The idea behind triage is to simplify things. In many teams it has the opposite effect.

Alerts turn into repeated checks, back-and-forth, and "just escalate it" calls whenever a definitive decision cannot be reached in time. That cost is not contained within the SOC: it shows up as missed SLAs, a higher cost per case, and more room for real threats to slip past detection. So where does triage go wrong?

Over-Escalation Hides Actual Priority Events

Business risk: Tier 1 escalates "just to be safe" when the evidence is ambiguous, and Tier 2 turns into a verification layer for borderline cases.

This slows response to high-impact incidents, clogs queues, and diverts senior time into "maybes." It also raises the risk that critical cases will be delayed and increases the cost per investigation.

The Solution: Use Execution Evidence to Close More Cases at Tier 1

When Tier 1 can independently validate or reject alerts, Tier 2 stays focused on actual incidents rather than serving as a verification desk. ANY.RUN makes that feasible because the sandbox is designed for quick triage: it is easy to use, offers AI-assisted guidance during analysis, and produces automatically generated reports that capture the most important evidence without additional manual write-ups. A dedicated IOCs tab also gathers indicators in one place, so Tier 1 can escalate with context rather than asking Tier 2 for confirmation. One caveat applies to any sandbox-driven decision: execution evidence is only as good as the detonation. A sample that never runs (evasion, a missing argument, the wrong environment) yields no evidence at all, and the absence of behaviour should not be read as benign.
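The decision rule described above, as an added example rather than ANY.RUN's code or report format: the report keys, behaviour tags and sample reports are hypothetical and constructed inline so the script runs offline. Tier 1 closes only when execution evidence is conclusive either way, confirms incidents with a pre-built IOC package, and escalates the rest with the specific open question instead of "just to be safe".

```python
"""Tier 1 triage decision over sandbox execution evidence.

Added example, not ANY.RUN's code or report format. Report keys and
behaviour tags are hypothetical; the sample reports are constructed.
"""
from dataclasses import dataclass, field

# Behaviour tags treated as conclusive proof of malicious execution
# (hypothetical names; map them onto what your sandbox actually emits).
CONCLUSIVE = {"c2_beacon", "ransomware_encryption", "credential_dumping",
              "process_injection", "persistence_run_key"}
# Weak signals: worth a look, but not enough to close either way.
WEAK = {"suspicious_api_call", "packed_binary", "unusual_child_process"}


@dataclass
class Decision:
    action: str  # close_false_positive | confirm_incident | escalate_for_review
    reason: str
    iocs: dict = field(default_factory=dict)


def collect_iocs(report: dict) -> dict:
    """Pull indicators from every report section into one de-duplicated
    view, so an escalation carries context, not just a report link."""
    net = report.get("network", [])
    return {
        "domains": sorted({c["domain"] for c in net if c.get("domain")}),
        "ips": sorted({c["dst"] for c in net if c.get("dst")}),
        "sha256": sorted({f["sha256"] for f in report.get("files", [])
                          if f.get("sha256")}),
    }


def triage(report: dict) -> Decision:
    iocs = collect_iocs(report)
    behaviours = set(report.get("behaviours", []))

    # No execution means no evidence: an idle sample may be evading the
    # sandbox or waiting on an argument. Never close it as benign.
    if not report.get("executed"):
        return Decision("escalate_for_review",
                        "no execution trace; absence of behaviour is not "
                        "evidence of benign", iocs)

    conclusive = behaviours & CONCLUSIVE
    if conclusive:
        return Decision("confirm_incident",
                        "conclusive malicious behaviour: "
                        + ", ".join(sorted(conclusive)), iocs)

    weak = behaviours & WEAK
    has_network = bool(iocs["domains"] or iocs["ips"])
    if not weak and not has_network and report.get("verdict") == "benign":
        return Decision("close_false_positive",
                        "ran to completion with no suspicious behaviour "
                        "or network activity", iocs)

    # Everything in between is escalated with the specific open question.
    # Note a "malicious" verdict label alone does not reach this bar.
    signals = sorted(weak)
    if has_network:
        signals.append("unexplained network activity")
    if not signals:
        signals.append("verdict label without supporting behaviour")
    return Decision("escalate_for_review",
                    "ambiguous evidence: " + "; ".join(signals), iocs)


# Constructed sample reports (not real detonations).
SAMPLES = {
    "invoice.docm": {"executed": True, "verdict": "malicious",
                     "behaviours": ["c2_beacon", "persistence_run_key"],
                     "network": [{"dst": "203.0.113.7",
                                  "domain": "update.example.net"}],
                     "files": [{"sha256": "a" * 64}]},
    "setup.exe": {"executed": True, "verdict": "benign", "behaviours": [],
                  "network": [], "files": [{"sha256": "b" * 64}]},
    "report.pdf": {"executed": False, "verdict": "benign",
                   "behaviours": [], "network": [], "files": []},
    "tool.exe": {"executed": True, "verdict": "malicious",
                 "behaviours": ["packed_binary"],
                 "network": [{"dst": "198.51.100.4"}], "files": []},
}


def run_all() -> dict:
    """Return the triage action for every constructed sample."""
    return {name: triage(r).action for name, r in SAMPLES.items()}


if __name__ == "__main__":
    for name, r in SAMPLES.items():
        d = triage(r)
        print(f"{name}: {d.action} ({d.reason}) iocs={d.iocs}")
```

The point of the ordering is that the verdict label is consulted last: a "malicious" score with only a weak signal (tool.exe) is escalated with the signal named, and a sample that never executed (report.pdf) is escalated rather than closed, even though its verdict reads benign.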