Whether an active breach is unfolding right now or a hidden adversary has been quietly inside your environment for weeks, SourceMash has the people, tools, and battle-tested playbooks to contain it fast, dig out every trace, and make sure it cannot happen the same way twice.
Two Specialist Practices
Incident Response deals with the breach you know about. Threat Hunting finds the one you don't. Together, they form the most complete active-threat posture available to enterprise organisations.
Practice 01 Incident Response
A breach that is contained in 22 minutes costs exponentially less than one that runs for 22 hours. SourceMash Incident Response provides organisations with a battle-ready team that moves at the speed of the attacker: remotely isolating systems, revoking compromised credentials, severing C2 channels, and preserving forensic evidence simultaneously. We operate as an extension of your team: transparent, fast, and forensically rigorous at every stage, from first call to final report.
Pre-contracted access to a dedicated SourceMash IR team, guaranteeing sub-60-minute analyst engagement the moment an incident is declared. No procurement delays, no negotiation under fire. Retainer hours also cover tabletop exercises, IR playbook development, and annual readiness assessments to strengthen your response posture before a crisis occurs.
Immediate remote containment of live threats: isolating compromised endpoints, revoking attacker-held credentials, blocking C2 communication channels, and severing lateral movement pathways, all while preserving forensic integrity. IR engineers work transparently alongside your IT team throughout the containment operation, narrating every action in real time.
Court-admissible digital forensics covering disk and memory analysis, timeline reconstruction, patient-zero identification, full scope-of-compromise determination, and attacker tool cataloguing. We produce detailed forensic reports with chain-of-custody documentation suitable for legal proceedings, regulatory submissions, and cyber insurance claims, all to ACPO and NIST standards.
Specialist ransomware response from initial triage through clean recovery, covering variant identification, decryption feasibility assessment, negotiation support, backup integrity verification, and recovery environment planning. With over 200 ransomware cases across all major threat actor groups, our team knows exactly how each family behaves and what recovery options are genuinely viable.
Expert guidance through the breach notification obligations of GDPR, HIPAA, SOX, PCI-DSS, FCA, and sector-specific regulations: assessing notification thresholds, drafting compliant regulator communications, managing DPA and regulatory authority submissions, and producing cyber insurance claim documentation that maximises coverage utilisation under your policy terms.
Following every incident, a comprehensive post-incident report documents the root cause, full attacker timeline, security gaps exploited, and a prioritised hardening roadmap. We then work with your security and IT teams to implement the technical controls, validate that every identified attack path is permanently closed, and confirm that the specific exploit chain used cannot be repeated.
Always answered by a qualified incident responder, never a call centre or answering service. Sub-15-minute guaranteed first response for retainer clients.
Pre-built and custom-authored playbooks for ransomware, BEC, data exfiltration, insider threats, supply-chain compromise, and 40+ additional attack scenarios.
Dedicated liaison keeping CISO, legal, and board accurately informed throughout every incident: plain language, no jargon, no speculation.
TTPs mapped to MITRE ATT&CK to identify the threat group, campaign context, and likely next-stage activity, enabling proactive pre-emption of follow-on attacks.
Practice 02 Threat Hunting
The most dangerous threat in your environment right now is the one your automated tools have not flagged yet. The median dwell time for an undetected intrusion remains over 16 days; in some sectors, adversaries operate for months before triggering a single alert. SourceMash Threat Hunting closes that gap by deploying elite analysts who proactively search your environment using adversary intelligence, behavioural hypotheses, and advanced analytics to find what detection rules alone consistently miss.
Industry research consistently shows that in organisations relying on alert-driven detection alone, 38% of compromises are discovered by an external third party, not the organisation's own security team. Threat hunting directly addresses this by applying human expertise and intelligence to actively search for adversary behaviour that evades automated detection. For every hour a threat hunter operates, the probability of finding a hidden adversary in your environment increases measurably. Waiting for an alert is a strategy that works only for the threats you have already anticipated.
Structured hunts developed from adversary behaviour hypotheses: building hunting queries from known threat actor TTPs relevant to your sector and technology stack, then systematically testing those hypotheses across your log and telemetry data. Every hunt is documented regardless of outcome, building institutional knowledge about your specific threat landscape that compounds in value over time.
When a new adversary campaign, zero-day exploitation, or sector-specific threat emerges, we immediately initiate targeted hunts across client environments to determine exposure. Our intelligence team monitors threat actor infrastructure, dark web forums, and sector ISAC feeds continuously so hunt operations stay ahead of the adversary's operational tempo rather than reacting after breach reports emerge.
Targeted hunts focused on detecting stealthy lateral movement: analysing authentication logs, service account abuse, credential theft and reuse techniques (Pass-the-Hash, Pass-the-Ticket, Kerberoasting), remote administration tool usage, and SMB/WMI-based movement to surface attackers who have already gained initial access and are expanding their foothold quietly before executing their primary objective.
In-depth analysis of suspicious binaries, scripts, and artefacts discovered during hunting operations: static analysis, dynamic sandbox execution, obfuscation unpacking, C2 infrastructure mapping, and behavioural characterisation. Our malware analysts produce detailed technical reports and actionable YARA detection signatures deployable immediately across your security stack to prevent re-infection and detect related samples.
Targeted hunts for data staging and exfiltration activity: monitoring for abnormal data transfers, cloud storage uploads to personal accounts, large archive file creation, DNS exfiltration attempts, and anomalous outbound traffic patterns. We hunt for the early indicators of exfiltration before data leaves your environment, giving you the window to intervene before a security incident becomes a notifiable breach.
Every hunt finding is systematically converted into durable detection content: new SIEM correlation rules, EDR custom detection logic, YARA signatures, Sigma rules, and SOAR playbook triggers. Each hunt permanently improves your automated detection coverage, transforming one-time human-led discovery into persistent, machine-speed protection that continues operating long after the engagement closes.
We review current threat intelligence relevant to your sector, technology stack, and geography, then develop a set of specific, testable hypotheses about adversary behaviour that may be present in your environment. Each hypothesis is tied directly to one or more MITRE ATT&CK techniques.
We identify which log sources, telemetry feeds, and data sets are required to test each hypothesis, confirm data availability and retention windows, and establish read-only analyst access to the relevant systems. Scoping is completed before any hunting queries run to avoid wasted effort on data that isn't available.
Analysts execute hunting queries across the agreed data sources using KQL, SPL, or native log query languages depending on your stack. Results are triaged manually, anomalies are investigated in depth, and any confirmed findings are escalated immediately regardless of where we are in the hunt cycle. Active hunts typically run 3–10 working days.
All findings, positive and negative, are documented with full supporting evidence. Confirmed adversary presence or active threat triggers immediate IR escalation. Near-miss indicators and suspicious artefacts are classified, rated by severity, and included in the hunt report with specific recommended actions for each finding.
Every finding and near-miss is converted into detection content: Sigma rules, YARA signatures, SIEM correlation logic, or EDR custom rules. This content is validated against your environment before deployment and fully documented in your detection library, creating a permanent improvement to your automated coverage that compounds over multiple hunt cycles.
Delivery of the full hunt report: hypotheses tested, methodology used, complete findings catalogue, MITRE ATT&CK coverage heatmap showing gaps addressed, detection rules deployed, and a prioritised set of environment hardening recommendations. Executive summary included for board and CISO consumption alongside the technical findings pack.
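The hunt lifecycle described above (hypothesis tied to an ATT&CK technique, scoped data source, query execution, finding, conversion into a Sigma rule) worked through end to end, together with the lateral-movement and Kerberoasting hunts mentioned earlier, as an added example. This is illustration code, not SourceMash tooling: the authentication events, account and host names, thresholds, window sizes and the mapping from the constructed CSV columns to Windows Security event field names are all assumptions, and the Sigma output uses the classic aggregation (`count() by`, `timeframe`) syntax.

```python
"""Hypothesis-driven threat hunt over constructed authentication telemetry.

Added illustration, not SourceMash tooling. Every event, account name, host,
threshold and the column-to-Sigma field mapping below is constructed.
"""
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed Windows Security-style events: 4624 = account logon, 4769 = Kerberos
# service ticket (TGS) request. Empty columns do not apply to that event type.
SAMPLE_EVENTS = """\
ts,event_id,account,target_host,src_ip,logon_type,service,enc_type
2024-05-01T02:00:05,4624,svc-backup,WS-001,10.0.5.23,3,,
2024-05-01T02:00:41,4624,svc-backup,WS-002,10.0.5.23,3,,
2024-05-01T02:01:10,4624,svc-backup,FS-01,10.0.5.23,3,,
2024-05-01T02:01:55,4624,svc-backup,DC-01,10.0.5.23,3,,
2024-05-01T02:02:30,4624,svc-backup,WS-007,10.0.5.23,3,,
2024-05-01T09:15:00,4624,alice,WS-003,10.0.7.10,2,,
2024-05-01T09:20:00,4624,alice,FS-01,10.0.7.10,3,,
2024-05-01T14:00:00,4624,alice,WS-003,10.0.7.10,3,,
2024-05-01T12:30:00,4769,carol,DC-01,10.0.7.51,,CIFS/fs01,0x12
2024-05-01T11:05:00,4769,bob,DC-01,10.0.7.44,,MSSQLSvc/sql01,0x17
2024-05-01T11:05:01,4769,bob,DC-01,10.0.7.44,,HTTP/web01,0x17
2024-05-01T11:05:02,4769,bob,DC-01,10.0.7.44,,CIFS/fs01,0x17
2024-05-01T11:05:03,4769,bob,DC-01,10.0.7.44,,HOST/app02,0x17
2024-05-01T11:05:04,4769,bob,DC-01,10.0.7.44,,MSSQLSvc/sql02,0x17
2024-05-01T11:05:05,4769,bob,DC-01,10.0.7.44,,MSSQLSvc/sql03,0x17
"""

# Each hypothesis is tied to one ATT&CK technique. "match" is a declarative equality
# filter so the same definition drives both the hunt query and the generated Sigma rule.
HYPOTHESES = [
    {
        "name": "One account fanning out network logons to many hosts",
        "technique": "T1021",
        "match": {"event_id": "4624", "logon_type": "3"},
        "group_by": "account",
        "distinct": "target_host",
        "threshold": 5,                      # distinct hosts within the window (constructed)
        "window": timedelta(minutes=10),
    },
    {
        "name": "One account requesting RC4 service tickets for many SPNs",
        "technique": "T1558.003",
        "match": {"event_id": "4769", "enc_type": "0x17"},
        "group_by": "account",
        "distinct": "service",
        "threshold": 5,                      # distinct SPNs within the window (constructed)
        "window": timedelta(minutes=10),
    },
]

# Constructed column names -> Windows Security event field names used in Sigma rules.
SIGMA_FIELDS = {
    "event_id": "EventID", "logon_type": "LogonType", "enc_type": "TicketEncryptionType",
    "account": "TargetUserName", "target_host": "Computer", "service": "ServiceName",
}


def load_events(text):
    """Parse the CSV telemetry and convert timestamps so windows can be compared."""
    events = list(csv.DictReader(io.StringIO(text)))
    for e in events:
        e["ts"] = datetime.fromisoformat(e["ts"])
    return events


def hunt(events, h):
    """Test one hypothesis: group the filtered events, then look for a sliding window in
    which the number of distinct values reaches the threshold. One finding per group."""
    groups = defaultdict(list)
    for e in events:
        if all(e.get(k) == v for k, v in h["match"].items()):
            groups[e[h["group_by"]]].append(e)
    findings = []
    for key, evs in groups.items():
        evs.sort(key=lambda e: e["ts"])
        for i, first in enumerate(evs):
            deadline = first["ts"] + h["window"]
            seen = {e[h["distinct"]] for e in evs[i:] if e["ts"] <= deadline}
            if len(seen) >= h["threshold"]:
                findings.append({"technique": h["technique"], "name": h["name"],
                                 "account": key, "count": len(seen),
                                 "first_seen": first["ts"].isoformat(), "values": sorted(seen)})
                break
    return findings


def to_sigma(h):
    """Turn a confirmed hypothesis into a Sigma rule (classic aggregation syntax)."""
    selection = "\n".join(f"    {SIGMA_FIELDS[k]}: {v}" for k, v in h["match"].items())
    minutes = int(h["window"].total_seconds() // 60)
    return (
        f"title: {h['name']}\nstatus: experimental\n"
        f"description: Generated from hunt hypothesis {h['technique']} (constructed example)\n"
        f"tags:\n  - attack.{h['technique'].lower()}\n"
        "logsource:\n  product: windows\n  service: security\n"
        f"detection:\n  selection:\n{selection}\n  timeframe: {minutes}m\n"
        f"  condition: selection | count({SIGMA_FIELDS[h['distinct']]})"
        f" by {SIGMA_FIELDS[h['group_by']]} > {h['threshold'] - 1}\n"
        "level: medium\n"
    )


def run_hunt(text=SAMPLE_EVENTS):
    """Run every hypothesis over the telemetry and return all findings."""
    events = load_events(text)
    return [f for h in HYPOTHESES for f in hunt(events, h)]


if __name__ == "__main__":
    for finding in run_hunt():
        print(finding)
        print(to_sigma(next(h for h in HYPOTHESES if h["technique"] == finding["technique"])))
```

On the constructed data the hunt flags `svc-backup` (five network logons to five different hosts inside two and a half minutes) and `bob` (six RC4 service-ticket requests for six SPNs in six seconds), while `alice`'s ordinary interactive logons and `carol`'s AES ticket request produce nothing. The value of keeping the hypothesis declarative is that the negative results are just as documentable as the positives, and the same structure that ran the hunt emits the durable detection rule, so a one-off analyst query becomes permanent coverage.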
All hunt operations led by GCIA, GCIH, or GCFE certified analysts with hands-on adversary simulation and red team backgrounds.
Every hunt mapped to ATT&CK, delivering clear visibility of which techniques are being hunted and where your coverage gaps remain after each cycle.
Every hunt finding becomes a detection rule, systematically converting one-time human discovery into permanent, automated security coverage at machine speed.
Hunt reports in two formats: full technical findings pack for your security team, and an executive summary that communicates risk and outcome in plain business language.
A structured, time-bound response methodology built from 600+ real-world incident engagements: every stage has a defined owner, a clear output, and a target completion time.
Call received on the IR hotline. Incident is declared, severity assessed on the initial call, and the appropriate IR team is paged simultaneously. Retainer clients have a named responder on the line within 15 minutes. A secure incident channel is opened and all communication moves there immediately.
IR engineers perform rapid remote scoping: identifying affected assets, initial indicators of compromise, attacker foothold locations, and immediate data-at-risk assessment. Evidence snapshots of key systems are taken immediately to preserve forensic integrity before any containment actions are executed that might alter the evidence state.
Active containment operations: isolating compromised systems, revoking attacker-controlled credentials and tokens, blocking C2 communication channels, severing lateral movement pathways, and removing attacker-deployed tools and persistence mechanisms. Containment actions are executed with your explicit authorisation at each stage, with real-time narration of every action taken.
Comprehensive forensic analysis of affected systems: memory and disk forensics, full timeline reconstruction, patient-zero identification, complete scope-of-compromise mapping, data access and exfiltration assessment, and attacker TTP cataloguing against MITRE ATT&CK. This phase produces the factual foundation for regulatory notification decisions, legal proceedings, and the hardening roadmap.
Assessment of regulatory notification obligations based on confirmed forensic findings: jurisdiction-specific advice on GDPR 72-hour notification windows, HIPAA breach assessment, PCI-DSS forensic requirements, and FCA/PRA reporting obligations. Drafting of regulator communications and preparation of cyber insurance claim documentation with evidence packages attached.
Delivery of the full post-incident report: executive summary, technical narrative, forensic timeline, root cause analysis, regulatory impact assessment, and a prioritised hardening roadmap with specific, implementable recommendations for each identified gap. Board-ready executive version included. SourceMash engineers available to present findings to board, legal, and regulatory stakeholders as required.
Our threat hunting and incident response capabilities span the full MITRE ATT&CK Enterprise framework, from initial access through to impact. Every engagement is mapped to specific techniques to give you measurable coverage visibility.
The SourceMash IR team contained an active ransomware deployment in 22 minutes and had a full forensic picture in our hands within 48 hours. That single incident response justified the retainer investment many times over, and the post-incident hardening roadmap is now our security programme's primary execution backlog for the next two quarters.
The threat hunting engagement found a backdoor that had been in our environment for over two months, completely invisible to our existing EDR and SIEM. The speed of discovery, the quality of the forensic evidence, and the detection rules that came out of it have permanently changed how we think about proactive security in this organisation.
What stands out about SourceMash is the communication quality during an active incident: clear, calm, technically precise, and always one step ahead of our own questions. When you are dealing with a live breach at 2am, that clarity is not just valuable, it is what allows the business to make the right decisions under pressure.
Everything you need to know before reaching out to us.
We have an active breach right now. What do we do?
Call the SourceMash IR hotline immediately on +91 172 4567 890 or email ir@sourceMash.com. A qualified incident responder will answer within 15 minutes for retainer clients and within 60 minutes for all other callers. Do not power down affected systems, do not attempt to remove malware, and do not wipe or reimage any systems; preserving forensic evidence in the first hour dramatically improves the quality and completeness of the subsequent investigation. Our first call will triage the situation, provide immediate containment guidance, and stand up a secure incident channel for ongoing communication.
What is an IR retainer and how does it differ from ad-hoc IR?
An IR retainer is a pre-contracted standing arrangement that gives you guaranteed access to a named SourceMash IR team at a defined response SLA, typically sub-60 minutes from the moment you declare an incident. Ad-hoc IR engagements are available but involve procurement and scoping under crisis conditions, which typically adds several hours to initial analyst engagement. Retainer clients also benefit from quarterly readiness assessments, tabletop exercises, and custom playbook development included in the retainer fee. For organisations that handle regulated data or operate critical infrastructure, a retainer is the only sensible posture.
How long does a threat hunting engagement typically take?
A focused single-hypothesis hunt on a specific attack technique or threat actor TTP typically takes 3–5 working days including scoping, execution, analysis, and reporting. A broader environment-wide hunt covering multiple ATT&CK tactic areas typically runs 7–14 working days. For managed hunting clients on a monthly cadence, we maintain a rolling programme of targeted hunts calibrated to current threat intelligence, with new findings reported monthly and detection rules deployed continuously. The initial engagement for a new client typically includes a scope-setting call followed by a 10-day foundational hunt to establish the first baseline of your environment's threat posture.
Do we need to be an MDR client to access IR or threat hunting?
No. Incident Response and Threat Hunting are available as standalone services, independently of MDR. Many organisations engage us for a standalone threat hunt annually or use our IR services for a specific incident without an ongoing MDR relationship. That said, clients with an active MDR engagement benefit from deeper environmental context that significantly accelerates both IR and hunting operations: our SOC analysts already have months of baseline data about your environment that makes threat identification faster and more accurate than a cold-start engagement.
Will SourceMash handle communications with our cyber insurers and regulators?
Yes. Our IR service includes regulatory notification support covering GDPR, HIPAA, PCI-DSS, FCA/PRA, and other applicable regulations, including timeline management, notification drafting, and regulator submission support. For cyber insurance, we produce a complete claim documentation package including forensic reports, incident timeline, remediation evidence, and business impact assessment in the format required by most major cyber insurance policies. We have extensive experience working with cyber insurers and their approved forensic vendors, and can coordinate directly with your insurer's panel if required under your policy terms.