Triage Instruments Overview
Three instruments, one job each
Triage runs on three instruments, and almost every alert you work from here on will pass through all three. This sub introduces them so you recognise them when they appear. It does not teach them. Each one gets a full treatment at the point in the course where you first need it, because an instrument taught before you have a problem for it to solve is just a definition to forget.
What matters now is the thing the three have in common: each exists to replace instinct with something repeatable and defensible. That is the through-line of the whole discipline. A gut call cannot be checked, cannot be handed off, and cannot be defended to a CISO at 3am or to an auditor three months later. An instrument turns the same judgment into something two analysts can apply to the same evidence and reach the same answer with, and something you can point at when asked why you called it what you called it. They are not bureaucracy. They are what makes a fast decision a trustworthy one.
They also map cleanly onto the flow of a single triage: you orient with one, grade with the second, and hand off with the third.
Orient, grade, hand off. You will meet each instrument in depth where the course first needs it; for now, know the shape.
The five-query pack
The five-query pack is your fast opening move: a small, fixed set of questions you can ask of almost any alert to build context quickly. Who is the account? Where did it connect from? What did it touch? When? Is it still happening? It is not the investigation and it is not the grade. It is the handful of queries that turn a one-line alert into enough of a picture to start scoring against.
It is written artifact-first, exactly as the last two subs argued, so it maps to whatever stack you run. "Pull the authentication events for this account, last 24 hours" is the same opening question in Sentinel, in Splunk, or on the box, and you will learn it as a question with several addresses rather than as five fixed queries in one language.
Five fixed questions that build enough context to start scoring; you learn them as questions with several addresses, not as queries in one language.
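The pack is easiest to see as code once the events are in an artifact-first shape. The block below is an added example, not the course's own pack: it runs the five questions over a constructed set of normalised authentication and access events (the account name svc-backup, the hosts, the addresses and the 15-minute "still live" cutoff are all assumptions made for the example) and returns one answer per question, so the same function stands in for "pull the authentication events for this account, last 24 hours" whatever stack produced the raw lines.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample events (illustrative, not from any real environment).
# They are already normalised to an artifact-first shape: whichever stack the
# raw line came from, these are the fields the five questions need. The
# account, hosts and addresses are placeholder names.
SAMPLE_EVENTS = [
    {"ts": "2024-05-01T01:52:10Z", "account": "svc-backup", "src": "10.20.5.14",
     "host": "bkp01", "action": "logon", "outcome": "success", "object": None},
    {"ts": "2024-05-01T01:58:00Z", "account": "j.doe", "src": "10.20.7.3",
     "host": "ws17", "action": "logon", "outcome": "success", "object": None},
    {"ts": "2024-05-01T02:09:41Z", "account": "svc-backup", "src": "203.0.113.77",
     "host": "bkp01", "action": "logon", "outcome": "failure", "object": None},
    {"ts": "2024-05-01T02:10:05Z", "account": "svc-backup", "src": "203.0.113.77",
     "host": "bkp01", "action": "logon", "outcome": "success", "object": None},
    {"ts": "2024-05-01T02:12:30Z", "account": "svc-backup", "src": "203.0.113.77",
     "host": "fs01", "action": "file_read", "outcome": "success",
     "object": "fs01:/shares/finance/payroll.xlsx"},
    {"ts": "2024-05-01T02:14:03Z", "account": "svc-backup", "src": "203.0.113.77",
     "host": "dc01", "action": "logon", "outcome": "success", "object": None},
]


def _parse_ts(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def five_query_pack(events, account, now, window=timedelta(hours=24),
                    live_after=timedelta(minutes=15)):
    """Answer the five opening questions for one account.

    window:     how far back to look (the "last 24 hours" of the text).
    live_after: activity this recent counts as still happening; the value is
                an assumption for this example, tune it to your alert latency.
    """
    cutoff = now - window
    mine = sorted(
        (e for e in events
         if e["account"] == account and cutoff <= _parse_ts(e["ts"]) <= now),
        key=lambda e: e["ts"],
    )
    if not mine:
        return {"account": account, "found": False}

    logons = [e for e in mine if e["action"] == "logon"]
    last_seen = _parse_ts(mine[-1]["ts"])
    return {
        "account": account,
        "found": True,
        # 1. Who: the account and how its authentication went in the window.
        "who": {
            "logon_success": sum(1 for e in logons if e["outcome"] == "success"),
            "logon_failure": sum(1 for e in logons if e["outcome"] == "failure"),
        },
        # 2. Where from: distinct sources in order of first appearance, so a
        #    new address showing up after a known one stands out.
        "where_from": list(dict.fromkeys(e["src"] for e in mine)),
        # 3. What it touched: hosts and any named objects.
        "what": {
            "hosts": sorted({e["host"] for e in mine}),
            "objects": sorted({e["object"] for e in mine if e["object"]}),
        },
        # 4. When: first and last activity in the window.
        "when": {"first": mine[0]["ts"], "last": mine[-1]["ts"]},
        # 5. Still happening: last activity within live_after of now.
        "live": (now - last_seen) <= live_after,
    }


if __name__ == "__main__":
    now = datetime(2024, 5, 1, 2, 20, tzinfo=timezone.utc)
    for account in ("svc-backup", "j.doe", "nobody"):
        print(five_query_pack(SAMPLE_EVENTS, account, now))
```

Run against the sample at 02:20, the pack shows svc-backup authenticating from a second, external address after a failure, reading a finance file and then logging on to a domain controller six minutes ago, which is exactly enough picture to start scoring. The point of the normalised record is that the only thing that changes per stack is the code that fills it, not the five questions.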
The triage scorecard
The scorecard is the central instrument of the course. It is a fixed set of questions you ask of every alert: evidence of compromise, scope, whether the activity is live or historical, what data is exposed, how urgent containment is, and a few more, each scored against what the evidence actually shows. The total maps to a severity tier. Just as important, the shape of the scores tells you what kind of incident this is and what it needs first, because a high score driven by data exposure needs a different first move than the same total driven by active spread.
The scorecard is the answer to the svc-backup problem from TR0.1. Faced with an ambiguous alert at 02:14, you do not reach for nerve or caution; you run the card, and the card turns the evidence into a grade you can stand behind. You will meet it in full in the severity module and use it in every triage after that.
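To make the "same total, different shape" point concrete, here is an added example of a scorecard in code. It is not the course's card: the five dimensions are the ones named above, but the score ranges, the tier thresholds, the first-move table and the rule that the dimension scored highest relative to its own maximum is the driver are all assumptions made for this example. The two alerts at the bottom score the same total and land in the same tier, yet one is driven by exposure and the other by spread, so they get different first moves.

```python
# Illustrative triage scorecard. The five dimensions are the ones the text
# names; the score ranges, tier thresholds and first-move mapping below are
# assumptions made for this example, not the course's own card.
DIMENSIONS = {
    # name:         (min, max)  meaning of the top score
    "evidence":     (0, 3),   # compromise confirmed by evidence, not inferred
    "scope":        (0, 3),   # many accounts or hosts involved
    "live":         (0, 2),   # activity is happening now, not historical
    "exposure":     (0, 3),   # sensitive or regulated data is exposed
    "containment":  (0, 3),   # containment cannot wait
}

# Lowest total that reaches each tier (assumed thresholds; the maximum total is 14).
TIERS = [(10, "SEV1"), (7, "SEV2"), (4, "SEV3"), (0, "SEV4")]

# Which dimension dominates decides the first move (assumed mapping).
FIRST_MOVE = {
    "evidence": "confirm the indicator, then pivot to scope",
    "scope": "enumerate every affected account and host",
    "live": "cut the active session or process now",
    "exposure": "identify the exposed data and lock it down",
    "containment": "isolate the host, then investigate",
}


def validate(answers):
    """Return a list of problems with the answers; an empty list means usable."""
    problems = []
    for name, (lo, hi) in DIMENSIONS.items():
        if name not in answers:
            problems.append(f"missing answer for {name}")
        elif not isinstance(answers[name], int) or not lo <= answers[name] <= hi:
            problems.append(f"{name} must be an integer in {lo}..{hi}")
    for name in answers:
        if name not in DIMENSIONS:
            problems.append(f"unknown dimension {name}")
    return problems


def score_alert(answers):
    """Grade one alert: total, tier, and the dimension driving the grade."""
    problems = validate(answers)
    if problems:
        # Refuse to grade on a partial card: a missing answer silently scored
        # as zero would understate severity.
        raise ValueError("; ".join(problems))
    total = sum(answers.values())
    tier = next(label for threshold, label in TIERS if total >= threshold)
    # The driver is the dimension scored highest relative to its own maximum;
    # ties go to the first listed, so order DIMENSIONS by what should win.
    driver = max(DIMENSIONS, key=lambda n: answers[n] / DIMENSIONS[n][1])
    return {
        "total": total,
        "tier": tier,
        "driver": driver,
        "first_move": FIRST_MOVE[driver],
    }


if __name__ == "__main__":
    # Same total, different shape: exposure-driven versus spread-driven.
    print(score_alert({"evidence": 2, "scope": 1, "live": 0, "exposure": 3, "containment": 2}))
    print(score_alert({"evidence": 2, "scope": 3, "live": 2, "exposure": 0, "containment": 1}))
```

Both calls total 8 and grade SEV2, but the first names exposure as the driver and the second names scope, and the first move follows the driver rather than the total. The validation step is deliberate: a card that accepts a blank answer and scores it as zero will grade an under-investigated alert as less severe than it is.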
The triage report
The triage report is the handoff deliverable: a short, structured summary, written fast, that tells the next person what you found, how you graded it, and what they are walking into. It is the difference between an investigation team that opens your report and starts moving and one that opens a one-line "looks bad, escalating" and has to redo the triage you already did.
A good triage report is the most undervalued instrument of the three. The scorecard protects your decision; the report protects everyone downstream of it. You will learn to write one that captures the evidence and the reasoning without slowing the response, which is a harder balance than it sounds and a skill in its own right.
That completes orientation. You know what triage is and where it stops, how the course teaches it, what environment the examples live in and how to map it to yours, how to build a lab to practise in, and the three instruments you will use throughout. The next sub is a brief summary and the bridge into the method itself, which begins with the evidence that disappears fastest.