Transition to Escalation
The loop ends here, or it doesn't
The Scope → Uncover → Risk loop introduced on the Risk overview is the engine that drove the investigation to this point. Crossing into Escalation only happens when the loop terminates, when the residual risk is well-enough understood to justify a resolution decision. If you find yourself reaching for Escalation but the loop is still revealing new Entity signals (a person, system, or organization that interacts with or affects a security incident), new Lateral Movement signals (adversary traversal from the initial-access host to other hosts inside the environment; each hop expands the blast radius and adds new entities for Subject analysis, and it often piggybacks on legitimate authentication, which is what makes it hard to detect), or new Data Staging signals (sensitive data collected and stored locally in chunks before exfiltration, avoiding the large, sudden transfers that DLP would flag), that is a signal to refine the scope and run the loop again, not a signal to escalate prematurely. Escalation is the end of triage, not a substitute for it.
When escalation is warranted
Escalation is warranted when the cumulative findings indicate that observed activity exceeds predefined thresholds of acceptable risk. Crucially, escalation is not reactionary. It is a deliberate step grounded in collected evidence and organizational policy.
Confirmed malicious behavior
Evidence supports compromise. Indicators map cleanly to known tactics or campaigns. The verdict is high-likelihood, and the activity is ongoing or has produced material impact.
High-value asset involvement
Primary entities include crown-jewel infrastructure, regulated data stores, or systems supporting critical operations. The asset profile elevates the response posture independent of the technical evidence's depth.
Regulatory exposure
Evidence triggers reportable incident thresholds under GDPR, HIPAA, PCI DSS, SOX, or similar frameworks. The notification clocks run independently of the technical investigation; escalation lets compliance engage on the parallel track.
Persistence indicators
The adversary has established or is establishing mechanisms for long-term access. Containment requires response capabilities beyond what triage provides.
What an actionable escalation includes
Risk's handoff to Escalation must be both justified and actionable.
Articulate why the risk is unacceptable
Based on observed evidence. Not "this seems bad" but "impact X, likelihood Y, here are the named inputs that produced both."
Identify affected systems, users, or data
With precision. Primary entities, secondary entities, downstream exposures. The escalation team should not have to re-derive the entity map.
Outline containment needs and timing
What needs to happen now vs. what can wait. Time-sensitive factors (active session, ongoing exfiltration, regulatory clock) get called out explicitly.
Curate the supporting data
Validated, deduplicated, ready for transfer. Logs, timeline, ATT&CK mapping, intel context. The next analyst should not have to re-pull the same data.
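The three gates described above (the loop must have stopped producing new signals, at least one escalation criterion must hold, and the handoff package must carry the four required components) can be expressed as a small decision routine. The following is an added illustration, not tooling from this page or its authors; the class names, field names, and the sample hosts, users, and log lines are constructed assumptions.

```python
"""Escalation gate: is the Scope/Uncover/Risk loop done, is escalation
warranted, and is the handoff package actionable?  Added illustration;
every identifier below is an assumption, not the page's own tooling."""
from dataclasses import dataclass, field
import hashlib


@dataclass(frozen=True)
class LoopIteration:
    """What one pass of the Scope/Uncover/Risk loop surfaced."""
    entities: frozenset        # hosts, users, orgs touched by the incident
    lateral_hops: frozenset    # (source_host, destination_host) pairs
    staging_paths: frozenset   # local paths where data was chunked/staged


def loop_terminated(prev, curr):
    """The loop ends only when a pass reveals no new entity, hop or staging signal.
    Returns (terminated, dict of the new signals that keep the loop running)."""
    new = {
        "entities": curr.entities - prev.entities,
        "lateral_hops": curr.lateral_hops - prev.lateral_hops,
        "staging_paths": curr.staging_paths - prev.staging_paths,
    }
    new = {k: v for k, v in new.items() if v}
    return (not new), new


@dataclass
class Findings:
    confirmed_malicious: bool         # indicators map to known tactics/campaigns
    crown_jewel_assets: set = field(default_factory=set)
    regulated_data: set = field(default_factory=set)    # e.g. {"PHI"}, {"PAN"}
    persistence_indicators: set = field(default_factory=set)


def escalation_triggers(f):
    """Map findings to the four escalation criteria; empty list = stay in triage."""
    triggers = []
    if f.confirmed_malicious:
        triggers.append("confirmed malicious behavior")
    if f.crown_jewel_assets:
        triggers.append("high-value asset involvement")
    if f.regulated_data:
        triggers.append("regulatory exposure")       # notification clock is running
    if f.persistence_indicators:
        triggers.append("persistence indicators")
    return triggers


@dataclass
class HandoffPackage:
    impact: str
    likelihood: str
    named_inputs: list            # evidence items that produced impact/likelihood
    primary_entities: set
    secondary_entities: set = field(default_factory=set)
    containment_now: list = field(default_factory=list)    # time-sensitive
    containment_later: list = field(default_factory=list)
    supporting_data: list = field(default_factory=list)    # raw log lines


def dedupe(lines):
    """Deduplicate supporting data by content hash, preserving first-seen order."""
    seen, out = set(), []
    for line in lines:
        digest = hashlib.sha256(line.strip().encode()).hexdigest()
        if digest not in seen:
            seen.add(digest)
            out.append(line.strip())
    return out


def validate_package(pkg):
    """Return the list of gaps that would force the next analyst to re-derive work."""
    problems = []
    if not (pkg.impact and pkg.likelihood and pkg.named_inputs):
        problems.append("justification must state impact, likelihood and named inputs")
    if not pkg.primary_entities:
        problems.append("no primary entities identified")
    if not (pkg.containment_now or pkg.containment_later):
        problems.append("no containment needs or timing outlined")
    if not pkg.supporting_data:
        problems.append("no supporting data curated")
    return problems


def decide(prev, curr, findings, pkg):
    """Return (verdict, detail): refine-scope, resolve-in-triage, fix-handoff or escalate."""
    done, new_signals = loop_terminated(prev, curr)
    if not done:
        return "refine-scope", new_signals
    triggers = escalation_triggers(findings)
    if not triggers:
        return "resolve-in-triage", []
    pkg.supporting_data = dedupe(pkg.supporting_data)
    problems = validate_package(pkg)
    if problems:
        return "fix-handoff", problems
    return "escalate", triggers
```

Running `decide()` twice with the same `LoopIteration` models the loop having converged; passing a pass that adds a new host to `entities` models the case the page warns about, where the right move is to refine scope rather than escalate.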