In this section
The Escalation Decision Matrix
What you already know
You can grade an incident's severity defensibly. The grade is only useful if it triggers the right response, and that means knowing exactly who to contact, and how, for each tier, before the clock is running.
Scenario
A High-severity incident lands at 02:00 and the responder, unsure who to wake, calls everyone: CISO, IR lead, legal, the managed SOC. Three of the four didn't need to be on that call yet, and now the next real escalation gets a slower response because the team has been desensitized. The matrix tells you precisely who each tier reaches, so escalation stays a signal, not noise.
You have classified the incident as High severity. Who do you call? The IR team lead? The CISO? Legal? The managed SOC? All of them? The triage responder who gets the classification right but the escalation wrong, notifying the wrong people, at the wrong time, through the wrong channel, creates confusion that delays the response. Under-escalation means the IR team finds out hours late. Over-escalation means the CISO receives a 02:00 phone call about a failed password spray. Both erode trust. This subsection provides the escalation decision matrix: for each severity level, who gets notified, when, through which channel, and what information they need.
Figure TR7.2. Escalation matrix. Filled circles indicate mandatory notification. Outlined circles with "?" indicate conditional notification based on insider threat or regulatory factors. Dashes indicate no notification required at that severity level.
The escalation decision per severity tier
Critical. Immediate, all parties:
The first phone call goes to the IR team lead (or the on-call IR responder if outside business hours). The second notification goes to the CISO or CTO, whoever has incident command authority. Legal is notified for regulatory assessment. The MSSP (BlueVoyant at NE) is engaged for concurrent support: an extra set of eyes and an additional containment execution capability. HR is notified only if the incident involves a potential insider threat.
At NE, the Critical escalation path:
1. IR team lead: phone call (not email, not Slack, phone call)
2. CISO: phone call within 15 minutes of triage classification
3. Legal: email with "CRITICAL INCIDENT" subject line
4. BlueVoyant: escalation via the managed SOC portal + phone call to the NE account manager
5. HR: only if insider indicators present
High. IR team and management within 15 minutes:
The IR team is notified via the primary communication channel (at NE: Teams incident channel + phone call to on-call IR). Management (CISO/CTO) receives a structured notification within 1 hour: not an immediate phone call, but a written summary. Legal is notified only if the triage evidence suggests a regulatory trigger (personal data exposure, sector-specific requirements). The MSSP is informed for awareness and potential support.
Medium. IR team assignment within 4 hours:
The incident is documented in the ticketing system with the triage report attached. The IR team lead is notified via email or Slack, not phone. The incident is assigned for investigation within the next 4 hours (or next business day if the alert fires after hours). Management is not notified for Medium unless the investigation escalates the severity. The MSSP is not engaged.
Low. Standard ticket queue:
The alert is documented with the triage assessment, filed in the standard SOC ticket queue, and reviewed within 24 hours. No escalation to IR team, management, legal, or MSSP.
Worked NE escalation examples
Critical escalation. CHAIN-HARVEST ransomware indicators (Saturday 01:45):
01:47 — Phone call to IR lead (S. Park). Answered at 01:48. Brief: "Ransomware pre-encryption on FILE-SVR-01. VSS deletion plus suspicious service. Requesting immediate isolation authorization."
01:49 — IR lead authorizes isolation. Defender for Endpoint isolation executed.
01:50 — Phone call to CISO (D. Thompson). Answered at 01:52. Brief: "Critical incident. Ransomware indicators on file server. Isolated. IR team mobilizing. Next update in 30 minutes."
01:53 — Email to legal (a.marsh@northgateeng.com). Subject: "CRITICAL SECURITY INCIDENT — INC-NE-2026-0418-001"
01:54 — BlueVoyant portal escalation + phone to account manager. Brief: "Critical — ransomware. Need concurrent monitoring + IOC check."
Total escalation time: 7 minutes from alert to all parties notified. The phone calls are sequential because there is only one on-call responder. In a team operation, these would be parallel.
High escalation. AiTM credential compromise (Tuesday 10:15):
10:18 — Teams incident channel: "@IR-Team — High severity. AiTM confirmed for j.morrison. Cloud session revoked. Triage in progress."
10:20 — Phone call to on-call IR analyst (M. Torres). Answered immediately. Brief: "Confirmed AiTM. j.morrison. Session revoked, checking for VPN/endpoint activity. May need your help with KAPE if this expands."
10:35 — Email to CISO. Subject: "Security Incident — HIGH — Credential Compromise". Body: 3-sentence executive summary from TR7.6 template.
10:36 — BlueVoyant Teams channel: standard coordination message with IOCs.
No phone call to CISO (High, not Critical). No legal notification (no regulatory trigger identified yet, will notify if triage reveals personal data exposure). No HR notification (no insider indicators).
Medium escalation. Suspicious SharePoint downloads (Wednesday 16:30):
16:35 — Sentinel incident comment: "Investigating. r.chen 3x baseline SharePoint downloads. No auth anomaly. Checking pattern."
16:45 — Email to IR team lead: "Medium severity — possible data exfiltration or legitimate project activity. r.chen bulk SharePoint downloads. Assigning for investigation. Recommend checking with r.chen's manager tomorrow if pattern is unexplained."
No phone calls. No CISO notification. No MSSP engagement. The incident enters the standard investigation queue.
Anti-Pattern
Escalating to everyone, or to the wrong channel
Calling every stakeholder for every incident trains them to ignore you, and reaching the right person on the wrong channel (an email for a Critical, a 3am call for a Medium) is its own failure. Match the tier to the defined recipients and channel. Over-escalation burns the credibility you'll need when it's genuinely Critical.
Communication channels per stakeholder
The channel matters as much as the timing. A Critical incident notification buried in a Slack channel that the CISO does not check at 02:00 is effectively not sent.
IR team: Primary: phone call (Critical/High). Secondary: Teams incident channel. Tertiary: email. At NE, the on-call IR responder carries a duty phone; this is the Critical/High channel. The Teams incident channel is for ongoing coordination after the initial phone call.
CISO/CTO: Primary: phone call (Critical). Secondary: email with "INCIDENT" in subject (High). The CISO does not need a phone call for High severity: a structured email is sufficient because the response timeline (1 hour) allows email delivery and reading. The CISO does need a phone call for Critical because the response timeline (immediate) requires real-time acknowledgment.
Legal: Primary: email to the legal contact with "SECURITY INCIDENT, [SEVERITY]" in the subject line. Legal does not need a phone call: their role during triage is regulatory assessment, which begins when they read the notification, not when they answer the phone. Exception: if the incident involves a confirmed data breach of regulated data (GDPR, HIPAA, PCI DSS), a phone call is appropriate because the regulatory clock is running.
MSSP (BlueVoyant): Primary: managed SOC portal escalation (creates a ticket in their queue). Secondary: phone call to the NE account manager (Critical only). The portal escalation includes the triage report, the severity classification, and the specific support request (concurrent monitoring, additional containment execution, IOC sharing).
HR: Primary: phone call to the HR security liaison (not the general HR inbox). HR is only engaged for insider threat indicators; this is a sensitive notification that should not go through general channels. The phone call ensures the information reaches the right person and that the investigation does not alert the suspected insider.
Compliance Myth: "The CISO should be notified of every security incident regardless of severity; they need complete visibility." Reality: A CISO who receives notifications for every Low and Medium alert stops reading them. Notification fatigue is real and dangerous: when the Critical notification arrives, it competes with dozens of Low/Medium notifications in the same inbox. The CISO should receive: all Critical notifications (immediate phone call), all High notifications (email within 1 hour), a weekly summary of Medium incidents with trends, and a monthly summary of Low incidents. This structure ensures the CISO reads every notification they receive, because every notification they receive is significant.
⚖ Decision Point: Escalating across organizational boundaries
The triage reveals that the compromised account belongs to a contractor managed by an external vendor. The vendor's IT team manages the contractor's endpoint. Do you escalate to the vendor?
Yes, immediately for Critical/High when the vendor's systems are part of the attack chain (e.g., the contractor's VPN is the entry point, or the contractor's endpoint has lateral movement to your infrastructure). The vendor needs to contain on their side while you contain on yours. Use the vendor security contact defined in the service agreement, not the vendor's general support line.
Not during triage for Medium/Low. Document the vendor involvement in the triage report and include it in the investigation handoff. The IR team decides whether and how to engage the vendor during the investigation phase.
The after-hours escalation adjustment
The escalation matrix shifts after business hours. The core question: is this important enough to wake people up?
Critical: No adjustment. The escalation path is identical at 02:00 and 14:00: phone calls to IR lead, CISO, legal. If the IR lead does not answer within 5 minutes, escalate to the backup IR contact. If no IR contact answers, escalate to the CISO directly; they own the decision to mobilize alternative resources.
High: Adjusted. The IR on-call responder is notified by phone. Management notification shifts from "within 1 hour" to "within 1 hour or at 07:00, whichever is earlier." The CISO does not need a 02:00 phone call for High severity unless the triage evidence suggests escalation to Critical is likely. Send the email notification; the CISO will see it when they wake up.
Medium: Adjusted. Email notification to the IR team; no phone calls. Investigation begins at the start of the next business day. The after-hours triage responder documents the triage report and assigns the ticket, nothing more.
Low: No after-hours action. Document in the morning.
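The tier rules above, together with the channel guidance and the after-hours adjustment, can be encoded as a lookup that a responder or a runbook automation consults at classification time. This is an added example, not NE's or BlueVoyant's tooling; the 08:00-18:00 business window, the contact labels in the Critical phone chain and the two example timestamps are assumptions constructed from the text.

```python
from dataclasses import dataclass
from datetime import datetime, time

BUSINESS_START, BUSINESS_END = time(8, 0), time(18, 0)  # assumed NE business hours
CRITICAL_CALL_CHAIN = ["IR lead", "backup IR analyst", "CISO", "BlueVoyant emergency line"]
SATURDAY_0145 = datetime(2026, 4, 18, 1, 45)  # timestamp of the worked Critical example
TUESDAY_1015 = datetime(2026, 4, 21, 10, 15)  # timestamp of the worked High example

@dataclass(frozen=True)
class Notification:
    party: str
    channel: str
    deadline: str

def is_after_hours(now: datetime) -> bool:  # weekend, or outside the assumed window
    return now.weekday() >= 5 or not (BUSINESS_START <= now.time() < BUSINESS_END)

def escalation_plan(severity: str, now: datetime, insider: bool = False,
                    regulatory: bool = False) -> list[Notification]:
    after_hours = is_after_hours(now)
    plan = []
    if severity == "Critical":  # identical path at 02:00 and 14:00
        plan += [Notification("IR lead", "phone", "immediate"),
                 Notification("CISO", "phone", "within 15 min of classification"),
                 Notification("Legal", "email, subject CRITICAL INCIDENT", "immediate"),
                 Notification("BlueVoyant", "SOC portal + phone to account manager", "immediate")]
    elif severity == "High":
        due = "within 1 hour or at 07:00, whichever is earlier" if after_hours else "within 1 hour"
        plan += [Notification("IR on-call", "Teams incident channel + phone", "within 15 min"),
                 Notification("CISO", "email, INCIDENT in subject (no phone)", due),
                 Notification("BlueVoyant", "SOC portal, awareness only", due)]
        if regulatory:  # Legal only when triage evidence shows a regulatory trigger
            plan.append(Notification("Legal", "email, subject SECURITY INCIDENT, HIGH", due))
    elif severity == "Medium":
        due = "next business day" if after_hours else "within 4 hours"
        plan.append(Notification("IR lead", "email or Slack (no phone)", due))
    elif severity == "Low":
        plan.append(Notification("SOC ticket queue", "ticket", "review within 24 hours"))
    else:
        raise ValueError(f"unknown severity: {severity}")
    if insider and severity in ("Critical", "High"):  # HR only on insider indicators
        plan.append(Notification("HR security liaison", "phone, not general HR inbox", "immediate"))
    return plan

def next_critical_contact(unanswered: list[str]) -> str:
    """Next phone contact in the Critical chain after earlier ones did not answer in 5 min."""
    for contact in CRITICAL_CALL_CHAIN:
        if contact not in unanswered:
            return contact
    raise RuntimeError("escalation chain exhausted")
```

Unknown severities raise rather than silently producing an empty plan, so a mis-typed tier cannot become a missed escalation.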
Troubleshooting escalation
Problem: The IR team lead is unreachable during a Critical incident. The escalation path must have redundancy. At NE: primary IR lead → backup IR analyst → CISO → BlueVoyant emergency line. Document the full escalation chain with phone numbers in the on-call runbook (TR7.10). Test the chain quarterly: call each number during business hours and verify it reaches the right person.
Problem: Management demands to be notified of all incidents, overriding the matrix. Push back with data. Track the notification volume for one month: "You would receive 47 notifications — 3 Critical, 8 High, 19 Medium, 17 Low. Do you want 47 phone calls per month, or do you want to receive the 3 Critical calls and a weekly summary of the rest?" Frame the matrix as a way to ensure the Critical notifications get the attention they deserve.
Problem: The MSSP takes too long to respond to the portal escalation. The managed SOC portal creates a ticket; it does not guarantee an immediate response. For Critical incidents, the portal escalation must be paired with a phone call. If the MSSP consistently fails to respond within the SLA, escalate to the account manager and document the response time gap. This is a service delivery issue, not a triage issue.
Try it: Map your organization's current escalation path. For each severity level, document who is currently notified, through which channel, and within what timeline. Compare this with the matrix in this subsection. Identify the gaps: is there a defined after-hours path? Is there a backup contact for every primary contact? Is legal included for Critical? Is the MSSP engagement process documented? Every gap you identify now is a gap that will cause confusion during a real incident.