Severity Classification and Escalation: Tier Bands and Timelines

5-6 hours · Module 8

A tier is not a label

You ran the card and the hybrid backdoor came out High. Now ask the question that exposes whether you actually have a severity system or just a vocabulary: what does High oblige you to do, and by when? If the answer is vague, a sense that High is bad and someone should look at it soon, then the tier is a label you filed, not a decision you made, and it will not survive contact with a real incident. The failure is treating the tier as a name, Low, Medium, High, Critical, as if naming the badness were the output of triage. It is not. The output is an action with a deadline, and the tier's only job is to translate the grade into that. A severity tier that does not start a clock and name who must act is decoration.

This is also where two analysts who both say High can turn out to disagree completely. If High means "engage the on-call lead within fifteen minutes and begin containment" to one and "raise it in the morning standup" to the other, they are not using the same scale, they are using the same word for different commitments. A tier is only shared if the timeline and the obligations attached to it are shared, which is why the bands have to be defined as clocks and responsibilities, not adjectives. This sub turns the tier you derived into the thing it exists to produce: a defined response timeline and a defined set of who must act, so that grading an incident High is the same as committing to a specific clock, and the word carries the same meaning to everyone who reads it.

Each band is a clock and a roster

The four bands map to four response postures, and the way to hold them is as escalating clocks with escalating rosters, not as a scale of how worried to feel. A Low incident is real but contained or minor: it is handled in the normal queue on normal hours, owned by the triaging analyst, with no out-of-hours engagement; its clock is "this shift or next." A Medium incident needs attention but not alarm: it is worked promptly during the day, may pull in a second analyst or the team lead, and has a clock measured in hours, not days, but it does not wake anyone. The line between Low and Medium is whether it can wait for normal capacity; the line between Medium and High is whether it can wait for normal hours.

High and Critical are the bands that start real clocks. A High incident cannot wait for the morning: it engages the on-call responder now, regardless of the hour, with a clock measured in tens of minutes to first action, and it pulls in the incident lead and begins containment in parallel with continued scoping. A Critical incident is High plus organisational consequence (active wide-scale harm, confirmed major data loss, business-critical systems down): its clock is immediate and its roster reaches beyond the security team to leadership, and often legal and communications, because the response is no longer only technical. The bands are cumulative: each one carries everything the band below obliges plus a tighter clock and a wider roster. Grading to a band is choosing which clock you are starting and which people you are committing, and that is the whole reason the grade matters operationally: it is the difference between someone being woken at 3am and not.

Each band is a clock and a roster, not an adjective
LOW: normal queue, normal hours, owned by the triaging analyst. Clock: this shift or next. Roster: you.
MEDIUM: worked promptly during the day, may pull a second analyst or team lead. Clock: hours, not days. Roster: you + lead. No out-of-hours.
HIGH: engages on-call now regardless of hour, incident lead, containment in parallel. Clock: tens of minutes to first action. Roster: on-call + lead.
CRITICAL: High plus organisational consequence; response no longer only technical. Clock: immediate. Roster: + leadership, often legal and comms.

The bands are cumulative: each carries everything below it plus a tighter clock and a wider roster. Grading to a band is choosing the clock and the people, which is what makes the grade an action.

The lines between bands are the decisions

The useful thing about defining bands as clocks is that the boundaries become answerable questions rather than feelings. The Low-Medium line is "can this wait for normal capacity, or does it need attention promptly today." The Medium-High line is the one that matters most operationally, "can this wait for normal hours, or does someone need to act now, out of hours if necessary," because that is the line that decides whether a person gets woken, and getting it wrong in either direction is expensive: cross it too readily and you burn out the on-call and erode trust in the page, hold back when you should have crossed it and an active incident runs unattended overnight. The High-Critical line is "is this contained within the security team's response, or does it have organisational consequence that pulls in leadership, legal, and communications." Each line is a specific question about timeline and roster, and the scorecard shape is what answers it.

This is where the shape from 8.1 does its operational work. The tier total tells you roughly which band, but the shape often decides the line, because what drives the score changes what the response needs and therefore which clock fits. An incident scoring High on active spread and containment urgency sits firmly above the Medium-High line, someone acts now, because the harm is compounding by the minute. An incident scoring the same total on data exposure and standing access also lands High, but the clock is subtly different, the harm is serious and continued but not accelerating by the minute, so "now" means engage promptly rather than this instant, while the roster may extend toward the regulatory and legal side that data exposure implies. Same band, the shape tuning the exact clock and roster within it. Reading the band off the total and then letting the shape set the precise timeline and people is how you turn a grade into the right response rather than a generic one.

The lines between bands are answerable questions
Low-Medium: can it wait for normal capacity?
Medium-High: can it wait for normal hours, or must someone act now? (wakes someone)
High-Critical: security-team only, or organisational?
Each line is a question about timeline and roster; the scorecard shape answers it.

The Medium-High line is the one that matters most, because it decides whether a person gets woken. Cross it too readily and you burn the on-call; hold back wrongly and an active incident runs overnight.

The common mistake

Treating the tier as a label that describes how bad the incident is, rather than a clock that commits you to a timeline and a roster. The analyst grades the incident High, writes "High" on the ticket, and moves on, having named the badness without starting anything, so the incident sits with a serious-sounding label and no clock running, no on-call engaged, no containment begun, until someone notices hours later that High apparently meant nothing.

The mirror failure is bands that mean different things to different people: High obliges immediate out-of-hours action to one analyst and a morning-standup mention to another, so the same grade produces wildly different responses and nobody can rely on what a tier means, which defeats the entire point of a shared scale. Both come from treating the tier as a word instead of a defined commitment.

The fix is to attach a clock and a roster to every band and to grade knowing you are choosing them: Low is normal-hours and you, Medium is promptly-today and a lead, High is now-regardless-of-hour and the on-call, Critical is immediate and leadership.

Then grading to a band is the same act as starting its clock and engaging its roster, and the word High carries the identical obligation to everyone who reads it. A tier that does not start a clock is decoration, and a tier whose clock varies by reader is not a scale at all.

Seeing it in the evidence

The same High, two clocks: how the shape that scored the hybrid backdoor sets the precise timeline within its band.

Where to find it

The band comes from the total you derived in 8.3, and the precise clock within it comes from the shape, which you read from the same evidence. For the hybrid backdoor, the service-principal sign-in history (AADServicePrincipalSignInLogs) shows the harm is continued but not accelerating, signing in steadily across days rather than spiking, which tells you the High clock here is engage-promptly rather than act-this-instant. Contrast an active-spread incident, where the endpoint and identity logons would show authentications against new hosts minute by minute, the accelerating shape that pushes the same band's clock to act-now. The total sets the band; the rate the evidence shows sets the clock inside it.

SIEM Console

Read the rate of harm from the evidence to set the precise clock within the band.

The backdoor's sign-ins binned over time show a steady cadence, not a spike, so the High clock is engage promptly and pull in the regulatory and legal roster that data exposure implies, rather than the act-this-instant clock an accelerating spread would demand. The band is the total; the shape and rate are what tune the timeline and roster inside it.

Splunk (SPL):
azure-aad-signin-sp sp_name="NE-Mail-Archiver"
| timechart span=1d count

Microsoft Sentinel (KQL):
AADServicePrincipalSignInLogs
| where ServicePrincipalName == "NE-Mail-Archiver"
| summarize signins = count() by bin(TimeGenerated, 1d)
| order by TimeGenerated asc

Microsoft Graph PowerShell:
# Steady cadence (not a spike) = High, engage-promptly clock, not act-this-instant
Get-MgAuditLogSignIn -Filter "servicePrincipalName eq 'NE-Mail-Archiver'" |
  Group-Object { $_.createdDateTime.Date } | Select-Object Name, Count

Read the output

Predict before running. The panel bins the backdoor's sign-ins over time, and the cadence is steady, a similar count each day, not a spike that accelerates. Read that rate as the clock-setter within the band.

The total put this incident at High, that band is settled. But High covers a range of clocks, from act-this-instant to engage-promptly, and the rate tells you which end. A steady cadence means the harm is continued, more mail readable each day, but it is not running away from you minute by minute, so the appropriate High clock is engage the on-call promptly and begin containment, not the drop-everything-this-second response an accelerating attack would demand.

Now imagine the contrast panel for an active-spread incident: the same query against logons would show a sharp climb, three hosts, then six, then ten over minutes, and that accelerating rate would push the same High band to its tightest clock, contain now, because every minute of delay is measurably more compromise. Same band, opposite rates, different clocks within it. Run the panel and read the cadence as the thing that tunes the timeline: the total chose the band, the rate chooses the clock inside it, and the data-exposure shape also widens the roster toward the legal and regulatory side that the next subs address.

Same High band, two clocks set by the rate of harm
Steady cadence (continued, not accelerating). Clock: engage promptly + legal roster.
Accelerating rate. Clock: contain now (tightest).
The total chose the band; the rate chooses the clock inside it.

Both are High. The steady backdoor wants engage-promptly and a wider legal roster; the accelerating spread wants the band's tightest clock. The rate the evidence shows decides which.
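The band definitions earlier in this sub and the rate-as-clock-setter reading of the panel, worked as an added example that is not the module's own tooling: each band is held as a clock and a roster, and the binned counts the panel produces decide which end of the High clock applies. The minute values, the steady/accelerating thresholds, and the sample series are assumptions constructed for the example.

```python
from __future__ import annotations
from dataclasses import dataclass
from statistics import median

@dataclass(frozen=True)
class Posture:
    first_action_min: int | None  # minutes to first action; None = normal queue, no clock
    roster: tuple[str, ...]
    out_of_hours: bool

# Bands are cumulative (each roster carries the one below); minute values are assumptions.
BANDS = {
    "Low": Posture(None, ("triaging analyst",), False),
    "Medium": Posture(240, ("triaging analyst", "team lead"), False),
    "High": Posture(30, ("triaging analyst", "on-call responder", "incident lead"), True),
    "Critical": Posture(0, ("triaging analyst", "on-call responder", "incident lead",
                            "leadership", "legal", "communications"), True),
}
HIGH_ACT_NOW_MIN = 10          # tightest High clock (assumed)
HIGH_ENGAGE_PROMPTLY_MIN = 30  # steady-harm High clock (assumed)

def cadence(binned_counts: list[int]) -> str:
    """Read the rate of harm from per-bin counts (e.g. sign-ins per day).
    'accelerating' = rising second half and last bin >= 2x median (thresholds assumed)."""
    if len(binned_counts) < 3:
        return "insufficient"
    half = binned_counts[len(binned_counts) // 2:]
    rising = all(b > a for a, b in zip(half, half[1:]))
    spike = binned_counts[-1] >= 2 * median(binned_counts)
    return "accelerating" if rising and spike else "steady"

def plan(band: str, binned_counts: list[int], driver: str) -> dict:
    """Turn a graded band into the commitment it stands for: a clock and a roster.
    driver is the scorecard shape, e.g. 'active spread' or 'data exposure'."""
    posture = BANDS[band]
    roster = list(posture.roster)
    clock = posture.first_action_min
    rate = cadence(binned_counts)
    if band == "High":
        # Same band, two clocks: the rate decides which end of High applies.
        clock = HIGH_ACT_NOW_MIN if rate == "accelerating" else HIGH_ENGAGE_PROMPTLY_MIN
    if driver == "data exposure":
        # Data exposure widens the roster toward the legal and regulatory side.
        roster += [r for r in ("legal", "regulatory") if r not in roster]
    return {"band": band, "rate": rate, "first_action_min": clock,
            "roster": roster, "out_of_hours": posture.out_of_hours}

# Constructed sample series (not real telemetry): steady daily SP sign-ins vs. spread per minute.
BACKDOOR_DAILY = [12, 11, 13, 12, 12, 11, 12]
SPREAD_PER_MIN = [1, 1, 2, 3, 6, 10]
```

Feeding the KQL panel's daily `signins` column into `plan("High", ..., "data exposure")` yields the engage-promptly clock with legal and regulatory added to the roster; the per-minute spread series yields the tightest High clock with the security-team roster only.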

Tier bands as clocks and rosters

Each band is a defined response timeline and a defined set of who acts. Grading to a band is starting its clock and engaging its roster, not filing a label.

Low: normal queue, normal hours, you

Real but contained or minor. Handled in the normal queue on normal hours, owned by the triaging analyst, no out-of-hours engagement. Clock: this shift or next. The Low-Medium line is whether it can wait for normal capacity.

Medium: promptly today, you plus a lead

Needs attention but not alarm. Worked promptly during the day, may pull a second analyst or the team lead, clock in hours not days, but wakes no one. The Medium-High line is whether it can wait for normal hours.

High: now regardless of hour, on-call plus lead

Cannot wait for the morning. Engages the on-call responder now, pulls the incident lead, begins containment in parallel with scoping. Clock: tens of minutes to first action. The shape and rate tune the exact clock within the band.

Critical: immediate, plus leadership, legal, comms

High plus organisational consequence: active wide-scale harm, confirmed major data loss, business-critical systems down. The response is no longer only technical; the roster reaches leadership and often legal and communications. Clock: immediate.

Your turn

Two analysts grade the same incident and both write "High" on the ticket. Analyst A then engages the on-call lead and begins containment immediately; Analyst B notes it for the morning standup. Both believe they have responded correctly to a High. What has gone wrong, and what would make "High" mean the same thing to both?

Reveal

What has gone wrong is that "High" is functioning as a word rather than a defined commitment, so the same grade has produced two incompatible responses and the scale is not actually shared. Both analysts are sincere, each believes they have handled a High correctly, and that is exactly the problem: if High can mean "act now, out of hours, engage the on-call" to one competent analyst and "raise it at the morning standup" to another, then the tier carries no reliable obligation, and grading an incident High tells you nothing about what will actually happen to it. The scale has the appearance of agreement, both wrote the same word, and none of the substance, because the word is not attached to a timeline and a roster. This is the failure the sub warns against: a tier whose clock varies by reader is not a scale at all.

What makes High mean the same thing to both is defining the band as a clock and a roster, not an adjective, and doing it in advance so it is not relitigated per incident. High has to be written down as something like "engage the on-call responder now regardless of the hour, pull in the incident lead, begin containment in parallel with continued scoping, first action within tens of minutes." Once that definition exists and is shared, grading an incident High is the same act as starting that clock and engaging that roster, and there is no room for one analyst to read it as a morning-standup item, because the band itself specifies out-of-hours immediate action. Analyst B is not making a defensible alternative interpretation of High; B is using the word without its committed meaning, and the fix is organisational: the bands are defined as clocks and rosters everyone shares, so the grade determines the response rather than leaving it to each reader.

The deeper lesson is the sub's core: a tier exists to translate the grade into an action with a deadline and a set of people, and if it does not do that identically for everyone, it is decoration, a serious-sounding label that commits no one to anything.

Where this leads: you can turn a grade into a band with a clock and a roster. But the number does not always get the band right on its own, some incidents carry a feature that must escalate them regardless of where the total lands. The next sub is the overrides: the conditions that lift an incident above its scored tier because the shape, not the total, is decisive.