In this section
Triage Orientation Summary
What orientation established
This module taught no triage moves, by design. Orientation sets the frame the method is built on, and that frame is now in place. Four things to carry forward.
The orientation frame. Everything the method teaches from here hangs on these four.
If only one of the four stays with you, make it the second: triage owns four questions and then stops. Almost every way the first hour goes wrong is a failure of that boundary, either pulling threads long past the point of a defensible call, or handing off before reaching one. The method you are about to learn is, in the end, a disciplined way of answering those four questions fast and knowing when each is answered well enough to move.
What comes next
From here the course teaches the method, module by module, in the order an incident actually unfolds. It starts with the evidence that disappears fastest.
When an attacker moves in minutes, the proof of what they did can vanish in minutes too. Tokens expire, sessions drop, volatile state is overwritten by normal activity. TR1 covers evidence volatility and the response clock: what to preserve first when the window is collapsing, and the order to capture it in, so you do not lose the evidence while you are still deciding what the alert means. It is the natural first move, because every later decision depends on evidence that still exists.
After that the course moves into the environments where today's incidents actually land, starting with identity, where roughly nine out of ten investigations begin.
With the orientation set, the shape of the discipline rather than the method, you move into TR1, where evidence volatility makes the first real triage decision: what to preserve, and how fast, before the window closes.
How was this module?
Your feedback helps us improve the course. One click is enough — comments are optional.