Do I Need to Escalate?
A decision guide for knowing when to stop, raise risk, and involve an approver or response lead.
Use this page when a task becomes riskier, broader, or less certain than originally expected.
Purpose
Escalation protects the operator, the environment, and the quality of the response. Escalation is not failure. It is controlled decision-making.
Escalate immediately if
- scope becomes unclear
- the target appears more sensitive than expected
- a user may be compromised
- privileged accounts are involved
- multiple users or systems may be affected
- the action may impact production
- the next step would be intrusive or difficult to reverse
- you are being asked to move faster than evidence allows
- legal, privacy, or compliance concerns appear
- you cannot explain why the next action is safe
Escalate before continuing if
- you want to move from review to active testing
- you need broader access than originally approved
- you need to collect more sensitive data
- you suspect the issue is larger than the original report
- your evidence is incomplete but pressure is increasing
- you need to coordinate with another team
Do not delay escalation because
- you want to "be sure" first
- the requester seems confident
- it feels like a small issue
- you think asking will slow things down
- you do not want to look inexperienced
These are common causes of avoidable mistakes.
What to provide when escalating
Include:
- the original objective
- the target or artifact involved
- what you observed
- what you have already done
- what risks you now see
- what action you believe may be needed next
- what evidence supports your concern
Good escalation example
I was validating a reported phishing email. The message is malicious, and the user confirmed they entered credentials. The account has elevated access. I preserved the message, captured link and sender details, and documented user interaction. I recommend escalation for account review, session invalidation, and broader exposure assessment.
Poor escalation example
This looks bad. Can someone take over?
The first is actionable. The second creates confusion.
If you are unsure
Escalate. Uncertainty around impact, scope, or authority is itself a valid escalation reason.
Quick action frame
| Check | Use this rule |
|---|---|
| When to stop | Stop when the next action is intrusive, hard to reverse, or broader than the original task. |
| Escalation trigger | Escalate when scope, impact, authority, or evidence quality becomes uncertain. |
| Evidence required | Provide the objective, target, observations, actions already taken, current risks, and recommended next step. |
| Next path | Continue to What Evidence Is Required? or the relevant scenario page before any higher-risk action. |
Related pages
| When to stop | Stop when the next action is intrusive, hard to reverse, or broader than the original task. |
| Escalation trigger | Escalate when scope, impact, authority, or evidence quality becomes uncertain. |
| Evidence required | Provide the objective, target, observations, actions already taken, current risks, and recommended next step. |
| Next path | What Evidence Is Required? |