Alerts are first-class security work items in Cotool. They give analysts one place to see what needs attention, what produced it, who or what is working it, and how it was resolved.

What creates alerts

Cotool creates alerts from two source types:

Cotool detections

Verified detection hits create alerts with the detection name, severity, evidence, and source payload.

Response-agent triggers

Jira, Linear, email, webhook, Bugcrowd, Slack, and scheduled triggers can create alerts when Create alert on trigger is enabled.
Manual alert creation and human assignees are not part of the current alert workflow. Alerts are generated by configured sources and can be assigned to response agents for triage.

Alert fields

Each alert has:
  • ID: a readable COT-### identifier
  • Title and description: editable summary fields for the analyst-facing story
  • Status: the alert lifecycle and final disposition
  • Severity: Low, Medium, High, or Critical
  • Source: Cotool Detection or the trigger source that created the alert
  • Detection: the Cotool detection or extracted external detection name, when known
  • Assignee: the response agent currently triaging the alert
  • Activity: comments, status changes, assignment changes, triage runs, and source events
  • Payload: the original detection-hit or trigger payload, when available

Statuses and dispositions

Alert status combines workflow state and final disposition:
Status                    Meaning
Open                      The alert exists and is not actively being triaged.
In Progress               A response agent or user has started triage.
Escalated                 Triage found something that needs closer human review.
Closed · True Positive    A human closed the alert as malicious or security-relevant.
Closed · False Positive   The alert was not a valid finding.
Closed · Benign           The activity was real but expected, authorized, or otherwise benign.

Response agents cannot close an alert as True Positive. If an agent confirms malicious or security-relevant activity, it escalates the alert so that a human can review it and close it.
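The status and disposition rules above, modelled as an alert lifecycle that enforces who may make which change. This is an added example, not Cotool's code: the Alert class, the ALLOWED_NEXT transition graph (the page lists the statuses but not every permitted move between them), the Actor type and the TransitionError exception are assumptions made to show the rules fitting together. The one rule taken directly from the page is that a response agent is refused a True Positive close and must escalate instead.

```python
"""Illustrative alert lifecycle model (added example, not Cotool's implementation)."""
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, List, Optional


class Status(Enum):
    OPEN = "Open"
    IN_PROGRESS = "In Progress"
    ESCALATED = "Escalated"
    CLOSED = "Closed"


class Disposition(Enum):
    TRUE_POSITIVE = "True Positive"
    FALSE_POSITIVE = "False Positive"
    BENIGN = "Benign"


class Actor(Enum):
    HUMAN = "human"
    RESPONSE_AGENT = "response agent"


class TransitionError(Exception):
    """A status change that the workflow or the acting party is not allowed to make."""


# Assumed transition graph: the page names the statuses, not every allowed move.
ALLOWED_NEXT = {
    Status.OPEN: {Status.IN_PROGRESS, Status.CLOSED},
    Status.IN_PROGRESS: {Status.ESCALATED, Status.CLOSED},
    Status.ESCALATED: {Status.CLOSED},
    Status.CLOSED: set(),
}


@dataclass
class Alert:
    id: str                               # readable COT-### identifier
    title: str
    severity: str                         # Low, Medium, High, or Critical
    source: str                           # Cotool Detection or the trigger source
    status: Status = Status.OPEN
    disposition: Optional[Disposition] = None
    assignee: Optional[str] = None        # response agent currently triaging
    activity: List[tuple] = field(default_factory=list)

    def assign(self, agent: str) -> None:
        """Only open, unassigned alerts can be routed to a response agent."""
        if self.status is not Status.OPEN or self.assignee is not None:
            raise TransitionError(f"{self.id}: only open, unassigned alerts can be assigned")
        self.assignee = agent
        self.activity.append(("assignment", agent))

    def _check(self, actor: Actor, new_status: Status, disposition: Optional[Disposition]) -> None:
        if new_status not in ALLOWED_NEXT[self.status]:
            raise TransitionError(f"{self.id}: {self.status.value} -> {new_status.value} not allowed")
        if new_status is Status.CLOSED:
            if disposition is None:
                raise TransitionError(f"{self.id}: closing requires a disposition")
            # Rule from the page: agents cannot close as True Positive; they escalate instead.
            if actor is Actor.RESPONSE_AGENT and disposition is Disposition.TRUE_POSITIVE:
                raise TransitionError(f"{self.id}: response agents must escalate, not close as True Positive")
        elif disposition is not None:
            raise TransitionError(f"{self.id}: a disposition only applies to Closed")

    def allowed(self, actor: Actor, new_status: Status, disposition: Optional[Disposition] = None) -> bool:
        """Dry-run check used by a UI to enable or disable a status button."""
        try:
            self._check(actor, new_status, disposition)
            return True
        except TransitionError:
            return False

    def transition(self, actor: Actor, new_status: Status, disposition: Optional[Disposition] = None) -> None:
        self._check(actor, new_status, disposition)
        self.activity.append(("status", actor.value, self.status.value, new_status.value))
        self.status, self.disposition = new_status, disposition

    def display_status(self) -> str:
        """Combined status and disposition, as shown in the alert list."""
        if self.status is Status.CLOSED and self.disposition is not None:
            return f"Closed · {self.disposition.value}"
        return self.status.value


def agent_confirms_malicious(alert: Alert) -> str:
    """What an agent's triage run does when it confirms malicious activity: escalate, then stop."""
    if alert.allowed(Actor.RESPONSE_AGENT, Status.CLOSED, Disposition.TRUE_POSITIVE):
        alert.transition(Actor.RESPONSE_AGENT, Status.CLOSED, Disposition.TRUE_POSITIVE)
    else:
        alert.transition(Actor.RESPONSE_AGENT, Status.ESCALATED)
    return alert.display_status()


def bulk_update(alerts: List[Alert], actor: Actor, new_status: Status,
                disposition: Optional[Disposition] = None) -> Dict[str, str]:
    """Bulk status change from the Alerts page: apply per alert, collect failures by ID."""
    failures: Dict[str, str] = {}
    for alert in alerts:
        try:
            alert.transition(actor, new_status, disposition)
        except TransitionError as exc:
            failures[alert.id] = str(exc)
    return failures
```

The dry-run `allowed` check and the real `transition` share one `_check`, so the list view and the write path cannot drift apart on what an agent may do. The activity list records every assignment and status change, which is the audit trail the Activity field on the alert shows.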

The Alerts page

Go to Triage > Alerts to review active security work. You can:
  • Search across alert titles, descriptions, detection names, and origin references
  • Filter by status, severity, source, and detection
  • Open an alert detail page from the list
  • Select multiple alerts and bulk update status
  • Assign one or more open, unassigned alerts to a response agent
When your organization has no default response agent for detection-created alerts, the Alerts page shows a routing call to action. Detection alerts are still created, but they wait for manual assignment until routing is configured.

Work an alert

Triage, comment, edit, assign, and close alerts.

Alert routing

Configure how detections and triggers reach response agents.