Risk framework

Four complementary frameworks


🎚️ Risk-Based Alert Triage Matrix

The RATM scores alerts across four dimensions, producing a composite rating. It emphasizes technical reality while integrating business context.

Asset criticality

Is the affected system, user, or service essential to operations, or does it hold sensitive data? High-value assets (production environments, financial systems, PII repositories) warrant greater concern. Rating this dimension requires an understanding of both the technical function and the business value of the asset, which in turn requires an inventory with criticality ratings that is reviewed and kept current; a stale inventory makes the risk assessment misrepresent the actual business impact. An asset that is missing from the inventory altogether is unclassified, not Low, and should be scored conservatively until someone confirms what it is.

Threat actor intent

Is the alert opportunistic behavior or targeted activity? Sophisticated, deliberate techniques raise priority. Indicators of intent include reconnaissance focused on specific high-value targets, custom malware designed to evade detection, or attack patterns suggesting familiarity with the organization’s architecture.

Exploitation and scope

Did the exploit succeed? Is lateral movement, persistence, or privilege escalation possible? Verified compromise or multi-host activity escalates risk significantly. The scope dimension evaluates both the current footprint and the potential to expand. Evidence of successful exploitation (command execution, data access, configuration changes) raises the rating.

Business impact

What are the downstream effects on availability, integrity, or confidentiality? Could legal or regulatory consequences follow? Business disruption or reputational harm elevates response priority. This dimension translates technical events into terms organizational leadership recognizes: continuity, customer trust, contractual obligations, financial exposure.

Scoring rubric: how to convert observations into High / Medium / Low

The four dimensions above are the categories. The rubric below is the operational definition: what counts as High, Medium, or Low for each. Calibrate the thresholds to your environment, but start from these defaults so that two analysts working the same case land on the same score.

Asset criticality

  • High: Crown-jewel system; regulated-data store (PCI, PHI, PII); revenue-affecting service.
  • Medium: Business-critical but not regulated; internal-tooling backbone; broad-access shared service.
  • Low: Dev / sandbox / test environment; user-class endpoint with no privileged role; isolated workstation.

Threat actor intent

  • High: Confirmed targeted activity; TTPs map to a named threat group (APT / ransomware); custom tooling; insider attribution.
  • Medium: Commodity tooling with some targeting (spear-phish, region- or role-specific lure); off-the-shelf C2 framework; financially motivated opportunist.
  • Low: Opportunistic / automated; mass scan; commodity malware on a single endpoint; no targeting signal.

Exploitation & scope

  • High: Confirmed lateral movement; persistence established; multiple systems compromised; privilege escalation succeeded.
  • Medium: Single system compromised, no spread confirmed yet; exploitation succeeded but agent contained; credential theft without observed reuse.
  • Low: Initial access only / attempted; no execution observed; signature match without behavioral confirmation; exposure without exploitation.

Business impact

  • High: Regulatory notification clock triggered (GDPR 72h, HIPAA, PCI); revenue-affecting outage; customer-data exposure confirmed.
  • Medium: Operational disruption possible (team-level); internal-data exposure; brand / customer-trust risk if disclosed.
  • Low: Contained, no business effect observed; sandbox-only; visible only to the security team.

🧭 P.A.C.E. Model

P.A.C.E. is a step-by-step model that guides analysts through four dimensions: potential impact, threat actor sophistication, context, and predefined escalation criteria. Working through them in order determines whether an alert needs immediate action or further investigation.

P: Potential impact

Evaluates the consequences if the event remains unresolved. Data breach, system downtime, and reputational harm each raise prioritization.

  • Measures severity of possible outcomes
  • Considers both short- and long-term effects
  • Maps to business continuity concerns

A: Actor sophistication

Assesses the adversary's skill level and resources. Amateur group or APT? Higher sophistication signals a more dangerous threat.

  • Evaluates technical complexity of observed TTPs
  • Considers attribution to known threat groups
  • Examines customization versus off-the-shelf tooling

C: Context

Examines the evidence supporting the alert's legitimacy. A match to known attack patterns, or correlation with related IOCs, raises priority.

  • Correlates activity with historical patterns
  • Considers normal vs. abnormal for users / systems
  • Incorporates threat intel and current campaign awareness

E: Escalation criteria

Defines clear triggers for when an alert should escalate: predefined thresholds, significant operational impact, or evidence aligned with known threat models.

  • Applies organization-specific thresholds
  • Ensures consistent decision-making
  • Supports defensible triage outcomes

🎯 MITRE ATT&CK as a risk lens

ATT&CK enters the risk phase as a structuring vocabulary, not a scoring tool. Its value here is naming what was observed in ATT&CK's tactic and technique terms, so the verdict aligns with the broader threat landscape and with what intelligence says about who uses those techniques.

Tactic-level severity weighting

Some tactics carry inherently higher risk than others. Initial Access without follow-on activity is lower risk than confirmed Lateral Movement or Exfiltration. Weight by the furthest tactic the chain has reached, not by the number of alerts: one confirmed Exfiltration outranks a dozen blocked Initial Access attempts.

Technique-to-actor mapping

Procedures associated with specific threat actors raise the risk weight. Custom tooling or rare techniques generally indicate targeted activity rather than commodity attacks.

Coverage gap indicators

When the observed chain includes techniques the SOC does not yet detect, that gap is itself a risk signal: for this case, because the attacker may have done more than was observed, and for the program, because it is a detection-engineering backlog item.


📈 CVSS adaptation for triage

CVSS (Common Vulnerability Scoring System) applies a structured methodology to assess severity: a numerical score from 0 to 10 built from exploitability metrics (attack vector, attack complexity, privileges required, user interaction), scope, and the impact on the affected system's confidentiality, integrity, and availability. It was designed for vulnerability management; adapted for active-threat triage, it gives a standardized way to prioritize alerts.

The 0–10 score maps to qualitative severity ratings that give clear escalation thresholds: None (0.0), Low (0.1–3.9), Medium (4.0–6.9), High (7.0–8.9), Critical (9.0–10.0). One caveat before using it for triage: the base score describes the vulnerability, not your exposure to it. A Critical base score on an isolated test host and the same score on an internet-facing payment service are different alerts; the environmental group below is where that difference is expressed.

Base score

Reflects the intrinsic severity of the vulnerability: attack vector, attack complexity, privileges required, user interaction, scope, and impact on confidentiality, integrity, and availability. The base score is the same for every organization; a higher base score typically indicates a more critical alert, all else being equal.

Temporal score

Modifies the base score for the current state of the threat: exploit code maturity (is a working exploit public?), remediation level (is an official fix available?), and report confidence. It adjusts urgency as the threat landscape evolves, and because every temporal multiplier is at most 1 it can only lower or preserve the base score. (CVSS v4.0 renames this group Threat metrics.)

Environmental score

Tailors the score to the organization's infrastructure, business priorities, and existing controls. Modified base metrics capture compensating controls (a host reachable only from an internal segment lowers Attack Vector from Network to Adjacent or Local); the confidentiality, integrity, and availability requirements weight the impact by how much the affected asset matters. This is the group that turns a generic vulnerability score into a statement about whether a critical system is actually at risk.


The triage matrix in practice

The four frameworks combine into a composite verdict. The triage matrix below is the practical output: impact and likelihood combine into a default action. Impact is driven by what is at stake (asset criticality, business impact, the CVSS environmental group); likelihood by whether the threat is real and progressing (actor intent and sophistication, exploitation and scope, the tactic chain reached, exploit maturity). A safe default is to take the higher rating within each pair rather than averaging, so that a single High is not diluted by Lows elsewhere.

  • Impact High, likelihood High: Escalate immediately
  • Impact High, likelihood Medium: Escalate within shift
  • Impact High, likelihood Low: Continue investigation; raise priority if evidence strengthens
  • Impact Medium, likelihood High: Escalate within shift
  • Impact Medium, likelihood Medium: Investigate to closure within 24 hours
  • Impact Medium, likelihood Low: Standard queue
  • Impact Low, likelihood High: Investigate; likely false-positive, but worth a clean close
  • Impact Low, likelihood Medium: Standard queue; close after light investigation
  • Impact Low, likelihood Low: Document and close
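The RATM rubric, the ATT&CK tactic-level weighting and coverage-gap check, and the impact × likelihood matrix wired together as one triage function. This is an added example, not the page's own code: the fields on Case, the signal labels, the tactic weights, the rule that an uninventoried asset scores High, and the collapse of the four ratings into impact (higher of asset criticality and business impact) and likelihood (higher of actor intent and exploitation/scope) are all assumptions made for this example; only the default-action strings are copied from the matrix above. The sample cases and the detection-coverage set at the bottom are constructed, not real incidents.

```python
"""RATM rubric, ATT&CK tactic weighting and the impact x likelihood matrix
as one triage function. Added example; field names, signal labels, tactic
weights and the impact/likelihood collapse are assumptions, not the page's."""
from dataclasses import dataclass, field
from typing import List, Optional, Set

RANK = {"Low": 0, "Medium": 1, "High": 2}

def highest(*levels: str) -> str:
    """Max, not average: a single High is never diluted by Lows elsewhere."""
    return max(levels, key=RANK.__getitem__)

# Tactic-level severity weighting (assumed): the furthest stage reached sets the rating.
TACTIC_LEVEL = {
    "Reconnaissance": "Low", "Initial Access": "Low", "Discovery": "Low",
    "Execution": "Medium", "Credential Access": "Medium", "Collection": "Medium",
    "Persistence": "High", "Privilege Escalation": "High",
    "Lateral Movement": "High", "Exfiltration": "High", "Impact": "High",
}
# Assumed signal labels, one per rubric cell.
HIGH_INTENT = {"named_group", "custom_tooling", "insider"}
MED_INTENT = {"spear_phish", "off_the_shelf_c2", "financial_opportunist"}
HIGH_BUSINESS = {"notification_clock", "revenue_outage", "customer_data_exposed"}
MED_BUSINESS = {"team_disruption", "internal_data_exposed", "brand_risk"}

@dataclass
class Case:
    asset_tier: Optional[str]          # "crown_jewel" | "business_critical" | "standard"; None = not in inventory
    regulated_data: bool = False
    intent_signals: Set[str] = field(default_factory=set)
    tactics: List[str] = field(default_factory=list)      # ATT&CK tactics observed
    techniques: List[str] = field(default_factory=list)   # ATT&CK technique IDs observed
    hosts_affected: int = 1
    behaviour_confirmed: bool = False  # False = signature match only
    business_signals: Set[str] = field(default_factory=set)

def rate_asset(c: Case) -> str:
    if c.asset_tier is None:
        return "High"   # not in the inventory: treat as crown jewel until classified, never as Low
    if c.asset_tier == "crown_jewel" or c.regulated_data:
        return "High"
    return "Medium" if c.asset_tier == "business_critical" else "Low"

def rate_intent(c: Case) -> str:
    if c.intent_signals & HIGH_INTENT:
        return "High"
    return "Medium" if c.intent_signals & MED_INTENT else "Low"

def rate_scope(c: Case) -> str:
    if not c.behaviour_confirmed:
        return "Low"    # signature match without behavioural confirmation
    if c.hosts_affected > 1:
        return "High"   # multiple systems compromised
    return highest("Low", *(TACTIC_LEVEL.get(t, "Medium") for t in c.tactics))

def rate_business(c: Case) -> str:
    if c.business_signals & HIGH_BUSINESS:
        return "High"
    return "Medium" if c.business_signals & MED_BUSINESS else "Low"

# Default actions copied from the matrix, keyed (impact, likelihood).
MATRIX = {
    ("High", "High"): "Escalate immediately",
    ("High", "Medium"): "Escalate within shift",
    ("High", "Low"): "Continue investigation; raise priority if evidence strengthens",
    ("Medium", "High"): "Escalate within shift",
    ("Medium", "Medium"): "Investigate to closure within 24 hours",
    ("Medium", "Low"): "Standard queue",
    ("Low", "High"): "Investigate; likely false-positive, but worth a clean close",
    ("Low", "Medium"): "Standard queue; close after light investigation",
    ("Low", "Low"): "Document and close",
}

def triage(c: Case, detections: Set[str]) -> dict:
    ratings = {"asset_criticality": rate_asset(c), "threat_actor_intent": rate_intent(c),
               "exploitation_scope": rate_scope(c), "business_impact": rate_business(c)}
    # Assumed collapse: what is at stake -> impact; how real and how far -> likelihood.
    impact = highest(ratings["asset_criticality"], ratings["business_impact"])
    likelihood = highest(ratings["threat_actor_intent"], ratings["exploitation_scope"])
    gaps = sorted(set(c.techniques) - detections)   # coverage gap indicators
    return {**ratings, "impact": impact, "likelihood": likelihood,
            "action": MATRIX[(impact, likelihood)], "coverage_gaps": gaps}

# Constructed sample cases and detection coverage, not real incidents.
DETECTIONS = {"T1566.001", "T1059.001", "T1078"}
RANSOMWARE_ON_PII_STORE = Case(
    asset_tier="crown_jewel", regulated_data=True,
    intent_signals={"named_group", "custom_tooling"},
    tactics=["Initial Access", "Execution", "Lateral Movement"],
    techniques=["T1566.001", "T1059.001", "T1021.002"],
    hosts_affected=4, behaviour_confirmed=True, business_signals={"notification_clock"})
COMMODITY_HIT_IN_SANDBOX = Case(
    asset_tier="standard", tactics=["Initial Access"], techniques=["T1566.001"])
UNINVENTORIED_HOST = Case(
    asset_tier=None, tactics=["Execution"], techniques=["T1059.001"], behaviour_confirmed=True)

if __name__ == "__main__":
    for name, case in [("ransomware on PII store", RANSOMWARE_ON_PII_STORE),
                       ("commodity hit in sandbox", COMMODITY_HIT_IN_SANDBOX),
                       ("uninventoried host", UNINVENTORIED_HOST)]:
        print(f"{name}: {triage(case, DETECTIONS)}")
```

Two design choices worth noticing. Each dimension is rated independently and only then collapsed, so the per-dimension ratings survive in the output and an analyst can see why a case landed where it did; and the uninventoried host lands at "Escalate within shift" rather than "Standard queue" purely because the asset rating defaulted to High, which is the stale-inventory caveat from the Asset criticality dimension made mechanical.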
