Professional Compromise Assessment & Digital Forensics Services
At Trilight Security, we provide compromise assessment and digital forensics services for organisations across the USA and the EU, including a strong focus on Germany. Digital forensics is the process of collecting, preserving, and analysing digital evidence from systems, endpoints, cloud environments, and network infrastructure — determining how a breach occurred, what was accessed or exfiltrated, and ensuring the integrity of evidence for regulatory submissions and legal proceedings. Whether you suspect you may already be compromised, have experienced a confirmed incident, or need forensic evidence to satisfy GDPR, NIS2, DORA, or insurance requirements, our certified DFIR specialists deliver the investigation depth and documentation rigour that regulators, insurers, and courts require. Get in touch with Trilight Security to find out whether your environment is clean — or to establish exactly what happened if it is not.
What We Investigate:
Endpoint & Server Forensics
- Memory forensics — recovering running processes, network connections, and malware from RAM
- Disk forensics — file system analysis, deleted file recovery, artefact extraction
- Windows forensics — registry analysis, event logs, prefetch, LNK files, shellbags, browser history
- Linux/macOS forensics — bash history, cron jobs, startup items, system logs, shell artefacts
- Malware persistence — scheduled tasks, services, registry run keys, WMI subscriptions
Network Forensics
- Network traffic capture and analysis — PCAP review, protocol analysis, data exfiltration reconstruction
- Firewall and proxy log analysis — identifying command-and-control communications and data egress
- DNS forensics — identifying malicious domain lookups, DGA activity, and beaconing behaviour
- VPN and remote access log analysis — identifying unauthorised external access and lateral movement
Cloud & SaaS Forensics
- Microsoft 365 / Azure AD — unified audit log analysis, sign-in forensics, email forwarding rule discovery, OAuth application abuse, conditional access bypass
- Google Workspace — Drive access logs, admin activity, email exfiltration analysis
- AWS / Azure / GCP — CloudTrail/Activity Log analysis, IAM event forensics, storage access logs, serverless function execution logs
Mobile & Endpoint Forensics
- iOS and Android device forensics — application data, communication history, location data, deleted content recovery
- Endpoint EDR telemetry analysis — reviewing EDR logs for missed detections, detection gaps, and attacker evasion techniques
Our Offering
Compromise Assessment

A compromise assessment analyses endpoint telemetry, system logs, and network data to identify Indicators of Compromise (IoCs), malicious persistence mechanisms, and attacker lateral movement within your environment. It is the right engagement when you have reason to believe a breach may have occurred but have not confirmed it — or when you want periodic proactive validation that your defences have not been silently bypassed.
Incident Forensic Investigation

When a confirmed breach has occurred, we conduct a full forensic investigation — preserving evidence in chain-of-custody format, reconstructing the attack timeline, identifying systems and datasets accessed or exfiltrated, and determining the root cause and access vector. We produce the documented evidence chain for GDPR Article 33, NIS2 Article 23, DORA, and HIPAA requirements, and support insurance claims and legal proceedings.
Malware Analysis & Reverse Engineering

We perform static and dynamic analysis of malware samples identified during an investigation — reverse engineering the malicious code to determine its capabilities, C&C infrastructure, persistence mechanisms, and whether it was targeted or opportunistic. Malware analysis supports both technical remediation and regulatory reporting, and can establish attribution evidence relevant to law enforcement and insurance.
Threat Hunting

Threat hunting is the proactive process of searching for IoCs that automated tools may have missed — analysing network traffic, logs, and endpoint data to uncover hidden adversaries operating within your environment. It uses behavioural analysis (BA), pattern recognition, and historical log review to detect anomalous activity that falls below detection thresholds. We conduct structured threat hunting against your environment on demand or as a recurring programme.
eDiscovery & Legal Support

We provide digital forensics services in support of legal proceedings — collecting, preserving, and producing digital evidence in legally defensible formats that maintain chain of custody and satisfy the requirements of courts, regulators, and arbitration bodies across EU and US jurisdictions. We work alongside your legal counsel and produce expert witness documentation and testimony where required.
Post-Incident Forensic Review

For organisations that have already responded to and recovered from an incident, we conduct a post-incident forensic review — verifying that the attacker has been fully eradicated, that no persistence mechanisms remain, and that the root cause has been correctly identified. This service is valuable for satisfying insurance requirements, closing out regulatory notifications, and confirming remediation before returning systems to production.
Why Compromise Assessment & Digital Forensics?
The average attacker dwell time in 2025 is 241 days. Most organisations discover breaches not through their own detection capabilities but through external notification — from law enforcement, threat intelligence vendors, or the attackers themselves via ransomware deployment. By the time a breach is confirmed, an attacker has typically moved through your environment, established persistence, exfiltrated data, and positioned themselves for maximum impact. A compromise assessment answers the question your existing tools cannot: has your environment already been breached by an attacker who is still present, or who was present and left without being detected?
Beyond breach detection, digital forensics is increasingly required by regulators whether or not a breach is suspected. GDPR, NIS2, and DORA all impose notification obligations that require forensic-quality documentation — the timeline of discovery, the systems affected, the data involved, and the evidence of containment — and this documentation must be produced under time pressure once an incident is confirmed. Without forensic capability in place, organisations scramble to reconstruct evidence under regulatory deadlines, often producing incomplete documentation that exposes them to additional enforcement risk.
Compromise Assessment & Digital Forensics Process:
We follow the NIST SP 800-86 four-phase digital forensics framework — Collection, Examination, Analysis, and Reporting — adapted to the specific scope, environment, and regulatory requirements of each engagement:
- Scoping & Evidence Planning: We agree the investigation scope with your legal, security, and executive team — identifying the systems, timeframes, and data sources most relevant to the investigation objectives. We establish chain-of-custody procedures, confirm data handling requirements under applicable law, and agree communication protocols that preserve legal privilege where required.
- Evidence Collection & Preservation: Data is identified, labelled, recorded, and acquired from all relevant sources using procedures that preserve its integrity, producing verified forensic copies. This includes memory acquisition from live systems, disk imaging, and log extraction from endpoints, servers, cloud platforms, SaaS applications (Microsoft 365, Google Workspace), and network devices. All evidence is preserved in forensically verified formats with documented chain of custody from the moment of acquisition.
- Examination: We process the collected data to surface artefacts relevant to the investigation — identifying Indicators of Compromise, malware signatures, attacker tooling, persistence mechanisms, and anomalous activity across all collected data sources. Automated processing is validated by experienced analysts to eliminate false positives and ensure no relevant artefact is missed.
- Analysis & Timeline Reconstruction: We correlate findings across all collected evidence sources to reconstruct the complete attack timeline — establishing initial access vector, lateral movement paths, privilege escalation, data accessed or exfiltrated, persistence mechanisms installed, and the full scope of systems affected. MITRE ATT&CK is applied to map all identified attacker techniques and provide your defensive team with a precise understanding of the adversary's behaviour.
- IoC Extraction & Threat Intelligence: We extract all Indicators of Compromise — IP addresses, domains, file hashes, registry keys, persistence artefacts, and behavioural patterns — and assess them against threat intelligence sources to determine attribution, campaign context, and whether the same actor is known to be targeting other organisations in your sector.
- Reporting & Regulatory Documentation: We produce the full documentation set required for your specific regulatory obligations and legal needs. Technical reports document every finding with forensic evidence references. Regulatory notification reports are structured to the specific requirements of GDPR Article 33, NIS2 Article 23, DORA, HIPAA, and PCI-DSS. Executive summaries communicate findings and recommendations to boards and senior management without requiring forensic expertise to interpret.
- Remediation Validation: Following your remediation of identified vulnerabilities and attacker persistence, we conduct a validation sweep to confirm that the environment is clean — that all attacker tooling has been removed, all persistence mechanisms are closed, and no residual IoCs remain. This validation is the foundation of a defensible regulatory closure submission.
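The collection, examination, timeline and IoC-extraction steps above, as an added Python illustration that is not Trilight Security's own tooling: it hashes each acquired artefact and opens a chain-of-custody log, re-verifies the hash before every later use (recording a failure rather than silently accepting it), normalises timestamps from three constructed log sources to UTC so the events can be ordered into one timeline, and pulls IoCs out of the event text with regular expressions. The record layout, event lines, usernames, addresses, domains and the hash value are all constructed; the MITRE ATT&CK technique IDs are real but were assigned here by hand.

```python
import hashlib
import re
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Optional

# ---- Evidence integrity and chain of custody -------------------------------

@dataclass
class EvidenceItem:
    """One acquired artefact plus its custody log (hypothetical record layout)."""
    item_id: str
    description: str
    sha256: str
    custody_log: list = field(default_factory=list)

    def log(self, actor: str, action: str, when: Optional[datetime] = None) -> None:
        when = when or datetime.now(timezone.utc)
        self.custody_log.append({"ts": when.astimezone(timezone.utc).isoformat(),
                                 "actor": actor, "action": action})


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def acquire(item_id: str, description: str, content: bytes, actor: str,
            when: Optional[datetime] = None) -> EvidenceItem:
    """Hash the artefact at acquisition time and open its custody log with that hash."""
    item = EvidenceItem(item_id, description, sha256_hex(content))
    item.log(actor, f"acquired; sha256={item.sha256}", when)
    return item


def verify(item: EvidenceItem, content: bytes, actor: str,
           when: Optional[datetime] = None) -> bool:
    """Re-hash before every use; a mismatch is logged, never silently accepted."""
    ok = sha256_hex(content) == item.sha256
    item.log(actor, "integrity verified" if ok else "INTEGRITY FAILURE: hash mismatch", when)
    return ok

# ---- Timeline reconstruction across sources --------------------------------

FAKE_HASH = "0123456789abcdef" * 4  # constructed placeholder, not a real sample hash

# Constructed sample events. Each source exports timestamps in its own format
# and zone (UTC 'Z' vs. local +0100), which is exactly what the timeline step
# has to reconcile before the events can be ordered.
SAMPLE_EVENTS = [
    {"source": "m365_unified_audit", "ts": "2025-03-04T06:12:40Z",
     "desc": "Successful sign-in for user j.doe from 203.0.113.45", "technique": "T1078"},
    {"source": "windows_security", "ts": "2025-03-04 08:02:11 +0100",
     "desc": "Scheduled task 'Updater' created, action C:\\Users\\Public\\up.exe "
             f"(sha256 {FAKE_HASH})", "technique": "T1053.005"},
    {"source": "m365_unified_audit", "ts": "2025-03-04T06:30:02Z",
     "desc": "Inbox rule 'Invoices' forwards mail to billing@example.net",
     "technique": "T1114.003"},
    {"source": "proxy", "ts": "2025-03-04 09:15:09 +0100",
     "desc": "POST 48 MB to https://cdn-update.example.org/upload", "technique": "T1041"},
]

TS_FORMATS = {  # per-source strptime formats; %z accepts both 'Z' and '+0100'
    "m365_unified_audit": "%Y-%m-%dT%H:%M:%S%z",
    "windows_security": "%Y-%m-%d %H:%M:%S %z",
    "proxy": "%Y-%m-%d %H:%M:%S %z",
}


def parse_ts(source: str, ts: str) -> datetime:
    return datetime.strptime(ts, TS_FORMATS[source]).astimezone(timezone.utc)


def build_timeline(events):
    """Attach a UTC datetime to every event and return them in chronological order."""
    return sorted(({**e, "utc": parse_ts(e["source"], e["ts"])} for e in events),
                  key=lambda e: e["utc"])

# ---- IoC extraction ---------------------------------------------------------

IOC_PATTERNS = {
    "ipv4": r"\b(?:\d{1,3}\.){3}\d{1,3}\b",
    "sha256": r"\b[0-9a-f]{64}\b",
    "domain": r"\b(?:[a-z0-9-]+\.)+(?:com|net|org)\b",  # TLD list kept narrow for the sample
    "email": r"\b[\w.+-]+@[\w.-]+\.\w+\b",
}


def extract_iocs(events):
    """Collect unique IoCs of each kind from the free-text event descriptions."""
    found = {kind: set() for kind in IOC_PATTERNS}
    for e in events:
        for kind, pat in IOC_PATTERNS.items():
            found[kind].update(re.findall(pat, e["desc"], flags=re.IGNORECASE))
    return {kind: sorted(values) for kind, values in found.items()}


if __name__ == "__main__":
    image = b"constructed memory image bytes"
    item = acquire("E-001", "memory image of HOST01 (constructed)", image, "analyst.a")
    print("clean copy verifies:", verify(item, image, "analyst.b"))
    print("tampered copy verifies:", verify(item, image + b"x", "analyst.b"))
    for entry in item.custody_log:
        print(" ", entry)
    for e in build_timeline(SAMPLE_EVENTS):
        print(e["utc"].isoformat(), e["source"], e["technique"], e["desc"][:60])
    print(extract_iocs(SAMPLE_EVENTS))
```

The custody log deliberately records the verification failure as an entry rather than raising, so that the report can show exactly when and by whom a damaged copy was detected; the timeline keeps the original source timestamp next to the normalised UTC value so an analyst can always trace a finding back to the raw export.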
Our Benefits
Compliance & Regulatory Support

Helping you meet the industry standards and legal requirements of ISO 27001, NIST, NIS2, DORA, PCI-DSS and other cybersecurity frameworks.
End-to-End Security Enhancement

Strengthening your defences against future attacks with EDR/XDR solutions, SIEM systems, firewalls and other cybersecurity infrastructure.
Deliverables
- Incident Timeline Report: A chronological account of the complete incident — from first indicators of compromise through detection, containment, eradication, and recovery — with timestamps, evidence references, and documentation of every action taken.
- Root Cause Analysis: A detailed technical report identifying how the attacker gained initial access, what techniques were used, which systems were affected, and what data was accessed or exfiltrated.
- Forensic Evidence Package: Memory dumps, disk images, log extracts, network traffic captures, and other forensic artefacts preserved in chain-of-custody format for use in legal proceedings, insurance claims, and regulatory submissions.
- Regulatory Notification Documentation: Drafted notifications for GDPR, NIS2, DORA, HIPAA, and other applicable frameworks — including supporting evidence and timeline documentation required for supervisory authority submissions.
- Remediation Plan: A structured plan addressing every vulnerability and misconfiguration exploited during the incident, with specific recommended actions, timelines, and responsible parties.
- Executive Summary: A board-level summary of the incident — what happened, what was affected, what the response achieved, and the three to five most critical improvements required to prevent recurrence.
- Lessons Learned Report: A post-incident review document covering detection gaps, response effectiveness, communication quality, and specific programme improvements recommended for each phase of the response.
- Updated Incident Response Plan: Revisions to your IRP and playbooks incorporating lessons learned from the engagement, tested against the specific techniques used in the incident.
Regulatory Notification Timelines — Know Your Deadlines
| Regulation | Deadline | Notification Target | Consequence of Failure |
| --- | --- | --- | --- |
| NIS2 (Article 23) | 24h early warning, 72h notification, 1 month final report | National CSIRT / competent authority | Up to €10M or 2% of global turnover |
| GDPR (Article 33) | 72 hours | National supervisory authority (DPA) | Up to €20M or 4% of global turnover |
| DORA | 4 hours initial, 72h intermediate, 1 month final | National financial regulator | Sanctions under DORA enforcement regime |
| HIPAA | 60 days | HHS Office for Civil Rights | Up to $1.9M per category per year |
| PCI-DSS | Immediately | Card brands and acquiring bank | Loss of card processing rights |
FAQ
Incident response is the structured process of detecting, containing, eradicating, and recovering from a cyberattack or security breach — minimising damage, preserving forensic evidence, and meeting the regulatory notification requirements that apply from the moment of discovery.
An IR retainer is a pre-negotiated agreement with an incident response provider that gives you guaranteed access to their team when an incident occurs — with priority response, pre-agreed rates, and typically annual readiness reviews. Without a retainer, finding a vendor and executing contracts during a live attack adds hours or days to your response timeline when every minute has financial consequences. Retainer clients resolve breaches 54 days faster than those without pre-established arrangements.
Under GDPR you have 72 hours to notify the supervisory authority of a personal data breach. Under NIS2 it is 24 hours for an early warning to the national CSIRT, 72 hours for full notification, and one month for the final report. Under DORA, the initial notification window is 4 hours for major ICT incidents. Missing these deadlines carries severe financial and reputational consequences regardless of how well the technical response was handled.
We respond to ransomware and extortion attacks, data breaches and exfiltration, business email compromise (BEC), phishing and credential compromise, insider threats, DDoS attacks, supply chain compromises, and any other security incident impacting your IT systems, cloud infrastructure, or operational technology.
Digital forensics is the systematic investigation and documentation of what happened during an incident — how the attacker gained access, what techniques they used, which systems and data were affected, and what evidence exists for legal and regulatory purposes. Forensic evidence preserved correctly during the incident is essential for regulatory submissions, insurance claims, legal proceedings, and preventing recurrence. Evidence destroyed or contaminated during a rushed response cannot be recreated.
Our ransomware response begins with immediate isolation of affected systems to prevent further encryption, followed by forensic preservation of affected systems before any remediation. We assess the ransomware strain, determine whether data exfiltration occurred, identify the full scope of compromise, and work with your legal team and cyber insurer on the ransom decision. We do not advise on paying — that decision requires legal, forensic, and insurance counsel. We focus on containment, evidence preservation, clean restoration from verified backups where available, and notification to applicable regulators and law enforcement.
Our incident response team is available 24/7. For IR retainer clients, response begins within the hour. For new engagements, we aim to have our team engaged and active within four hours of first contact. We establish an emergency hotline number for retainer clients so that incident notification never routes through a ticketing system.
Yes. We assist with drafting, reviewing, and submitting breach notifications under GDPR, NIS2, DORA, HIPAA, PCI-DSS, and other applicable frameworks. We provide pre-drafted notification templates as part of every retainer and IR plan engagement, and support the notification process in real time during an active incident.
A tabletop exercise is a structured, discussion-based simulation of a cyberattack scenario — bringing together your IR team, legal counsel, communications lead, and executive stakeholders to walk through how they would respond to a realistic incident. It tests whether your IR plan works in practice, exposes gaps in escalation paths and communication protocols, and generates the evidence of tested procedures that NIS2 and ISO/IEC 27001 auditors require.
MDR is a continuous, ongoing service — monitoring your environment 24/7 to detect threats before they become incidents. Incident response is activated when an incident has occurred or is actively in progress. The two are complementary: MDR reduces the likelihood and size of incidents; incident response contains and remediates them when they happen. Trilight Security offers both services.
Containment of an active incident typically takes 24–72 hours for straightforward cases. Full investigation, eradication, and recovery can take one to four weeks depending on the scale and complexity of the attack. Post-incident review and hardening activities extend the timeline further. We provide regular status updates throughout and a timeline estimate after the initial scope assessment.
Our incident response services satisfy requirements under GDPR, NIS2, DORA, ISO/IEC 27001, PCI-DSS, HIPAA, SOC 2, and other applicable regulatory frameworks. We provide the documented evidence chain — incident timeline, forensic findings, notification records, and remediation documentation — that auditors and supervisory authorities require.