It's 2:47 AM. Your SIEM just fired 312 alerts in the last hour. One is a nation-state actor exfiltrating your crown jewels, and the rest are noise. The difference between a contained incident and a career-ending breach comes down to one skill: how fast and accurately your team can triage. Let's build the framework that makes that decision repeatable.
Why Triage Fails Without a Framework
Most security teams operate with informal severity definitions—"critical means really bad" is not a classification standard. Without explicit criteria, two analysts will assign different severities to the same event. This inconsistency cascades into misallocated resources, delayed escalations, and violated SLAs.
Effective triage answers three questions in under five minutes:
- What is affected? (asset criticality)
- What is happening? (threat category)
- How far has it progressed? (attack lifecycle stage)
A Four-Level Severity Model
Adopt a severity scale anchored to business impact, not technical complexity:
| Severity | Label | Definition | Response SLA | Example |
|---|---|---|---|---|
| SEV-1 | Critical | Active data exfiltration or system destruction | 15 min | Ransomware encrypting production servers |
| SEV-2 | High | Confirmed compromise, lateral movement observed | 1 hour | Compromised service account with DA escalation |
| SEV-3 | Medium | Suspicious activity requiring investigation | 4 hours | Anomalous outbound traffic to known C2 IP |
| SEV-4 | Low | Policy violation or informational alert | 24 hours | Failed brute-force against disabled account |
Document this in a runbook and make it the single source of truth for your SOC.
Scoring Triage Decisions Programmatically
Subjective triage doesn't scale. Assign numerical weights to the three triage dimensions and calculate a composite score. Here's a lightweight Python function you can integrate into your SOAR playbook:
```python
def calculate_severity(asset_criticality, threat_category, lifecycle_stage):
    """
    Each parameter scored 1-4.
    asset_criticality: 4=crown jewel, 3=business critical, 2=standard, 1=dev/test
    threat_category: 4=destructive/exfil, 3=C2/lateral, 2=exploitation, 1=recon
    lifecycle_stage: 4=actions on objective, 3=lateral movement, 2=initial access, 1=scanning
    """
    # Weighted composite: asset criticality dominates, then threat type, then stage
    score = (asset_criticality * 0.4) + (threat_category * 0.35) + (lifecycle_stage * 0.25)
    if score >= 3.5:
        return "SEV-1"
    elif score >= 2.5:
        return "SEV-2"
    elif score >= 1.5:
        return "SEV-3"
    return "SEV-4"
```

This eliminates the "gut feeling" problem and creates auditable, defensible decisions.
Enriching Triage With Context
Before an analyst assigns severity, automate context gathering. A quick enrichment script using your SIEM's API and threat intelligence can save critical minutes:
```bash
#!/usr/bin/env bash
# Quick IOC enrichment during triage
IP="203.0.113.45"
echo "=== Threat Intel Lookup ==="
# Number of OTX pulses referencing this IP (0 means no community reporting)
curl -s "https://otx.alienvault.com/api/v1/indicators/IPv4/$IP/general" | jq '.pulse_info.count'
echo "=== Internal Asset Lookup ==="
# Is this one of our crown-jewel / business-critical hosts?
grep "$IP" /etc/asset_inventory/critical_assets.csv
echo "=== Recent Firewall Hits ==="
grep "$IP" /var/log/firewall/connections.log | tail -20
```

Feed this enrichment data directly into your severity calculation. An alert hitting a crown-jewel database server demands a fundamentally different response than the same alert against a sandbox VM.
Escalation Logic That Actually Works
Severity without escalation policy is just a label. Define explicit escalation paths:
- SEV-1: Page incident commander + CISO immediately. Bridge call within 15 minutes. Invoke IR retainer if needed.
- SEV-2: Notify senior analyst and security manager. Dedicated analyst assigned within 30 minutes.
- SEV-3: Assigned to analyst queue. Investigated within shift.
- SEV-4: Batched for daily review. Automated closure if no progression in 72 hours.
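Tying the enrichment step, the scoring function and the escalation paths together, here is an added example (not code from the original post) of a SOAR-style triage step: it resolves the alerting host against a constructed asset inventory, scores the three dimensions with the same weights as above, and returns the escalation action. The inventory contents, the `src_ip`/`category`/`stage` alert fields and the category names are assumptions you would map to your own SIEM's taxonomy.

```python
import csv
import io

# Constructed sample asset inventory (not from the page), in the same CSV
# shape the enrichment script greps; documentation-range IPs only.
ASSET_INVENTORY_CSV = """ip,hostname,tier
203.0.113.45,db-prod-01,crown_jewel
203.0.113.46,sandbox-vm-07,dev
"""

# Dimension scores on the 1-4 scale from above; category names are assumed.
ASSET_TIER_SCORE = {"crown_jewel": 4, "business_critical": 3, "standard": 2, "dev": 1}
THREAT_SCORE = {"destructive": 4, "exfiltration": 4, "c2": 3, "lateral_movement": 3,
                "exploitation": 2, "recon": 1}
STAGE_SCORE = {"actions_on_objective": 4, "lateral_movement": 3,
               "initial_access": 2, "scanning": 1}
ESCALATION = {  # escalation paths from the list above, keyed by label
    "SEV-1": "page incident commander + CISO now; bridge call within 15 min",
    "SEV-2": "notify senior analyst + security manager; analyst assigned within 30 min",
    "SEV-3": "analyst queue; investigate within shift",
    "SEV-4": "batch for daily review; auto-close after 72 h with no progression",
}

def asset_criticality_for(ip, inventory_csv=ASSET_INVENTORY_CSV):
    """Map an internal IP to its asset-criticality score via the inventory."""
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        if row["ip"] == ip:
            return ASSET_TIER_SCORE[row["tier"]]
    return 2  # unknown host: assume 'standard', never silently downgrade to dev/test

def calculate_severity(asset_criticality, threat_category, lifecycle_stage):
    """Same weights and thresholds as the scoring function above; also returns the score."""
    score = asset_criticality * 0.4 + threat_category * 0.35 + lifecycle_stage * 0.25
    if score >= 3.5:
        return "SEV-1", score
    if score >= 2.5:
        return "SEV-2", score
    if score >= 1.5:
        return "SEV-3", score
    return "SEV-4", score

def triage(alert, inventory_csv=ASSET_INVENTORY_CSV):
    """Enriched alert -> severity label, composite score and escalation path (assumed alert shape)."""
    asset = asset_criticality_for(alert["src_ip"], inventory_csv)
    sev, score = calculate_severity(asset, THREAT_SCORE[alert["category"]],
                                    STAGE_SCORE[alert["stage"]])
    return {"severity": sev, "score": round(score, 2), "escalation": ESCALATION[sev]}
```

Run the same C2 alert against db-prod-01 and sandbox-vm-07 and the asset lookup alone moves it from SEV-2 to SEV-3, which is exactly the difference the enrichment step is meant to surface.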
Continuous Calibration
Review severity assignments weekly. Track severity accuracy rate—how often the initial classification matched the final post-incident assessment. If SEV-3 alerts regularly escalate to SEV-1, your scoring weights need adjustment.
Triage is not an art. It's an engineering problem. Build the framework, automate the scoring, and train your team until the 2:47 AM decision is as reliable as the 2:47 PM one.
Have questions about incident triage and severity classification? I'm always happy to talk shop — reach out or connect with me on LinkedIn.