By Dragons Community SOC · Updated June 13, 2026 · soc · alert-triage · runbook
Alert triage is the front door of the SOC, and it is a throughput problem. An analyst facing a queue of hundreds of alerts cannot deep-dive every one — the job is to decide, quickly and consistently, whether each alert is a true or false positive, how severe it is, and whether it closes, gets monitored, or escalates. Good triage is fast, repeatable and well-documented; bad triage either drowns the team in noise or lets the one real alert slip past at 3am. This runbook gives a consistent five-step path through a single alert, plus how to spot false positives and when to escalate.