The workflow tool receives a phishing alert from a detection system. It then retrieves additional context data on related URLs, attachments, emails, and keywords. The workflow tool then opens a ticket, assigns it to an analyst based on preset rules, and includes the enriched alert data to assist the manual investigation. The analyst reviews the evidence and remediates the threat, such as imaging infected laptops, blocking senders, and deleting emails.