"Cover" wrongly suggests hiding it. "Block" applies to traffic/IPs, not the incident as a whole. "Hold" is not idiomatic here. Containment buys time before you eradicate the threat and recover. Usage: "we contained the breach by isolating the affected subnet within minutes of detection."
2 / 5
An on-call SOC procedure states:
"When dozens of alerts fire at once, the analyst must first ___ them — quickly assess severity and priority so the team works the most dangerous incidents first."
Which verb describes rapidly sorting incidents by severity?
Triage an incident.
Borrowed from medicine, "triage" means to rapidly assess and prioritise incidents (or alerts/bugs) by severity and urgency so limited resources go to the most critical first.
triage an incident / an alert / the backlog
severity (SEV-1 ... SEV-4) and priority (P1 ... P4)
false positive — an alert that turns out to be benign
"Queue", "batch", and "log" describe handling or recording incidents, not assessing their priority. Triage is what an analyst does the moment alerts arrive. Usage: "the on-call engineer triages incoming alerts and escalates anything SEV-1."
3 / 5
An IR communications plan reads:
"If the on-call engineer cannot resolve the incident within 15 minutes, they must ___ it to the incident commander and page senior leadership."
Which verb describes raising an incident to a higher level of response?
Escalate an incident.
To "escalate" an incident is to raise it to a higher tier of responders or management when it exceeds the current responder's authority, severity threshold, or time limit.
escalate to the incident commander / on-call lead / leadership
escalation path / policy — who gets paged, and when
contrast: de-escalate — downgrade once it is under control
"Promote" and "upgrade" apply to versions or roles, not incidents. "Forward" just passes a message along without the urgency and authority change that "escalate" implies. Note: in security, this sense of "escalate" (raising an incident to a higher tier) differs from privilege escalation (an attacker gaining higher rights). Usage: "per the escalation policy, any data-loss incident is escalated to legal immediately."
4 / 5
After an outage, the team schedules a meeting described as:
"We will hold a blameless ___ to understand the timeline, root cause, and the action items that stop this from happening again — focused on systems, not individuals."
Which term names this structured after-the-fact review?
Post-incident review.
A "post-incident review" (also post-mortem or retrospective) is a structured, ideally blameless, analysis after an incident: timeline, root cause, contributing factors, and concrete action items.
post-incident review / post-mortem / PIR
root cause analysis (RCA), contributing factors
action items / follow-ups — preventive work tracked to completion
indicators of compromise (IOCs) — forensic evidence captured during the incident
"After-action chat", "failure meeting", and "incident recap" are not the recognised terms — the industry standard is post-incident review / post-mortem. Blameless framing focuses on systemic fixes. Usage: "the post-incident review produced five action items, all tracked to closure."
5 / 5
A containment-and-cleanup checklist reads:
"Step 1: ___ the compromised host — cut it off from the network so the malware cannot spread or phone home. Step 2: ___ the threat — remove the malware, backdoors, and attacker persistence entirely. Watch for the ___ we extracted, such as malicious IPs and file hashes, on every other machine."
Which set of terms fills the three blanks?
Isolate a host, eradicate the threat, hunt for indicators of compromise.
Three precise IR terms:
Isolate a host — disconnect a compromised machine from the network to stop spread and command-and-control ("network isolation", "quarantine the endpoint")
Eradicate the threat — fully remove malware, backdoors, and persistence (the phase after containment in the NIST lifecycle)
Indicators of compromise (IOCs) — forensic artefacts (malicious IPs, domains, file hashes, registry keys) used to detect the same attacker elsewhere
The other options are loose paraphrases ("unplug/scrub/fingerprints", "detach/purge/markers") that no IR playbook uses, and "signatures" refers to detection-rule patterns, not the incident's own evidence. Usage: "we isolated the host, eradicated the threat, then swept the fleet for the same IOCs."