Transition to Risk
What Risk actually does
Risk is often misunderstood as “assign a priority” or “kick off response.” It is neither. Risk is the analytical checkpoint that follows evidence gathering. It evaluates whether what Uncover produced is sufficient to draw a conclusion, or whether the gaps require rescoping or continued analysis.
Evaluates investigative completeness
Is there enough evidence to understand what occurred and its potential impact? Could the current data support misinterpretation due to missing telemetry, limited retention, or insufficient visibility?
Acknowledges blind spots explicitly
Telemetry is never complete. Risk factors known blind spots into the investigative outcome rather than pretending they do not exist.
Drives the binary decision
Close the event with confidence, or expand scope to resolve uncertainties and trace potential lateral paths? Risk does not stall in ambiguity, and it does not prematurely conclude in the presence of unresolved exposure.
What Uncover hands forward
A clean Uncover handoff makes Risk’s job possible. Five artifacts cover what Risk needs.
📊 The evidence chain
What happened, in order, with timestamps. Each step linked to the data source that confirmed it. Mapped to MITRE ATT&CK techniques where applicable.
🎯 Confirmed entities
Which of Scope’s primary and secondary entities were actually involved in the activity. Which were investigated and ruled out. Each verdict with its supporting evidence.
🌐 Intelligence context
Which threat-intelligence sources matched, at what confidence, with what corroboration. Where the intel was hypothesis-only vs. directly evidenced.
🚧 Coverage gaps
Tools, telemetry, retention, and visibility limits that bounded the investigation. Explicit names of what could not be examined and why.
🛠️ Detection gaps
Techniques observed but not flagged automatically. Rules that fired but should have been more specific. Feedback the detection-engineering team can act on.
The binary decision Risk makes
Risk’s output is a constrained call: close with confidence, or rescope and continue. Three patterns appear most often.
Evidence is consistent with one explanation (compromise or benign), confidence is high on the primary entities, gaps are documented and assessed as non-material to the verdict. The methodology says close.
Evidence surfaced new entities, time periods, or systems that were out of Scope’s original boundary but are clearly in play. The methodology says return to Scope, widen the lines, repeat Uncover on the expanded frame.
Evidence is mixed: some signals suggest compromise, others suggest benign. Gaps are material to the verdict. The methodology says keep working within the current scope, document the ambiguity, and define what specific evidence would resolve it.
Common Uncover-to-Risk failure modes
Uncover can be thorough and still fail at the handoff to Risk.
🪞 Evidence without confidence labels
Uncover produced a chain but did not say “high confidence on the first three steps, medium on the fourth, low on the fifth.” Risk inherits a chain that looks more certain than it is, and the binary decision is made on shaky ground.
📭 Silent coverage gaps
Uncover did the work it could but did not name what it could not see. Risk closes the case without realizing a key telemetry source was offline during the relevant window. The case re-opens a week later when the data lands.
🎭 Premature attribution
Uncover claimed attribution at high confidence on isolated technical indicators. Risk inherits a verdict that survives only as long as no one questions the attribution. The methodology asks for explicit confidence on every attribution claim.
📚 Free-form prose instead of ATT&CK
Uncover wrote a narrative that does not map to the framework. Risk has to translate before it can compare against prior cases, against threat intelligence, or against detection-engineering gaps. The chain of techniques is what makes the handoff portable.
What a clean Uncover-to-Risk handoff reads like
Threat type: confirmed compromise via spearphishing attachment.
Chain: T1566.001 → T1204.002 → T1059.001 → T1105 → T1071.001 → T1078.004.
Primary entities (confirmed): dlin (user), laptop-finance-09 (host), dlin’s cloud SSO identity. All high confidence.
Secondary entities (confirmed): one peer host also executed the payload (laptop-finance-12). Cloud finance platform shows federated login but no in-app activity yet.
Intelligence context: the dropper hash matches a known campaign at medium confidence. The C2 domain is brand-new and does not match prior intel.
Coverage gaps: cloud finance platform’s in-app activity is in vendor logs, request pending. Mobile-app activity on BYOD phones is invisible.
Detection gaps: the rule that fired on host A did not fire on host B even though both ran the same payload. Cause: rule expects file path X; host B used path Y. Feature request opened.
Open question for Risk: Is the current scope (3 primary + 1 peer + 1 SaaS) sufficient, or should Risk push back to Scope to widen to other finance-team mailboxes that may have received the same email?
The handoff is one screen of structured text. Every line points Risk at a specific decision. Nothing requires re-reading the SIEM query history.
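The decision patterns and the handoff failure modes above, turned into a check, as an added example (this is not the methodology’s own tooling): a small Python linter that flags the four failure modes, then applies the three decision patterns to a handoff that passes. The data model, the data source attached to each chain step, whether each coverage gap is material, and the rule that a high-confidence attribution needs more than one indicator are assumptions; sample_handoff() encodes the handoff shown above, and broken_handoff() is a constructed counterexample.

```python
# Added example: lint an Uncover-to-Risk handoff, then apply Risk's decision.
# Data model, per-step sources, gap materiality and the attribution threshold
# are assumptions chosen to mirror the page's five artifacts.
from __future__ import annotations
import re
from dataclasses import dataclass, field
from typing import Optional

ATTACK_ID = re.compile(r"^T\d{4}(?:\.\d{3})?$")  # T1566 or T1566.001
CONFIDENCE = ("high", "medium", "low")


@dataclass
class Step:
    technique: str                    # ATT&CK ID the step maps to
    source: str                       # data source that confirmed the step
    confidence: Optional[str] = None  # high / medium / low, or missing

@dataclass
class Entity:
    name: str
    role: str                         # "primary" or "secondary", as set by Scope
    verdict: str                      # "confirmed", "ruled_out" or "unresolved"
    confidence: Optional[str] = None
    in_original_scope: bool = True    # False: surfaced by Uncover beyond Scope's boundary

@dataclass
class Gap:
    what: str
    material: bool                    # does the missing data bear on the verdict?

@dataclass
class Handoff:
    chain: list[Step]
    entities: list[Entity]
    coverage_gaps: list[Gap]
    attribution: Optional[str] = None
    attribution_confidence: Optional[str] = None
    attribution_indicators: list[str] = field(default_factory=list)


def lint_handoff(h: Handoff) -> list[str]:
    """One message per handoff failure mode found; an empty list means clean."""
    problems = []
    for i, s in enumerate(h.chain, 1):
        if not ATTACK_ID.match(s.technique):
            problems.append(f"step {i}: '{s.technique}' is prose, not an ATT&CK ID")
        if s.confidence not in CONFIDENCE:
            problems.append(f"step {i}: no confidence label")
    for e in h.entities:
        if e.verdict != "unresolved" and e.confidence not in CONFIDENCE:
            problems.append(f"entity {e.name}: verdict without confidence label")
    if not h.coverage_gaps:  # telemetry is never complete; none listed means unstated
        problems.append("no coverage gaps declared")
    if h.attribution:
        if h.attribution_confidence not in CONFIDENCE:
            problems.append("attribution claimed without a confidence label")
        elif h.attribution_confidence == "high" and len(h.attribution_indicators) < 2:
            problems.append("high-confidence attribution rests on a single indicator")
    return problems


def risk_decision(h: Handoff) -> tuple[str, str]:
    """('close' | 'rescope' | 'continue', reason). Refuses a handoff that fails lint."""
    problems = lint_handoff(h)
    if problems:
        raise ValueError("repair the handoff first: " + "; ".join(problems))
    widened = [e.name for e in h.entities if e.verdict == "confirmed" and not e.in_original_scope]
    if widened:  # pattern 2: clearly in play, but outside Scope's boundary
        return "rescope", "confirmed entities outside scope: " + ", ".join(widened)
    material = [g.what for g in h.coverage_gaps if g.material]
    if material:  # pattern 3: gaps material to the verdict
        return "continue", "material gaps: " + ", ".join(material)
    unresolved = [e.name for e in h.entities if e.verdict == "unresolved"]
    if unresolved:  # pattern 3: mixed evidence
        return "continue", "unresolved entities: " + ", ".join(unresolved)
    weak = [e.name for e in h.entities
            if e.role == "primary" and e.verdict == "confirmed" and e.confidence != "high"]
    if weak:
        return "continue", "primaries below high confidence: " + ", ".join(weak)
    return "close", "one explanation, primaries at high confidence, gaps non-material"


def sample_handoff() -> Handoff:
    """The handoff shown above, encoded; sources and materiality are assumed."""
    steps = [("T1566.001", "mail gateway"), ("T1204.002", "EDR process tree"),
             ("T1059.001", "EDR command line"), ("T1105", "EDR file events"),
             ("T1071.001", "proxy logs"), ("T1078.004", "SSO audit log")]
    return Handoff(
        chain=[Step(t, src, "high") for t, src in steps],
        entities=[Entity(n, r, "confirmed", "high") for n, r in [
            ("dlin", "primary"), ("laptop-finance-09", "primary"),
            ("dlin cloud SSO identity", "primary"), ("laptop-finance-12", "secondary"),
            ("cloud finance platform", "secondary")]],
        coverage_gaps=[Gap("finance platform in-app activity (vendor logs pending)", True),
                       Gap("mobile-app activity on BYOD phones", False)],
        attribution="known campaign", attribution_confidence="medium",
        attribution_indicators=["dropper hash"])


def broken_handoff() -> Handoff:
    """Constructed counterexample that trips all four failure modes."""
    return Handoff(
        chain=[Step("T1566.001", "mail gateway", "high"),
               Step("user opened the attachment", "EDR", "high"),  # prose, not ATT&CK
               Step("T1059.001", "EDR", None)],                    # no confidence label
        entities=[Entity("dlin", "primary", "confirmed", "high")],
        coverage_gaps=[],                                          # silent gaps
        attribution="known campaign", attribution_confidence="high",
        attribution_indicators=["dropper hash"])                   # single indicator
```

Run against the sample, the linter returns nothing and the decision comes out "continue", because the pending vendor-log gap was marked material; flip every gap to non-material and it closes, add a confirmed entity outside Scope’s boundary and it rescopes. The broken handoff raises instead of deciding, which is the point: Risk should not make the binary call on a chain without confidence labels or on silent gaps.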