Agentic investigations for security teams

Achieve the depth of digital forensics at the speed of EDR. Every security alert, identity compromise and network intrusion analysed in minutes to identify root cause, lateral movement and data impact.

Akira Ransomware

Attack Path

3 confirmed
Root Cause

Compromised VPN account logs in from leased VPS

vpn-gw01 · m.walker · 185.225.69.41
02:14 UTC · Root Cause
Attack Step

Mimikatz dumps LSASS and elevates to domain admin

dc-jump-02 · lsass.exe · svc-backup
02:41 UTC · Confirmed
Attack Step

PsExec creates scheduled tasks across file servers

psexesvc.exe · fs-prod-07 · GPO cache
03:16 UTC · Unreviewed
Evidence Needed

Rclone stages 53.2 GB to cloud storage over TLS

rclone.exe · MEGA remote · 53.2 GB
03:33 UTC · Evidence
Confirmed Malicious

Akira ransomware encryptor deployed to file shares

w.exe · akira_readme.txt · fs-prod-*
03:58 UTC · Confirmed

Detection tells you something happened. Forensics gives you the truth.

EDR and SOC teams can flag unusual activity. But the answers customers, regulators, insurers, and executives need still come from painstaking evidence collection, analysis, and correlation.

As attackers move faster, “has something happened?” is not enough. Defenders need to explain how it happened, what data was impacted, and how to recover at the same pace.

Timeline

Incident evidence in chronological order

Root cause

Compromised VPN account signs in from leased infrastructure

m.walker · vpn-gw01 · 185.225.69.41

02:14 UTC

Lateral movement

RDP connection to fs-prod-07 using account m.walker

m.walker · fs-prod-07 · Remote Desktop

02:41 UTC

Persistence · escalated to Strand

AnyDesk service installed and configured for unattended access

fs-prod-07 · anydesk.exe · service created

03:16 UTC

The investigation layer for your entire stack, on-premises and cloud.

Collect data from existing tools, or use our forensic collector for raw artifact ingestion. Strand ensures full investigation coverage, regardless of the tools already in place.

Internal teams

Proactive forensics for internal teams

Connect Strand behind the tools that already detect. High-confidence alerts from EDR, XDR, SIEM, or MDR automatically trigger evidence collection before analysts have to stitch the story together by hand.

SentinelOne

Alert source

CrowdStrike

Alert source

Defender

Alert source

SIEM / MDR

Alert source

IR firms

Reactive investigations for IR firms

During ransomware or breach response, Strand collectors can be deployed to compromised hosts, servers and cloud tenants. The investigation does not depend on the client having perfect telemetry already in place.

Strand Agent

Collects forensic evidence in seconds

Raw artifact sources

Hosts
Servers
Cloud tenants

Strand

One investigation engine for every source of evidence

Root cause
Lateral movement
Persistence
Data impact
Report generation

Hoping for false positives. Ready for critical incidents.

Investigate everything, from new and novel threat actor tactics to the common incidents every team faces.

Business Email Compromise

Identify the access, produce archives of accessed data in seconds, find all outbound communications from the threat actor, secure the tenant and autonomously identify the root cause.

BEC investigation

35 anomalies · 32 emails · 2 persistence
Unfamiliar proxy infrastructure was grouped into the mailbox timeline and linked to the affected identity.
Relevant messages were exported with IDs and timestamps so counsel can review exposure quickly.
Forwarding behavior and OAuth persistence were tied back to the compromised account.

Network Intrusions

Strand turns endpoint, server, and cloud evidence into a defensible sequence: initial access, lateral movement, persistence, staging, and exfiltration. Built from the ground up for fully autonomous ransomware and APT investigations.

Initial access

VPN account compromise

Lateral movement

RDP to file server

Persistence

AnyDesk service

Alert Investigations

Start with the alert your stack raised, then let Strand prove what happened around it. A malicious VBS scheduled task is traced back to a downloaded ZIP file, then forward to LummaStealer deployment on the device.

WIN-9K4D2Q7

2 High · 1 Critical · 18 IOCs
The scheduled task launched wscript.exe against update.vbs from the extracted archive.
Filesystem evidence showed the archive download, extraction, and script launch sequence.
Process, browser, and network evidence confirmed LummaStealer execution on the device.

Keep everyone in the loop

Incidents take time. Teams need rest. Ensure everyone has the information they need, exactly when they need it.

Updates

Progress from your alerts and investigations

Today

Finding by Maya Chen

Initial access confirmed

VPN sign-in from leased infrastructure tied to m.walker.

Root cause finding
02:18 UTC
Evidence by Strand Agent

Evidence collected from 3 hosts

Filesystem, process, service, and remote access artifacts collected.

View evidence bundle
02:36 UTC
Escalated by Priya Shah

Persistence identified

AnyDesk service installed for unattended access on fs-prod-07.

Open persistence finding
03:16 UTC
Actioned by Alex Rivera

Containment status updated

Affected accounts disabled and file server isolated pending recovery.

Containment evidence
03:44 UTC

Powerful, custom reporting

Create reusable report templates for every stakeholder, internal and external.

Reporting

Executive, technical, legal, client-ready

Northstar Incident Report Template.docx

Northstar Foods

Incident Response Report

Akira ransomware investigation

Processing report

Evidence, findings, and citations are being assembled.

Report generated

A stakeholder-ready incident report with evidence-backed findings is ready.

Real investigations. Evidence-backed outcomes.

See how Strand turns alerts, compromised accounts, and ransomware response into root cause, data impact, and decisions teams can act on.

Portfolio SOC

Our analysts were burned out investigating less than 10% of alerts. Now we investigate 100%, burnout is gone, and they focus only on the important, strategic decisions.

A private equity security team moved 1,600 weekly SentinelOne alerts into automated forensic investigation across hundreds of portfolio companies.

100% qualifying alerts investigated
Read story
Ransomware

Strand determined how Akira gained access within an hour. Recovery would have started days later without it.

An Akira response moved from encrypted systems to a defensible attack path with evidence tied to each finding.

30 min to root cause
Read story
Business Email Compromise

Knowing which emails were accessed and sent in seconds blew our legal team away. Our reputation with external clients was protected by having this information immediately, rather than two days later.

OAuth grants, inbox rules, accessed messages, and outbound communications were turned into a review-ready incident picture.

847 emails reviewed
Read story
Threat Campaign

Our EDR hadn't generated any alerts and we were looking for a needle in a haystack.

A hospitality investigation recovered ClickFix execution, infostealer activity, persistence, and guest-data impact.

0 EDR alerts at discovery
Read story
Patient Zero

We couldn't afford to examine every workstation manually, but Strand made it a breeze and ensured we hadn't missed anything.

Endpoint forensics rebuilt the chain from helpdesk compromise to domain impact even after key logs were unavailable.

52 hrs of attacker activity rebuilt
Read story

Pulled from over 1,000 incidents investigated by Strand, each time ensuring the business survived and thrived after its worst days.

View all case studies

Be ready for the bad days.

When an incident happens, the value of responding quickly is measured in millions. Remove the waiting for answers, get responders focusing on recovery, and protect your business from modern threats with Strand. Start with a free, no-obligation trial.