← Home

Analyst Field Guide · IT Help Desk & Security

Trouble-
shooting

A disciplined loop for working any incident from symptom to fix — without breaking more than you mend, and knowing when to hand it to security. Companion to the RCA Field Guide: troubleshooting restores service; RCA stops it recurring.

Goal restore service safely Discipline one change · reversible Know when to escalate

Troubleshooting is a loop, not a guess. Define what's broken, gather evidence, isolate the cause, plan a reversible fix, change one thing and verify, then close it out. The discipline matters more than the cleverness: a methodical analyst who changes one thing at a time and can always undo it beats a fast one who can't say what they changed.

01

The Loop

Six steps. Steps 1–3 are diagnosis; 4–6 are remediation and closure. If a fix doesn't work, you don't push forward — you revert and loop back to the evidence.

Define Gather Isolatecause Plan Change& verify Close didn't work? revert the change, loop back to the evidence
Diagnose 1–3 · remediate 4–5 · close 6. Never stack a second fix on an unreverted first.
02

Four Standing Rules

These govern how you execute every step, especially the change itself.

  1. One change at a time. Multiple simultaneous changes make the result unattributable and the rollback messy.
  2. Least-impact change first — when several causes are plausible, try the least disruptive. Exception: in an active security incident, containment speed can outrank user impact (isolating a compromised host now beats a tidy low-impact change later).
  3. Don't open a security hole. No disabling AV/EDR, opening firewall rules, sharing credentials, or granting standing admin as a "workaround." A fix that widens the attack surface is a new incident.
  4. Always have a back-out. Before you touch anything, know how to revert it and record the prior state. This is the rule that makes every other step safe to attempt.
03

Triage First

Before you dive in, set priority = impact × urgency. It decides how far down the loop you go and how fast — and whether it jumps the queue.

Plan a fixhigh impact · not urgent Drop everythinghigh impact · urgent Schedule / deferlow impact · not urgent Quick fixlow impact · urgent IMPACT high low URGENCY → low high
Severity drives depth. A red-quadrant outage gets the full loop now; a quick fix may skip the deep dive — but still gets a back-out.
04

Step 1 · Define

Security overlay

Classify the report — confirmed / suspected / theoretical. Don't escalate "possible phishing" as "confirmed breach." Note whether evidence is observed in this environment vs. general threat intel.

05

Step 2 · Gather

Security overlay · preserve before you probe

Logging in, rebooting, or re-imaging alters state. If compromise is possible, capture volatile and forensic evidence before remediation, and record exactly what you ran and when. A help-desk cleanup can destroy the evidence an investigation needs.

06

Step 3 · Isolate the Cause

Don't fix the symptom. Break the path into components and test one at a time until the fault localizes.

Client Network Server Application Auth / Data test each segment in turn — or half-split: test the midpoint, then keep bisecting the half that still fails
Localize the fault to one segment before changing anything. The half-split (binary search) finds it fastest on a long chain.
Security overlay

The symptom (alert) is not the access path. Reconstruct the timeline of events; don't close on the symptom while the way in stays open.

When to go deeper

For recurring or high-impact problems, isolating the immediate cause isn't enough — run a full Root Cause Analysis (see the RCA Field Guide) to find and close the systemic cause so it doesn't come back.

When it won't reproduce

The loop assumes you can trigger the fault on demand; intermittent faults break that. Don't try to catch it live — capture state for the next occurrence: raise logging verbosity, add instrumentation, or leave a capture or monitor running so the evidence is waiting when it recurs (see the Logging & Evidence and Packet Capture guides). Then work it statistically: record every occurrence with its context — time, load, host, user, recent changes — and hunt for what differs between the failing and the working cases (the KT IS / IS-NOT and change-analysis methods in the RCA Methods Handbook are built for exactly this). Intermittent is not random; something varies. And resist "fixing" on a guess you can't test — with no reproduction you cannot confirm the change worked, so label it unverified and keep watching (§08) rather than declaring it closed.

07

Step 4 · Plan

Security overlay

State the threat you're addressing. Contain → eradicate → recover are different goals — sequence them; don't recover onto a host you haven't eradicated.

08

Step 5 · Change & Verify

Security overlay

Verify the adversary's access is actually closed, not just the alert silenced. Watch for re-infection or re-entry after remediation.

09

Step 6 · Close

Security closure rule

Never close as "secure" or "clean." State what was checked, what was remediated, and what residual or out-of-scope risk remains. "EDR alert resolved, host re-imaged, credential reset" — not "the host is now safe."

10

Escalate / Hand Off

Knowing when to stop is part of the method. Hand off cleanly rather than burning time you should have escalated.

STOP · escalate to securitypreserve evidence · don't go solo During anystep Securityred flag? Fixed inyour scope? Close (Step 6) Hand off YES NO YES NO
Security red flags always win — they jump straight to escalation before any further "fixing."

Stop and escalate to security immediately on any of

On a suspected incident

Don't go solo. Notify per your IR plan, preserve state (Rule 4 + the Step 2 overlay), and stop "fixing" until security scopes it — a help-desk cleanup can destroy the evidence the investigation needs.

11

Technique Quick-Picks

For recurring or high-impact problems, graduate from troubleshooting to a structured Root Cause Analysis — the RCA Field Guide and Methods Handbook cover the techniques in depth.

12

Evidence Tiers

Tag every claim in a ticket, escalation, or incident note by how well you actually know it.

A labeled "suspected" beats a confidently wrong "confirmed." Don't carry a vendor's general advisory into your report as if you observed it locally.

13

Anti-Patterns

14

Quick-Reference Card

Troubleshooting in one screen

The loop

Define → Gather (basic checks first) → Isolate cause → Plan (with back-out) → Change one thing & verify → Close. Didn't work? Revert, loop back.


Four rules

One change at a time · least-impact first (containment beats tidiness in an incident) · don't open a security hole · always have a back-out.


Escalate to security NOW on

Ransomware · credential theft · rogue admin accounts · EDR alert · exfil / lateral movement · tampered logs. → Stop, preserve, notify per IR plan, don't go solo.


Security non-negotiables

Preserve before you probe · symptom ≠ access path · contain → eradicate → recover · never close as "secure" — state residual risk.

Synthesized from the source troubleshooting notes (Cisco 8-step; Polya, How to Solve It; AllSkilled; ASQ; OnRamp; Cuesta College) and standard IT/security practice. Examples are illustrative. Security red-flag triggers are a general starting set — tune them to what your stack actually detects. Companion to the RCA Field Guide and Methods Handbook, First Principles (when to stop pattern-matching and reason from the ground up), and Critical Thinking (weighing evidence and avoiding premature closure).