Advanced Services
Compromise Assessment (DFIR-lite)
A rapid, evidence-driven assessment to determine whether compromise is likely, where it occurred, and what immediate containment actions are recommended—without the overhead of a full incident response engagement.
Overview
What this service is (and when to use it)
Compromise Assessment (DFIR-lite) is designed for organizations that need a fast, structured answer to the question: “Are we compromised?” It focuses on high-signal evidence sources (endpoints, identity, email, and key logs) to identify indicators of compromise, suspicious persistence, and likely intrusion paths.
Common triggers
Suspicious alerts, unusual account activity, ransomware concerns, data exposure indicators, or third-party notifications.
Primary outcomes
Triage findings, likely attack timeline, affected assets/users, and prioritized containment and remediation actions.
What it is not
A full forensic investigation for legal proceedings, or a complete incident response with eradication and rebuild—those can be scoped as a next step if needed.
Best fit environments
Microsoft 365 / Entra ID, Windows endpoints, common EDR/XDR stacks, and organizations with centralized logging (SIEM optional).
What’s Included
High-signal checks that answer “Are we compromised?”
Scope is tailored to your environment and available telemetry. Typical inclusions:
Identity & access triage
Review privileged accounts, risky sign-ins, MFA posture, suspicious OAuth/app consent, and anomalous access patterns.
Endpoint compromise sweep
Targeted endpoint review for persistence, suspicious processes, malware traces, and high-confidence indicators across priority devices.
Email & collaboration review
Mailbox rules, forwarding, suspicious logins, and common BEC patterns; review of key artifacts in M365 where applicable.
Deliverables
Clear outputs you can act on immediately
You receive practical, audit-friendly documentation and a prioritized action plan.
Executive summary
What we found, what it means, and what to do next—written for leadership and stakeholders.
Findings & evidence pack
Indicators of compromise (IOCs), affected accounts/assets, supporting artifacts, and confidence levels.
Containment & remediation plan
Prioritized actions (0–24h, 1–7d, 7–30d) mapped to risk reduction and operational impact.
Optional retest / validation
Follow-up validation to confirm containment actions reduced the identified risk.
Typical timeline
Fast turnaround, with daily touchpoints during the assessment window.
Most engagements complete in 3–10 business days depending on scope, number of endpoints/users, and log availability. We start with a short kickoff to confirm priority assets, access requirements, and communication channels, then proceed with evidence collection and analysis.
