Analyst Quickstart Guides

Step-by-step checklists for the first 15 minutes, first hour, and first 4 hours of an incident. Track your progress and never miss a critical step.

Ransomware

Time-boxed response path for ransomware incidents covering initial triage through eradication. Prioritises containment to stop encryption spread, evidence preservation for decryption feasibility, and backup validation for recovery.

13 steps | 8 critical | ~170 min

Phishing

Time-boxed response path for phishing incidents from initial email analysis through credential remediation. Focuses on rapid IOC extraction, recipient-scope determination, email quarantine, and post-compromise activity analysis across M365 and Azure AD.

12 steps | 6 critical | ~160 min

Business Email Compromise

Time-boxed response path for business email compromise incidents. Prioritises halting fraudulent financial transactions, revoking cloud sessions, identifying impersonation tactics, and preserving email evidence chains for potential law-enforcement referral.

12 steps | 6 critical | ~150 min

Data Exfiltration

Time-boxed response path for data exfiltration incidents. Focuses on confirming active exfiltration, blocking outbound channels, preserving network and host evidence, and determining the scope of data loss for regulatory notification and business impact assessment.

12 steps | 6 critical | ~170 min

Insider Threat

Time-boxed response path for insider threat investigations. Emphasises covert evidence collection, HR and legal coordination, and maintaining operational secrecy to prevent evidence destruction while building a defensible case for personnel action or law-enforcement referral.

11 steps | 6 critical | ~170 min

Cloud & Identity Compromise

Time-boxed response path for cloud identity compromise incidents targeting Azure AD, M365, and associated cloud services. Prioritises immediate session revocation, MFA enforcement, tenant-configuration review, and OAuth app auditing to eliminate attacker persistence in the cloud identity plane.

12 steps | 6 critical | ~160 min

Web Application Compromise

Time-boxed response path for web application compromise incidents. Covers initial access vector validation, server isolation, evidence preservation, web-shell hunting, and vulnerability remediation to restore the application to a known-good state.

12 steps | 7 critical | ~170 min

Credential Theft

Time-boxed response path for credential theft incidents including credential dumping, pass-the-hash, Kerberoasting, and credential harvesting attacks. Focuses on rapid account lockdown, volatile-evidence capture, credential-dumping technique analysis, and comprehensive credential reset across the environment.

11 steps | 6 critical | ~160 min

Supply Chain Attack

Time-boxed response path for a compromised software vendor or third-party library. Moves from vendor-advisory ingestion through blast-radius estimation, package rollback, and malicious-payload analysis. Emphasizes separating "package present" from "payload executed" from "attacker infrastructure contacted".

10 steps | 8 critical | ~315 min

APT / Nation-State Intrusion

Time-boxed response path for a suspected advanced persistent threat. APT incidents reward patience and thoroughness over speed: the fastest short-term containment is often the cause of failed long-term eradication. This path emphasizes TTP characterization, dwell-time hunting, and assume-breach recovery.

10 steps | 7 critical | ~315 min

Crypto Mining

Time-boxed response path for unauthorized cryptocurrency mining. Treats the miner as a foothold signal, not a resource-theft event. Focuses on identifying miner family, closing the entry vector, and confirming whether secondary attacker tooling is also present.

10 steps | 8 critical | ~315 min

DDoS Attack

Time-boxed response path for an active denial-of-service attack. DDoS is a speed-plus-volume problem; mitigation latency kills more than attack magnitude. This path emphasizes rapid characterization, scrubbing activation, and parallel hunting for secondary intrusion that may be hidden behind the flood.

10 steps | 6 critical | ~315 min