Every alert flows through these stages. No exceptions.
This lifecycle is the security spine for ThreatLabs. Every decision is recorded, every transition is traceable, and every action is verified.
- 01 Alert Received: Raw alert ingested from SIEM/EDR. Timestamp captured. Source recorded.
- 02 Normalized: Mapped to standard schema. Fields extracted. Deduplicated if applicable.
- 03 Enriched: MITRE ATT&CK mapping. Asset and historical context. Threat intel correlation. User behavior baseline.
- 04 Classified: Severity assigned (Critical/High/Medium/Low/Info). Confidence scored. Category determined. Recommended action proposed.
- 05 Decision: Decision gate. Auto-resolve, auto-contain, escalate to human, delegate to BioLayer.tech, or hold for more signals.
- 06 Action Taken: Record what was done. Capture evidence of action. Note any failures.
- 07 Verification: Confirm action succeeded. Check for persistence or recurrence. Validate scope.
- 08 Closure: Incident marked resolved. Final status: True Positive, False Positive, or Inconclusive. Lessons documented.
- 09 Reporting: Incident report generated. Metrics updated. Feedback to detection tuning.
When we auto-act vs. when we escalate
| Severity | Confidence | Auto-Action | Human Required |
|---|---|---|---|
| Critical | High | Contain | Verify |
| Critical | Medium | Contain | Investigate |
| Critical | Low | Hold | Investigate |
| High | High | Resolve/Contain | Optional verify |
| High | Medium | Hold | Investigate |
| Medium | Any | Resolve if known | Optional |
| Low | Any | Auto-resolve | No |
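The lifecycle order and the decision matrix above, as an added example that is not ThreatLabs' own code: a small state machine that only allows an alert to advance one stage at a time, writes every transition (with the matrix outcome) to an audit trail, and applies the severity/confidence table at the decision gate. The stage names, the `Alert` class, and the fallback for combinations the table does not list (for example High/Low, or Info severity) are assumptions.

```python
from dataclasses import dataclass, field

# Lifecycle stages in the order the page gives them (identifiers are assumed, not ThreatLabs').
STAGES = ["received", "normalized", "enriched", "classified", "decision",
          "action_taken", "verification", "closure", "reporting"]

# Decision matrix from the page, keyed by (severity, confidence) -> (auto_action, human_required).
# Rows with "Any" confidence are matched after an exact lookup fails.
MATRIX = {
    ("Critical", "High"): ("Contain", "Verify"),
    ("Critical", "Medium"): ("Contain", "Investigate"),
    ("Critical", "Low"): ("Hold", "Investigate"),
    ("High", "High"): ("Resolve/Contain", "Optional verify"),
    ("High", "Medium"): ("Hold", "Investigate"),
    ("Medium", "Any"): ("Resolve if known", "Optional"),
    ("Low", "Any"): ("Auto-resolve", "No"),
}

def decide(severity, confidence):
    """Return (auto_action, human_required) for a classified alert.
    Combinations the matrix does not list fall back to Hold + Investigate
    (an assumption: when the table is silent, wait for a human rather than auto-act)."""
    row = MATRIX.get((severity, confidence)) or MATRIX.get((severity, "Any"))
    return row if row else ("Hold", "Investigate")

@dataclass
class Alert:
    alert_id: str
    stage: str = "received"
    trail: list = field(default_factory=list)  # every transition, in order, with its evidence

    def advance(self, to_stage, **evidence):
        """Move to the immediately following stage only; skipping or going back is rejected."""
        cur = STAGES.index(self.stage)
        if STAGES.index(to_stage) != cur + 1:
            raise ValueError(f"{self.alert_id}: cannot go {self.stage} -> {to_stage}")
        self.trail.append({"from": self.stage, "to": to_stage, **evidence})
        self.stage = to_stage
        return self

def run_gate(alert, severity, confidence):
    """Classify an enriched alert, then apply the decision gate and record the outcome."""
    alert.advance("classified", severity=severity, confidence=confidence)
    action, human = decide(severity, confidence)
    alert.advance("decision", auto_action=action, human_required=human)
    return action, human
```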