After-hours alert triage: a SOC playbook
2026-05-27 · 5 min read · By Jason Lazerus, Founder, WeaveHub Technologies LLC
A practical playbook for the on-call analyst handling a 2 AM page. What information you need before you act, how to decide between escalate / dismiss / contain, and how to leave a clean handoff for the morning shift.
The 2 AM page is a different cognitive context than the daytime alert queue. You're tired. You may have minutes, not hours, before you make a decision that matters. This playbook lays out a structure for handling after-hours alerts that's tight enough to follow when you're half-asleep and rigorous enough that you won't regret a decision in the morning.
Before you act: read three things
Don't act on an alert title alone. Read at least these three things before you decide on a response:
- The detection type and severity. Severity alone is not enough: a Critical CrowdStrike behavioral detection on a generic pattern and a Medium credential dumping detection call for very different responses, and the second may well be the more urgent one. Get the category before you decide what to do.
- The affected host and user. Domain controller? Executive laptop? A developer's machine running security testing tools? Context determines urgency.
- The triggering activity. Process tree, command line arguments, network connections. If it looks like a real attacker — outbound connection to a known-bad domain, lateral movement, credential theft — your decision space is much narrower.
The three-way decision
Once you have context, your decision is almost always one of three:
- Dismiss — confirmed false positive. Common for known-noisy detections on developer machines. Mark the alert closed with a note and move on. More on false positives.
- Escalate — real but not requiring immediate action. Assign the detection to the appropriate analyst or team for daytime investigation. Add a clear comment with what you saw and why you're escalating rather than containing.
- Contain — real and active. Isolate the host (see host containment), then escalate to senior responders and your incident response runbook.
"I'll figure it out in the morning" is not a fourth option. If you can't determine whether it's a real attack or not from the available context, that itself is a signal — escalate to a teammate who has the experience or context you lack.
Documentation discipline
Every action you take after hours becomes the morning shift's starting point. Be specific in your comments:
- What you saw that led to your decision
- What you ruled out (so the morning shift doesn't re-investigate)
- Outstanding questions for the morning team
- Anything you noticed that wasn't directly part of this alert (related hosts, unusual logins, etc.) — even one line
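The three-way decision above and the four-part handoff comment are easy to follow by hand; the block below is an added example (not PocketSOC or WeaveHub code, and not any vendor's alert schema) that encodes both as a small rule-based helper. The `Alert` fields, host tags, indicator names and the "known-noisy" list are assumptions constructed for the example: it refuses to decide when any of the three required pieces of context is missing (escalate, do not guess), sends anything with an active-attacker indicator to contain regardless of the severity label, dismisses only known-noisy detections on developer hosts with no such indicator, and drafts the handoff note with the what-I-saw / ruled-out / open-questions / also-noticed sections.

```python
"""Rule-based after-hours triage helper.

Added example for this playbook, not PocketSOC/WeaveHub code. The alert
fields, tags and indicator names are assumptions constructed for the
example, not a CrowdStrike/Defender/GuardDuty schema.
"""
from dataclasses import dataclass, field

# Assumed host-context tags (constructed for this example).
HIGH_VALUE_HOST_TAGS = {"domain-controller", "executive-laptop", "identity-infra"}
# Triggering-activity indicators that narrow the decision to "contain".
ACTIVE_ATTACK_INDICATORS = {"known-bad-domain", "lateral-movement", "credential-theft"}
# Detection types known to fire on developer machines running test tooling.
NOISY_ON_DEV_HOSTS = {"mimikatz-like-behavior", "port-scan"}


@dataclass
class Alert:
    alert_id: str
    detection_type: str
    severity: str                                     # Low / Medium / High / Critical
    host: str
    host_tags: set = field(default_factory=set)
    user: str = ""
    process_tree: list = field(default_factory=list)  # parent -> child command lines
    indicators: set = field(default_factory=set)      # from network/credential telemetry


def triage(alert: Alert) -> tuple:
    """Return (decision, reason); decision is dismiss, escalate or contain."""
    # 1. Do not decide without the three things the playbook says to read first.
    missing = [name for name, value in (("detection type", alert.detection_type),
                                        ("host", alert.host),
                                        ("triggering activity", alert.process_tree))
               if not value]
    if missing:
        return "escalate", "cannot assess: missing " + ", ".join(missing)
    # 2. Real and active: an attacker-pattern indicator means contain, whatever the severity label.
    active = alert.indicators & ACTIVE_ATTACK_INDICATORS
    if active:
        return "contain", "active attack indicators: " + ", ".join(sorted(active))
    # 3. Known-noisy detection on a developer host with no active indicator: dismiss.
    if "developer" in alert.host_tags and alert.detection_type in NOISY_ON_DEV_HOSTS:
        return "dismiss", (f"{alert.detection_type} is known-noisy on developer hosts; "
                           "no active indicators")
    # 4. Anything else is real enough to hand off; flag high-value hosts in the reason.
    if alert.host_tags & HIGH_VALUE_HOST_TAGS:
        return "escalate", (f"{alert.severity} {alert.detection_type} on high-value host "
                            f"{alert.host}; no active indicators yet")
    return "escalate", (f"{alert.severity} {alert.detection_type}; real but not active, "
                        "needs daytime investigation")


def handoff_note(alert, decision, reason, ruled_out, open_questions, side_notes):
    """Draft the comment left on the alert for the morning shift."""
    tags = ", ".join(sorted(alert.host_tags)) or "untagged"
    lines = [
        f"[{alert.alert_id}] after-hours decision: {decision.upper()}",
        "What I saw: " + reason,
        "  process tree: " + " -> ".join(alert.process_tree),
        f"  host/user: {alert.host} ({tags}) / {alert.user or 'unknown'}",
        "Ruled out: " + ("; ".join(ruled_out) or "nothing ruled out"),
        "Open questions: " + ("; ".join(open_questions) or "none"),
        "Also noticed: " + ("; ".join(side_notes) or "nothing"),
    ]
    return "\n".join(lines)


# Constructed sample alerts (not real telemetry).
SAMPLE_ALERTS = [
    Alert("A-1", "mimikatz-like-behavior", "Critical", "dev-laptop-17", {"developer"},
          "jdoe", ["explorer.exe", "cmd.exe /c run-tests.bat", "mimikatz.exe"]),
    Alert("A-2", "credential-dumping", "Medium", "dc01", {"domain-controller"},
          "svc-backup", ["services.exe", "procdump.exe -ma lsass.exe"], {"credential-theft"}),
    Alert("A-3", "unusual-login", "High", "exec-laptop-03", {"executive-laptop"},
          "ceo", ["winlogon.exe", "userinit.exe"]),
    Alert("A-4", "suspicious-script", "High", "", set(), "", []),
]

if __name__ == "__main__":
    for a in SAMPLE_ALERTS:
        decision, reason = triage(a)
        print(handoff_note(a, decision, reason, [], [], []), end="\n\n")
```

Note that A-1 (Critical label, dismissed) and A-2 (Medium label, contained) land on opposite sides of the severity you would guess from the title alone, which is the point of reading the category and the triggering activity first. The dismiss rule is deliberately narrow: it requires both the developer tag and a detection type your team has actually vetted as noisy; everything it cannot place goes to escalate.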
Sleep hygiene matters
This is a SOC playbook, not a wellness post, but it's worth saying: alert fatigue is real and accumulates. If you keep getting paged for the same noisy detection, fixing the detection is the highest-leverage action you can take. Talk to your detection engineering team in the morning.
For the full mobile workflow context, see after-hours triage.
See PocketSOC in your hands
PocketSOC puts the urgent incident response workflows for CrowdStrike Falcon, Microsoft Defender, and AWS GuardDuty on your phone. Get connected in five minutes or see plans and pricing.
Related posts
2026-05-27 · 4 min read
Why SOC teams need a mobile incident response strategy →
The on-call SOC analyst at 2 AM is the slowest link in your detect-and-respond chain. A mobile-first response strategy isn't about convenience — it's about cutting dwell time and reducing burnout.
2026-05-27 · 3 min read
How to isolate a CrowdStrike host from your phone →
A step-by-step walkthrough of network-containing a Falcon host from PocketSOC on iOS or Android — including biometric confirmation, audit trail, and how to lift isolation when the investigation closes.