The handoff packet
What the packet contains
1. Case summary
One paragraph. What happened, what is known, what the triage analyst recommends.
2. Timeline
Sequential events with timestamps. Includes both adversary actions and analyst actions (when notified, what was checked, when escalated).
3. Entities
Primary and secondary entities with their assessment results. The Subject and Scope output.
4. Evidence chain
The Uncover narrative with sources, queries used, and MITRE technique mappings.
5. Risk verdict
Impact, likelihood, combined priority, open questions, and recommended response.
6. Containment actions taken
What was already done (host isolated, account disabled, etc.) and what was deliberately not done and why.
7. Artifacts
Relevant log excerpts, IoCs, hashes, screenshots, queries. Attached or linked so the next analyst does not have to re-derive them.
8. Open questions
What the triage analyst could not resolve and would have pursued next. The IR team picks up from this list.
9. Communication record
Who has been notified so far, on which channel, when. Manager paged at 14:02. Compliance flagged at 14:18. Vendor request opened at 14:35. Prevents duplicate notifications, gives IR an instant view of who already knows, and starts the audit trail for regulatory reporting.
What makes a packet actionable
A complete packet still fails if it does not pass a few practical tests. The methodology asks the analyst to verify three properties before declaring a packet ready for handoff.
Can be read in five minutes
The case summary plus the Risk verdict should give the receiving tier the picture in under five minutes. Detail lives in the appendix. The opening should orient, not exhaust.
Names the next decision
A good packet does not just describe the case; it tees up the decision the next tier needs to make, with concrete recommendations such as “Isolate the second host,” “engage compliance,” or “contain the federated session.”
Survives the cold read
An analyst who was not involved should be able to open the packet, understand the case, and continue the work. If the packet requires the triage analyst’s presence to interpret, it is not actionable yet.
A packet that fails the cold-read test
A common anti-pattern: the packet reads as a sequence of analyst thoughts (“I checked X, looked OK, then I checked Y, found something weird”). The narrative makes sense to the person who wrote it. Someone reading it cold has no idea what was concluded.
The fix is structural. Replace the analyst-narrative voice with the nine-section format above. Each section answers a specific question; the reader can navigate them without reading the others. The case summary at the top tells the reader whether they need to read the rest at all.
Test the packet by handing it to a peer who has no context on the case. If they cannot summarize the verdict in one sentence after five minutes, the packet is not done.
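The nine-section format and the readiness tests above can be turned into a mechanical pre-handoff check. The following is an added example, not part of the methodology's own tooling: a small Python lint that models the packet as a dataclass, flags empty sections, an out-of-order timeline, a risk verdict with no recommended response, and the first-person analyst-narrative anti-pattern. The host and user names in the sample packet are constructed.

```python
from dataclasses import dataclass, field
from datetime import datetime
import re

# The nine sections of the packet, in handoff order.
SECTIONS = ("case_summary", "timeline", "entities", "evidence_chain", "risk_verdict",
            "containment", "artifacts", "open_questions", "communication_record")
# First-person narration: the cold-read anti-pattern described above.
NARRATIVE = re.compile(r"\b(I|we) (checked|looked|found|then)\b", re.IGNORECASE)

@dataclass
class Packet:
    case_summary: str = ""                                    # one paragraph
    timeline: list = field(default_factory=list)              # (iso time, actor, event)
    entities: list = field(default_factory=list)
    evidence_chain: str = ""
    risk_verdict: dict = field(default_factory=dict)          # needs "recommended_response"
    containment: str = ""
    artifacts: list = field(default_factory=list)
    open_questions: list = field(default_factory=list)
    communication_record: list = field(default_factory=list)  # (who, channel, iso time)

def lint(p: Packet) -> list:
    """Return the reasons a packet is not yet ready for handoff (empty list = ready)."""
    findings = [f"missing section: {s}" for s in SECTIONS if not getattr(p, s)]
    if "\n\n" in p.case_summary.strip():
        findings.append("case summary must be a single paragraph")
    stamps = [datetime.fromisoformat(t) for t, _, _ in p.timeline]
    if stamps != sorted(stamps):
        findings.append("timeline is not in chronological order")
    if not p.risk_verdict.get("recommended_response"):
        findings.append("risk verdict does not name the next decision")
    if NARRATIVE.search(p.evidence_chain):
        findings.append("evidence chain reads as analyst narrative, not conclusions")
    return findings

# Constructed sample (hypothetical host/user names) with three deliberate defects.
SAMPLE = Packet(
    case_summary="Suspicious mailbox rule on jdoe after a sign-in from a new location; HOST-A isolated.",
    timeline=[("2024-01-01T13:55:00", "adversary", "sign-in from new location"),
              ("2024-01-01T14:02:00", "analyst", "manager paged"),
              ("2024-01-01T13:58:00", "adversary", "mailbox rule created")],  # out of order
    entities=["jdoe (primary)", "HOST-A (secondary)"],
    evidence_chain="I checked the sign-in log, looked OK, then I checked the rules, found something weird.",
    risk_verdict={"impact": "medium", "likelihood": "high", "priority": "P2"},  # no next decision
    containment="HOST-A isolated; jdoe left enabled pending IR to preserve session telemetry.",
    artifacts=["sign-in log excerpt for jdoe (attached)"],
    open_questions=["Was the same session token used from any other host?"],
    communication_record=[("manager", "page", "2024-01-01T14:02:00")],
)
```

Running `lint(SAMPLE)` returns three findings; an empty list means the packet passes the structural checks, after which the peer cold-read test above still applies.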