Analyst Quickstart Guides
Step-by-step checklists for the first 15 minutes, first hour, and first 4 hours of an incident. Track your progress and never miss a critical step.
Ransomware
Time-boxed response path for ransomware incidents covering initial triage through eradication. Prioritises containment to stop encryption spread, evidence preservation for decryption feasibility, and backup validation for recovery.
Phishing
Time-boxed response path for phishing incidents from initial email analysis through credential remediation. Focuses on rapid IOC extraction, recipient-scope determination, email quarantine, and post-compromise activity analysis across M365 and Azure AD.
Business Email Compromise
Time-boxed response path for business email compromise incidents. Prioritises halting fraudulent financial transactions, revoking cloud sessions, identifying impersonation tactics, and preserving email evidence chains for potential law-enforcement referral.
Data Exfiltration
Time-boxed response path for data exfiltration incidents. Focuses on confirming active exfiltration, blocking outbound channels, preserving network and host evidence, and determining the scope of data loss for regulatory notification and business impact assessment.
Insider Threat
Time-boxed response path for insider threat investigations. Emphasises covert evidence collection, HR and legal coordination, and maintaining operational secrecy to prevent evidence destruction while building a defensible case for personnel action or law-enforcement referral.
Cloud & Identity Compromise
Time-boxed response path for cloud identity compromise incidents targeting Azure AD, M365, and associated cloud services. Prioritises immediate session revocation, MFA enforcement, tenant-configuration review, and OAuth app auditing to eliminate attacker persistence in the cloud identity plane.
Web Application Compromise
Time-boxed response path for web application compromise incidents. Covers initial access vector validation, server isolation, evidence preservation, web-shell hunting, and vulnerability remediation to restore the application to a known-good state.
Credential Theft
Time-boxed response path for credential theft incidents, including credential dumping, pass-the-hash, Kerberoasting, and credential harvesting attacks. Focuses on rapid account lockdown, volatile-evidence capture, credential-dumping technique analysis, and comprehensive credential reset across the environment.