Escalation: Triage to broader response
Phase 3 · piece 6 of 7
Who needs to know, and with what context?
Escalation is the triage analyst's most consequential deliverable. The handoff packet is the artifact that determines whether the next tier starts strong or starts from scratch.
What you will get from this chapter
The four pillars
Criteria for escalation
The thresholds that should trigger escalation regardless of who is on shift.
Internal and external protocols
Tier 1 / 2 / 3 responsibilities, plus the external paths (vendor, legal, law-enforcement) when they apply.
Triage vs. incident response
The methodology's sharpest piece of original thinking. The two are different work; the difference matters.
The handoff packet
The structured deliverable Escalation produces. What it contains and why each piece matters.
Why Escalation is its own phase
The handoff is the artifact
The triage analyst's most consequential output is not "we found something." It is the structured packet that lets the next tier act without re-investigating. The packet is the artifact, not the alert.
Triage and IR are different work
Triage frames the puzzle. IR completes it. Confusing the two leads to either premature escalation (IR doing triage's job) or delayed escalation (triage trying to do IR's). Escalation is the phase where the analyst decides which work this is.
Criteria beat judgment under pressure
Pre-defined escalation criteria prevent the case where a stressed analyst hesitates on something that should have escalated five minutes ago. Criteria are the SOC's collective judgment encoded ahead of time.
External paths exist
Sometimes the escalation goes to a vendor, to legal, to law enforcement, to a parent company's SOC, or to the customer. Escalation is the phase that knows which path applies and when.