Risk: Turning evidence into priority
Phase 2 · piece 5 of 7
How bad is it, and how confident are we?
Risk turns Uncover’s evidence into a defensible priority. The phase combines impact, likelihood, attacker sophistication, and business context to decide what happens next.
What you will get from this chapter
The three pillars
Framework
The risk-based alert triage matrix: potential impact, actor sophistication, business context and escalation criteria, with CVSS as one input.
Impact and likelihood
How to evaluate each dimension separately, and how the combination produces the priority.
The value of a false-positive
Closed cases are not wasted cases. Each false-positive sharpens the detection logic and the analyst’s instinct.
The dynamic loop: Scope → Uncover → Risk
Triage is not strictly linear. The investigative engine of ASSURED is an iterative loop through Scope, Uncover, and Risk that runs until clarity is reached. Risk findings often send the analyst back to Uncover for more evidence; new evidence sometimes forces a fresh Scope decision; that fresh Scope reframes what Uncover and Risk look at next. Embracing the loop is part of the methodology.
Initial Scope
Define investigation boundaries from the alert context. Deliberately narrow at the outset to keep noise down.
Uncover evidence
Gather and analyze data from targeted sources. Bounded by the current scope to avoid sprawl.
Assess risk
Evaluate impact and likelihood based on what was found. The decision is one of three: close, escalate, or rescope.
Refine scope
Adjust boundaries based on new understanding. Reactivates the loop with updated parameters.
Why Risk is its own phase
Evidence and impact are separate questions
Uncover answers what happened. Risk answers how much it matters. Skipping Risk means escalating every finding equally, which is the same as not prioritizing at all.
Likelihood is a confidence statement
A high-impact finding with low confidence in the evidence is a different decision than the same finding with airtight evidence. Risk requires the analyst to state both explicitly.
Context changes the verdict
The same intrusion on a sandbox is not the same intrusion on a regulated production system. Risk is the phase that brings that context into the priority decision.
False-positives have value
A closed false-positive is a sharpened detection. The methodology asks the analyst to capture what they learned, even when the verdict is “no incident.”
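The loop and the four points above, carried through in code as an added example (not part of this chapter or of the ASSURED material). It scores a finding on impact and likelihood, lets business context and actor sophistication adjust that score, treats confidence as a separate statement that can send the finding back to Uncover, and records a lesson when the verdict is "close". The 1-5 scales, the context multipliers, the escalation threshold and the confidence floor are assumptions chosen for the illustration, not the methodology's own numbers; `more_evidence` is a constructed stand-in for an Uncover pass.

```python
"""Risk scoring and the Scope -> Uncover -> Risk loop, as a worked example.

Constructed illustration: the scales, weights and thresholds below are
assumptions chosen for the example, not the ASSURED methodology's own numbers.
"""
from dataclasses import dataclass, field
from enum import Enum
from typing import Callable, Optional


class Decision(str, Enum):
    CLOSE = "close"          # no incident; capture what the false-positive taught us
    ESCALATE = "escalate"    # confident and serious enough to hand to incident response
    RESCOPE = "rescope"      # evidence too thin for the stakes: refine scope, back to Uncover


# Assumed context multipliers: the same activity matters more on regulated production.
CONTEXT_WEIGHT = {
    "sandbox": 0.25,
    "dev": 0.5,
    "prod": 1.0,
    "regulated-prod": 1.5,
}

ESCALATE_AT = 12.0        # assumed priority threshold for escalation
MIN_CONFIDENCE = 0.6      # assumed: below this, a high-stakes finding needs more evidence


@dataclass
class Finding:
    title: str
    impact: int            # 1-5, potential impact if the activity is real
    likelihood: int        # 1-5, how likely the activity is actually malicious
    confidence: float      # 0.0-1.0, how solid the evidence behind those two numbers is
    sophistication: int    # 1-5, actor sophistication
    context: str           # key into CONTEXT_WEIGHT
    cvss: Optional[float] = None   # vulnerability score used only as an input, not the verdict
    lessons: list = field(default_factory=list)


def priority(f: Finding) -> float:
    """Combine impact and likelihood first, then let context and sophistication adjust."""
    base = f.impact * f.likelihood                      # 1..25
    if f.cvss is not None and f.cvss >= 9.0:
        base += 2                                       # critical CVSS nudges, never decides
    base += max(0, f.sophistication - 3)                # only above-average actors add weight
    return round(base * CONTEXT_WEIGHT[f.context], 2)


def assess_risk(f: Finding) -> tuple:
    """The Risk phase: impact/likelihood plus an explicit confidence statement."""
    score = priority(f)
    stakes_high = score >= ESCALATE_AT
    if stakes_high and f.confidence < MIN_CONFIDENCE:
        # High impact with thin evidence is a different decision than high impact with airtight evidence
        return Decision.RESCOPE, score
    if stakes_high:
        return Decision.ESCALATE, score
    # A closed case still teaches something: note it for the detection logic
    f.lessons.append(f"closed '{f.title}' at priority {score}: tune detection for {f.context}")
    return Decision.CLOSE, score


def triage_loop(f: Finding, uncover: Callable[[Finding], None], max_rounds: int = 3) -> tuple:
    """Scope -> Uncover -> Risk, repeated until the decision is not 'rescope'.

    `uncover` stands in for the Uncover phase: it gathers more evidence and
    updates the finding in place. Returns the final decision and the history
    of (round, decision, priority, confidence) tuples.
    """
    history = []
    for round_no in range(1, max_rounds + 1):
        decision, score = assess_risk(f)
        history.append((round_no, decision, score, f.confidence))
        if decision != Decision.RESCOPE:
            return decision, history
        uncover(f)          # refine scope, gather more evidence, then re-assess
    # Out of rounds with evidence still thin: escalate rather than silently drop it
    history.append((max_rounds + 1, Decision.ESCALATE, priority(f), f.confidence))
    return Decision.ESCALATE, history


def more_evidence(f: Finding) -> None:
    """Constructed stand-in for an Uncover pass: each round firms up the evidence."""
    f.confidence = min(1.0, f.confidence + 0.25)


if __name__ == "__main__":
    prod = Finding("suspicious service install", impact=5, likelihood=4,
                   confidence=0.3, sophistication=4, context="regulated-prod")
    print(triage_loop(prod, more_evidence))     # rescope, rescope, then escalate
    sandbox = Finding("suspicious service install", impact=5, likelihood=4,
                      confidence=0.3, sophistication=4, context="sandbox")
    print(triage_loop(sandbox, more_evidence), sandbox.lessons)   # closed on round 1
```

The two sample findings are identical except for context: on regulated production the finding is serious enough that thin evidence sends it back through Uncover twice before escalation, while the same activity in a sandbox closes on the first pass and leaves a lesson behind for the detection.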