Incidents overview
Log, triage, and resolve security and operational events from first detection through close — with a full audit timeline and regulatory deadline tracking.
The Incidents area is where your team records security and operational events and works them from first detection through to close. It pairs a filterable incident queue on the left with a detail panel on the right, so you can scan everything that needs attention and drill into any single incident.
Reach it from the Incidents entry in the sidebar, or go to /incidents directly.
What an incident is
An incident is a single tracked event. Each record carries a title and optional description, a severity, a status, an incident type, a source, a reporter and an optional assignee, and a set of lifecycle timestamps (detected, aware, triaged, contained, resolved, closed). Incidents that fall under data-protection or operational-resilience law also carry regulatory fields — which frameworks apply, whether a data breach or personal data is involved, and the notification deadlines those frameworks impose.
The incident type is a coarse operational classification and is independent of which regulatory frameworks apply. Typing an incident as Data breach does not by itself mean GDPR applies, and vice versa — the two are set separately. See Reporting an incident and Regulatory notifications.
The incidents list
The queue on the left is your working view of every incident you can see. Search matches by title, reporter, or assignee; the Status and Severity dropdowns narrow the list further. Each card shows the title with severity, status, and (where relevant) a Breach chip.
What you can see is decided by how your access was granted, not by a single "view all" permission: a company-scoped role sees every incident in the company, while someone added to a single incident as its reporter or assignee sees only that one. If the queue reads "No incidents in view", nothing currently matches your filters or your visibility scope — clear the search or reset the filters to widen it.
What you'll see as a member
The screenshots here are the admin / incident-responder view. Incidents only appears in the sidebar if you have incident access — either a company-wide incident role (responder or manager) or because you are the reporter or assignee on specific incidents. A company-wide role sees the full queue; if you are only on individual incidents, the queue is scoped to just those, and most regular members do not see the Incidents area at all. The authoring controls in these screenshots — New, Edit triage profile, status transitions, and regulatory actions — are limited to incident responders, managers, and admins. A view-only member can read the incidents in their scope but cannot create or change them.
The list, search, and dashboard views are served from a denormalized read model (incident_summaries) that is written in the same transaction as every incident change. It is always current — there is no background sync lag between editing an incident and seeing it reflected in the queue.
The lifecycle at a glance
Every incident moves through an ordered, forward-only lifecycle. You advance it one stage at a time:
Reported → Triaged → Investigating → Contained → Eradicated → Resolved → Post-review → Closed
You cannot skip a stage. The only backward move is Resolved → Investigating (re-opening), which requires a note explaining why. Reaching certain stages auto-stamps a timestamp used for response metrics. Full detail is in Working an incident.
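The transition rules above can be checked mechanically, for instance when reviewing an exported status history for moves the lifecycle should never have allowed. This is an added example, not the product's own code: the function names, the `(target, note)` history format, and the assumption that every incident starts at Reported are illustrative.

```python
# Added example: names and data format are assumptions, not the product's API.
STAGES = ["Reported", "Triaged", "Investigating", "Contained",
          "Eradicated", "Resolved", "Post-review", "Closed"]
REOPEN = ("Resolved", "Investigating")  # the only permitted backward move


def check_transition(current, target, note=""):
    """Return None if the move is allowed, otherwise a reason string."""
    if current not in STAGES or target not in STAGES:
        return "unknown stage"
    if (current, target) == REOPEN:
        # Re-opening is legal only with an explanatory note.
        return None if note.strip() else "re-opening requires a note"
    step = STAGES.index(target) - STAGES.index(current)
    if step == 1:
        return None
    if step > 1:
        return "cannot skip a stage"
    if step == 0:
        return "no change"
    return "backward move not allowed"


def audit_history(history):
    """Replay (target, note) pairs from Reported and list every violation."""
    violations = []
    current = STAGES[0]  # assumption: incidents start at Reported
    for i, (target, note) in enumerate(history):
        reason = check_transition(current, target, note)
        if reason:
            violations.append((i, current, target, reason))
        if target in STAGES:
            current = target  # keep following what the record claims
    return violations


# Constructed sample history, not real incident data.
SAMPLE_HISTORY = [
    ("Triaged", ""), ("Investigating", ""), ("Contained", ""),
    ("Eradicated", ""), ("Resolved", ""),
    ("Investigating", "Second affected host found"),  # valid re-open
    ("Contained", ""),
    ("Resolved", ""),        # skips Eradicated
    ("Investigating", ""),   # re-open without a note
    ("Triaged", ""),         # plain backward move
]

if __name__ == "__main__":
    for violation in audit_history(SAMPLE_HISTORY):
        print(violation)
```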
In this section
Reporting an incident
The report form and the triage profile: type, severity, data breach / PII, detection and awareness times, and regulatory frameworks.
Working an incident
Advancing the status lifecycle, the lifecycle rail and event timeline, the discussion thread, and remediation tasks.
Regulatory notifications
Notification stages, deadline clocks per framework, and marking regulator dispatches as sent.
Linking incidents
Connecting controls, risks, evidence, reports, and assets to an incident.