Capability of Security Operations Analyst · Default at launch

Phishing Triage

Takes in reported phish, analyses them, and decides whether to contain or dismiss.

  • Activation complexity

    High

  • Time to activate

    14-21 days

  • Volume share

    25-35% of role volume

  • Impact range

    Under 15 minutes

Inherited pricing

€3.00 – €12.00 per review or incident handled

This capability inherits the Security Operations Analyst's pricing model. The role's launch fee + monthly retainer + role-level usage cover every capability under the role. Adding this capability to an active deployment does not change the price.

What this capability handles

How it works in detail.

Phishing Triage takes in reported phish from the reporting channel, analyses headers, URLs, and payloads, decides whether to contain, dismiss, or escalate, and orchestrates containment actions, with analyst review on confirmed incidents.

Workflow summary

Intakes report, analyses artifact, decides action, orchestrates containment.

Stages

  1. intake
  2. analyse
  3. decide
  4. orchestrate
  5. log

Decision logic

Uses artifact-analysis rules and threat-intel signals to decide contain, dismiss, or escalate.

Systems and data

Systems: EDR, email gateway, messaging, ticket system

Data: reported phish, threat intelligence, prior triage, containment playbook

Exceptions & human handoff

Confirmed incidents, targeted-campaign patterns, or executive-target phish route to the analyst for immediate ownership.

Confirmed incident, targeted campaign, or executive-target flag.

Readiness

EDR feed connected, email gateway integrated, containment playbook approved.

Owner on client side · CISO

Impact contribution

25-35% of role impact is phish-triage lead time with containment discipline.

Primary KPI · Phishing-triage lead time · Under 15 minutes

When this capability shows up

Real-shape scenarios.

Patterns where phishing triage is part of the launch set, with volume and pricing anchored to each company profile.

  • Mid-market SaaS with SOC 2 posture and heavy vendor footprint

    SaaS · 300-800

    300 / mo

    A 500-person B2B SaaS company runs 300 reviews or incidents a month. Quarterly access reviews overrun by weeks. Reported phish waits hours in the queue.

    Security Operations Analyst activates access review and phishing triage. Reviews ship on cadence with stale-access removal; phish is triaged in minutes; the analyst shifts to real risk calls.

    Expected outcomes at this volume: access-review completion above 95%, phishing-triage lead time under 15 minutes, analyst hours reclaimed weekly.

    Monthly cost

    €900 – €3.6k

    vs human anchor

    €3.5k – €12k

    Savings

    03%

  • Enterprise services firm with ISO 27001 and vendor questionnaires

    Services · 800-2000

    700 / mo

    A 1500-person services firm runs 700 reviews or incidents a month. Vendor questionnaires backlog for weeks. Audit evidence is a scramble every cycle.

    Security Operations Analyst activates all four capabilities. Access reviews ship on cadence; vendor questionnaires turn around in days; phish gets triaged in minutes; compliance evidence stays audit-ready.

    Expected outcomes: cycle-time reduction 50-70% on coordination surface, vendor-review turnaround 60-80% faster, compliance evidence audit-ready at any moment.

    Monthly cost

    €2.1k – €8.4k

    vs human anchor

    €8.2k – €28k

    Savings

    03%

  • Marketplace with heavy third-party integrations and phishing pressure

    Marketplaces · 300-800

    500 / mo

    A 500-person marketplace runs 500 security reviews and incidents a month. Vendor questionnaires queue up for two weeks. Reported phish attempts sit in the queue half a day. Audit evidence is stitched together the week before each review.

    Security Operations Analyst activates vendor-security review, phishing triage and compliance monitoring. Questionnaires turn around in days; phish triages in minutes; compliance evidence holds audit-ready.

    Expected outcomes: vendor-review turnaround 60-80% faster, phishing-triage lead time under 15 minutes, compliance evidence continuously ready.

    Monthly cost

    €1.5k – €6.0k

    vs human anchor

    €5.8k – €20k

    Savings

    03%

All scenarios and cost ranges come from the Security Operations Analyst role page.

Capability-specific integrations

Additional systems for Phishing Triage.

Beyond the Security Operations Analyst's base stack, this capability plugs into:
