Understand Who Is Behind the Attack
Knowing that you were attacked is rarely enough. We analyze the infrastructure, tooling, and behavior behind an incident to assess who is likely responsible – and we tell you how confident we are, and why.
After an intrusion or campaign, the most consequential decisions hinge on who was responsible. A breach driven by an opportunistic criminal crew calls for a very different response than one tied to a sophisticated, well-resourced actor. Attribution is the discipline of answering that question responsibly – a structured analytic process that weighs technical evidence, behavioral patterns, and context, then states a conclusion at a clearly defined confidence level. We test hypotheses against evidence, consider alternative explanations, and make our reasoning legible.
- Threat Actor Analysis – Objectives, targeting patterns, techniques, and operational habits.
- Infrastructure Analysis – Domains, hosting, certificates, and the relationships among them.
- Nation-State vs. Criminal Indicators – Hallmarks distinguishing state-sponsored activity from financially motivated crime.
- Campaign Analysis – Whether your incident is isolated or part of a broader campaign.
- Confidence Assessments – Every conclusion paired with an explicit confidence level and the reasoning behind it.
- Evidence & Intelligence Intake – We gather available evidence and combine it with relevant external intelligence.
- Indicator Extraction & Enrichment – We extract and enrich technical and behavioral indicators to surface connections.
- Hypothesis Development – We develop competing hypotheses and look for facts that would disprove our leading theory.
- Confidence Assessment – We weigh the evidence, account for deception or false flags, and assign a defensible confidence level.
- Reporting & Briefing – We deliver a written assessment, with a briefing for leadership or counsel where useful.
- An attribution report with conclusions, supporting evidence, and an explicit confidence level.
- An intelligence report with context on the actor, campaign, and landscape.
- An executive summary written for leadership, boards, and counsel.
- Technical findings with indicators and methodology for technical teams.
Sophisticated actors deliberately obscure their identity and plant misleading indicators. In some cases the responsible, evidence-based conclusion is a confident assessment of actor type and methods rather than a specific named entity. We always tell you what the evidence supports and what it does not.
Can you name the specific individual who attacked us?
Sometimes, but often the responsible conclusion is an assessment of actor type, group, or campaign, reported at a stated confidence level.
What evidence do you need?
Logs, forensic images, malware samples, and network/email artifacts all help. We can work alongside your forensics team or perform the acquisition ourselves.
Can attribution findings support litigation or insurance claims?
Our reports are written to be clear and defensible. We are not a law firm and don’t provide legal advice.
We deliver disciplined, defensible threat attribution with honest confidence assessments.

