Intermediate
Lesson 33 of 38 · ~7 min

What makes an incident Critical

Four markers tell you the response model has flipped, ransomware canary trip, mass deletion, lateral movement, admin-credential abuse. Recognise the shape and you switch from triage to contain-and-escalate before the severity tag confirms it.

Course 5 is short because Critical incidents don’t reward thoroughness. They reward speed, containment, and not investigating. The shape of the work changes the moment the markers are clear. Miss the switch and you do the wrong work efficiently while the customer’s environment burns.

The four markers

The SOC raises Critical when the activity needs containment now, not action after analysis. The patterns cluster into four shapes you’ll see again and again.

Ransomware canary trip. A canary file (lesson 34 covers these) was touched in a pattern consistent with ransomware. Critical by default. The assumption is that encryption is in flight on the endpoint or a network share.

Mass deletion. Files are being deleted at a rate or pattern that’s destructive: wiping data, removing backups, destroying logs. The pattern doesn’t match user behaviour; it matches an attacker scrubbing evidence or running a destruction phase at the end of an attack.

Lateral movement signals. The attacker is moving between hosts. Credentials being used from unexpected endpoints, remote-execution patterns spreading, network-share traversal at scale. One compromised host might land as Low or High; lateral movement is Critical because the blast radius is widening in real time.

Admin-credential abuse. A service account, domain admin, or other elevated credential is being used in ways that don’t match the legitimate workflow. The credential’s blast radius equals the credential’s privilege level; abuse of an admin credential is Critical because the next action could touch anything in the customer’s environment.

Identity-side Criticals and SIEM-correlated Criticals exist too; the four above are what you’ll see most often.

Why the response model changes

In the standard EDR workflow you learned earlier in this course, the work goes in order: claim, review, approve, verify, close, document. Time matters but it isn’t critical-path. On a Critical, two things flip and a third drops out.

Time matters more than completeness. Every minute before containment is a minute the attacker keeps doing what they’re doing. A 30-second containment that’s slightly imperfect is dramatically better than a 5-minute containment that’s exactly right. Speed wins.

Containment and escalation happen in parallel, not in sequence. On a Low or High you might handle the whole ticket and mention it at end-of-shift handover. On a Critical you contain and you tell the senior at the same time. The senior may take the response over; you may stay on it under their direction. What doesn’t happen is “I handled it alone, will tell you tomorrow.”

You don’t investigate. This is the hard one. The standard workflow trains the muscle of reviewing the Recommendation, sometimes the Evidence, before acting. On a Critical the Recommendation will lead with containment, and the Evidence is there for the senior’s context, not the tech’s analysis. The deeper investigation is above the helpdesk ceiling. Looking at it from the tech seat with tech tools while the attacker is active is the wrong trade against speed.

The line you don't cross

Contain (isolate the host, or run the ITDR compromise playbook on the affected identity). Notify the on-call senior in parallel. Document what you’ve done. Pass the deeper investigation to whoever owns it (senior, MSP’s senior-level security analyst, sometimes a vendor’s incident response service). Forensics and persistence-hunting are above the helpdesk ceiling, regardless of how confident you feel.

Recognising Critical-shape inside a High

A High Incident Report lands. Host: WS-CONTOSO-IT-01, a customer helpdesk workstation. Recommendation: approve the autoruns remediation. Standard High shape. Three minutes into your review, the Evidence catches your eye: the autoruns binary has signatures of a known credential-dumping tool, and the SOC’s notes mention the workstation owner’s domain-admin credential was used for a remote-execute on three other endpoints in the last six hours.

That’s two markers stacking inside what’s still tagged High: admin-credential abuse plus lateral movement. The High tag is what the SOC had when the report opened. You now have new context from reading the Evidence.

Critical-shaped pattern inside a High-tagged incident
The severity tag and the patterns in the Evidence have diverged. The tag is the SOC's call; the pattern is yours to recognise. The response model switches the moment the markers are clear, not when the tag catches up.
You spot Critical-shaped markers (admin credential abuse, lateral movement) in the Evidence of a High-tagged incident. What do you do?

Recommendation phrasing that’s a Critical tell

Even if you missed the tag at the top of the report, certain Recommendation phrases are a tell.

  • “Isolate the host immediately.”
  • “Preserve evidence.”
  • “Do not perform further actions until forensic review.”
  • “Escalate to incident response.”

Those four phrases say the SOC has classified this as needing containment now and that the deeper response is above the helpdesk ceiling. A standard High Recommendation reads differently, “approve the autoruns remediation” or “verify the affected host before approving.” If the wording leans toward containment and preservation, the response model has already switched whether or not the tag matches.

Misconceptions to drop early

Critical means the most evidence to review. Opposite. Critical means contain first and read evidence only as context for what was contained. Thoroughness on a Low becomes a time-cost on a Critical.

If I’m careful, I can handle a Critical end-to-end like a High. The escalation ceiling rules it out regardless of how careful you are. Critical investigation is above the line because the blast radius and stakes are different, not because of skill level.

Containment will look like over-reacting if it turns out to be benign. It won’t, and even if the customer is annoyed, the conversation is much easier than “we didn’t contain it and the attacker spread laterally.” The cost asymmetry is the whole reason Critical exists as a category.

Loading quiz…
Next lesson