ForgeAwareness
Module (13 min)

Trust the feeling that something's wrong

TL;DR

You don't need certainty to report an incident. You need a pattern, a feeling, or a fact that doesn't fit. That's enough. Report it.

You're the early warning system

Most incidents aren't discovered by security tools. They're discovered by someone like you noticing something that doesn't feel right.

  • A file server acting slow or unresponsive
  • Emails that look almost right but the sender is slightly wrong
  • A coworker's account sending strange messages
  • Files being renamed or modified unexpectedly
  • Systems you use every day that you suddenly can't access
  • A call from "IT" asking for your password
  • Your screen doing things you didn't ask it to do
  • An email from a vendor with an attachment you weren't expecting

None of these PROVE an incident. But they're all worth reporting.

What stops people from reporting

Fear of being wrong. "What if it's nothing?"

If it's nothing, your security team will confirm it's nothing and everyone moves on. They'd rather investigate 10 false alarms than miss one real incident.

Fear of looking bad. "Did I do something wrong?"

If you accidentally clicked a phishing email, you're not in trouble for reporting it. You're the hero for catching it. (You're only in trouble if you hide it.)

Fear of being a snitch. "If it's my coworker, will I get them in trouble?"

If your coworker's account is compromised, reporting it saves them and the company. If they actually did something wrong, that's between them and your security team. Your job is to notice and report.

Fear of the disruption. "An incident response will be chaotic."

Yes. It will be. That's what happens when something real is happening. Better to have organized chaos than slow damage.

The one-line rule

If something doesn't feel right, you're probably right. Report it.

You don't need proof. You don't need to investigate. You just need to tell your security team what you observed and let them decide if it's real.

What an incident actually is

An incident is:

  • Unauthorized access to systems or data
  • Malware or ransomware running
  • Phishing compromise (credentials taken, malware installed)
  • Data being copied or deleted by unauthorized parties
  • Systems behaving unexpectedly
  • Accounts being used in ways the owner didn't authorize

If you see any of these, that's an incident. Report it.

What's NOT an incident (but report it anyway if it's unusual)

  • A system being slow (could be an incident, could be legitimate load)
  • Someone asking an odd question (could be social engineering, could be normal)
  • An email that looks suspicious (could be phishing, could be a typo)
  • A file being updated by someone else (could be legitimate collaboration, could be unauthorized)

These aren't automatically incidents, but if they're unusual for your environment, mention them. Context matters. Let your security team decide.

Knowledge check

Knowledge check 1

What's the right bar for reporting something as a potential incident?