What Is Triage in Cybersecurity?

What do you do when your phone starts ringing in the middle of a meeting? Do you rush to immediately pick it up, or do you begin to repeatedly press the volume down button to silence it? Well, the answer probably depends on who’s calling, right? 

Just like some calls are naturally more important than others, so are security incidents. A cybersecurity monitoring tool can easily generate dozens if not hundreds of alerts per day, but only a small fraction of them really deserve your immediate attention. 

What sometimes happens is that organizations become distracted by low-priority alerts to such a degree that they completely miss the few alerts that are actually important. The consequences of a delayed and lackluster incident response can be severe—if not devastating. 

To ensure that all high-priority security incidents are properly identified and addressed, organizations should carry out the so-called cyber triage, and this article explains everything you need to know about this practice. 

What are security incidents? 

A security incident is any event that indicates a compromised cybersecurity posture and insufficient defense measures. 

The cyber kill chain is a useful cybersecurity model that was created by Lockheed Martin to illustrate the stages of a cyber attack. 

What are false positives? 

False positives in cybersecurity are alerts that incorrectly indicate the presence of a threat when no real threat is actually present. False positives are harmless in small quantities, but they can be very problematic if they occur frequently because they can cause information overload. 

What Is Cyber Incident or Threat Triage? 

Triage is a medical term used to describe the practice invoked when acute care has to be provided to patients according to the urgency of their need for care due to insufficient resources. 

What does this practice have in common with cybersecurity? A lot! As we’ve said in the introduction to this article, modern cybersecurity monitoring tools generate a large number of alerts on a steady basis, with a large percentage of them being false positives. 

Even a well-staffed cybersecurity response team can’t possibly investigate alerts in chronological order without failing to address high-priority alerts before they turn into data breaches with huge financial and reputational consequences. 

Knowing that some alerts need to be addressed much sooner than other alerts, it makes sense to first take the time to order them according to their priority by practicing cyber triage. Cyber threat intelligence is the collective knowledge an organization has about the threats it faces. 

Events are cybersecurity-impacting activities. To properly respond to them, the priority of each event has to be determined first, and the process of doing so is called event triage. 

What is a triage analysis?

Triage analysis is the evaluation of security incidents to determine which are false positives and which need to be addressed urgently.

Cybersecurity Triage Steps

Okay, so let’s say that you’ve identified multiple alerts, and you want to find out which of them you can safely ignore and which are important. 

To accomplish this objective, it’s useful to separate alerts into the following three categories: 

  • Low-priority: Alerts that are unlikely to have any significant impact on business performance or customer satisfaction.
  • Medium-priority: Alerts that may have some impact on business performance or customer satisfaction, but their resolution can be delayed. 
  • High-priority: Alerts that are likely to have a serious impact on business performance or customer satisfaction unless resolved immediately.

But what kind of criteria should you take into consideration when categorizing your alerts? That’s where the IT Infrastructure Library (ITIL) series of best practices for managing information systems can help. 

According to ITIL, alerts can be prioritized based on the following criteria: 

  • Impact: How severely will the business be affected. 
  • Urgency: How long can the resolution be delayed. 

An alert’s priority, then, is the combination of its impact and urgency. The incident triage matrix below can help you correctly prioritize your alerts.

Incident Triage Matrix


If you’re not sure how impactful or urgent an alert is, then you need to invest in cyber threat intelligence to gain invaluable insight into the cyber kill chain beyond basic malware detection capabilities. 

Cisco defines cyber threat intelligence as “a dynamic, adaptive technology that leverages large-scale threat history data to proactively block and remediate future malicious attacks on a network.”

In other words, cyber threat intelligence is the collective knowledge an organization has about the threats it faces. When implemented correctly, it helps identify and prioritize all types of cyber risks, including cutting-edge advanced persistent threats and zero-day threats and exploits.

There are multiple threat intelligence tools organizations of all sizes can choose from, and an experienced managed IT service provider like us at Aligned Technology Solutions can help you determine which one can meet your needs the best. 

Cybersecurity Incident Examples

Now that we’ve explained how the cyber triage process works in a nutshell, we should illustrate it with a few examples. 

Heavy Traffic on Port 80 (Low-Priority)

Port 80 is the port number assigned to Hypertext Transfer Protocol (HTTP), which is used to send and receive unencrypted web pages. Heavy traffic on this port is often caused by employees downloading content from the web. In most cases, the content is work-related and safe, but it could also be illegal content from various shady websites that are plagued with malware, so an in-depth investigation may be needed, especially if the spikes in traffic are detected after business hours. 

Phishing Attempt (Medium-Priority)

It’s estimated that phishing attacks account for more than 80 percent of reported security incidents. The detection of a phishing attempt typically isn’t a highly urgent issue, but it can potentially have a serious impact on business performance. The proper response to a phishing attempt is to block the sender’s address and educate employees about the threat so they can recognize it and avoid it even if the same or similar phishing attempts arrive from a different email address. 

Malware Attack (High-Priority)

The presence of active malware is always a highly serious incident that needs to be addressed as soon as possible to prevent the malware from spreading further. The exact steps to follow after malware detection depends on the malware itself. Some strains of malware are relatively harmless and can be deleted using readily available tools, while other strains are designed to leave behind hidden backdoors and other unpleasant surprises. 


In medicine, triage can save lives. In cybersecurity, triage can prevent costly data breaches and other cyber risks. With the right tools and the right provider of cybersecurity services, any organization can reliably separate threats based on their priority to address them in the right order. Contact us at Aligned Technology Solutions and let us help you master cyber triage. 

    Filter articles

Latest Articles

Contact us to get started today!

Call us at (703) 740-9797 or fill out the form below to schedule your free consultation. We will get back to you shortly.

*All fields are required.

This site uses cookies to optimize functionality and give you the best possible experience. If you continue to navigate this website beyond this page, cookies will be placed on your browser. To learn more about cookies, click here.