Triage

Initial sorting of alerts or incidents by severity and impact to focus response.

Triage is the initial sort of incoming alerts by severity, impact, and confidence, so that scarce analyst time goes to what matters and false positives are closed fast. It is where many SOC programs live or die: well-tuned alerts and clear triage criteria prevent the alert fatigue that lets a real attack slip through. Typical tiers: T1 triage, T2 investigation, T3 threat hunting and forensics.
