Advanced
Lesson 31 of 35 · ~7 min

The categories of mandatory escalation

Six categories of work that always escalate regardless of how the ticket arrives, how confident the customer's IT contact sounds, or how reasonable a senior's offhanded 'just go ahead' sounds. The list is short; carrying it as a mental check is the practice.

Half the failure modes covered so far reduce to one habit gap: not noticing that a ticket has crossed a category line. This lesson is the list. The list is short. Memorising it at the row level is one of the highest-leverage things to do in the capstone.

The six categories

These categories escalate every time. Recognition is the skill.

#CategoryTrip shape
1Critical incidentsAnything Critical by default, or the markers from the Critical-incident lesson (canary trip, mass deletion, lateral movement, admin-credential abuse). Contain-and-escalate-in-parallel.
2Tenant-wide identity compromiseMulti-user patterns, admin involvement, tenant-level grants or app registrations. Single-identity playbook is in scope. Tenant-wide response is above the line.
3SIEM tuning requestsDetection rules, query configuration, retention settings, ingestion architecture. The portal exposes these surfaces. Visibility isn’t authorisation.
4Subscription, billing, or permanent commercial actionsDeployment-strategy decisions, subscription scope, product-mix changes, permanent organisation deletion. Runbook execution is in scope; decisions that commit the customer are not.
5Anything irreversible the tech doesn’t fully understandPermanent org deletions, bulk un-isolations across many hosts, tenant-wide credential rotations. Two-question test fails: irreversible plus no clean articulation of why this is the right action.
6Customer-versus-SOC tensionThe customer wants the host released, the OAuth grant left, the inbox rule restored. Any time customer preference and SOC recommendation pull in different directions, the senior owns the conversation.

Most tickets aren’t in any category. Standard EDR, ITDR, and SIEM workflow applies; do the work. The categories trip when something pushes past the line: a senior’s casual instruction, a customer’s pushback, a Recommendation that includes tuning language.

Visibility isn't authorisation

The portal exposes the SIEM tuning surface, the org-deletion control, the bulk un-isolation action. Being able to click is not the same as being permitted to click. Category 3, 4, and 5 trip on the action, not on whether the UI lets the tech reach it.

How a category trips on a quiet day

Three patterns show up more than others.

A senior walking past the desk: while you’re at it, can you delete those three legacy orgs? Category 4. Permanent organisation deletion is the archetypal commercial action. A corridor instruction isn’t a documented delegation.

A customer’s IT manager on the phone: release Bob’s machine, he’s sure he was the one signing in. Category 6. Customer preference vs. SOC remediation. The senior owns that call.

A SOC Recommendation that reads, halfway down: consider tuning the threshold for this detection on this source. Category 3. The remediation portion is in scope; the tuning portion is above the line, even though it lives in the same report.

Decision walkthrough

The senior's casual ask, end of a quiet afternoon
A senior tech (not your direct manager, more experienced) messages you between tickets: 'Can you delete those three legacy organisations in the portal? They've been archived for months.' You have the access. The portal allows it. The senior is asking nicely. The category trip is the entire question.
What do you do first?

The senior pushes back: they have been dead for months, do it, I’ll vouch for you. The vouch is the senior’s social safety net, not a process one. The cleanest response names the underlying gap and proposes the fix: if these really are stale, this is paperwork. Can we update the offboarding runbook to delegate permanent deletion for orgs older than X months? Covers this case and the next ten. I’ll wait until then. The senior gets the path forward; the category stays gated; the runbook earns the rule.

Common misconceptions

  • If a senior tells me to do it, that’s the authorisation. Sometimes. Verbal corridor instructions are not documented delegations for category-4 actions. The form matters.
  • If the customer asks me directly, that’s their authority. The customer’s request does not authorise the tech to act against the SOC’s recommendation. Customer-versus-SOC tension is automatic escalation.
  • If I read the runbook carefully enough, I can navigate the categories myself. The categories exist because the MSP has decided the tech-level decision lacks the full picture. Reading more carefully does not change the scope.

What to do with this

Run the six-category check on every non-routine ticket. Most tickets pass through it in two seconds. When a category trips, the action is the same every time: name the category to the senior out loud, hand off cleanly, support per their direction. Naming the category is what makes the hand-off legible.

Loading quiz…
Next lesson