A security incident manger includes events and network flows in the analysis of an attack to better identify the magnitude of the attack and how to handle the situation. The raw events are reported by monitored devices and the incident manager may request network flows from various devices corresponding to a raw event. The manager then assigns a variable score to the severity, the relevance and the credibility of the event to determine its next processing steps. Those events that appear to be a likely and effective attack are classified as offenses. Offenses are stored in order to provide additional data for evaluating future events and for building a “rap sheet” against repeat attackers and repeat events.