Takes in reported phish, analyses them, and decides whether to contain or dismiss.
Activation complexity: High
Time to activate: 14-21 days
Volume share: 25-35% of role volume
Impact range: Under 15 minutes
Inherited pricing
€3.00 – €12.00 per review or incident handled
This capability shares the Security Operations Analyst's metered unit. A review or incident handled is counted once at the role level regardless of which capability handled it. Adding this capability to an active deployment does not change the per-action price.
What this capability handles
Phishing Triage takes in reported phish from the reporting channel, analyses headers, URLs, and payloads, decides whether to contain, dismiss, or escalate, and orchestrates containment actions, with analyst review on confirmed incidents.
Workflow summary
Intakes report, analyses artifact, decides action, orchestrates containment.
Stages
Decision logic
Uses artifact-analysis rules and threat-intel signals to decide whether to contain, dismiss, or escalate.
Systems and data
Systems: EDR, email gateway, messaging, ticket system
Data: reported phish, threat intelligence, prior triage, containment playbook
Exceptions & human handoff
Confirmed incidents, targeted-campaign patterns, or executive-target phish route to the analyst for immediate ownership.
Confirmed incident, targeted campaign, or executive-target flag.
Readiness
EDR feed connected, email gateway integrated, containment playbook approved.
Owner on client side · CISO
Impact contribution
25-35% of role impact is phish-triage lead time with containment discipline.
Primary KPI · Phishing-triage lead time · Under 15 minutes
Capability-specific integrations
Beyond the Security Operations Analyst's base stack, this capability plugs into: