How to Respond to a Critical Alert
Step-by-step guide to responding to a Critical severity alert from Xpernix — how to triage, contain, investigate, and close an incident with your SOC team.
Overview
When Xpernix issues a Critical alert, it means our analysts have reviewed the event and determined it requires your immediate attention. This guide walks you through our recommended response process.
Critical alert SLA: Acknowledge within 15 minutes, initial response within 1 hour.
Step 1: Acknowledge the Alert
Critical alerts are delivered through all your configured channels simultaneously:
- Slack/Teams (dedicated #xpernix-alerts channel)
- Email to your on-call address
- PagerDuty / Opsgenie webhook (if configured)
The alert message includes:
- One-line summary of what was detected
- Affected asset(s)
- Severity and time of detection
- Direct link to the incident in the portal
Click the link and acknowledge the alert in the portal. This starts the clock on your response SLA and notifies our analyst team that you’ve seen it.
Step 2: Read the Analyst Brief
Every Critical alert includes an analyst-written brief at the top of the incident view. This is the most important thing to read first — it contains:
- What happened: the specific events that triggered the detection
- What we think it means: our assessment of the threat (e.g. “likely credential stuffing bot” vs. “possible targeted intrusion”)
- Affected assets: hostname, IP, username, and any related assets
- Immediate recommended action: what to do in the next 15 minutes
Our analyst will also be in your Slack/Teams channel to answer questions in real time.
Step 3: Contain the Threat
Containment means cutting off the attacker's access and stopping the threat from spreading before you fully investigate. Isolate rather than power off wherever you can: a quarantined host keeps its memory, running processes and open connections available for the investigation.
Common containment actions by threat type
| Threat type | Recommended containment |
|---|---|
| Compromised credentials | Reset the password, revoke active sessions and tokens, enforce MFA |
| Infected endpoint | Isolate the host from the network (EDR quarantine); keep it powered on to preserve volatile evidence |
| Malicious IP | Block the IP at the firewall / WAF |
| Data exfiltration | Block the outbound destination, disable the affected user account, preserve the proxy and firewall logs |
| Lateral movement | Isolate the affected segment, revoke and rotate the compromised service account |
Xpernix analysts can execute some containment actions directly on your behalf if you’ve enabled Active Response in your settings — ask your onboarding engineer to set this up.
Step 4: Investigate the Scope
Once contained, you need to understand the full blast radius. In the portal, open the Timeline tab.
The timeline shows:
- All events from affected assets in the ±6 hours around the incident
- Related events from other assets that communicated with the affected host
- Enrichment data: threat intel matches, geolocation, known malicious indicators
Work with your assigned analyst to answer:
- Is this a single compromised asset, or is there lateral movement?
- What data, if any, was accessed or exfiltrated?
- How did the attacker get in? (Initial access vector)
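The Timeline tab does this selection for you, but the same questions can be answered from a local event export when you need to cross-check the portal or scope a host it does not cover. The script below is an added example, not Xpernix code: it applies the Timeline's rules (events on the affected assets within ±6 hours of detection, plus events from assets that communicated with the affected host) to a constructed sample log, then pulls out the evidence behind each of the three questions above. The field names (`ts`, `host`, `user`, `type`, `peer`, `detail`) and the sample events are assumptions.

```python
"""Scope a Critical alert from an exported event log.

Added example, not Xpernix's code: it reproduces the Timeline tab's
selection logic (events on the affected assets within +/-6 hours of the
incident, plus events from assets that communicated with the affected
host) over a constructed sample, so the blast-radius questions from
Step 4 can be answered from a local export.
"""
from datetime import datetime, timedelta

# Constructed sample telemetry (not real data). The field names "ts",
# "host", "user", "type", "peer" and "detail" are assumptions.
SAMPLE_EVENTS = [
    {"ts": "2024-03-10T02:00:00Z", "host": "ws-042", "user": "jdoe", "type": "logon", "detail": "interactive"},
    {"ts": "2024-03-10T08:55:00Z", "host": "ws-042", "user": "jdoe", "type": "logon", "detail": "interactive"},
    {"ts": "2024-03-10T09:02:00Z", "host": "ws-042", "user": "jdoe", "type": "process", "detail": "powershell.exe -nop -w hidden"},
    {"ts": "2024-03-10T09:05:00Z", "host": "ws-042", "user": "jdoe", "type": "netconn", "peer": "203.0.113.7", "detail": "tcp/443 outbound"},
    {"ts": "2024-03-10T09:20:00Z", "host": "ws-042", "user": "jdoe", "type": "netconn", "peer": "srv-files", "detail": "tcp/445"},
    {"ts": "2024-03-10T09:21:00Z", "host": "srv-files", "user": "jdoe", "type": "logon", "detail": "network"},
    {"ts": "2024-03-10T09:40:00Z", "host": "srv-files", "user": "jdoe", "type": "file_read", "detail": "finance/payroll.xlsx"},
    {"ts": "2024-03-10T09:30:00Z", "host": "ws-117", "user": "asmith", "type": "logon", "detail": "interactive"},
    {"ts": "2024-03-10T16:00:00Z", "host": "srv-files", "user": "backup-svc", "type": "logon", "detail": "service"},
]


def parse_ts(ts: str) -> datetime:
    """Parse an ISO-8601 UTC timestamp with a trailing Z into an aware datetime."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def scope_incident(events, incident_ts, affected_hosts, window_hours=6):
    """Return the events needed to judge the blast radius of an incident.

    primary:          events on the affected hosts inside the window
    peers:            hosts/IPs the affected hosts exchanged connections with
    related:          events on those peers inside the window
    lateral_movement: logons on peers by a user seen on the affected hosts,
                      at or after the incident time
    data_accessed:    file reads on any in-scope host inside the window
    first_seen:       earliest primary event, the starting point for the
                      initial-access question
    """
    t0 = parse_ts(incident_ts)
    lo, hi = t0 - timedelta(hours=window_hours), t0 + timedelta(hours=window_hours)
    affected = set(affected_hosts)

    # All timestamps share one format, so sorting on the string sorts by time.
    window = sorted(
        (e for e in events if lo <= parse_ts(e["ts"]) <= hi), key=lambda e: e["ts"]
    )
    primary = [e for e in window if e["host"] in affected]

    # Pivot in both directions: the affected host connecting out, or being connected to.
    peers = set()
    for e in window:
        if e["type"] != "netconn" or not e.get("peer"):
            continue
        if e["host"] in affected:
            peers.add(e["peer"])
        elif e["peer"] in affected:
            peers.add(e["host"])
    peers -= affected
    related = [e for e in window if e["host"] in peers]

    # A compromised user appearing on a peer after detection is the lateral-movement signal.
    users = {e["user"] for e in primary if e.get("user")}
    lateral = [
        e for e in related
        if e["type"] == "logon" and e.get("user") in users and parse_ts(e["ts"]) >= t0
    ]
    accessed = [e for e in primary + related if e["type"] == "file_read"]

    return {
        "window": (lo, hi),
        "primary": primary,
        "peers": sorted(peers),
        "related": related,
        "lateral_movement": lateral,
        "data_accessed": accessed,
        "first_seen": primary[0] if primary else None,
    }


if __name__ == "__main__":
    result = scope_incident(SAMPLE_EVENTS, "2024-03-10T09:05:00Z", ["ws-042"])
    print("peers:", result["peers"])
    print("lateral movement:", [(e["ts"], e["host"], e["user"]) for e in result["lateral_movement"]])
    print("data accessed:", [e["detail"] for e in result["data_accessed"]])
    print("first seen:", result["first_seen"]["ts"], result["first_seen"]["type"])
```

On the sample, the 02:00 logon and the 16:00 service logon fall outside the ±6 hour window and the unrelated workstation never enters scope; what remains is the outbound connection to 203.0.113.7, the SMB connection to srv-files followed by a network logon there under the same user (lateral movement), and a payroll file read on that server (data accessed). The 08:55 interactive logon is the earliest in-scope activity and the place to start on the initial-access question.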
Step 5: Remediate and Document
Once the scope is clear:
- Remediate the root cause — patch the vulnerability, fix the misconfiguration, reset all affected credentials
- Re-enable services — bring quarantined systems back online only after verifying they're clean; where compromise was confirmed, re-image rather than clean in place
- Document your actions — add notes to the incident in the portal (required for compliance frameworks)
- Close the incident — click Resolve and select the resolution category
Xpernix will automatically generate a Post-Incident Report within 24 hours, suitable for your CISO, board, or auditors.
What Xpernix Does After Resolution
- Root cause summary added to your threat model
- Detection rules tuned to catch similar events earlier
- Compliance evidence logged automatically
- Optional: 30-minute debrief call with your analyst team
Escalating to Our IR Team
If the incident is larger than your team can handle, request our Incident Response Retainer escalation from within the portal (Incident → Escalate to IR). Our IR team will engage within 30 minutes.