Overview
At this level, administrators move from passive monitoring to active security operations. Sentry detections now feed into a structured incident management board, allowing teams to triage, investigate, and contain threats through an organized workflow.
This stage focuses on operational response: assigning ownership, tracking progress, and documenting outcomes to strengthen accountability and control.
The Incident Management Board
The Incidents section of the Scout dashboard presents a Kanban-style board designed to simplify security operations. Each card on the board represents a detection that requires review or action.
The board includes the following standard columns:
| Column | Purpose |
|---|---|
| New | Recently detected alerts awaiting review. |
| Investigating | Alerts under analysis or validation. |
| Contained | Incidents where the threat has been mitigated, but follow-up is pending. |
| Resolved | Fully remediated and verified as safe. |
Administrators can drag and drop incidents between these stages as investigations progress.
Managing Incidents
When reviewing an incident card, key information is displayed:
- Detection source and summary
- Severity rating
- Affected device or peer
- Timestamp and detection details
- Actions taken or recommended
Administrators can expand incidents for detailed context, add notes, or document containment steps. All updates are tracked automatically in the Audit Log for compliance and historical review.
Response Workflow
An effective incident response process typically includes:
- Triage: Identify and prioritize incidents by severity and potential business impact.
- Investigation: Determine whether the activity is legitimate or malicious by reviewing details and cross-referencing other detections.
- Containment: Isolate or disconnect affected devices, rotate credentials, or apply policy changes as needed.
- Resolution: Confirm that the root cause has been addressed and document lessons learned.
- Closure: Move the incident to the Resolved column to signal completion.
Following a consistent workflow ensures uniform handling of incidents and clearer communication across teams.
Measuring Effectiveness
Several metrics help evaluate your response performance:
- Active Incidents: current operational workload
- Critical Resolution: time to resolve severe incidents
- Average Response Time (MTTR): average speed of containment and remediation
- Incidents by Severity: overall distribution and trend
These metrics provide valuable insight into response efficiency and help identify areas for process improvement.
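As an added example (not part of the Scout documentation), the following Python sketch models the board: each column move is appended to a per-incident audit-log list, forward moves that skip a stage are rejected (an assumed rule; the page only says cards are dragged between stages), and the four metrics above are derived from constructed sample incidents, taking MTTR as the detection-to-Contained latency.

```python
from collections import Counter
from dataclasses import dataclass, field
from datetime import datetime, timedelta

COLUMNS = ["New", "Investigating", "Contained", "Resolved"]  # board columns in workflow order
def can_move(frm: str, to: str) -> bool:
    # Assumed rule: a card may move back any distance (re-open) but forward only one stage at a time.
    return COLUMNS.index(to) <= COLUMNS.index(frm) + 1

@dataclass
class Incident:
    id: str
    severity: str  # critical / high / medium / low
    detected_at: datetime
    column: str = "New"
    audit_log: list = field(default_factory=list)  # one (timestamp, from, to, note) entry per move
    def move(self, to: str, at: datetime, note: str = "") -> None:
        if not can_move(self.column, to):
            raise ValueError(f"{self.id}: cannot skip from {self.column} to {to}")
        self.audit_log.append((at, self.column, to, note))
        self.column = to
    def time_to(self, column: str):
        # Latency from detection to the card's first entry into `column`; None if never reached.
        for at, _frm, to, _note in self.audit_log:
            if to == column:
                return at - self.detected_at
        return None

def board_metrics(incidents):
    def avg_hours(deltas):
        deltas = [d for d in deltas if d is not None]
        return sum(d.total_seconds() for d in deltas) / 3600 / len(deltas) if deltas else None
    return {
        "active_incidents": sum(i.column != "Resolved" for i in incidents),
        "critical_resolution_hours": avg_hours(i.time_to("Resolved") for i in incidents if i.severity == "critical"),
        "mttr_hours": avg_hours(i.time_to("Contained") for i in incidents),  # MTTR taken as detection -> Contained
        "incidents_by_severity": dict(Counter(i.severity for i in incidents)),
    }
T0 = datetime(2024, 1, 1, 9, 0)  # constructed sample data, not taken from a real board
def sample_board():
    a = Incident("INC-1", "critical", T0)
    a.move("Investigating", T0 + timedelta(hours=1))
    a.move("Contained", T0 + timedelta(hours=2), "device isolated, credentials rotated")
    a.move("Resolved", T0 + timedelta(hours=6), "root cause documented")
    b = Incident("INC-2", "high", T0)
    b.move("Investigating", T0 + timedelta(hours=3))
    b.move("Contained", T0 + timedelta(hours=4))
    c = Incident("INC-3", "low", T0)  # still awaiting review
    return [a, b, c]
```

Calling `board_metrics(sample_board())` yields 2 active incidents, a 6.0 h critical resolution time, a 3.0 h MTTR and one incident per severity.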
Maturity Progress
By consistently triaging and resolving incidents through the Kanban board, administrators reach Level 3 — Control 🟠. The organization now has a repeatable process for detection, investigation, and remediation—core elements of a mature security operation.