1.4 Escalation Framework

8-10 hours · Module 1 · Free

Introduction

Escalation is the mechanism that routes incidents from the person who detected them to the person who can resolve them. A well-defined escalation framework answers three questions at every point in an investigation: (1) Does this need to go higher? (2) Who does it go to? (3) How quickly?

Without a framework, escalation is ad hoc — the analyst either escalates everything (overwhelming senior staff) or escalates nothing (sitting on critical incidents they cannot resolve). Both failure modes are common and both are preventable.


Escalation triggers

Escalation is triggered by specific, observable conditions — not by subjective assessment of “how bad it looks.”

Escalate from T1 to T2 when:

  • Triage indicates a potential true positive (the playbook triage checks do not definitively rule out compromise)
  • The alert involves a high-value account (executive, administrator, finance, HR)
  • The alert involves multiple correlated detections for the same entity
  • The T1 analyst has completed triage checks and the playbook directs “proceed to investigation” (which requires T2 skills)
  • The T1 analyst is uncertain about classification and needs a second opinion

Escalate from T2 to T3 / SOC Manager when:

  • The incident involves more than 3 compromised accounts (campaign-scale)
  • The incident involves lateral movement or privilege escalation beyond identity compromise
  • Containment requires high-blast-radius actions (account disablement, device isolation, KRBTGT reset)
  • The investigation reveals data exfiltration or potential regulatory notification
  • The incident requires external communication (vendor notification, customer notification, law enforcement)
  • The T2 analyst’s investigation has been running for more than 4 hours without resolution

Escalate to CISO / Executive leadership when:

  • Incident is classified Critical
  • Confirmed data breach involving customer or regulated data
  • Financial loss confirmed or likely
  • Ransomware with active encryption
  • Incident involves executive accounts or sensitive business functions
  • Media or public attention is likely

The escalation matrix

The escalation matrix is a reference document — posted in the SOC workspace, pinned in the team chat, and included in every playbook.

ESCALATION MATRIX
======================================================
Business hours (09:00-17:00 Mon-Fri):

Alert severity | First responder | Escalation path
Low            | T1 analyst      | → T2 if uncertain
Medium         | T1 analyst      | → T2 within 30 min
High           | T2 analyst      | → SOC Manager within 15 min
Critical       | T2 analyst      | → SOC Manager immediately
                                 | → CISO within 30 min

After hours (17:00-09:00 and weekends):

Alert severity | First responder   | Escalation path
Low            | MDR provider      | Hold for morning handover
Medium         | MDR provider      | Triage and escalate if TP
High           | MDR provider      | → On-call analyst within 15 min
Critical       | MDR provider      | → On-call analyst immediately
                                   | → SOC Manager within 15 min

On-call rotation:
- Week of [date]: [Name] — [phone number]
- Week of [date]: [Name] — [phone number]

CISO contact: [Name] — [phone number]
Legal contact: [Name] — [phone number]
IT Ops contact: [Name] — [phone number]
======================================================
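The trigger lists and the matrix above are a decision procedure, and writing them down as one makes the routing and the SLA clock reproducible from alert to alert. The following is an added example written for this page, not tooling from the course: the Incident fields, the business-hours boundaries at exactly 09:00 and 17:00, the label "T3 / SOC Manager", and the assumption that the after-hours Medium row's "escalate if TP" goes to the on-call analyst are all assumptions made here.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Added example for this module: the escalation triggers and the escalation
# matrix as an executable decision routine. The Incident fields, the exact
# business-hours boundaries and the "T3 / SOC Manager" label are assumptions
# made for this example, not part of the course material.

BUSINESS_START, BUSINESS_END = 9, 17  # 09:00-17:00 Mon-Fri, as in the matrix

# severity -> (first responder, [(next hop, SLA in minutes)])
# SLA 0 means "immediately"; None means the hop is conditional (no clock).
MATRIX = {
    "business": {
        "Low":      ("T1 analyst", [("T2 analyst", None)]),        # only if uncertain
        "Medium":   ("T1 analyst", [("T2 analyst", 30)]),
        "High":     ("T2 analyst", [("SOC Manager", 15)]),
        "Critical": ("T2 analyst", [("SOC Manager", 0), ("CISO", 30)]),
    },
    "after_hours": {
        "Low":      ("MDR provider", []),                           # hold for morning handover
        "Medium":   ("MDR provider", [("On-call analyst", None)]),  # escalate only if TP (hop assumed)
        "High":     ("MDR provider", [("On-call analyst", 15)]),
        "Critical": ("MDR provider", [("On-call analyst", 0), ("SOC Manager", 15)]),
    },
}


def _as_datetime(ts):
    """Accept a datetime or an ISO 8601 string such as '2024-03-05T22:00'."""
    return datetime.fromisoformat(ts) if isinstance(ts, str) else ts


def is_business_hours(ts) -> bool:
    """Mon-Fri, 09:00 up to but not including 17:00; everything else is after hours."""
    ts = _as_datetime(ts)
    return ts.weekday() < 5 and BUSINESS_START <= ts.hour < BUSINESS_END


def route(severity: str, detected_at) -> dict:
    """Look up the matrix row for this severity and window and attach absolute deadlines."""
    detected_at = _as_datetime(detected_at)
    window = "business" if is_business_hours(detected_at) else "after_hours"
    first_responder, hops = MATRIX[window][severity]
    escalations = [
        {"target": target, "sla_minutes": sla,
         "deadline": detected_at + timedelta(minutes=sla) if sla is not None else None}
        for target, sla in hops
    ]
    return {"window": window, "first_responder": first_responder, "escalations": escalations}


@dataclass
class Incident:
    """Observable facts about an incident; each field corresponds to one trigger above."""
    severity: str
    triage_ruled_out: bool = True          # T1 checks definitively excluded compromise
    high_value_account: bool = False       # administrator, finance, HR (executive: see below)
    correlated_detections: int = 1
    t1_requests_t2: bool = False           # playbook says "proceed to investigation" or second opinion wanted
    compromised_accounts: int = 0
    lateral_movement: bool = False         # or privilege escalation beyond identity compromise
    high_blast_radius_containment: bool = False
    exfiltration: bool = False             # or potential regulatory notification
    external_comms_required: bool = False
    investigation_hours: float = 0.0
    regulated_data_breach: bool = False
    financial_loss: bool = False
    ransomware_active: bool = False
    executive_account: bool = False
    media_attention_likely: bool = False


def required_tier(inc: Incident) -> str:
    """Return the highest tier the trigger lists say must be involved right now."""
    tier = "T1"
    if (not inc.triage_ruled_out or inc.high_value_account
            or inc.correlated_detections > 1 or inc.t1_requests_t2):
        tier = "T2"
    if (inc.compromised_accounts > 3 or inc.lateral_movement
            or inc.high_blast_radius_containment or inc.exfiltration
            or inc.external_comms_required or inc.investigation_hours > 4):
        tier = "T3 / SOC Manager"
    if (inc.severity == "Critical" or inc.regulated_data_breach or inc.financial_loss
            or inc.ransomware_active or inc.executive_account or inc.media_attention_likely):
        tier = "CISO"
    return tier


if __name__ == "__main__":
    # Constructed sample: a Critical alert at 22:00 on a Tuesday (after hours).
    plan = route("Critical", "2024-03-05T22:00")
    for hop in plan["escalations"]:
        print(plan["first_responder"], "->", hop["target"], "by", hop["deadline"])
    print(required_tier(Incident(severity="High", compromised_accounts=4, lateral_movement=True)))
```

`route` answers "who does it go to and how quickly" from the matrix alone; `required_tier` answers "does this need to go higher" from the trigger lists, and the two can disagree (a Medium alert whose investigation crosses four hours still needs the SOC Manager). Keeping the SLA as an absolute deadline rather than "within 15 min" is what lets a ticketing system or a bot flag the breach of an escalation SLA without anyone doing the arithmetic at 02:00.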

Test the escalation path quarterly

An escalation matrix that has never been tested is an assumption, not a plan. Once per quarter, simulate a Critical severity incident after hours and verify: (1) The on-call analyst answers within the defined SLA. (2) The SOC manager can be reached. (3) The CISO contact information is current. (4) The MDR provider's escalation procedure works as contracted. Discovering that the on-call phone number is wrong during a real ransomware incident at 02:00 is a failure that should never happen.
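Part of the quarterly test can be done before anyone picks up a phone: a script can tell you that the matrix still contains placeholders, that a number is not dialable, that a contact has not been confirmed this quarter, or that next week has no on-call entry. The following is an added example, not tooling from the course; the record layout, the E.164 phone convention, the Monday-start rotation week and the 90-day verification window are assumptions made for this example.

```python
import re
from datetime import date, timedelta

# Added example (not the course's own tooling): a pre-check for the quarterly
# escalation drill. It flags placeholder contacts, malformed numbers, stale
# verification dates and gaps in the on-call rotation. The record layout,
# E.164 phone format and 90-day window are assumptions made for this example.

PLACEHOLDER = re.compile(r"^\s*(\[.*\]|TBD|TODO)?\s*$", re.IGNORECASE)  # "[Name]", empty, TBD
E164 = re.compile(r"^\+[1-9]\d{7,14}$")                                # dialable international number
MAX_VERIFY_AGE = timedelta(days=90)                                     # once per quarter


def check_contact(role, contact, today, require_verified=True):
    """Return a list of findings for one name/phone entry (empty list means it passes)."""
    findings = []
    if PLACEHOLDER.match(contact.get("name") or ""):
        findings.append(f"{role}: name is a placeholder or empty")
    phone = contact.get("phone") or ""
    if PLACEHOLDER.match(phone):
        findings.append(f"{role}: phone is a placeholder or empty")
    elif not E164.match(phone):
        findings.append(f"{role}: phone {phone!r} is not in E.164 form")
    if require_verified:
        verified = contact.get("verified")
        if verified is None or today - verified > MAX_VERIFY_AGE:
            findings.append(f"{role}: not verified in the last {MAX_VERIFY_AGE.days} days")
    return findings


def check_rotation(rotation, today, weeks_ahead=2):
    """Every rotation week from today through weeks_ahead needs an entry with real details."""
    findings = []
    for i in range(weeks_ahead):
        day = today + timedelta(weeks=i)
        week_start = day - timedelta(days=day.weekday())  # rotation weeks start on Monday (assumed)
        entry = next((r for r in rotation if r["week_of"] == week_start), None)
        if entry is None:
            findings.append(f"on-call: no entry for week of {week_start}")
        else:
            findings += check_contact(f"on-call week of {week_start}", entry, today,
                                      require_verified=False)
    return findings


def check_matrix(matrix, today):
    """Run every check over the contact block and the on-call rotation."""
    findings = []
    for role, contact in matrix["contacts"].items():
        findings += check_contact(role, contact, today)
    findings += check_rotation(matrix["on_call"], today)
    return findings


# Constructed sample matrix with deliberate defects, evaluated as of TODAY.
TODAY = date(2024, 3, 5)
SAMPLE_MATRIX = {
    "contacts": {
        "CISO":   {"name": "A. Example", "phone": "+15550100", "verified": date(2024, 1, 20)},
        "Legal":  {"name": "[Name]", "phone": "[phone number]", "verified": None},
        "IT Ops": {"name": "B. Example", "phone": "555-0199", "verified": date(2023, 10, 1)},
    },
    "on_call": [
        {"week_of": date(2024, 3, 4), "name": "C. Example", "phone": "+15550123"},
        # week of 2024-03-11 is missing: the gap the drill should surface
    ],
}

if __name__ == "__main__":
    for finding in check_matrix(SAMPLE_MATRIX, TODAY):
        print(finding)
```

Run this on the published matrix at the start of each quarter and treat a non-empty finding list as a failed drill before the phone test even starts; the phone test then only has to prove that verified numbers actually ring and that the MDR provider's procedure works as contracted.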


Escalation communication format

When escalating, use a structured format so the receiving person immediately understands the situation:

The SBAR format (Situation, Background, Assessment, Recommendation):

Situation: DET-SOC-008 and DET-SOC-009 fired for the CFO at 14:30.

Background: Inbox forwarding rule to a newly registered domain + evasion rule deleting messages with “wire transfer” in the subject. Sign-in from hosting provider IP in Ukraine at 14:22.

Assessment: High-confidence BEC compromise. Adversary has been in the mailbox for 8 minutes. Forwarding active — all incoming email being exfiltrated. Evasion rule targeting financial keywords suggests imminent payment fraud.

Recommendation: I have removed both inbox rules and revoked tokens. Requesting approval to force password reset and to contact the finance team about any recent payment change requests from the CFO.

This format takes 30 seconds to deliver and gives the receiving person everything they need to make a decision. Compare this to: “Hey, I have a weird alert for the CFO, can you take a look?” — which requires 5 minutes of back-and-forth before the senior person understands the situation.

Check your understanding

1. A T1 analyst receives a Critical severity alert at 22:00 (after hours). The escalation matrix says "MDR provider → On-call analyst immediately." The MDR provider has not triaged the alert — it came directly from Sentinel. The on-call analyst's phone goes to voicemail. What should the T1 do?

Correct answer: Follow the escalation chain: (1) Leave a voicemail with the SBAR summary. (2) Send a Teams/Slack message to the on-call analyst with the same summary. (3) Try the SOC manager — Critical severity justifies skipping a level when the primary escalation is unreachable. (4) If nobody responds within 10 minutes, begin triage yourself — even a T1 can run the playbook's triage checks to determine whether the alert is a true positive. The worst outcome is a Critical alert sitting in the queue because nobody could be reached. The second-worst outcome is a T1 attempting containment beyond their authority. The triage checks are within T1 scope and provide critical context for whoever responds to the escalation.

Incorrect options:

  • Wait for the on-call analyst to call back — do not act on a Critical alert without authority
  • Handle it independently — the alert cannot wait

You're reading the free modules of SOC Operations