A disciplined loop for working any incident from symptom to fix — without breaking more than you mend, and knowing when to hand it to security. Companion to the RCA Field Guide: troubleshooting restores service; RCA stops it recurring.
Goal restore service safelyDiscipline one change · reversibleKnow when to escalate
Troubleshooting is a loop, not a guess. Define what's broken, gather evidence, isolate the cause, plan a reversible fix, change one thing and verify, then close it out. The discipline matters more than the cleverness: a methodical analyst who changes one thing at a time and can always undo it beats a fast one who can't say what they changed.
01
The Loop
Six steps. Steps 1–3 are diagnosis; 4–6 are remediation and closure. If a fix doesn't work, you don't push forward — you revert and loop back to the evidence.
Diagnose 1–3 · remediate 4–5 · close 6. Never stack a second fix on an unreverted first.02
Four Standing Rules
These govern how you execute every step, especially the change itself.
One change at a time. Multiple simultaneous changes make the result unattributable and the rollback messy.
Least-impact change first — when several causes are plausible, try the least disruptive. Exception: in an active security incident, containment speed can outrank user impact (isolating a compromised host now beats a tidy low-impact change later).
Don't open a security hole. No disabling AV/EDR, opening firewall rules, sharing credentials, or granting standing admin as a "workaround." A fix that widens the attack surface is a new incident.
Always have a back-out. Before you touch anything, know how to revert it and record the prior state. This is the rule that makes every other step safe to attempt.
03
Triage First
Before you dive in, set priority = impact × urgency. It decides how far down the loop you go and how fast — and whether it jumps the queue.
Severity drives depth. A red-quadrant outage gets the full loop now; a quick fix may skip the deep dive — but still gets a back-out.04
Step 1 · Define
One sentence: what's broken, what should happen instead, who/what is affected, and the scope.
Separate fact from assumption. Don't start fixing without data.
Capture the error text verbatim, when it started, and what changed recently.
Security overlay
Classify the report — confirmed / suspected / theoretical. Don't escalate "possible phishing" as "confirmed breach." Note whether evidence is observed in this environment vs. general threat intel.
05
Step 2 · Gather
Basic checks first. Connectivity, power, cabling, account/license status, service running, recent patch or config change. Trivial causes are common — rule them out before the deep dive.
Reproduce the error if it's safe to do so; pull the relevant logs and metrics.
Consult the people involved; check the internal KB, vendor docs, and known-issue trackers.
Security overlay · preserve before you probe
Logging in, rebooting, or re-imaging alters state. If compromise is possible, capture volatile and forensic evidence before remediation, and record exactly what you ran and when. A help-desk cleanup can destroy the evidence an investigation needs.
06
Step 3 · Isolate the Cause
Don't fix the symptom. Break the path into components and test one at a time until the fault localizes.
Localize the fault to one segment before changing anything. The half-split (binary search) finds it fastest on a long chain.
Prioritize branches by impact and likelihood; don't chase a branch that can't be the cause.
5 Whys — ask "why" down the chain until you reach a cause you can actually fix.
The visible failure (alert, popup, outage) is the symptom; keep going until you reach what produced it.
Security overlay
The symptom (alert) is not the access path. Reconstruct the timeline of events; don't close on the symptom while the way in stays open.
When to go deeper
For recurring or high-impact problems, isolating the immediate cause isn't enough — run a full Root Cause Analysis (see the RCA Field Guide) to find and close the systemic cause so it doesn't come back.
When it won't reproduce
The loop assumes you can trigger the fault on demand; intermittent faults break that. Don't try to catch it live — capture state for the next occurrence: raise logging verbosity, add instrumentation, or leave a capture or monitor running so the evidence is waiting when it recurs (see the Logging & Evidence and Packet Capture guides). Then work it statistically: record every occurrence with its context — time, load, host, user, recent changes — and hunt for what differs between the failing and the working cases (the KT IS / IS-NOT and change-analysis methods in the RCA Methods Handbook are built for exactly this). Intermittent is not random; something varies. And resist "fixing" on a guess you can't test — with no reproduction you cannot confirm the change worked, so label it unverified and keep watching (§08) rather than declaring it closed.
07
Step 4 · Plan
List a few options before judging any; don't grab the first workable one.
Pick against: solves it without new problems, acceptable to users, feasible, acceptable risk.
