Escalation Policies
Multi-step notification chains with delay and severity routing
What Escalation Policies Are
By default, Flowtriq sends incident notifications to all active channels immediately when an attack is detected. Escalation policies let you override this behavior with a structured chain of steps: notify specific channels at specific times, only for specific severity levels.
This is how you implement workflows like "Slack the NOC immediately, page the on-call engineer after 5 minutes if the attack is still active, and email the VP of Engineering after 15 minutes for critical incidents."
Creating an Escalation Policy
Go to Dashboard → Settings → Escalation Policies and click Create Policy. Each workspace has one default policy. The default policy applies to all incidents unless overridden by a runbook.
Policy Structure
A policy is a JSON array of steps. Each step has three properties:
| Property | Type | Description |
|---|---|---|
| delay_minutes int | Required | Minutes after incident detection before this step fires. Use 0 for immediate. |
| severity_min string | Optional | Minimum severity for this step to fire. One of: low, medium, high, critical. Default: low (all severities). |
| channels array | Required | Array of channel types to notify at this step. Values: discord, slack, pagerduty, opsgenie, telegram, email, sms, webhook, teams. |
Example Policy JSON
How Steps Execute
When an incident fires, the dispatch engine loads the default escalation policy and walks the steps in order. For each step:
- Check if the incident's age (in minutes since detection) is greater than or equal to
delay_minutes - Check if the incident's severity meets or exceeds
severity_min - If both conditions pass, send notifications to all active channels matching the types listed in
channels
Steps are re-evaluated on every incident update (every 5 seconds during an active attack). A step only fires once per incident per channel thanks to built-in deduplication.
Severity Ordering
Severity levels are ordered: low < medium < high < critical. A step with severity_min: "medium" fires for medium, high, and critical incidents but not for low.
Examples
Page NOC on Critical Only, Slack for Everything
Result: Slack gets every incident immediately. PagerDuty only fires for critical incidents.
Gradual Escalation with Delays
Result: Discord fires immediately for everything. After 3 minutes, Slack and Telegram fire for medium+. After 10 minutes, PagerDuty and SMS fire for high+. After 30 minutes, email fires for critical only.
Webhook-Only (External SOAR Integration)
Result: All incidents are sent to your webhook endpoint immediately, with no human-facing notifications. Use this when your SOAR platform (Splunk SOAR, Cortex XSOAR, Tines) handles all alerting internally.
Without an Escalation Policy
If no escalation policy is configured (the default for new workspaces), all active channels receive notifications for all incidents immediately. This is equivalent to a single step:
Interaction with Runbooks
Runbooks execute independently from escalation policies. A runbook can send its own notifications to specific channels as part of its action steps, regardless of what the escalation policy does. This means you can have an escalation policy that pages PagerDuty after 5 minutes AND a runbook that sends a Slack message immediately with auto-mitigation details.
Maintenance Window Suppression
During a scheduled maintenance window, notification dispatch is suppressed for all channels. Escalation policy steps that would have fired during the window are silently skipped. Incidents are still created and visible in the dashboard for post-maintenance review.