Internal and external escalation protocols
Internal tiers
Tier 1: Initial detection and triage
Receives alerts, validates the signal, and applies initial triage protocols to categorize events by type and severity. Determines true positive vs. false positive. The Alert, Subject, and Scope work usually lives here. Escalates anything that meets predefined criteria or exceeds the Tier 1 mandate.
- Alert validation and preliminary risk assessment
- False-positive closure with detection feedback
- Categorization by event type and severity
- Initial scope and entity identification
Tier 2: In-depth investigation
Security engineers with specialized expertise pick up escalated cases. They conduct deeper technical investigation, develop containment strategies, and create remediation plans for confirmed incidents. The Uncover and Risk work usually completes here.
- Technical analysis with deep forensic capability
- Containment planning and remediation design
- Decision on whether case becomes a declared incident
- Coordination with detection engineering for rule refinement
Tier 3: Cross-functional coordination
Engages the full incident response capability for high-impact events or those involving critical systems. Brings together legal counsel for compliance considerations, communications for stakeholder messaging, and executive leadership for strategic decisions.
- Full incident response orchestration
- Legal, compliance, communications engagement
- Executive briefings and strategic decision support
- Incident-commander role responsibilities
Beyond the internal tiers: organizational stakeholders
Internal escalation moves the case through Tiers 1 → 2 → 3. Established protocols then govern when to engage other organizational stakeholders.
IT Operations
Engaged when system or network-level compromises require configuration changes, patching, or network-wide defensive measures. Containment in production environments often needs IT Ops on the call.
Legal & compliance
Engaged when events potentially affect regulated information. Assesses reporting obligations and legal implications. Often early in the timeline for incidents with regulatory exposure.
Business units
Engaged for business-specific incidents affecting departmental systems or data. Ensures remediation aligns with operational requirements and that affected workflows are restored.
Communications
Engaged for incidents that may become public. Press, customer, and partner messaging is its own workstream. Legal counsel coordinates with communications before any external disclosure.
Vendors
Engaged when the incident involves a vendor's product, platform, or data. Vendor disclosure may be required by contract. Coordination follows MSA / DPA terms.
Law enforcement
Engaged for criminal activity, extortion, or cross-border threats. Engaged through legal counsel, not directly by the SOC. Engagement decisions usually require executive sign-off.