A · S · S · U · R · E · D

Triage with confidence. Assemble the puzzle.

ASSURED is a structured, repeatable methodology for security event triage. Each alert is its own puzzle, and the analyst's job is to assemble just enough of the picture to know what they are looking at and what to do next. Seven components, three phases, one consistent way to work.

Illustration: seven puzzle pieces labeled A, S, S, U, R, E, D fly in from scattered positions and lock together edge-to-edge.

Why this exists

Most frameworks tell you what to do after you already know what you are looking at.

ASSURED is about the step before that. Event triage is a distinct skill, separate from the broader incident response work it feeds into, and until now it did not have a dedicated method that analysts could learn, teach, and refine.

A method for the first 30 minutes

NIST, SANS PICERL, and MITRE ATT&CK describe a complete response once you already have the picture. ASSURED gives you a repeatable way to *build* that picture, alert by alert, in the critical window before an incident is declared.

Built for mentees and seasoned analysts

Every chapter pairs a concept with the questions a triage analyst should ask and the artifacts they should leave behind. Junior analysts get scaffolding to lean on while their instincts develop. Senior analysts get a checklist that travels with the handoff.

Triage is not strictly linear

ASSURED's seven components have a default order, but feedback loops back to earlier phases are explicit. Risk findings send you back to Uncover. Uncover surfaces new Subjects. The methodology embraces that flow rather than pretending triage is an assembly line.

Explore the methodology

Seven letters. Many questions. One method.

Each phase has an anchor question that frames the work, and a structured set of supporting questions underneath. Read in order, or jump to the phase you need.

A

Alert

Understand detection logic, validate the signal, parse alert metadata into something an analyst can act on.

  • Detection mechanisms: signature, anomaly, rule, behavioral
  • Validation across technical, environmental, intelligence, and business dimensions
  • Parsing command lines, process trees, network activity, file system, schema

S

Subject

Identify the who. Any entity that authenticated or acted: user, robot account, EC2 instance, cloud role, service.

  • The four dimensions: authentication, authorization, behavior, relationships
  • Entity types: users, endpoints, services, identifiers
  • Insider analysis and the Insider Threat Matrix

S

Scope

Decide where the lines are. Time windows, entities in play, regulatory boundaries. Without scope, investigations sprawl.

  • Regulatory requirements: GDPR, CCPA, HIPAA, PCI DSS, SOX
  • Time-based parameters and historical windows
  • Entity-based scope and dependency tracing

U

Uncover

Pull the evidence. Correlate endpoint, network, identity, and cloud telemetry to find root cause.

  • Data sources for evidence gathering
  • Threat intelligence: tiers, validation, scoring
  • MITRE ATT&CK: tactics, techniques, procedures

R

Risk

Decide how bad. Asset criticality, attacker sophistication, business impact, likelihood. Risk turns evidence into priority.

  • Risk-based alert triage matrix
  • Impact, likelihood, and actor sophistication
  • The value of investigating a false positive

E

Escalation

Hand it off cleanly. The triage analyst's deliverable is the handoff packet: context, evidence, and a recommendation.

  • Criteria for escalation
  • Internal and external protocols
  • Event triage vs. incident response

D

Documentation

Close the loop. Decisions, evidence, and reasoning so the next analyst and the auditor can replay your thinking.

  • Standards for consistency
  • Templates for efficient recording
  • Documentation pitfalls and how to avoid them

Ready to begin?

Read the introduction for the full picture, or jump straight into Alert, the first piece of the puzzle.