Entity

Security Event

A logged security occurrence — type, source, target, and risk level that enables threat detection.

Last updated: February 2026
Data current as of: February 2026

Why This Object Matters for AI

AI threat detection analyzes security events; incident response depends on event visibility.

Security & Compliance Capacity Profile

Typical CMC levels for security & compliance in SaaS/Technology organizations.

Formality: L3
Capture: L3
Structure: L3
Accessibility: L3
Maintenance: L3
Integration: L3

CMC Dimension Scenarios

What each CMC level looks like specifically for Security Event. Baseline level is highlighted.

L0

Security event handling is entirely reactive — someone notices a suspicious login or a customer reports an anomaly, and the response depends on which engineer is available and what they think to check first.

None — AI has no security event process definitions to follow or automate.

Document a basic security event handling process defining event classification criteria, triage responsibilities, and escalation paths for different risk levels.

L1

A general security event handling document describes event types and escalation contacts, but actual triage varies by analyst — 'We have a runbook, but when the WAF starts firing alerts at 2 AM, people just do whatever gets it quiet.'

Can reference the process document but cannot determine whether security events are being classified and escalated according to the defined criteria.

Define structured event handling stages (detection, classification, triage, investigation, containment, resolution) with mandatory transitions and required evidence at each gate.

L2

Structured stages exist for security event handling — detection through resolution — but correlation rules, investigation playbook requirements, and containment action criteria are not formalized per event category.

Can track security events through defined stages but cannot enforce investigation depth or containment actions because per-category requirements are not specified.

Formalize per-category investigation playbooks, correlation rule documentation, containment decision trees, and mandatory evidence collection requirements for each security event type.

L3 (Current Baseline)

Security event handling defines per-category playbooks, correlation rules, containment decision trees, and evidence requirements — brute-force attempts trigger account lockout review, data exfiltration patterns trigger network isolation assessment.

Can enforce event-specific investigation workflows, trigger appropriate containment actions, and verify evidence collection completeness for each event category.

Encode security event handling rules in machine-readable SOAR playbooks with automated classification, investigation orchestration, and containment action execution.

L4

Machine-readable SOAR playbooks automate security event classification, investigation orchestration, and containment execution — events auto-classify by source and pattern, investigations auto-gather context, and containment actions execute with approval gates.

Can autonomously orchestrate security event response — automated classification, parallel investigation, context enrichment, and containment with human-in-the-loop for critical actions.

Deploy adaptive event handling logic that learns from analyst decisions, refines classification thresholds, and optimizes playbook selection based on resolution outcomes.

L5

Adaptive security event handling learns continuously — classification thresholds adjust from false positive feedback, playbook selection optimizes from resolution outcomes, and new event patterns auto-generate draft playbooks from observed analyst behavior.

Can autonomously manage the full security event lifecycle — classification, investigation, containment, and resolution — adapting processes based on real-time outcome analysis.

Ceiling of the CMC framework for this dimension.
