Triage vs Investigation

1-2 hours · Module 0

The line that defines the discipline

Triage and investigation are different jobs with different goals, and the fastest way to waste the first hour is to treat one as the other. Triage asks a narrow question: is this worth a full response, and how urgently? Investigation asks a wide one: what exactly happened, start to finish? Triage is bounded and decision-shaped. Investigation is open-ended and truth-shaped. You triage in order to decide whether to investigate, and the discipline lives in keeping those two apart under pressure.

The confusion runs both ways, and both directions are expensive. Pull triage toward investigation and you start reconstructing the full attack chain before you have even classified the alert: tracing every lateral hop, pulling six months of sign-in history, building the timeline an investigation would build. All of it good work, all of it in the wrong hour. While you do it, the decision that actually mattered, contain now or not, goes unmade and the window closes. Pull investigation toward triage and you commit the opposite error: you hand off a half-graded alert as though the work were finished, the investigation team inherits a verdict with no evidence under it, and they start again from nothing because nothing was actually established. The handoff that should have saved them an hour costs them one.

[Figure: The boundary is confused both ways, both expensive. Left: triage pulled toward investigation (reconstruct the chain before classifying: good work, wrong hour; the contain decision goes unmade). Right: investigation pulled toward triage (hand off a half-graded alert as finished, with no evidence under it; they start again from nothing). Holding the line is what makes triage finishable: pull exactly what the decision needs, then move.]

Both errors waste the first hour; the discipline is keeping the two jobs apart under pressure so triage stays a thing you can finish.

Hold the line and triage becomes finishable. That is the point of the boundary. There is always one more query you could run, one more thread you could pull, and an analyst who does not know where triage ends will keep pulling until the alert is stale and unclassified. An analyst who knows the boundary pulls exactly what the decision needs, makes the call, and moves.

What triage owns, and what it hands off

Triage answers four questions and stops. Everything past them belongs to the next phase. The split is not about depth, it is about purpose: triage establishes enough to decide, investigation establishes everything to understand.

Triage owns:
  Is it real?   True positive, false positive, or explained.
  How bad?      Severity, from evidence not from alarm.
  Who acts?     Escalation, on what timeline, to whom.
  What next?    Contain or preserve, and the handoff.

Investigation owns:
  Full attack-chain reconstruction
  Root cause and entry vector
  Complete scope of every host
  Attribution
  Eradication and recovery plan
  Lessons-learned and reporting
  Everything triage deliberately leaves.

Triage establishes enough to make four decisions. Everything investigation owns is real work that belongs to a later phase, not this hour.

Take the svc-backup alert from the last sub. Triage needs to know whether the interactive sign-in succeeded, whether the session is still live, and whether the file server it touched holds anything that raises the stakes. Three or four queries, ten minutes, and you can grade it and decide to contain. What triage does not need, and must not stop to build, is the complete map of everywhere that account has been in the last quarter, how the credential was stolen in the first place, or which other service accounts share its weakness. Those questions matter. They are simply the investigation's to answer, once triage has decided the investigation is warranted.

Notice the relationship between the two columns. When a triage question genuinely cannot be answered without the full attack chain, that is not a sign you should start reconstructing it. It is the signal that the alert has earned a full investigation, which is itself one of the four triage decisions. The boundary is not a wall you refuse to cross. It is the line at which you stop and hand the work to the phase built for it.
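To make the boundary concrete, here is an added example (not part of the course material) that grades the svc-backup alert with the four questions over constructed sign-in records and then stops, recording the investigation's questions in the handoff rather than answering them. The record fields, the host-sensitivity lookup, the approved-maintenance register and the verdict labels are all assumptions.

```python
from dataclasses import dataclass, field

# Constructed sign-in records in a simplified shape (not real Entra output).
SIGNINS = [
    {"user": "svc-backup", "kind": "noninteractive", "result": "success",
     "host": "BACKUP01", "session_live": False},
    {"user": "svc-backup", "kind": "interactive", "result": "success",
     "host": "FS01", "session_live": True},
]
# Constructed data-classification lookup for the hosts a session touched.
HOST_SENSITIVITY = {"FS01": "regulated", "BACKUP01": "internal"}
# Constructed change register: hosts with approved interactive maintenance.
APPROVED_MAINTENANCE = set()


@dataclass
class TriageVerdict:
    is_real: str            # "true_positive" | "false_positive" | "explained"
    severity: str           # "high" | "medium" | "low"
    escalate_to: str
    next_action: str
    handoff: list = field(default_factory=list)  # questions left for investigation


def triage_service_account_signin(account, signins, sensitivity, approved):
    """Answer the four triage questions and stop; defer everything else."""
    # Q1 Is it real? The anomaly is a service account signing in interactively.
    hits = [s for s in signins if s["user"] == account
            and s["kind"] == "interactive" and s["result"] == "success"]
    if not hits:
        return TriageVerdict("false_positive", "low", "none", "close with note")
    hit = hits[0]
    if hit["host"] in approved:
        return TriageVerdict("explained", "low", "none", "close, cite the ticket")
    # Q2 How bad? Graded from evidence: is the session live, what does the host hold.
    live = hit["session_live"]
    regulated = sensitivity.get(hit["host"], "unknown") == "regulated"
    severity = "high" if live and regulated else "medium" if live or regulated else "low"
    # Q3 Who acts, and on what timeline?
    escalate_to = {"high": "IR on-call, now", "medium": "tier 2, this shift",
                   "low": "queue for review"}[severity]
    # Q4 What next? Contain a live session; otherwise preserve and hand off.
    next_action = ("contain: revoke sessions, disable account" if live
                   else "preserve: snapshot host, retain sign-in logs")
    # Everything past the four questions is recorded for the handoff, not answered here.
    return TriageVerdict("true_positive", severity, escalate_to, next_action, [
        "full sign-in history for the account over the last quarter",
        "how the credential was obtained",
        "which other service accounts share the same weakness",
    ])
```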

Why this is what makes triage transferable

The four questions are the reason triage is a portable skill rather than a per-tool procedure. They do not change with the environment. "Is it real, how bad, who acts, what next" is the same interrogation whether the alert is a cloud token replay, a Windows credential dump, or a Linux web-shell. What changes is the evidence you pull to answer them, and that is a matter of knowing where each environment keeps its authentication log and its process history, not of learning a different discipline each time.

[Figure: Same four questions, different evidence source]
  The four questions: is it real? how bad? who acts? what next?
  Cloud token replay        evidence: Entra sign-in logs
  Windows credential dump   evidence: EDR process events
  Linux web-shell           evidence: syslog, shell history
  The discipline is the constant left column; the environment is just where it keeps each thing.

A triage method learned once transfers across every job, because the four questions hold their shape and only the evidence address changes.

An investigation, by contrast, goes as deep as the specific incident demands, and that depth is often tool- and environment-specific in ways that do not transfer. This is why a triage method learned once pays out across every job you will ever hold, and why the rest of this course spends its effort on the four questions and the judgment behind them rather than on any one platform's console.

The next sub covers how the course is built to teach that judgment: the method, the shape of each lesson, and how to get the most from it whatever your starting point.