCompliance:

  1. Collects the incident data, affected services, and Davis AI root cause from Dynatrace.
  2. Classifies it against DORA Article 18 major-incident thresholds — deterministically, so the verdict is auditable.
  3. Explains & drafts with Gemini 3: a plain-language rationale and an EBA-template Article 19 early-warning notice.
  4. Schedules the 4h / 72h / 1-month deadlines, anchored on detection.
  5. Proposes writing the classification back to Dynatrace and filing — and waits for a human to approve, signing every approval into an audit ledger.

How we built it

  • Gemini 3 (gemini-3-flash-preview) for the rationale and EBA drafting.
  • Google Cloud Agent Builder / ADK (@google/adk): an LlmAgent + Runner drive the agent loop at POST /api/classify-agent — the one path where all three required techs run in a single agent invocation.
  • Dynatrace MCP (@dynatrace-oss/dynatrace-mcp-server) exposed as an MCPToolset over stdio — 20 live tools; the response returns mcp_tools_called as proof the MCP server actually ran.
  • A deterministic DORA classifier keeps the legal thresholds in code (the LLM never invents them), with a test suite.
  • Human-in-the-loop: /api/execute rejects any write without an identified approver and writes a signed, append-only audit ledger.
  • Hosted on Cloud Run (Node 24); one src/app.js also runs as a Vercel function. UI designed in Google Stitch. No competing AI/cloud services — Google + Dynatrace only.
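
The approval gate and signed, append-only ledger from the human-in-the-loop item, as an added example (not DynaCompliance's own code): each approval is HMAC-signed and chained to the previous entry's MAC, so an edited, reordered or removed entry fails verification. The function names, entry fields and key handling are assumptions; the page does not say how its ledger is signed.

```javascript
// Added example, not DynaCompliance code: entry fields and key handling are assumptions.
const nodeCrypto = require('node:crypto');
const GENESIS = '0'.repeat(64); // "previous MAC" of the first entry

// Fixed field order so signer and verifier always hash identical bytes.
function canonical(e) {
  return JSON.stringify([e.seq, e.ts, e.approver, e.action, e.incidentId, e.prev]);
}

function sign(key, e) {
  return nodeCrypto.createHmac('sha256', key).update(canonical(e)).digest('hex');
}

// Reject any write without an identified approver, then chain and sign the entry.
function appendApproval(ledger, key, { approver, action, incidentId, ts }) {
  if (typeof approver !== 'string' || approver.trim() === '') {
    throw new Error('write rejected: no identified approver');
  }
  const prev = ledger.length ? ledger[ledger.length - 1].mac : GENESIS;
  const entry = { seq: ledger.length, ts, approver: approver.trim(), action, incidentId, prev };
  entry.mac = sign(key, entry);
  ledger.push(Object.freeze(entry));
  return entry;
}

// Returns the index of the first entry that fails verification, or -1 if intact.
function verifyLedger(ledger, key) {
  let prev = GENESIS;
  for (let i = 0; i < ledger.length; i++) {
    const e = ledger[i];
    const expected = Buffer.from(sign(key, e), 'hex');
    const actual = Buffer.from(String(e.mac), 'hex');
    const macOk = actual.length === expected.length && nodeCrypto.timingSafeEqual(actual, expected);
    if (e.seq !== i || e.prev !== prev || !macOk) return i;
    prev = e.mac;
  }
  return -1;
}

// Constructed sample data; a real key would come from a secret store.
function demo() {
  const key = Buffer.from('constructed-demo-key');
  const ledger = [];
  appendApproval(ledger, key, { approver: 'alice@example.test', action: 'file_early_warning', incidentId: 'INC-EXAMPLE-1', ts: '2025-01-01T00:00:00Z' });
  appendApproval(ledger, key, { approver: 'bob@example.test', action: 'writeback_classification', incidentId: 'INC-EXAMPLE-1', ts: '2025-01-01T00:01:00Z' });
  const intact = verifyLedger(ledger, key);
  ledger[0] = { ...ledger[0], approver: 'mallory@example.test' }; // after-the-fact edit
  return { intact, afterTamper: verifyLedger(ledger, key) };
}
console.log(demo());
```

The chain alone cannot reveal entries truncated from the tail, so the latest MAC and entry count should also be recorded somewhere the ledger writer cannot modify.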

Challenges we ran into

  • Making all three technologies genuinely execute at runtime — not just appear in a config file.
  • The real Dynatrace MCP package, its tool names, and its Platform-token auth model differ from the obvious guess.
  • The MCP server needs Node 22+ (it bundles an undici that calls webidl.util.markAsUncloneable); our node:20 container crashed on startup until we moved to Node 24.
  • Cloud Run's read-only filesystem: the MCP subprocess had to be spawned with HOME=/tmp and telemetry off, or it crashed.

Accomplishments that we're proud of

A live, deployed agent where all three required technologies are provable at runtime — verify at /health (gemini_live, partner_mcp_connected with 20 tools, agent_builder) — with a defensible deterministic classification and a real human-approval + signed audit trail a regulator would recognize.

What we learned

DORA's reporting mechanics are subtle (the 4-hour clock's true anchor is classification as major — we ship a conservative detection-time model and say so honestly). "Agentic" only counts when the tools actually fire, so we return tool-call receipts. And MCP is operationally sharp: package identity, auth model, Node version, and container filesystem all matter before an agent can use it.

What's next for DynaCompliance

Map real Dynatrace business metrics via DQL so live verdicts are as rich as the demo; wire a real EBA/DNB submission channel behind the approval gate; and tighten the clock to DORA's formal "classification-as-major" anchor.
