- After a cyber incident, you should determine exposure, find out if you’re compromised, follow your framework, recover, and learn from the incident.
- Having the right data helps to form a clear picture.
- Curated threat intelligence refers to information that has been carefully selected, validated, and placed into context with an organisation’s environment, rather than raw data feeds delivered in bulk.
Exploited in the wild. Four words that strike fear in security practitioners. They don’t mean the clock has just started ticking; it began ticking days or weeks ago, and now the alarm is sounding. The immediate priority is to determine exposure and confirm any compromise.
One example of this situation that quickly comes to mind is the research our Rapid7 Labs team did in July 2025 on a previously unknown vulnerability in Microsoft SharePoint: CVE-2025-53770. The zero-day vulnerability allowed attackers to place a backdoor on on-premises SharePoint servers and steal the systems’ security keys, leading to full compromise of the machine.
The vulnerability highlighted the importance of speed and decisive action in identifying and remediating the threat, particularly the need to determine exposure and conduct a threat hunt to confirm any compromise.
As criminal threat groups improve their tooling and exploit previously unreported vulnerabilities for initial access, the need for defenders to adapt their response has never been greater.
Task one: determine exposure
When a security advisory is published, the first question is whether any assets are potentially exposed. In the past, a vendor’s claim of exploitation may have sufficed. Given the precedent set over the past year, it is unwise to rely solely on a vendor advisory for exploited-in-the-wild status.
Too often, advisories or exploitation confirmations reach teams too late or without the context needed to prioritise the response. CISA’s KEV, trusted third-party publications, and vulnerability researchers should form the foundation of any remediation programme.
The first task at this stage is to determine exposure. This, of course, demands comprehensive content coverage and, potentially, vulnerability validation to establish whether assets are truly susceptible to the reported risk.
Being able to answer senior management’s most important question of “are we exposed?” is a requirement that demands immediate attention. While it may sound straightforward, those managing vulnerability programmes know this is where claims of commoditisation are often overstated.
Secondly, where additional evidence is required to drive remediation, further validation may be necessary. Open-source tooling such as Metasploit can provide that validation and, in some cases, may be a necessary part of the response.
Task two: ask yourself if you’re compromised
Depending on the answer to the exposure question, the next question should be whether the organisation is compromised. At this stage, the threat actor may have held the zero-day for days, weeks, or even months, and could already be at the final stage of the kill chain, exfiltrating data over an extended period.
This phase focuses on determining what has been taken and eliminating any remaining persistence, such as additional backdoors established by the attacker.
Many organisations will leverage their incident response (IR) retainers to assess the extent of the compromise or, at a minimum, perform a rudimentary threat hunt for indicators of compromise (IoCs) before involving the IR team.
As with the first step, accurate, high-fidelity intelligence is critical. Simply downloading IoC lists filled with dual-use tools from social media will generate noise and likely lead to inaccurate conclusions.
Arguably, the cornerstone of the initial assessment is ensuring that intelligence incorporates decay scoring to validate command-and-control (C2) infrastructure. For many, the term ‘threat hunt’ translates to little more than a log search on external gateways.
For example, if traffic is observed to known domains or IP addresses, the assumption may be made that there is evidence of compromise. Such findings are likely to trigger a more comprehensive assessment and/or bring in external support.
If the foundation of this exercise is outdated intelligence drawn from security research that equates publishing seven pages of Indicators of Compromise (IoCs) with expertise, then the entire process is pointless.
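To make the decay-scoring point concrete: a gateway log search that treats every indicator on a list as equally current will flag stale C2 domains and dual-use tooling alongside live infrastructure. The script below is an added example, not Rapid7’s code or intelligence; the half-life decay function, the 0.5 threshold, the log line format and every indicator and log entry are constructed for illustration.

```python
"""Threat hunt over gateway logs using decay-scored indicators.

Added example, not Rapid7's code. The decay model (exponential half-life on
confidence), the log format, the indicators and the log lines are all
constructed assumptions for illustration.
"""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Indicator:
    value: str               # domain or IP address
    kind: str                # "c2" (confirmed infrastructure) or "dual_use" (tooling)
    confidence: float        # analyst confidence (0..1) as of last_seen
    last_seen: datetime      # last time the infrastructure was observed active
    half_life_days: float    # confidence halves every this many days


def decayed_score(ind: Indicator, now: datetime) -> float:
    """Confidence decays exponentially with the indicator's age."""
    age_days = max(0.0, (now - ind.last_seen).total_seconds() / 86400)
    return ind.confidence * 0.5 ** (age_days / ind.half_life_days)


# Constructed log format: "<timestamp> <src> -> <dst> <action>"
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<src>\S+) -> (?P<dst>\S+) (?P<action>\S+)$")


def parse_log(line: str) -> Optional[Dict[str, str]]:
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def hunt(log_lines: List[str], indicators: List[Indicator], now: datetime,
         threshold: float = 0.5) -> List[Tuple[str, str, float]]:
    """Return (src, dst, score) for connections to indicators still scoring above threshold."""
    by_value = {i.value: i for i in indicators}
    hits = []
    for line in log_lines:
        rec = parse_log(line)
        if rec is None:
            continue                      # skip malformed lines rather than crash the hunt
        ind = by_value.get(rec["dst"])
        if ind is None or ind.kind == "dual_use":
            continue                      # dual-use tooling alone is not evidence of compromise
        score = decayed_score(ind, now)
        if score >= threshold:
            hits.append((rec["src"], rec["dst"], round(score, 2)))
    return hits


# Fixed "now" so the example is reproducible.
NOW = datetime(2025, 8, 1, tzinfo=timezone.utc)

# Constructed indicators: one fresh C2 domain, one long-stale C2 domain,
# one dual-use tool host, one recently active C2 IP.
INDICATORS = [
    Indicator("c2.example.net", "c2", 0.9, NOW - timedelta(days=2), 30),
    Indicator("old-c2.example.org", "c2", 0.9, NOW - timedelta(days=400), 30),
    Indicator("tools.example.com", "dual_use", 1.0, NOW - timedelta(days=1), 30),
    Indicator("198.51.100.7", "c2", 0.7, NOW - timedelta(days=5), 30),
]

# Constructed gateway log extract.
LOG_LINES = [
    "2025-08-01T09:00:01Z 10.0.0.5 -> c2.example.net ALLOW",
    "2025-08-01T09:00:05Z 10.0.0.6 -> old-c2.example.org ALLOW",
    "2025-08-01T09:01:00Z 10.0.0.7 -> tools.example.com ALLOW",
    "2025-08-01T09:02:00Z 10.0.0.8 -> 198.51.100.7 ALLOW",
    "2025-08-01T09:03:00Z 10.0.0.9 -> updates.example.com ALLOW",
    "malformed line",
]

if __name__ == "__main__":
    for src, dst, score in hunt(LOG_LINES, INDICATORS, NOW):
        print(f"{src} -> {dst} (score {score})")
```

Only the two connections to recently active C2 infrastructure survive: the 400-day-old domain decays to effectively zero and the dual-use host is excluded outright, which is exactly the noise a flat IoC list would have reported as evidence of compromise.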
Task three: follow your framework
The approach at this stage will be dependent on the results of the previous assessments. There is no default playbook here; however, an established decision framework that dictates how a company reacts is key.
For example, I have witnessed organisations determine that the threat actor has been within the environment for years, and the only way to identify any additional backdoors is to monitor the threat actor within the environment. In other cases, the priority is to expel the actor quickly, especially if ransomware has not yet been deployed.
Regardless, analysts must conduct a final check for any signs of persistence that may have evaded initial detection. During the SharePoint exploit, we used known ToolShell behaviours to ensure the attacker left no lingering footholds.
Task four: recover from the attack
With containment and remediation complete, the work is not finished. Focus now shifts to communication, clarity, and validation.
A detailed incident report should include a forensic timeline, a confirmed root cause, all remediation actions, and what did and didn’t occur, such as data loss, lateral movement, or persistence.
Clear, timely reporting builds stakeholder confidence and closure, while enabling the security team to assess their response, recognise successes, and highlight areas for improvement.
For me, the most important point is ensuring senior management fully understands any gaps that exist. I won’t use the phrase “never waste a good security incident.” However, make no mistake, if improvements are needed, now is the time to secure the appropriate investment.
If a threat actor has already compromised the environment and no meaningful changes are made, it is highly likely to happen again. This is not meant to spread fear, but to acknowledge that organised criminal groups are equipping themselves with increasingly capable tooling.
Spotting the small things makes all the difference
A critical element is having the right data to form a clear picture. A security team’s success depends on spotting subtle process anomalies and filtering alert noise to assemble that picture.
This is where curated threat intelligence becomes absolutely critical. Curated threat intelligence refers to information that has been carefully selected, validated, and placed into context with an organisation’s environment, rather than raw data feeds delivered in bulk.
Instead of overwhelming security teams with thousands of indicators or alerts, context-driven intelligence focuses on what is relevant, credible, and actionable for a given situation. This allows suspicious activity to be identified and verified earlier, reducing the attacker’s window of opportunity before they are able to escalate.
Investing in intelligence that is validated, relevant, and tailored to your environment ensures that the security team is not chasing noise but instead concentrating on the threats that truly matter.
Raj Samani is SVP chief scientist at Rapid7.