Decide quick-fix vs. durable fix deliberately — note if a quick fix will force later rework.
Confirm the back-out path exists (Rule 4).
Security overlay
State the threat you're addressing. Contain → eradicate → recover are different goals — sequence them; don't recover onto a host you haven't eradicated.
08
Step 5 · Change & Verify
Make the single planned change.
Test against the expected result; use built-in diagnostics and reproduce the original failure to confirm it's gone.
If it didn't work, revert it and return to the loop — don't layer on a second change.
Security overlay
Verify the adversary's access is actually closed, not just the alert silenced. Watch for re-infection or re-entry after remediation.
09
Step 6 · Close
Document in the ticket: symptom, cause, the exact change, outcome, and time. This is your future search hit and your pattern source.
Prevent recurrence: address the cause, not just this instance — patch/firmware, config standard, monitoring, backups.
Security closure rule
Never close as "secure" or "clean." State what was checked, what was remediated, and what residual or out-of-scope risk remains. "EDR alert resolved, host re-imaged, credential reset" — not "the host is now safe."
10
Escalate / Hand Off
Knowing when to stop is part of the method. Hand off cleanly rather than burning time you should have escalated.
Security red flags always win — they jump straight to escalation before any further "fixing."
Stop and escalate to security immediately on any of
Ransomware / file encryption / a ransom note.
Credential theft or unexpected MFA prompts.
New or unknown admin accounts or privilege changes.
EDR/AV alert on active malware.
Signs of data exfiltration or lateral movement.
Cleared or tampered logs.
On a suspected incident
Don't go solo. Notify per your IR plan, preserve state (Rule 4 + the Step 2 overlay), and stop "fixing" until security scopes it — a help-desk cleanup can destroy the evidence the investigation needs.
Divide & conquer — isolate which component in a path is at fault.
Half-split (binary search) — on a long chain, test the midpoint and keep bisecting the failing half. Fastest localization.
5 Whys — drill a single cause chain to something you can fix. Weak when causes interact.
Work backwards — start from the failed end state and trace to the trigger; ideal for "it worked yesterday."
Fishbone — when the cause is unclear and you need to enumerate candidates across categories before narrowing.
For recurring or high-impact problems, graduate from troubleshooting to a structured Root Cause Analysis — the RCA Field Guide and Methods Handbook cover the techniques in depth.
12
Evidence Tiers
Tag every claim in a ticket, escalation, or incident note by how well you actually know it.
confirmed directly observed in this environment, with evidence attached.
suspected consistent with the evidence but not proven; state what would confirm it.
theoretical known to be possible; not yet tied to this case.
A labeled "suspected" beats a confidently wrong "confirmed." Don't carry a vendor's general advisory into your report as if you observed it locally.
13
Anti-Patterns
Stacking changes — you can't tell what worked and can't cleanly revert.
Fixing the symptom so it recurs.
No back-out path — a failed change becomes a second incident.
Acting before you have data — solving the wrong problem confidently.
"It worked there, close enough" — context differs; prior fixes don't always transfer.
Triage bias — anchoring on the first theory, optimism, deferring to the senior person's guess.
(Security) Closing on the alert instead of the access path; remediating before preserving evidence.
Not escalating when stuck or out of scope.
14
Quick-Reference Card
Troubleshooting in one screen
The loop
Define → Gather (basic checks first) → Isolate cause → Plan (with back-out) → Change one thing & verify → Close. Didn't work? Revert, loop back.
Four rules
One change at a time · least-impact first (containment beats tidiness in an incident) · don't open a security hole · always have a back-out.
Escalate to security NOW on
Ransomware · credential theft · rogue admin accounts · EDR alert · exfil / lateral movement · tampered logs. → Stop, preserve, notify per IR plan, don't go solo.
Security non-negotiables
Preserve before you probe · symptom ≠ access path · contain → eradicate → recover · never close as "secure" — state residual risk.
Synthesized from the source troubleshooting notes (Cisco 8-step; Polya, How to Solve It; AllSkilled; ASQ; OnRamp; Cuesta College) and standard IT/security practice. Examples are illustrative. Security red-flag triggers are a general starting set — tune them to what your stack actually detects. Companion to the RCA Field Guide and Methods Handbook, First Principles (when to stop pattern-matching and reason from the ground up), and Critical Thinking (weighing evidence and avoiding premature closure).