Knowledge Base

Incident Scope Assessment

Determine what may be affected without treating incomplete evidence as a complete boundary.

Scope is an evidence question

Scope can include identities, hosts, applications, network segments, cloud resources, related indicators, persistence, lateral movement, data access, privilege changes, and business services. Start with confirmed entities and expand through defensible pivots, not assumptions. Absence of evidence is not evidence of absence when logging, retention, or access is incomplete.

Scope-expansion questions

  • Which identities, assets, and services are confirmed by source records?
  • What related activity shares a reliable indicator, process, account, session, network path, or time window?
  • Which sources can confirm or challenge the hypothesis?
  • What is known, what is suspected, and what cannot yet be checked?

Workflow

  1. Create separate lists for confirmed facts, plausible hypotheses, and unknowns.
  2. Pivot from a verified entity through one source at a time, recording the query, time range, and result.
  3. Prioritize pivots with potential ongoing harm, privileged access, sensitive data, or critical service impact.
  4. Update confidence as evidence changes and retain gaps for the handoff or review.

Premature closure

Do not close scope because one endpoint is clean, one account is disabled, or a search returns no results. Confirm the coverage and retention of the data source, then state the remaining uncertainty. A bounded scope is useful only when its evidence and limitations are clear.