- Security monitoring tool generates alert
- On-call security analyst validates the alert (true positive vs. false positive)
- If true positive: declare incident, assign severity level