Declaration threshold

Definition

The criteria defined in an organisation's IR plan that a suspected event must meet before it is formally declared a confirmed incident, assigned a case number, and escalated to the full IR team. Thresholds are typically expressed in terms of confirmed malicious activity, impact level, and data exposure.

Related terms

Blast radius
The full set of systems, accounts, and data that an attacker has accessed or could access given their current level of compromise....
Corroboration
The practice of confirming an observed attacker action by finding evidence of the same action in at least two independent data sources,...
Dwell time
The period between an attacker gaining initial access and their detection. Reducing dwell time is a primary goal of threat hunting. The...
Initial indicator of compromise (IoC)
The first observable artefact or event that triggers the investigation: a hash match, a suspicious process, an anomalous login, or an alert...
Lateral movement
Attacker activity after initial compromise in which the threat actor traverses from one internal system to another, typically to escalate privileges, access...

Explained in

  • Scoping and Confirming an Incident
