Investigation Playbooks
Select an incident type to view step-by-step response procedures organized by lifecycle stage.
Ransomware
Encryption-based extortion attack targeting files, databases, or entire systems with ransom demands for decryption keys.
Phishing
Social engineering attack delivered via email, SMS, or messaging platforms designed to harvest credentials or deliver malicious payloads.
Data Exfiltration
Unauthorized transfer of sensitive data outside the organization through network channels, cloud services, or removable media.
Insider Threat
Malicious or negligent activity by an authorized user, employee, contractor, or business partner that compromises data or systems.
Web Application Compromise
Exploitation of web application vulnerabilities such as injection flaws, authentication bypasses, or server-side request forgery leading to unauthorized access.
Cloud & Identity Compromise
Unauthorized access to cloud infrastructure or identity provider through stolen tokens, OAuth abuse, or misconfigured access policies.
Business Email Compromise
Targeted attack leveraging compromised or spoofed executive email accounts to authorize fraudulent transactions or redirect sensitive communications.
Credential Theft
Theft of authentication credentials through brute force, credential stuffing, keylogging, LSASS dumping, or password database compromise.
Supply Chain Attack
Compromise of a trusted software vendor, update channel, or third-party library to distribute malicious code to downstream customers through legitimately signed artifacts.
APT / Nation-State Intrusion
Advanced Persistent Threat activity by a sophisticated, well-resourced adversary characterized by long dwell time, custom tooling, stealthy persistence, and focused intelligence or strategic targeting.
Crypto Mining
Unauthorized deployment of cryptocurrency mining software on compromised infrastructure; often a foothold indicator for broader compromise, not just a resource theft issue.
DDoS Attack
Distributed denial-of-service attack targeting application or network availability through volumetric floods, reflection/amplification, or Layer 7 exhaustion patterns.
Zero-Day Exploitation
Active exploitation of a previously undisclosed vulnerability with no public patch or signature, requiring behavioral hunting, vendor coordination, and compensating controls.