Incident response · M365 forensics · tenant hygiene
We investigated the breach
after your MSSP said nothing happened.
CyberRisk Services is a working incident-response practice, not a report factory. We've re-opened "closed" incidents and found a year of attacker dwell, 91 ignored alerts, and RCAs with placeholder text still in the body. When the deliverable matters — to your insurer, your counsel, or your board — the investigation has to actually be done.
Direct line to the principal — no intake tier, no ticket queue
706 attacks. Five months. Two mailboxes.
A business-email-compromise campaign ran 706 coordinated attacks against two finance mailboxes for five months. One inbox rule exposed it — and a SIEM blind spot had hidden the rest.
Eighteen seconds between two continents.
A "perfect" Conditional Access geo block that never fired — because the attacker brought their own session cookie. The policy change that actually closes the gap.
One year of dwell. 91 alerts. Nobody looked.
A default SIEM connector hid an AiTM compromise for twelve months. One configuration change surfaced every victim in the tenant — and the question of what the MSSP was watching.
Credentials
Filed provisional portfolio · assigned to EnvyGroup, LLC · patent pending