Interactive Experience

What happens when your defences fail?

Walk through a real incident — from the first alert to full recovery. See every decision, every action, every handoff.

Built for security professionals who've seen how IR usually goes wrong — and want to see it done right.

Phase 01 — Alert Triggered

Something's wrong.

02:47 AM. Your security tools fire on anomalous C2 communication. You call the Arqen IR hotline. Within minutes, our team is online — correlating EDR, network, and DNS telemetry to confirm this is real.

CRITICAL — P1 INCIDENT
Time: 02:47:13 AST
Host: WKS-FIN-034.internal
C2 server: 185.234.xx.xx
Detection: Cobalt Strike Beacon — HTTPS (Correlated: EDR + NetFlow + DNS)
Severity: Critical — Active C2 / 3-source correlation
Attribution: APT-34 Infrastructure (93% conf.)
Hosting: Moldova → Netherlands proxy
First activity: 14 days ago (missed by prev. vendor)

Live Feed

[02:47:13] Beacon on WKS-FIN-034 → C2 callback, 60s interval, HTTPS/443, JA3 matches known Cobalt Strike profile
[02:47:14] Lateral movement via SMB + PsExec to DC-PROD-01 — domain admin token detected
[02:47:15] IR Lead auto-paged — severity P1 — SLA clock started — team mobilising
[02:47:18] Automated containment: EDR isolation triggered on WKS-FIN-034 — network ACL pushed
What usually happens
You call your IR vendor's hotline and get voicemail. Hours pass. Someone calls back and asks you to explain the situation from scratch. They ask YOU for logs, network diagrams, and credentials. By the time they're "onboarded," the attacker has moved laterally.
What Arqen does differently
24/7 emergency hotline — a senior IR analyst answers, not a call centre. If you're on retainer, we already have your network topology, credentials, and pre-authorised containment playbooks. We start working within minutes, not hours.
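The feed above reports the beacon by its 60-second callback interval plus a JA3 match, and the Day 0 timeline entry later calls this "behavioural analysis on JA3 fingerprint + beacon timing". The check below is an added illustration of that triage step, written for this page and not Arqen's tooling. It runs over constructed NetFlow-style records: a ~60 s HTTPS callback carrying the Cobalt Strike client JA3 quoted on the page, and a benign, bursty session to a CDN. The C2 IP on the page is partly redacted, so the sample uses a documentation address (203.0.113.10); the "known bad JA3" set, the field names and the thresholds are assumptions to be tuned per estate.

```python
"""Beacon-regularity triage over NetFlow-style records (added example, not Arqen's tooling).

Constructed input: a 60-second HTTPS callback from WKS-FIN-034 carrying the
Cobalt Strike client JA3 quoted on the page, plus a benign, irregular HTTPS
session. The page's C2 IP is partly redacted, so a documentation address is used.
"""
import statistics
from collections import defaultdict
from datetime import datetime, timedelta

CS_JA3 = "e7d705a3286e19ea42f587b344ee6865"  # from the page's live feed / IOC list
KNOWN_BAD_JA3 = {CS_JA3}  # assumption: your CTI feed of known C2 client fingerprints


def _flows(start, gaps_s, dst, ja3, src="WKS-FIN-034"):
    """Build flow records whose consecutive start times differ by gaps_s (constructed data)."""
    t, out = start, []
    for g in gaps_s:
        t += timedelta(seconds=g)
        out.append({"ts": t, "src": src, "dst": dst, "dport": 443, "ja3": ja3})
    return out


START = datetime(2026, 3, 1, 2, 30)
SAMPLE_FLOWS = (
    # beacon: ~60 s interval with slight jitter; 203.0.113.10 stands in for the redacted C2
    _flows(START, [0, 60, 61, 59, 60, 60, 60, 62, 60, 58], "203.0.113.10", CS_JA3)
    # benign: bursty browsing to a CDN with an unrelated (made-up) JA3
    + _flows(START, [0, 3, 0.4, 12, 1, 45, 2, 0.3, 7], "198.51.100.7",
             "a0e9f5d64349fb13191bc781f81f42e1")
)


def find_beacons(flows, min_conns=6, max_jitter_cv=0.15):
    """Score each (src, dst, port, ja3) channel for beacon-like regularity.

    A channel is reported when its inter-connection gaps are nearly constant
    (coefficient of variation <= max_jitter_cv) or its JA3 is on the bad list.
    Both together are treated as confirmed C2; either alone as suspicious.
    """
    by_channel = defaultdict(list)
    for f in flows:
        by_channel[(f["src"], f["dst"], f["dport"], f["ja3"])].append(f["ts"])

    hits = {}
    for channel, times in by_channel.items():
        if len(times) < min_conns:
            continue  # too few connections to judge periodicity
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        cv = statistics.pstdev(gaps) / mean if mean else float("inf")
        regular = cv <= max_jitter_cv
        ja3_hit = channel[3] in KNOWN_BAD_JA3
        if regular or ja3_hit:
            hits[channel] = {
                "connections": len(times),
                "median_interval_s": statistics.median(gaps),
                "jitter_cv": round(cv, 3),
                "ja3_match": ja3_hit,
                "verdict": "confirmed_c2" if (regular and ja3_hit) else "suspicious",
            }
    return hits


if __name__ == "__main__":
    for channel, info in find_beacons(SAMPLE_FLOWS).items():
        print(channel, info)
```

Two practical caveats: Cobalt Strike operators can set sleep jitter in the malleable profile, so raise max_jitter_cv (or bucket by median interval) if regularity alone is the trigger; and modern browsers randomise TLS extension order, so a JA3 match is most reliable against non-browser clients, which is exactly the case for an implant living in rundll32.exe.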
Phase 02 — Rapid Containment

Isolate. Preserve. Control.

Within minutes — not hours, not days — we segment the network and contain the blast radius. Every action is logged and every decision shared with you in real time.

WKS-FIN-034 (workstation): Compromised
DC-PROD-01 (domain controller): Monitoring
SQL-PROD-02 (database server): Monitoring
EXCH-01 (mail server): Monitoring
VPN-GW-01 (VPN gateway): Monitoring
WEB-DMZ-01 (web server): Monitoring
WKS-HR-012 (workstation): Monitoring
FS-SHARE-01 (file server): Monitoring
Live Analyst Channel — You Have Full Visibility
[02:49 AST] Sarah A. — IR Lead: WKS-FIN-034 isolated via EDR. Network ACLs pushed to core switch. Confirming no lateral to DC — checking Kerberos logs now. ETA: 8 min
[02:51 AST] Mohammed K. — Forensics: Memory acquisition initiated on WKS-FIN-034. Disk image queued. Evidence chain documented — hash: SHA256:a3f8c2...
[02:54 AST] Sarah A.: Confirmed — DC-PROD-01 shows PsExec service creation at Day -7. Escalating to full compromise scope. Recommending credential rotation for all domain admins immediately.
What usually happens
You file a ticket. A "war room" gets scheduled for tomorrow morning. Nobody tells you what's happening. The vendor's analyst asks YOU for network diagrams. Containment happens 18 hours later — after the attacker has already moved.
What Arqen does differently
You're in the channel from minute one. Every containment action is logged with rationale. Our analysts already have your network topology (from onboarding). Auto-containment fires while humans investigate — no waiting for approval chains at 3 AM.
Phase 03 — Deep Investigation

Trace every step. Miss nothing.

Full forensic reconstruction with MITRE ATT&CK mapping, data source attribution, and timeline correlation. Not a PDF in 6 weeks — a living investigation you can follow.

Day -14, 09:23 AM
Initial Access — Spearphishing
Targeted email to finance team. Weaponised Excel with macro. Bypassed email gateway — no sandbox detonation.
T1566.001 | Sources: Email Logs, EDR
Day -14, 09:24 AM
Execution — Cobalt Strike Stager
VBA macro dropped CS stager to %TEMP%. Reflective DLL injection into rundll32.exe. Process tree: EXCEL → cmd → rundll32.
T1059.005, T1055.001 | Source: EDR Process Tree
Day -12, 11:45 PM
Credential Access — LSASS Dump
Mimikatz executed in memory via CS beacon. Domain admin creds for svc_backup harvested. Account password age: 847 days.
T1003.001 | HIGH RISK | Source: Sysmon Event 10
Day -7, 03:12 AM
Lateral Movement — PsExec
svc_backup used to deploy PsExec service on DC-PROD-01 and SQL-PROD-02. Service name: PSEXESVC — default config (attacker got lazy).
T1021.002 | Sources: Windows Event 7045, NetFlow
Day -2, 01:30 AM
Exfiltration — 2.3GB Financial Data
7zip compression of \Finance\FY2026. Staged in C:\Windows\Temp\. Exfiltrated over HTTPS to C2 — masquerading as Microsoft Update traffic.
T1560.001, T1071.001 | DATA BREACH
Day 0, 02:47 AM
Client Escalates to Arqen IR
Client's security team flags the alert and calls Arqen's emergency hotline. IR team is online within 4 minutes. Behavioural analysis on JA3 fingerprint + beacon timing confirms active C2 — not a false positive.
IR ACTIVATED | Source: Behavioural Analytics
What usually happens
You get a 200-page PDF report 6 weeks later. No MITRE mapping. No data source attribution. You can't tell if they actually checked your cloud environment. Root cause is "user clicked a link" — thanks, very helpful.
What Arqen does differently
Living investigation with real-time updates. Every finding mapped to MITRE ATT&CK with the data source that proved it. You know what we checked, what we found, and what we ruled out. Root cause is actionable — not obvious.
Phase 04 — Eradication

Hunt. Remove. Verify.

Every implant, backdoor, and compromised credential — systematically found and neutralised. With machine-readable IOCs you can feed directly into your stack.

[ACTIVE] cobalt_strike_beacon.dll | Persistence: schtask "WindowsUpdate" on WKS-FIN-034 — runs every 60min
[ACTIVE] mimikatz (in-memory via CS) | No disk artifact — reflective loading only — detected via Sysmon Event 10
[ACTIVE] PSEXESVC service | Residue on DC-PROD-01, SQL-PROD-02 — default PsExec service, not renamed
[ACTIVE] svc_backup (Domain Admin) | Compromised — password age 847 days — used for lateral movement
[ACTIVE] C2 channel (HTTPS/443) | 185.234.xx.xx — JA3: e7d705a3286e19ea42f587b344ee6865 — beacon interval 60s
Extracted IOCs — Ready for Your Stack
IP | 185.234.xx.xx | High
Hash | a3f8c2e9...d47b (SHA256) | High
JA3 | e7d705a3286e19ea42f587b344ee6865 | High
Domain | update-msft[.]cloud | Med
Task | schtask: "WindowsUpdate" | High
What usually happens
You get IOCs in a PDF table you have to manually copy-paste. Half are already stale. No JA3 hashes, no behavioural indicators. Your SIEM team spends a day reformatting them. The vendor can't tell you what they missed.
What Arqen does differently
Machine-readable IOCs in STIX/JSON — one click into your SIEM, EDR, or SOAR. JA3 fingerprints, behavioural signatures, and scheduled task names included. We tell you what we found AND what we scanned and cleared.
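As an added illustration of the "machine-readable IOCs in STIX/JSON" deliverable (this is example code written for this page, not Arqen's exporter), the script below packages the IOC list above as a STIX 2.1 bundle using only the standard library. It includes only the indicators the page prints in full: the IP and the SHA-256 are partly redacted on the page and are deliberately left out rather than guessed. STIX has no JA3 observable, so the JA3 is shipped as a Suricata rule, which STIX 2.1 permits as a pattern_type; the High/Med rating is mapped onto the STIX confidence scale as an assumption (85/50), and the local Suricata sid range is likewise assumed.

```python
"""Build a STIX 2.1 bundle from the page's IOC list (added example, not Arqen's exporter).

Only IOCs printed in full on the page are included; the partly redacted IP and
SHA-256 are omitted rather than guessed. Rating -> confidence mapping and the
Suricata sid range are assumptions.
"""
import json
import uuid
from datetime import datetime, timezone

CONFIDENCE = {"High": 85, "Med": 50}  # assumption: vendor rating -> STIX 0-100 confidence

# IOCs transcribed from the page, in the page's own (defanged) notation
PAGE_IOCS = [
    {"kind": "domain", "value": "update-msft[.]cloud", "rating": "Med"},
    {"kind": "ja3", "value": "e7d705a3286e19ea42f587b344ee6865", "rating": "High"},
    {"kind": "task", "value": "WindowsUpdate", "rating": "High"},
]


def refang(value):
    """Undo the common defanging conventions before the value goes into a pattern."""
    return value.replace("[.]", ".").replace("hxxp", "http")


def _now():
    # STIX timestamps are UTC, RFC 3339, with optional fractional seconds and a 'Z'
    return datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.%fZ")


def pattern_for(ioc):
    """Return (pattern, pattern_type) for one IOC."""
    kind, value = ioc["kind"], ioc["value"]
    if kind == "domain":
        return f"[domain-name:value = '{refang(value)}']", "stix"
    if kind == "task":
        # the task shows up as a schtasks command line (or a 4698 event); express the former
        return f"[process:command_line LIKE '%schtasks%{value}%']", "stix"
    if kind == "ja3":
        # STIX has no JA3 object; a Suricata rule on the ja3.hash buffer is an allowed pattern_type
        sid = 9000000 + int(value, 16) % 999999  # assumption: deterministic id in a local sid range
        rule = (f'alert tls any any -> any any (msg:"Cobalt Strike client JA3 {value}"; '
                f'ja3.hash; content:"{value}"; sid:{sid}; rev:1;)')
        return rule, "suricata"
    raise ValueError(f"unsupported IOC kind: {kind}")


def make_indicator(ioc):
    """One STIX 2.1 Indicator SDO; SDO ids must be UUIDv4."""
    pattern, ptype = pattern_for(ioc)
    ts = _now()
    return {
        "type": "indicator",
        "spec_version": "2.1",
        "id": f"indicator--{uuid.uuid4()}",
        "created": ts,
        "modified": ts,
        "name": f"{ioc['kind']}: {ioc['value']}",
        "indicator_types": ["malicious-activity"],
        "pattern": pattern,
        "pattern_type": ptype,
        "valid_from": ts,
        "confidence": CONFIDENCE[ioc["rating"]],
    }


def build_bundle(iocs):
    """A STIX 2.1 bundle is just a typed, id'd wrapper around the object list."""
    return {
        "type": "bundle",
        "id": f"bundle--{uuid.uuid4()}",
        "objects": [make_indicator(i) for i in iocs],
    }


if __name__ == "__main__":
    print(json.dumps(build_bundle(PAGE_IOCS), indent=2))
```

Keep the defanged form only in the human-readable name; the pattern must carry the real value or nothing downstream will match. Before importing into a SIEM or TIP, run the output through a STIX validator (the stix2-validator project, for instance), since a malformed bundle is usually rejected silently.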
Phase 05 — Secure Recovery

Bring it back. Safely.

Phased restoration with validation gates. Each system verified clean before reconnection. 30-day post-incident surveillance with committed SLAs — because attackers often come back.

Active Directory: Offline
Email Exchange: Offline
SQL Database: Offline
File Shares: Offline
VPN Gateway: Offline
Web Services: Offline

Post-IR Surveillance: 30 days
Alert-to-Triage SLA: <15 min
Dedicated Analyst: 24/7
Status Briefings: Weekly
What usually happens
The IR vendor declares "incident closed" and disappears. You bring systems back yourself, hoping nothing was missed. No post-incident surveillance. No SLA. If the attacker comes back next week, you're calling a new vendor from scratch.
What Arqen does differently
30-day post-incident surveillance with the same analyst who handled your case. Committed 15-min triage SLA for any related alerts. Weekly status briefings until you're confident. If it recurs — we're already there, already context-loaded.
Phase 06 — Report & Transfer

Not just a report. A capability uplift.

The report is just the start. We deliver actionable playbooks, custom detection rules for YOUR environment, and hands-on training for your team.

ARQEN-IR-2026-0047.pdf (CONFIDENTIAL)
Incident Response Report
Client: [Redacted]  |  Date: March 2026  |  Classification: Confidential
Days Undetected: 14
Time to Contain: 4 min
IOCs Extracted: 47
Technical Deliverables
Executive summary for board presentation
Full MITRE ATT&CK navigator layer (importable)
IOC package: STIX 2.1 + CSV + YARA rules
12 custom Sigma detection rules for your SIEM
Remediation roadmap: 30/60/90 day priorities
NCA notification support (if applicable)

🎓 Knowledge Transfer — You Get Stronger, Not Dependent

Every engagement ends with your team being better than before. Not locked into a retainer. Not dependent on us. Genuinely more capable.

  • Custom detection rules written for your SIEM (Sigma format)
  • Runbooks tailored to your environment and stack
  • Hands-on workshop: "How this attack worked"
  • Purple team exercise on the exact TTPs we found
  • Gap analysis: what your current tools missed and why
  • Recommendations: what to buy, what to tune, what to retire
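The eradication list earlier names three host artefacts and the log source that exposed each (PSEXESVC in Windows Event 7045, in-memory mimikatz in Sysmon Event 10, the "WindowsUpdate" scheduled task), and this section promises custom detection rules for them. The following is an added example of those checks as plain Python run over constructed events, written for this page and not one of Arqen's Sigma rules. The event dicts imitate what a log shipper would forward; the field names, the LSASS-reader allowlist and the task-naming heuristic are assumptions to tune for your own estate.

```python
"""Hunt/detection checks for the three host artefacts on this page, run over
constructed Windows events (added example; not Arqen's Sigma rules).
Event dicts imitate log-shipper JSON; field names are assumptions.
"""

# Constructed sample: the malicious events the page describes plus benign lookalikes
# (a backup agent's service install, AV reading LSASS, a real Windows Update task).
SAMPLE_EVENTS = [
    {"host": "DC-PROD-01", "Channel": "System", "EventID": 7045,
     "ServiceName": "PSEXESVC", "ImagePath": "%SystemRoot%\\PSEXESVC.exe"},
    {"host": "DC-PROD-01", "Channel": "System", "EventID": 7045,
     "ServiceName": "BackupAgent", "ImagePath": "C:\\Program Files\\BackupAgent\\agent.exe"},
    {"host": "WKS-FIN-034", "Channel": "Microsoft-Windows-Sysmon/Operational", "EventID": 10,
     "SourceImage": "C:\\Windows\\System32\\rundll32.exe",
     "TargetImage": "C:\\Windows\\System32\\lsass.exe", "GrantedAccess": "0x1010"},
    {"host": "WKS-FIN-034", "Channel": "Microsoft-Windows-Sysmon/Operational", "EventID": 10,
     "SourceImage": "C:\\Program Files\\Windows Defender\\MsMpEng.exe",
     "TargetImage": "C:\\Windows\\System32\\lsass.exe", "GrantedAccess": "0x1010"},
    {"host": "WKS-FIN-034", "Channel": "Security", "EventID": 4698,
     "TaskName": "\\WindowsUpdate", "TaskContent": "<Command>rundll32.exe</Command>"},
    {"host": "WKS-FIN-034", "Channel": "Security", "EventID": 4698,
     "TaskName": "\\Microsoft\\Windows\\WindowsUpdate\\Scheduled Start",
     "TaskContent": "<Command>%SystemRoot%\\system32\\usoclient.exe</Command>"},
]

PROCESS_VM_READ = 0x0010  # access-mask bit needed to read LSASS memory
# assumption: processes legitimately allowed to read LSASS in this estate (lower-cased full paths)
LSASS_READER_ALLOWLIST = {"c:\\program files\\windows defender\\msmpeng.exe"}


def rule_psexec_service(ev):
    """Event 7045: PsExec's default service name/binary (the page notes it was not renamed)."""
    if ev.get("EventID") != 7045:
        return None
    name, path = ev.get("ServiceName", ""), ev.get("ImagePath", "")
    if "PSEXESVC" in name.upper() or "PSEXESVC" in path.upper():
        return f"PsExec service installed: {name} ({path})"
    return None


def rule_lsass_memory_read(ev):
    """Sysmon Event 10: a non-allowlisted process opening lsass.exe with VM_READ."""
    if ev.get("EventID") != 10 or not ev.get("TargetImage", "").lower().endswith("\\lsass.exe"):
        return None
    src = ev.get("SourceImage", "")
    if src.lower() in LSASS_READER_ALLOWLIST:
        return None
    access = int(ev.get("GrantedAccess", "0x0"), 16)
    if access & PROCESS_VM_READ:
        return f"LSASS memory read by {src} (GrantedAccess {ev['GrantedAccess']})"
    return None


def rule_task_masquerade(ev):
    """Event 4698: a task borrowing Microsoft naming but created outside \\Microsoft\\Windows\\."""
    if ev.get("EventID") != 4698:
        return None
    name = ev.get("TaskName", "")
    mimics = any(w in name.lower() for w in ("windowsupdate", "microsoft", "defender"))
    in_vendor_tree = name.lower().startswith("\\microsoft\\windows\\")
    if mimics and not in_vendor_tree:
        return f"Scheduled task imitating Windows naming outside the vendor tree: {name}"
    return None


RULES = {
    "psexec_service_install": rule_psexec_service,
    "lsass_memory_read": rule_lsass_memory_read,
    "masquerading_scheduled_task": rule_task_masquerade,
}


def run_rules(events, rules=RULES):
    """Apply every rule to every event; return one finding per (rule, event) match."""
    findings = []
    for ev in events:
        for rule_name, fn in rules.items():
            detail = fn(ev)
            if detail:
                findings.append({"rule": rule_name, "host": ev["host"], "detail": detail})
    return findings


if __name__ == "__main__":
    for f in run_rules(SAMPLE_EVENTS):
        print(f"{f['rule']:<28} {f['host']:<12} {f['detail']}")
```

The allowlist is the part that needs the most care: EDR and AV engines open LSASS with read access all day, so an unfiltered Sysmon 10 rule drowns the real hit. Keep the list to full, signed binary paths and review it whenever an agent is upgraded.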
What usually happens
A 200-page PDF report arrives 6 weeks later. Generic recommendations like "implement MFA" and "improve security awareness." No custom detections. No knowledge transfer. Your team learns nothing. The same attack would work again tomorrow.
What Arqen does differently
Report in 2 weeks with importable MITRE layers, STIX IOCs, and 12 custom Sigma rules that work in YOUR SIEM on day one. Hands-on workshop with your team. Purple team exercise. You walk away with detections that would catch this exact attack if it ever comes back.

This is IR done right.

No black boxes. No 6-week PDF. No dependency. Just fast, transparent, expert response that leaves your team stronger.
