Module 0: TR0 — The Triage Problem

The Triage Problem

Every security incident has a first responder — the person who sees the alert, assesses it, and decides what happens next. In most organisations, that person has no structured methodology for the first 60 minutes. They rely on intuition, experience, and whatever procedures they can remember under pressure.

This module introduces the triage methodology that replaces intuition with structure. The 60-minute window. The 8-question triage scorecard. The Triage Trinity: classify severity, preserve volatile evidence, execute initial containment. Applied consistently across cloud, Windows, and Linux — because attackers do not respect environment boundaries.

What you will learn

  • Why the first 60 minutes determine the outcome of every incident
  • The binary triage decision and the cost of getting it wrong in both directions
  • The Triage Trinity methodology applied across three environments
  • The NE cross-environment attack scenario that demonstrates why single-environment triage fails
  • The 8-question triage scorecard that classifies any alert within 15 minutes
  • Where triage ends and investigation begins

Subsections

  • TR0.1 The 60-Minute Window
  • TR0.2 The Triage Decision
  • TR0.3 Three Environments, One Methodology
  • TR0.4 The NE Attack Timeline
  • TR0.5 Triage vs Investigation
  • TR0.6 The Triage Scorecard
  • TR0.7 Interactive Lab: Your First Triage
  • TR0.8 Module Summary
  • TR0.9 Check My Knowledge

Sections in this module