Overview
When a critical incident hits, the last thing you want is confusion about who to call, when to escalate, or how fast the response needs to be. This escalation matrix template defines clear severity-based escalation paths, response SLAs, and notification chains so your SOC can act decisively under pressure. It eliminates ambiguity and ensures the right people are engaged at the right time.
Severity Definitions
- P1 Critical: Active breach, ransomware execution, data exfiltration confirmed, production outage from cyberattack
- P2 High: Confirmed compromise with contained scope, suspected data exposure, critical vulnerability under active exploitation
- P3 Medium: Suspicious activity requiring investigation, potential indicator of compromise, security tool failure
- P4 Low: Policy violation, informational alert, minor misconfigurations, expired certificates
Escalation Matrix
| Severity | Initial response | 30-minute escalation | 1-hour escalation | 4-hour escalation |
|---|---|---|---|---|
| P1 Critical | SOC Analyst + IR Lead | SOC Manager + CISO | CTO + Legal + CEO | Board notification, external IR retainer |
| P2 High | SOC Analyst | IR Lead + SOC Manager | CISO briefing | Executive update if unresolved |
| P3 Medium | SOC Analyst | SOC Lead (if unresolved in 4h) | SOC Manager (if unresolved in 8h) | N/A |
| P4 Low | SOC Analyst | Peer review at shift handover | N/A | N/A |
Response SLA Framework
Response SLAs define three key time targets: time to acknowledge, time to triage, and time to contain. For P1 incidents, acknowledgment must happen within 5 minutes, initial triage within 15 minutes, and containment actions within 1 hour. For P2 incidents, these targets extend to 15 minutes, 30 minutes, and 4 hours respectively. SLAs should be aggressive enough to drive urgency but realistic enough that the team can consistently meet them. Track SLA compliance monthly and treat misses as a trigger for process improvement rather than merely as grounds for punishment.
On-Call and Contact Procedures
- Maintain an up-to-date on-call rotation with primary and secondary contacts for each role
- Use a dedicated paging system (PagerDuty, Opsgenie) rather than relying on email or chat for critical escalations
- Establish a bridge call or war room procedure for P1 and P2 incidents with a pre-scheduled conference number
- Define backup escalation paths for situations where the primary contact is unreachable after two attempts
- Keep a printed copy of the escalation matrix in the SOC and in the incident response kit
- Test escalation procedures quarterly through tabletop exercises
Maintaining the Matrix
An escalation matrix that is outdated is as dangerous as not having one at all. Review contact information monthly. Update escalation paths whenever there are organizational changes, new hires, or departures. After every P1 and P2 incident, assess whether the escalation worked as designed. Were the right people reached quickly enough? Were there gaps in the chain? Incorporate feedback into the next revision. Distribute updated versions to all SOC staff and store the current version in a location accessible even during a systems outage.
Frequently Asked Questions
How do we handle escalation during off-hours?
Implement an on-call rotation with automated paging that covers nights, weekends, and holidays. Define clear override procedures so analysts can page senior leadership directly for P1 incidents without waiting for the chain to work through intermediaries.
What if the assigned escalation contact does not respond?
Define a maximum wait time per escalation tier, typically 10 minutes. If the primary contact does not respond within that window, automatically escalate to the backup. If the backup also does not respond, the analyst should escalate to the next tier in the chain.
Should vendors be included in the escalation matrix?
Yes. Include your managed security service provider, external IR retainer contacts, cyber insurance broker, and outside legal counsel. For P1 incidents, you may need these contacts engaged within the first hour.
How do we prevent unnecessary escalations?
Clear severity definitions are the best defense against unnecessary escalation. Provide analysts with decision trees that help them classify severity accurately. Conduct regular calibration discussions where the team reviews past escalation decisions.
Can automation help with escalation?
Absolutely. SOAR platforms can automate initial severity classification, auto-page on-call staff, open bridge calls, and send status updates based on incident progression. Automation ensures consistency and saves critical minutes during P1 events.
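The matrix timings, the P1/P2 SLA targets from the Response SLA Framework, and the 10-minute primary/backup rule from the FAQ above, encoded as an added Python example (not part of the template or of any Hunto AI product); the on-call names are a constructed placeholder roster, and P3's later tiers use the 4h/8h thresholds written in its table cells.

```python
# Escalation tiers from the matrix above, keyed by severity:
# (minutes after detection, who must be engaged by then). P4 peer review
# is tied to shift handover rather than a clock, so it has no timed tier.
MATRIX = {
    "P1": [(0, "SOC Analyst + IR Lead"), (30, "SOC Manager + CISO"),
           (60, "CTO + Legal + CEO"), (240, "Board + external IR retainer")],
    "P2": [(0, "SOC Analyst"), (30, "IR Lead + SOC Manager"),
           (60, "CISO briefing"), (240, "Executive update")],
    "P3": [(0, "SOC Analyst"), (240, "SOC Lead"), (480, "SOC Manager")],
    "P4": [(0, "SOC Analyst")],
}
# SLA targets in minutes (acknowledge, triage, contain); given for P1/P2 only.
SLA = {"P1": (5, 15, 60), "P2": (15, 30, 240)}
TIER_WAIT_MIN = 10  # max wait per contact before paging the next one (FAQ)
# Constructed placeholder roster: role -> (primary, backup).
ON_CALL = {
    "SOC Analyst + IR Lead": ("analyst-1", "analyst-2"),
    "SOC Manager + CISO": ("soc-mgr", "deputy-ciso"),
    "CTO + Legal + CEO": ("cto", "general-counsel"),
    "Board + external IR retainer": ("board-liaison", "ir-retainer-hotline"),
}

def required_escalations(severity, minutes_open):
    """Every tier that must already be engaged for an incident open this long."""
    return [who for at, who in MATRIX[severity] if at <= minutes_open]

def next_escalation(severity, minutes_open):
    """(minutes until the next tier fires, contact), or None if chain exhausted."""
    for at, who in MATRIX[severity]:
        if at > minutes_open:
            return at - minutes_open, who
    return None

def page_until_answered(severity, start_tier, answers):
    """Page primary, then backup after TIER_WAIT_MIN, then the next tier's pair,
    until someone in `answers` picks up. Returns (page log, responder or None)."""
    log, t = [], 0
    for _, role in MATRIX[severity][start_tier:]:
        # Roles absent from the roster get generic placeholder contact names.
        for contact in ON_CALL.get(role, (role + "-primary", role + "-backup")):
            log.append((t, contact))
            if contact in answers:
                return log, contact
            t += TIER_WAIT_MIN
    return log, None

def sla_breaches(severity, ack_min, triage_min, contain_min):
    """Names of the SLA targets this incident missed, for monthly tracking."""
    names, actual = ("acknowledge", "triage", "contain"), (ack_min, triage_min, contain_min)
    return [n for n, a, target in zip(names, actual, SLA[severity]) if a > target]
```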
Ready to use this resource?
Download it now or schedule a demo to see how Hunto AI can automate your security workflows.
