In cybersecurity, triage is the initial process of assessing and prioritizing security alerts, events, or incidents to determine their severity, impact, and the appropriate level of response required.

Cybersecurity triage is a critical first step in the incident response lifecycle, focusing on the rapid evaluation of incoming security alerts and events. Its primary goal is to quickly distinguish between benign activity, false positives, and genuine threats, then prioritize the latter based on factors such as potential impact, urgency, and likelihood of exploitation.

What is Triage in Cybersecurity?

In cybersecurity, triage is the initial process of assessing and prioritizing security alerts, events, or incidents to determine their severity, impact, and the appropriate level of response required. This methodical process involves collecting initial information, categorizing the event, determining its severity, and assigning it to the appropriate team or automated workflow for further investigation and resolution.

The term originates from medical emergency contexts, where healthcare professionals must quickly assess patients and prioritize treatment based on the severity of their conditions. Similarly, security teams must rapidly evaluate incoming alerts to focus resources where they matter most.

Why is Triage Important in Incident Response?

Effective triage serves several critical functions within a security operations center (SOC):

  • Resource optimization: Ensures that limited security resources are focused on the most critical threats
  • Alert fatigue prevention: Helps analysts avoid burnout by filtering noise from genuine threats
  • Damage minimization: Enables rapid response to actual attacks before they escalate
  • Operational efficiency: Streamlines the incident response workflow and reduces mean time to response (MTTR)

How to Conduct Incident Triage?

A structured triage process typically follows these steps:

  1. Initial data collection: Gather relevant information about the alert, including source, timestamp, affected systems, and associated indicators of compromise (IOCs)
  2. Categorization: Classify the event type (malware, unauthorized access, data exfiltration, etc.)
  3. Severity assessment: Evaluate potential impact on confidentiality, integrity, and availability of systems and data
  4. Prioritization: Rank the incident against others based on urgency and business impact
  5. Assignment: Route to the appropriate team or automated response workflow

When Does Incident Triage Occur?

Triage occurs at the earliest stage of incident response, immediately after an alert is generated by security tools such as SIEM systems, endpoint detection and response (EDR) platforms, or intrusion detection systems (IDS). It serves as the gateway between alert generation and formal incident investigation.

Which Incidents Require Immediate Triage?

While all security alerts should be triaged, certain scenarios demand immediate attention:

  • Alerts involving critical infrastructure or high-value assets
  • Indicators of active data exfiltration
  • Signs of ransomware deployment
  • Compromised privileged accounts
  • Alerts affecting customer-facing systems

Practical Examples

Example 1: Brute-Force Attack Detection

A SIEM system generates an alert for multiple failed login attempts on a critical server. During triage, the analyst reviews the source IP addresses, timing patterns, and targeted accounts. The investigation reveals automated login attempts from a known malicious IP range, confirming a brute-force attack. The incident is escalated for immediate response, including IP blocking and password resets for targeted accounts.
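The five triage steps listed earlier, applied to the failed-login alert in this example, as an added illustration that is not part of the original page. The asset inventory, privileged-account list, thresholds, priority bands and sample events are all constructed assumptions, not values from any real SIEM.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed asset inventory and privileged-account list (hypothetical values, not from the page).
ASSET_CRITICALITY = {"db-prod-01": "critical", "test-vm-07": "low"}
PRIVILEGED_ACCOUNTS = {"root", "administrator", "svc_backup"}

def collect(events):
    """Step 1: summarise the raw login events per source IP (targets, outcomes, timing)."""
    by_src = defaultdict(lambda: {"failed": 0, "success": 0, "users": set(), "times": []})
    for e in events:
        s = by_src[e["src_ip"]]
        s["failed" if e["outcome"] == "failure" else "success"] += 1
        s["users"].add(e["user"])
        s["times"].append(datetime.fromisoformat(e["ts"]))
    return by_src

def categorize(summary, threshold=10, window=timedelta(minutes=5)):
    """Step 2: label the event type; many failures from one source inside the window = brute force."""
    for src, s in summary.items():
        if s["failed"] >= threshold and max(s["times"]) - min(s["times"]) <= window:
            return "brute_force", src
    return "benign_or_false_positive", None

def assess_severity(host, summary, src):
    """Step 3: score CIA impact from asset criticality, a guessed credential, and privileged targets."""
    score = {"critical": 3, "high": 2, "medium": 1, "low": 0}[ASSET_CRITICALITY.get(host, "medium")]
    score += 2 if summary[src]["success"] > 0 else 0                  # confidentiality: a credential was guessed
    score += 1 if summary[src]["users"] & PRIVILEGED_ACCOUNTS else 0  # integrity: a privileged account was targeted
    return score

def triage(alert):
    """Steps 4 and 5: map the severity score to a priority band and route it to a team."""
    summary = collect(alert["events"])
    category, src = categorize(summary)
    if category != "brute_force":
        return {"category": category, "priority": "P4", "assign_to": "auto-close"}
    sev = assess_severity(alert["host"], summary, src)
    priority = "P1" if sev >= 5 else "P2" if sev >= 3 else "P3"
    return {"category": category, "source_ip": src, "severity": sev, "priority": priority,
            "assign_to": "incident-response" if priority == "P1" else "soc-tier2"}

# Constructed sample alert: 12 failures then a success for root on a critical host within one minute.
SAMPLE_ALERT = {"host": "db-prod-01", "events": [
    {"ts": f"2024-01-01T10:00:{i:02d}", "src_ip": "203.0.113.5", "user": "root", "outcome": "failure"}
    for i in range(12)] + [
    {"ts": "2024-01-01T10:01:00", "src_ip": "203.0.113.5", "user": "root", "outcome": "success"}]}

if __name__ == "__main__":
    print(triage(SAMPLE_ALERT))
```

The same alert against a low-value host with no successful login and no privileged target lands in P3 and is routed to the SOC queue instead, which is the prioritization difference the example above is meant to show.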

Example 2: Executive Phishing Attempt

An email security gateway flags a suspicious email detected in an executive's inbox. Triage involves analyzing the email headers, attachment or link payload, and checking if the recipient interacted with the message. If analysis confirms a malicious payload and user click-through, the incident is prioritized for credential reset, endpoint scanning, and organization-wide awareness notification.

Additional Resources

For more information on incident triage and response best practices, consult these authoritative sources: