Modern incident response for cloud environments and EDR-instrumented estates — evidence from telemetry, not disk images.
The attack surface has moved. Most incidents today play out across cloud control planes, identity providers, SaaS platforms, and EDR-instrumented endpoints — not bare metal. We investigate where attackers actually operate: in your logs, your telemetry, your identity stack, and your cloud environment.
Investigations begin with rapid scoping using EDR telemetry and SIEM data to establish the incident timeline, identify affected systems and accounts, and prioritise containment actions. Modern EDR platforms — CrowdStrike, Microsoft Defender, SentinelOne — provide process trees, network connections, file events, and registry activity at sufficient depth to reconstruct most attacks without any host-based collection.
Cloud environment investigation spans the full Microsoft, AWS, and GCP stack: Unified Audit Log and Entra ID sign-in logs for Microsoft 365 compromises, CloudTrail and GuardDuty telemetry for AWS, identity forensics across OAuth tokens and service principals, and storage access reconstruction to determine what data was actually reached.
Identity is the new perimeter, and most modern intrusions involve credential abuse, token theft, or privilege escalation within an identity provider. We investigate Entra ID and Active Directory environments to trace lateral movement through identity — mapping OAuth consent grants, conditional access bypasses, persistent access mechanisms, and exfiltration pathways that leave no endpoint artefact at all.
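As an added illustration of the kind of identity-centric triage described above (this is example code written for this page, not the firm's tooling), the script below walks a few Microsoft 365 Unified Audit Log records, builds a timeline, pulls out OAuth consent grants with the scopes they granted, and lists the follow-on activity that shows whether the consented application was actually used. Field names follow the Office 365 Management Activity API common schema (CreationTime, Operation, Workload, UserId, ClientIP, ObjectId, ModifiedProperties); the records, user, application name and IP addresses are constructed, and the ModifiedProperties layout is simplified from the real export.

```python
"""Triage constructed Unified Audit Log records for OAuth consent grants.

Example code added for this page; not the original article's or any vendor's code.
Assumptions: records use the Office 365 Management Activity API common schema,
and the "ConsentAction.Permissions" entry carries granted scopes in NewValue
(simplified here from the real export).
"""
import json
import re
from datetime import datetime, timezone

# Constructed sample records for one placeholder account (not real data).
SAMPLE_UAL = json.dumps([
    {"CreationTime": "2024-05-02T08:14:09", "Operation": "UserLoggedIn",
     "Workload": "AzureActiveDirectory", "UserId": "alice@example.com",
     "ClientIP": "198.51.100.23", "ObjectId": "Unknown"},
    {"CreationTime": "2024-05-02T08:15:41", "Operation": "Consent to application.",
     "Workload": "AzureActiveDirectory", "UserId": "alice@example.com",
     "ClientIP": "198.51.100.23", "ObjectId": "Mail Sync Helper",
     "ModifiedProperties": [{"Name": "ConsentAction.Permissions",
                             "NewValue": "[] => [[Scope: Mail.ReadWrite offline_access User.Read]]"}]},
    {"CreationTime": "2024-05-02T08:16:02", "Operation": "Add OAuth2PermissionGrant.",
     "Workload": "AzureActiveDirectory", "UserId": "alice@example.com",
     "ClientIP": "198.51.100.23", "ObjectId": "Mail Sync Helper"},
    {"CreationTime": "2024-05-02T09:40:17", "Operation": "MailItemsAccessed",
     "Workload": "Exchange", "UserId": "alice@example.com",
     "ClientIP": "203.0.113.77", "ObjectId": "alice@example.com"},
])

# Delegated permissions that give a third-party app durable mailbox/file access.
RISKY_SCOPES = {"Mail.Read", "Mail.ReadWrite", "Files.ReadWrite.All", "offline_access"}


def parse_records(text):
    """Load UAL JSON and attach a UTC datetime; UAL CreationTime is UTC without offset."""
    records = json.loads(text)
    for r in records:
        r["_ts"] = datetime.fromisoformat(r["CreationTime"]).replace(tzinfo=timezone.utc)
    return sorted(records, key=lambda r: r["_ts"])


def build_timeline(records):
    """Flat (time, user, operation, source IP) tuples, oldest first."""
    return [(r["_ts"].isoformat(), r["UserId"], r["Operation"], r.get("ClientIP", ""))
            for r in records]


def consent_scopes(record):
    """Extract the granted scopes from the ConsentAction.Permissions property."""
    for prop in record.get("ModifiedProperties", []):
        if prop.get("Name") == "ConsentAction.Permissions":
            m = re.search(r"Scope:\s*([^\]]+)", prop.get("NewValue", ""))
            if m:
                return set(m.group(1).split())
    return set()


def find_consent_grants(records):
    """Every 'Consent to application.' event, with its scopes and the risky subset."""
    grants = []
    for r in records:
        if r["Operation"] == "Consent to application.":
            scopes = consent_scopes(r)
            grants.append({"time": r["_ts"].isoformat(), "user": r["UserId"],
                           "app": r["ObjectId"], "client_ip": r.get("ClientIP", ""),
                           "scopes": scopes, "risky_scopes": scopes & RISKY_SCOPES})
    return grants


def follow_on_activity(records, grant):
    """Operations for the same user after the grant, outside the identity workload.

    Data-access events (e.g. Exchange MailItemsAccessed) are what show whether the
    consented app's access was exercised; no endpoint artefact is involved.
    """
    t0 = datetime.fromisoformat(grant["time"])
    return [r["Operation"] for r in records
            if r["UserId"] == grant["user"] and r["_ts"] > t0
            and r["Workload"] != "AzureActiveDirectory"]


if __name__ == "__main__":
    recs = parse_records(SAMPLE_UAL)
    for entry in build_timeline(recs):
        print(" | ".join(entry))
    for g in find_consent_grants(recs):
        print(f"\nConsent grant: {g['user']} -> {g['app']} from {g['client_ip']}")
        print(f"  scopes: {sorted(g['scopes'])}  risky: {sorted(g['risky_scopes'])}")
        print(f"  follow-on activity: {follow_on_activity(recs, g)}")
```

Real investigations pull these records with Search-UnifiedAuditLog or the Management Activity API and join the grant's ClientIP against Entra ID sign-in logs; the structure stays the same: order the events, isolate the consent, then look for the data-access events that prove impact.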
Every engagement closes with structured deliverables: a complete incident timeline, attacker TTP documentation mapped to MITRE ATT&CK, root cause analysis, and prioritised remediation guidance written for both your technical team and executive leadership.
Post-incident, we work with your team on detection uplift — converting investigation findings directly into new detections, coverage gap analysis, and hardening recommendations so the same attack path cannot be repeated.
Over many years of combined IR experience we have been engaged in many high-profile breaches, responding to APT and e-crime actors and building and delivering services for the top names in the industry. Our team has worked directly for leading EDR vendors and MSSPs — positions that expose responders to the most complex, high-stakes cases in the field at a volume and variety no single organisation's internal team ever sees. That depth of exposure is what we bring to every engagement.
Dealing with an active incident or building out your response capability? Let's discuss how cloud-native, telemetry-driven DFIR can give you clarity faster.