Criteria for escalation

Four canonical categories


✅ Confirmed malicious activity

Escalation is warranted when definitive evidence ties the event to attacker behavior. Confirmed malicious activity reflects intentional use of tactics, techniques, and procedures aligned with known threat actors or campaigns.

Verified malicious infrastructure

IP addresses or domains associated with known command-and-control servers, phishing sites, or other malicious infrastructure documented in threat-intelligence sources.

Malware indicators

File hashes matching malware or unauthorized tools documented in threat-intelligence databases, with verified malicious functionality.

Exploitation evidence

Execution of attacker tools or exploits consistent with known malware families or attacker profiles, showing intentional compromise.

MITRE ATT&CK correlation

Use of techniques mapped to MITRE ATT&CK categories such as privilege escalation, persistence, or defense evasion. The framework gives the activity structured context.


💎 High impact / business-critical systems affected

When an event affects systems essential to operations, regulatory compliance, or sensitive-data protection, escalation must be immediate and comprehensive. Business-critical systems support mission-critical services, store regulated data, or perform functions whose disruption could cause substantial operational, financial, or reputational harm.

🏭 Production environments

Systems directly impacting revenue generation or customer experience. Compromise can result in service degradation, financial losses, and customer dissatisfaction.

📋 Regulated data repositories

Databases containing PII, PHI, or payment card data. These require heightened scrutiny because a compromise can mean compliance violations and mandatory breach reporting under GDPR, HIPAA, PCI DSS, or SOX.

☁️ Cloud infrastructure

Cloud environments hosting critical workloads, particularly those with privileged access or extensive connections to organizational data.

🔑 Identity and access systems

Identity providers (IdPs), authentication services, VPNs. Compromise here could impact the entire organization’s secure-access infrastructure, enabling widespread unauthorized access.


↔️ Lateral movement or data exfiltration detected

The detection of lateral movement (adversary traversal from the initial-access host to other hosts inside the environment, often piggybacking on legitimate authentication) or data exfiltration (the unauthorized transfer of data to an external location or system) signifies an advanced stage of compromise. Attackers leveraging lateral movement expand control beyond the initially compromised host, and each hop expands the blast radius. Data exfiltration indicates intent to steal information with regulatory and business consequences.

Stages of compromise

01

Initial compromise

Attacker gains foothold on a single system. Triage usually starts here.

02

Internal reconnaissance

Discovery of additional network resources. Often the earliest expansion signal.

03

Lateral movement

Expansion to additional systems. Blast radius now exceeds triage capacity.

04

Data exfiltration

Extraction of valuable information. Regulatory clocks may already be running.

Lateral-movement signs that demand immediate escalation
  • Unauthorized access to multiple endpoints or servers beyond the initial compromise.
  • Credential dumping (T1003) followed by credential-use techniques such as pass-the-hash (T1550.002) or pass-the-ticket (T1550.003). Dumping extracts the NTLM hash or Kerberos ticket (TGT or TGS) from a compromised host's memory or files; pass-the-hash/ticket is the subsequent use of the stolen material to authenticate as that identity against other hosts, without ever needing the plaintext password. Both stages on the same case are a strong escalation signal.
  • Internal reconnaissance via PowerShell, WMI, or PsExec to gather network topology.
  • Suspicious lateral connections at unusual hours or from unexpected source systems.
  • Tunneling mechanisms designed to hide communication between compromised hosts.
  • Large data transfers to external destinations, especially when encrypted or obfuscated.

Escalation enables network segmentation, credential rotation, and endpoint isolation. The presence of these techniques demonstrates attacker sophistication and intent that extends beyond opportunistic exploitation to targeted data theft or persistent access.


🌐 Ongoing or widespread attack campaign

Attack campaigns requiring rapid escalation indicate sustained adversary presence or coordinated efforts targeting multiple assets. Early recognition allows organizational-level response and deployment of enhanced defensive measures.

Related alerts across systems

Multiple alerts showing similar IOCs or attack techniques across different systems or locations within a short timeframe suggest coordination by a single threat actor or group.

Coordinated attack patterns

Distributed phishing campaigns, simultaneous ransomware deployment attempts, or waves of brute force suggest orchestrated activity using sophisticated infrastructure designed for scale.

Evasive techniques

Polymorphic malware or rapidly evolving techniques suggest adversaries actively modifying their approach to bypass controls. Adaptive threats require equally adaptive response.

Threat intelligence context

External intel feeds correlating local detections with known campaigns targeting your industry or region. Contextual alignment substantially increases risk profile and response urgency.
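As an added example (not code from this page or its authors), the small Python evaluator below encodes four of the escalation signals described above: an intel match on an observed IOC (confirmed malicious activity), a hit on a business-critical asset, credential dumping followed by pass-the-hash/ticket within the same case (the lateral-movement sign), and the same IOC appearing on several hosts within a short window (the related-alerts campaign signal). The intel set, asset tags and alerts are constructed; the one-hour window and three-host threshold are assumed values, not from the page.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed threat-intel set for the example: reserved documentation values
# (TEST-NET-3 address, .example domain), not real indicators.
KNOWN_BAD_IOCS = {"203.0.113.45", "c2.example"}

# Hypothetical asset-inventory tags mapping hosts to the business-critical classes above.
CRITICAL_ASSETS = {
    "idp-01": "Identity and access systems",
    "pci-db-01": "Regulated data repositories",
}

# ATT&CK ids from the page: dumping (T1003.*) followed by pass-the-hash/ticket.
CRED_DUMP_PREFIX = "T1003"
CRED_USE = {"T1550.002", "T1550.003"}


@dataclass
class Alert:
    ts: datetime
    host: str
    case_id: str
    technique: str = ""  # ATT&CK technique id, if the detection maps to one
    ioc: str = ""        # IP, domain or hash observed, if any


def evaluate(alerts, campaign_window=timedelta(hours=1), campaign_hosts=3):
    """Return (category, detail) pairs for each escalation criterion the alerts meet."""
    reasons = []

    # 1. Confirmed malicious activity: an observed IOC is in the intel set.
    hits = sorted({a.ioc for a in alerts if a.ioc in KNOWN_BAD_IOCS})
    if hits:
        reasons.append(("confirmed malicious activity", "intel match on " + ", ".join(hits)))

    # 2. Business-critical system affected: the host carries a critical-asset tag.
    crit = sorted({f"{a.host} ({CRITICAL_ASSETS[a.host]})" for a in alerts if a.host in CRITICAL_ASSETS})
    if crit:
        reasons.append(("business-critical system affected", ", ".join(crit)))

    # 3. Lateral movement: dumping followed, in the same case, by pass-the-hash/ticket.
    #    Order matters: use of the stolen material must come after the dump.
    by_case = defaultdict(list)
    for a in sorted(alerts, key=lambda a: a.ts):
        by_case[a.case_id].append(a)
    for case_id, seq in by_case.items():
        dump_ts = next((a.ts for a in seq if a.technique.startswith(CRED_DUMP_PREFIX)), None)
        if dump_ts is None:
            continue
        use = next((a for a in seq if a.technique in CRED_USE and a.ts >= dump_ts), None)
        if use is not None:
            reasons.append(("lateral movement", f"{case_id}: credential dump then {use.technique} on {use.host}"))

    # 4. Campaign: the same IOC on >= campaign_hosts distinct hosts inside one window.
    by_ioc = defaultdict(list)
    for a in alerts:
        if a.ioc:
            by_ioc[a.ioc].append(a)
    for ioc, seq in by_ioc.items():
        seq.sort(key=lambda a: a.ts)
        for i, first in enumerate(seq):
            hosts = {a.host for a in seq[i:] if a.ts - first.ts <= campaign_window}
            if len(hosts) >= campaign_hosts:
                reasons.append(("widespread campaign", f"{ioc} on {len(hosts)} hosts within {campaign_window}"))
                break
    return reasons


# Constructed sample alerts (not real telemetry).
T0 = datetime(2024, 1, 1, 9, 0, 0)
SAMPLE_ALERTS = [
    Alert(T0, "ws-17", "case-42", technique="T1003.001"),                          # LSASS dump
    Alert(T0 + timedelta(minutes=5), "ws-03", "case-42", ioc="203.0.113.45"),
    Alert(T0 + timedelta(minutes=12), "fs-02", "case-42", technique="T1550.002"),  # pass-the-hash
    Alert(T0 + timedelta(minutes=20), "ws-08", "case-42", ioc="203.0.113.45"),
    Alert(T0 + timedelta(minutes=40), "pci-db-01", "case-42", ioc="203.0.113.45"),
]
# A lone credential-use detection with no preceding dump, on a non-critical host.
BENIGN_ALERTS = [Alert(T0, "ws-01", "case-7", technique="T1550.002")]
# Dump recorded after the use: the sequence does not match the dump-then-use sign.
OUT_OF_ORDER_ALERTS = [
    Alert(T0, "ws-01", "case-9", technique="T1550.002"),
    Alert(T0 + timedelta(minutes=10), "ws-01", "case-9", technique="T1003"),
]

if __name__ == "__main__":
    for category, detail in evaluate(SAMPLE_ALERTS):
        print(f"ESCALATE [{category}]: {detail}")
```

The evaluator deliberately requires the dump to precede the credential use: a T1550.002 detection on its own may be a false positive from an NTLM-heavy service account, whereas a dump followed by use on another host is the pattern the text singles out. The campaign check uses a sliding window over each IOC's sightings so that three hosts hours apart do not trigger it.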


Risk impact and likelihood reference

A formal risk assessment combines potential impact and the likelihood that the compromise will continue or worsen. The matrix below provides a quick reference for evaluating escalation thresholds.

Risk factor | Low | Medium | High
--- | --- | --- | ---
Business impact | Minimal effect, no sensitive data exposure | Limited service disruption, potential regulatory concern | Critical service outage, confirmed data breach, regulatory violation
Asset criticality | Non-production, isolated system | Supporting infrastructure, limited data access | Core business systems, sensitive data repositories
Attacker persistence | One-time exploitation attempt | Basic persistence mechanisms | Multiple redundant access methods, advanced persistence
Actor sophistication | Common tooling, known vulnerabilities | Moderate evasion, some customization | Zero-day exploitation, custom malware, anti-forensics
