Security incident? Call: +48 732 059 711
Post-Breach Analysis

I will admit it, but we have evidence

The breach happened. Now what matters is cause, scope and evidence. Our digital forensics reconstructs what happened — line by line, with NIST methodology and chain of custody that holds up in court.

Who is it for?

  • Companies that just discovered a breach
  • Organisations under regulatory pressure (DPA, central bank, financial regulator)
  • Entities with obligations to report to CSIRT or national security
  • Organisations preparing for lessons learned and remediation
  • Companies needing evidence for legal proceedings or insurance claims
What you get

Outcomes

Evidence acquisition (forensic acquisition)

Memory snapshot (RAM dump), disk images (forensic images), system logs — all data preserved with MD5/SHA1 hashes and acquisition timestamps. Chain of custody from A to Z.
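The hashing and chain-of-custody record described above, as an added example (not the firm's own tooling): each acquired item is hashed with MD5 and SHA-1 as the page lists, plus SHA-256, stamped with a UTC acquisition time, and re-verified on every hand-off so that any later change to the image is detected. The case id, examiner and host names are constructed placeholders.

```python
"""Added example (not the firm's own tooling): a minimal chain-of-custody manifest.

Hashes each acquired item with MD5 and SHA-1 (as the page lists) plus SHA-256,
records a UTC acquisition timestamp, and re-verifies on every hand-off.
Case id, examiner and host names below are constructed placeholders.
"""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

# MD5/SHA1 are what the page names; SHA-256 is added as a collision-resistant companion.
ALGORITHMS = ("md5", "sha1", "sha256")
CHUNK = 1 << 20  # 1 MiB reads so a multi-GB disk image never sits in RAM


def hash_bytes(data: bytes) -> dict:
    """Hash an in-memory buffer with every algorithm in ALGORITHMS."""
    return {alg: hashlib.new(alg, data).hexdigest() for alg in ALGORITHMS}


def hash_file(path: str) -> dict:
    """Stream the file once, feeding all hashers from the same chunk."""
    hashers = {alg: hashlib.new(alg) for alg in ALGORITHMS}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(CHUNK), b""):
            for h in hashers.values():
                h.update(chunk)
    return {alg: h.hexdigest() for alg, h in hashers.items()}


def _now_utc() -> str:
    return datetime.now(timezone.utc).isoformat(timespec="seconds")


def acquire(path: str, case_id: str, examiner: str, source_host: str) -> dict:
    """Record what was taken, from which host, by whom, when (UTC) and its hashes."""
    return {
        "case_id": case_id,
        "evidence_item": os.path.basename(path),
        "source_host": source_host,
        "acquired_by": examiner,
        "acquired_utc": _now_utc(),
        "size_bytes": os.path.getsize(path),
        "hashes": hash_file(path),
        "custody_log": [],
    }


def verify(entry: dict, path: str) -> bool:
    """Re-hash the item; any mismatch means it is no longer what was acquired."""
    return hash_file(path) == entry["hashes"]


def hand_off(entry: dict, path: str, from_person: str, to_person: str) -> bool:
    """Log a custody transfer, re-verifying integrity at the moment of transfer."""
    intact = verify(entry, path)
    entry["custody_log"].append({
        "at_utc": _now_utc(),
        "from": from_person,
        "to": to_person,
        "integrity_ok": intact,
    })
    return intact


def demo() -> tuple:
    """Acquire a constructed 'memory dump', hand it off, tamper with it, re-verify."""
    with tempfile.TemporaryDirectory() as tmp:
        dump = os.path.join(tmp, "WS-042_memory.raw")
        with open(dump, "wb") as fh:
            fh.write(b"constructed RAM dump contents " * 1000)  # constructed sample data
        entry = acquire(dump, "CASE-PLACEHOLDER-001", "examiner A", "WS-042")
        ok_before = hand_off(entry, dump, "examiner A", "examiner B")
        with open(dump, "ab") as fh:
            fh.write(b"\x00")  # one appended byte: simulated tampering
        ok_after = verify(entry, dump)
        print(json.dumps(entry, indent=2))
        return ok_before, ok_after


if __name__ == "__main__":
    print(demo())  # (True, False)
```

The manifest is what goes into the case file: hashes, size, UTC time, examiner and every hand-off, each with its own integrity check. Streaming the file once through all hashers is the practical detail that lets the same routine handle a disk image that does not fit in memory.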

Event reconstruction (timeline)

Windows artefacts (Prefetch, NTFS Journal, Registry), application logs, network logs — complete timeline from first threat indication to termination.
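Building one timeline from several sources, as an added example (not the firm's own tooling): each source stamps time differently, and a cross-host timeline is only in true order once every record is normalised to UTC before sorting. The log lines, hosts, users and addresses are constructed, the Windows event export format is assumed, and the syslog host's zone (UTC+2) and year (2023) are assumptions because classic syslog records neither.

```python
"""Added example (not the firm's own tooling): merge log sources into one UTC timeline.

Each source stamps time differently: Apache-style access logs carry an offset,
the Windows event export assumed here is ISO-8601 with offset, Prefetch last-run
times are UTC, and classic syslog has neither year nor zone. Normalising every
record to UTC before sorting is what keeps a cross-host timeline in true order.
All log lines below are constructed; hosts, users and addresses are placeholders.
"""
import re
from datetime import datetime, timedelta, timezone

# Assumptions for the zone-less syslog source (constructed): host clock at UTC+2, year 2023.
SYSLOG_TZ = timezone(timedelta(hours=2))
SYSLOG_YEAR = 2023


def parse_clf(line: str):
    """Apache/nginx combined format: '[10/Oct/2023:13:55:36 +0200]' carries its own offset."""
    stamp = re.search(r"\[([^\]]+)\]", line).group(1)
    return datetime.strptime(stamp, "%d/%b/%Y:%H:%M:%S %z")


def parse_iso(line: str):
    """Windows event export (assumed format): ISO-8601 stamp with offset, then the event."""
    return datetime.fromisoformat(line.split(" ", 1)[0])


def parse_prefetch(line: str):
    """Prefetch last-run times are stored in UTC; the stamp is naive so UTC is attached."""
    stamp = " ".join(line.split()[:2])
    return datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)


def parse_syslog(line: str):
    """RFC 3164 syslog: 'Oct 10 13:57:01' has no year or zone; both come from the assumptions above."""
    stamp = " ".join(line.split()[:3])  # also absorbs the space-padded day ('Oct  5')
    naive = datetime.strptime(stamp, "%b %d %H:%M:%S")
    return naive.replace(year=SYSLOG_YEAR, tzinfo=SYSLOG_TZ)


PARSERS = {"web": parse_clf, "evtx": parse_iso, "prefetch": parse_prefetch, "syslog": parse_syslog}

# Constructed records, deliberately out of order and in mixed zones.
SAMPLE_RECORDS = [
    ("syslog", "Oct 10 13:57:01 fileserver sshd[1123]: Accepted publickey for svc_backup from 10.0.0.25"),
    ("prefetch", "2023-10-10 11:56:10 CMD.EXE-1A2B3C4D.pf last run (run count 1)"),
    ("evtx", "2023-10-10T13:55:40+02:00 EventID=4688 parent=w3wp.exe new_process=cmd.exe host=WEB-01"),
    ("web", '203.0.113.7 - - [10/Oct/2023:13:55:36 +0200] "POST /upload.php HTTP/1.1" 200 512'),
]


def build_timeline(records) -> list:
    """Normalise every record to UTC and return them sorted, oldest first."""
    rows = []
    for source, line in records:
        when = PARSERS[source](line).astimezone(timezone.utc)
        rows.append({"utc": when.isoformat(), "source": source, "event": line})
    rows.sort(key=lambda r: r["utc"])  # uniform ISO-8601 UTC strings sort chronologically
    return rows


if __name__ == "__main__":
    for row in build_timeline(SAMPLE_RECORDS):
        print(f'{row["utc"]}  {row["source"]:8}  {row["event"]}')
```

Run as-is, the four constructed records come out web, evtx, prefetch, syslog: the upload request, the process spawned by the web worker, the Prefetch confirmation that it ran, then the lateral login on the file server. Sorting the raw local-time strings instead would place the Prefetch entry (UTC) before both UTC+2 web and event records and misstate which came first.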

Root cause analysis

How did they get in? What did they exploit? What gaps did we miss? Technical insight without jargon — ready to translate into remediation actions.

Executive summary

Report for the board — what happened, who may be affected, what is the path forward. No technical jargon, but concrete business impact.

Technical detailed report

Full report for the IT team — every line of code, every log, every IoC (Indicator of Compromise). Prepared for audit and legal proceedings.

Lessons learned recommendations

Concrete remediation actions: patches, procedure changes, new controls, infrastructure updates. Calibrated to your maturity and budget.

How we work

Post-Breach Analysis in 4 phases

  1. Triage & acquisition (0–72h)

     Crisis call, identify affected systems, acquire disk images and memory snapshots, export logs. Everything with chain of custody.

  2. Initial analysis (day 3–5)

     Review artefacts, identify IoCs (hashes, IPs, domains), first view of cause and breach scope. Interim report for the board.

  3. Deep analysis (day 5–10)

     Full event reconstruction, memory dump analysis, malware analysis (if present), integration with threat intelligence. We know exactly what happened.

  4. Reporting and conclusions

     Technical report + executive summary. Recommendations, cause, scope, IoCs for your SOC/SIEM. Ready for regulator disclosure.

FAQ

Frequently asked questions

Is forensics the same as data recovery?

No. Data recovery restores deleted data. Forensics reconstructs what happened to the data, who touched it and when. It is investigation, not rescue.

Do we need to shut down systems for forensics?

We start with a memory snapshot (hot forensics), then gradually shut systems down for cold forensics. We always minimise downtime.

How quickly can you get into action?

First response within 2–4 hours of the call. Data acquisition within 24h. Interim report in 3–5 days, full report in 7–10 days.

Will the report be accepted by the regulator?

Yes — we base ourselves on NIST IR 1.1, SANS IR and ISO 27035. Chain of custody and documentation that pass audit.

What about confidentiality? Will the report be safe?

Everything encrypted (TLS/AES). NDA before work starts. The report goes only to you and whoever the board designates. We do not share it with anyone.

We already have an incident — help us now

Within 2–4 hours we will establish a crisis path and a first scope assessment. It will be okay.