Escalation chapter quiz
No grades. The point is to push your thinking.
An analyst is uncertain whether a case meets escalation criteria. What should they do?
Pre-defined criteria exist precisely to prevent hesitation under pressure. If even one criterion is met, escalation is the default. Overriding requires documented reasoning.
What is the difference between event triage and incident response?
The distinction is about the question being asked. Triage is 'what is going on.' IR is 'what do we do about it.' Conflating them leads to premature escalation or stalled investigations.
The handoff packet should be optimized for...
The packet is the bridge between triage and IR. The metric is whether the next tier can act without asking the triage analyst to re-explain. Brevity is good; completeness is the goal.
When does law enforcement get engaged?
Law enforcement is one external path among several. Engagement is selective (specific case types), channeled through legal counsel, and not a default for every incident.
The terms 'event', 'alert', and 'incident' get used interchangeably in casual conversation. How does ASSURED distinguish them?
ASSURED treats them as distinct concepts with distinct operational meaning. Events are raw observability data. Alerts cross a threshold and become SOC work. Incidents are correlated alerts representing business-impacting issues that require coordinated response. Conflating them loses precision under pressure.
Lateral movement into systems outside the original Scope boundary appears during Uncover. What is the right escalation behavior?
Lateral movement into unscoped systems is a classic dynamic-loop trigger. The methodology requires returning to Scope with refined boundaries, re-running Uncover on the expanded frame, and re-evaluating Risk. Escalation criteria are then applied to the broader picture, not just the initial finding. Skipping the loop produces escalations based on incomplete pictures.
Your handoff packet has eight strong sections, but you noticed during the case that you forgot to log the 14:02 page to your SOC manager. What is the right call?
The Communication record is the ninth section of the handoff packet for exactly this reason. Backfilling notifications (who, on which channel, when) with real timestamps prevents duplicate pages, gives IR an instant view of who already knows, and starts the audit trail before memory fades. Verbal handoffs and post-close amendments both lose information.