How we hardened a defense-adjacent organization after an active breach.
An anonymized account of a multi-week recovery engagement. Active incident response, embedded recovery team, audit-ready post-incident hardening — delivered while the organization continued operating.
The situation
A defense-adjacent organization with a small internal IT team discovered indicators of compromise across multiple endpoints over a single weekend. By Monday morning, the scope had expanded: lateral movement was confirmed, persistence mechanisms were active, and at least one privileged credential had been used outside business hours from an unexpected location.
The internal team had skill but not bandwidth. The threat actor was still operational. Regulatory reporting clocks were already running. The CISO needed an outside team that could move at the speed of the active threat — without disrupting mission-critical operations that could not pause.
What we did
Hour 1 to day 3 — Containment
Our IR lead was on a call within 90 minutes of first contact. By end of day one we had embedded a forensic analyst, a senior investigator, and a remediation engineer alongside the client’s team. Priorities in that first 72 hours:
- Isolated affected segments without taking mission-critical systems offline
- Captured volatile evidence (memory, network, endpoint artifacts) under defensible chain of custody
- Rotated and re-issued privileged credentials in a controlled, auditable sequence
- Established a single coordinated communication channel with the client’s leadership and legal team
Week 1 to week 3 — Investigation & eradication
Forensics confirmed the initial vector, mapped the actor’s full path through the environment, and identified every persistence mechanism. We worked in parallel with the client’s SOC, sharing IOCs and timeline data as they emerged.
Eradication was staged and reversible at each step. Nothing was changed on production systems without a clear rollback path and sign-off from both sides.
Week 4 to week 8 — Hardening & handover
Once the environment was clean, we shifted to making it harder to compromise again. This phase covered architecture review, identity tiering, network segmentation, logging and detection coverage, and tabletop validation against the original attack chain.
Final deliverables: an executive readout, a regulator-ready incident package, and a prioritized 12-month hardening backlog with owners assigned to the client’s internal team.
Outcomes
The regulator review that followed concluded without enforcement action. The client’s internal team continues to work through the hardening backlog with quarterly check-ins from our side.
Why this is repeatable
This is not the only engagement of this shape we have run. The pattern — rapid embed, defensible eradication, staged hardening, regulator-ready handover — is the same playbook we use across financial services, defense, and regulated industries. The people change. The methodology does not.
What we do not do: theatrical incident response. No war rooms with twelve junior analysts looking at dashboards. The team is small, named, and senior. Each member owns a domain. Decisions are made on the call, not escalated up three management layers.
Need this kind of team on call?
Most clients engage us for an IR retainer before they need it — so when the call comes, we already know your environment. A 30-minute conversation is enough to scope what that looks like for you.