# Alerts

> Track security work from detection through triage and disposition

Alerts are first-class security work items in Cotool. They give analysts one place to see what needs attention, what produced it, who or what is working it, and how it was resolved.

## What creates alerts

Cotool creates alerts from two source types:

<CardGroup cols={2}>
  <Card title="Cotool detections" icon="magnifying-glass">
    Verified detection hits create alerts with the detection name, severity,
    evidence, and source payload.
  </Card>

  <Card title="Response-agent triggers" icon="bolt">
    Jira, Linear, email, webhook, Bugcrowd, Slack, and scheduled triggers
    can create alerts when **Create alert on trigger** is enabled.
  </Card>
</CardGroup>

<Note>
  Manual alert creation and human assignees are not part of the current alert
  workflow. Alerts are generated by configured sources and can be assigned to
  response agents for triage.
</Note>

## Alert fields

Each alert has:

* **ID**: a readable `COT-###` identifier
* **Title and description**: editable summary fields for the analyst-facing story
* **Status**: the alert lifecycle and final disposition
* **Severity**: `Low`, `Medium`, `High`, or `Critical`
* **Source**: Cotool Detection or the trigger source that created the alert
* **Detection**: the Cotool detection or extracted external detection name, when known
* **Assignee**: the response agent currently triaging the alert
* **Activity**: comments, status changes, assignment changes, triage runs, and source events
* **Payload**: the original detection-hit or trigger payload, when available

## Statuses and dispositions

Alert status combines workflow state and final disposition:

| Status                      | Meaning                                                              |
| --------------------------- | -------------------------------------------------------------------- |
| **Open**                    | The alert exists and is not actively being triaged.                  |
| **In Progress**             | A response agent or user has started triage.                         |
| **Escalated**               | Triage found something that needs closer review by a human.          |
| **Closed · True Positive**  | A human closed the alert as malicious or security-relevant.          |
| **Closed · False Positive** | The alert was not a valid finding.                                   |
| **Closed · Benign**         | The activity was real but expected, authorized, or otherwise benign. |

Response agents cannot close an alert as **True Positive**. If an agent confirms malicious or security-relevant activity, it escalates the alert for a human to close.

## The Alerts page

Go to **Triage > Alerts** to review active security work.

You can:

* Search across alert titles, descriptions, detection names, and origin references
* Filter by status, severity, source, and detection
* Open an alert detail page from the list
* Select multiple alerts and bulk update status
* Assign one or more open, unassigned alerts to a response agent

When your organization has no default response agent for detection-created alerts, the Alerts page shows a call to action (CTA) to configure routing. Detection alerts are still created, but they remain unassigned and wait for manual assignment until routing is configured.

## Related pages

<CardGroup cols={2}>
  <Card title="Work an alert" href="/alerts/working-alerts" icon="list-check">
    Triage, comment, edit, assign, and close alerts.
  </Card>

  <Card title="Alert routing" href="/alerts/routing" icon="route">
    Configure how detections and triggers reach response agents.
  </Card>
</CardGroup>
