Security Alert Triage Course

1-2 hours · Module 0

What triage is

Triage is the first hour of an incident: the work of turning an alert into a decision. Something fires. A sign-in flagged as risky, an EDR detection, a user forwarding a suspicious email, a log line that does not fit. Triage is everything between that signal and the moment you can say, with evidence behind you, what it is, how bad it is, who needs to act, and what happens next.

It is not the investigation. It is not the cleanup. It is the fast, evidenced assessment that decides whether an investigation needs to start at all, and how hard. Done well it points the whole response in the right direction inside minutes. Done badly it sends the team chasing a false alarm while a real intrusion runs, or it wakes fourteen people for a backup job and quietly teaches them to stop trusting the pager.

It helps to see where triage sits in the arc of a response, because its job is defined by its position. Everything upstream of it is automated and cheap: detections firing, rules matching, signals arriving faster than anyone can read them. Everything downstream of it is expensive and deliberate: investigation, containment, eradication, recovery, each consuming people and time. Triage is the narrow gate between the two, the point where a flood of cheap signals is turned into a small number of evidenced decisions about which ones deserve the expensive work. That position is what makes it decisive: it is the cheapest place in the whole response to change the outcome, because every later phase inherits the direction triage set.

Figure: Triage is the gate between cheap signals and expensive response. Upstream, signals: detections, rules, alerts; automated, high-volume, cheap. Triage: a flood in, a few evidenced decisions out. Downstream, response: investigate, contain, eradicate, recover; expensive. The cheapest place to change the outcome: every later phase inherits the direction triage set.

Triage earns its weight from its position: a narrow, cheap gate that decides which of many signals are worth the expensive work downstream.

This course teaches triage as a discipline: a repeatable method you apply to any alert, in any environment, with any toolset, and defend afterwards. Not a checklist for one platform. A way of working that survives a change of job, a change of stack, and an attacker you have never seen before.

Why the first hour decides the outcome

For years the numbers said you had time. Attackers dwelled in networks for weeks before doing anything you would notice, and triage could afford to be slow. That world is gone. The 2026 incident-response reporting is blunt about it: in the fastest cases, access obtained by one group is sold and handed to the next in under thirty seconds, and identity weaknesses sit at the centre of roughly nine out of ten investigations. The attacker is not breaking down the door. They are logging in with a stolen token, and the clock from that login to real damage now runs in minutes.

That is what makes triage decisive. The decisions that shape the entire response get made in the first hour, when you have the least information and the most pressure, and they are the decisions that cannot be taken back later.

Figure: Timeline from 0 min to about 60 min. Attacker: token replayed; mailbox read, lateral move; impact. Done in minutes. You: alert lands in queue; still triaging; not here yet.

The attacker crossed the finish line while your response was still forming. Triage is the only phase fast enough to change the result.

Get the first hour right and the response is fast and proportionate: the session is revoked while it still matters, the right people are moving, and the scope is contained before it grows. Get it wrong and the cost is not a near miss. It is the rest of the incident.

What getting it wrong actually costs

The two failure modes are not equal and they are not abstract. Work the alert below the way a real shift would, then see where each call lands.

Exercise: grade this alert. A service account signs in interactively at 02:14 and reads a file server it has never touched. Do you under-react, over-react, or pull evidence first?

The point is not that one answer is obvious. At 02:14, with a mid-range risk score and an account that genuinely might be a backup job, both wrong calls are tempting. Under-react and an active compromise sits in a queue while the attacker works the file server. Over-react a few times and the next real page gets ignored. The skill is not nerve or caution. It is reaching the defensible call fast, from evidence, and that is a method you can learn.

Figure: Two ways to get the first hour wrong. Under-react: grade a real compromise benign; it sits in the queue and a live intrusion runs unwatched. Over-react: escalate false alarms and wake people for a backup job; the next real page gets ignored. The skill is the defensible call, reached fast from evidence, not a default toward either error.

Both errors are real and both have a cost; triage is the discipline of avoiding both by grading from evidence rather than from how loud the alert was.

Why it is hard

If triage were "follow the runbook," it would not be a discipline worth a course. It is hard for reasons the tooling does not solve.

The signal is ambiguous. The same svc-backup sign-in is either an attacker on a stolen credential or a misconfigured job, and the alert text will not tell you which. The answer is in evidence you have to go and pull. And the loudest fact is rarely the one that matters: four thousand failed logins look alarming and mean nothing if none succeeded, while one quiet successful sign-in from a new ASN, a network this account has never signed in from, means everything.

The environments differ, but the method does not. A token replay in the cloud, a credential dump on a Windows host, and a web-shell on a Linux server leave different evidence in different places. The question you ask of that evidence is the same every time. Most analysts learn one environment's tooling and stall when the alert lands somewhere else. Watch the same triage question hold its shape across three stacks:

Across cloud, Windows, and Linux the triage question and the artifact stay the same; only the source and the query change.

That is the whole argument for learning triage as a method rather than a tool. The query language is where you type the question. The question, and knowing which question to ask, is the skill.
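To make both points concrete, here is an added example, not the course's own tooling, that asks the same question of three constructed sources: a JSON cloud sign-in log whose field names are this example's own, Windows 4624/4625 events, and sshd lines from a Linux auth.log. It also carries the four-thousand-failures point above: failures with no success score as noise, while a single quiet success from an ASN the account has never used scores as an escalation. The IP-to-ASN map and the account baseline are constructed stand-ins for the enrichment a SIEM would join against.

```python
"""Sign-in triage across three log sources: one question, three parsers.

Added example for this module, not the course's own code. All events, the
IP-to-ASN map and the account baseline are constructed; the cloud log's
field names are this example's own, not any vendor's schema.
"""
import json
import re
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class SignIn:
    """The artifact triage actually needs, whichever source it came from."""
    ts: str
    user: str
    success: bool
    src_ip: str
    interactive: bool


# Constructed enrichment: stands in for the ASN/GeoIP feed a SIEM joins against.
ASN_OF = {"203.0.113.7": 64496, "198.51.100.23": 64497, "192.0.2.50": 64498}

# Constructed baseline: svc-backup normally signs in only from the backup network's ASN.
BASELINE_ASN = {"svc-backup": {64498}}


# --- Source 1: cloud sign-in log as JSON lines (field names assumed for this example) ---
def parse_cloud(line: str) -> SignIn:
    d = json.loads(line)
    return SignIn(d["ts"], d["user"], d["ok"], d["ip"], d["interactive"])


# --- Source 2: Windows Security log, event 4624 (success) / 4625 (failure) ---
# Logon types 2 (Interactive), 10 (RemoteInteractive), 11 (CachedInteractive) put someone at a console.
INTERACTIVE_LOGON_TYPES = {2, 10, 11}


def parse_windows(ev: dict) -> SignIn:
    return SignIn(ev["TimeCreated"], ev["TargetUserName"], ev["EventID"] == 4624,
                  ev["IpAddress"], int(ev["LogonType"]) in INTERACTIVE_LOGON_TYPES)


# --- Source 3: Linux auth.log, sshd "Accepted"/"Failed" lines ---
SSHD_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ [\d:]+) \S+ sshd\[\d+\]: (?P<outcome>Accepted|Failed) \w+ for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)


def parse_linux(line: str) -> Optional[SignIn]:
    m = SSHD_RE.match(line)
    if not m:
        return None  # not a sign-in line; triage ignores it
    # An ssh session counts as interactive here: whoever got in holds a shell.
    return SignIn(m["ts"], m["user"], m["outcome"] == "Accepted", m["ip"], True)


def triage(user: str, events: List[Optional[SignIn]], baseline=BASELINE_ASN, asn_of=ASN_OF) -> dict:
    """The question that never changes: did anything succeed, and from where?"""
    mine = [e for e in events if e is not None and e.user == user]
    failures = sum(1 for e in mine if not e.success)
    successes = [e for e in mine if e.success]
    known = baseline.get(user, set())
    from_new_asn = [e for e in successes if asn_of.get(e.src_ip) not in known]
    if not successes:
        verdict = "noise"       # loud, but nothing got in
    elif from_new_asn:
        verdict = "escalate"    # quiet, and it got in from somewhere this account has never been
    else:
        verdict = "expected"    # a success, from where this account always is
    return {
        "failures": failures,
        "successes": len(successes),
        "from_new_asn": len(from_new_asn),
        "interactive_new_asn": any(e.interactive for e in from_new_asn),
        "verdict": verdict,
    }


def scenario_linux_spray() -> dict:
    """Four thousand failed ssh passwords, none accepted: alarming and inert."""
    lines = [
        f"Mar  1 {2 + i // 3600:02d}:{(i // 60) % 60:02d}:{i % 60:02d} fs01 sshd[2211]: "
        f"Failed password for svc-backup from 203.0.113.7 port {40000 + i} ssh2"
        for i in range(4000)
    ]
    return triage("svc-backup", [parse_linux(l) for l in lines])


def scenario_cloud_token() -> dict:
    """One failure, then one quiet interactive success from an ASN svc-backup has never used."""
    lines = [
        '{"ts":"2025-03-01T02:13:50Z","user":"svc-backup","ok":false,"ip":"203.0.113.7","interactive":true}',
        '{"ts":"2025-03-01T02:14:09Z","user":"svc-backup","ok":true,"ip":"198.51.100.23","interactive":true}',
    ]
    return triage("svc-backup", [parse_cloud(l) for l in lines])


def scenario_windows_job() -> dict:
    """The backup job itself: a network logon (type 3) from the baseline ASN."""
    events = [{"TimeCreated": "2025-03-01T02:14:09Z", "EventID": 4624,
               "TargetUserName": "svc-backup", "IpAddress": "192.0.2.50", "LogonType": 3}]
    return triage("svc-backup", [parse_windows(e) for e in events])


if __name__ == "__main__":
    for name in ("scenario_linux_spray", "scenario_cloud_token", "scenario_windows_job"):
        print(name, globals()[name]())
```

The parsers are the part that changes with the stack; `triage` is the part that does not. Note what the verdict is built from: a success count and a comparison against where the account has been before, never from how many lines the alert produced. In a real environment the baseline and the ASN lookup come from your SIEM's enrichment and the account's sign-in history, and the cloud parser would read the tenant's actual field names rather than the ones assumed here.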

And the clock never stops. Every minute you spend is a minute the attacker may be acting, so triage is not about the most complete answer. It is about the most useful answer in the time you have.

What you will be able to do

By the end of this course you will take any alert, in any environment your organisation runs, and work it to a defensible classification and a clean handoff inside the response window. You will know which evidence to pull and where it lives, how to read it, how to score severity from the evidence instead of from how loud the alert was, when to contain and when to preserve, and how to hand off so the next person starts ahead instead of starting over.

You will do this whether your SIEM is Sentinel or Splunk, your EDR is Defender or CrowdStrike, and whether the thing in front of you is a cloud tenant or a Linux box with nothing but its own logs. The tools are interchangeable. The method is not, and the method is what this course builds.

The next section draws the line that defines the discipline: where triage ends and investigation begins, and why confusing the two is the most common way the first hour gets wasted.