Build a structured SOC escalation matrix defining severity tiers, response SLAs, escalation paths, and notification procedures for security incidents.
A SOC escalation matrix defines how security incidents move through the organization based on severity, impact, and response requirements. Modern SOCs use context-driven escalation combining business risk, asset criticality, and data sensitivity rather than purely severity-based models. Organizations using AI and automation in their SOC cut detection-and-containment lifecycle to approximately 161 days, an 80-day improvement over the 241-day industry average.
| Attribute | Value |
|---|---|
| Impact | Active data breach, ransomware spreading, critical systems compromised |
| Business Impact | Revenue loss, regulatory exposure, customer data at risk |
| Initial Response | 15 minutes |
| Escalation to Tier 2 | Immediate |
| Escalation to Management | 30 minutes |
| Resolution Target | 4 hours |
| Communication | Every 30 minutes to stakeholders |
| Examples | Active ransomware, confirmed data exfiltration, domain admin compromise |
| Attribute | Value |
|---|---|
| Impact | Confirmed compromise, limited scope, no active exfiltration |
| Business Impact | Potential revenue impact, contained risk |
| Initial Response | 30 minutes |
| Escalation to Tier 2 | 30 minutes if unresolved |
| Escalation to Management | 2 hours |
| Resolution Target | 8 hours |
| Communication | Every 2 hours to SOC management |
| Examples | Compromised user account, malware on single endpoint, insider threat indicator |
| Attribute | Value |
|---|---|
| Impact | Suspicious activity requiring investigation |
| Business Impact | Low immediate risk |
| Initial Response | 4 hours |
| Escalation to Tier 2 | 8 hours if unresolved |
| Resolution Target | 24 hours |
| Communication | Daily status update |
| Examples | Policy violation, failed brute force, suspicious email report |
| Attribute | Value |
|---|---|
| Impact | Informational alerts, routine security events |
| Business Impact | Minimal |
| Initial Response | 8 hours |
| Escalation | Only if pattern emerges |
| Resolution Target | 72 hours |
| Communication | Weekly summary |
| Examples | Vulnerability scan findings, expired certificates, policy exceptions |
Asset Criticality
Low Medium High Critical
Severity Low P4 P4 P3 P3
Medium P4 P3 P2 P2
High P3 P2 P2 P1
Critical P2 P1 P1 P1
| Trigger | Action |
|---|---|
| Ransomware detected on any endpoint | P1 - Immediate Tier 3 + Management |
| Domain admin account compromise | P1 - Immediate Tier 3 + Management |
| Active data exfiltration to external IP | P1 - Immediate Tier 3 + Management |
| Critical infrastructure (DC, SCADA) alert | P1 - Immediate Tier 2 minimum |
| Executive account anomaly | P2 - Immediate Tier 2 |
| Multiple hosts with same malware | P1 - Immediate Tier 2 |
| Condition | Action |
|---|---|
| P2 unresolved after 4 hours | Escalate to Tier 3 |
| P3 unresolved after 12 hours | Escalate to Tier 2 |
| Any incident unresolved past SLA | Escalate to SOC Manager |
| P1 unresolved after 2 hours | Escalate to CISO |
SUBJECT: [P1 CRITICAL] Security Incident - {Incident_ID}
Incident Summary:
- Type: {incident_type}
- Affected Systems: {systems}
- Affected Users: {users}
- Current Status: {status}
- Assigned To: {analyst}
Impact Assessment:
- Business Impact: {impact}
- Data at Risk: {data_risk}
- Containment Status: {containment}
Next Actions:
- {action_1}
- {action_2}
Next Update: {time} (30-minute intervals)
Bridge Line: {conference_details}
# XSOAR escalation playbook trigger