Cyber Crisis Management

You don't always know if you've been breached.

The average time between initial compromise and detection is months. A Compromise Assessment investigates whether there is currently, or has recently been, unauthorised access to your environment.

What is a Compromise Assessment?

A Compromise Assessment is an investigation to determine whether your environment has been compromised, currently or historically. The team searches for indicators of compromise across endpoints, network traffic, logs, Active Directory and cloud. This goes beyond a vulnerability scan: it looks for evidence of actual attacker activity, combining automated scanning with expert manual threat hunting.

The Service

Find what is already there

The team searches specifically for indicators of compromise: suspicious files, unknown processes, unusual network connections, log manipulation, lateral movement and persistence mechanisms. This goes further than a vulnerability scan: it searches for evidence of actual attacker activity.

A Compromise Assessment is relevant after a merger or acquisition (is the environment you are integrating clean?), after a supplier incident (were we also affected?), or simply as a periodic health check of your environment.

The team combines automated scanning with manual threat hunting. Automated tools scan broadly for known indicators. Manual analysis searches for subtler traces that tools miss.

Why it matters

Attackers dwell for months before you notice

  • The average dwell time is measured in months, not hours

    Sophisticated attackers move slowly and quietly. They establish persistence, map your environment and wait for the right moment. Without active investigation, you may not know for months.

  • M&A introduces unknown risk into your environment

    When integrating acquired environments, you inherit their security posture. A Compromise Assessment before integration prevents importing an active threat into your network.

  • Supplier incidents frequently affect downstream organisations

    Supply chain attacks target multiple organisations through a single compromised supplier. When a key supplier is breached, you need to know whether your environment was also affected.

Scope

What we investigate

  • Endpoint analysis (malware, backdoors, persistence)
  • Network traffic analysis (C2 communications, data exfiltration)
  • Log analysis (authentication, privilege use, anomalies)
  • Active Directory analysis (golden ticket, DCSync, unauthorised accounts)
  • Cloud and identity analysis
  • Dark web check (leaked credentials, mentions)
  • Historical IoC sweep
  • Manual threat hunting for subtle attacker traces

Methodology

How we investigate your environment

01

Scoping

Environment, time period, trigger and priorities. Defining what is in scope and what detection depth is required.

02

Data collection

Deployment of forensic tooling, log extraction and network monitoring. Minimal operational footprint.

03

Automated analysis

Broad scan for known IoCs and anomalies. Baseline deviation analysis across endpoints, logs and network.

04

Manual threat hunting

Targeted search for subtle indicators of compromise. Expert hunters look for what automated tools miss.

05

Reporting

Findings, risk assessment and recommendations. If compromise is found, immediate transition to incident response.
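To make the automated-analysis step concrete (a known-IoC sweep, baseline deviation across endpoints, and authentication-log anomaly checks from the scope list above), here is a small self-contained Python example. It is added here for illustration and is not DEFION's tooling or any product's code: the endpoint inventory, the indicator feed and the logon events are constructed inline, and the hash values are placeholder strings, not real indicators. Each stage returns its findings so that the manual hunting step can start from a short, prioritised list rather than raw telemetry.

```python
"""Automated analysis pass for a Compromise Assessment (added example).

Three stages mirror the methodology on the page:
  1. ioc_sweep          - exact match of observed file hashes against a feed
  2. baseline_deviation - process images that deviate from the fleet baseline
  3. auth_anomalies     - logon patterns that merit a hunter's attention
All input data below is constructed for the example; hashes are placeholders.
"""
from collections import Counter, defaultdict
from datetime import datetime
from typing import Dict, List, Tuple

# Constructed endpoint inventory: (host, process image, sha256 placeholder).
INVENTORY: List[Tuple[str, str, str]] = [
    ("ws01", "explorer.exe", "HASH_EXPLORER_PLACEHOLDER"),
    ("ws01", "outlook.exe", "HASH_OUTLOOK_PLACEHOLDER"),
    ("ws02", "explorer.exe", "HASH_EXPLORER_PLACEHOLDER"),
    ("ws02", "outlook.exe", "HASH_OUTLOOK_PLACEHOLDER"),
    ("ws03", "explorer.exe", "HASH_EXPLORER_PLACEHOLDER"),
    ("ws03", "outlook.exe", "HASH_OUTLOOK_PLACEHOLDER"),
    ("ws03", "svchost_.exe", "HASH_UNKNOWN_PLACEHOLDER"),   # present on one host only
    ("srv01", "explorer.exe", "HASH_EXPLORER_PLACEHOLDER"),
    ("srv01", "updater.exe", "HASH_KNOWN_BAD_PLACEHOLDER"),  # matches the feed below
]

# Constructed indicator feed: hash -> label, as threat intel would supply it.
KNOWN_BAD_HASHES: Dict[str, str] = {"HASH_KNOWN_BAD_PLACEHOLDER": "placeholder-family"}

# Constructed logon events: (ISO timestamp, user, source host, target host).
LOGONS: List[Tuple[str, str, str, str]] = [
    ("2024-05-06T09:12:00", "alice", "ws01", "fileserver"),
    ("2024-05-06T09:40:00", "alice", "ws01", "mailserver"),
    ("2024-05-06T10:05:00", "bob", "ws02", "fileserver"),
    ("2024-05-06T02:13:00", "svc_backup", "ws03", "srv01"),
    ("2024-05-06T02:14:00", "svc_backup", "ws03", "srv02"),
    ("2024-05-06T02:15:00", "svc_backup", "ws03", "srv03"),
    ("2024-05-06T02:16:00", "svc_backup", "ws03", "dc01"),
]


def ioc_sweep(inventory, iocs):
    """Stage 1: report every (host, image, label) whose hash is in the feed."""
    return [(host, image, iocs[h]) for host, image, h in inventory if h in iocs]


def baseline_deviation(inventory, max_prevalence):
    """Stage 2: images seen on at most `max_prevalence` of all hosts are outliers.

    A binary that only exists on one or two machines in a fleet is not proof of
    compromise, but it is exactly where manual hunting should look first.
    """
    hosts = {host for host, _, _ in inventory}
    hosts_per_image = defaultdict(set)
    for host, image, _ in inventory:
        hosts_per_image[image].add(host)
    return sorted(
        (image, sorted(seen))
        for image, seen in hosts_per_image.items()
        if len(seen) / len(hosts) <= max_prevalence
    )


def auth_anomalies(logons, max_targets=2, business_hours=(7, 19)):
    """Stage 3: flag users reaching many distinct hosts or logging on off-hours.

    Returns {user: [reason, ...]} for users with at least one reason.
    """
    targets = defaultdict(set)
    off_hours = Counter()
    for ts, user, _src, target in logons:
        hour = datetime.fromisoformat(ts).hour
        targets[user].add(target)
        if not business_hours[0] <= hour < business_hours[1]:
            off_hours[user] += 1
    findings = {}
    for user, seen in targets.items():
        reasons = []
        if len(seen) > max_targets:
            reasons.append(f"{len(seen)} distinct targets")
        if off_hours[user]:
            reasons.append(f"{off_hours[user]} off-hours logons")
        if reasons:
            findings[user] = reasons
    return findings


def run_assessment():
    """Run all three stages and return the combined hunting worklist."""
    return {
        "ioc_matches": ioc_sweep(INVENTORY, KNOWN_BAD_HASHES),
        "baseline_outliers": baseline_deviation(INVENTORY, max_prevalence=0.25),
        "auth_anomalies": auth_anomalies(LOGONS),
    }


if __name__ == "__main__":
    for stage, result in run_assessment().items():
        print(f"{stage}: {result}")
```

In practice the inventory and logon data come from the forensic tooling deployed in the data-collection step, and the prevalence threshold is tuned to the fleet size; the point is that each stage produces a small, explainable list rather than a verdict, and the manual hunters take it from there.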

What You Receive

Deliverables

  • Compromise Assessment report
  • Findings with risk classification
  • Indicators of compromise (if found)
  • Recommendations for remediation and monitoring
  • Executive summary
  • Immediate escalation to incident response if active compromise is detected

For Whom

When to run a Compromise Assessment

Organisations after a merger or acquisition

Before integrating an acquired environment, validate that it is clean. Do not import a threat into your network.

Companies after a supplier or partner incident

When a key supplier is breached, determine whether your environment was also affected. Supply chain attacks are designed to propagate.

Organisations wanting periodic validation

Regular Compromise Assessments provide confidence that your environment is clean and your controls are effective.

Companies starting a new security programme

Establish a clean baseline before investing in new security measures. Know what you are starting from.

Tech stack

Vendor-agnostic by design

DEFION works with the tooling you already have, or brings ours. No vendor lock-in.

  • Microsoft Defender
  • CrowdStrike Falcon
  • No More Ransom

Frequently Asked Questions

FAQ

How does a Compromise Assessment differ from a pentest?

A pentest looks for vulnerabilities that could be exploited. A Compromise Assessment looks for evidence that vulnerabilities have already been exploited. The difference is between "can someone get in?" and "is someone already in?".

How long does a Compromise Assessment take?

Typically 1 to 3 weeks, depending on the size of the environment and desired depth.

What happens if something is found?

The incident response process is immediately activated. The team switches to containment and investigation. You are notified immediately.

Is this disruptive to our operations?

Minimal. The forensic tooling has a light footprint and network monitoring is passive. Employees typically notice nothing.

How often should a Compromise Assessment be performed?

Always after specific triggers (M&A, supplier incident, suspicious behaviour). As a periodic health check: annually for organisations with a high risk profile.

Know whether your environment is clean.

Request a Compromise Assessment. Confidence in your environment, or early detection of what needs to be addressed.