Aaron Johnson Tech — Security Operations, Detection Engineering, AI Security

Incident response and phishing defense case study

Phishing Defense & Investigation Workflow

A repeatable analyst workflow for user-reported suspicious emails, designed to improve triage consistency, escalation decisions, containment actions, and documentation quality.

Tags: Phishing triage, Incident response, Indicator review, Escalation, Documentation, User-risk reduction
Objective

Create a consistent path for handling suspicious-email reports.

Inputs

Sender, headers, URLs, attachments, user action, mailbox context, and related alerts.

Decision points

Benign, suspicious, malicious, escalate, contain, or monitor.

Outcome

Clear analyst notes and repeatable escalation language.

Workflow map

From report to response

1. Intake

Capture who reported the message, when it arrived, what action the user took, and whether credentials or files were involved.

2. Indicator review

Review sender identity, domain age/context, URLs, attachments, reply-to mismatch, spoofing indicators, and message intent.

3. Scope

Check whether similar messages reached other users, whether the sender or URL appears elsewhere, and whether related alerts exist.

4. Decision

Classify as benign, suspicious, or malicious and decide whether to escalate, contain, block, or document only.

5. Containment

Recommend password reset, session/token review, email quarantine, URL/domain block, endpoint check, or user notification as appropriate.

6. Documentation

Record evidence, timeline, classification, user impact, containment steps, and lessons learned for repeatability.
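An added example, not code from the original case study, that encodes steps 2, 4 and 5 of this workflow as a small Python triage helper: it parses a constructed user-reported message, extracts the indicators listed above (reply-to mismatch, display-name impersonation, URL host versus sender domain, urgency wording, attachment types), scores them into a benign/suspicious/malicious verdict, and maps the intake "user action" to the containment options from step 5. TRUSTED_DOMAINS, the scoring weights, thresholds, keyword lists and the sample message are assumptions to be tuned per environment.

```python
import re
from email import message_from_string
from email.utils import parseaddr
# Constructed sample of a user-reported message; all domains are placeholders.
SAMPLE_EML = """From: "IT Helpdesk" <helpdesk@examp1e-corp.test>
Reply-To: recovery@mailbox-reset.test
Subject: Action required: your password expires today
Content-Type: text/plain

Your password expires in 2 hours. Verify now: http://mailbox-reset.test/login?u=user
"""
TRUSTED_DOMAINS = {"example.test"}  # assumed in-house mail domain(s)
URGENCY = ("action required", "expires", "verify now", "urgent")
RISKY_EXT = (".html", ".htm", ".iso", ".lnk", ".js", ".vbs", ".zip")

def extract_indicators(raw):
    """Step 2 (indicator review): pull the fields an analyst checks by hand."""
    msg = message_from_string(raw)
    display, sender = parseaddr(msg.get("From", ""))
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    sender_domain = sender.rsplit("@", 1)[-1].lower()
    body = "".join(p.get_payload(decode=True).decode(errors="replace")
                   for p in msg.walk() if p.get_content_type() == "text/plain")
    url_hosts = {h.lower() for h in re.findall(r"https?://([^/\s:]+)", body)}
    return {"sender_domain": sender_domain,
            "reply_to_mismatch": bool(reply_to) and reply_to.rsplit("@", 1)[-1].lower() != sender_domain,
            "brand_impersonation": "helpdesk" in display.lower() and sender_domain not in TRUSTED_DOMAINS,
            "urgency": any(k in msg.get("Subject", "").lower() for k in URGENCY),
            "url_hosts": sorted(url_hosts),
            "url_host_mismatch": any(h != sender_domain for h in url_hosts),
            "attachments": [p.get_filename() for p in msg.walk() if p.get_filename()]}

def classify(ind, user_action="none"):
    """Steps 4-5: verdict, escalation and containment. user_action comes from
    intake: 'none', 'clicked', 'credentials' or 'opened_attachment'."""
    score = (2 * ind["reply_to_mismatch"] + 2 * ind["brand_impersonation"]
             + ind["url_host_mismatch"] + ind["urgency"]
             + any(a.lower().endswith(RISKY_EXT) for a in ind["attachments"]))
    verdict = "malicious" if score >= 4 else "suspicious" if score >= 2 else "benign"
    actions = []
    if verdict != "benign":  # benign reports are documented, not contained
        if user_action == "credentials":
            actions += ["password reset", "session/token review"]
        if user_action != "none":
            actions.append("endpoint check")
        if ind["url_hosts"]:
            actions.append("URL/domain block")
        actions += ["email quarantine", "user notification"]
    escalate = verdict == "malicious" or (verdict == "suspicious" and user_action != "none")
    return {"verdict": verdict, "score": int(score), "escalate": escalate, "containment": actions}
```

Calling `classify(extract_indicators(SAMPLE_EML), "credentials")` on the sample yields a malicious verdict with escalation and the full containment list; the same helper run on an internal message with no indicators returns benign with no actions, which is the "document only" path.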

Analyst takeaway

What this proves to a hiring manager

This workflow shows incident-response discipline: gather the right evidence, classify risk consistently, avoid over-escalating benign activity, and document enough context for another analyst or manager to understand the decision.

Skills demonstrated

Role-aligned capabilities

  • Phishing triage and user-reported alert handling
  • Indicator review and investigation documentation
  • Escalation criteria and containment planning
  • Risk communication for users and leadership
  • Repeatable playbook thinking for SOC environments
