A · S · S · U · R · E · D

Triage with confidence. Assemble the puzzle.

ASSURED is a structured, repeatable methodology for security event triage. Each alert is its own puzzle, and the analyst's job is to assemble just enough of the picture to know what they are looking at and what to do next. Seven components, three phases, one consistent way to work.

[Figure: the ASSURED methodology, seven puzzle pieces labeled A, S, S, U, R, E, D locking together edge-to-edge.]
Why this exists

Most frameworks tell you what to do after you already know what you are looking at.

ASSURED is about the step before that. Event triage is a distinct skill, separate from the broader incident response work it feeds into, and until now it did not have a dedicated method that analysts could learn, teach, and refine.


Explore the methodology

Seven letters. Many questions. One method.

Each phase has an anchor question that frames the work, and a structured set of supporting questions underneath. Only Alert is fully published right now. The rest are being moved from the source manuscript.

A: Alert

Understand detection logic, validate the signal, parse alert metadata into something an analyst can act on.

  • Detection mechanisms: signature, anomaly, rule, behavioral
  • Validation across technical, environmental, intelligence, and business dimensions
  • Parsing command lines, process trees, network activity, file system, schema

S: Subject (coming soon)

Identify the who. Any entity that authenticated or acted: user, robot account, EC2 instance, cloud role, service.

  • The four dimensions: authentication, authorization, behavior, relationships
  • Entity types: users, endpoints, services, identifiers
  • Insider analysis and the Insider Threat Matrix

S: Scope (coming soon)

Decide where the lines are. Time windows, entities in play, regulatory boundaries. Without scope, investigations sprawl.

  • Regulatory requirements: GDPR, CCPA, HIPAA, PCI-DSS, SOX
  • Time-based parameters and historical windows
  • Entity-based scope and dependency tracing

U: Uncover (coming soon)

Pull the evidence. Correlate endpoint, network, identity, and cloud telemetry to find root cause.

  • Data sources for evidence gathering
  • Threat intelligence: tiers, validation, scoring
  • MITRE ATT&CK: tactics, techniques, procedures

R: Risk (coming soon)

Decide how bad. Asset criticality, attacker sophistication, business impact, likelihood. Risk turns evidence into priority.

  • Risk-based alert triage matrix
  • Impact, likelihood, and actor sophistication
  • The value of investigating a false positive

E: Escalation (coming soon)

Hand it off cleanly. The triage analyst's deliverable is the handoff packet: context, evidence, and a recommendation.

  • Criteria for escalation
  • Internal and external protocols
  • Event triage vs. incident response

D: Documentation (coming soon)

Close the loop. Decisions, evidence, and reasoning so the next analyst and the auditor can replay your thinking.

  • Standards for consistency
  • Templates for efficient recording
  • Documentation pitfalls and how to avoid them

Ready to begin?

Read the introduction for the full picture, or jump straight into Alert, the first piece of the puzzle.